Software /
code /
prosody-modules
File
mod_debug_omemo/mod_debug_omemo.lua @ 5193:2bb29ece216b
mod_http_oauth2: Implement stateless dynamic client registration
Replaces previous explicit registration that required either the
additional module mod_adhoc_oauth2_client or manually editing the
database. That method was enough to have something to test with, but
would not probably not scale easily.
Dynamic client registration allows creating clients on the fly, which
may be even easier in theory.
In order to not allow basically unauthenticated writes to the database,
we implement a stateless model here.
per_host_key := HMAC(config -> oauth2_registration_key, hostname)
client_id := JWT { client metadata } signed with per_host_key
client_secret := HMAC(per_host_key, client_id)
This should ensure everything we need to know is part of the client_id,
allowing redirects etc to be validated, and the client_secret can be
validated with only the client_id and the per_host_key.
A nonce injected into the client_id JWT should ensure nobody can submit
the same client metadata and retrieve the same client_secret
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 03 Mar 2023 21:14:19 +0100 |
parent | 4689:ecfffbbcbf42 |
line wrap: on
line source
local array = require "util.array"; local jid = require "util.jid"; local set = require "util.set"; local st = require "util.stanza"; local url_escape = require "util.http".urlencode; local base_url = "https://"..module.host.."/"; local render_html_template = require"util.interpolation".new("%b{}", st.xml_escape, { urlescape = url_escape; lower = string.lower; classname = function (s) return (s:gsub("%W+", "-")); end; relurl = function (s) if s:match("^%w+://") then return s; end return base_url.."/"..s; end; }); local render_url = require "util.interpolation".new("%b{}", url_escape, { urlescape = url_escape; noscheme = function (url) return (url:gsub("^[^:]+:", "")); end; }); local mod_pep = module:depends("pep"); local mam = module:open_store("archive", "archive"); local function get_user_omemo_info(username) local everything_valid = true; local any_device = false; local omemo_status = {}; local omemo_devices; local pep_service = mod_pep.get_pep_service(username); if pep_service and pep_service.nodes then local ok, _, device_list = pep_service:get_last_item("eu.siacs.conversations.axolotl.devicelist", true); if ok and device_list then device_list = device_list:get_child("list", "eu.siacs.conversations.axolotl"); end if device_list then omemo_devices = {}; for device_entry in device_list:childtags("device") do any_device = true; local device_info = {}; local device_id = tonumber(device_entry.attr.id or ""); if device_id then device_info.id = device_id; local bundle_id = ("eu.siacs.conversations.axolotl.bundles:%d"):format(device_id); local have_bundle, _, bundle = pep_service:get_last_item(bundle_id, true); if have_bundle and bundle and bundle:get_child("bundle", "eu.siacs.conversations.axolotl") then device_info.have_bundle = true; local config_ok, bundle_config = pep_service:get_node_config(bundle_id, true); if config_ok and bundle_config then device_info.bundle_config = bundle_config; if bundle_config.max_items == 1 and bundle_config.access_model == "open" and bundle_config.persist_items == true and bundle_config.publish_model == "publishers" then device_info.valid = true; end end end end if device_info.valid == nil then device_info.valid = false; everything_valid = false; end table.insert(omemo_devices, device_info); end local config_ok, list_config = pep_service:get_node_config("eu.siacs.conversations.axolotl.devicelist", true); if config_ok and list_config then omemo_status.config = list_config; if list_config.max_items == 1 and list_config.access_model == "open" and list_config.persist_items == true and list_config.publish_model == "publishers" then omemo_status.config_valid = true; end end if omemo_status.config_valid == nil then omemo_status.config_valid = false; everything_valid = false; end end end omemo_status.valid = everything_valid and any_device; return { status = omemo_status; devices = omemo_devices; }; end local access_model_text = { open = "Public"; whitelist = "Private"; roster = "Contacts only"; presence = "Contacts only"; }; local function get_message(username, message_id) if mam.get then return mam:get(username, message_id); end -- COMPAT local message; for _, result in mam:find(username, { key = message_id }) do message = result; end return message; end local function render_message(event, path) local username, message_id = path:match("^([^/]+)/(.+)$"); if not username then return 400; end local message = get_message(username, message_id); if not message then return 404; end local user_omemo_status = get_user_omemo_info(username); local user_rids = set.new(array.pluck(user_omemo_status.devices or {}, "id")) / tostring; local message_omemo_header = message:find("{eu.siacs.conversations.axolotl}encrypted/header"); local message_rids = set.new(); local rid_info = {}; if message_omemo_header then for key_el in message_omemo_header:childtags("key") do local rid = key_el.attr.rid; if rid then message_rids:add(rid); local prekey = key_el.attr.prekey; rid_info = { prekey = prekey and (prekey == "1" or prekey:lower() == "true"); }; end end end local rids = user_rids + message_rids; local direction = jid.bare(message.attr.to) == (username.."@"..module.host) and "incoming" or "outgoing"; local is_encrypted = not not message_omemo_header; local sender_id = message_omemo_header and message_omemo_header.attr.sid or nil; local f = module:load_resource("view.tpl.html"); if not f then return 500; end local tpl = f:read("*a"); local data = { user = username, rids = {} }; for rid in rids do data.rids[rid] = { status = message_rids:contains(rid) and "Encrypted" or user_rids:contains(rid) and "Missing" or nil; prekey = rid_info.prekey; }; end data.message = { type = message.attr.type or "normal"; direction = direction; encryption = is_encrypted and "encrypted" or "unencrypted"; has_any_keys = not message_rids:empty(); has_no_keys = message_rids:empty(); }; data.omemo = { sender_id = sender_id; status = user_omemo_status.status.valid and "no known issues" or "problems"; }; data.omemo.devices = {}; if user_omemo_status.devices then for _, device_info in ipairs(user_omemo_status.devices) do data.omemo.devices[("%d"):format(device_info.id)] = { status = device_info.valid and "OK" or "Problem"; bundle = device_info.have_bundle and "Published" or "Missing"; access_model = access_model_text[device_info.bundle_config and device_info.bundle_config.access_model or nil]; }; end else data.omemo.devices[false] = { status = "No devices have published OMEMO keys on this account" }; end event.response.headers.content_type = "text/html; charset=utf-8"; return render_html_template(tpl, data); end local function check_omemo_fallback(event) local message = event.stanza; local message_omemo_header = message:find("{eu.siacs.conversations.axolotl}encrypted/header"); if not message_omemo_header then return; end local to_bare = jid.bare(message.attr.to); local archive_stanza_id; for stanza_id_tag in message:childtags("stanza-id", "urn:xmpp:sid:0") do if stanza_id_tag.attr.by == to_bare then archive_stanza_id = stanza_id_tag.attr.id; end end if not archive_stanza_id then return; end local debug_url = render_url(module:http_url().."/view/{username}/{message_id}", { username = jid.node(to_bare); message_id = archive_stanza_id; }); local body = message:get_child("body"); if not body then body = st.stanza("body") :text("This message is encrypted using OMEMO, but could not be decrypted by your device.\nFor more information see: "..debug_url); message:reset():add_child(body); else body:text("\n\nOMEMO debug information: "..debug_url); end end module:hook("message/bare", check_omemo_fallback, -0.5); module:hook("message/full", check_omemo_fallback, -0.5); module:depends("http") module:provides("http", { route = { ["GET /view/*"] = render_message; }; });