Mercurial > prosody-modules
comparison mod_client_management/mod_client_management.lua @ 5650:0eb2d5ea2428
merge
| author | Stephen Paul Weber <singpolyma@singpolyma.net> |
|---|---|
| date | Sat, 06 May 2023 19:40:23 -0500 |
| parents | d9397d6a5513 |
| children | f25df3af02c1 |
comparison
equal
deleted
inserted
replaced
| 5649:2c69577b28c2 | 5650:0eb2d5ea2428 |
|---|---|
| 1 local modulemanager = require "core.modulemanager"; | |
| 2 local usermanager = require "core.usermanager"; | |
| 3 | |
| 4 local array = require "util.array"; | |
| 5 local dt = require "util.datetime"; | |
| 6 local id = require "util.id"; | |
| 7 local it = require "util.iterators"; | |
| 8 local jid = require "util.jid"; | |
| 9 local st = require "util.stanza"; | |
| 10 | |
| 11 local strict = module:get_option_boolean("enforce_client_ids", false); | |
| 12 | |
| 13 module:default_permission("prosody:user", ":list-clients"); | |
| 14 module:default_permission("prosody:user", ":manage-clients"); | |
| 15 | |
| 16 local tokenauth = module:depends("tokenauth"); | |
| 17 local mod_fast = module:depends("sasl2_fast"); | |
| 18 | |
| 19 local client_store = assert(module:open_store("clients", "keyval+")); | |
| 20 --[[{ | |
| 21 id = id; | |
| 22 first_seen = | |
| 23 last_seen = | |
| 24 user_agent = { | |
| 25 name = | |
| 26 os = | |
| 27 } | |
| 28 --}]] | |
| 29 | |
| 30 local xmlns_sasl2 = "urn:xmpp:sasl:2"; | |
| 31 | |
| 32 local function get_user_agent(sasl_handler, token_info) | |
| 33 local sasl_agent = sasl_handler and sasl_handler.user_agent; | |
| 34 local token_agent = token_info and token_info.data and token_info.data.oauth2_client; | |
| 35 if not (sasl_agent or token_agent) then return; end | |
| 36 return { | |
| 37 software = sasl_agent and sasl_agent.software or token_agent and token_agent.name or nil; | |
| 38 uri = token_agent and token_agent.uri or nil; | |
| 39 device = sasl_agent and sasl_agent.device or nil; | |
| 40 }; | |
| 41 end | |
| 42 | |
| 43 module:hook("sasl2/c2s/success", function (event) | |
| 44 local session = event.session; | |
| 45 local username, client_id = session.username, session.client_id; | |
| 46 local mechanism = session.sasl_handler.selected; | |
| 47 local token_info = session.sasl_handler.token_info; | |
| 48 local token_id = token_info and token_info.id or nil; | |
| 49 | |
| 50 local now = os.time(); | |
| 51 if client_id then -- SASL2, have client identifier | |
| 52 local is_new_client; | |
| 53 | |
| 54 local client_state = client_store:get_key(username, client_id); | |
| 55 if not client_state then | |
| 56 is_new_client = true; | |
| 57 client_state = { | |
| 58 id = client_id; | |
| 59 first_seen = now; | |
| 60 user_agent = get_user_agent(session.sasl_handler, token_info); | |
| 61 full_jid = nil; | |
| 62 last_seen = nil; | |
| 63 mechanisms = {}; | |
| 64 }; | |
| 65 end | |
| 66 -- Update state | |
| 67 client_state.full_jid = session.full_jid; | |
| 68 client_state.last_seen = now; | |
| 69 client_state.mechanisms[mechanism] = now; | |
| 70 if session.sasl_handler.fast_auth then | |
| 71 client_state.fast_auth = now; | |
| 72 end | |
| 73 if token_id then | |
| 74 client_state.auth_token_id = token_id; | |
| 75 end | |
| 76 -- Store updated state | |
| 77 client_store:set_key(username, client_id, client_state); | |
| 78 | |
| 79 if is_new_client then | |
| 80 module:fire_event("client_management/new-client", { client = client_state }); | |
| 81 end | |
| 82 end | |
| 83 end); | |
| 84 | |
| 85 local function find_client_by_resource(username, resource) | |
