annotate mod_privilege/mod_privilege.lua @ 5298:12f7d8b901e0

mod_audit: Support for adding location (GeoIP) to audit events This can be more privacy-friendly than logging full IP addresses, and also more informative to a user - IP addresses don't mean much to the average person, however if they see activity from outside their expected country, they can immediately identify suspicious activity. As with IPs, this field is configurable for deployments that would like to disable it. Location is also not logged when the geoip library is not available.
author Matthew Wild <mwild1@gmail.com>
date Sat, 01 Apr 2023 13:11:53 +0100
parents cce12a660b98
children a88c43de648c
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
1 -- XEP-0356 (Privileged Entity)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
2 -- Copyright (C) 2015-2022 Jérôme Poisson
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
3 --
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
4 -- This module is MIT/X11 licensed. Please see the
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
5 -- COPYING file in the source package for more information.
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
6 --
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
7 -- Some parts come from mod_remote_roster (module by Waqas Hussain and Kim Alvefur, see https://code.google.com/p/prosody-modules/)
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
8
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
9 -- TODO: manage external <presence/> (for "roster" presence permission) when the account with the roster is offline
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
10
1990
c4da3d9f212d mod_privilege: fixed imports, using "/" instead of "." was causing caching issues
Goffi <goffi@goffi.org>
parents: 1989
diff changeset
11 local jid = require("util.jid")
c4da3d9f212d mod_privilege: fixed imports, using "/" instead of "." was causing caching issues
Goffi <goffi@goffi.org>
parents: 1989
diff changeset
12 local set = require("util.set")
c4da3d9f212d mod_privilege: fixed imports, using "/" instead of "." was causing caching issues
Goffi <goffi@goffi.org>
parents: 1989
diff changeset
13 local st = require("util.stanza")
c4da3d9f212d mod_privilege: fixed imports, using "/" instead of "." was causing caching issues
Goffi <goffi@goffi.org>
parents: 1989
diff changeset
14 local roster_manager = require("core.rostermanager")
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
15 local usermanager_user_exists = require "core.usermanager".user_exists
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
16 local hosts = prosody.hosts
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
17 local full_sessions = prosody.full_sessions
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
18
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
19 local priv_session = module:shared("/*/privilege/session")
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
20
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
21 if priv_session.connected_cb == nil then
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
22 -- set used to have connected event listeners
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
23 -- which allows a host to react on events from
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
24 -- other hosts
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
25 priv_session.connected_cb = set.new()
1663
ca07a6ada631 mod_privilege: presence permission configuration check + use global set to know privileged entities to advertise
Goffi <goffi@goffi.org>
parents: 1662
diff changeset
26 end
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
27 local connected_cb = priv_session.connected_cb
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
28
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
29 -- the folowing sets are used to forward presence stanza
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
30 -- the folowing sets are used to forward presence stanza
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
31 local presence_man_ent = set.new()
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
32 local presence_roster = set.new()
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
33
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
34 local _ALLOWED_ROSTER = set.new({'none', 'get', 'set', 'both'})
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
35 local _ROSTER_GET_PERM = set.new({'get', 'both'})
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
36 local _ROSTER_SET_PERM = set.new({'set', 'both'})
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
37 local _ALLOWED_MESSAGE = set.new({'none', 'outgoing'})
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
38 local _ALLOWED_PRESENCE = set.new({'none', 'managed_entity', 'roster'})
1665
746d94f37a4c mod_privilege: presence already known are advertised to privileged entity (for "maneger_entity" permission only so far)
Goffi <goffi@goffi.org>
parents: 1664
diff changeset
39 local _PRESENCE_MANAGED = set.new({'managed_entity', 'roster'})
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
40 local _TO_CHECK = {roster=_ALLOWED_ROSTER, message=_ALLOWED_MESSAGE, presence=_ALLOWED_PRESENCE}
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
41 local _PRIV_ENT_NS = 'urn:xmpp:privilege:2'
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
42 local _FORWARDED_NS = 'urn:xmpp:forward:0'
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
43 local _MODULE_HOST = module:get_host()
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
44
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
45
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
46 module:log("debug", "Loading privileged entity module ")
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
47
1663
ca07a6ada631 mod_privilege: presence permission configuration check + use global set to know privileged entities to advertise
Goffi <goffi@goffi.org>
parents: 1662
diff changeset
48
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
49 --> Permissions management <--
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
50
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
51 local config_priv = module:get_option("privileged_entities", {})
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
52
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
53 local function get_session_privileges(session, host)
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
54 if not session.privileges then return nil end
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
55 return session.privileges[host]
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
56 end
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
57
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
58
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
59 local function advertise_perm(session, to_jid, perms)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
60 -- send <message/> stanza to advertise permissions
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
61 -- as expained in § 4.2
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
62 local message = st.message({from=module.host, to=to_jid})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
