prosody-modules
1a6cd0bbb7ab
mod_privilege/README.md

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

File

mod_privilege/README.md @ 6110:1a6cd0bbb7ab

mod_compliance_2023: Add 2023 Version of the compliance module, basis is the 2021 Version. diff --git a/mod_compliance_2023/README.md b/mod_compliance_2023/README.md new file mode 100644 --- /dev/null +++ b/mod_compliance_2023/README.md @@ -0,0 +1,22 @@ +--- +summary: XMPP Compliance Suites 2023 self-test +labels: +- Stage-Beta +rockspec: + dependencies: + - mod_cloud_notify + +... + +Compare the list of enabled modules with +[XEP-0479: XMPP Compliance Suites 2023] and produce basic report to the +Prosody log file. + +If installed with the Prosody plugin installer then all modules needed for a green checkmark should be included. (With prosody 0.12 only [mod_cloud_notify] is not included with prosody and we need the community module) + +# Compatibility + + Prosody-Version Status + --------------- ---------------------- + trunk Works as of 2024-12-21 + 0.12 Works diff --git a/mod_compliance_2023/mod_compliance_2023.lua b/mod_compliance_2023/mod_compliance_2023.lua new file mode 100644 --- /dev/null +++ b/mod_compliance_2023/mod_compliance_2023.lua @@ -0,0 +1,79 @@ +-- Copyright (c) 2021 Kim Alvefur +-- +-- This module is MIT licensed. + +local hostmanager = require "core.hostmanager"; + +local array = require "util.array"; +local set = require "util.set"; + +local modules_enabled = module:get_option_inherited_set("modules_enabled"); + +for host in pairs(hostmanager.get_children(module.host)) do + local component = module:context(host):get_option_string("component_module"); + if component then + modules_enabled:add(component); + modules_enabled:include(module:context(host):get_option_set("modules_enabled", {})); + end +end + +local function check(suggested, alternate, ...) + if set.intersection(modules_enabled, set.new({suggested; alternate; ...})):empty() then return suggested; end + return false; +end + +local compliance = { + array {"Server"; check("tls"); check("disco")}; + + array {"Advanced Server"; check("pep", "pep_simple")}; + + array {"Web"; check("bosh"); check("websocket")}; + + -- No Server requirements for Advanced Web + + array {"IM"; check("vcard_legacy", "vcard"); check("carbons"); check("http_file_share", "http_upload")}; + + array { + "Advanced IM"; + check("vcard_legacy", "vcard"); + check("blocklist"); + check("muc"); + check("private"); + check("smacks"); + check("mam"); + check("bookmarks"); + }; + + array {"Mobile"; check("smacks"); check("csi_simple", "csi_battery_saver")}; + + array {"Advanced Mobile"; check("cloud_notify")}; + + array {"A/V Calling"; check("turn_external", "external_services", "turncredentials", "extdisco")}; + +}; + +function check_compliance() + local compliant = true; + for _, suite in ipairs(compliance) do + local section = suite:pop(1); + if module:get_option_boolean("compliance_" .. section:lower():gsub("%A", "_"), true) then + local missing = set.new(suite:filter(function(m) return type(m) == "string" end):map(function(m) return "mod_" .. m end)); + if suite[1] then + if compliant then + compliant = false; + module:log("warn", "Missing some modules for XMPP Compliance 2023"); + end + module:log("info", "%s Compliance: %s", section, missing); + end + end + end + + if compliant then module:log("info", "XMPP Compliance 2023: Compliant ✔️"); end +end + +if prosody.start_time then + check_compliance() +else + module:hook_global("server-started", check_compliance); +end +
author Menel <menel@snikket.de>
date Sun, 22 Dec 2024 16:06:28 +0100
parent 6003:fe081789f7b5
line wrap: on
line source

---
labels:
- 'Stage-Beta'
summary: 'XEP-0356 (Privileged Entity) implementation'
...

Introduction
============

Privileged Entity is an extension which allows entity/component to have
privileged access to server (set/get roster, send message on behalf of server,
send IQ stanza on behalf of user, access presence information). It can be used
to build services independently of server (e.g.: PEP service).

Details
=======

You can have all the details by reading the
[XEP-0356](http://xmpp.org/extensions/xep-0356.html).

Only the latest version of the XEP is implemented (using namespace
`urn:xmpp:privilege:2`), if your component use an older version, please update.

