Software / code / prosody-modules
Changeset
6232:d72010642b31 draft default tip
Merge update
| author | Trần H. Trung <xmpp:trần.h.trung@trung.fun> |
|---|---|
| date | Fri, 11 Apr 2025 23:19:21 +0700 |
| parents | 6211:750d64c47ec6 (current diff) 6231:6b3deaa523ad (diff) |
| children | |
| files | mod_invites_page/mod_invites_page.lua |
| diffstat | 17 files changed, 144 insertions(+), 551 deletions(-) [+] |
line wrap: on
line diff
--- a/mod_admin_web/admin_web/mod_admin_web.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_admin_web/admin_web/mod_admin_web.lua Fri Apr 11 23:19:21 2025 +0700 @@ -123,14 +123,8 @@ module:depends("admin_adhoc"); module:depends("http"); - local serve; - if not pcall(function () - local http_files = require "net.http.files"; - serve = http_files.serve; - end) then - serve = module:depends"http_files".serve; - end - local serve_file = serve { + local http_files = require "net.http.files"; + local serve_file = http_files.serve { path = module:get_directory() .. "/www_files"; };
--- a/mod_cloud_notify_encrypted/README.md Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_cloud_notify_encrypted/README.md Fri Apr 11 23:19:21 2025 +0700 @@ -15,15 +15,19 @@ Details ======= -Add to modules_enabled, there are no configuration options. +Add to `modules_enabled`, there are no configuration options. -Depends on +When used with Prosody 0.12.x, it has an extra dependency on [luaossl](http://25thandclement.com/~william/projects/luaossl.html) which is available in Debian as [`lua-luaossl`](https://tracker.debian.org/pkg/lua-luaossl) or via `luarocks install luaossl`. -Compatibility -============= +Prosody 13.0.x and trunk does not require this. + +# Compatibility -Not tested, but hopefully works on 0.11.x and later. + Prosody Version Status + ----------------- ----------------------------------- + 13.0.x Works + 0.12.x Works (with `luaossl`, see above)
--- a/mod_cloud_notify_encrypted/mod_cloud_notify_encrypted.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_cloud_notify_encrypted/mod_cloud_notify_encrypted.lua Fri Apr 11 23:19:21 2025 +0700 @@ -1,13 +1,23 @@ local array = require "util.array"; local base64 = require "util.encodings".base64; local valid_utf8 = require "util.encodings".utf8.valid; -local ciphers = require "openssl.cipher"; +local have_crypto, crypto = pcall(require, "util.crypto"); local jid = require "util.jid"; local json = require "util.json"; local random = require "util.random"; local set = require "util.set"; local st = require "util.stanza"; +if not have_crypto then + local ossl_ciphers = require "openssl.cipher"; + crypto = {}; + -- FIXME: luaossl does not expose the EVP_CTRL_GCM_GET_TAG API, so we append 16 NUL bytes + -- Siskin does not validate the tag anyway. + function crypto.aes_128_gcm_encrypt(key, iv, message) + return ciphers.new("AES-128-GCM"):encrypt(key, iv):final(message)..string.rep("\0", 16); + end +end + local xmlns_jmi = "urn:xmpp:jingle-message:0"; local xmlns_jingle_apps_rtp = "urn:xmpp:jingle:apps:rtp:1"; local xmlns_push = "urn:xmpp:push:0"; @@ -127,9 +137,7 @@ local key_binary = base64.decode(encryption.key_base64); local push_json = json.encode(push_payload); - -- FIXME: luaossl does not expose the EVP_CTRL_GCM_GET_TAG API, so we append 16 NUL bytes - -- Siskin does not validate the tag anyway. - local encrypted_payload = base64.encode(ciphers.new("AES-128-GCM"):encrypt(key_binary, iv):final(push_json)..string.rep("\0", 16)); + local encrypted_payload = base64.encode(crypto.aes_128_gcm_encrypt(key_binary, iv, push_json)); local encrypted_element = st.stanza("encrypted", { xmlns = xmlns_push_encrypt, iv = base64.encode(iv) }) :text(encrypted_payload); if push_payload.type == "call" then
--- a/mod_conversejs/mod_conversejs.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_conversejs/mod_conversejs.lua Fri Apr 11 23:19:21 2025 +0700 @@ -28,17 +28,9 @@ local serve_dist = nil; local resources = module:get_option_path("conversejs_resources"); if resources then - local serve; - if prosody.process_type == "prosody" then - -- Prosody >= trunk / 0.12 - local http_files = require "net.http.files"; - serve = http_files.serve; - else - -- Prosody <= 0.11 - serve = module:depends "http_files".serve; - end + local http_files = require "net.http.files"; local mime_map = module:shared("/*/http_files/mime").types or {css = "text/css"; js = "application/javascript"}; - serve_dist = serve({path = resources; mime_map = mime_map}); + serve_dist = http_files.serve({path = resources; mime_map = mime_map}); cdn_url = module:http_url(); end
