Mercurial > prosody-modules
view mod_s2s_auth_posh/mod_s2s_auth_posh.lua @ 4268:871d140d61bb
mod_adhoc_oauth2_client: Fix including final client_id in result form
The client_id is composed of the details needed for retrieving the data,
making it redundant to include in the data, albeit somewhat convenient
sometimes. Decided to remove it anyways, but forgot to change the result.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 22 Nov 2020 17:00:26 +0100 |
parents | f2037a754480 |
children | 58a112bd9792 |
line wrap: on
line source
-- Copyright (C) 2013 - 2014 Tobias Markmann -- This file is MIT/X11 licensed. -- -- Implements authentication via POSH (PKIX over Secure HTTP) -- http://tools.ietf.org/html/draft-miller-posh-03 -- module:set_global(); local json = require "util.json"; local base64 = require "util.encodings".base64; local pem2der = require "util.x509".pem2der; local hashes = require "util.hashes"; local build_url = require "socket.url".build; local async = require "util.async"; local http = require "net.http"; local cache = require "util.cache".new(100); local hash_order = { "sha-512", "sha-384", "sha-256", "sha-224", "sha-1" }; local hash_funcs = { hashes.sha512, hashes.sha384, hashes.sha256, hashes.sha224, hashes.sha1 }; local function posh_lookup(host_session, resume) -- do nothing if posh info already exists if host_session.posh ~= nil then return end local target_host = false; if host_session.direction == "incoming" then target_host = host_session.from_host; elseif host_session.direction == "outgoing" then target_host = host_session.to_host; end local cached = cache:get(target_host); if cached then if os.time() > cached.expires then cache:set(target_host, nil); else host_session.posh = { jwk = cached }; return false; end end local log = host_session.log or module._log; log("debug", "Session direction: %s", tostring(host_session.direction)); local url = build_url { scheme = "https", host = target_host, path = "/.well-known/posh/xmpp-server.json" }; log("debug", "Request POSH information for %s", tostring(target_host)); local redirect_followed = false; local function cb (response, code) if code ~= 200 then log("debug", "No or invalid POSH response received"); resume(); return; end log("debug", "Received POSH response"); local jwk = json.decode(response); if not jwk or type(jwk) ~= "table" then log("error", "POSH response is not valid JSON!\n%s", tostring(response)); resume(); return; end if type(jwk.url) == "string" then if redirect_followed then redirect_followed = true; http.request(jwk.url, nil, cb); else log("error", "POSH had invalid redirect:\n%s", tostring(response)); resume(); return; end end host_session.posh = { orig = response }; jwk.expires = os.time() + tonumber(jwk.expires) or 3600; host_session.posh.jwk = jwk; cache:set(target_host, jwk); resume(); end http.request(url, nil, cb); return true; end -- Do POSH authentication module:hook("s2s-check-certificate", function (event) local session, cert = event.session, event.cert; local log = session.log or module._log; if session.cert_identity_status == "valid" then log("debug", "Not trying POSH because certificate is already valid"); return; end log("info", "Trying POSH authentication."); local wait, done = async.waiter(); if posh_lookup(session, done) then wait(); end local posh = session.posh; local jwk = posh and posh.jwk; local fingerprints = jwk and jwk.fingerprints; if type(fingerprints) ~= "table" then log("debug", "No POSH authentication data available"); return; end local cert_der = pem2der(cert:pem()); local cert_hashes = {}; for i = 1, #hash_order do cert_hashes[i] = base64.encode(hash_funcs[i](cert_der)); end for i = 1, #fingerprints do local fp = fingerprints[i]; for j = 1, #hash_order do local hash = fp[hash_order[j]]; if cert_hashes[j] == hash then session.cert_chain_status = "valid"; session.cert_identity_status = "valid"; log("debug", "POSH authentication succeeded!"); return true; elseif hash then -- Don't try weaker hashes break; end end end log("debug", "POSH authentication failed!"); end); function module.command(arg) if not arg[1] then print("Usage: mod_s2s_auth_posh /path/to/cert.pem") return 1; end local jwkset = { fingerprints = { }; expires = 86400; } for i, cert_file in ipairs(arg) do local cert, err = io.open(cert_file); if not cert then io.stderr:write(err, "\n"); return 1; end local cert_pem = cert:read("*a"); local cert_der, typ = pem2der(cert_pem); if typ == "CERTIFICATE" then table.insert(jwkset.fingerprints, { ["sha-256"] = base64.encode(hashes.sha256(cert_der)); }); elseif typ then io.stderr:write(cert_file, " contained a ", typ:lower(), ", was expecting a certificate\n"); return 1; else io.stderr:write(cert_file, " did not contain a certificate in PEM format\n"); return 1; end end print(json.encode(jwkset)); return 0; end