apitech
/
prosody
mirror of https://github.com/bjc/prosody
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
IMPORTANT: due to a drive failure, as of 13-Mar-2021, the Mercurial repository had to be re-mirrored, which changed every commit SHA. The old SHAs and trees are backed up in the vault branches. Please migrate to the new branches as soon as you can.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13887 Commits
12 Branches
101 Tags
54 MiB
Tag: Branch: Tree: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
prosody/plugins/mod_auth_internal_hashed.lua

196 lines
6.3 KiB
Raw Permalink Normal View History Unescape

Check in mod_hashpassauth -- works!
16 years ago
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
-- Copyright (C) 2010 Jeff Mitchell
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
mod_auth_interal_hashed: Update salt and iteration count when setting a new password
12 years ago
local max = math.max;
plugins: Prefix module imports with prosody namespace
3 years ago
local scram_hashers = require "prosody.util.sasl.scram".hashers;
local generate_uuid = require "prosody.util.uuid".generate;
local new_sasl = require "prosody.util.sasl".new;
local hex = require"prosody.util.hex";
util.hex: Deprecate to/from in favour of encode/decode, for consistency!
4 years ago
local to_hex, from_hex = hex.encode, hex.decode;
plugins: Prefix module imports with prosody namespace
3 years ago
local saslprep = require "prosody.util.encodings".stringprep.saslprep;
local secure_equals = require "prosody.util.hashes".equals;
Check in mod_hashpassauth -- works!
16 years ago
mod_auth_internal_hashed: Use logger setup by moduleapi instead of going for util.logger directly
13 years ago
local log = module._log;
mod_auth_internal_hashed: Log calls to provider methods and be consistent with mod_auth_internal_plain
13 years ago
local host = module.host;
mod_auth_internal_hashed: Use logger setup by moduleapi instead of going for util.logger directly
13 years ago
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
13 years ago
local accounts = module:open_store("accounts");
plugins: Use get_option_enum where appropriate
5 years ago
local hash_name = module:get_option_enum("password_hash", "SHA-1", "SHA-256");
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1 This will currently require a hard reset of all passwords back to plain. This will be least painful on new deployments.
7 years ago
local get_auth_db = assert(scram_hashers[hash_name], "SCRAM-"..hash_name.." not supported by SASL library");
mod_auth_internal_hashed: Precompute SCRAM authentication profile name (thanks MattJ)
6 years ago
local scram_name = "scram_"..hash_name:gsub("%-","_"):lower();
mod_auth_internal_hashed: Remove far too many instances of inline hex conversion using gsub, which was creating useless closures and what-not
16 years ago
Check in mod_hashpassauth -- works!
16 years ago
-- Default; can be set per-user
plugins: Use integer config API with interval specification where sensible Many of these fall into a few categories: - util.cache size, must be >= 1 - byte or item counts that logically can't be negative - port numbers that should be in 1..0xffff
2 years ago
local default_iteration_count = module:get_option_integer("default_iteration_count", 10000, 4096);
Check in mod_hashpassauth -- works!
16 years ago
mod_auth_internal_hashed: Add oauthbearer handler to our SASL profile
3 years ago
local tokenauth = module:depends("tokenauth");
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
-- define auth provider
mod_auth_*: Use module:provides().
13 years ago
local provider = {};
Check in mod_hashpassauth -- works!
16 years ago
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
function provider.test_password(username, password)
mod_auth_internal_hashed: Log calls to provider methods and be consistent with mod_auth_internal_plain
13 years ago
log("debug", "test password for user '%s'", username);
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
13 years ago
local credentials = accounts:get(username) or {};
mod_auth_internal_{hashed,plain}: Respect flag for disabled accounts in test_password() This API method is used e.g. in HTTP modules which also should respect disabled accounts.
1 year ago
if credentials.disabled then
return nil, "Account disabled.";
end
mod_auth_internal_*: Apply saslprep to passwords Related to #1560
6 years ago
password = saslprep(password);
if not password then
return nil, "Password fails SASLprep.";
end
Add mechanism for upgrading to hashed passwords from default. Remove some extra debug.
16 years ago
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
if credentials.password ~= nil and string.len(credentials.password) ~= 0 then
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
5 years ago
if not secure_equals(saslprep(credentials.password), password) then
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
return nil, "Auth failed. Provided password is incorrect.";
Check in mod_hashpassauth -- works!
16 years ago
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
if provider.set_password(username, credentials.password) == nil then
return nil, "Auth failed. Could not set hashed password from plaintext.";
Check in mod_hashpassauth -- works!
16 years ago
else
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
return true;
Check in mod_hashpassauth -- works!
16 years ago
end
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
if credentials.iteration_count == nil or credentials.salt == nil or string.len(credentials.salt) == 0 then
return nil, "Auth failed. Stored salt and iteration count information is not complete.";
Check in mod_hashpassauth -- works!
16 years ago
end
Remove all trailing whitespace
13 years ago
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1 This will currently require a hard reset of all passwords back to plain. This will be least painful on new deployments.