| 86 local full_jid = jid.join(username, module.host, resource); | |
| 87 local clients = client_store:get(username); | |
| 88 if not clients then return; end | |
| 89 | |
| 90 for _, client_state in pairs(clients) do | |
| 91 if client_state.full_jid == full_jid then | |
| 92 return client_state; | |
| 93 end | |
| 94 end | |
| 95 end | |
| 96 | |
| 97 module:hook("resource-bind", function (event) | |
| 98 local session = event.session; | |
| 99 if session.client_id then return; end | |
| 100 local is_new_client; | |
| 101 local client_state = find_client_by_resource(event.session.username, event.session.resource); | |
| 102 local now = os.time(); | |
| 103 if not client_state then | |
| 104 is_new_client = true; | |
| 105 client_state = { | |
| 106 id = id.short(); | |
| 107 first_seen = now; | |
| 108 user_agent = nil; | |
| 109 full_jid = nil; | |
| 110 last_seen = nil; | |
| 111 mechanisms = {}; | |
| 112 legacy = true; | |
| 113 }; | |
| 114 end | |
| 115 | |
| 116 -- Update state | |
| 117 local legacy_info = session.client_management_info; | |
| 118 client_state.full_jid = session.full_jid; | |
| 119 client_state.last_seen = now; | |
| 120 client_state.mechanisms[legacy_info.mechanism] = now; | |
| 121 if legacy_info.fast_auth then | |
| 122 client_state.fast_auth = now; | |
| 123 end | |
| 124 | |
| 125 local token_id = legacy_info.token_info and legacy_info.token_info.id; | |
| 126 if token_id then | |
| 127 client_state.auth_token_id = token_id; | |
| 128 end | |
| 129 | |
| 130 -- Store updated state | |
| 131 client_store:set_key(session.username, client_state.id, client_state); | |
| 132 | |
| 133 if is_new_client then | |
| 134 module:fire_event("client_management/new-client", { client = client_state }); | |
| 135 end | |
| 136 end); | |
| 137 | |
| 138 if strict then | |
| 139 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth) | |
| 140 local user_agent = auth:get_child("user-agent"); | |
| 141 if not user_agent or not user_agent.attr.id then | |
| 142 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 }) | |
| 143 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up() | |
| 144 :text_tag("text", "Client identifier required but not supplied"); | |
| 145 session.send(failure); | |
| 146 return true; | |
| 147 end | |
| 148 end, 500); | |
| 149 | |
| 150 if modulemanager.get_modules_for_host(module.host):contains("saslauth") then | |
| 151 module:log("error", "mod_saslauth is enabled, but enforce_client_ids is enabled and will prevent it from working"); | |
| 152 end | |
| 153 | |
| 154 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event) | |
| 155 -- Block legacy SASL, if for some reason it is being used (either mod_saslauth is loaded, | |
| 156 -- or clients try it without advertisement) | |
| 157 module:log("warn", "Blocking legacy SASL authentication because enforce_client_ids is enabled"); | |
| 158 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 }) | |
| 159 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up() | |
| 160 :text_tag("text", "Legacy SASL authentication is not available on this server"); | |
| 161 event.session.send(failure); | |
| 162 return true; | |
| 163 end); | |
| 164 else | |
| 165 -- Legacy client compat code | |
| 166 module:hook("authentication-success", function (event) | |
| 167 local session = event.session; | |
| 168 if session.client_id then return; end -- SASL2 client | |
| 169 | |
| 170 local sasl_handler = session.sasl_handler; | |
| 171 session.client_management_info = { | |
| 172 mechanism = sasl_handler.selected; | |
