Mercurial > prosody-modules

comparison mod_client_management/mod_client_management.lua @ 5650:0eb2d5ea2428

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
merge
author Stephen Paul Weber <singpolyma@singpolyma.net>
date Sat, 06 May 2023 19:40:23 -0500
parents d9397d6a5513
children f25df3af02c1
comparison
equal deleted inserted replaced
5649:2c69577b28c2 5650:0eb2d5ea2428
1 local modulemanager = require "core.modulemanager";
2 local usermanager = require "core.usermanager";
3
4 local array = require "util.array";
5 local dt = require "util.datetime";
6 local id = require "util.id";
7 local it = require "util.iterators";
8 local jid = require "util.jid";
9 local st = require "util.stanza";
10
11 local strict = module:get_option_boolean("enforce_client_ids", false);
12
13 module:default_permission("prosody:user", ":list-clients");
14 module:default_permission("prosody:user", ":manage-clients");
15
16 local tokenauth = module:depends("tokenauth");
17 local mod_fast = module:depends("sasl2_fast");
18
19 local client_store = assert(module:open_store("clients", "keyval+"));
20 --[[{
21 id = id;
22 first_seen =
23 last_seen =
24 user_agent = {
25 name =
26 os =
27 }
28 --}]]
29
30 local xmlns_sasl2 = "urn:xmpp:sasl:2";
31
32 local function get_user_agent(sasl_handler, token_info)
33 local sasl_agent = sasl_handler and sasl_handler.user_agent;
34 local token_agent = token_info and token_info.data and token_info.data.oauth2_client;
35 if not (sasl_agent or token_agent) then return; end
36 return {
37 software = sasl_agent and sasl_agent.software or token_agent and token_agent.name or nil;
38 uri = token_agent and token_agent.uri or nil;
39 device = sasl_agent and sasl_agent.device or nil;
40 };
41 end
42
43 module:hook("sasl2/c2s/success", function (event)
44 local session = event.session;
45 local username, client_id = session.username, session.client_id;
46 local mechanism = session.sasl_handler.selected;
47 local token_info = session.sasl_handler.token_info;
48 local token_id = token_info and token_info.id or nil;
49
50 local now = os.time();
51 if client_id then -- SASL2, have client identifier
52 local is_new_client;
53
54 local client_state = client_store:get_key(username, client_id);
55 if not client_state then
56 is_new_client = true;
57 client_state = {
58 id = client_id;
59 first_seen = now;
60 user_agent = get_user_agent(session.sasl_handler, token_info);
61 full_jid = nil;
62 last_seen = nil;
63 mechanisms = {};
64 };
65 end
66 -- Update state
67 client_state.full_jid = session.full_jid;
68 client_state.last_seen = now;
69 client_state.mechanisms[mechanism] = now;
70 if session.sasl_handler.fast_auth then
71 client_state.fast_auth = now;
72 end
73 if token_id then
74 client_state.auth_token_id = token_id;
75 end
76 -- Store updated state
77 client_store:set_key(username, client_id, client_state);
78
79 if is_new_client then
80 module:fire_event("client_management/new-client", { client = client_state });
81 end
82 end
83 end);
84
85 local function find_client_by_resource(username, resource)
86 local full_jid = jid.join(username, module.host, resource);
87 local clients = client_store:get(username);
88 if not clients then return; end
89
90 for _, client_state in pairs(clients) do
91 if client_state.full_jid == full_jid then
92 return client_state;
93 end
94 end
95 end
96
97 module:hook("resource-bind", function (event)
98 local session = event.session;
99 if session.client_id then return; end
100 local is_new_client;
101 local client_state = find_client_by_resource(event.session.username, event.session.resource);
102 local now = os.time();
103 if not client_state then
104 is_new_client = true;
105 client_state = {
106 id = id.short();
107 first_seen = now;
108 user_agent = nil;
109 full_jid = nil;
110 last_seen = nil;
111 mechanisms = {};
112 legacy = true;
113 };
114 end
115
116 -- Update state
117 local legacy_info = session.client_management_info;
118 client_state.full_jid = session.full_jid;
119 client_state.last_seen = now;
120 client_state.mechanisms[legacy_info.mechanism] = now;
121 if legacy_info.fast_auth then
122 client_state.fast_auth = now;
123 end
124
125 local token_id = legacy_info.token_info and legacy_info.token_info.id;
126 if token_id then
127 client_state.auth_token_id = token_id;
128 end
129
130 -- Store updated state
131 client_store:set_key(session.username, client_state.id, client_state);
132
133 if is_new_client then
134 module:fire_event("client_management/new-client", { client = client_state });
135 end
136 end);
137
138 if strict then
139 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
140 local user_agent = auth:get_child("user-agent");
141 if not user_agent or not user_agent.attr.id then
142 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 })
143 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up()
144 :text_tag("text", "Client identifier required but not supplied");
145 session.send(failure);
146 return true;
147 end
148 end, 500);
149
