--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_client_management/mod_client_management.lua Thu Mar 30 11:32:50 2023 +0100
@@ -0,0 +1,270 @@
+local modulemanager = require "core.modulemanager";
+local usermanager = require "core.usermanager";
+
+local id = require "util.id";
+local jid = require "util.jid";
+local st = require "util.stanza";
+
+local strict = module:get_option_boolean("enforce_client_ids", false);
+
+local tokenauth = module:depends("tokenauth");
+local mod_fast = module:depends("sasl2_fast");
+
+local client_store = assert(module:open_store("clients", "keyval+"));
+--[[{
+ id = id;
+ first_seen =
+ last_seen =
+ user_agent = {
+ name =
+ os =
+ }
+--}]]
+
+local xmlns_sasl2 = "urn:xmpp:sasl:2";
+
+local function get_user_agent(sasl_handler, token_info)
+ local sasl_agent = sasl_handler and sasl_handler.user_agent;
+ local token_agent = token_info and token_info.data and token_info.data.oauth2_client;
+ if not (sasl_agent or token_agent) then return; end
+ return {
+ software = sasl_agent and sasl_agent.software or token_agent and token_agent.name or nil;
+ uri = token_agent and token_agent.uri or nil;
+ device = sasl_agent and sasl_agent.device or nil;
+ };
+end
+
+module:hook("sasl2/c2s/success", function (event)
+ local session = event.session;
+ local username, client_id = session.username, session.client_id;
+ local mechanism = session.sasl_handler.selected;
+ local token_info = session.sasl_handler.token_info;
+ local token_id = token_info and token_info.id or nil;
+
+ local now = os.time();
+ if client_id then -- SASL2, have client identifier
+ local is_new_client;
+
+ local client_state = client_store:get_key(username, client_id);
+ if not client_state then
+ is_new_client = true;
+ client_state = {
+ id = client_id;
+ first_seen = now;
+ user_agent = get_user_agent(session.sasl_handler, token_info);
+ full_jid = nil;
+ last_seen = nil;
+ mechanisms = {};
+ };
+ end
+ -- Update state
+ client_state.full_jid = session.full_jid;
+ client_state.last_seen = now;
+ client_state.mechanisms[mechanism] = now;
+ if session.sasl_handler.fast_auth then
+ client_state.fast_auth = now;
+ end
+ if token_id then
+ client_state.auth_token_id = token_id;
+ end
+ -- Store updated state
+ client_store:set_key(username, client_id, client_state);
+
+ if is_new_client then
+ module:fire_event("client_management/new-client", { client = client_state });
+ end
+ end
+end);
+
+local function find_client_by_resource(username, resource)
+ local full_jid = jid.join(username, module.host, resource);
+ local clients = client_store:get(username);
+ if not clients then return; end
+
+ for _, client_state in pairs(clients) do
+ if client_state.full_jid == full_jid then
+ return client_state;
+ end
+ end
+end
+
+module:hook("resource-bind", function (event)
+ local session = event.session;
+ if session.client_id then return; end
+ local is_new_client;
+ local client_state = find_client_by_resource(event.session.username, event.session.resource);
+ local now = os.time();
+ if not client_state then
+ is_new_client = true;
+ client_state = {
+ id = id.short();
+ first_seen = now;
+ user_agent = nil;
+ full_jid = nil;
+ last_seen = nil;
+ mechanisms = {};
+ legacy = true;
+ };
+ end
+
+ -- Update state
+ local legacy_info = session.client_management_info;
+ client_state.full_jid = session.full_jid;
+ client_state.last_seen = now;
+ client_state.mechanisms[legacy_info.mechanism] = now;
+ if legacy_info.fast_auth then
+ client_state.fast_auth = now;
+ end
+
+ local token_id = legacy_info.token_info and legacy_info.token_info.id;
+ if token_id then
+ client_state.auth_token_id = token_id;
+ end
+
+ -- Store updated state
+ client_store:set_key(session.username, client_state.id, client_state);
+
+ if is_new_client then
+ module:fire_event("client_management/new-client", { client = client_state });
+ end
+end);
+
+if strict then
+ module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth)
+ local user_agent = auth:get_child("user-agent");
+ if not user_agent or not user_agent.attr.id then
+ local failure = st.stanza("failure", { xmlns = xmlns_sasl2 })