Note that roster permission is not fully implemented yet, roster pushes are not yet sent
to privileged entity.

Usage
=====

To use the module, like usual add **"privilege"** to your
modules\_enabled. Note that if you use it with a local component, you
also need to activate the module in your component section:

    modules_enabled = {
            [...]
        
            "privilege";
    }

    [...]

    Component "pubsub.yourdomain.tld"
        component_secret = "yourpassword"
        modules_enabled = {"privilege"}

then specify privileged entities **in your host section** like that:

    VirtualHost "yourdomain.tld"

        privileged_entities = {
            ["romeo@montaigu.lit"] = {
                roster = "get";
                presence = "managed_entity";
            },
            ["juliet@capulet.lit"] = {
                roster = "both";
                message = "outgoing";
                presence = "roster";
            },
            ["pubsub.yourdomain.tld"] = {
                roster = "get";
                message = "outgoing";
                presence = "roster";
                iq = {
                    ["http://jabber.org/protocol/pubsub"] = "set";
                };
            },
        }

Here *romeo@montaigu.lit* can **get** roster of anybody on the host, and will
**have presence for any user** of the host, while *juliet@capulet.lit* can
**get** and **set** a roster, **send messages** on behalf of the server, and
**access presence of anybody linked to the host** (not only people on the
server, but also people in rosters of users of the server).

*pubsub.yourdomain.tld* is a Pubsub/PEP component which can **get** roster of
anybody on the host, **send messages** on the behalf of the server, **access
presence of anybody linked to the host**, and **send IQ stanza of type "set" for
the namespace "http://jabber.org/protocol/pubsub"** (this can be used to
implement XEP-0376 "Pubsub Account Management").

**/!\\ Be extra careful when you give a permission to an entity/component, it's
a powerful access, only do it if you absolutely trust the component/entity, and
you know where the software is coming from**

Configuration
=============

roster
------

All the permissions give access to all accounts of the virtual host.

  -------- ------------------------------------------------ ----------------------
  roster   none *(default)*                                 No access to rosters
  get      Allow **read** access to rosters                 
  set      Allow **write** access to rosters                
  both     Allow **read** and **write** access to rosters   
  -------- ------------------------------------------------ ----------------------

Note that roster implementation is incomplete at the moment, roster pushes are not yet
send to privileged entity.

message
-------

  ------------------ ------------------------------------------------------------
  none *(default)*   Can't send message from server
  outgoing           Allow to send message on behalf of server (from bare jids)
  ------------------ ------------------------------------------------------------

presence
--------

  ------------------ ------------------------------------------------------------------------------------------------
  none *(default)*   Do not have extra presence information
  managed\_entity    Receive presence stanzas (except subscriptions) from host users
  roster             Receive all presence stanzas (except subsciptions) from host users and people in their rosters
  ------------------ ------------------------------------------------------------------------------------------------

iq
--

IQ permission is a table mapping allowed namespaces to allowed stanza type. When
a namespace is specified, IQ stanza of the specified type (see below) can be
sent if and only if the first child element of the IQ stanza has the specified
namespace. See https://xmpp.org/extensions/xep-0356.html#iq for details.

Allowed stanza type:

  -------- -------------------------------------------
  get      Allow IQ stanza of type **get**
  set      Allow IQ stanza of type **set**
  both     Allow IQ stanza of type **get** and **set**
  -------- -------------------------------------------

Compatibility
=============

If you use it with Prosody 0.9 and with a component, you need to patch
core/mod\_component.lua to fire a new signal. To do it, copy the
following patch in a, for example, /tmp/component.patch file:

``` {.patch}
    diff --git a/plugins/mod_component.lua b/plugins/mod_component.lua
    --- a/plugins/mod_component.lua
    +++ b/plugins/mod_component.lua
    @@ -85,6 +85,7 @@
                    session.type = "component";
                    module:log("info", "External component successfully authenticated");
                    session.send(st.stanza("handshake"));
    +               module:fire_event("component-authenticated", { session = session });
     
                    return true;
            end
```

Then, at the root of prosody, enter:

`patch -p1 < /tmp/component.patch`

  ----- --------------------------------------------------
  trunk Works
  0.12  Works
  0.11  Works
  0.10  Works
  0.9   Need a patched core/mod\_component.lua (see above)
  ----- --------------------------------------------------

Note
====

This module is often used with mod\_delegation (c.f. XEP for more details)