63 :tag("privilege", {xmlns=_PRIV_ENT_NS})
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
64
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
65 for _, perm in pairs({'roster', 'message', 'presence'}) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
66 if perms[perm] then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
67 message:tag("perm", {access=perm, type=perms[perm]}):up()
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
68 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
69 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
70 local iq_perm = perms["iq"]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
71 if iq_perm ~= nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
72 message:tag("perm", {access="iq"})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
73 for namespace, ns_perm in pairs(iq_perm) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
74 local perm_type
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
75 if ns_perm.set and ns_perm.get then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
76 perm_type = "both"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
77 elseif ns_perm.set then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
78 perm_type = "set"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
79 elseif ns_perm.get then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
80 perm_type = "get"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
81 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
82 perm_type = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
83 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
84 message:tag("namespace", {ns=namespace, type=perm_type})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
85 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
86 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
87 session.send(message)
1662
d440a22fa0af mod_privilege: advertise_perm method now use session.send instead of module:send to avoid to go back in hook
Goffi <goffi@goffi.org>
parents: 1661
diff changeset
88 end
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
89
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
90 local function set_presence_perm_set(to_jid, perms)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
91 -- fill the presence sets according to perms
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
92 if _PRESENCE_MANAGED:contains(perms.presence) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
93 presence_man_ent:add(to_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
94 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
95 if perms.presence == 'roster' then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
96 presence_roster:add(to_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
97 end
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
98 end
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
99
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
100 local function advertise_presences(session, to_jid, perms)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
101 -- send presence status for already connected entities
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
102 -- as explained in § 7.1
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
103 -- people in roster are probed only for active sessions
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
104 -- TODO: manage roster load for inactive sessions
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
105 if not perms.presence then return; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
106 local to_probe = {}
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
107 for _, user_session in pairs(full_sessions) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
108 if user_session.presence and _PRESENCE_MANAGED:contains(perms.presence) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
109 local presence = st.clone(user_session.presence)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
110 presence.attr.to = to_jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
111 module:log("debug", "sending current presence for "..tostring(user_session.full_jid))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
112 session.send(presence)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
113 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
114 if perms.presence == "roster" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
115 -- we reset the cache to avoid to miss a presence that just changed
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
116 priv_session.last_presence = nil
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
117
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
118 if user_session.roster then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
119 local bare_jid = jid.bare(user_session.full_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
120 for entity, item in pairs(user_session.roster) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
121 if entity~=false and entity~="pending" and (item.subscription=="both" or item.subscription=="to") then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
122 local _, host = jid.split(entity)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
123 if not hosts[host] then -- we don't probe jid from hosts we manage
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
124 -- using a table with entity as key avoid probing several time the same one
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
125 to_probe[entity] = bare_jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
126 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
127 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
128 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
129 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
130 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
131 end
1667
c81a981479d4 mod_privilege: implemented probing of rosters items (for existing sessions only) on connection + use a globally shared table for priv_session (and fixed last_presence)
Goffi <goffi@goffi.org>
parents: 1666
diff changeset
132
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
133 -- now we probe peoples for "roster" presence permission
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
134 for probe_to, probe_from in pairs(to_probe) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
135 module:log("debug", "probing presence for %s (on behalf of %s)", tostring(probe_to), tostring(probe_from))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
136 local probe = st.presence({from=probe_from, to=probe_to, type="probe"})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
137 prosody.core_route_stanza(nil, probe)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
138 end
1665
746d94f37a4c mod_privilege: presence already known are advertised to privileged entity (for "maneger_entity" permission only so far)
Goffi <goffi@goffi.org>
parents: 1664
diff changeset
139 end
746d94f37a4c mod_privilege: presence already known are advertised to privileged entity (for "maneger_entity" permission only so far)
Goffi <goffi@goffi.org>
