plugins/mod_saslauth.lua

   1 -- Prosody IM
   2 -- Copyright (C) 2008-2009 Matthew Wild
   3 -- Copyright (C) 2008-2009 Waqas Hussain
   4 --
   5 -- This project is MIT/X11 licensed. Please see the
   6 -- COPYING file in the source package for more information.
   7 --
   8
   9
  10
  11 local st = require "util.stanza";
  12 local sm_bind_resource = require "core.sessionmanager".bind_resource;
  13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
  14 local base64 = require "util.encodings".base64;
  15
  16 local nodeprep = require "util.encodings".stringprep.nodeprep;
  17 local datamanager_load = require "util.datamanager".load;
  18 local usermanager_validate_credentials = require "core.usermanager".validate_credentials;
  19 local usermanager_get_supported_methods = require "core.usermanager".get_supported_methods;
  20 local usermanager_user_exists = require "core.usermanager".user_exists;
  21 local usermanager_get_password = require "core.usermanager".get_password;
  22 local t_concat, t_insert = table.concat, table.insert;
  23 local tostring = tostring;
  24 local jid_split = require "util.jid".split;
  25 local md5 = require "util.hashes".md5;
  26 local config = require "core.configmanager";
  27
  28 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
  29 local sasl_backend = module:get_option("sasl_backend") or "builtin";
  30
  31 local log = module._log;
  32
  33 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
  34 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
  35 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas';
  36
  37 local new_sasl;
  38 if sasl_backend == "cyrus" then
  39         local ok, cyrus = pcall(require, "util.sasl_cyrus");
  40         if ok then
  41                 local cyrus_new = cyrus.new;
  42                 new_sasl = function(realm)
  43                         return cyrus_new(realm, module:get_option("cyrus_service_name") or "xmpp");
  44                 end
  45         else
  46                 sasl_backend = "builtin";
  47                 module:log("warn", "Failed to load Cyrus SASL, falling back to builtin auth mechanisms");
  48                 module:log("debug", "Failed to load Cyrus because: %s", cyrus);
  49         end
  50 end
  51 if not new_sasl then
  52         if sasl_backend ~= "builtin" then module:log("warn", "Unknown SASL backend %s", sasl_backend); end;
  53         new_sasl = require "util.sasl".new;
  54 end
  55
  56 local default_authentication_profile = {
  57         plain = function(username, realm)
  58                 local prepped_username = nodeprep(username);
  59                 if not prepped_username then
  60                         log("debug", "NODEprep failed on username: %s", username);
  61                         return "", nil;
  62                 end
  63                 local password = usermanager_get_password(prepped_username, realm);
  64                 if not password then
  65                         return "", nil;
  66                 end
  67                 return password, true;
  68         end
  69 };
  70
  71 local anonymous_authentication_profile = {
  72         anonymous = function(username, realm)
  73                 return true; -- for normal usage you should always return true here
  74         end
  75 };
  76
  77 local function build_reply(status, ret, err_msg)
  78         local reply = st.stanza(status, {xmlns = xmlns_sasl});
  79         if status == "challenge" then
  80                 --log("debug", "CHALLENGE: %s", ret or "");
  81                 reply:text(base64.encode(ret or ""));
  82         elseif status == "failure" then
  83                 reply:tag(ret):up();
  84                 if err_msg then reply:tag("text"):text(err_msg); end
  85         elseif status == "success" then
  86                 --log("debug", "SUCCESS: %s", ret or "");
  87                 reply:text(base64.encode(ret or ""));
  88         else
  89                 module:log("error", "Unknown sasl status: %s", status);
  90         end
  91         return reply;
  92 end
  93
  94 local function handle_status(session, status)
  95         if status == "failure" then
  96                 session.sasl_handler = session.sasl_handler:clean_clone();
  97         elseif status == "success" then
  98                 local username = nodeprep(session.sasl_handler.username);
  99                 if not username then -- TODO move this to sessionmanager
 100                         module:log("warn", "SASL succeeded but we didn't get a username!");
 101                         session.sasl_handler = nil;
 102                         session:reset_stream();
 103                         return;
 104                 end
 105                 sm_make_authenticated(session, session.sasl_handler.username);
 106                 session.sasl_handler = nil;
 107                 session:reset_stream();
 108         end
 109 end
 110
 111 local function sasl_handler(session, stanza)
