diff options
-rw-r--r-- | core/s2smanager.lua | 75 | ||||
-rw-r--r-- | plugins/mod_dialback.lua | 5 | ||||
-rw-r--r-- | plugins/mod_s2s/mod_s2s.lua | 76 | ||||
-rw-r--r-- | plugins/mod_saslauth.lua | 5 |
4 files changed, 80 insertions, 81 deletions
diff --git a/core/s2smanager.lua b/core/s2smanager.lua index 86389d8d..b034fcae 100644 --- a/core/s2smanager.lua +++ b/core/s2smanager.lua @@ -9,15 +9,13 @@ local hosts = hosts; -local tostring, pairs, ipairs, getmetatable, newproxy, setmetatable - = tostring, pairs, ipairs, getmetatable, newproxy, setmetatable; +local tostring, pairs, getmetatable, newproxy, setmetatable + = tostring, pairs, getmetatable, newproxy, setmetatable; local logger_init = require "util.logger".init; local log = logger_init("s2smanager"); -local config = require "core.configmanager"; - local prosody = _G.prosody; incoming_s2s = {}; prosody.incoming_s2s = incoming_s2s; @@ -49,75 +47,6 @@ function new_outgoing(from_host, to_host, connect) return host_session; end -function make_authenticated(session, host) - if not session.secure then - local local_host = session.direction == "incoming" and session.to_host or session.from_host; - if config.get(local_host, "core", "s2s_require_encryption") then - session:close({ - condition = "policy-violation", - text = "Encrypted server-to-server communication is required but was not " - ..((session.direction == "outgoing" and "offered") or "used") - }); - end - end - if session.type == "s2sout_unauthed" then - session.type = "s2sout"; - elseif session.type == "s2sin_unauthed" then - session.type = "s2sin"; - if host then - if not session.hosts[host] then session.hosts[host] = {}; end - session.hosts[host].authed = true; - end - elseif session.type == "s2sin" and host then - if not session.hosts[host] then session.hosts[host] = {}; end - session.hosts[host].authed = true; - else - return false; - end - session.log("debug", "connection %s->%s is now authenticated for %s", session.from_host, session.to_host, host); - - mark_connected(session); - - return true; -end - --- Stream is authorised, and ready for normal stanzas -function mark_connected(session) - local sendq, send = session.sendq, session.sends2s; - - local from, to = session.from_host, session.to_host; - - session.log("info", "%s s2s connection %s->%s complete", session.direction, from, to); - - local event_data = { session = session }; - if session.type == "s2sout" then - fire_event("s2sout-established", event_data); - hosts[from].events.fire_event("s2sout-established", event_data); - else - local host_session = hosts[to]; - session.send = function(stanza) - return host_session.events.fire_event("route/remote", { from_host = to, to_host = from, stanza = stanza }); - end; - - fire_event("s2sin-established", event_data); - hosts[to].events.fire_event("s2sin-established", event_data); - end - - if session.direction == "outgoing" then - if sendq then - session.log("debug", "sending %d queued stanzas across new outgoing connection to %s", #sendq, session.to_host); - for i, data in ipairs(sendq) do - send(data[1]); - sendq[i] = nil; - end - session.sendq = nil; - end - - session.ip_hosts = nil; - session.srv_hosts = nil; - end -end - local resting_session = { -- Resting, not dead destroyed = true; type = "s2s_destroyed"; diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua index 34d8a2fb..9dcb0ed5 100644 --- a/plugins/mod_dialback.lua +++ b/plugins/mod_dialback.lua @@ -7,7 +7,6 @@ -- local hosts = _G.hosts; -local s2s_make_authenticated = require "core.s2smanager".make_authenticated; local log = module._log; @@ -110,7 +109,7 @@ module:hook("stanza/jabber:server:dialback:verify", function(event) if dialback_verifying and attr.from == origin.to_host then local valid; if attr.type == "valid" then - s2s_make_authenticated(dialback_verifying, attr.from); + module:fire_event("s2s-authenticated", { session = dialback_verifying, host = attr.from }); valid = "valid"; else -- Warn the original connection that is was not verified successfully @@ -146,7 +145,7 @@ module:hook("stanza/jabber:server:dialback:result", function(event) return true; end if stanza.attr.type == "valid" then - s2s_make_authenticated(origin, attr.from); + module:fire_event("s2s-authenticated", { session = origin, host = attr.from }); else origin:close("not-authorized", "dialback authentication failed"); end diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index 8d99b855..fb54188a 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -24,15 +24,17 @@ local new_xmpp_stream = require "util.xmppstream".new; local s2s_new_incoming = require "core.s2smanager".new_incoming; local