parents: 1664
diff changeset
140
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
141
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
142 local function on_auth(event)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
143 -- Check if entity is privileged according to configuration,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
144 -- and set session.privileges accordingly
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
145
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
146 local session = event.session
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
147 local bare_jid = jid.join(session.username, session.host)
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
148 if not session.privileges then
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
149 session.privileges = {}
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
150 end
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
151
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
152 local conf_ent_priv = config_priv[bare_jid]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
153 local ent_priv = {}
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
154 if conf_ent_priv ~= nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
155 module:log("debug", "Entity is privileged")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
156 for perm_type, allowed_values in pairs(_TO_CHECK) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
157 local value = conf_ent_priv[perm_type]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
158 if value ~= nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
159 if not allowed_values:contains(value) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
160 module:log('warn', 'Invalid value for '..perm_type..' privilege: ['..value..']')
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
161 module:log('warn', 'Setting '..perm_type..' privilege to none')
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
162 ent_priv[perm_type] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
163 elseif value == 'none' then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
164 ent_priv[perm_type] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
165 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
166 ent_priv[perm_type] = value
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
167 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
168 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
169 ent_priv[perm_type] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
170 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
171 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
172 -- extra checks for presence permission
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
173 if ent_priv.presence == 'roster' and not _ROSTER_GET_PERM:contains(ent_priv.roster) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
174 module:log("warn", "Can't allow roster presence privilege without roster \"get\" privilege")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
175 module:log("warn", "Setting presence permission to none")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
176 ent_priv.presence = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
177 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
178 -- iq permission
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
179 local iq_perm_config = conf_ent_priv["iq"]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
180 if iq_perm_config ~= nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
181 local iq_perm = {}
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
182 ent_priv["iq"] = iq_perm
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
183 for ns, ns_perm_config in pairs(iq_perm_config) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
184 iq_perm[ns] = {
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
185 ["get"] = ns_perm_config == "get" or ns_perm_config == "both",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
186 ["set"] = ns_perm_config == "set" or ns_perm_config == "both"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
187 }
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
188 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
189 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
190 ent_priv["iq"] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
191 end
1663
ca07a6ada631 mod_privilege: presence permission configuration check + use global set to know privileged entities to advertise
Goffi <goffi@goffi.org>
parents: 1662
diff changeset
192
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
193 if session.type == "component" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
194 -- we send the message stanza only for component
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
195 -- it will be sent at first <presence/> for other entities
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
196 advertise_perm(session, bare_jid, ent_priv)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
197 set_presence_perm_set(bare_jid, ent_priv)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
198 advertise_presences(session, bare_jid, ent_priv)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
199 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
200 end
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
201
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
202 session.privileges[_MODULE_HOST] = ent_priv
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
203 end
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
204
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
205 local function on_presence(event)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
206 -- Permission are already checked at this point,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
207 -- we only advertise them to the entity
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
208 local session = event.origin
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
209 local session_privileges = get_session_privileges(session, _MODULE_HOST)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
210 if session_privileges then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
211 advertise_perm(session, session.full_jid, session_privileges)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
212 set_presence_perm_set(session.full_jid, session_privileges)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
213 advertise_presences(session, session.full_jid, session_privileges)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
214 end
1659
495a093798eb mod_privilege: added permissions notification on initial presence for entities which are not components
Goffi <goffi@goffi.org>
parents: 1658
diff changeset
215 end
495a093798eb mod_privilege: added permissions notification on initial presence for entities which are not components
Goffi <goffi@goffi.org>
parents: 1658
diff changeset
216
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
217 local function on_component_auth(event)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
218 -- react to component-authenticated event from this host
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