 112         if stanza.name == "auth" then
 113                 -- FIXME ignoring duplicates because ejabberd does
 114                 if config.get(session.host or "*", "core", "anonymous_login") then
 115                         if stanza.attr.mechanism ~= "ANONYMOUS" then
 116                                 return session.send(build_reply("failure", "invalid-mechanism"));
 117                         end
 118                 elseif stanza.attr.mechanism == "ANONYMOUS" then
 119                         return session.send(build_reply("failure", "mechanism-too-weak"));
 120                 end
 121                 local valid_mechanism = session.sasl_handler:select(stanza.attr.mechanism);
 122                 if not valid_mechanism then
 123                         return session.send(build_reply("failure", "invalid-mechanism"));
 124                 end
 125                 if secure_auth_only and not session.secure then
 126                         return session.send(build_reply("failure", "encryption-required"));
 127                 end
 128         elseif not session.sasl_handler then
 129                 return; -- FIXME ignoring out of order stanzas because ejabberd does
 130         end
 131         local text = stanza[1];
 132         if text then
 133                 text = base64.decode(text);
 134                 --log("debug", "AUTH: %s", text:gsub("[%z\001-\008\011\012\014-\031]", " "));
 135                 if not text then
 136                         session.sasl_handler = nil;
 137                         session.send(build_reply("failure", "incorrect-encoding"));
 138                         return;
 139                 end
 140         end
 141         local status, ret, err_msg = session.sasl_handler:process(text);
 142         handle_status(session, status);
 143         local s = build_reply(status, ret, err_msg);
 144         log("debug", "sasl reply: %s", tostring(s));
 145         session.send(s);
 146 end
 147
 148 module:add_handler("c2s_unauthed", "auth", xmlns_sasl, sasl_handler);
 149 module:add_handler("c2s_unauthed", "abort", xmlns_sasl, sasl_handler);
 150 module:add_handler("c2s_unauthed", "response", xmlns_sasl, sasl_handler);
 151
 152 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
 153 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
 154 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
 155 module:hook("stream-features", function(event)
 156         local origin, features = event.origin, event.features;
 157         if not origin.username then
 158                 if secure_auth_only and not origin.secure then
 159                         return;
 160                 end
 161                 if module:get_option("anonymous_login") then
 162                         origin.sasl_handler = new_sasl(origin.host, anonymous_authentication_profile);
 163                 else
 164                         origin.sasl_handler = new_sasl(origin.host, default_authentication_profile);
 165                         if not (module:get_option("allow_unencrypted_plain_auth")) and not origin.secure then
 166                                 origin.sasl_handler:forbidden({"PLAIN"});
 167                         end
 168                 end
 169                 features:tag("mechanisms", mechanisms_attr);
 170                 for k, v in pairs(origin.sasl_handler:mechanisms()) do
 171                         features:tag("mechanism"):text(v):up();
 172                 end
 173                 features:up();
 174         else
 175                 features:tag("bind", bind_attr):tag("required"):up():up();
 176                 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
 177         end
 178 end);
 179
 180 module:add_iq_handler("c2s", "urn:ietf:params:xml:ns:xmpp-bind", function(session, stanza)
 181         log("debug", "Client requesting a resource bind");
 182         local resource;
 183         if stanza.attr.type == "set" then
 184                 local bind = stanza.tags[1];
 185                 if bind and bind.attr.xmlns == xmlns_bind then
 186                         resource = bind:child_with_name("resource");
 187                         if resource then
 188                                 resource = resource[1];
 189                         end
 190                 end
 191         end
 192         local success, err_type, err, err_msg = sm_bind_resource(session, resource);
 193         if not success then
 194                 session.send(st.error_reply(stanza, err_type, err, err_msg));
 195         else
 196                 session.send(st.reply(stanza)
 197                         :tag("bind", { xmlns = xmlns_bind})
 198                         :tag("jid"):text(session.full_jid));
 199         end
 200 end);
 201
 202 module:add_iq_handler("c2s", "urn:ietf:params:xml:ns:xmpp-session", function(session, stanza)
 203         log("debug", "Client requesting a session");
 204         session.send(st.reply(stanza));
 205 end);