--- a/mod_http_libjs/mod_http_libjs.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_http_libjs/mod_http_libjs.lua Fri Apr 11 23:19:21 2025 +0700 @@ -1,16 +1,10 @@ +local http_files = require "net.http.files"; + local mime_map = module:shared("/*/http_files/mime").types or { css = "text/css", js = "application/javascript", }; -local serve; -if prosody.process_type == "prosody" then - local http_files = require "net.http.files"; - serve = http_files.serve; -else - serve = module:depends"http_files".serve; -end - local libjs_path = module:get_option_string("libjs_path", "/usr/share/javascript"); do -- sanity check @@ -25,6 +19,6 @@ module:provides("http", { default_path = "/share"; route = { - ["GET /*"] = serve({ path = libjs_path, mime_map = mime_map }); + ["GET /*"] = http_files.serve({ path = libjs_path, mime_map = mime_map }); } });
--- a/mod_http_muc_log/mod_http_muc_log.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_http_muc_log/mod_http_muc_log.lua Fri Apr 11 23:19:21 2025 +0700 @@ -581,16 +581,9 @@ local serve_static do - if prosody.process_type == "prosody" then - -- Prosody >= 0.12 - local http_files = require "net.http.files"; - serve = http_files.serve; - else - -- Prosody <= 0.11 - serve = module:depends "http_files".serve; - end + local http_files = require "net.http.files"; local mime_map = module:shared("/*/http_files/mime").types or { css = "text/css"; js = "application/javascript" }; - serve_static = serve({ path = resources; mime_map = mime_map }); + serve_static = http_files.serve({ path = resources; mime_map = mime_map }); end module:provides("http", {
--- a/mod_invite/mod_invite.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_invite/mod_invite.lua Fri Apr 11 23:19:21 2025 +0700 @@ -7,19 +7,12 @@ local rostermanager = require "core.rostermanager"; local tohtml = require "util.stanza".xml_escape local nodeprep = require "util.encodings".stringprep.nodeprep; +local http_files = require "net.http.files"; local tostring = tostring; local invite_storage = module:open_store(); local inviter_storage = module:open_store("inviter"); -local serve; -if prosody.process_type == "prosody" then - local http_files = require "net.http.files"; - serve = http_files.serve; -else - serve = module:depends"http_files".serve; -end - module:depends"adhoc"; module:depends"http"; @@ -132,7 +125,7 @@ module:provides("http", { route = { - ["GET /bootstrap.min.css"] = serve(module:get_directory() .. "/invite/bootstrap.min.css"); + ["GET /bootstrap.min.css"] = http_files.serve(module:get_directory() .. "/invite/bootstrap.min.css"); ["GET /*"] = generate_page; POST = handle_form; };
--- a/mod_invites_page/mod_invites_page.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_invites_page/mod_invites_page.lua Fri Apr 11 23:19:21 2025 +0700 @@ -34,12 +34,7 @@ -- Load HTTP-serving dependencies if prosody.shutdown then -- not if running under prosodyctl module:depends("http"); - - if prosody.process_type == "prosody" then - http_files = require "net.http.files"; - else - http_files = module:depends"http_files"; - end + http_files = require "net.http.files"; elseif prosody.process_type and module.get_option_period then module:depends("http"); http_files = require "net.http.files";
--- a/mod_jsxc/mod_jsxc.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_jsxc/mod_jsxc.lua Fri Apr 11 23:19:21 2025 +0700 @@ -19,17 +19,9 @@ local serve_dist = nil; local resources = module:get_option_path("jsxc_resources"); if resources then - local serve; - if prosody.process_type == "prosody" then - -- Prosody >= trunk / 0.12 - local http_files = require "net.http.files"; - serve = http_files.serve; - else - -- Prosody <= 0.11 - serve = module:depends "http_files".serve; - end + local http_files = require "net.http.files"; local mime_map = module:shared("/*/http_files/mime").types or { css = "text/css", js = "application/javascript" }; - serve_dist = serve({ path = resources, mime_map = mime_map }); + serve_dist = http_files.serve({ path = resources, mime_map = mime_map }); cdn_url = module:http_url(); end
--- a/mod_password_reset/mod_password_reset.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_password_reset/mod_password_reset.lua Fri Apr 11 23:19:21 2025 +0700 @@ -8,19 +8,12 @@ local dataforms_new = require "util.dataforms".new; local st = require "util.stanza"; local apply_template = require"util.interpolation".new("%b{}", st.xml_escape); +local http_files = require "net.http.files"; local reset_tokens = module:open_store(); local max_token_age = module:get_option_number("password_reset_validity", 86400); -local serve; -if prosody.process_type == "prosody" then - local http_files = require "net.http.files"; - serve = http_files.serve; -else - serve = module:depends"http_files".serve; -end - module:depends("adhoc"); module:depends("http"); local password_policy = module:depends("password_policy"); @@ -90,7 +83,7 @@ module:provides("http", { route = { - ["GET /bootstrap.min.css"] = serve(module:get_directory() .. "/password_reset/bootstrap.min.css"); + ["GET /bootstrap.min.css"] = http_files.serve(module:get_directory() .. "/password_reset/bootstrap.min.css"); ["GET /reset"] = generate_page; ["POST /reset"] = handle_form; };