150 if modulemanager.get_modules_for_host(module.host):contains("saslauth") then
151 module:log("error", "mod_saslauth is enabled, but enforce_client_ids is enabled and will prevent it from working");
152 end
153
154 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event)
155 -- Block legacy SASL, if for some reason it is being used (either mod_saslauth is loaded,
156 -- or clients try it without advertisement)
157 module:log("warn", "Blocking legacy SASL authentication because enforce_client_ids is enabled");
158 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 })
159 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up()
160 :text_tag("text", "Legacy SASL authentication is not available on this server");
161 event.session.send(failure);
162 return true;
163 end);
164 else
165 -- Legacy client compat code
166 module:hook("authentication-success", function (event)
167 local session = event.session;
168 if session.client_id then return; end -- SASL2 client
169
170 local sasl_handler = session.sasl_handler;
171 session.client_management_info = {
172 mechanism = sasl_handler.selected;
173 token_info = sasl_handler.token_info;
174 fast_auth = sasl_handler.fast_auth;
175 };
176 end);
177 end
178
179 local function is_password_mechanism(mech_name)
180 if mech_name == "OAUTHBEARER" then return false; end
181 if mech_name:match("^HT%-") then return false; end
182 return true;
183 end
184
185 local function is_client_active(client)
186 local username, host = jid.split(client.full_jid);
187 local account_info = usermanager.get_account_info(username, host);
188 local last_password_change = account_info and account_info.password_updated;
189
190 local status = {};
191
192 -- Check for an active token grant that has been previously used by this client
193 if client.auth_token_id then
194 local grant = tokenauth.get_grant_info(client.auth_token_id);
195 if grant then
196 status.grant = grant;
197 end
198 end
199
200 -- Check for active FAST tokens
201 if client.fast_auth then
202 if mod_fast.is_client_fast(username, client.id, last_password_change) then
203 status.fast = client.fast_auth;
204 end
205 end
206
207 -- Client has access if any password-based SASL mechanisms have been used since last password change
208 for mech, mech_last_used in pairs(client.mechanisms) do
209 if is_password_mechanism(mech) and (not last_password_change or mech_last_used >= last_password_change) then
210 status.password = mech_last_used;
211 end
212 end
213
214 if prosody.full_sessions[client.full_jid] then
215 status.connected = true;
216 end
217
218 if next(status) == nil then
219 return nil;
220 end
221 return status;
222 end
223
224 -- Public API
225 --luacheck: ignore 131
226 function get_active_clients(username)
227 local clients = client_store:get(username);
228 local active_clients = {};
229 local used_grants = {};
230
231 -- Go through known clients, check whether they could possibly log in
232 for client_id, client in pairs(clients or {}) do --luacheck: ignore 213/client_id
233 local active = is_client_active(client);
234 if active then
235 client.type = "session";
236 client.id = "client/"..client.id;
237 client.active = active;
238 table.insert(active_clients, client);
239 if active.grant then
240 used_grants[active.grant.id] = true;
241 end
242 end
243 end
244
245 -- Next, account for any grants that have been issued, but never actually logged in
246 for grant_id, grant in pairs(tokenauth.get_user_grants(username) or {}) do
247 if not used_grants[grant_id] then -- exclude grants already accounted for
248 table.insert(active_clients, {
249 id = "grant/"..grant_id;
250 type = "access";
251 first_seen = grant.created;
252 last_seen = grant.accessed;
253 active = {
254 grant = grant;
255 };
256 user_agent = get_user_agent(nil, grant);
257 });
258 end
259 end
260
261 table.sort(active_clients, function (a, b)
262 if a.last_seen and b.last_seen then
263 return a.last_seen < b.last_seen;
264 elseif not (a.last_seen or b.last_seen) then
265 if a.first_seen and b.first_seen then
266 return a.first_seen < b.first_seen;
267 end
268 elseif b.last_seen then
269 return true;
270 elseif a.last_seen then
271 return false;
272 end
273 return a.id < b.id;
274 end);
275
276 return active_clients;
277 end
278
279 function revoke_client_access(username, client_selector)
280 if client_selector then
281 local c_type, c_id = client_selector:match("^(%w+)/(.+)$");
282 if c_type == "client" then
283 local client = client_store:get_key(username, c_id);
284 if not client then
285 return nil, "item-not-found";
286 end
287 local status = is_client_active(client);
288 if status.connected then
289 local ok, err = prosody.full_sessions[client.full_jid]:close();
290 if not ok then return ok, err; end
291 end
292 if status.fast then
293 local ok = mod_fast.revoke_fast_tokens(username, client.id);
294 if not ok then return nil, "internal-server-error"; end
295 end
296 if status.grant then
297 local ok = tokenauth.revoke_grant(username, status.grant.id);
