Software / code / prosody
Annotate
plugins/mod_external_services.lua @ 13801:a5d5fefb8b68 13.0
mod_tls: Enable Prosody's certificate checking for incoming s2s connections (fixes #1916) (thanks Damian, Zash)
Various options in Prosody allow control over the behaviour of the certificate
verification process For example, some deployments choose to allow falling
back to traditional "dialback" authentication (XEP-0220), while others verify
via DANE, hard-coded fingerprints, or other custom plugins.
Implementing this flexibility requires us to override OpenSSL's default
certificate verification, to allow Prosody to verify the certificate itself,
apply custom policies and make decisions based on the outcome.
To enable our custom logic, we have to suppress OpenSSL's default behaviour of
aborting the connection with a TLS alert message. With LuaSec, this can be
achieved by using the verifyext "lsec_continue" flag.
We also need to use the lsec_ignore_purpose flag, because XMPP s2s uses server
certificates as "client" certificates (for mutual TLS verification in outgoing
s2s connections).
Commit 99d2100d2918 moved these settings out of the defaults and into mod_s2s,
because we only really need these changes for s2s, and they should be opt-in,
rather than automatically applied to all TLS services we offer.
That commit was incomplete, because it only added the flags for incoming
direct TLS connections. StartTLS connections are handled by mod_tls, which was
not applying the lsec_* flags. It previously worked because they were already
in the defaults.
This resulted in incoming s2s connections with "invalid" certificates being
aborted early by OpenSSL, even if settings such as `s2s_secure_auth = false`
or DANE were present in the config.
Outgoing s2s connections inherit verify "none" from the defaults, which means
OpenSSL will receive the cert but will not terminate the connection when it is
deemed invalid. This means we don't need lsec_continue there, and we also
don't need lsec_ignore_purpose (because the remote peer is a "server").
Wondering why we can't just use verify "none" for incoming s2s? It's because
in that mode, OpenSSL won't request a certificate from the peer for incoming
connections. Setting verify "peer" is how you ask OpenSSL to request a
certificate from the client, but also what triggers its built-in verification.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 01 Apr 2025 17:26:56 +0100 |
| parent | 13756:18f560dcc9e3 |
| rev | line source |
|---|---|
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12685
diff
changeset
|
2 local dt = require "prosody.util.datetime"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12685
diff
changeset
|
3 local base64 = require "prosody.util.encodings".base64; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12685
diff
changeset
|
4 local hashes = require "prosody.util.hashes"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12685
diff
changeset
|
5 local st = require "prosody.util.stanza"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12685
diff
changeset
|
6 local jid = require "prosody.util.jid"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12685
diff
changeset
|
7 local array = require "prosody.util.array"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12685
diff
changeset
|
8 local set = require "prosody.util.set"; |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local default_host = module:get_option_string("external_service_host", module.host); |
|
13213
50324f66ca2a
plugins: Use integer config API with interval specification where sensible
Kim Alvefur <zash@zash.se>
parents:
13209
diff
changeset
|
11 local default_port = module:get_option_integer("external_service_port", nil, 1, 65535); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 local default_secret = module:get_option_string("external_service_secret"); |
|
13209
c8d949cf6b09
plugins: Switch to :get_option_period() for time range options
Kim Alvefur <zash@zash.se>
parents:
12977
diff
changeset
|
13 local default_ttl = module:get_option_period("external_service_ttl", "1 day"); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 local configured_services = module:get_option_array("external_services", {}); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local access = module:get_option_set("external_service_access", {}); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 |
|
12685
4d75663d1552
mod_external_services: Update tools.ietf.org URL
Kim Alvefur <zash@zash.se>
parents:
12431
diff
changeset
|
19 -- https://datatracker.ietf.org/doc/html/draft-uberti-behave-turn-rest-00 |
|
11038
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
20 local function behave_turn_rest_credentials(srv, item, secret) |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
21 local ttl = default_ttl; |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
22 if type(item.ttl) == "number" then |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
23 ttl = item.ttl; |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
24 end |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
25 local expires = srv.expires or os.time() + ttl; |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
26 local username; |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
27 if type(item.username) == "string" then |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
28 username = string.format("%d:%s", expires, item.username); |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
29 else |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
30 username = string.format("%d", expires); |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
31 end |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
32 srv.username = username; |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
33 srv.password = base64.encode(hashes.hmac_sha1(secret, srv.username)); |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
34 end |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
35 |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
36 local algorithms = { |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
37 turn = behave_turn_rest_credentials; |
|
13756
18f560dcc9e3
mod_external_services: Also use TURN REST credential algo for 'turns' (thanks moreroid)
Matthew Wild <mwild1@gmail.com>
parents:
13213
diff
changeset
|
38 turns = behave_turn_rest_credentials; |
|
11038
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
39 } |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