--- a/mod_push2/README.md Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_push2/README.md Fri Apr 11 23:19:21 2025 +0700 @@ -16,6 +16,7 @@ ------------------------------------ ----------------- ------------------------------------------------------------------------------------------------------------------- `contact_uri` xmpp:server.tld Contact information for the server operator (usually as a `mailto:` URI is preferred) `push_max_hibernation_timeout` `259200` (72h) Number of seconds to extend the smacks timeout if no push was triggered yet (default: 72 hours) + `hibernate_past_first_push` `true` Keep hibernating using the `push_max_hibernation_timeout` even after first push Internal design notes =====================
--- a/mod_push2/mod_push2.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_push2/mod_push2.lua Fri Apr 11 23:19:21 2025 +0700 @@ -9,11 +9,14 @@ local crypto = require "util.crypto"; local jwt = require "util.jwt"; +pcall(function() module:depends("track_muc_joins") end) + local xmlns_push = "urn:xmpp:push2:0"; -- configuration local contact_uri = module:get_option_string("contact_uri", "xmpp:" .. module.host) local extended_hibernation_timeout = module:get_option_number("push_max_hibernation_timeout", 72*3600) -- use same timeout like ejabberd +local hibernate_past_first_push = module:get_option_boolean("hibernate_past_first_push", true) local host_sessions = prosody.hosts[module.host].sessions local push2_registrations = module:open_store("push2_registrations", "keyval") @@ -28,7 +31,22 @@ module:hook("account-disco-info", account_dico_info); local function parse_match(matchel) - local match = { match = matchel.attr.profile } + local match = { match = matchel.attr.profile, chats = {} } + + for chatel in matchel:childtags("chat") do + local chat = {} + if chatel:get_child("mention") then + chat.mention = true + end + if chatel:get_child("reply") then + chat.reply = true + end + match.chats[chatel.attr.jid] = chat + end + + match.grace = matchel:get_child_text("grace") + if match.grace then match.grace = tonumber(match.grace) end + local send = matchel:get_child("send", "urn:xmpp:push2:send:notify-only:0") if send then match.send = send.attr.xmlns @@ -156,7 +174,7 @@ end -- is this push a high priority one -local function is_important(stanza) +local function is_important(stanza, session) local is_voip_stanza, urgent_reason = is_voip(stanza) if is_voip_stanza then return true; end @@ -177,8 +195,17 @@ -- carbon copied outgoing messages are not important if carbon and stanza_direction == "out" then return false; end - -- groupchat subjects are not important here - if st_type == "groupchat" and stanza:get_child_text("subject") then + -- groupchat reflections are not important here + if st_type == "groupchat" and session and session.rooms_joined then + local muc = jid.bare(stanza.attr.from) + local from_nick = jid.resource(stanza.attr.from) + if from_nick == session.rooms_joined[muc] then + return false + end + end + + -- edits are not imporatnt + if stanza:get_child("replace", "urn:xmpp:message-correct:0") then return false end @@ -222,7 +249,7 @@ end if string.len(envelope_bytes) > max_data_size then local body = stanza:get_child_text("body") - if string.len(body) > 50 then + if body and string.len(body) > 50 then stanza_clone:maptags(function(el) if el.name == "body" then return nil @@ -251,8 +278,9 @@ end) envelope_bytes = tostring(envelope) end - if string.len(envelope_bytes) < max_data_size/2 then - envelope:text_tag("rpad", base64.encode(random.bytes(math.min(150, max_data_size/3 - string.len(envelope_bytes))))) + local padding_size = math.min(150, max_data_size/3 - string.len(envelope_bytes)) + if padding_size > 0 then + envelope:text_tag("rpad", base64.encode(random.bytes(padding_size))) envelope_bytes = tostring(envelope) end @@ -294,12 +322,12 @@ push_notification_payload:text_tag("jwt", signer(payload), { key = base64.encode(public_key) }) end -local function handle_notify_request(stanza, node, user_push_services, log_push_decline) +local function handle_notify_request(stanza, node, user_push_services, session, log_push_decline) local pushes = 0; if not #user_push_services then return pushes end local notify_push_services = {}; - if is_important(stanza) then + if is_important(stanza, session) then notify_push_services = user_push_services else for identifier, push_info in