298 if not ok then return nil, "internal-server-error"; end
299 end
300 if status.password then
301 return nil, "password-reset-required";
302 end
303 return true;
304 elseif c_type == "grant" then
305 local grant = tokenauth.get_grant_info(username, c_id);
306 if not grant then
307 return nil, "item-not-found";
308 end
309 local ok = tokenauth.revoke_grant(username, c_id);
310 if not ok then return nil, "internal-server-error"; end
311 return true;
312 end
313 end
314
315 return nil, "item-not-found";
316 end
317
318 -- Protocol
319
320 local xmlns_manage_clients = "xmpp:prosody.im/protocol/manage-clients";
321
322 module:hook("iq-get/self/xmpp:prosody.im/protocol/manage-clients:list", function (event)
323 local origin, stanza = event.origin, event.stanza;
324
325 if not module:may(":list-clients", event) then
326 origin.send(st.error_reply(stanza, "auth", "forbidden"));
327 return true;
328 end
329
330 local reply = st.reply(stanza)
331 :tag("clients", { xmlns = xmlns_manage_clients });
332
333 local active_clients = get_active_clients(event.origin.username);
334 for _, client in ipairs(active_clients) do
335 local auth_type = st.stanza("auth");
336 if client.active then
337 if client.active.password then
338 auth_type:text_tag("password");
339 end
340 if client.active.grant then
341 auth_type:text_tag("bearer-token");
342 end
343 if client.active.fast then
344 auth_type:text_tag("fast");
345 end
346 end
347
348 local user_agent = st.stanza("user-agent");
349 if client.user_agent then
350 if client.user_agent.software then
351 user_agent:text_tag("software", client.user_agent.software);
352 end
353 if client.user_agent.device then
354 user_agent:text_tag("device", client.user_agent.device);
355 end
356 if client.user_agent.uri then
357 user_agent:text_tag("uri", client.user_agent.uri);
358 end
359 end
360
361 local connected = client.active and client.active.connected;
362 reply:tag("client", { id = client.id, connected = connected and "true" or "false", type = client.type })
363 :text_tag("first-seen", dt.datetime(client.first_seen))
364 :text_tag("last-seen", dt.datetime(client.last_seen))
365 :add_child(auth_type)
366 :add_child(user_agent)
367 :up();
368 end
369 reply:up();
370
371 origin.send(reply);
372 return true;
373 end);
374
375 local revocation_errors = require "util.error".init(module.name, xmlns_manage_clients, {
376 ["item-not-found"] = { "cancel", "item-not-found", "Client not found" };
377 ["internal-server-error"] = { "wait", "internal-server-error", "Unable to revoke client access" };
378 ["password-reset-required"] = { "cancel", "service-unavailable", "Password reset required", "password-reset-required" };
379 });
380
381 module:hook("iq-set/self/xmpp:prosody.im/protocol/manage-clients:revoke", function (event)
382 local origin, stanza = event.origin, event.stanza;
383
384 if not module:may(":manage-clients", event) then
385 origin.send(st.error_reply(stanza, "auth", "forbidden"));
386 return true;
387 end
388
389 local client_id = stanza.tags[1].attr.id;
390
391 local ok, err = revocation_errors.coerce(revoke_client_access(origin.username, client_id));
392 if not ok then
393 origin.send(st.error_reply(stanza, err));
394 return true;
395 end
396
397 origin.send(st.reply(stanza));
398 return true;
399 end);
400
401
402 -- Command
403
404 module:once(function ()
405 local console_env = module:shared("/*/admin_shell/env");
406 if not console_env.user then return; end -- admin_shell probably not loaded
407
408 function console_env.user:clients(user_jid)
409 local username, host = jid.split(user_jid);
410 local mod = prosody.hosts[host] and prosody.hosts[host].modules.client_management;
411 if not mod then
412 return false, ("Host does not exist on this server, or does not have mod_client_management loaded");
413 end
414
415 local clients = mod.get_active_clients(username);
416 if not clients or #clients == 0 then
417 return true, "No clients associated with this account";
418 end
419
420 local colspec = {
421 {
422 title = "Software";
423 key = "user_agent";
424 width = "1p";
425 mapper = function(user_agent)
426 return user_agent and user_agent.software;
427 end;
428 };
429 {
430 title = "Last seen";
431 key = "last_seen";
432 width = math.max(#os.date("%Y-%m-%d"), #os.date("%H:%M:%S"));
433 align = "right";
434 mapper = function(last_seen)
435 return os.date(os.difftime(os.time(), last_seen) >= 86400 and "%Y-%m-%d" or "%H:%M:%S", last_seen);
436 end;
437 };
438 {
439 title = "Authentication";
440 key = "active";
441 width = "2p";
442 mapper = function(active)
443 return array.collect(it.keys(active)):sort():concat(", ");
444 end;
445 };
446 };
447
448 local row = require "util.human.io".table(colspec, self.session.width);
449
450 local print = self.session.print;
451 print(row());
452 print(string.rep("-", self.session.width));
453 for _, client in ipairs(clients) do
454 print(row(client));
455 end
456 print(string.rep("-", self.session.width));
457 return true, ("%d clients"):format(#clients);
458 end
459 end);