-rw-r--r-- | core/usermanager.lua | 18 | ||||
-rw-r--r-- | plugins/mod_register.lua | 5 | ||||
-rw-r--r-- | plugins/mod_saslauth.lua | 16 | ||||
-rw-r--r-- | plugins/mod_tls.lua | 5 | ||||
-rw-r--r-- | prosody.cfg.lua.dist | 178 | ||||
-rw-r--r-- | util/sasl/digest-md5.lua | 2 |
6 files changed, 120 insertions, 104 deletions
diff --git a/core/usermanager.lua b/core/usermanager.lua
index 6b19b651..8d7270c2 100644
--- a/core/usermanager.lua
+++ b/core/usermanager.lua
@@ -14,11 +14,15 @@ local ipairs = ipairs;
 local hashes = require "util.hashes";
 local jid_bare = require "util.jid".bare;
 local config = require "core.configmanager";
+local hosts = hosts;
 module "usermanager"
+local function is_cyrus(host) return config.get(host, "core", "sasl_backend") == "cyrus"; end
+
 function validate_credentials(host, username, password, method)
 log("debug", "User '%s' is being validated", username);
+ if is_cyrus(host) then return nil, "Legacy auth not supported with Cyrus SASL."; end
 local credentials = datamanager.load(username, host, "accounts") or {};
 if method == nil then method = "PLAIN"; end
@@ -48,14 +52,26 @@ function validate_credentials(host, username, password, method)
 end
 function get_password(username, host)
- return (datamanager.load(username, host, "accounts") or {}).password
+ if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end
+ return (datamanager.load(username, host, "accounts") or {}).password
+end
+function set_password(username, host, password)
+ if is_cyrus(host) then return nil, "Passwords unavailable for Cyrus SASL."; end
+ local account = datamanager.load(username, host, "accounts");
+ if account then
+ account.password = password;
+ return datamanager.store(username, host, "accounts", account);
+ end
+ return nil, "Account not available.";
 end
 function user_exists(username, host)
+ if is_cyrus(host) then return true; end
 return datamanager.load(username, host, "accounts") ~= nil; -- FIXME also check for empty credentials
 end
 function create_user(username, password, host)
+ if is_cyrus(host) then return nil, "Account creation/modification not available with Cyrus SASL."; end
 return datamanager.store(username, host, "accounts", {password = password});
 end
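Review bot: `user_exists` answers `true` for every username on a Cyrus host, so any caller that consults it — mod_register imports it, as the next file in this commit shows — now treats any local JID as a real account, whether or not Cyrus knows it. Cyrus cannot be queried for existence from here, but that blanket answer should be stated where it is made: `if is_cyrus(host) then return true; end -- Cyrus SASL cannot be queried for accounts; every local JID is assumed to exist, so callers must not use this as an authorization check`. Separately, the new `set_password(username, host, password)` takes `host` before `password` while `create_user(username, password, host)` a few lines below takes it after; the mod_register hunk passes them in the right order, but a single convention for both would remove an easy mistake.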
diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua
index 2a25d1d0..b8d142f7 100644
--- a/plugins/mod_register.lua
+++ b/plugins/mod_register.lua
@@ -12,6 +12,7 @@ local st = require "util.stanza";
 local datamanager = require "util.datamanager";
 local usermanager_user_exists = require "core.usermanager".user_exists;
 local usermanager_create_user = require "core.usermanager".create_user;
+local usermanager_set_password = require "core.usermanager".set_password;
 local datamanager_store = require "util.datamanager".store;
 local os_time = os.time;
 local nodeprep = require "util.encodings".stringprep.nodeprep;
@@ -34,7 +35,7 @@ module:add_iq_handler("c2s", "jabber:iq:register", function (session, stanza)
 local username, host = session.username, session.host;
 --session.send(st.error_reply(stanza, "cancel", "not-allowed"));
 --return;
- usermanager_create_user(username, nil, host); -- Disable account
+ usermanager_set_password(username, host, nil); -- Disable account
 -- FIXME the disabling currently allows a different user to recreate the account
 -- we should add an in-memory account block mode when we have threading
 session.send(st.reply(stanza));
@@ -69,7 +70,7 @@ module:add_iq_handler("c2s", "jabber:iq:register", function (session, stanza)
 username = nodeprep(table.concat(username));
 password = table.concat(password);
 if username == session.username then
- if usermanager_create_user(username, password, session.host) then -- password change -- TODO is this the right way?
+ if usermanager_set_password(username, session.host, password) then
 session.send(st.reply(stanza));
 else
 -- TODO unable to write file, file may be locked, etc, what's the correct error?
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index f2fe44ea..c0360553 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
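Review bot: The account-removal path discards the result of `usermanager_set_password(username, host, nil)` and sends `st.reply(stanza)` unconditionally, yet on a Cyrus host that call returns `nil, "Passwords unavailable for Cyrus SASL."` (see the usermanager hunk), so the client is told its account was disabled while nothing changed. Check the result before acknowledging: `local ok, err = usermanager_set_password(username, host, nil); -- Disable account` followed by `if not ok then session.send(st.error_reply(stanza, "cancel", "not-allowed")); return; end`. The password-change hunk further down already branches on the return value, so the two paths would then be consistent. The enclosing `add_iq_handler` callback begins and ends outside the hunk.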
@@ -35,7 +35,9 @@ local xmlns_bind ='urn:ietf:params:xml:ns:xmpp-bind';
 local xmlns_stanzas ='urn:ietf:params:xml:ns:xmpp-stanzas';
 local new_sasl;
-if sasl_backend == "cyrus" then
+if sasl_backend == "builtin" then
+ new_sasl = require "util.sasl".new;
+elseif sasl_backend == "cyrus" then
 prosody.unlock_globals(); --FIXME: Figure out why this is needed and
 -- why cyrussasl isn't caught by the sandbox
 local ok, cyrus = pcall(require, "util.sasl_cyrus");
@@ -46,14 +48,12 @@ if sasl_backend == "cyrus" then
 return cyrus_new(realm, module:get_option("cyrus_service_name") or "xmpp");
 end
 else
- sasl_backend = "builtin";
- module:log("warn", "Failed to load Cyrus SASL, falling back to builtin auth mechanisms");
- module:log("debug", "Failed to load Cyrus because: %s", cyrus);
+ module:log("error", "Failed to load Cyrus SASL because: %s", cyrus);
+ error("Failed to load Cyrus SASL");
 end
-end
-if not new_sasl then
- if sasl_backend ~= "builtin" then module:log("warn", "Unknown SASL backend %s", sasl_backend); end;
- new_sasl = require "util.sasl".new;
+else
+ module:log("error", "Unknown SASL backend: %s", sasl_backend);
+ error("Unknown SASL backend");
 end
 local default_authentication_profile = {
diff --git a/plugins/mod_tls.lua b/plugins/mod_tls.lua
index b30ad3f3..8b96aa15 100644
--- a/plugins/mod_tls.lua
+++ b/plugins/mod_tls.lua
@@ -10,6 +10,7 @@ local st = require "util.stanza";
 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
 local secure_s2s_only = module:get_option("s2s_require_encryption");
+local allow_s2s_tls = module:get_option("s2s_allow_encryption") ~= false;
 local xmlns_starttls = 'urn:ietf:params:xml:ns:xmpp-tls';
 local starttls_attr = { xmlns = xmlns_starttls };
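Review bot: Failing closed when Cyrus cannot be loaded or the backend name is unknown is the right change, but the new trailing `else` also fires when `sasl_backend` is `nil`, so unless its declaration above this hunk applies a default (`module:get_option("sasl_backend") or "builtin"`), every configuration that never set the option now aborts module load instead of getting builtin auth as it did before. The declaration is outside the hunk, so please confirm the default is there or add it. If the value can be `nil`, `module:log("error", "Unknown SASL backend: %s", sasl_backend)` should pass `tostring(sasl_backend)`, in case the logger hands the arguments to `string.format` (its treatment of nil is not visible here).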
@@ -27,9 +28,9 @@ local host = hosts[module.host];
 local function can_do_tls(session)
 if session.type == "c2s_unauthed" then
 return session.conn.starttls and host.ssl_ctx_in;
- elseif session.type == "s2sin_unauthed" then
+ elseif session.type == "s2sin_unauthed" and allow_s2s_tls then
 return session.conn.starttls and host.ssl_ctx_in;
- elseif session.direction == "outgoing" then
+ elseif session.direction == "outgoing" and allow_s2s_tls then
 return session.conn.starttls and host.ssl_ctx;
 end
 return false;
diff --git a/prosody.cfg.lua.dist b/prosody.cfg.lua.dist
index 021f6f11..c959b4fe 100644
--- a/prosody.cfg.lua.dist
+++ b/prosody.cfg.lua.dist
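Review bot: `s2s_allow_encryption = false` now makes `can_do_tls` return `false` on both s2s branches, and nothing in this hunk or the previous one reconciles that with `s2s_require_encryption`; an operator who sets both presumably ends up with s2s that can neither negotiate TLS nor be allowed without it, and nothing in the log says why. Add a startup check beside the option read in the previous hunk: `if secure_s2s_only and not allow_s2s_tls then module:log("warn", "s2s_require_encryption is set but s2s_allow_encryption is false; s2s connections cannot satisfy both"); end`. How `secure_s2s_only` is enforced lies outside these hunks, so the exact failure mode should be confirmed before wording the message.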
@@ -34,85 +34,85 @@ -- Server-wide settings go in this section Host "*" - -- This is a (by default, empty) list of accounts that are admins for the - -- server. Note that you must create the accounts separately (see - -- http://prosody.im/doc/creating_accounts) - -- Example: admins = { "user1@example.com", "user2@example.net" } - admins = { } - - -- Enable use of libevent for better performance under high load - -- For more information see: http://prosody.im/doc/libevent - --use_libevent = true; - - -- This is the list of modules Prosody will load on startup. It looks for - -- mod_modulename.lua in the plugins folder, so make sure that exists too. - -- Documentation on modules can be found at: http://prosody.im/doc/modules - modules_enabled = { - -- Generally required - "roster"; -- Allow users to have a roster. Recommended ;) - "saslauth"; -- Authentication for clients and servers. Recommended if - -- you want to log in. - "dialback"; -- s2s dialback support - "disco"; -- Service discovery - "posix"; -- POSIX functionality, daemonizes, enables syslog, etc. - - -- Not essential, but recommended - "private"; -- Private XML storage (for room bookmarks, etc.) - "vcard"; -- Allow users to set vCards - "privacy"; -- Support privacy lists - "tls"; -- Support for secure TLS on c2s/s2s connections - --"compression"; -- Stream compression for client-to-server streams - - -- Nice to have - "legacyauth"; -- Legacy authentication. Only used by some old - -- clients and bots. 
- "version"; -- Replies to server version requests - "uptime"; -- Report how long server has been running - "time"; -- Let others know the time here on this server - "ping"; -- Replies to XMPP pings with pongs - "pep"; -- Enables users to publish their mood, activity, playing - -- music and more - "register"; -- Allow users to register on this server using a client - -- and change passwords - - -- Other specific functionality - --"console"; -- telnet to port 5582 - -- (needs console_enabled = true) - --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" - --"httpserver"; -- Serve static files from a directory over - -- HTTP - --"groups"; -- Shared roster support - --"announce"; -- Send announcement to all online users - --"welcome"; -- Welcome users who register accounts - --"watchregistrations"; -- Alert admins of registrations - } - - -- These modules are auto-loaded, should you for (for some mad - -- reason) want to disable them then uncomment them below. - modules_disabled = { - --"presence"; - --"message"; - --"iq"; - } - - -- Disable account creation by default, for security - -- For more information see http://prosody.im/doc/creating_accounts - allow_registration = false; - - --These are the SSL/TLS-related settings. - --ssl = { - -- key = "certs/localhost.key"; - -- certificate = "certs/localhost.cert"; - --} - - -- Require encryption on client/server connections? - --c2s_require_encryption = false - --s2s_require_encryption = false - - -- Logging configuration - -- For advanced logging see http://prosody.im/doc/logging - log = "prosody.log"; - debug = false; -- Log debug messages? + -- This is a (by default, empty) list of accounts that are admins for the + -- server. 
Note that you must create the accounts separately (see + -- http://prosody.im/doc/creating_accounts) + -- Example: admins = { "user1@example.com", "user2@example.net" } + admins = { } + + -- Enable use of libevent for better performance under high load + -- For more information see: http://prosody.im/doc/libevent + --use_libevent = true; + + -- This is the list of modules Prosody will load on startup. It looks for + -- mod_modulename.lua in the plugins folder, so make sure that exists too. + -- Documentation on modules can be found at: http://prosody.im/doc/modules + modules_enabled = { + -- Generally required + "roster"; -- Allow users to have a roster. Recommended ;) + "saslauth"; -- Authentication for clients and servers. Recommended if + -- you want to log in. + "dialback"; -- s2s dialback support + "disco"; -- Service discovery + "posix"; -- POSIX functionality, daemonizes, enables syslog, etc. + + -- Not essential, but recommended + "private"; -- Private XML storage (for room bookmarks, etc.) + "vcard"; -- Allow users to set vCards + "tls"; -- Support for secure TLS on c2s/s2s connections + --"privacy"; -- Support privacy lists + --"compression"; -- Stream compression for client-to-server streams + + -- Nice to have + "legacyauth"; -- Legacy authentication. Only used by some old + -- clients and bots. 
+ "version"; -- Replies to server version requests + "uptime"; -- Report how long server has been running + "time"; -- Let others know the time here on this server + "ping"; -- Replies to XMPP pings with pongs + "pep"; -- Enables users to publish their mood, activity, playing + -- music and more + "register"; -- Allow users to register on this server using a client + -- and change passwords + + -- Other specific functionality + --"console"; -- telnet to port 5582 + -- (needs console_enabled = true) + --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP" + --"httpserver"; -- Serve static files from a directory over + -- HTTP + --"groups"; -- Shared roster support + --"announce"; -- Send announcement to all online users + --"welcome"; -- Welcome users who register accounts + --"watchregistrations"; -- Alert admins of registrations + } + + -- These modules are auto-loaded, should you for (for some mad + -- reason) want to disable them then uncomment them below. + modules_disabled = { + --"presence"; + --"message"; + --"iq"; + } + + -- Disable account creation by default, for security + -- For more information see http://prosody.im/doc/creating_accounts + allow_registration = false; + + --These are the SSL/TLS-related settings. + --ssl = { + -- key = "certs/localhost.key"; + -- certificate = "certs/localhost.cert"; + --} + + -- Require encryption on client/server connections? + --c2s_require_encryption = false + --s2s_require_encryption = false + + -- Logging configuration + -- For advanced logging see http://prosody.im/doc/logging + log = "prosody.log"; + debug = false; -- Log debug messages? -- This allows clients to connect to localhost. No harm in it. Host "localhost" 
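Review bot: `"privacy"` moves from the enabled module list to a commented-out entry inside an 85-line hunk that is otherwise a whitespace-only re-indentation, so the one behavioural change to the shipped default configuration is almost impossible to spot in the diff. Split the reindent from the functional change, or at least give the new line a reason a reader can act on, e.g. `--"privacy"; -- Support privacy lists (off by default: state the reason here)`. The `"tls"` entry also changes position in the same hunk, which is harmless but adds to the noise.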
@@ -120,16 +120,16 @@ Host "localhost"
 -- Section for example.com
 -- (replace example.com with your domain name)
 Host "example.com"
- enabled = false -- This will disable the host, preserving the config, but
- -- denying connections (remove to enable!)
-
- -- Assign this host a certificate for TLS, otherwise it would use the one
- -- set in the global section (if any). Note that old-style SSL on port 5223
- -- only supports one certificate, and will always use the global one.
- --ssl = {
- -- key = "certs/example.com.key";
- -- certificate = "certs/example.com.crt";
- --}
+ enabled = false -- This will disable the host, preserving the config, but
+ -- denying connections (remove to enable!)
+
+ -- Assign this host a certificate for TLS, otherwise it would use the one
+ -- set in the global section (if any). Note that old-style SSL on port 5223
+ -- only supports one certificate, and will always use the global one.
+ --ssl = {
+ -- key = "certs/example.com.key";
+ -- certificate = "certs/example.com.crt";
+ --}
 -- Set up a MUC (multi-user chat) room server on conference.example.com:
 --Component "conference.example.com" "muc"
diff --git a/util/sasl/digest-md5.lua b/util/sasl/digest-md5.lua
index 5b8f5c8a..04acf04d 100644
--- a/util/sasl/digest-md5.lua
+++ b/util/sasl/digest-md5.lua
@@ -35,8 +35,6 @@ local function digest(self, message)
 local function serialize(message)
 local data = ""
- if type(message) ~= "table" then error("serialize needs an argument of type table.") end
-
 -- testing all possible values
 if message["realm"] then data = data..[[realm="]]..message.realm..[[",]] end
 if message["nonce"] then data = data..[[nonce="]]..message.nonce..[[",]] end |
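Review bot: Removing the `type(message) ~= "table"` guard from `serialize` makes one class of caller bug silent: a string passed by mistake no longer raises, because indexing a string resolves through the string metatable and every `message["…"]` lookup yields `nil`, so the function quietly returns `""` and whatever consumes the serialized challenge or response sees an empty string. A number or `nil` still raises, but with a generic "attempt to index" message instead of the old explanatory one. If the check was dropped for a reason (a sandboxed `type`, performance), record it in a comment; otherwise `assert(type(message) == "table", "serialize needs an argument of type table.")` keeps the protection in one line. The rest of `serialize` continues past the hunk.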