pairs(user_push_services) do @@ -329,7 +357,7 @@ if send_push then local push_notification_payload = st.stanza("notification", { xmlns = xmlns_push }) push_notification_payload:text_tag("client", push_info.client) - push_notification_payload:text_tag("priority", is_voip(stanza) and "high" or (is_important(stanza) and "normal" or "low")) + push_notification_payload:text_tag("priority", is_voip(stanza) and "high" or (is_important(stanza, session) and "normal" or "low")) if is_voip(stanza) then push_notification_payload:tag("voip"):up() end @@ -340,13 +368,47 @@ if match.match == "urn:xmpp:push2:match:all" then does_match = true elseif match.match == "urn:xmpp:push2:match:important" then - does_match = is_important(stanza) + does_match = is_important(stanza, session) elseif match.match == "urn:xmpp:push2:match:archived" then does_match = stanza:get_child("stana-id", "urn:xmpp:sid:0") elseif match.match == "urn:xmpp:push2:match:archived-with-body" then does_match = stanza:get_child("stana-id", "urn:xmpp:sid:0") and has_body(stanza) end + local to_user, to_host = jid.split(stanza.attr.to) + to_user = to_user or session.username + to_host = to_host or module.host + + -- If another session has recent activity within configured grace period, don't send push + if does_match and match.grace and to_host == module.host and host_sessions[to_user] then + local now = os_time() + for _, session in pairs(host_sessions[to_user].sessions) do + if session.last_activity and session.push_registration_id ~= push_registration_id and (now - session.last_activity) < match.grace then + does_match = false + end + end + end + + local chat = match.chats and (match.chats[stanza.attr.from] or match.chats[jid.bare(stanza.attr.from)] or match.chats[jid.host(stanza.attr.from)]) + if does_match and chat then + does_match = false + + local nick = (session.rooms_joined and session.rooms_joined[jid.bare(stanza.attr.from)]) or to_user + + if not does_match and chat.mention then + local body = stanza:get_child_text("body") + if body and body:find(nick, 1, true) then + does_match = true + end + end + if not does_match and chat.reply then + local reply = stanza:get_child("reply", "urn:xmpp:reply:0") + if reply and (reply.attr.to == to_user.."@"..to_host or (jid.bare(reply.attr.to) == jid.bare(stanza.attr.from) and jid.resource(reply.attr.to) == nick)) then + does_match = true + end + end + end + if does_match and not sends_added[match.send] then sends_added[match.send] = true if match.send == "urn:xmpp:push2:send:notify-only" then @@ -384,7 +446,7 @@ module:hook("message/offline/handle", function(event) local node, user_push_services = get_push_settings(event.stanza, event.origin); module:log("debug", "Invoking handle_notify_request() for offline stanza"); - handle_notify_request(event.stanza, node, user_push_services, true); + handle_notify_request(event.stanza, node, user_push_services, event.origin, true); end, 1); -- publish on bare groupchat @@ -402,7 +464,7 @@ end end - handle_notify_request(event.stanza, node, notify_push_services, true); + handle_notify_request(event.stanza, node, notify_push_services, event.origin, true); end, 1); local function process_stanza_queue(queue, session, queue_type) @@ -415,14 +477,14 @@ local node, all_push_services = get_push_settings(stanza, session) local user_push_services = {[session.push_registration_id] = all_push_services[session.push_registration_id]} local stanza_type = "unimportant"; - if is_important(stanza) then stanza_type = "important"; end + if is_important(stanza, session) then stanza_type = "important"; end if not notified[stanza_type] then -- only notify if we didn't try to push for this stanza type already - if handle_notify_request(stanza, node, user_push_services, false) ~= 0 then + if handle_notify_request(stanza, node, user_push_services, session, false) ~= 0 then if session.hibernating and not session.first_hibernated_push then -- if the message was important -- then record the time of first push in the session for the smack module which will extend its hibernation -- timeout based on the value of session.first_hibernated_push - if is_important(stanza) then + if is_important(stanza, session) and not hibernate_past_first_push then session.first_hibernated_push = os_time(); -- check for prosody 0.12 mod_smacks if session.hibernating_watchdog and session.original_smacks_callback and session.original_smacks_timeout then @@ -567,7 +629,7 @@ end end - handle_notify_request(stanza, to_user, notify_push_services, true); + handle_notify_request(stanza, to_user, notify_push_services, event.origin, true); end end @@ -577,6 +639,15 @@ module:hook("smacks-hibernation-stanza-queued", process_smacks_stanza); module:hook("archive-message-added", archive_message_added); +local function track_activity(event) + if has_body(event.stanza) or event.stanza:child_with_ns("http://jabber.org/protocol/chatstates") then + event.origin.last_activity = os_time() + end +end + +module:hook("pre-message/bare", track_activity) +module:hook("pre-message/full", track_activity) + module:log("info", "Module loaded"); function module.unload() module:log("info", "Unloading module");
