Mercurial > prosody-modules
comparison mod_client_management/mod_client_management.lua @ 5294:385346b6c81d
mod_client_management: New module for users to view/manage permitted clients
This is just the data and API part.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 30 Mar 2023 11:32:50 +0100 |
| parents | |
| children | 8ef197cccd74 |
comparison
equal
deleted
inserted
replaced
| 5293:f60287bba62c | 5294:385346b6c81d |
|---|---|
| 1 local modulemanager = require "core.modulemanager"; | |
| 2 local usermanager = require "core.usermanager"; | |
| 3 | |
| 4 local id = require "util.id"; | |
| 5 local jid = require "util.jid"; | |
| 6 local st = require "util.stanza"; | |
| 7 | |
| 8 local strict = module:get_option_boolean("enforce_client_ids", false); | |
| 9 | |
| 10 local tokenauth = module:depends("tokenauth"); | |
| 11 local mod_fast = module:depends("sasl2_fast"); | |
| 12 | |
| 13 local client_store = assert(module:open_store("clients", "keyval+")); | |
| 14 --[[{ | |
| 15 id = id; | |
| 16 first_seen = | |
| 17 last_seen = | |
| 18 user_agent = { | |
| 19 name = | |
| 20 os = | |
| 21 } | |
| 22 --}]] | |
| 23 | |
| 24 local xmlns_sasl2 = "urn:xmpp:sasl:2"; | |
| 25 | |
| 26 local function get_user_agent(sasl_handler, token_info) | |
| 27 local sasl_agent = sasl_handler and sasl_handler.user_agent; | |
| 28 local token_agent = token_info and token_info.data and token_info.data.oauth2_client; | |
| 29 if not (sasl_agent or token_agent) then return; end | |
| 30 return { | |
| 31 software = sasl_agent and sasl_agent.software or token_agent and token_agent.name or nil; | |
| 32 uri = token_agent and token_agent.uri or nil; | |
| 33 device = sasl_agent and sasl_agent.device or nil; | |
| 34 }; | |
| 35 end | |
| 36 | |
| 37 module:hook("sasl2/c2s/success", function (event) | |
| 38 local session = event.session; | |
| 39 local username, client_id = session.username, session.client_id; | |
| 40 local mechanism = session.sasl_handler.selected; | |
| 41 local token_info = session.sasl_handler.token_info; | |
| 42 local token_id = token_info and token_info.id or nil; | |
| 43 | |
| 44 local now = os.time(); | |
| 45 if client_id then -- SASL2, have client identifier | |
| 46 local is_new_client; | |
| 47 | |
| 48 local client_state = client_store:get_key(username, client_id); | |
| 49 if not client_state then | |
| 50 is_new_client = true; | |
| 51 client_state = { | |
| 52 id = client_id; | |
| 53 first_seen = now; | |
| 54 user_agent = get_user_agent(session.sasl_handler, token_info); | |
| 55 full_jid = nil; | |
| 56 last_seen = nil; | |
| 57 mechanisms = {}; | |
| 58 }; | |
| 59 end | |
| 60 -- Update state | |
| 61 client_state.full_jid = session.full_jid; | |
| 62 client_state.last_seen = now; | |
| 63 client_state.mechanisms[mechanism] = now; | |
| 64 if session.sasl_handler.fast_auth then | |
| 65 client_state.fast_auth = now; | |
| 66 end | |
| 67 if token_id then | |
| 68 client_state.auth_token_id = token_id; | |
| 69 end | |
| 70 -- Store updated state | |
| 71 client_store:set_key(username, client_id, client_state); | |
| 72 | |
| 73 if is_new_client then | |
| 74 module:fire_event("client_management/new-client", { client = client_state }); | |
| 75 end | |
| 76 end | |
| 77 end); | |
| 78 | |
| 79 local function find_client_by_resource(username, resource) | |
| 80 local full_jid = jid.join(username, module.host, resource); | |
| 81 local clients = client_store:get(username); | |
| 82 if not clients then return; end | |
| 83 | |
| 84 for _, client_state in pairs(clients) do | |