219 -- and call the on_auth methods from all other hosts
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
220 -- needed for the component to get delegations advertising
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
221 for callback in connected_cb:items() do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
222 callback(event)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
223 end
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
224 end
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
225
1775
0d78bb31348e mod_privilege: fixed bad calling of on_auth for components
Goffi <goffi@goffi.org>
parents: 1708
diff changeset
226 if module:get_host_type() ~= "component" then
0d78bb31348e mod_privilege: fixed bad calling of on_auth for components
Goffi <goffi@goffi.org>
parents: 1708
diff changeset
227 connected_cb:add(on_auth)
0d78bb31348e mod_privilege: fixed bad calling of on_auth for components
Goffi <goffi@goffi.org>
parents: 1708
diff changeset
228 end
1657
7116bc76663b mod_privilege: mod_privilege first draft
Goffi <goffi@goffi.org>
parents:
diff changeset
229 module:hook('authentication-success', on_auth)
1708
ad7afcf86131 mod_privilege: fixed bad handling of presence permissions / component authentication between different hosts
Goffi <goffi@goffi.org>
parents: 1707
diff changeset
230 module:hook('component-authenticated', on_component_auth)
1659
495a093798eb mod_privilege: added permissions notification on initial presence for entities which are not components
Goffi <goffi@goffi.org>
parents: 1658
diff changeset
231 module:hook('presence/initial', on_presence)
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
232
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
233
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
234 --> roster permission <--
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
235
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
236 -- get
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
237 module:hook("iq-get/bare/jabber:iq:roster:query", function(event)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
238 local session, stanza = event.origin, event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
239 if not stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
240 -- we don't want stanzas addressed to /self
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
241 return
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
242 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
243 local node, host = jid.split(stanza.attr.to)
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
244 local session_privileges = get_session_privileges(session, host)
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
245
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
246 if session_privileges and _ROSTER_GET_PERM:contains(session_privileges.roster) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
247 module:log("debug", "Roster get from allowed privileged entity received")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
248 -- following code is adapted from mod_remote_roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
249 local roster = roster_manager.load_roster(node, host)
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
250
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
251 local reply = st.reply(stanza):query("jabber:iq:roster")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
252 for entity_jid, item in pairs(roster) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
253 if entity_jid and entity_jid ~= "pending" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
254 reply:tag("item", {
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
255 jid = entity_jid,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
256 subscription = item.subscription,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
257 ask = item.ask,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
258 name = item.name,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
259 })
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
260 for group in pairs(item.groups) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
261 reply:tag("group"):text(group):up()
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
262 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
263 reply:up(); -- move out from item
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
264 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
265 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
266 -- end of code adapted from mod_remote_roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
267 session.send(reply)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
268 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
269 module:log("warn", "Entity "..tostring(session.full_jid).." try to get roster without permission")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
270 session.send(st.error_reply(stanza, 'auth', 'forbidden'))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
271 end
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
272
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
273 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
274 end)
1658
1146cb4493a9 mod_privilege: roster get permission implemented
Goffi <goffi@goffi.org>
parents: 1657
diff changeset
275
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
276 -- set
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
277 module:hook("iq-set/bare/jabber:iq:roster:query", function(event)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
278 local session, stanza = event.origin, event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
279 if not stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
280 -- we don't want stanzas addressed to /self
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
281 return
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
282 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
283 local from_node, from_host = jid.split(stanza.attr.to)
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
284 local session_privileges = get_session_privileges(session, from_host)
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
285
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
286 if session_privileges and _ROSTER_SET_PERM:contains(session_privileges.roster) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
287 module:log("debug", "Roster set from allowed privileged entity received")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
288 -- following code is adapted from mod_remote_roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
289 if not(usermanager_user_exists(from_node, from_host)) then return; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
290 local roster = roster_manager.load_roster(from_node, from_host)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
291 if not(roster) then return; end
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
292
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
293 local query = stanza.tags[1]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
294 for _, item in ipairs(query.tags) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