--- a/mod_push2/push2.md Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_push2/push2.md Fri Apr 11 23:19:21 2025 +0700 @@ -15,6 +15,10 @@ <service>pusher@push.example.com</service> <client>https://push.example.com/adlfkjadafdasf</client> <match profile="urn:xmpp:push2:match:archived-with-body"> + <grace>144</grace> + <chat jid="somemuc@conference.example.com"> + <mention/> + </chat> <send xmlns="urn:xmpp:push2:send:notify-only:0"/> </match> </enable> @@ -26,6 +30,10 @@ The `<match/>` and `<send/>` elements define what profiles to use for matching stanzas and sending notifications. These are described later in this document. +The optional `<chat/>` child of `<match/>` allows extra filtering of pushes for only specific chats. No specified filters means muted, do not push. `<mention/>` means push on mentions, `<reply/>` means push on replies. + +The optional `<grace/>` child of `<match/>` allows specifying a "grace period" in seconds where activity on another session by the same user (such as sending a message) will temporarily pause sending push notifications. + ## Match and send profiles Different clients and push services have different requirements for push notifications, often due to the differing capabilities of target platforms.
--- a/mod_register_apps/mod_register_apps.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_register_apps/mod_register_apps.lua Fri Apr 11 23:19:21 2025 +0700 @@ -1,13 +1,6 @@ -- luacheck: ignore 631 module:depends("http"); -local http_files -if prosody.process_type then - -- Prosody >= 0.12 - http_files = require "net.http.files"; -else - -- Prosody <= 0.11 - http_files = module:depends "http_files"; -end +local http_files = require "net.http.files"; local app_config = module:get_option("site_apps", { { @@ -225,7 +218,7 @@ module:provides("http", { route = { - ["GET /assets/*"] = http_files and http_files.serve({ + ["GET /assets/*"] = http_files.serve({ path = module:get_directory().."/assets"; mime_map = mime_map; });
--- a/mod_s2s_auth_dane/README.md Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_s2s_auth_dane/README.md Fri Apr 11 23:19:21 2025 +0700 @@ -1,10 +1,16 @@ --- labels: -- Stage-Broken +- Stage-Obsolete - Type-S2SAuth summary: S2S authentication using DANE ... +::: {.alert .alert-warning} +This module no longer works with recent versions of Prosody. + +However, Prosody as of [13.0.0](//prosody.im/doc/release/13.0.0) ships with native support for [DANE](//prosody.im/doc/dnssec). +::: + Introduction ============
--- a/mod_s2s_auth_dane/mod_s2s_auth_dane.lua Tue Mar 18 00:31:36 2025 +0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,436 +0,0 @@ --- mod_s2s_auth_dane --- Copyright (C) 2013-2014 Kim Alvefur --- --- This file is MIT/X11 licensed. --- --- Implements DANE and Secure Delegation using DNS SRV as described in --- http://tools.ietf.org/html/draft-miller-xmpp-dnssec-prooftype --- --- Known issues: --- Could be done much cleaner if mod_s2s was using util.async --- --- TODO Things to test/handle: --- Negative or bogus answers --- No encryption offered --- Different hostname before and after STARTTLS - mod_s2s should complain --- Interaction with Dialback --- --- luacheck: ignore module - -module:set_global(); - -local have_async, async = pcall(require, "util.async"); -local noop = function () end -local unpack = table.unpack or _G.unpack; -local type = type; -local t_insert = table.insert; -local set = require"util.set"; -local dns_lookup = require"net.adns".lookup; -local hashes = require"util.hashes"; -local base64 = require"util.encodings".base64; -local idna_to_ascii = require "util.encodings".idna.to_ascii; -local idna_to_unicode = require"util.encodings".idna.to_unicode; -local nameprep = require"util.encodings".stringprep.nameprep; -local cert_verify_identity = require "util.x509".verify_identity; - -do - local net_dns = require"net.dns"; - if not net_dns.types or not net_dns.types[52] then - module:log("error", "No TLSA support available, DANE will not be supported"); - return - end -end - -local pat = "%-%-%-%-%-BEGIN ([A-Z ]+)%-%-%-%-%-\r?\n".. -"([0-9A-Za-z=+/\r\n]*)\r?