| 85 if client_state.full_jid == full_jid then | |
| 86 return client_state; | |
| 87 end | |
| 88 end | |
| 89 end | |
| 90 | |
| 91 module:hook("resource-bind", function (event) | |
| 92 local session = event.session; | |
| 93 if session.client_id then return; end | |
| 94 local is_new_client; | |
| 95 local client_state = find_client_by_resource(event.session.username, event.session.resource); | |
| 96 local now = os.time(); | |
| 97 if not client_state then | |
| 98 is_new_client = true; | |
| 99 client_state = { | |
| 100 id = id.short(); | |
| 101 first_seen = now; | |
| 102 user_agent = nil; | |
| 103 full_jid = nil; | |
| 104 last_seen = nil; | |
| 105 mechanisms = {}; | |
| 106 legacy = true; | |
| 107 }; | |
| 108 end | |
| 109 | |
| 110 -- Update state | |
| 111 local legacy_info = session.client_management_info; | |
| 112 client_state.full_jid = session.full_jid; | |
| 113 client_state.last_seen = now; | |
| 114 client_state.mechanisms[legacy_info.mechanism] = now; | |
| 115 if legacy_info.fast_auth then | |
| 116 client_state.fast_auth = now; | |
| 117 end | |
| 118 | |
| 119 local token_id = legacy_info.token_info and legacy_info.token_info.id; | |
| 120 if token_id then | |
| 121 client_state.auth_token_id = token_id; | |
| 122 end | |
| 123 | |
| 124 -- Store updated state | |
| 125 client_store:set_key(session.username, client_state.id, client_state); | |
| 126 | |
| 127 if is_new_client then | |
| 128 module:fire_event("client_management/new-client", { client = client_state }); | |
| 129 end | |
| 130 end); | |
| 131 | |
| 132 if strict then | |
| 133 module:hook_tag(xmlns_sasl2, "authenticate", function (session, auth) | |
| 134 local user_agent = auth:get_child("user-agent"); | |
| 135 if not user_agent or not user_agent.attr.id then | |
| 136 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 }) | |
| 137 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up() | |
| 138 :text_tag("text", "Client identifier required but not supplied"); | |
| 139 session.send(failure); | |
| 140 return true; | |
| 141 end | |
| 142 end, 500); | |
| 143 | |
| 144 if modulemanager.get_modules_for_host(module.host):contains("saslauth") then | |
| 145 module:log("error", "mod_saslauth is enabled, but enforce_client_ids is enabled and will prevent it from working"); | |
| 146 end | |
| 147 | |
| 148 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event) | |
| 149 -- Block legacy SASL, if for some reason it is being used (either mod_saslauth is loaded, | |
| 150 -- or clients try it without advertisement) | |
| 151 module:log("warn", "Blocking legacy SASL authentication because enforce_client_ids is enabled"); | |
| 152 local failure = st.stanza("failure", { xmlns = xmlns_sasl2 }) | |
| 153 :tag("malformed-request", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):up() | |
| 154 :text_tag("text", "Legacy SASL authentication is not available on this server"); | |
| 155 event.session.send(failure); | |
| 156 return true; | |
| 157 end); | |
| 158 else | |
| 159 -- Legacy client compat code | |
| 160 module:hook("authentication-success", function (event) | |
| 161 local session = event.session; | |
| 162 if session.client_id then return; end -- SASL2 client | |
| 163 | |
| 164 local sasl_handler = session.sasl_handler; | |
| 165 session.client_management_info = { | |
| 166 mechanism = sasl_handler.selected; | |
| 167 token_info = sasl_handler.token_info; | |
| 168 fast_auth = sasl_handler.fast_auth; | |
| 169 }; | |
| 170 end); | |
| 171 end | |
| 172 | |
| 173 local function is_password_mechanism(mech_name) | |