7 years ago
local valid, stored_key, server_key = get_auth_db(password, credentials.salt, credentials.iteration_count);
Remove all trailing whitespace
13 years ago
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
local stored_key_hex = to_hex(stored_key);
local server_key_hex = to_hex(server_key);
Remove all trailing whitespace
13 years ago
mod_auth_internal_{plain,hashed}: Use constant-time string comparison for secrets
5 years ago
if valid and secure_equals(stored_key_hex, credentials.stored_key) and secure_equals(server_key_hex, credentials.server_key) then
Check in mod_hashpassauth -- works!
16 years ago
return true;
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
else
return nil, "Auth failed. Invalid username, password, or password hash information.";
Check in mod_hashpassauth -- works!
16 years ago
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
end
Check in mod_hashpassauth -- works!
16 years ago
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
function provider.set_password(username, password)
mod_auth_internal_hashed: Log calls to provider methods and be consistent with mod_auth_internal_plain
13 years ago
log("debug", "set_password for username '%s'", username);
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
13 years ago
local account = accounts:get(username);
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
if account then
mod_auth_interal_hashed: Update salt and iteration count when setting a new password
12 years ago
account.salt = generate_uuid();
account.iteration_count = max(account.iteration_count or 0, default_iteration_count);
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1 This will currently require a hard reset of all passwords back to plain. This will be least painful on new deployments.
7 years ago
local valid, stored_key, server_key = get_auth_db(password, account.salt, account.iteration_count);
mod_auth_internal_hashed: Pass on errors from password hash function (fixes #1477)
6 years ago
if not valid then
return valid, stored_key;
end
mod_auth_internal_hashed: Remove far too many instances of inline hex conversion using gsub, which was creating useless closures and what-not
16 years ago
local stored_key_hex = to_hex(stored_key);
local server_key_hex = to_hex(server_key);
Remove all trailing whitespace
13 years ago
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
account.stored_key = stored_key_hex
account.server_key = server_key_hex
account.password = nil;
usermanager, mod_auth_*: Add get_account_info() returning creation/update time This is useful for a number of things. For example, listing users that need to rotate their passwords after some event. It also provides a safer way for code to determine that a user password has changed without needing to set a handler for the password change event (which is a more fragile approach).
4 years ago
account.updated = os.time();
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
13 years ago
return accounts:set(username, account);
Check in mod_hashpassauth -- works!
16 years ago
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
return nil, "Account not available.";
end
Check in mod_hashpassauth -- works!
16 years ago
usermanager, mod_auth_*: Add get_account_info() returning creation/update time This is useful for a number of things. For example, listing users that need to rotate their passwords after some event. It also provides a safer way for code to determine that a user password has changed without needing to set a handler for the password change event (which is a more fragile approach).
4 years ago
function provider.get_account_info(username)
local account = accounts:get(username);
if not account then return nil, "Account not available"; end
return {
created = account.created;
password_updated = account.updated;
mod_auth_internal_hashed: Implement is_enabled() method Uses 'disabled' property already introduced in aed38948791f
3 years ago
enabled = not account.disabled;
usermanager, mod_auth_*: Add get_account_info() returning creation/update time This is useful for a number of things. For example, listing users that need to rotate their passwords after some event. It also provides a safer way for code to determine that a user password has changed without needing to set a handler for the password change event (which is a more fragile approach).
4 years ago
};
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
function provider.user_exists(username)
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
13 years ago
local account = accounts:get(username);
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
if not account then
mod_auth_internal_hashed: Log calls to provider methods and be consistent with mod_auth_internal_plain
13 years ago
log("debug", "account not found for username '%s'", username);
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
return nil, "Auth failed. Invalid username";
mod_auth_internal_*: Support for delete_user method
15 years ago
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
return true;
end
mod_auth_internal_*: Support for delete_user method
15 years ago
mod_auth_internal_hashed: Refactor to prepare for disabling users Moving this out will make space for a dynamic check whether a particular user is disabled or not, which is one possible response to abuse of account privileges.
3 years ago
function provider.is_enabled(username) -- luacheck: ignore 212
mod_auth_internal_hashed: Implement is_enabled() method Uses 'disabled' property already introduced in aed38948791f
3 years ago
local info, err = provider.get_account_info(username);
if not info then return nil, err; end
return info.enabled;
mod_auth_internal_hashed: Refactor to prepare for disabling users Moving this out will make space for a dynamic check whether a particular user is disabled or not, which is one possible response to abuse of account privileges.
3 years ago
end
mod_auth_internal_hashed: Implement methods to enable and disable users
3 years ago
function provider.enable(username)
-- TODO map store?
local account = accounts:get(username);
account.disabled = nil;
mod_auth_internal_hashed: Record time of account disable / re-enable Could be useful for e.g. #1772
3 years ago
account.updated = os.time();
mod_auth_internal_hashed: Implement methods to enable and disable users
3 years ago
return accounts:set(username, account);
mod_auth_internal_hashed: Add stub methods for enabling and disabling users But how and where?