\n%-%-%-%-%-END %1%-%-%-%-%-"; -local function pem2der(pem) - local typ, data = pem:match(pat); - if typ and data then - return base64.decode(data), typ; - end -end -local use_map = { ["DANE-EE"] = 3; ["DANE-TA"] = 2; ["PKIX-EE"] = 1; ["PKIX-CA"] = 0 } - -local implemented_uses = set.new { "DANE-EE", "PKIX-EE" }; -do - local cert_mt = debug.getregistry()["SSL:Certificate"]; - if cert_mt and cert_mt.__index.issued then - -- Need cert:issued() for these - implemented_uses:add("DANE-TA"); - implemented_uses:add("PKIX-CA"); - else - module:log("debug", "The cert:issued() method is unavailable, DANE-TA and PKIX-CA can't be enabled"); - end - if not cert_mt.__index.pubkey then - module:log("debug", "The cert:pubkey() method is unavailable, the SPKI usage can't be supported"); - end -end -local configured_uses = module:get_option_set("dane_uses", { "DANE-EE", "DANE-TA" }); -local enabled_uses = set.intersection(implemented_uses, configured_uses) / function(use) return use_map[use] end; -local unsupported = configured_uses - implemented_uses; -if not unsupported:empty() then - module:log("warn", "Unable to support DANE uses %s", tostring(unsupported)); -end - --- Find applicable TLSA records --- Takes a s2sin/out and a callback -local function dane_lookup(host_session, cb) - cb = cb or noop; - local log = host_session.log or module._log; - if host_session.dane ~= nil then return end -- Has already done a lookup - - if host_session.direction == "incoming" then - if not host_session.from_host then - log("debug", "Session doesn't have a 'from' host set"); - return; - end - -- We don't know what hostname or port to use for Incoming connections - -- so we do a SRV lookup and then request TLSA records for each SRV - -- Most servers will probably use the same certificate on outgoing - -- and incoming connections, so this should work well - local name = host_session.from_host and idna_to_ascii(host_session.from_host); - if not name then - log("warn", "Could not convert '%s' to ASCII for DNS lookup", tostring(host_session.from_host)); - return; - end - log("debug", "Querying SRV records from _xmpp-server._tcp.%s.", name); - host_session.dane = dns_lookup(function (answer, err) - host_session.dane = false; -- Mark that we already did the lookup - - if not answer then - log("debug", "Resolver error: %s", tostring(err)); - return cb(host_session); - end - - if answer.bogus then - log("warn", "Results are bogus!"); - -- Bad sign, probably not a good idea to do any fallback here - host_session.dane = answer; - elseif not answer.secure then - log("debug", "Results are not secure"); - return cb(host_session); - end - - local n = answer.n or #answer; - if n == 0 then - -- No SRV records, synthesize fallback host and port - -- this may behave oddly for connections in the other direction if - -- mod_s2s doesn't keep the answer around - answer[1] = { srv = { target = name, port = 5269 } }; - n = 1; - elseif n == 1 and answer[1].srv.target == '.' then - return cb(host_session); -- No service ... This shouldn't happen? - end - local srv_hosts = { answer = answer }; - host_session.srv_hosts = srv_hosts; - local dane; - for _, record in ipairs(answer) do - t_insert(srv_hosts, record.srv); - log("debug", "Querying TLSA record for %s:%d", record.srv.target, record.srv.port); - dns_lookup(function(dane_answer) - log("debug", "Got answer for %s:%d", record.srv.target, record.srv.port); - n = n - 1; - -- There are three kinds of answers - -- Insecure, Secure and Bogus - -- - -- We collect Secure answers for later use - -- - -- Insecure (legacy) answers are simply ignored - -- - -- If we get a Bogus (dnssec error) reply, keep the - -- status around. If there were only bogus replies, the - -- connection will be aborted. If there were at least - -- one non-Bogus reply, we proceed. If none of the - -- replies matched, we consider the connection insecure. - - if (dane_answer.bogus or dane_answer.secure) and not dane then - -- The first answer we care about - -- For services with only one SRV record, this will be the only one - log("debug", "First secure (or bogus) TLSA") - dane = dane_answer; - elseif dane_answer.bogus then - log("debug", "Got additional bogus TLSA") - dane.bogus = dane_answer.bogus; - elseif dane_answer.secure then - log("debug", "Got additional secure TLSA") - for _, dane_record in ipairs(dane_answer) do - t_insert(dane, dane_record); - end - end - if n == 0 then - if dane then - host_session.dane = dane; - if #dane > 0 and dane.bogus then - -- Got at least one non-bogus reply, - -- This should trigger a failure if one of them did not match - log("warn", "Ignoring bogus replies"); - dane.bogus = nil; - end - if #dane == 0 and dane.bogus == nil then - -- Got no usable data - host_session.dane = false; - end - end - return cb(host_session); - end - end, ("_%d._tcp.%s."):format(record.srv.port, record.srv.target), "TLSA"); - end - end, "_xmpp-server._tcp."