+ :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up()
+ :text_tag("text", "Client identifier required but not supplied");
+ session.send(failure);
+ return true;
+ end
+ end, 500);
+
+ if modulemanager.get_modules_for_host(module.host):contains("saslauth") then
+ module:log("error", "mod_saslauth is enabled, but enforce_client_ids is enabled and will prevent it from working");
+ end
+
+ module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event)
+ -- Block legacy SASL, if for some reason it is being used (either mod_saslauth is loaded,
+ -- or clients try it without advertisement)
+ module:log("warn", "Blocking legacy SASL authentication because enforce_client_ids is enabled");
+ local failure = st.stanza("failure", { xmlns = xmlns_sasl2 })
+ :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up()
+ :text_tag("text", "Legacy SASL authentication is not available on this server");
+ event.session.send(failure);
+ return true;
+ end);
+else
+ -- Legacy client compat code
+ module:hook("authentication-success", function (event)
+ local session = event.session;
+ if session.client_id then return; end -- SASL2 client
+
+ local sasl_handler = session.sasl_handler;
+ session.client_management_info = {
+ mechanism = sasl_handler.selected;
+ token_info = sasl_handler.token_info;
+ fast_auth = sasl_handler.fast_auth;
+ };
+ end);
+end
+
+local function is_password_mechanism(mech_name)
+ if mech_name == "OAUTHBEARER" then return false; end
+ if mech_name:match("^HT%-") then return false; end
+ return true;
+end
+
+local function is_client_active(client)
+ local username, host = jid.split(client.full_jid);
+ local account_info = usermanager.get_account_info(username, host);
+ local last_password_change = account_info and account_info.password_updated;
+
+ local status = {};
+
+ -- Check for an active token grant that has been previously used by this client
+ if client.auth_token_id then
+ local grant = tokenauth.get_grant_info(client.auth_token_id);
+ if grant then
+ status.active_grant = grant;
+ end
+ end
+
+ -- Check for active FAST tokens
+ if client.fast_auth then
+ if mod_fast.is_client_fast(username, client.id, last_password_change) then
+ status.active_fast = client.fast_auth;
+ end
+ end
+
+ -- Client has access if any password-based SASL mechanisms have been used since last password change
+ for mech, mech_last_used in pairs(client.mechanisms) do
+ if is_password_mechanism(mech) and mech_last_used >= last_password_change then
+ status.active_password = mech_last_used;
+ end
+ end
+
+ if prosody.full_sessions[client.full_jid] then
+ status.active_connected = true;
+ end
+
+ if next(status) == nil then
+ return nil;
+ end
+ return status;
+end
+
+-- Public API
+--luacheck: ignore 131
+function get_active_clients(username)
+ local clients = client_store:get(username);
+ local active_clients = {};
+ local used_grants = {};
+
+ -- Go through known clients, check whether they could possibly log in
+ for client_id, client in pairs(clients or {}) do --luacheck: ignore 213/client_id
+ local active = is_client_active(client);
+ if active then
+ client.type = "session";
+ client.active = active;
+ table.insert(active_clients, client);
+ if active.active_grant then
+ used_grants[active.active_grant.id] = true;
+ end
+ end
+ end
+
+ -- Next, account for any grants that have been issued, but never actually logged in
+ for grant_id, grant in pairs(tokenauth.get_user_grants(username) or {}) do
+ if not used_grants[grant_id] then -- exclude grants already accounted for
+ table.insert(active_clients, {
+ id = grant_id;
+ type = "access";
+ first_seen = grant.created;
+ last_seen = grant.accessed;
+ active = {
+ active_grant = grant;
+ };
+ user_agent = get_user_agent(nil, grant);
+ });
+ end
+ end
+
+ table.sort(active_clients, function (a, b)
+ if a.last_seen and b.last_seen then
+ return a.last_seen < b.last_seen;
+ elseif not (a.last_seen or b.last_seen) then
+ if a.first_seen and b.first_seen then
+ return a.first_seen < b.first_seen;
+ end
+ elseif b.last_seen then
+ return true;
+ elseif a.last_seen then
+ return false;
+ end
+ return a.id < b.id;
+ end);
+
+ return active_clients;
+end