annotate mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua @ 5418:f2c7bb3af600

mod_http_oauth2: Add role selector to consent page List includes all roles available to the user, if more than one. Defaults to either the first role in the scope string or the users primary role. Earlier draft listed all roles, but having options that can't be selected is bad UX and the entire list of all roles on the server could be long, and perhaps even sensitive. Allows e.g. picking a role with fewer permissions than what might otherwise have been selected. UX wise, doing this with more checkboxes or possibly radio buttons would have been confusion and/or looked messier. Fixes the previous situation where unselecting a role would default to the primary role, which could be more permissions than requested.
author Kim Alvefur <zash@zash.se>
date Fri, 05 May 2023 01:23:13 +0200
parents 8d1141025b43
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 module:set_global();
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local json = require"util.json";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local json_encode, json_decode = json.encode, json.decode;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5 local gettime = require"socket".gettime;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local serialize = require"util.serialization".serialize;
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
7 local async = require"util.async";
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
8 local http_request = require "net.http".request;
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 local msva_url = assert(os.getenv"MONKEYSPHERE_VALIDATION_AGENT_SOCKET",
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 "MONKEYSPHERE_VALIDATION_AGENT_SOCKET is unset, please set it").."/reviewcert";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local function check_with_monkeysphere(event)
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local session, host, cert = event.session, event.host, event.cert;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 local post_body = json_encode {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 peer = {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 name = host;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 type = "peer";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 };
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 context = "https";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21 -- context = "xmpp"; -- Monkeysphere needs to be extended to understand this
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 pkc = {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23 type = "x509pem";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 data = cert:pem();
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25 };
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 }
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 local req = {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 method = "POST";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 headers = {
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 ["Content-Type"] = "application/json";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 };
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
32 body = post_body;
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 };
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34 session.log("debug", "Asking what Monkeysphere thinks about this certificate");
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 local starttime = gettime();
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
36 local wait, done = async.waiter();
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
37 local body, code;
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
38 http_request(msva_url, req, function (_, _code)
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
39 body, code = body, _code;
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
40 done();
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
41 end);
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
42 wait();
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 module:log("debug", "Request took %fs", gettime() - starttime);
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
44 if code == 200 and body then
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45 body = json_decode(body);
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 if body then
3393
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
47 session.log(body.valid and "info" or "warn",
8d1141025b43 mod_s2s_auth_monkeysphere: Remove blocking mode (simplifes code) (not tested)
Kim Alvefur <zash@zash.se>
parents: 2186
diff changeset
48 "Monkeysphere thinks the cert is %salid: %s", body.valid and "V" or "Inv", body.message);
1413
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 if body.valid then
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 session.cert_chain_status = "valid";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51 session.cert_identity_status = "valid";
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52 return true;
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53 end
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54 end
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
55 else
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56 module:log("warn", "Request failed: %s, %s", tostring(code), tostring(body));
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57 module:log("debug", serialize(req));
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58 end
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59 end
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60
cfe360d9d82c mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61 module:hook("s2s-check-certificate", check_with_monkeysphere);