aboutsummaryrefslogtreecommitdiffstats
path: root/plugins
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2013-03-22 14:18:23 +0000
committerMatthew Wild <mwild1@gmail.com>2013-03-22 14:18:23 +0000
commitf068e80993a53e7ae194c364c2a52b1b6b76ed17 (patch)
tree56f94a216b68ee8338360b8c3e48a977cb013875 /plugins
parentee067c787551dc07f2bc3970b5636cdc5973da71 (diff)
downloadprosody-f068e80993a53e7ae194c364c2a52b1b6b76ed17.tar.gz
prosody-f068e80993a53e7ae194c364c2a52b1b6b76ed17.zip
s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event
Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_dialback.lua5
-rw-r--r--plugins/mod_s2s/mod_s2s.lua76
-rw-r--r--plugins/mod_saslauth.lua5
3 files changed, 78 insertions, 8 deletions
diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua
index 34d8a2fb..9dcb0ed5 100644
--- a/plugins/mod_dialback.lua
+++ b/plugins/mod_dialback.lua
@@ -7,7 +7,6 @@
--
local hosts = _G.hosts;
-local s2s_make_authenticated = require "core.s2smanager".make_authenticated;
local log = module._log;
@@ -110,7 +109,7 @@ module:hook("stanza/jabber:server:dialback:verify", function(event)
if dialback_verifying and attr.from == origin.to_host then
local valid;
if attr.type == "valid" then
- s2s_make_authenticated(dialback_verifying, attr.from);
+ module:fire_event("s2s-authenticated", { session = dialback_verifying, host = attr.from });
valid = "valid";
else
-- Warn the original connection that is was not verified successfully
@@ -146,7 +145,7 @@ module:hook("stanza/jabber:server:dialback:result", function(event)
return true;
end
if stanza.attr.type == "valid" then
- s2s_make_authenticated(origin, attr.from);
+ module:fire_event("s2s-authenticated", { session = origin, host = attr.from });
else
origin:close("not-authorized", "dialback authentication failed");
end
diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua
index 8d99b855..fb54188a 100644
--- a/plugins/mod_s2s/mod_s2s.lua
+++ b/plugins/mod_s2s/mod_s2s.lua
@@ -24,15 +24,17 @@ local new_xmpp_stream = require "util.xmppstream".new;
local s2s_new_incoming = require "core.s2smanager".new_incoming;
local s2s_new_outgoing = require "core.s2smanager".new_outgoing;
local s2s_destroy_session = require "core.s2smanager".destroy_session;
-local s2s_mark_connected = require "core.s2smanager".mark_connected;
local uuid_gen = require "util.uuid".generate;
local cert_verify_identity = require "util.x509".verify_identity;
+local fire_global_event = prosody.events.fire_event;
local s2sout = module:require("s2sout");
local connect_timeout = module:get_option_number("s2s_timeout", 90);
local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5);
+local require_encryption = module:get_option_boolean("s2s_require_encryption", secure_auth);
+
local sessions = module:shared("sessions");
local log = module._log;
@@ -132,6 +134,76 @@ function module.add_host(module)
end
module:hook("route/remote", route_to_existing_session, 200);
module:hook("route/remote", route_to_new_session, 100);
+ module:hook("s2s-authenticated", make_authenticated, -1);
+end
+
+-- Stream is authorised, and ready for normal stanzas
+function mark_connected(session)
+ local sendq, send = session.sendq, session.sends2s;
+
+ local from, to = session.from_host, session.to_host;
+
+ session.log("info", "%s s2s connection %s->%s complete", session.direction, from, to);
+
+ local event_data = { session = session };
+ if session.type == "s2sout" then
+ fire_global_event("s2sout-established", event_data);
+ hosts[from].events.fire_event("s2sout-established", event_data);
+ else
+ local host_session = hosts[to];
+ session.send = function(stanza)
+ return host_session.events.fire_event("route/remote", { from_host = to, to_host = from, stanza = stanza });
+ end;
+
+ fire_global_event("s2sin-established", event_data);
+ hosts[to].events.fire_event("s2sin-established", event_data);
+ end
+
+ if session.direction == "outgoing" then
+ if sendq then
+ session.log("debug", "sending %d queued stanzas across new outgoing connection to %s", #sendq, session.to_host);
+ for i, data in ipairs(sendq) do
+ send(data[1]);
+ sendq[i] = nil;
+ end
+ session.sendq = nil;
+ end
+
+ session.ip_hosts = nil;
+ session.srv_hosts = nil;
+ end
+end
+
+function make_authenticated(event)
+ local session, host = event.session, event.host;
+ if not session.secure then
+ if require_encryption or secure_auth or secure_domains[host] then
+ session:close({
+ condition = "policy-violation",
+ text = "Encrypted server-to-server communication is required but was not "
+ ..((session.direction == "outgoing" and "offered") or "used")
+ });
+ end
+ end
+ if session.type == "s2sout_unauthed" then
+ session.type = "s2sout";
+ elseif session.type == "s2sin_unauthed" then
+ session.type = "s2sin";
+ if host then
+ if not session.hosts[host] then session.hosts[host] = {}; end
+ session.hosts[host].authed = true;
+ end
+ elseif session.type == "s2sin" and host then
+ if not session.hosts[host] then session.hosts[host] = {}; end
+ session.hosts[host].authed = true;
+ else
+ return false;
+ end
+ session.log("debug", "connection %s->%s is now authenticated for %s", session.from_host, session.to_host, host);
+
+ mark_connected(session);
+
+ return true;
end
--- Helper to check that a session peer's certificate is valid
@@ -287,7 +359,7 @@ function stream_callbacks.streamopened(session, attr)
if not session.dialback_verifying then
hosts[session.from_host].events.fire_event("s2sout-authenticate-legacy", { origin = session });
else
- s2s_mark_connected(session);
+ mark_connected(session);
end
end
end
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index 264ee967..b75b1844 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -11,7 +11,6 @@
local st = require "util.stanza";
local sm_bind_resource = require "core.sessionmanager".bind_resource;
local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
-local s2s_make_authenticated = require "core.s2smanager".make_authenticated;
local base64 = require "util.encodings".base64;
local cert_verify_identity = require "util.x509".verify_identity;
@@ -90,7 +89,7 @@ module:hook_stanza(xmlns_sasl, "success", function (session, stanza)
session:reset_stream();
session:open_stream();
- s2s_make_authenticated(session, session.to_host);
+ module:fire_event("s2s-authenticated", { session = session, host = session.to_host });
return true;
end)
@@ -187,7 +186,7 @@ local function s2s_external_auth(session, stanza)
local domain = text ~= "" and text or session.from_host;
module:log("info", "Accepting SASL EXTERNAL identity from %s", domain);
- s2s_make_authenticated(session, domain);
+ module:fire_event("s2s-authenticated", { session = session, host = domain });
session:reset_stream();
return true
end