| 173 token_info = sasl_handler.token_info; | |
| 174 fast_auth = sasl_handler.fast_auth; | |
| 175 }; | |
| 176 end); | |
| 177 end | |
| 178 | |
| 179 local function is_password_mechanism(mech_name) | |
| 180 if mech_name == "OAUTHBEARER" then return false; end | |
| 181 if mech_name:match("^HT%-") then return false; end | |
| 182 return true; | |
| 183 end | |
| 184 | |
| 185 local function is_client_active(client) | |
| 186 local username, host = jid.split(client.full_jid); | |
| 187 local account_info = usermanager.get_account_info(username, host); | |
| 188 local last_password_change = account_info and account_info.password_updated; | |
| 189 | |
| 190 local status = {}; | |
| 191 | |
| 192 -- Check for an active token grant that has been previously used by this client | |
| 193 if client.auth_token_id then | |
| 194 local grant = tokenauth.get_grant_info(client.auth_token_id); | |
| 195 if grant then | |
| 196 status.grant = grant; | |
| 197 end | |
| 198 end | |
| 199 | |
| 200 -- Check for active FAST tokens | |
| 201 if client.fast_auth then | |
| 202 if mod_fast.is_client_fast(username, client.id, last_password_change) then | |
| 203 status.fast = client.fast_auth; | |
| 204 end | |
| 205 end | |
| 206 | |
| 207 -- Client has access if any password-based SASL mechanisms have been used since last password change | |
| 208 for mech, mech_last_used in pairs(client.mechanisms) do | |
| 209 if is_password_mechanism(mech) and (not last_password_change or mech_last_used >= last_password_change) then | |
| 210 status.password = mech_last_used; | |
| 211 end | |
| 212 end | |
| 213 | |
| 214 if prosody.full_sessions[client.full_jid] then | |
| 215 status.connected = true; | |
| 216 end | |
| 217 | |
| 218 if next(status) == nil then | |
| 219 return nil; | |
| 220 end | |
| 221 return status; | |
| 222 end | |
| 223 | |
| 224 -- Public API | |
| 225 --luacheck: ignore 131 | |
| 226 function get_active_clients(username) | |
| 227 local clients = client_store:get(username); | |
| 228 local active_clients = {}; | |
| 229 local used_grants = {}; | |
| 230 | |
| 231 -- Go through known clients, check whether they could possibly log in | |
| 232 for client_id, client in pairs(clients or {}) do --luacheck: ignore 213/client_id | |
| 233 local active = is_client_active(client); | |
| 234 if active then | |
| 235 client.type = "session"; | |
| 236 client.id = "client/"..client.id; | |
| 237 client.active = active; | |
| 238 table.insert(active_clients, client); | |
| 239 if active.grant then | |
| 240 used_grants[active.grant.id] = true; | |
| 241 end | |
| 242 end | |
| 243 end | |
| 244 | |
| 245 -- Next, account for any grants that have been issued, but never actually logged in | |
| 246 for grant_id, grant in pairs(tokenauth.get_user_grants(username) or {}) do | |
| 247 if not used_grants[grant_id] then -- exclude grants already accounted for | |
| 248 table.insert(active_clients, { | |
| 249 id = "grant/"..grant_id; | |
| 250 type = "access"; | |
| 251 first_seen = grant.created; | |
| 252 last_seen = grant.accessed; | |
| 253 active = { | |
| 254 grant = grant; | |
| 255 }; | |
| 256 user_agent = get_user_agent(nil, grant); | |
| 257 }); | |
| 258 end | |
| 259 end | |
| 260 | |
| 261 table.sort(active_clients, function (a, b) | |
| 262 if a.last_seen and b.last_seen then | |
| 263 return a.last_seen < b.last_seen; | |
| 264 elseif not (a.last_seen or b.last_seen) then | |
| 265 if a.first_seen and b.first_seen then | |
| 266 return a.first_seen < b.first_seen; | |