40 |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 -- filter config into well-defined service records |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 local function prepare(item) |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 if type(item) ~= "table" then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 module:log("error", "Service definition is not a table: %q", item); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 return nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 local srv = { |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 type = nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 transport = nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 host = default_host; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 port = default_port; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 username = nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 password = nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 restricted = nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 expires = nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 }; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 if type(item.type) == "string" then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 srv.type = item.type; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 else |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 module:log("error", "Service missing mandatory 'type' field: %q", item); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 return nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 if type(item.transport) == "string" then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 srv.transport = item.transport; |
|
11933
f752427a5214
mod_external_services: Warn about missing recommended fields
Kim Alvefur <zash@zash.se>
parents:
11756
diff
changeset
|
67 else |
|
f752427a5214
mod_external_services: Warn about missing recommended fields
Kim Alvefur <zash@zash.se>
parents:
11756
diff
changeset
|
68 module:log("warn", "Service missing recommended 'transport' field: %q", item); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 if type(item.host) == "string" then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 srv.host = item.host; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 if type(item.port) == "number" then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
74 srv.port = item.port; |
|
11933
f752427a5214
mod_external_services: Warn about missing recommended fields
Kim Alvefur <zash@zash.se>
parents:
11756
diff
changeset
|
75 elseif not srv.port then |
|
f752427a5214
mod_external_services: Warn about missing recommended fields
Kim Alvefur <zash@zash.se>
parents:
11756
diff
changeset
|
76 module:log("warn", "Service missing recommended 'port' field: %q", item); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
77 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
78 if type(item.username) == "string" then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
79 srv.username = item.username; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
80 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
81 if type(item.password) == "string" then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
82 srv.password = item.password; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
83 srv.restricted = true; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
84 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
85 if item.restricted == true then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
86 srv.restricted = true; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
87 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
88 if type(item.expires) == "number" then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
89 srv.expires = item.expires; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
90 elseif type(item.ttl) == "number" then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
91 srv.expires = os.time() + item.ttl; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
92 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
93 if (item.secret == true and default_secret) or type(item.secret) == "string" then |
|
11039
ec6919401790
mod_external_services: Allow specifying a credential generation callback
Kim Alvefur <zash@zash.se>
parents:
11038
diff
changeset
|
94 local secret_cb = item.credentials_cb or algorithms[item.algorithm] or algorithms[srv.type]; |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
95 local secret = item.secret; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
96 if secret == true then |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
97 secret = default_secret; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
98 end |
|
11038
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
99 if secret_cb then |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
100 secret_cb(srv, item, secret); |
|
efefdf71373b
mod_external_services: Prepare to allow more credential algorithms
Kim Alvefur <zash@zash.se>
parents:
11037
diff
changeset
|
101 srv.restricted = true; |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
102 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
103 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
104 return srv; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
105 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
106 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
107 function module.load() |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
108 -- Trigger errors on startup |
|
11626
ef62d29c8fdc
mod_external_services: Also validate services added by other modules
Kim Alvefur <zash@zash.se>
parents:
11040
diff
changeset
|
109 local extras = module:get_host_items("external_service"); |
|
ef62d29c8fdc
mod_external_services: Also validate services added by other modules
Kim Alvefur <zash@zash.se>
parents:
11040
diff
changeset
|
110 local services = ( configured_services + extras ) / prepare; |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
111 if #services == 0 then |
|
11628
0807e835d3b5
mod_external_services: Report overall status as a module status
Kim Alvefur <zash@zash.se>
parents:
11627
diff
changeset
|
112 module:set_status("warn", "No services configured or all had errors"); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
113 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
114 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
115 |
|
11627
3a5212fd7e8e
mod_external_services: Validate items as they are added
Kim Alvefur <zash@zash.se>
parents:
11626
diff
changeset
|
116 module:handle_items("external_service", function(added) |
|
11628
0807e835d3b5
mod_external_services: Report overall status as a module status
Kim Alvefur <zash@zash.se>
parents:
11627
diff
changeset
|
117 if prepare(added.item) then |
|
0807e835d3b5
mod_external_services: Report overall status as a module status
Kim Alvefur <zash@zash.se>
parents:
11627
diff
changeset
|
118 module:set_status("core", "OK"); |
|
0807e835d3b5
mod_external_services: Report overall status as a module status