295 if item.name == "item"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
296 and item.attr.xmlns == "jabber:iq:roster" and item.attr.jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
297 -- Protection against overwriting roster.pending, until we move it
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
298 and item.attr.jid ~= "pending" then
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
299
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
300 local item_jid = jid.prep(item.attr.jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
301 local _, host, resource = jid.split(item_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
302 if not resource then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
303 if item_jid ~= stanza.attr.to then -- not self-item_jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
304 if item.attr.subscription == "remove" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
305 local r_item = roster[item_jid]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
306 if r_item then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
307 roster[item_jid] = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
308 if roster_manager.save_roster(from_node, from_host, roster) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
309 session.send(st.reply(stanza))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
310 roster_manager.roster_push(from_node, from_host, item_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
311 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
312 roster[item_jid] = item
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
313 session.send(st.error_reply(stanza, "wait", "internal-server-error", "Unable to save roster"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
314 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
315 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
316 session.send(st.error_reply(stanza, "modify", "item-not-found"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
317 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
318 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
319 local subscription = item.attr.subscription
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
320 if subscription ~= "both" and subscription ~= "to" and subscription ~= "from" and subscription ~= "none" then -- TODO error on invalid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
321 subscription = roster[item_jid] and roster[item_jid].subscription or "none"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
322 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
323 local r_item = {name = item.attr.name, groups = {}}
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
324 if r_item.name == "" then r_item.name = nil; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
325 r_item.subscription = subscription
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
326 if subscription ~= "both" and subscription ~= "to" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
327 r_item.ask = roster[item_jid] and roster[item_jid].ask
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
328 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
329 for _, child in ipairs(item) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
330 if child.name == "group" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
331 local text = table.concat(child)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
332 if text and text ~= "" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
333 r_item.groups[text] = true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
334 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
335 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
336 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
337 local olditem = roster[item_jid]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
338 roster[item_jid] = r_item
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
339 if roster_manager.save_roster(from_node, from_host, roster) then -- Ok, send success
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
340 session.send(st.reply(stanza))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
341 -- and push change to all resources
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
342 roster_manager.roster_push(from_node, from_host, item_jid)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
343 else -- Adding to roster failed
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
344 roster[item_jid] = olditem
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
345 session.send(st.error_reply(stanza, "wait", "internal-server-error", "Unable to save roster"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
346 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
347 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
348 else -- Trying to add self to roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
349 session.send(st.error_reply(stanza, "cancel", "not-allowed"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
350 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
351 else -- Invalid JID added to roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
352 module:log("warn", "resource: %s , host: %s", tostring(resource), tostring(host))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
353 session.send(st.error_reply(stanza, "modify", "bad-request")); -- FIXME what's the correct error?
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
354 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
355 else -- Roster set didn't include a single item, or its name wasn't 'item'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
356 session.send(st.error_reply(stanza, "modify", "bad-request"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
357 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
358 end -- for loop end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
359 -- end of code adapted from mod_remote_roster
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
360 else -- The permission is not granted
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
361 module:log("warn", "Entity "..tostring(session.full_jid).." try to set roster without permission")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
362 session.send(st.error_reply(stanza, 'auth', 'forbidden'))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
363 end
1660
d1072db4db44 mod_privilege: implemented roster set privilege
Goffi <goffi@goffi.org>
parents: 1659
diff changeset
364
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
365 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
366 end)
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
367
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
368
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
369 --> message permission <--
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
370
3388
7454274ead2f mod_privilege: fixed routing issue with message permission:
Goffi <goffi@goffi.org>
parents: 2068
diff changeset
371 local function clean_xmlns(node)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
372 -- Recursively remove "jabber:client" attribute from node.