| 267 end | |
| 268 elseif b.last_seen then | |
| 269 return true; | |
| 270 elseif a.last_seen then | |
| 271 return false; | |
| 272 end | |
| 273 return a.id < b.id; | |
| 274 end); | |
| 275 | |
| 276 return active_clients; | |
| 277 end | |
| 278 | |
| 279 function revoke_client_access(username, client_selector) | |
| 280 if client_selector then | |
| 281 local c_type, c_id = client_selector:match("^(%w+)/(.+)$"); | |
| 282 if c_type == "client" then | |
| 283 local client = client_store:get_key(username, c_id); | |
| 284 if not client then | |
| 285 return nil, "item-not-found"; | |
| 286 end | |
| 287 local status = is_client_active(client); | |
| 288 if status.connected then | |
| 289 local ok, err = prosody.full_sessions[client.full_jid]:close(); | |
| 290 if not ok then return ok, err; end | |
| 291 end | |
| 292 if status.fast then | |
| 293 local ok = mod_fast.revoke_fast_tokens(username, client.id); | |
| 294 if not ok then return nil, "internal-server-error"; end | |
| 295 end | |
| 296 if status.grant then | |
| 297 local ok = tokenauth.revoke_grant(username, status.grant.id); | |
| 298 if not ok then return nil, "internal-server-error"; end | |
| 299 end | |
| 300 if status.password then | |
| 301 return nil, "password-reset-required"; | |
| 302 end | |
| 303 return true; | |
| 304 elseif c_type == "grant" then | |
| 305 local grant = tokenauth.get_grant_info(username, c_id); | |
| 306 if not grant then | |
| 307 return nil, "item-not-found"; | |
| 308 end | |
| 309 local ok = tokenauth.revoke_grant(username, c_id); | |
| 310 if not ok then return nil, "internal-server-error"; end | |
| 311 return true; | |
| 312 end | |
| 313 end | |
| 314 | |
| 315 return nil, "item-not-found"; | |
| 316 end | |
| 317 | |
| 318 -- Protocol | |
| 319 | |
| 320 local xmlns_manage_clients = "xmpp:prosody.im/protocol/manage-clients"; | |
| 321 | |
| 322 module:hook("iq-get/self/xmpp:prosody.im/protocol/manage-clients:list", function (event) | |
| 323 local origin, stanza = event.origin, event.stanza; | |
| 324 | |
| 325 if not module:may(":list-clients", event) then | |
| 326 origin.send(st.error_reply(stanza, "auth", "forbidden")); | |
| 327 return true; | |
| 328 end | |
| 329 | |
| 330 local reply = st.reply(stanza) | |
| 331 :tag("clients", { xmlns = xmlns_manage_clients }); | |
| 332 | |
| 333 local active_clients = get_active_clients(event.origin.username); | |
| 334 for _, client in ipairs(active_clients) do | |
| 335 local auth_type = st.stanza("auth"); | |
| 336 if client.active then | |
| 337 if client.active.password then | |
| 338 auth_type:text_tag("password"); | |
| 339 end | |
| 340 if client.active.grant then | |
| 341 auth_type:text_tag("bearer-token"); | |
| 342 end | |
| 343 if client.active.fast then | |
| 344 auth_type:text_tag("fast"); | |
| 345 end | |
| 346 end | |
| 347 | |
| 348 local user_agent = st.stanza("user-agent"); | |
| 349 if client.user_agent then | |
| 350 if client.user_agent.software then | |
| 351 user_agent:text_tag("software", client.user_agent.software); | |
| 352 end | |
| 353 if client.user_agent.device then | |
| 354 user_agent:text_tag("device", client.user_agent.device); | |
| 355 end | |
| 356 if client.user_agent.uri then | |
| 357 user_agent:text_tag("uri", client.user_agent.uri); | |
| 358 end | |
| 359 end | |
| 360 | |
| 361 local connected = client.active and client.active.connected; | |
| 362 reply:tag("client", { id = client.id, connected = connected and "true" or "false", type = client.type }) | |
| 363 :text_tag("first-seen", dt.datetime(client.first_seen)) | |
