From 339e74b1b9961f14dc289656973997d6583771d9 Mon Sep 17 00:00:00 2001 From: Matthew Wild Date: Fri, 22 Mar 2013 14:18:23 +0000 Subject: s2smanager, mod_s2s, mod_dialback, mod_saslauth: Move s2smanager.make_authenticated() to mod_s2s, and plugins now signal authentication via the s2s-authenticated event --- plugins/mod_dialback.lua | 5 ++- plugins/mod_s2s/mod_s2s.lua | 76 +++++++++++++++++++++++++++++++++++++++++++-- plugins/mod_saslauth.lua | 5 ++- 3 files changed, 78 insertions(+), 8 deletions(-) (limited to 'plugins') diff --git a/plugins/mod_dialback.lua b/plugins/mod_dialback.lua index 34d8a2fb..9dcb0ed5 100644 --- a/plugins/mod_dialback.lua +++ b/plugins/mod_dialback.lua @@ -7,7 +7,6 @@ -- local hosts = _G.hosts; -local s2s_make_authenticated = require "core.s2smanager".make_authenticated; local log = module._log; @@ -110,7 +109,7 @@ module:hook("stanza/jabber:server:dialback:verify", function(event) if dialback_verifying and attr.from == origin.to_host then local valid; if attr.type == "valid" then - s2s_make_authenticated(dialback_verifying, attr.from); + module:fire_event("s2s-authenticated", { session = dialback_verifying, host = attr.from }); valid = "valid"; else -- Warn the original connection that is was not verified successfully @@ -146,7 +145,7 @@ module:hook("stanza/jabber:server:dialback:result", function(event) return true; end if stanza.attr.type == "valid" then - s2s_make_authenticated(origin, attr.from); + module:fire_event("s2s-authenticated", { session = origin, host = attr.from }); else origin:close("not-authorized", "dialback authentication failed"); end diff --git a/plugins/mod_s2s/mod_s2s.lua b/plugins/mod_s2s/mod_s2s.lua index 8d99b855..fb54188a 100644 --- a/plugins/mod_s2s/mod_s2s.lua +++ b/plugins/mod_s2s/mod_s2s.lua @@ -24,15 +24,17 @@ local new_xmpp_stream = require "util.xmppstream".new; local s2s_new_incoming = require "core.s2smanager".new_incoming; local s2s_new_outgoing = require "core.s2smanager".new_outgoing; local s2s_destroy_session = require "core.s2smanager".destroy_session; -local s2s_mark_connected = require "core.s2smanager".mark_connected; local uuid_gen = require "util.uuid".generate; local cert_verify_identity = require "util.x509".verify_identity; +local fire_global_event = prosody.events.fire_event; local s2sout = module:require("s2sout"); local connect_timeout = module:get_option_number("s2s_timeout", 90); local stream_close_timeout = module:get_option_number("s2s_close_timeout", 5); +local require_encryption = module:get_option_boolean("s2s_require_encryption", secure_auth); + local sessions = module:shared("sessions"); local log = module._log; @@ -132,6 +134,76 @@ function module.add_host(module) end module:hook("route/remote", route_to_existing_session, 200); module:hook("route/remote", route_to_new_session, 100); + module:hook("s2s-authenticated", make_authenticated, -1); +end + +-- Stream is authorised, and ready for normal stanzas +function mark_connected(session) + local sendq, send = session.sendq, session.sends2s; + + local from, to = session.from_host, session.to_host; + + session.log("info", "%s s2s connection %s->%s complete", session.direction, from, to); + + local event_data = { session = session }; + if session.type == "s2sout" then + fire_global_event("s2sout-established", event_data); + hosts[from].events.fire_event("s2sout-established", event_data); + else + local host_session = hosts[to]; + session.send = function(stanza) + return host_session.events.fire_event("route/remote", { from_host = to, to_host = from, stanza = stanza }); + end; + + fire_global_event("s2sin-established", event_data); + hosts[to].events.fire_event("s2sin-established", event_data); + end + + if session.direction == "outgoing" then + if sendq then + session.log("debug", "sending %d queued stanzas across new outgoing connection to %s", #sendq, session.to_host); + for i, data in ipairs(sendq) do + send(data[1]); + sendq[i] = nil; + end + session.sendq = nil; + end + + session.ip_hosts = nil; + session.srv_hosts = nil; + end +end + +function make_authenticated(event) + local session, host = event.session, event.host; + if not session.secure then + if require_encryption or secure_auth or secure_domains[host] then + session:close({ + condition = "policy-violation", + text = "Encrypted server-to-server communication is required but was not " + ..((session.direction == "outgoing" and "offered") or "used") + }); + end + end + if session.type == "s2sout_unauthed" then + session.type = "s2sout"; + elseif session.type == "s2sin_unauthed" then + session.type = "s2sin"; + if host then + if not session.hosts[host] then session.hosts[host] = {}; end + session.hosts[host].authed = true; + end + elseif session.type == "s2sin" and host then + if not session.hosts[host] then session.hosts[host] = {}; end + session.hosts[host].authed = true; + else + return false; + end + session.log("debug", "connection %s->%s is now authenticated for %s", session.from_host, session.to_host, host); + + mark_connected(session); + + return true; end --- Helper to check that a session peer's certificate is valid @@ -287,7 +359,7 @@ function stream_callbacks.streamopened(session, attr) if not session.dialback_verifying then hosts[session.from_host].events.fire_event("s2sout-authenticate-legacy", { origin = session }); else - s2s_mark_connected(session); + mark_connected(session); end end end diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua index 264ee967..b75b1844 100644 --- a/plugins/mod_saslauth.lua +++ b/plugins/mod_saslauth.lua @@ -11,7 +11,6 @@ local st = require "util.stanza"; local sm_bind_resource = require "core.sessionmanager".bind_resource; local sm_make_authenticated = require "core.sessionmanager".make_authenticated; -local s2s_make_authenticated = require "core.s2smanager".make_authenticated; local base64 = require "util.encodings".base64; local cert_verify_identity = require "util.x509".verify_identity; @@ -90,7 +89,7 @@ module:hook_stanza(xmlns_sasl, "success", function (session, stanza) session:reset_stream(); session:open_stream(); - s2s_make_authenticated(session, session.to_host); + module:fire_event("s2s-authenticated", { session = session, host = session.to_host }); return true; end) @@ -187,7 +186,7 @@ local function s2s_external_auth(session, stanza) local domain = text ~= "" and text or session.from_host; module:log("info", "Accepting SASL EXTERNAL identity from %s", domain); - s2s_make_authenticated(session, domain); + module:fire_event("s2s-authenticated", { session = session, host = domain }); session:reset_stream(); return true end -- cgit v1.2.3