search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mod_c2s: Do not allow the stream 'to' to change across stream restarts (fixes #1147)
[prosody.git] / plugins / mod_saslauth.lua
bloba23d1f53c2a374d3f7e328fe415a4be6aebc5791
1 -- Prosody IM
2 -- Copyright (C) 2008-2010 Matthew Wild
3 -- Copyright (C) 2008-2010 Waqas Hussain
4 --
5 -- This project is MIT/X11 licensed. Please see the
6 -- COPYING file in the source package for more information.
7 --
8
9
10
11 local st = require "util.stanza";
12 local sm_bind_resource = require "core.sessionmanager".bind_resource;
13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
14 local base64 = require "util.encodings".base64;
15
16 local cert_verify_identity = require "util.x509".verify_identity;
17
18 local usermanager_get_sasl_handler = require "core.usermanager".get_sasl_handler;
19 local tostring = tostring;
20
21 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
22 local allow_unencrypted_plain_auth = module:get_option("allow_unencrypted_plain_auth")
23
24 local log = module._log;
25
26 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
27 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
28
29 local function build_reply(status, ret, err_msg)
30 local reply = st.stanza(status, {xmlns = xmlns_sasl});
31 if status == "challenge" then
32 --log("debug", "CHALLENGE: %s", ret or "");
33 reply:text(base64.encode(ret or ""));
34 elseif status == "failure" then
35 reply:tag(ret):up();
36 if err_msg then reply:tag("text"):text(err_msg); end
37 elseif status == "success" then
38 --log("debug", "SUCCESS: %s", ret or "");
39 reply:text(base64.encode(ret or ""));
40 else
41 module:log("error", "Unknown sasl status: %s", status);
42 end
43 return reply;
44 end
45
46 local function handle_status(session, status, ret, err_msg)
47 if status == "failure" then
48 module:fire_event("authentication-failure", { session = session, condition = ret, text = err_msg });
49 session.sasl_handler = session.sasl_handler:clean_clone();
50 elseif status == "success" then
51 local ok, err = sm_make_authenticated(session, session.sasl_handler.username);
52 if ok then
53 module:fire_event("authentication-success", { session = session });
54 session.sasl_handler = nil;
55 session:reset_stream();
56 else
57 module:log("warn", "SASL succeeded but username was invalid");
58 module:fire_event("authentication-failure", { session = session, condition = "not-authorized", text = err });
59 session.sasl_handler = session.sasl_handler:clean_clone();
60 return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
61 end
62 end
63 return status, ret, err_msg;
64 end
65
66 local function sasl_process_cdata(session, stanza)
67 local text = stanza[1];
68 if text then
69 text = base64.decode(text);
70 --log("debug", "AUTH: %s", text:gsub("[%z\001-\008\011\012\014-\031]", " "));
71 if not text then
72 session.sasl_handler = nil;
73 session.send(build_reply("failure", "incorrect-encoding"));
74 return true;
75 end
76 end
77 local status, ret, err_msg = session.sasl_handler:process(text);
78 status, ret, err_msg = handle_status(session, status, ret, err_msg);
79 local s = build_reply(status, ret, err_msg);
80 log("debug", "sasl reply: %s", tostring(s));
81 session.send(s);
82 return true;
83 end
84
85 module:hook_stanza(xmlns_sasl, "success", function (session, stanza)
86 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
87 module:log("debug", "SASL EXTERNAL with %s succeeded", session.to_host);
88 session.external_auth = "succeeded"
89 session:reset_stream();
90 session:open_stream(session.from_host, session.to_host);
91
92 module:fire_event("s2s-authenticated", { session = session, host = session.to_host });
93 return true;
94 end)
95
96 module:hook_stanza(xmlns_sasl, "failure", function (session, stanza)
97 if session.type ~= "s2sout_unauthed" or session.external_auth ~= "attempting" then return; end
98
99 local text = stanza:get_child_text("text");
100 local condition = "unknown-condition";
101 for child in stanza:childtags() do
102 if child.name ~= "text" then
103 condition = child.name;
104 break;
105 end
106 end
107 if text and condition then
108 condition = condition .. ": " .. text;
109 end
110 module:log("info", "SASL EXTERNAL with %s failed: %s", session.to_host, condition);
111
112 session.external_auth = "failed"
113 end, 500)
114
115 module:hook_stanza(xmlns_sasl, "failure", function (session, stanza)
116 -- TODO: Dialback wasn't loaded. Do something useful.