| 364 :text_tag("last-seen", dt.datetime(client.last_seen)) | |
| 365 :add_child(auth_type) | |
| 366 :add_child(user_agent) | |
| 367 :up(); | |
| 368 end | |
| 369 reply:up(); | |
| 370 | |
| 371 origin.send(reply); | |
| 372 return true; | |
| 373 end); | |
| 374 | |
| 375 local revocation_errors = require "util.error".init(module.name, xmlns_manage_clients, { | |
| 376 ["item-not-found"] = { "cancel", "item-not-found", "Client not found" }; | |
| 377 ["internal-server-error"] = { "wait", "internal-server-error", "Unable to revoke client access" }; | |
| 378 ["password-reset-required"] = { "cancel", "service-unavailable", "Password reset required", "password-reset-required" }; | |
| 379 }); | |
| 380 | |
| 381 module:hook("iq-set/self/xmpp:prosody.im/protocol/manage-clients:revoke", function (event) | |
| 382 local origin, stanza = event.origin, event.stanza; | |
| 383 | |
| 384 if not module:may(":manage-clients", event) then | |
| 385 origin.send(st.error_reply(stanza, "auth", "forbidden")); | |
| 386 return true; | |
| 387 end | |
| 388 | |
| 389 local client_id = stanza.tags[1].attr.id; | |
| 390 | |
| 391 local ok, err = revocation_errors.coerce(revoke_client_access(origin.username, client_id)); | |
| 392 if not ok then | |
| 393 origin.send(st.error_reply(stanza, err)); | |
| 394 return true; | |
| 395 end | |
| 396 | |
| 397 origin.send(st.reply(stanza)); | |
| 398 return true; | |
| 399 end); | |
| 400 | |
| 401 | |
| 402 -- Command | |
| 403 | |
| 404 module:once(function () | |
| 405 local console_env = module:shared("/*/admin_shell/env"); | |
| 406 if not console_env.user then return; end -- admin_shell probably not loaded | |
| 407 | |
| 408 function console_env.user:clients(user_jid) | |
| 409 local username, host = jid.split(user_jid); | |
| 410 local mod = prosody.hosts[host] and prosody.hosts[host].modules.client_management; | |
| 411 if not mod then | |
| 412 return false, ("Host does not exist on this server, or does not have mod_client_management loaded"); | |
| 413 end | |
| 414 | |
| 415 local clients = mod.get_active_clients(username); | |
| 416 if not clients or #clients == 0 then | |
| 417 return true, "No clients associated with this account"; | |
| 418 end | |
| 419 | |
| 420 local colspec = { | |
| 421 { | |
| 422 title = "Software"; | |
| 423 key = "user_agent"; | |
| 424 width = "1p"; | |
| 425 mapper = function(user_agent) | |
| 426 return user_agent and user_agent.software; | |
| 427 end; | |
| 428 }; | |
| 429 { | |
| 430 title = "Last seen"; | |
| 431 key = "last_seen"; | |
| 432 width = math.max(#os.date("%Y-%m-%d"), #os.date("%H:%M:%S")); | |
| 433 align = "right"; | |
| 434 mapper = function(last_seen) | |
| 435 return os.date(os.difftime(os.time(), last_seen) >= 86400 and "%Y-%m-%d" or "%H:%M:%S", last_seen); | |
| 436 end; | |
| 437 }; | |
| 438 { | |
| 439 title = "Authentication"; | |
| 440 key = "active"; | |
| 441 width = "2p"; | |
| 442 mapper = function(active) | |
| 443 return array.collect(it.keys(active)):sort():concat(", "); | |
| 444 end; | |
| 445 }; | |
| 446 }; | |
| 447 | |
| 448 local row = require "util.human.io".table(colspec, self.session.width); | |
| 449 | |
| 450 local print = self.session.print; | |
| 451 print(row()); | |
| 452 print(string.rep("-", self.session.width)); | |
| 453 for _, client in ipairs(clients) do | |
| 454 print(row(client)); | |
| 455 end | |
| 456 print(string.rep("-", self.session.width)); | |
| 457 return true, ("%d clients"):format(#clients); | |
| 458 end | |
| 459 end); |