Kim Alvefur <zash@zash.se>
parents:
11627
diff
changeset
|
119 end |
|
11627
3a5212fd7e8e
mod_external_services: Validate items as they are added
Kim Alvefur <zash@zash.se>
parents:
11626
diff
changeset
|
120 end, module.load); |
|
3a5212fd7e8e
mod_external_services: Validate items as they are added
Kim Alvefur <zash@zash.se>
parents:
11626
diff
changeset
|
121 |
|
11040
c560531d9a6e
mod_external_services: Validate services added via events
Kim Alvefur <zash@zash.se>
parents:
11039
diff
changeset
|
122 -- Ensure only valid items are added in events |
|
c560531d9a6e
mod_external_services: Validate services added via events
Kim Alvefur <zash@zash.se>
parents:
11039
diff
changeset
|
123 local services_mt = { |
|
c560531d9a6e
mod_external_services: Validate services added via events
Kim Alvefur <zash@zash.se>
parents:
11039
diff
changeset
|
124 __index = getmetatable(array()).__index; |
|
c560531d9a6e
mod_external_services: Validate services added via events
Kim Alvefur <zash@zash.se>
parents:
11039
diff
changeset
|
125 __newindex = function (self, i, v) |
|
c560531d9a6e
mod_external_services: Validate services added via events
Kim Alvefur <zash@zash.se>
parents:
11039
diff
changeset
|
126 rawset(self, i, assert(prepare(v), "Invalid service entry added")); |
|
c560531d9a6e
mod_external_services: Validate services added via events
Kim Alvefur <zash@zash.se>
parents:
11039
diff
changeset
|
127 end; |
|
c560531d9a6e
mod_external_services: Validate services added via events
Kim Alvefur <zash@zash.se>
parents:
11039
diff
changeset
|
128 } |
|
c560531d9a6e
mod_external_services: Validate services added via events
Kim Alvefur <zash@zash.se>
parents:
11039
diff
changeset
|
129 |
|
11755
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
130 function get_services() |
|
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
131 local extras = module:get_host_items("external_service"); |
|
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
132 local services = ( configured_services + extras ) / prepare; |
|
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
133 |
|
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
134 setmetatable(services, services_mt); |
|
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
135 |
|
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
136 return services; |
|
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
137 end |
|
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
138 |
|
11756
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
139 function services_xml(services, name, namespace) |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
140 local reply = st.stanza(name or "services", { xmlns = namespace or "urn:xmpp:extdisco:2" }); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
141 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
142 for _, srv in ipairs(services) do |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
143 reply:tag("service", { |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
144 type = srv.type; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
145 transport = srv.transport; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
146 host = srv.host; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
147 port = srv.port and string.format("%d", srv.port) or nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
148 username = srv.username; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
149 password = srv.password; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
150 expires = srv.expires and dt.datetime(srv.expires) or nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
151 restricted = srv.restricted and "1" or nil; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
152 }):up(); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
153 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
154 |
|
11756
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
155 return reply; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
156 end |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
157 |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
158 local function handle_services(event) |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
159 local origin, stanza = event.origin, event.stanza; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
160 local action = stanza.tags[1]; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
161 |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
162 local user_bare = jid.bare(stanza.attr.from); |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
163 local user_host = jid.host(user_bare); |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
164 if not ((access:empty() and origin.type == "c2s") or access:contains(user_bare) or access:contains(user_host)) then |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
165 origin.send(st.error_reply(stanza, "auth", "forbidden")); |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
166 return true; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
167 end |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
168 |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
169 local services = get_services(); |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
170 |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
171 local requested_type = action.attr.type; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
172 if requested_type then |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
173 services:filter(function(item) |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
174 return item.type == requested_type; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
175 end); |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
176 end |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
177 |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
178 module:fire_event("external_service/services", { |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
179 origin = origin; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
180 stanza = stanza; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
181 requested_type = requested_type; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
182 services = services; |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
183 }); |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
184 |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
185 local reply = st.reply(stanza):add_child(services_xml(services, action.name, action.attr.xmlns)); |
|
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
186 |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
187 origin.send(reply); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
188 return true; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
