annotate mod_seclabels/mod_seclabels.lua @ 5298:12f7d8b901e0

mod_audit: Support for adding location (GeoIP) to audit events This can be more privacy-friendly than logging full IP addresses, and also more informative to a user - IP addresses don't mean much to the average person, however if they see activity from outside their expected country, they can immediately identify suspicious activity. As with IPs, this field is configurable for deployments that would like to disable it. Location is also not logged when the geoip library is not available.
author Matthew Wild <mwild1@gmail.com>
date Sat, 01 Apr 2023 13:11:53 +0100
parents 7dbde05b48a9
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local st = require "util.stanza";
981
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
2 local xml = require "util.xml";
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 local xmlns_label = "urn:xmpp:sec-label:0";
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
5 local xmlns_label_catalog = "urn:xmpp:sec-label:catalog:2";
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
6 local xmlns_label_catalog_old = "urn:xmpp:sec-label:catalog:0"; -- COMPAT
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 module:add_feature(xmlns_label);
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
9 module:add_feature(xmlns_label_catalog);
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
10 module:add_feature(xmlns_label_catalog_old);
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
12 module:hook("account-disco-info", function(event) -- COMPAT
266
e7296274f48c mod_seclabels: Advertise features in account disco#info, fixes interop with Swift
Kim Alvefur <zash@zash.se>
parents: 252
diff changeset
13 local stanza = event.stanza;
1310
2df312eb816d mod_seclabels: Avoid tracebacks about indexing nil stanza
Vadim Misbakh-Soloviov <mva@mva.name>
parents: 981
diff changeset
14 if stanza then
2df312eb816d mod_seclabels: Avoid tracebacks about indexing nil stanza
Vadim Misbakh-Soloviov <mva@mva.name>
parents: 981
diff changeset
15 stanza:tag('feature', {var=xmlns_label}):up();
2df312eb816d mod_seclabels: Avoid tracebacks about indexing nil stanza
Vadim Misbakh-Soloviov <mva@mva.name>
parents: 981
diff changeset
16 stanza:tag('feature', {var=xmlns_label_catalog}):up();
2df312eb816d mod_seclabels: Avoid tracebacks about indexing nil stanza
Vadim Misbakh-Soloviov <mva@mva.name>
parents: 981
diff changeset
17 end;
266
e7296274f48c mod_seclabels: Advertise features in account disco#info, fixes interop with Swift
Kim Alvefur <zash@zash.se>
parents: 252
diff changeset
18 end);
e7296274f48c mod_seclabels: Advertise features in account disco#info, fixes interop with Swift
Kim Alvefur <zash@zash.se>
parents: 252
diff changeset
19
449
08ffbbdafeea mod_seclabels: Fetch catalog from config.
Kim Alvefur <zash@zash.se>
parents: 266
diff changeset
20 local default_labels = {
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
21 {
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
22 name = "Unclassified",
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
23 label = true,
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
24 default = true,
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
25 },
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 Classified = {
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 SECRET = { color = "black", bgcolor = "aqua", label = "THISISSECRET" };
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 PUBLIC = { label = "THISISPUBLIC" };
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 };
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 };
937
5276e1fc26b6 mod_seclabels: Remove config-reloaded hook. Just reload the module to update
Kim Alvefur <zash@zash.se>
parents: 452
diff changeset
31 local catalog_name = module:get_option_string("security_catalog_name", "Default");
5276e1fc26b6 mod_seclabels: Remove config-reloaded hook. Just reload the module to update
Kim Alvefur <zash@zash.se>
parents: 452
diff changeset
32 local catalog_desc = module:get_option_string("security_catalog_desc", "My labels");
5276e1fc26b6 mod_seclabels: Remove config-reloaded hook. Just reload the module to update
Kim Alvefur <zash@zash.se>
parents: 452
diff changeset
33 local labels = module:get_option("security_labels", default_labels);
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
35 function handle_catalog_request(request)
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 local catalog_request = request.stanza.tags[1];
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37 local reply = st.reply(request.stanza)
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38 :tag("catalog", {
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
39 xmlns = catalog_request.attr.xmlns,
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40 to = catalog_request.attr.to,
449
08ffbbdafeea mod_seclabels: Fetch catalog from config.
Kim Alvefur <zash@zash.se>
parents: 266
diff changeset
41 name = catalog_name,
08ffbbdafeea mod_seclabels: Fetch catalog from config.
Kim Alvefur <zash@zash.se>
parents: 266
diff changeset
42 desc = catalog_desc
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43 });
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1310
diff changeset
44
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
45 local function add_labels(catalog, labels, selector)
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
46 local function add_item(item, name)
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
47 local name = name or item.name;
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
48 if item.label then
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
49 if catalog_request.attr.xmlns == xmlns_label_catalog then
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
50 catalog:tag("item", {
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
51 selector = selector..name,
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
52 default = item.default and "true" or nil,
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
53 }):tag("securitylabel", { xmlns = xmlns_label })
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
54 else -- COMPAT
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
55 catalog:tag("securitylabel", {
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
56 xmlns = xmlns_label,
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
57 selector = selector..name,
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
58 default = item.default and "true" or nil,
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
59 })
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
60 end
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
61 if item.display or item.color or item.bgcolor then
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
62 catalog:tag("displaymarking", {
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
63 fgcolor = item.color,
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
64 bgcolor = item.bgcolor,
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
65 }):text(item.display or name):up();
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
66 end
981
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
67 if item.label == true then
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
68 catalog:tag("label"):text(name):up();
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
69 elseif type(item.label) == "string" then
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
70 -- TODO Do we need anything other than XML parsing?
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
71 if item.label:sub(1,1) == "<" then
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
72 catalog:tag("label"):add_child(xml.parse(item.label)):up();
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
73 else
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
74 catalog:tag("label"):text(item.label):up();
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
75 end
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
76 elseif type(item.label) == "table" then
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
77 catalog:tag("label"):add_child(item.label):up();
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
78 end
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
79 catalog:up();
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
80 if catalog_request.attr.xmlns == xmlns_label_catalog then
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
81 catalog:up();
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
82 end
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
83 else
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
84 add_labels(catalog, item, (selector or "")..name.."|");
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
85 end
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
86 end
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
87 for i = 1,#labels do
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
88 add_item(labels[i])
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
89 end
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
90 for name, child in pairs(labels) do
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
91 if type(name) == "string" then
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
92 add_item(child, name)
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
93 end
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
94 end
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
95 end
451
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
96 -- TODO query remote servers
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
97 --[[ FIXME later
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
98 labels = module:fire_event("sec-label-catalog", {
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
99 to = catalog_request.attr.to,
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
100 request = request; -- or just origin?
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
101 labels = labels;
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
102 }) or labels;
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
103 --]]
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
104 add_labels(reply, labels, "");
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
105 request.origin.send(reply);
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
106 return true;
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
107 end
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
108 module:hook("iq/host/"..xmlns_label_catalog..":catalog", handle_catalog_request);
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
109 module:hook("iq/self/"..xmlns_label_catalog..":catalog", handle_catalog_request); -- COMPAT
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
110 module:hook("iq/self/"..xmlns_label_catalog_old..":catalog", handle_catalog_request); -- COMPAT