-- Prosody IM
-- Copyright (C) 2008-2013 Matthew Wild
-- Copyright (C) 2008-2013 Waqas Hussain
-- Copyright (C) 2014 Kim Alvefur
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
local new_sasl = require "util.sasl".new;
local base64 = require "util.encodings".base64.encode;
local have_async, async = pcall(require, "util.async");
local nodeprep = require "util.encodings".stringprep.nodeprep;
local log = module._log;
local host = module.host;
local password_auth_url = module:get_option_string("http_auth_url", ""):gsub("$host", host);
local cookie_auth_url = module:get_option_string("http_cookie_auth_url");
if cookie_auth_url then
cookie_auth_url = cookie_auth_url:gsub("$host", host);
end
local external_needs_authzid = cookie_auth_url and cookie_auth_url:match("$user");
if password_auth_url == "" and not cookie_auth_url then error("http_auth_url or http_cookie_auth_url required") end
local provider = {};
-- globals required by socket.http
if rawget(_G, "PROXY") == nil then
rawset(_G, "PROXY", false)
end
if rawget(_G, "base_parsed") == nil then
rawset(_G, "base_parsed", false)
end
if not have_async then -- FINE! Set your globals then
prosody.unlock_globals()
require "ltn12"
require "socket"
require "socket.http"
require "ssl.https"
prosody.lock_globals()
end
local function async_http_request(url, headers)
module:log("debug", "async_http_auth()");
local http = require "net.http";
local wait, done = async.waiter();
local content, code, request, response;
local ex = {
headers = headers;
}
local function cb(content_, code_, request_, response_)
content, code, request, response = content_, code_, request_, response_;
done();
end
http.request(url, ex, cb);
wait();
log("debug", "response code %s", tostring(code));
if code >= 200 and code <= 299 then
return true, content;
end
return nil;
end
local function sync_http_request(url, headers)
module:log("debug", "sync_http_auth()");
require "ltn12";
local http = require "socket.http";
local https = require "ssl.https";
local request;
if string.sub(url, 1, string.len('https')) == 'https' then
request = https.request;
else
request = http.request;
end
local body_chunks = {};
local _, code, headers, status = request{
url = url,
headers = headers;
sink = ltn12.sink.table(body_chunks);
};
log("debug", "response code %s %s", type(code), tostring(code));
if type(code) == "number" and code >= 200 and code <= 299 then
log("debug", "success")
return true, table.concat(body_chunks);
end
return nil;
end
local http_request = have_async and async_http_request or sync_http_request;
function http_test_password(username, password)
local url = password_auth_url:gsub("$user", username):gsub("$password", password);
log("debug", "Testing password for user %s at host %s with URL %s", username, host, url);
local ok = (http_request(url, { Authorization = "Basic "..base64(username..":"..password); }));
if not ok then
return nil, "not authorized";
end
return true;
end
function http_test_cookie(cookie, username)
local url = external_needs_authzid and cookie_auth_url:gsub("$user", username) or cookie_auth_url;
log("debug", "Testing cookie auth for user %s at host %s with URL %s", username or "<unknown>", host, url);
local ok, resp = http_request(url, { Cookie = cookie; });
if not ok then
return nil, "not authorized";
end
return external_needs_authzid or resp;
end
function provider.test_password(username, password)
return http_test_password(username, password);
end
function provider.users()
return function()
return nil;
end
end
function provider.set_password(username, password)
return nil, "Changing passwords not supported";
end
function provider.user_exists(username)
return true;
end
function provider.create_user(username, password)
return nil, "User creation not supported";
end
function provider.delete_user(username)
return nil , "User deletion not supported";
end
local function get_session_cookies(session)
local request = session.websocket_request; -- WebSockets
if not request and session.requests then -- BOSH
request = session.requests[1];
end
if not request and session.conn._http_open_response then -- Fallback BOSH
local response = session.conn._http_open_response;
request = response and response.request;
end
if request then
return request.headers.cookie;
end
end
function provider.get_sasl_handler(session)
local cookie = cookie_auth_url and get_session_cookies(session);
log("debug", "Request cookie: %s", cookie);
return new_sasl(host, {
plain_test = function(sasl, username, password, realm)
return provider.test_password(username, password), true;
end;
external = cookie and function (authzid)
if external_needs_authzid then
-- Authorize the username provided by the client, using request cookie
if authzid ~= "" then
module:log("warn", "Client requested authzid, but cookie auth URL does not contain $user variable");
return nil;
end
local success = http_test_cookie(cookie);
if not success then
return nil;
end
return nodeprep(authzid), true;
else
-- Authorize client using request cookie, username comes from auth server
if authzid == "" then
module:log("warn", "Client did not provide authzid, but cookie auth URL contains $user variable");
return nil;
end
local unprepped_username = http_test_cookie(cookie, nodeprep(authzid));
local username = nodeprep(unprepped_username);
if not username then
if unprepped_username then
log("warn", "Username supplied by cookie_auth_url is not valid for XMPP");
end
return nil;
end
return username, true;
end;
end;
});
end
module:provides("auth", provider);