117 end, 90)
118
119 module:hook_stanza("http://etherx.jabber.org/streams", "features", function (session, stanza)
120 if session.type ~= "s2sout_unauthed" or not session.secure then return; end
121
122 local mechanisms = stanza:get_child("mechanisms", xmlns_sasl)
123 if mechanisms then
124 for mech in mechanisms:childtags() do
125 if mech[1] == "EXTERNAL" then
126 module:log("debug", "Initiating SASL EXTERNAL with %s", session.to_host);
127 local reply = st.stanza("auth", {xmlns = xmlns_sasl, mechanism = "EXTERNAL"});
128 reply:text(base64.encode(session.from_host))
129 session.sends2s(reply)
130 session.external_auth = "attempting"
131 return true
132 end
133 end
134 end
135 end, 150);
136
137 local function s2s_external_auth(session, stanza)
138 local mechanism = stanza.attr.mechanism;
139
140 if not session.secure then
141 if mechanism == "EXTERNAL" then
142 session.sends2s(build_reply("failure", "encryption-required"))
143 else
144 session.sends2s(build_reply("failure", "invalid-mechanism"))
145 end
146 return true;
147 end
148
149 if mechanism ~= "EXTERNAL" or session.cert_chain_status ~= "valid" then
150 session.sends2s(build_reply("failure", "invalid-mechanism"))
151 return true;
152 end
153
154 local text = stanza[1]
155 if not text then
156 session.sends2s(build_reply("failure", "malformed-request"))
157 return true
158 end
159
160 -- Either the value is "=" and we've already verified the external
161 -- cert identity, or the value is a string and either matches the
162 -- from_host (
163
164 text = base64.decode(text)
165 if not text then
166 session.sends2s(build_reply("failure", "incorrect-encoding"))
167 return true;
168 end
169
170 if session.cert_identity_status == "valid" then
171 if text ~= "" and text ~= session.from_host then
172 session.sends2s(build_reply("failure", "invalid-authzid"))
173 return true
174 end
175 else
176 if text == "" then
177 session.sends2s(build_reply("failure", "invalid-authzid"))
178 return true
179 end
180
181 local cert = session.conn:socket():getpeercertificate()
182 if (cert_verify_identity(text, "xmpp-server", cert)) then
183 session.cert_identity_status = "valid"
184 else
185 session.cert_identity_status = "invalid"
186 session.sends2s(build_reply("failure", "invalid-authzid"))
187 return true
188 end
189 end
190
191 session.external_auth = "succeeded"
192
193 if not session.from_host then
194 session.from_host = text;
195 end
196 session.sends2s(build_reply("success"))
197
198 local domain = text ~= "" and text or session.from_host;
199 module:log("info", "Accepting SASL EXTERNAL identity from %s", domain);
200 module:fire_event("s2s-authenticated", { session = session, host = domain });
201 session:reset_stream();
202 return true
203 end
204
205 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
206 local session, stanza = event.origin, event.stanza;
207 if session.type == "s2sin_unauthed" then
208 return s2s_external_auth(session, stanza)
209 end
210
211 if session.type ~= "c2s_unauthed" or module:get_host_type() ~= "local" then return; end
212
213 if session.sasl_handler and session.sasl_handler.selected then
214 session.sasl_handler = nil; -- allow starting a new SASL negotiation before completing an old one
215 end
216 if not session.sasl_handler then
217 session.sasl_handler = usermanager_get_sasl_handler(module.host, session);
218 end
219 local mechanism = stanza.attr.mechanism;
220 if not session.secure and (secure_auth_only or (mechanism == "PLAIN" and not allow_unencrypted_plain_auth)) then
221 session.send(build_reply("failure", "encryption-required"));
222 return true;
223 end
224 local valid_mechanism = session.sasl_handler:select(mechanism);
225 if not valid_mechanism then
226 session.send(build_reply("failure", "invalid-mechanism"));
227 return true;
228 end
229 return sasl_process_cdata(session, stanza);
230 end);
231 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:response", function(event)
232 local session = event.origin;
233 if not(session.sasl_handler and session.sasl_handler.selected) then
234 session.send(build_reply("failure", "not-authorized", "Out of order SASL element"));
235 return true;
236 end
237 return sasl_process_cdata(session, event.stanza);
238 end);
239 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:abort", function(event)
240 local session = event.origin;
241 session.sasl_handler = nil;
242 session.send(build_reply("failure", "aborted"));
243 return true;
244 end);
245
246 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
247 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
248 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
249 module:hook("stream-features", function(event)
250 local origin, features = event.origin, event.features;
251 if not origin.username then
252 if secure_auth_only and not origin.secure then
253 return;
254 end
255 origin.sasl_handler = usermanager_get_sasl_handler(module.host, origin);
256 local mechanisms = st.stanza("mechanisms", mechanisms_attr);
257 for mechanism in pairs(origin.sasl_handler:mechanisms()) do
258 if mechanism ~= "PLAIN" or origin.secure or allow_unencrypted_plain_auth then
259 mechanisms:tag("mechanism"):text(mechanism):up();
260 end
261 end
262 if mechanisms[1] then features:add_child(mechanisms); end
263 else
264 features:tag("bind", bind_attr):tag("required"):up():up();
265 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
266 end
267 end);
268
269 module:hook("s2s-stream-features", function(event)
270 local origin, features = event.origin, event.features;
271 if origin.secure and origin.type == "s2sin_unauthed" then
272 -- Offer EXTERNAL if chain is valid and either we didn't validate
273 -- the identity or it passed.
274 if origin.cert_chain_status == "valid" and origin.cert_identity_status ~= "invalid" then --TODO: Configurable
275 module:log("debug", "Offering SASL EXTERNAL")
276 features:tag("mechanisms", { xmlns = xmlns_sasl })
277 :tag("mechanism"):text("EXTERNAL")
278 :up():up();
279 end
280 end
281 end);
282
283 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-bind:bind", function(event)
284 local origin, stanza = event.origin, event.stanza;
285 local resource;
286 if stanza.attr.type == "set" then
287 local bind = stanza.tags[1];
288 resource = bind:child_with_name("resource");
289 resource = resource and #resource.tags == 0 and resource[1] or nil;
290 end
291 local success, err_type, err, err_msg = sm_bind_resource(origin, resource);
292 if success then
293 origin.send(st.reply(stanza)
294 :tag("bind", { xmlns = xmlns_bind })
295 :tag("jid"):text(origin.full_jid));
296 origin.log("debug", "Resource bound: %s", origin.full_jid);
297 else
298 origin.send(st.error_reply(stanza, err_type, err, err_msg));
299 origin.log("debug", "Resource bind failed: %s", err_msg or err);
300 end
301 return true;
302 end);
303
304 local function handle_legacy_session(event)
305 event.origin.send(st.reply(event.stanza));
306 return true;
307 end
308
309 module:hook("iq/self/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);
310 module:hook("iq/host/urn:ietf:params:xml:ns:xmpp-session:session", handle_legacy_session);
Prosody is a modern XMPP communication server.