plugins/mod_saslauth.lua

   1 -- Prosody IM
   2 -- Copyright (C) 2008-2010 Matthew Wild
   3 -- Copyright (C) 2008-2010 Waqas Hussain
   4 --
   5 -- This project is MIT/X11 licensed. Please see the
   6 -- COPYING file in the source package for more information.
   7 --
   8
   9
  10
  11 local st = require "util.stanza";
  12 local sm_bind_resource = require "core.sessionmanager".bind_resource;
  13 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
  14 local base64 = require "util.encodings".base64;
  15
  16 local nodeprep = require "util.encodings".stringprep.nodeprep;
  17 local datamanager_load = require "util.datamanager".load;
  18 local usermanager_validate_credentials = require "core.usermanager".validate_credentials;
  19 local usermanager_get_supported_methods = require "core.usermanager".get_supported_methods;
  20 local usermanager_user_exists = require "core.usermanager".user_exists;
  21 local usermanager_get_password = require "core.usermanager".get_password;
  22 local t_concat, t_insert = table.concat, table.insert;
  23 local tostring = tostring;
  24 local jid_split = require "util.jid".split;
  25 local md5 = require "util.hashes".md5;
  26 local config = require "core.configmanager";
  27
  28 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
  29 local sasl_backend = module:get_option("sasl_backend") or "builtin";
  30
  31 -- Cyrus config options
  32 local require_provisioning = module:get_option("cyrus_require_provisioning") or false;
  33 local cyrus_service_realm = module:get_option("cyrus_service_realm");
  34 local cyrus_service_name = module:get_option("cyrus_service_name");
  35 local cyrus_application_name = module:get_option("cyrus_application_name");
  36
  37 local log = module._log;
  38
  39 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
  40 local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
  41 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas';
  42
  43 local new_sasl;
  44 if sasl_backend == "builtin" then
  45         new_sasl = require "util.sasl".new;
  46 elseif sasl_backend == "cyrus" then
  47         prosody.unlock_globals(); --FIXME: Figure out why this is needed and
  48                                   -- why cyrussasl isn't caught by the sandbox
  49         local ok, cyrus = pcall(require, "util.sasl_cyrus");
  50         prosody.lock_globals();
  51         if ok then
  52                 local cyrus_new = cyrus.new;
  53                 new_sasl = function(realm)
  54                         return cyrus_new(
  55                                 cyrus_service_realm or realm,
  56                                 cyrus_service_name or "xmpp",
  57                                 cyrus_application_name or "prosody"
  58                         );
  59                 end
  60         else
  61                 module:log("error", "Failed to load Cyrus SASL because: %s", cyrus);
  62                 error("Failed to load Cyrus SASL");
  63         end
  64 else
  65         module:log("error", "Unknown SASL backend: %s", sasl_backend);
  66         error("Unknown SASL backend");
  67 end
  68
  69 local default_authentication_profile = {
  70         plain = function(username, realm)
  71                 local prepped_username = nodeprep(username);
  72                 if not prepped_username then
  73                         log("debug", "NODEprep failed on username: %s", username);
  74                         return "", nil;
  75                 end
  76                 local password = usermanager_get_password(prepped_username, realm);
  77                 if not password then
  78                         return "", nil;
  79                 end
  80                 return password, true;
  81         end
  82 };
  83
  84 local anonymous_authentication_profile = {
  85         anonymous = function(username, realm)
  86                 return true; -- for normal usage you should always return true here
  87         end
  88 };
  89
  90 local function build_reply(status, ret, err_msg)
  91         local reply = st.stanza(status, {xmlns = xmlns_sasl});
  92         if status == "challenge" then
  93                 --log("debug", "CHALLENGE: %s", ret or "");
  94                 reply:text(base64.encode(ret or ""));
  95         elseif status == "failure" then
  96                 reply:tag(ret):up();
  97                 if err_msg then reply:tag("text"):text(err_msg); end
  98         elseif status == "success" then
  99                 --log("debug", "SUCCESS: %s", ret or "");
 100                 reply:text(base64.encode(ret or ""));
 101         else
 102                 module:log("error", "Unknown sasl status: %s", status);
 103         end
 104         return reply;
 105 end
 106
 107 local function handle_status(session, status, ret, err_msg)
 108         if status == "failure" then
 109                 session.sasl_handler = session.sasl_handler:clean_clone();
 110         elseif status == "success" then
 111                 local username = nodeprep(session.sasl_handler.username);
 112
 113                 if not(require_provisioning) or usermanager_user_exists(username, session.host) then
 114                         local aret, err = sm_make_authenticated(session, session.sasl_handler.username);
 115                         if aret then
 116                                 session.sasl_handler = nil;
 117                                 session:reset_stream();
 118                         else
 119                                 module:log("warn", "SASL succeeded but username was invalid");
 120                                 session.sasl_handler = session.sasl_handler:clean_clone();
