author | Kim Alvefur <zash@zash.se> |
Wed, 27 Mar 2024 19:33:11 +0100 | |
changeset 13471 | c2a476f4712a |
parent 13116 | b6aaab0846fe |
permissions | -rw-r--r-- |
12979
d10957394a3c
util: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12955
diff
changeset
|
1 |
local json = require "prosody.util.json"; |
12915
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 |
local _ENV = nil; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 |
|
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 |
|
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
local function oauthbearer(self, message) |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 |
if not message then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 |
return "failure", "malformed-request"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 |
|
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 |
if message == "\001" then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
return "failure", "not-authorized"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 |
|
13116
b6aaab0846fe
util.sasl.oauthbearer: Tighter parsing of SASL message
Kim Alvefur <zash@zash.se>
parents:
12979
diff
changeset
|
14 |
-- gs2-header kvsep *kvpair kvsep |
b6aaab0846fe
util.sasl.oauthbearer: Tighter parsing of SASL message
Kim Alvefur <zash@zash.se>
parents:
12979
diff
changeset
|
15 |
local gs2_header, kvpairs = message:match("^(n,[^,]*,)\001(.+)\001$"); |
12944
2aebd9bf02fc
util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzid
Kim Alvefur <zash@zash.se>
parents:
12942
diff
changeset
|
16 |
if not gs2_header then |
12915
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 |
return "failure", "malformed-request"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 |
end |
12944
2aebd9bf02fc
util.sasl.oauthbearer: Adjust parsing of GS2 to allow lack of authzid
Kim Alvefur <zash@zash.se>
parents:
12942
diff
changeset
|
19 |
local gs2_authzid = gs2_header:match("^[^,]*,a=([^,]*),$"); |
12915
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 |
|
13116
b6aaab0846fe
util.sasl.oauthbearer: Tighter parsing of SASL message
Kim Alvefur <zash@zash.se>
parents:
12979
diff
changeset
|
21 |
-- key "=" value kvsep |
12915
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 |
local auth_header; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 |
for k, v in kvpairs:gmatch("([a-zA-Z]+)=([\033-\126 \009\r\n]*)\001") do |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 |
if k == "auth" then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 |
auth_header = v; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 |
break; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 |
end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 |
|
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 |
if not auth_header then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 |
return "failure", "malformed-request"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 |
end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 |
|
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 |
local token = auth_header:match("^Bearer (.+)$"); |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 |
|
12942
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12941
diff
changeset
|
36 |
local username, state, token_info = self.profile.oauthbearer(self, token, self.realm, gs2_authzid); |
12915
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 |
|
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 |
if state == false then |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 |
return "failure", "account-disabled"; |
12942
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12941
diff
changeset
|
40 |
elseif state == nil or not username then |
12915
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 |
-- For token-level errors, RFC 7628 demands use of a JSON-encoded |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 |
-- challenge response upon failure. We relay additional info from |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 |
-- the auth backend if available. |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 |
return "challenge", json.encode({ |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 |
status = token_info and token_info.status or "invalid_token"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 |
scope = token_info and token_info.scope or nil; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 |
["openid-configuration"] = token_info and token_info.oidc_discovery_url or nil; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 |
}); |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 |
end |
12942
055b03d3059b
util.sasl.oauthbearer: Return username from callback instead using authzid (BC)
Kim Alvefur <zash@zash.se>
parents:
12941
diff
changeset
|
50 |
self.username = username; |
12941
23b20ede9c34
util.sasl.oauthbearer: Fix syntax error in b796e08e6376
Matthew Wild <mwild1@gmail.com>
parents:
12940
diff
changeset
|
51 |
self.token_info = token_info; |
12940
b796e08e6376
util.sasl.oauthbearer: Attach token_info to sasl handler
Matthew Wild <mwild1@gmail.com>
parents:
12922
diff
changeset
|
52 |
|
12915
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
53 |
return "success"; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
54 |
end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
55 |
|
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
56 |
local function init(registerMechanism) |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
57 |
registerMechanism("OAUTHBEARER", {"oauthbearer"}, oauthbearer); |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
58 |
end |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 |
|
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 |
return { |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 |
init = init; |
ab1164eda011
util.sasl: Add SASL OAUTHBEARER mechanism (RFC 7628)
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 |
} |