annotate mod_muc_http_auth/mod_muc_http_auth.lua @ 4432:e83284d4d5c2

mod_auth_ccert/README: Add setting to ensure Prosdy asks for client certificate This used to be the default for all services, but since it triggers annoying popups in web browsers it was inverted in Prosody and only s2s enables it, so it needs to be explicitly enabled for c2s again. See trunk 115b5e32d960 Thanks debacle
author Kim Alvefur <zash@zash.se>
date Sat, 06 Feb 2021 21:34:25 +0100
parents 9606e7a63a69
children 4b3f054666e6
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
1 local wait_for = require "util.async".wait_for;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
2 local http = require "net.http";
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
3 local json = require "util.json";
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
4 local st = require "util.stanza";
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
5 local jid_node = require "util.jid".node;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
6 local jid_bare = require "util.jid".bare;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
7
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
8 local authorization_url = module:get_option("muc_http_auth_url", "")
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
9 local enabled_for = module:get_option_set("muc_http_auth_enabled_for", nil)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
10 local disabled_for = module:get_option_set("muc_http_auth_disabled_for", nil)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
11 local insecure = module:get_option("muc_http_auth_insecure", false) --For development purposes
4299
8006da2cf44c For deployments that have https://hg.prosody.im/trunk/file/tip/plugins/muc/register.lib.lua#l7 and use https://modules.prosody.im/mod_muc_http_auth.html users can still register to a MUC even if they are not allowed to join. That means they would receive RAI or RMN, for instance.
Seve Ferrer <seve@delape.net>
parents: 4296
diff changeset
12 local authorize_registration = module:get_option("muc_http_auth_authorize_registration", false)
4322
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login
Seve Ferrer <seve@delape.net>
parents: 4319
diff changeset
13 local authorization_header = module:get_option("muc_http_auth_authorization_header", nil)
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login
Seve Ferrer <seve@delape.net>
parents: 4319
diff changeset
14
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login
Seve Ferrer <seve@delape.net>
parents: 4319
diff changeset
15 local options = {method="GET", insecure=insecure}
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login
Seve Ferrer <seve@delape.net>
parents: 4319
diff changeset
16 if authorization_header then
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login
Seve Ferrer <seve@delape.net>
parents: 4319
diff changeset
17 options.headers = {["Authorization"] = authorization_header};
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login
Seve Ferrer <seve@delape.net>
parents: 4319
diff changeset
18 end
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
19
4304
aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs
Seve Ferrer <seve@delape.net>
parents: 4303
diff changeset
20 local verbs = {presence='join', iq='register'};
aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs
Seve Ferrer <seve@delape.net>
parents: 4303
diff changeset
21
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
22 local function must_be_authorized(room_node)
4303
d261233f7ced Improve UX by providing defaults users expect
Seve Ferrer <seve@delape.net>
parents: 4301
diff changeset
23 -- If none of these is set, all rooms need authorization
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
24 if not enabled_for and not disabled_for then return true; end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
25
4301
bcb2b9adfcde mod_muc_http_auth: Use get_option_set API properly
Seve Ferrer <seve@delape.net>
parents: 4299
diff changeset
26 if enabled_for then return enabled_for:contains(room_node); end
bcb2b9adfcde mod_muc_http_auth: Use get_option_set API properly
Seve Ferrer <seve@delape.net>
parents: 4299
diff changeset
27 if disabled_for then return not disabled_for:contains(room_node); end
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
28 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
29
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
30 local function handle_success(response)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
31 local body = json.decode(response.body or "") or {}
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
32 response = {
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
33 err = body.error,
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
34 allowed = body.allowed,
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
35 code = response.code
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
36 }
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
37 return {response=response, err=response.err};
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
38 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
39
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
40 local function handle_error(err)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
41 return {err=err};
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
42 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
43
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
44 local function handle_presence(event)
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
45 local stanza = event.stanza;
4304
aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs
Seve Ferrer <seve@delape.net>
parents: 4303
diff changeset
46 if stanza.name ~= "iq" and stanza.name ~= "presence" or stanza.attr.type == "unavailable" then return; end
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
47
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
48 local room, origin = event.room, event.origin;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
49 if (not room) or (not origin) then return; end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
50
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
51 if not must_be_authorized(jid_node(room.jid)) then return; end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
52
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
53 local user_bare_jid = jid_bare(stanza.attr.from);
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
54 local url = authorization_url .. "?userJID=" .. user_bare_jid .."&mucJID=" .. room.jid;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
55
4322
9606e7a63a69 mod_mucc_http_auth: Provide Authorization header setting for deployments behind a login
Seve Ferrer <seve@delape.net>
parents: 4319
diff changeset
56 local result = wait_for(http.request(url, options):next(handle_success, handle_error));
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
57 local response, err = result.response, result.err;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
58
4304
aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs
Seve Ferrer <seve@delape.net>
parents: 4303
diff changeset
59 local verb = verbs[stanza.name];
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
60 if not (response and response.allowed) then
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
61 -- User is not authorized to join this room
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
62 err = (response or {}).err or err
4304
aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs
Seve Ferrer <seve@delape.net>
parents: 4303
diff changeset
63 module:log("debug", user_bare_jid .. " is not authorized to " ..verb.. ": " .. room.jid .. " Error: " .. tostring(err));
4319
caaa40f072da mod_muc_http_auth: `no-authorized` error must be of type `auth`
JC Brand <jc@opkode.com>
parents: 4304
diff changeset
64 origin.send(st.error_reply(stanza, "auth", "not-authorized", nil, module.host));
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
65 return true;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
66 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
67
4304
aec8148df26a mod_muc_http_auth: Bugfix: Not properly listening on register IQs
Seve Ferrer <seve@delape.net>
parents: 4303
diff changeset
68 module:log("debug", user_bare_jid .. " is authorized to " .. verb .. ": " .. room.jid);
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
69 return;
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
70 end
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
71
4299
8006da2cf44c For deployments that have https://hg.prosody.im/trunk/file/tip/plugins/muc/register.lib.lua#l7 and use https://modules.prosody.im/mod_muc_http_auth.html users can still register to a MUC even if they are not allowed to join. That means they would receive RAI or RMN, for instance.
Seve Ferrer <seve@delape.net>
parents: 4296
diff changeset
72 if authorize_registration then
8006da2cf44c For deployments that have https://hg.prosody.im/trunk/file/tip/plugins/muc/register.lib.lua#l7 and use https://modules.prosody.im/mod_muc_http_auth.html users can still register to a MUC even if they are not allowed to join. That means they would receive RAI or RMN, for instance.
Seve Ferrer <seve@delape.net>
parents: 4296
diff changeset
73 module:hook("muc-register-iq", handle_presence);
8006da2cf44c For deployments that have https://hg.prosody.im/trunk/file/tip/plugins/muc/register.lib.lua#l7 and use https://modules.prosody.im/mod_muc_http_auth.html users can still register to a MUC even if they are not allowed to join. That means they would receive RAI or RMN, for instance.
Seve Ferrer <seve@delape.net>
parents: 4296
diff changeset
74 end
4296
08138de4cb88 Prosodoy module to externalize MUC authorization via HTTP
Seve Ferrer <seve@delape.net>
parents:
diff changeset
75
4319
caaa40f072da mod_muc_http_auth: `no-authorized` error must be of type `auth`
JC Brand <jc@opkode.com>
parents: 4304
diff changeset
76 module:hook("muc-occupant-pre-join", handle_presence);