Mercurial > prosody-modules
changeset 5062:38a0e3621181
mod_sasl2_fast: New module for SASL2 FAST authentication (WIP)
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Thu, 13 Oct 2022 22:47:35 +0100 |
parents | e44b868cc575 |
children | 53145c6b6b0b |
files | mod_sasl2_fast/mod_sasl2_fast.lua |
diffstat | 1 files changed, 88 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_sasl2_fast/mod_sasl2_fast.lua Thu Oct 13 22:47:35 2022 +0100 @@ -0,0 +1,88 @@ +local tokenauth = module:depends("tokenauth"); +local sasl = require "util.sasl"; +local dt = require "util.datetime"; +local st = require "util.stanza"; + +local fast_token_ttl = module:get_option_number("sasl2_fast_token_ttl", 86400*21); + +local xmlns_fast = "urn:xmpp:fast:0"; +local xmlns_sasl2 = "urn:xmpp:sasl:2"; + +function get_sasl_handler(session) --luacheck: ignore session + local token_auth_profile = { + token_test = function (_, client_id, token, mech_name, counter) --luacheck: ignore + return false; -- FIXME + end; + }; + return sasl.new(module.host, token_auth_profile); +end + +-- Advertise FAST to connecting clients +module:hook("advertise-sasl-features", function (event) + local sasl_handler = get_sasl_handler(event.session); + if not sasl_handler then return; end + event.session.fast_sasl_handler = sasl_handler; + local fast = st.stanza("fast", { xmlns = xmlns_fast }); + for mech in sasl_handler:mechanisms() do + fast:text_tag("mechanism", mech); + end + event.features:add_child(fast); +end); + +-- Process any FAST elements in <authenticate/> +module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth) + -- Cache action for future processing (after auth success) + local fast_auth = auth:get_child(xmlns_fast, "fast"); + if fast_auth then + -- Client says it is using FAST auth, so set our SASL handler + session.log("debug", "Client is authenticating using FAST"); + session.sasl_handler = session.fast_sasl_handler; + end + session.fast_sasl_handler = nil; + local fast_token_request = auth:get_child(xmlns_fast, "request-token"); + if fast_token_request then + local mech = fast_token_request.attr.mechanism; + session.log("debug", "Client requested new FAST token for %s", mech); + session.fast_token_request = { + mechanism = mech; + }; + end +end, 100); + +-- Process post-success (new token generation, etc.) +module:hook("sasl2/c2s/success", function (event) + local session = event.session; + + local token_request = session.fast_token_request; + if token_request then + local token, token_info = tokenauth.create_jid_token( + session.full_jid, + session.full_jid, + session.role, + fast_token_ttl, + { + fast_token = true; + fast_mechanism = token_request.mechanism; + } + ); + if token then + event.success:tag("token", { + xmlns = xmlns_fast; + expiry = dt.datetime(token_info.expiry); + token = token; + }):up(); + end + end +end, 75); + + +-- X-PLAIN-TOKEN mechanism + +local function x_plain_token(self, message) --luacheck: ignore 212/self + if not message then + return nil, "malformed-request"; + end + return nil, "temporary-auth-failure"; -- FIXME +end + +sasl.registerMechanism("X-PLAIN-TOKEN", { "token_test" }, x_plain_token);