Mercurial > prosody-modules
annotate mod_audit_auth/mod_audit_auth.lua @ 6319:04c3273cb81f
mod_auth_cyrus: Add empty 'profile' table to SASL handler objects
This is for compatibility with Prosody's built-in util.sasl objects.
A SASL profile table usually includes methods supported by the backend, which
can be used by SASL mechanism handlers to perform operations (such as testing
the password). It also optionally contains a 'cb' field with channel binding
method handlers.
The Cyrus backend doesn't support channel binding, and doesn't have the same
concept of auth backend methods (it handles all that internally, and Prosody
has no insight or control over it).
Thus, we create an empty profile which informs Prosody that the SASL handler
does not support any of the auth or channel binding methods. Some features
will not work, but they didn't work anyway. This just makes it explicit.
This fixes a traceback in mod_sasl2_fast, which expected SASL handlers to
always contain a 'profile' field.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 04 Sep 2025 10:14:46 +0100 |
| parents | cc30c4b5f006 |
| children |
| rev | line source |
|---|---|
|
5906
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
1 local cache = require "util.cache"; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
2 local jid = require "util.jid"; |
|
5749
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
3 local st = require "util.stanza"; |
|
5712
b357ff3d0c8a
mod_audit_auth: Include hostpart with audit events
Kim Alvefur <zash@zash.se>
parents:
4933
diff
changeset
|
4 |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
5 module:depends("audit"); |
|
4933
08dea42a302a
mod_audit*: fix luacheck warnings
Jonas Schäfer <jonas@wielicki.name>
parents:
4932
diff
changeset
|
6 -- luacheck: read globals module.audit |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
7 |
|
5748
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5712
diff
changeset
|
8 local only_passwords = module:get_option_boolean("audit_auth_passwords_only", true); |
|
5906
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
9 local cache_size = module:get_option_number("audit_auth_cache_size", 128); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
10 local repeat_failure_timeout = module:get_option_number("audit_auth_repeat_failure_timeout"); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
11 local repeat_success_timeout = module:get_option_number("audit_auth_repeat_success_timeout"); |
|
5748
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5712
diff
changeset
|
12 |
|
5906
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
13 local failure_cache = cache.new(cache_size); |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
14 module:hook("authentication-failure", function(event) |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
15 local session = event.session; |
|
5906
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
16 |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
17 local username = session.sasl_handler.username; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
18 if repeat_failure_timeout then |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
19 local cache_key = ("%s\0%s"):format(username, session.ip); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
20 local last_failure = failure_cache:get(cache_key); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
21 local now = os.time(); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
22 if last_failure and (now - last_failure) > repeat_failure_timeout then |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
23 return; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
24 end |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
25 failure_cache:set(cache_key, now); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
26 end |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
27 |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
28 module:audit(jid.join(username, module.host), "authentication-failure", { |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
29 session = session; |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
30 }); |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
31 end) |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
32 |
|
5906
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
33 local success_cache = cache.new(cache_size); |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
34 module:hook("authentication-success", function(event) |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
35 local session = event.session; |
|
5748
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5712
diff
changeset
|
36 if only_passwords and session.sasl_handler.fast then |
|
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5712
diff
changeset
|
37 return; |
|
dfbced5e54b9
mod_audit_auth: Ignore FAST authentication events by default
Matthew Wild <mwild1@gmail.com>
parents:
5712
diff
changeset
|
38 end |
|
5906
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
39 |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
40 local username = session.sasl_handler.username; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
41 if repeat_success_timeout then |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
42 local cache_key = ("%s\0%s"):format(username, session.ip); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
43 local last_success = success_cache:get(cache_key); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
44 local now = os.time(); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
45 if last_success and (now - last_success) > repeat_success_timeout then |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
46 return; |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
47 end |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
48 success_cache:set(cache_key, now); |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
49 end |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
50 |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
51 module:audit(jid.join(username, module.host), "authentication-success", { |
|
cc30c4b5f006
mod_audit_auth: Allow suppressing repeated failure/success log entries from the same IP for a time
Matthew Wild <mwild1@gmail.com>
parents:
5780
diff
changeset
|
52 session = session; |
|
4932
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
53 }); |
|
530d116b7f68
mod_audit*: modules for audit logging in prosody
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
54 end) |
|
5749
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
55 |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
56 module:hook("client_management/new-client", function (event) |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
57 local session, client = event.session, event.client; |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
58 |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
59 local client_info = st.stanza("client", { id = client.id }); |
|
5780
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
60 |
|
5749
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
61 if client.user_agent then |
|
5780
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
62 local user_agent = st.stanza("user-agent", { xmlns = "urn:xmpp:sasl:2" }) |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
63 if client.user_agent.software then |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
64 user_agent:text_tag("software", client.user_agent.software, { id = client.user_agent.software_id; version = client.user_agent.software_version }); |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
65 end |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
66 if client.user_agent.device then |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
67 user_agent:text_tag("device", client.user_agent.device); |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
68 end |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
69 if client.user_agent.uri then |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
70 user_agent:text_tag("uri", client.user_agent.uri); |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
71 end |
|
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
72 client_info:add_child(user_agent); |
|
5749
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
73 end |
|
5780
f199bff16f1f
mod_audit_auth: Improve user-agent building (fixes traceback)
Matthew Wild <mwild1@gmail.com>
parents:
5749
diff
changeset
|
74 |
|
5749
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
75 if client.legacy then |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
76 client_info:text_tag("legacy"); |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
77 end |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
78 |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
79 module:audit(jid.join(session.username, module.host), "new-client", { |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
80 session = session; |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
81 custom = { |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
82 }; |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
83 }); |
|
238c4ac8b735
mod_audit_auth: Add audit record when a client connects that has not been seen before
Matthew Wild <mwild1@gmail.com>
parents:
5748
diff
changeset
|
84 end); |
