plugins/mod_legacyauth.lua

Sat, 22 May 2010 01:48:31 +0200

author
Tobias Markmann <tm@ayena.de>
date
Sat, 22 May 2010 01:48:31 +0200
changeset 3074
7bd0dae5c84f
parent 2925
692b3c6c5bd2
child 3217
382f70627ff9
permissions
-rw-r--r--

util.sasl.scram: Check nonce in client final message. Check channel binding flag in client first message. Adding some TODOs on more strict parsing. (thanks Marc Santamaria)

-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
local st = require "util.stanza";
local t_concat = table.concat;

-- "require_encryption" is the deprecated spelling of this option; when both
-- are configured the c2s_* value takes precedence.
local secure_auth_only = module:get_option("c2s_require_encryption");
if not secure_auth_only then
	secure_auth_only = module:get_option("require_encryption");
end

local sessionmanager = require "core.sessionmanager";
local usermanager = require "core.usermanager";
local stringprep = require "util.encodings".stringprep;
local nodeprep = stringprep.nodeprep;
local resourceprep = stringprep.resourceprep;

-- Register the legacy (XEP-0078) authentication namespace as a module feature.
module:add_feature("jabber:iq:auth");
--- Advertise <auth xmlns='http://jabber.org/features/iq-auth'/> in stream features.
-- The feature is withheld from streams that are not encrypted while
-- c2s_require_encryption/require_encryption is set, and from sessions that
-- are already authenticated.
module:hook("stream-features", function(event)
	local origin, features = event.origin, event.features;
	-- Sorry, not offering to insecure streams!
	if secure_auth_only and not origin.secure then
		return;
	end
	-- An authenticated session has no use for the auth feature
	if origin.username then
		return;
	end
	features:tag("auth", {xmlns='http://jabber.org/features/iq-auth'}):up();
end);
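--- Handle XEP-0078 (non-SASL) authentication on unauthenticated c2s sessions.
-- The handler answers a field query (a <query/> without username/password/
-- resource children) with the list of expected fields, and otherwise checks
-- the supplied credentials, authenticates the session and binds the resource.
-- Legacy auth carries the password in clear text inside the stanza, so it is
-- refused on unencrypted streams when encryption is required.
-- Always returns true (the stanza has been handled and replied to).
module:add_iq_handler("c2s_unauthed", "jabber:iq:auth",
	function (session, stanza)
		if secure_auth_only and not session.secure then
			session.send(st.error_reply(stanza, "modify", "not-acceptable", "Encryption (SSL or TLS) is required to connect to this server"));
			return true;
		end

		local username = stanza.tags[1]:child_with_name("username");
		local password = stanza.tags[1]:child_with_name("password");
		local resource = stanza.tags[1]:child_with_name("resource");
		if not (username and password and resource) then
			-- Field query: tell the client which fields we need
			local reply = st.reply(stanza);
			session.send(reply:query("jabber:iq:auth")
				:tag("username"):up()
				:tag("password"):up()
				:tag("resource"):up());
			return true;
		end

		-- Flatten the child text nodes into plain strings
		username, password, resource = t_concat(username), t_concat(password), t_concat(resource);
		username = nodeprep(username);
		resource = resourceprep(resource);
		if not (username and resource) then
			-- stringprep rejected the node or resource; don't pass nil on to
			-- the credential check or to resource binding
			session.send(st.error_reply(stanza, "modify", "bad-request", "Invalid username or resource"));
			return true;
		end

		if not usermanager.validate_credentials(session.host, username, password) then
			-- Same reply for unknown user and wrong password, so the response
			-- does not reveal which accounts exist
			session.send(st.error_reply(stanza, "auth", "not-authorized"));
			return true;
		end

		-- Authentication successful!
		local success, err = sessionmanager.make_authenticated(session, username);
		if success then
			local err_type, err_msg;
			success, err_type, err, err_msg = sessionmanager.bind_resource(session, resource);
			if not success then
				session.send(st.error_reply(stanza, err_type, err, err_msg));
				-- Legacy auth is atomic: a failed bind undoes the authentication
				session.username, session.type = nil, "c2s_unauthed"; -- FIXME should this be placed in sessionmanager?
				return true;
			elseif resource ~= session.resource then -- server changed resource, not supported by legacy auth
				session.send(st.error_reply(stanza, "cancel", "conflict", "The requested resource could not be assigned to this session."));
				session:close(); -- FIXME undo resource bind and auth instead of closing the session?
				return true;
			end
		end
		-- NOTE(review): if make_authenticated fails, this still sends a success
		-- reply (the original behaviour) -- confirm whether it can fail here
		session.send(st.reply(stanza));
		return true;
	end);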
