plugins/mod_legacyauth.lua
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
local st = require "prosody.util.stanza";
local t_concat = table.concat;

-- Whether XEP-0078 (jabber:iq:auth) may only be used on encrypted streams.
-- The protocol sends the password in the clear, so this defaults to on.
-- Resolution: c2s_require_encryption, falling back to require_encryption
-- (default true), OR the absence of allow_unencrypted_plain_auth. Because
-- of the "or", plaintext legacy auth is only possible when the admin has
-- BOTH switched c2s_require_encryption/require_encryption off AND set
-- allow_unencrypted_plain_auth = true; disabling encryption alone is not
-- enough. The second option is only consulted if the first is falsy.
local secure_auth_only = module:get_option("c2s_require_encryption",
	module:get_option("require_encryption", true))
	or not(module:get_option("allow_unencrypted_plain_auth"));

local sessionmanager = require "prosody.core.sessionmanager";
local usermanager = require "prosody.core.usermanager";
-- Stringprep profiles used to validate/normalise the username (nodeprep)
-- and the resource (resourceprep) before they reach the auth and session
-- layers. The password is deliberately not run through any profile here.
local nodeprep = require "prosody.util.encodings".stringprep.nodeprep;
local resourceprep = require "prosody.util.encodings".stringprep.resourceprep;

-- Announce support for the legacy jabber:iq:auth protocol (XEP-0078).
module:add_feature("jabber:iq:auth");
-- Advertise <auth xmlns='http://jabber.org/features/iq-auth'/> in the
-- stream features of streams that may actually use it: never on an
-- unencrypted stream when secure_auth_only is set (so a plaintext client is
-- not invited to send its password in the clear), and never on a stream
-- that already has an authenticated user.
module:hook("stream-features", function(event)
	local session = event.origin;
	if secure_auth_only and not session.secure then
		return; -- not offered to insecure streams
	end
	if session.username then
		return; -- already authenticated; nothing to offer
	end
	event.features:tag("auth", {xmlns='http://jabber.org/features/iq-auth'}):up();
end);
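-- Handle a XEP-0078 <iq><query xmlns='jabber:iq:auth'/></iq> on a client
-- stream. Only the plaintext <password/> variant is supported: the client
-- sends username, password and resource, and on success is authenticated
-- and bound to that resource in one step. Replies with an error stanza
-- (and always consumes the event) on every failure path.
--
-- NOTE(review): there is no per-session failure counting or throttling in
-- this handler; brute-force protection, if any, has to come from elsewhere.
module:hook("stanza/iq/jabber:iq:auth:query", function(event)
	local session, stanza = event.origin, event.stanza;

	-- Only an unauthenticated client stream may use legacy auth. Anything
	-- else (already-authenticated clients, s2s) is refused; the send
	-- function differs per session kind, hence the sends2s fallback.
	if session.type ~= "c2s_unauthed" then
		(session.sends2s or session.send)(st.error_reply(stanza, "cancel", "service-unavailable",
			"Legacy authentication is only allowed for unauthenticated client connections."));
		return true;
	end

	-- The password travels in the clear, so refuse it on an unencrypted
	-- stream unless the admin explicitly allowed that (see secure_auth_only).
	if secure_auth_only and not session.secure then
		session.send(st.error_reply(stanza, "modify", "not-acceptable", "Encryption (SSL or TLS) is required to connect to this server"));
		return true;
	end

	local query = stanza.tags[1];
	local username = query:get_child("username");
	local password = query:get_child("password");
	local resource = query:get_child("resource");

	if not (username and password and resource) then
		-- Incomplete request: tell the client which fields are expected.
		-- Only <password/> is listed, so <digest/> is never negotiated.
		local reply = st.reply(stanza);
		session.send(reply:query("jabber:iq:auth")
			:tag("username"):up()
			:tag("password"):up()
			:tag("resource"):up());
		return true;
	end

	-- The three fields must be text-only. table.concat() raises when an
	-- element contains child tags (they are tables in the stanza's array
	-- part), which would abort the handler without any reply; treat such a
	-- query as malformed instead.
	if #username.tags > 0 or #password.tags > 0 or #resource.tags > 0 then
		session.send(st.error_reply(stanza, "modify", "bad-request"));
		return true;
	end
	username, password, resource = t_concat(username), t_concat(password), t_concat(resource);

	-- Normalise username and resource; stringprep returns nil for input it
	-- cannot map, which is a client error. The password is passed through
	-- untouched (no SASLprep) -- TODO confirm this matches the SASL path.
	username = nodeprep(username);
	resource = resourceprep(resource);
	if not (username and resource) then
		session.send(st.error_reply(stanza, "modify", "bad-request"));
		return true;
	end

	-- Whatever the reason test_password rejects (unknown account or wrong
	-- password), the reply is the same fixed not-authorized, so this path
	-- does not reveal which accounts exist. Response timing may still
	-- differ depending on the auth provider.
	if not usermanager.test_password(username, session.host, password) then
		session.send(st.error_reply(stanza, "auth", "not-authorized"));
		return true;
	end

	-- Authentication successful; promote the session.
	local success, err = sessionmanager.make_authenticated(session, username);
	if not success then
		session.send(st.error_reply(stanza, "auth", "not-authorized", err));
		return true;
	end

	-- Legacy auth binds the resource as part of the same exchange.
	local err_type, err_msg;
	success, err_type, err, err_msg = sessionmanager.bind_resource(session, resource);
	if not success then
		session.send(st.error_reply(stanza, err_type, err, err_msg));
		-- Roll the session back to unauthenticated so a failed bind does
		-- not leave behind an authenticated but unbound session.
		session.username, session.type = nil, "c2s_unauthed"; -- FIXME should this be placed in sessionmanager?
		return true;
	elseif resource ~= session.resource then
		-- The server assigned a different resource; jabber:iq:auth has no
		-- way to report that to the client, so the stream is closed.
		session.send(st.error_reply(stanza, "cancel", "conflict", "The requested resource could not be assigned to this session."));
		session:close(); -- FIXME undo resource bind and auth instead of closing the session?
		return true;
	end

	session.send(st.reply(stanza));
	return true;
end);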