 121                                 return "failure", "not-authorized", "User authenticated successfully, but username was invalid";
 122                         end
 123                 else
 124                         module:log("warn", "SASL succeeded but we don't have an account provisioned for %s", username);
 125                         session.sasl_handler = session.sasl_handler:clean_clone();
 126                         return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP";
 127                 end
 128         end
 129         return status, ret, err_msg;
 130 end
 131
 132 local function sasl_handler(session, stanza)
 133         if stanza.name == "auth" then
 134                 -- FIXME ignoring duplicates because ejabberd does
 135                 if config.get(session.host or "*", "core", "anonymous_login") then
 136                         if stanza.attr.mechanism ~= "ANONYMOUS" then
 137                                 return session.send(build_reply("failure", "invalid-mechanism"));
 138                         end
 139                 elseif stanza.attr.mechanism == "ANONYMOUS" then
 140                         return session.send(build_reply("failure", "mechanism-too-weak"));
 141                 end
 142                 local valid_mechanism = session.sasl_handler:select(stanza.attr.mechanism);
 143                 if not valid_mechanism then
 144                         return session.send(build_reply("failure", "invalid-mechanism"));
 145                 end
 146                 if secure_auth_only and not session.secure then
 147                         return session.send(build_reply("failure", "encryption-required"));
 148                 end
 149         elseif not session.sasl_handler then
 150                 return; -- FIXME ignoring out of order stanzas because ejabberd does
 151         end
 152         local text = stanza[1];
 153         if text then
 154                 text = base64.decode(text);
 155                 --log("debug", "AUTH: %s", text:gsub("[%z\001-\008\011\012\014-\031]", " "));
 156                 if not text then
 157                         session.sasl_handler = nil;
 158                         session.send(build_reply("failure", "incorrect-encoding"));
 159                         return;
 160                 end
 161         end
 162         local status, ret, err_msg = session.sasl_handler:process(text);
 163         status, ret, err_msg = handle_status(session, status, ret, err_msg);
 164         local s = build_reply(status, ret, err_msg);
 165         log("debug", "sasl reply: %s", tostring(s));
 166         session.send(s);
 167 end
 168
 169 module:add_handler("c2s_unauthed", "auth", xmlns_sasl, sasl_handler);
 170 module:add_handler("c2s_unauthed", "abort", xmlns_sasl, sasl_handler);
 171 module:add_handler("c2s_unauthed", "response", xmlns_sasl, sasl_handler);
 172
 173 local mechanisms_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-sasl' };
 174 local bind_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-bind' };
 175 local xmpp_session_attr = { xmlns='urn:ietf:params:xml:ns:xmpp-session' };
 176 module:hook("stream-features", function(event)
 177         local origin, features = event.origin, event.features;
 178         if not origin.username then
 179                 if secure_auth_only and not origin.secure then
 180                         return;
 181                 end
 182                 local realm = module:get_option("sasl_realm") or origin.host;
 183                 if module:get_option("anonymous_login") then
 184                         origin.sasl_handler = new_sasl(realm, anonymous_authentication_profile);
 185                 else
 186                         origin.sasl_handler = new_sasl(realm, default_authentication_profile);
 187                         if not (module:get_option("allow_unencrypted_plain_auth")) and not origin.secure then
 188                                 origin.sasl_handler:forbidden({"PLAIN"});
 189                         end
 190                 end
 191                 features:tag("mechanisms", mechanisms_attr);
 192                 for k, v in pairs(origin.sasl_handler:mechanisms()) do
 193                         features:tag("mechanism"):text(v):up();
 194                 end
 195                 features:up();
 196         else
 197                 features:tag("bind", bind_attr):tag("required"):up():up();
 198                 features:tag("session", xmpp_session_attr):tag("optional"):up():up();
 199         end
 200 end);
 201
 202 module:add_iq_handler("c2s", "urn:ietf:params:xml:ns:xmpp-bind", function(session, stanza)
 203         log("debug", "Client requesting a resource bind");
 204         local resource;
 205         if stanza.attr.type == "set" then
 206                 local bind = stanza.tags[1];
 207                 if bind and bind.attr.xmlns == xmlns_bind then
 208                         resource = bind:child_with_name("resource");
 209                         if resource then
 210                                 resource = resource[1];
 211                         end
 212                 end
 213         end
 214         local success, err_type, err, err_msg = sm_bind_resource(session, resource);
 215         if not success then
 216                 session.send(st.error_reply(stanza, err_type, err, err_msg));
 217         else
 218                 session.send(st.reply(stanza)
 219                         :tag("bind", { xmlns = xmlns_bind})
 220                         :tag("jid"):text(session.full_jid));
 221         end
 222 end);
 223
 224 module:add_iq_handler("c2s", "urn:ietf:params:xml:ns:xmpp-session", function(session, stanza)
 225         log("debug", "Client requesting a session");
 226         session.send(st.reply(stanza));
 227 end);