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
373 -- In Prosody internal routing, xmlns should not be set.
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
374 -- Keeping xmlns would lead to issues like mod_smacks ignoring the outgoing stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
375 -- so we remove all xmlns attributes with a value of "jabber:client"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
376 if node.attr.xmlns == 'jabber:client' then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
377 for childnode in node:childtags() do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
378 clean_xmlns(childnode)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
379 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
380 node.attr.xmlns = nil
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
381 end
3388
7454274ead2f mod_privilege: fixed routing issue with message permission:
Goffi <goffi@goffi.org>
parents: 2068
diff changeset
382 end
7454274ead2f mod_privilege: fixed routing issue with message permission:
Goffi <goffi@goffi.org>
parents: 2068
diff changeset
383
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
384 module:hook("message/host", function(event)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
385 local session, stanza = event.origin, event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
386 local privilege_elt = stanza:get_child('privilege', _PRIV_ENT_NS)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
387 if privilege_elt==nil then return; end
1955
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
388 local _, to_host = jid.split(stanza.attr.to)
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
389 local session_privileges = get_session_privileges(session, to_host)
f719d5e6c627 mod_privilege: fixed session.privilege overwritting when multiple hosts are activated + fixed roster permission check on presence permission.
Goffi <goffi@goffi.org>
parents: 1775
diff changeset
390
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
391 if session_privileges and session_privileges.message=="outgoing" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
392 if #privilege_elt.tags==1 and privilege_elt.tags[1].name == "forwarded"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
393 and privilege_elt.tags[1].attr.xmlns==_FORWARDED_NS then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
394 local message_elt = privilege_elt.tags[1]:get_child('message', 'jabber:client')
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
395 if message_elt ~= nil then
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
396 local username, from_host, from_resource = jid.split(message_elt.attr.from)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
397 if from_resource == nil and hosts[from_host] then -- we only accept bare jids from one of the server hosts
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
398 clean_xmlns(message_elt); -- needed do to proper routing
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
399 local session = {
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
400 username = username;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
401 host = from_host;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
402 type = "c2s";
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
403 log = module._log;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
404 }
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
405 -- at this point everything should be alright, we can send the message
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
406 prosody.core_post_stanza(session, message_elt, true)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
407 else -- trying to send a message from a forbidden entity
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
408 module:log("warn", "Entity "..tostring(session.full_jid).." try to send a message from "..tostring(message_elt.attr.from))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
409 session.send(st.error_reply(stanza, 'auth', 'forbidden'))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
410 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
411 else -- incorrect message child
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
412 session.send(st.error_reply(stanza, "modify", "bad-request", "invalid forwarded <message/> element"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
413 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
414 else -- incorrect forwarded child
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
415 session.send(st.error_reply(stanza, "modify", "bad-request", "invalid <forwarded/> element"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
416 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
417 else -- The permission is not granted
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
418 module:log("warn", "Entity "..tostring(session.full_jid).." try to send message without permission")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
419 session.send(st.error_reply(stanza, 'auth', 'forbidden'))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
420 end
1661
69aa2b54ba8a mod_privilege: implemented message privilege
Goffi <goffi@goffi.org>
parents: 1660
diff changeset
421
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
422 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
423 end)
1664
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
424
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
425
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
426 --> presence permission <--
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
427
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
428 local function same_tags(tag1, tag2)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
429 -- check if two tags are equivalent
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
430
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
431 if tag1.name ~= tag2.name then return false; end
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
432
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
433 if #tag1 ~= #tag2 then return false; end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
434
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
435 for name, value in pairs(tag1.attr) do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
436 if tag2.attr[name] ~= value then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
437 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
438
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
439 for i=1,#tag1 do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
440 if type(tag1[i]) == "string" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
441 if tag1[i] ~= tag2[i] then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
442 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
443 if not same_tags(tag1[i], tag2[i]) then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
444 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
445 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
446
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
447 return true
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
448 end
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
449
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
450 local function same_presences(presence1, presence2)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
451 -- check that 2 <presence/> stanzas are equivalent (except for "to" attribute)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
452 -- /!\ if the id change but everything else is equivalent, this method return false
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
453 -- this behaviour may change in the future
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
454 if presence1.attr.from ~= presence2.attr.from or presence1.attr.id ~= presence2.attr.id
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
455 or presence1.attr.type ~= presence2.attr.type then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
456 return false
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
457 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
458
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
459 if presence1.attr.id and presence1.attr.id == presence2.attr.id then return true; end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
460
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
461 if #presence1 ~= #presence2 then return false; end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
