view mod_sasl2_fast/mod_sasl2_fast.lua @ 5062:38a0e3621181

mod_sasl2_fast: New module for SASL2 FAST authentication (WIP)
author Matthew Wild <mwild1@gmail.com>
date Thu, 13 Oct 2022 22:47:35 +0100
parents
children 74145faceba2
line wrap: on
line source

local tokenauth = module:depends("tokenauth");
local sasl = require "util.sasl";
local dt = require "util.datetime";
local st = require "util.stanza";

local fast_token_ttl = module:get_option_number("sasl2_fast_token_ttl", 86400*21);

local xmlns_fast = "urn:xmpp:fast:0";
local xmlns_sasl2 = "urn:xmpp:sasl:2";

function get_sasl_handler(session) --luacheck: ignore session
	local token_auth_profile = {
		token_test = function (_, client_id, token, mech_name, counter) --luacheck: ignore
			return false; -- FIXME
		end;
	};
	return sasl.new(module.host, token_auth_profile);
end

-- Advertise FAST to connecting clients
module:hook("advertise-sasl-features", function (event)
	local sasl_handler = get_sasl_handler(event.session);
	if not sasl_handler then return; end
	event.session.fast_sasl_handler = sasl_handler;
	local fast = st.stanza("fast", { xmlns = xmlns_fast });
	for mech in sasl_handler:mechanisms() do
		fast:text_tag("mechanism", mech);
	end
	event.features:add_child(fast);
end);

-- Process any FAST elements in <authenticate/>
module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
	-- Cache action for future processing (after auth success)
	local fast_auth = auth:get_child(xmlns_fast, "fast");
	if fast_auth then
		-- Client says it is using FAST auth, so set our SASL handler
		session.log("debug", "Client is authenticating using FAST");
		session.sasl_handler = session.fast_sasl_handler;
	end
	session.fast_sasl_handler = nil;
	local fast_token_request = auth:get_child(xmlns_fast, "request-token");
	if fast_token_request then
		local mech = fast_token_request.attr.mechanism;
		session.log("debug", "Client requested new FAST token for %s", mech);
		session.fast_token_request = {
			mechanism = mech;
		};
	end
end, 100);

-- Process post-success (new token generation, etc.)
module:hook("sasl2/c2s/success", function (event)
	local session = event.session;

	local token_request = session.fast_token_request;
	if token_request then
		local token, token_info = tokenauth.create_jid_token(
			session.full_jid,
			session.full_jid,
			session.role,
			fast_token_ttl,
			{
				fast_token = true;
				fast_mechanism = token_request.mechanism;
			}
		);
		if token then
			event.success:tag("token", {
				xmlns = xmlns_fast;
				expiry = dt.datetime(token_info.expiry);
				token = token;
			}):up();
		end
	end
end, 75);


-- X-PLAIN-TOKEN mechanism

local function x_plain_token(self, message) --luacheck: ignore 212/self
	if not message then
		return nil, "malformed-request";
	end
	return nil, "temporary-auth-failure"; -- FIXME
end

sasl.registerMechanism("X-PLAIN-TOKEN", { "token_test" }, x_plain_token);