..name..".", "SRV"); - return true; - elseif host_session.direction == "outgoing" then - -- Prosody has already done SRV lookups for outgoing session, so check if those are secure - local srv_hosts = host_session.srv_hosts; - if not ( srv_hosts and srv_hosts.answer and srv_hosts.answer.secure ) then - return; -- No secure SRV records, fall back to non-DANE mode - -- Empty response were not kept by older mod_s2s/s2sout - end - -- Do TLSA lookup for currently selected SRV record - local srv_choice = srv_hosts[host_session.srv_choice or 0] or { target = idna_to_ascii(host_session.to_host), port = 5269 }; - log("debug", "Querying TLSA record for %s:%d", srv_choice.target, srv_choice.port); - host_session.dane = dns_lookup(function(answer) - if answer and ((answer.secure and #answer > 0) or answer.bogus) then - srv_choice.dane = answer; - else - srv_choice.dane = false; - end - host_session.dane = srv_choice.dane; - return cb(host_session); - end, ("_%d._tcp.%s."):format(srv_choice.port, srv_choice.target), "TLSA"); - return true; - end -end - -local function pause(host_session) - host_session.log("debug", "Pausing connection until DANE lookup is completed"); - host_session.conn:pause() -end - -local function resume(host_session) - host_session.log("debug", "DANE lookup completed, resuming connection"); - host_session.conn:resume() -end - -if have_async then - function pause(host_session) - host_session.log("debug", "Pausing connection until DANE lookup is completed"); - local wait, done = async.waiter(); - host_session._done_waiting_for_dane = done; - wait(); - end - local function _resume(_, host_session) - if host_session._done_waiting_for_dane then - host_session.log("debug", "DANE lookup completed, resuming connection"); - host_session._done_waiting_for_dane(); - host_session._done_waiting_for_dane = nil; - end - end - function resume(host_session) - -- Something about the way luaunbound calls callbacks is messed up - if host_session._done_waiting_for_dane then - module:add_timer(0, _resume, host_session); - end - end -end - -local new_dane = module:get_option_boolean("use_dane", false); - -function module.add_host(module) - local function on_new_s2s(event) - local host_session = event.origin; - if host_session.type == "s2sout" or host_session.type == "s2sin" then - return; -- Already authenticated - end - if host_session.dane ~= nil then - return; -- Already done DANE lookup - end - dane_lookup(host_session, resume); - -- Let it run in parallel until we need to check the cert - end - - if not new_dane then - -- New outgoing connections - module:hook("stanza/http://etherx.jabber.org/streams:features", on_new_s2s, 501); - module:hook("s2sout-authenticate-legacy", on_new_s2s, 200); - end - - -- New incoming connections - module:hook("s2s-stream-features", on_new_s2s, 10); - - module:hook("s2s-authenticated", function(event) - local session = event.session; - if session.dane and type(session.dane) == "table" and next(session.dane) ~= nil and not session.secure then - -- TLSA record but no TLS, not ok. - -- TODO Optional? - -- Bogus replies should trigger this path - -- How does this interact with Dialback? - session:close({ - condition = "policy-violation", - text = "Encrypted server-to-server communication is required but was not " - ..((session.direction == "outgoing" and "offered") or "used") - }); - return false; - end - -- Cleanup - session.srv_hosts = nil; - end); -end - --- Compare one TLSA record against a certificate -local function one_dane_check(tlsa, cert, log) - local select, match, certdata = tlsa.select, tlsa.match; - - if select == 0 then - certdata = pem2der(cert:pem()); - elseif select == 1 and cert.pubkey then - certdata = pem2der(cert:pubkey()); - else - log("warn", "DANE selector %s is unsupported", tlsa:getSelector() or select); - return; - end - - if match == 1 then - certdata = hashes.sha256(certdata); - elseif match == 2 then - certdata = hashes.sha512(certdata); - elseif match ~= 0 then - log("warn", "DANE match rule %s is unsupported", tlsa:getMatchType() or match); - return; - end - - if #certdata ~= #tlsa.data then - log("warn", "Length mismatch: Cert: %d, TLSA: %d", #certdata, #tlsa.data); - end - return certdata == tlsa.data; -end - -module:hook("s2s-check-certificate", function(event) - local session, cert, host = event.session, event.cert, event.host; - if not cert then return end - local log = session.log or module._log; - local dane = session.dane; - if type(dane) ~= "table" then - if dane == nil and dane_lookup(session, resume) then - pause(session); - dane = session.dane; - end - end - if type(dane) == "table" then - local match_found, supported_found; - for i = 1, #dane do - local tlsa = dane[i].tlsa; - log("debug", "TLSA #%d: %s", i, tostring(tlsa)) - local use = tlsa.use; - - if enabled_uses:contains(use) then - -- DANE-EE or PKIX-EE - if use == 3 or use == 1 then - -- Should we check if the cert subject matches? - local is_match = one_dane_check(tlsa, cert, log); - if is_match ~= nil then - supported_found = true; - end - if is_match and use == 1 and session.cert_chain_status ~= "valid" then - -- for usage 1, PKIX-EE, the chain has to be valid already - log("debug", "PKIX-EE TLSA matches untrusted certificate"); - is_match = false; - end - if is_match then - log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); - session.cert_identity_status = "valid"; - if use == 3 then -- DANE-EE, chain status equals DNSSEC chain status - session.cert_chain_status = "valid"; - end - match_found = true; - dane.matching = tlsa; - break; - end - -- DANE-TA or PKIX-CA - elseif use == 2 or use == 0 then - supported_found = true; - local chain = session.conn:socket():getpeerchain(); - for c = 1, #chain do - local cacert = chain[c]; - local is_match = one_dane_check(tlsa, cacert, log); - if is_match ~= nil then - supported_found = true; - end - if is_match and not cacert:issued(cert, unpack(chain)) then - is_match = false; - end - if is_match and use == 0 and session.cert_chain_status ~= "valid" then - -- for usage 0, PKIX-CA, identity and chain has to be valid already - is_match = false; - end - if is_match then - log("info", "DANE validated ok for %s using %s", host, tlsa:getUsage()); - if use == 2 then -- DANE-TA - session.cert_identity_status = "valid"; - if cert_verify_identity(host, "xmpp-server", cert) then - session.cert_chain_status = "valid"; - -- else -- TODO Check against SRV target? - end - end - match_found = true; - dane.matching = tlsa; - break; - end - end - if match_found then break end - end - end - end - if supported_found and not match_found or dane.bogus then - -- No TLSA matched or response was bogus - local why = "No TLSA matched certificate"; - if dane.bogus then - why = "Bogus: "..tostring(dane.bogus); - end - log("warn", "DANE validation failed for %s: %s", host, why); - session.cert_identity_status = "invalid"; - session.cert_chain_status = "invalid"; - end - else - if session.cert_chain_status == "valid" and session.cert_identity_status ~= "valid" - and session.srv_hosts and session.srv_hosts.answer and session.srv_hosts.answer.secure then - local srv_hosts, srv_choice, srv_target = session.srv_hosts, session.srv_choice; - for i = srv_choice or 1, srv_choice or #srv_hosts do - srv_target = session.srv_hosts[i].target:gsub("%.?$",""); - log("debug", "Comparing certificate with Secure SRV target %s", srv_target); - srv_target = nameprep(idna_to_unicode(srv_target)); - if srv_target and cert_verify_identity(srv_target, "xmpp-server", cert) then - log("info", "Certificate for %s matches Secure SRV target %s", host, srv_target); - session.cert_identity_status = "valid"; - return; - end - end - end - end -end); - --- Telnet command -if module:get_option_set("modules_enabled", {}):contains("admin_telnet") then - module:depends("admin_telnet"); -- Make sure the env is there - local def_env = module:shared("admin_telnet/env"); - - local function annotate(session, line) - line = line or {}; - table.insert(line, "--"); - if session.dane == nil then - table.insert(line, "No DANE attempted, probably insecure SRV response"); - elseif session.dane == false then - table.insert(line, "DANE failed or response was insecure"); - elseif type(session.dane) ~= "table" then - table.insert(line, "Waiting for DANE records..."); - elseif session.dane.matching then - table.insert(line, "Matching DANE record:\n| " .. tostring(session.dane.matching)); - else - table.insert(line, "DANE records:\n| " .. tostring(session.dane)); - end - return table.concat(line, " "); - end - - function def_env.s2s:show_dane(...) - return self:show(..., annotate); - end -end -
--- a/mod_welcome_page/mod_welcome_page.lua Tue Mar 18 00:31:36 2025 +0700 +++ b/mod_welcome_page/mod_welcome_page.lua Fri Apr 11 23:19:21 2025 +0700 @@ -3,6 +3,7 @@ local render_html_template = require"util.interpolation".new("%b{}", st.xml_escape, { urlescape = url_escape; }); +local http_files = require "net.http.files"; local template_path = module:get_option_string("welcome_page_template_path", module:get_directory().."/html"); local user_vars = module:get_option("welcome_page_variables", {}); @@ -61,15 +62,6 @@ return 303; end -local http_files -if prosody.process_type == "prosody" then - -- Prosody >= 0.12 - http_files = require "net.http.files"; -else - -- Prosody <= 0.11 - http_files = module:depends "http_files"; -end - module:provides("http", { default_path = "/"; route = {