462
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
463 for i=1,#presence1 do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
464 if type(presence1[i]) == "string" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
465 if presence1[i] ~= presence2[i] then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
466 else
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
467 if not same_tags(presence1[i], presence2[i]) then return false; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
468 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
469 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
470
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
471 return true
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
472 end
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
473
1707
64b3d1eb0cfe mod_privilege: fixed various issues reported by luacheck
Goffi <goffi@goffi.org>
parents: 1667
diff changeset
474 local function forward_presence(presence, to_jid)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
475 local presence_fwd = st.clone(presence)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
476 presence_fwd.attr.to = to_jid
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
477 module:log("debug", "presence forwarded to "..to_jid..": "..tostring(presence_fwd))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
478 module:send(presence_fwd)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
479 -- cache used to avoid to send several times the same stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
480 priv_session.last_presence = presence
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
481 end
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
482
1664
6bdcb1418029 mod_privilege: implemented "managed_entity" presence
Goffi <goffi@goffi.org>
parents: 1663
diff changeset
483 module:hook("presence/bare", function(event)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
484 if presence_man_ent:empty() and presence_roster:empty() then return; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
485
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
486 local stanza = event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
487 if stanza.attr.type == nil or stanza.attr.type == "unavailable" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
488 if not stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
489 for entity in presence_man_ent:items() do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
490 if stanza.attr.from ~= entity then forward_presence(stanza, entity); end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
491 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
492 else -- directed presence
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
493 -- we ignore directed presences from our own host, as we already have them
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
494 local _, from_host = jid.split(stanza.attr.from)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
495 if hosts[from_host] then return; end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
496
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
497 -- we don't send several time the same presence, as recommended in §7 #2
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
498 if priv_session.last_presence and same_presences(priv_session.last_presence, stanza) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
499 return
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
500 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
501
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
502 for entity in presence_roster:items() do
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
503 if stanza.attr.from ~= entity then forward_presence(stanza, entity); end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
504 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
505 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
506 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
507 end, 150)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
508
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
509 --> IQ permission <--
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
510
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
511 module:hook("iq/bare/".._PRIV_ENT_NS..":privileged_iq", function(event)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
512 local session, stanza = event.origin, event.stanza
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
513 if not stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
514 -- we don't want stanzas addressed to /self
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
515 return
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
516 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
517 local from_node, from_host, from_resource = jid.split(stanza.attr.to)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
518
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
519 if from_resource ~= nil or not usermanager_user_exists(from_node, from_host) then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
520 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
521 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
522 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
523 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
524 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
525 "wrapping <IQ> stanza recipient must be a bare JID of a local user"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
526 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
527 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
528 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
529 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
530
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
531 local session_privileges = get_session_privileges(session, from_host)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
532
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
533 if session_privileges == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
534 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
535 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
536 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
537 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
538 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
539 "no privilege granted"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
540 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
541 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
542 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
543 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
544
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
545 local iq_privileges = session_privileges["iq"]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
546 if iq_privileges == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
547 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
548 session.send(st.error_reply(stanza, "auth", "forbidden", "you are not allowed to send privileged <IQ> stanzas"))
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
549 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
550 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
551 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
552
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
553 local privileged_iq = stanza:get_child("privileged_iq", _PRIV_ENT_NS)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
554
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
555 local wrapped_iq = privileged_iq.tags[1]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
556 if wrapped_iq == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
557 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
558 st.error_reply(stanza, "auth", "forbidden", "missing <IQ> stanza to send")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
559 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
560 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
561 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
562
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
563 if wrapped_iq.attr.xmlns ~= "jabber:client" then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
564 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
565 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
566 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
567 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