189 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
190 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
191 local function handle_credentials(event) |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
192 local origin, stanza = event.origin, event.stanza; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
193 local action = stanza.tags[1]; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
194 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
195 if origin.type ~= "c2s" then |
|
12431
95f33a006c03
mod_external_services: Move error message to correct place (fix #1725)
Kim Alvefur <zash@zash.se>
parents:
11933
diff
changeset
|
196 origin.send(st.error_reply(stanza, "auth", "forbidden")); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
197 return true; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
198 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
199 |
|
11755
ae565e49289a
mod_external_services: Factor out public function returning current services
Kim Alvefur <zash@zash.se>
parents:
11754
diff
changeset
|
200 local services = get_services(); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
201 services:filter(function (item) |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
202 return item.restricted; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
203 end) |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
204 |
|
11754
21a9b3f2a728
mod_external_services: Filter services by requested credentials using a Set
Kim Alvefur <zash@zash.se>
parents:
11753
diff
changeset
|
205 local requested_credentials = set.new(); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
206 for service in action:childtags("service") do |
|
11753
c4599a7c534c
mod_external_services: Validate required attributes on credentials requests
Kim Alvefur <zash@zash.se>
parents:
11628
diff
changeset
|
207 if not service.attr.type or not service.attr.host then |
|
12431
95f33a006c03
mod_external_services: Move error message to correct place (fix #1725)
Kim Alvefur <zash@zash.se>
parents:
11933
diff
changeset
|
208 origin.send(st.error_reply(stanza, "modify", "bad-request", "The 'port' and 'type' attributes are required.")); |
|
11753
c4599a7c534c
mod_external_services: Validate required attributes on credentials requests
Kim Alvefur <zash@zash.se>
parents:
11628
diff
changeset
|
209 return true; |
|
c4599a7c534c
mod_external_services: Validate required attributes on credentials requests
Kim Alvefur <zash@zash.se>
parents:
11628
diff
changeset
|
210 end |
|
c4599a7c534c
mod_external_services: Validate required attributes on credentials requests
Kim Alvefur <zash@zash.se>
parents:
11628
diff
changeset
|
211 |
|
11754
21a9b3f2a728
mod_external_services: Filter services by requested credentials using a Set
Kim Alvefur <zash@zash.se>
parents:
11753
diff
changeset
|
212 requested_credentials:add(string.format("%s:%s:%d", service.attr.type, service.attr.host, |
|
21a9b3f2a728
mod_external_services: Filter services by requested credentials using a Set
Kim Alvefur <zash@zash.se>
parents:
11753
diff
changeset
|
213 tonumber(service.attr.port) or 0)); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
214 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
215 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
216 module:fire_event("external_service/credentials", { |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
217 origin = origin; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
218 stanza = stanza; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
219 requested_credentials = requested_credentials; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
220 services = services; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
221 }); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
222 |
|
11754
21a9b3f2a728
mod_external_services: Filter services by requested credentials using a Set
Kim Alvefur <zash@zash.se>
parents:
11753
diff
changeset
|
223 services:filter(function (srv) |
|
21a9b3f2a728
mod_external_services: Filter services by requested credentials using a Set
Kim Alvefur <zash@zash.se>
parents:
11753
diff
changeset
|
224 local port_key = string.format("%s:%s:%d", srv.type, srv.host, srv.port or 0); |
|
21a9b3f2a728
mod_external_services: Filter services by requested credentials using a Set
Kim Alvefur <zash@zash.se>
parents:
11753
diff
changeset
|
225 local portless_key = string.format("%s:%s:%d", srv.type, srv.host, 0); |
|
21a9b3f2a728
mod_external_services: Filter services by requested credentials using a Set
Kim Alvefur <zash@zash.se>
parents:
11753
diff
changeset
|
226 return requested_credentials:contains(port_key) or requested_credentials:contains(portless_key); |
|
21a9b3f2a728
mod_external_services: Filter services by requested credentials using a Set
Kim Alvefur <zash@zash.se>
parents:
11753
diff
changeset
|
227 end); |
|
21a9b3f2a728
mod_external_services: Filter services by requested credentials using a Set
Kim Alvefur <zash@zash.se>
parents:
11753
diff
changeset
|
228 |
|
11756
a0e17b7c8b05
mod_external_services: Factor out public function for converting to XML
Kim Alvefur <zash@zash.se>
parents:
11755
diff
changeset
|
229 local reply = st.reply(stanza):add_child(services_xml(services, action.name, action.attr.xmlns)); |
|
11036
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
230 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
231 origin.send(reply); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
232 return true; |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
233 end |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
234 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
235 -- XEP-0215 v0.7 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
236 module:add_feature("urn:xmpp:extdisco:2"); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
237 module:hook("iq-get/host/urn:xmpp:extdisco:2:services", handle_services); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
238 module:hook("iq-get/host/urn:xmpp:extdisco:2:credentials", handle_credentials); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
239 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
240 -- COMPAT XEP-0215 v0.6 |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
241 -- Those still on the old version gets to deal with undefined attributes until they upgrade. |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
242 module:add_feature("urn:xmpp:extdisco:1"); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
243 module:hook("iq-get/host/urn:xmpp:extdisco:1:services", handle_services); |
|
79e410cd7f6e
mod_external_services: XEP-0215: External Service Discovery
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
244 module:hook("iq-get/host/urn:xmpp:extdisco:1:credentials", handle_credentials); |