s2s_new_outgoing = require "core.s2smanager".new_outgoing; local s2s_destroy_session = require "core.s2smanager".destroy_session; -local s2s_mark_connected = require "core.s2smanager".mark_connected; local uuid_gen = require "util.uuid".generate; local cert_verify_identity = require "util.x509".verify_identity; +local fire_global_event = prosody.events.fire_event; local s2sout = module:require("s2sout"); local connect_timeout = module:get_option_number("s2s_timeout", 90); local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5); +local require_encryption = module:get_option_boolean("s2s_require_encryption", secure_auth); + local sessions = module:shared("sessions"); local log = module._log; @@ -132,6 +134,76 @@ function module.add_host(module) end module:hook("route/remote", route_to_existing_session, 200); module:hook("route/remote", route_to_new_session, 100); + module:hook("s2s-authenticated", make_authenticated, -1); +end + +-- Stream is authorised, and ready for normal stanzas +function mark_connected(session) + local sendq, send = session.sendq, session.sends2s; + + local from, to = session.from_host, session.to_host; + + session.log("info", "%s s2s connection %s->%s complete", session.direction, from, to); + + local event_data = { session = session }; + if session.type == "s2sout" then + fire_global_event("s2sout-established", event_data); + hosts[from].events.fire_event("s2sout-established", event_data); + else + local host_session = hosts[to]; + session.send = function(stanza) + return host_session.events.fire_event("route/remote", { from_host = to, to_host = from, stanza = stanza }); + end; + + fire_global_event("s2sin-established", event_data); + hosts[to].events.fire_event("s2sin-established", event_data); + end + + if session.direction == "outgoing" then + if sendq then + session.log("debug", "sending %d queued stanzas across new outgoing connection to %s", #sendq, session.to_host); + for i, data in ipairs(sendq) do + send(data[1]); + sendq[i] = nil; + end + session.sendq = nil; + end + + session.ip_hosts = nil; + session.srv_hosts = nil; + end +end + +function make_authenticated(event) + local session, host = event.session, event.host; + if not session.secure then + if require_encryption or secure_auth or secure_domains[host] then + session:close({ + condition = "policy-violation", + text = "Encrypted server-to-server communication is required but was not " + ..((session.direction == "outgoing" and "offered") or "used") + }); + end + end + if session.type == "s2sout_unauthed" then + session.type = "s2sout"; + elseif session.type == "s2sin_unauthed" then + session.type = "s2sin"; + if host then + if not session.hosts[host] then session.hosts[host] = {}; end + session.hosts[host].authed = true; + end + elseif session.type == "s2sin" and host then + if not session.hosts[host] then session.hosts[host] = {}; end + session.hosts[host].authed = true; + else + return false; + end + session.log("debug", "connection %s->%s is now authenticated for %s", session.from_host, session.to_host, host); + + mark_connected(session); + + return true; end --- Helper to check that a session peer's certificate is valid @@ -287,7 +359,7 @@ function stream_callbacks.streamopened(session, attr) if not session.dialback_verifying then hosts[session.from_host].events.fire_event("s2sout-authenticate-legacy", { origin = session }); else - s2s_mark_connected(session); + mark_connected(session); end end end diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 264ee967..b75b1844 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -11,7 +11,6 @@ local st = require "util.stanza"; local sm_bind_resource = require "core.sessionmanager".bind_resource; local sm_make_authenticated = require "core.sessionmanager".make_authenticated; -local s2s_make_authenticated = require "core.s2smanager".make_authenticated; local base64 = require "util.encodings".base64; local cert_verify_identity = require "util.x509".verify_identity; @@ -90,7 +89,7 @@ module:hook_stanza(xmlns_sasl, "success", function (session, stanza) session:reset_stream(); session:open_stream(); - s2s_make_authenticated(session, session.to_host); + module:fire_event("s2s-authenticated", { session = session, host = session.to_host }); return true; end) @@ -187,7 +186,7 @@ local function s2s_external_auth(session, stanza) local domain = text ~= "" and text or session.from_host; module:log("info", "Accepting SASL EXTERNAL identity from %s", domain); - s2s_make_authenticated(session, domain); + module:fire_event("s2s-authenticated", { session = session, host = domain }); session:reset_stream(); return true end |