view mod_sentry/mod_sentry.lua @ 5682:527c747711f3

mod_http_oauth2: Limit revocation to client's own tokens in strict mode RFC 7009 section 2.1 states: > The authorization server first validates the client credentials (in > case of a confidential client) and then verifies whether the token was > issued to the client making the revocation request. If this > validation fails, the request is refused and the client is informed of > the error by the authorization server as described below. The first part was already covered (in strict mode). This adds the latter part using the hash of client_id recorded in 0860497152af. It still seems weird to me that revoking a leaked token should not be allowed whoever might have discovered it, as that seems the responsible thing to do.
author Kim Alvefur <zash@zash.se>
date Sun, 29 Oct 2023 11:30:49 +0100
parents cb3de818ff55
children

-- Run as a global module, i.e. loaded once rather than once per host.
module:set_global();

local sentry_lib = module:require "sentry";

-- Best-effort lookup of the machine's node name. util.pposix may be missing
-- or lack uname(), in which case hostname stays nil and the configuration
-- code below picks its own fallback. Note that this name is reported to
-- Sentry as server_name unless the configuration overrides it.
local have_pposix, pposix = pcall(require, "util.pposix");
local hostname = have_pposix and pposix.uname and pposix.uname().nodename or nil;

local loggingmanager = require "core.loggingmanager";
local errors = require "util.error";
local format = require "util.format".format;

-- The 'sentry' option is mandatory; refuse to load without it.
local default_config = module:get_option("sentry");
assert(default_config, "Please provide a 'sentry' configuration option");

-- Fill in server_name when the admin did not set one: the uname node name
-- if it was found, else the literal "prosody". This writes into the table
-- returned by get_option rather than into a copy.
if not default_config.server_name then
	default_config.server_name = hostname or "prosody";
end

-- Shared client used by the log sink; loading fails if it cannot be created.
local sentry = assert(sentry_lib.new(default_config));

--- Predicates usable in a sink's `ignore` list, keyed by filter name.
-- Each one is called as f(filter_value, name, level, message) and returns a
-- truthy value when the log entry matches.
local log_filters = {
	--- Match on the log source. For a name of the form "prefix:rest" only
	-- the part after the first colon is compared, otherwise the whole name.
	-- Returns true on a match and nothing otherwise.
	source = function (filter_source, name)
		local wanted = name:match(":(.+)$") or name;
		if filter_source ~= wanted then
			return;
		end
		return true;
	end;
	--- Match the message against a Lua pattern (not a plain substring, so
	-- magic characters in the configured value keep their pattern meaning).
	-- The caller passes the message before its arguments are substituted.
	message_pattern = function (pattern, _, _, message)
		return message:find(pattern) ~= nil;
	end;
};

local serialize = require "util.serialization".serialize;

--- Rejection handler for event submission: records the failure in the
-- local log at "error" level.
-- @param e the failure reason handed over by the rejected send()
local function sentry_error_handler(e)
	local template = "Failed to submit event to sentry: %s";
	module:log("error", template, e);
end

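--- Build a log sink that forwards log entries to Sentry.
--
-- Every entry that reaches the sink and is not dropped by an `ignore`
-- filter is sent, with its arguments formatted into the message, to the
-- configured Sentry instance. Log lines can carry identifiers and other
-- sensitive values, so the `ignore` filters (and whichever levels are routed
-- to this sink) decide what leaves the server.
--
-- Filter semantics worth knowing when relying on them for that purpose:
--   * a filter is a table of log_filters keys; it matches only if every key
--     matches, and a key that is not in log_filters makes the whole filter
--     never match, so the entry is forwarded;
--   * filters see the message before its arguments are substituted, so a
--     message_pattern cannot match on argument values.
--
-- @param sink_config table; optional `ignore` field holds an array of filters
-- @return function(name, level, message, ...) the sink
local function sentry_log_sink_maker(sink_config)
	local filters = sink_config.ignore or {};
	local n_filters = #filters;

	-- Re-entrancy guard, private to this sink instance.
	local submitting;
	return function (name, level, message, ...)
		-- Ignore any log messages that occur during sentry submission
		-- to avoid loops
		if submitting then return; end
		for i = 1, n_filters do
			local filter = filters[i];
			local matched;
			for filter_name, filter_value in pairs(filter) do
				local f = log_filters[filter_name];
				if f and f(filter_value, name, level, message) then
					matched = true;
				else
					-- One failed or unknown key rejects the whole filter.
					matched = nil;
					break;
				end
			end
			if matched then
				return;
			end
		end
		-- Translate the local level name to the one used for the event.
		if level == "warn" then
			level = "warning";
		end

		local event = sentry:event(level, name):message(format(message, ...));

		-- Attach any util.error objects among the arguments as exceptions.
		-- select("#", ...) is used so that nil arguments are not skipped.
		local params = { ... };
		for i = 1, select("#", ...) do
			if errors.is_error(params[i]) then
				event:add_exception(params[i]);
			end
		end

		submitting = true;
		-- Run the submission protected: if send() raised, the flag would
		-- otherwise stay set and this sink would silently drop every later
		-- entry, and the error would surface in whatever code was logging.
		local ok, err = pcall(function ()
			event:send():catch(sentry_error_handler);
		end);
		if not ok then
			-- Reported while the guard is still set, so this log line is not
			-- itself submitted.
			sentry_error_handler(err);
		end
		submitting = false;
		-- NOTE(review): the guard only covers the synchronous part of send().
		-- If the returned promise rejects later, sentry_error_handler logs at
		-- "error" level with the guard cleared, and that entry is eligible for
		-- submission unless an ignore filter drops it - confirm this cannot
		-- feed back while Sentry is unreachable.
	end;
end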

-- Register the sink under the type name "sentry". Presumably loggingmanager
-- calls sentry_log_sink_maker with the matching sink's configuration table;
-- that is the only place its `ignore` filters come from.
loggingmanager.register_sink_type("sentry", sentry_log_sink_maker);

--- Create a Sentry client that inherits from the module's `sentry` option.
-- Keys that are nil in `conf` are filled in from default_config; a key set
-- to false is kept as given. `conf` is modified in place, and table-valued
-- defaults are shared by reference rather than copied, so callers receive
-- the same objects the module-wide client was configured with.
-- @param conf optional table of overrides
-- @return the result of sentry_lib.new(conf)
function new(conf) --luacheck: ignore 131/new
	if not conf then
		conf = {};
	end
	for option, inherited in pairs(default_config) do
		local overridden = conf[option] ~= nil;
		if not overridden then
			conf[option] = inherited;
		end
	end
	return sentry_lib.new(conf);
end