3 years ago
end
usermanager, mod_auth_internal_hashed: Support metadata when disabling a user This allows us to store a time, actor, comment and/or reason why an account was disabled, which seems a generally useful thing to support.
2 years ago
function provider.disable(username, meta)
mod_auth_internal_hashed: Implement methods to enable and disable users
3 years ago
local account = accounts:get(username);
account.disabled = true;
usermanager, mod_auth_internal_hashed: Support metadata when disabling a user This allows us to store a time, actor, comment and/or reason why an account was disabled, which seems a generally useful thing to support.
2 years ago
account.disabled_meta = meta;
mod_auth_internal_hashed: Record time of account disable / re-enable Could be useful for e.g. #1772
3 years ago
account.updated = os.time();
mod_auth_internal_hashed: Implement methods to enable and disable users
3 years ago
return accounts:set(username, account);
mod_auth_internal_hashed: Add stub methods for enabling and disabling users But how and where?
3 years ago
end
mod_auth_internal_{plain,hashed}: Add support for iterating over accounts
13 years ago
function provider.users()
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
13 years ago
return accounts:users();
mod_auth_internal_{plain,hashed}: Add support for iterating over accounts
13 years ago
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
function provider.create_user(username, password)
mod_auth_internal_hashed: Allow creating disabled account without password Otherwise, create_user(username, nil) leads to the account being deleted.
3 years ago
local now = os.time();
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
if password == nil then
mod_auth_internal_hashed: Allow creating disabled account without password Otherwise, create_user(username, nil) leads to the account being deleted.
3 years ago
return accounts:set(username, { created = now; updated = now; disabled = true });
Check in mod_hashpassauth -- works!
16 years ago
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
local salt = generate_uuid();
mod_auth_internal_hashed: Add support for optionally using SCRAM-SHA-256 instead of SHA-1 This will currently require a hard reset of all passwords back to plain. This will be least painful on new deployments.
7 years ago
local valid, stored_key, server_key = get_auth_db(password, salt, default_iteration_count);
mod_auth_internal_hashed: Pass on errors from password hash function (fixes #1477)
6 years ago
if not valid then
return valid, stored_key;
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
local stored_key_hex = to_hex(stored_key);
local server_key_hex = to_hex(server_key);
mod_auth_internal_hashed: Split long lines [luacheck]
9 years ago
return accounts:set(username, {
stored_key = stored_key_hex, server_key = server_key_hex,
usermanager, mod_auth_*: Add get_account_info() returning creation/update time This is useful for a number of things. For example, listing users that need to rotate their passwords after some event. It also provides a safer way for code to determine that a user password has changed without needing to set a handler for the password change event (which is a more fragile approach).
4 years ago
salt = salt, iteration_count = default_iteration_count,
created = now, updated = now;
mod_auth_internal_hashed: Split long lines [luacheck]
9 years ago
});
Check in mod_hashpassauth -- works!
16 years ago
end
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
function provider.delete_user(username)
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
13 years ago
return accounts:set(username, nil);
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
end
function provider.get_sasl_handler()
local testpass_authentication_profile = {
mod_auth_internal_hashed: Shorten call path Why did it call a function defined in the same module through usermanager?
3 years ago
plain_test = function(_, username, password)
return provider.test_password(username, password), provider.is_enabled(username);
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
end,
mod_auth_internal_hashed: Precompute SCRAM authentication profile name (thanks MattJ)
6 years ago
[scram_name] = function(_, username)
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
13 years ago
local credentials = accounts:get(username);
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
if not credentials then return; end
if credentials.password then
core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
9 years ago
if provider.set_password(username, credentials.password) == nil then
return nil, "Auth failed. Could not set hashed password from plaintext.";
end
mod_auth_internal_hashed, mod_auth_internal_plain, mod_privacy, mod_private, mod_register, mod_vcard, mod_muc: Use module:open_store()
13 years ago
credentials = accounts:get(username);
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
if not credentials then return; end
end
Remove all trailing whitespace
13 years ago
mod_auth_internal_hashed: Split long lines [luacheck]
9 years ago
local stored_key, server_key = credentials.stored_key, credentials.server_key;
local iteration_count, salt = credentials.iteration_count, credentials.salt;
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
stored_key = stored_key and from_hex(stored_key);
server_key = server_key and from_hex(server_key);
mod_auth_internal_hashed: Implement is_enabled() method Uses 'disabled' property already introduced in aed38948791f
3 years ago
return stored_key, server_key, iteration_count, salt, not credentials.disabled;
mod_auth_internal_hashed: Add oauthbearer handler to our SASL profile
3 years ago
end;
oauthbearer = tokenauth.sasl_handler(provider, "oauth2", module:shared("tokenauth/oauthbearer_config"));
mod_auth_internal_hashed: Get rid of useless wrapper function new_hashpass_provider.
13 years ago
};
return new_sasl(host, testpass_authentication_profile);
end
Remove all trailing whitespace
13 years ago
mod_auth_*: Use module:provides().
13 years ago
module:provides("auth", provider);
Check in mod_hashpassauth -- works!
16 years ago