| 174 if mech_name == "OAUTHBEARER" then return false; end | |
| 175 if mech_name:match("^HT%-") then return false; end | |
| 176 return true; | |
| 177 end | |
| 178 | |
| 179 local function is_client_active(client) | |
| 180 local username, host = jid.split(client.full_jid); | |
| 181 local account_info = usermanager.get_account_info(username, host); | |
| 182 local last_password_change = account_info and account_info.password_updated; | |
| 183 | |
| 184 local status = {}; | |
| 185 | |
| 186 -- Check for an active token grant that has been previously used by this client | |
| 187 if client.auth_token_id then | |
| 188 local grant = tokenauth.get_grant_info(client.auth_token_id); | |
| 189 if grant then | |
| 190 status.active_grant = grant; | |
| 191 end | |
| 192 end | |
| 193 | |
| 194 -- Check for active FAST tokens | |
| 195 if client.fast_auth then | |
| 196 if mod_fast.is_client_fast(username, client.id, last_password_change) then | |
| 197 status.active_fast = client.fast_auth; | |
| 198 end | |
| 199 end | |
| 200 | |
| 201 -- Client has access if any password-based SASL mechanisms have been used since last password change | |
| 202 for mech, mech_last_used in pairs(client.mechanisms) do | |
| 203 if is_password_mechanism(mech) and mech_last_used >= last_password_change then | |
| 204 status.active_password = mech_last_used; | |
| 205 end | |
| 206 end | |
| 207 | |
| 208 if prosody.full_sessions[client.full_jid] then | |
| 209 status.active_connected = true; | |
| 210 end | |
| 211 | |
| 212 if next(status) == nil then | |
| 213 return nil; | |
| 214 end | |
| 215 return status; | |
| 216 end | |
| 217 | |
| 218 -- Public API | |
| 219 --luacheck: ignore 131 | |
| 220 function get_active_clients(username) | |
| 221 local clients = client_store:get(username); | |
| 222 local active_clients = {}; | |
| 223 local used_grants = {}; | |
| 224 | |
| 225 -- Go through known clients, check whether they could possibly log in | |
| 226 for client_id, client in pairs(clients or {}) do --luacheck: ignore 213/client_id | |
| 227 local active = is_client_active(client); | |
| 228 if active then | |
| 229 client.type = "session"; | |
| 230 client.active = active; | |
| 231 table.insert(active_clients, client); | |
| 232 if active.active_grant then | |
| 233 used_grants[active.active_grant.id] = true; | |
| 234 end | |
| 235 end | |
| 236 end | |
| 237 | |
| 238 -- Next, account for any grants that have been issued, but never actually logged in | |
| 239 for grant_id, grant in pairs(tokenauth.get_user_grants(username) or {}) do | |
| 240 if not used_grants[grant_id] then -- exclude grants already accounted for | |
| 241 table.insert(active_clients, { | |
| 242 id = grant_id; | |
| 243 type = "access"; | |
| 244 first_seen = grant.created; | |
| 245 last_seen = grant.accessed; | |
| 246 active = { | |
| 247 active_grant = grant; | |
| 248 }; | |
| 249 user_agent = get_user_agent(nil, grant); | |
| 250 }); | |
| 251 end | |
| 252 end | |
| 253 | |
| 254 table.sort(active_clients, function (a, b) | |
| 255 if a.last_seen and b.last_seen then | |
| 256 return a.last_seen < b.last_seen; | |
| 257 elseif not (a.last_seen or b.last_seen) then | |
| 258 if a.first_seen and b.first_seen then | |
| 259 return a.first_seen < b.first_seen; | |
| 260 end | |
| 261 elseif b.last_seen then | |
| 262 return true; | |
| 263 elseif a.last_seen then | |
| 264 return false; | |
| 265 end | |
| 266 return a.id < b.id; | |
| 267 end); | |
| 268 | |
| 269 return active_clients; | |
| 270 end |