568 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
569 'wrapped <IQ> must have a xmlns of "jabber:client"'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
570 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
571 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
572 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
573 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
574
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
575 clean_xmlns(wrapped_iq)
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
576
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
577 if #wrapped_iq.tags ~= 1 then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
578 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
579 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
580 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
581 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
582 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
583 'invalid payload in wrapped <IQ>'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
584 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
585 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
586 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
587 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
588
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
589 local payload = wrapped_iq.tags[1]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
590
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
591 local priv_ns = payload.attr.xmlns
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
592 if priv_ns == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
593 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
594 st.error_reply(stanza, "auth", "forbidden", "xmlns not set in privileged <IQ>")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
595 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
596 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
597 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
598
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
599 local ns_perms = iq_privileges[priv_ns]
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
600 local iq_type = stanza.attr.type
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
601 if ns_perms == nil or iq_type == nil or not ns_perms[iq_type] then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
602 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
603 session.send(st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
604 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
605 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
606 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
607 "you are not allowed to send privileged <IQ> stanzas of this type and namespace")
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
608 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
609 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
610 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
611 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
612
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
613 if wrapped_iq.attr.from ~= nil and wrapped_iq.attr.from ~= stanza.attr.to then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
614 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
615 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
616 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
617 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
618 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
619 'wrapped <IQ> "from" attribute is inconsistent with main <IQ> "to" attribute'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
620 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
621 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
622 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
623 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
624
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
625 wrapped_iq.attr.from = stanza.attr.to
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
626
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
627
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
628 if wrapped_iq.attr.type ~= iq_type then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
629 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
630 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
631 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
632 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
633 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
634 'invalid wrapped <IQ>: type mismatch'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
635 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
636 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
637 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
638 end
1666
0b1b4b7d5fe0 mod_privilege: implemented "roster" presence permission
Goffi <goffi@goffi.org>
parents: 1665
diff changeset
639
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
640 if wrapped_iq.attr.id == nil then
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
641 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
642 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
643 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
644 "auth",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
645 "forbidden",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
646 'invalid wrapped <IQ>: missing "id" attribute'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
647 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
648 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
649 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
650 end
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
651
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
652 -- at this point, wrapped_iq is considered valid, and privileged entity is allowed to send it
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
653 local username, from_host, _ = jid.split(wrapped_iq.attr.from)
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
654 local newsession = {
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
655 username = username;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
656 host = from_host;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
657 full_jid = stanza.attr.to;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
658 type = "c2s";
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
659 log = module._log;
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
660 }
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
661
4994
cce12a660b98 mod_privilege: process entity IQs (credit to adx) and messages with a constructed entity session
Nicoco <nicoco@nicoco.fr>
parents: 4913
diff changeset
662 module:send_iq(wrapped_iq,newsession)
4913
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
663 :next(function (response)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
664 local reply = st.reply(stanza);
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
665 response.stanza.attr.xmlns = 'jabber:client'
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
666 reply:tag("privilege", {xmlns = _PRIV_ENT_NS})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
667 :tag("forwarded", {xmlns = _FORWARDED_NS})
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
668 :add_child(response.stanza)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
669 session.send(reply)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
670 end,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
671 function(response)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
672 module:log("error", "Error while sending privileged <IQ>: %s", response);
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
673 session.send(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
674 st.error_reply(
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
675 stanza,
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
676 "cancel",
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
677 "internal-server-error"
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
678 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
679 )
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
680 end)
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
681
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
682 return true
3ddab718f717 mod_privilege: update to v0.4:
Goffi <goffi@goffi.org>
parents: 3388
diff changeset
683 end)