annotate mod_seclabels/mod_seclabels.lua @ 5594:e9af6abf2b1e

mod_client_management: Add shell command to revoke client access Could be used if an operator detects a compromised client.
author Kim Alvefur <zash@zash.se>
date Fri, 14 Jul 2023 13:25:30 +0200
parents 7dbde05b48a9
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local st = require "util.stanza";
981
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
2 local xml = require "util.xml";
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 local xmlns_label = "urn:xmpp:sec-label:0";
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
5 local xmlns_label_catalog = "urn:xmpp:sec-label:catalog:2";
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
6 local xmlns_label_catalog_old = "urn:xmpp:sec-label:catalog:0"; -- COMPAT
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 module:add_feature(xmlns_label);
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
9 module:add_feature(xmlns_label_catalog);
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
10 module:add_feature(xmlns_label_catalog_old);
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
12 module:hook("account-disco-info", function(event) -- COMPAT
266
e7296274f48c mod_seclabels: Advertise features in account disco#info, fixes interop with Swift
Kim Alvefur <zash@zash.se>
parents: 252
diff changeset
13 local stanza = event.stanza;
1310
2df312eb816d mod_seclabels: Avoid tracebacks about indexing nil stanza
Vadim Misbakh-Soloviov <mva@mva.name>
parents: 981
diff changeset
14 if stanza then
2df312eb816d mod_seclabels: Avoid tracebacks about indexing nil stanza
Vadim Misbakh-Soloviov <mva@mva.name>
parents: 981
diff changeset
15 stanza:tag('feature', {var=xmlns_label}):up();
2df312eb816d mod_seclabels: Avoid tracebacks about indexing nil stanza
Vadim Misbakh-Soloviov <mva@mva.name>
parents: 981
diff changeset
16 stanza:tag('feature', {var=xmlns_label_catalog}):up();
2df312eb816d mod_seclabels: Avoid tracebacks about indexing nil stanza
Vadim Misbakh-Soloviov <mva@mva.name>
parents: 981
diff changeset
17 end;
266
e7296274f48c mod_seclabels: Advertise features in account disco#info, fixes interop with Swift
Kim Alvefur <zash@zash.se>
parents: 252
diff changeset
18 end);
e7296274f48c mod_seclabels: Advertise features in account disco#info, fixes interop with Swift
Kim Alvefur <zash@zash.se>
parents: 252
diff changeset
19
449
08ffbbdafeea mod_seclabels: Fetch catalog from config.
Kim Alvefur <zash@zash.se>
parents: 266
diff changeset
20 local default_labels = {
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
21 {
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
22 name = "Unclassified",
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
23 label = true,
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
24 default = true,
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
25 },
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 Classified = {
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27 SECRET = { color = "black", bgcolor = "aqua", label = "THISISSECRET" };
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 PUBLIC = { label = "THISISPUBLIC" };
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 };
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
30 };
937
5276e1fc26b6 mod_seclabels: Remove config-reloaded hook. Just reload the module to update
Kim Alvefur <zash@zash.se>
parents: 452
diff changeset
31 local catalog_name = module:get_option_string("security_catalog_name", "Default");
5276e1fc26b6 mod_seclabels: Remove config-reloaded hook. Just reload the module to update
Kim Alvefur <zash@zash.se>
parents: 452
diff changeset
32 local catalog_desc = module:get_option_string("security_catalog_desc", "My labels");
5276e1fc26b6 mod_seclabels: Remove config-reloaded hook. Just reload the module to update
Kim Alvefur <zash@zash.se>
parents: 452
diff changeset
33 local labels = module:get_option("security_labels", default_labels);
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
35 function handle_catalog_request(request)
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 local catalog_request = request.stanza.tags[1];
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37 local reply = st.reply(request.stanza)
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38 :tag("catalog", {
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
39 xmlns = catalog_request.attr.xmlns,
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40 to = catalog_request.attr.to,
449
08ffbbdafeea mod_seclabels: Fetch catalog from config.
Kim Alvefur <zash@zash.se>
parents: 266
diff changeset
41 name = catalog_name,
08ffbbdafeea mod_seclabels: Fetch catalog from config.
Kim Alvefur <zash@zash.se>
parents: 266
diff changeset
42 desc = catalog_desc
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43 });
1343
7dbde05b48a9 all the things: Remove trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 1310
diff changeset
44
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
45 local function add_labels(catalog, labels, selector)
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
46 local function add_item(item, name)
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
47 local name = name or item.name;
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
48 if item.label then
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
49 if catalog_request.attr.xmlns == xmlns_label_catalog then
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
50 catalog:tag("item", {
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
51 selector = selector..name,
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
52 default = item.default and "true" or nil,
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
53 }):tag("securitylabel", { xmlns = xmlns_label })
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
54 else -- COMPAT
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
55 catalog:tag("securitylabel", {
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
56 xmlns = xmlns_label,
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
57 selector = selector..name,
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
58 default = item.default and "true" or nil,
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
59 })
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
60 end
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
61 if item.display or item.color or item.bgcolor then
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
62 catalog:tag("displaymarking", {
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
63 fgcolor = item.color,
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
64 bgcolor = item.bgcolor,
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
65 }):text(item.display or name):up();
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
66 end
981
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
67 if item.label == true then
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
68 catalog:tag("label"):text(name):up();
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
69 elseif type(item.label) == "string" then
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
70 -- TODO Do we need anything other than XML parsing?
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
71 if item.label:sub(1,1) == "<" then
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
72 catalog:tag("label"):add_child(xml.parse(item.label)):up();
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
73 else
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
74 catalog:tag("label"):text(item.label):up();
020b5944a973 mod_seclabels: Allow stanzas or XML strings as labels in the config
Kim Alvefur <zash@zash.se>
parents: 937
diff changeset
75 end
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
76 elseif type(item.label) == "table" then
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
77 catalog:tag("label"):add_child(item.label):up();
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
78 end
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
79 catalog:up();
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
80 if catalog_request.attr.xmlns == xmlns_label_catalog then
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
81 catalog:up();
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
82 end
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
83 else
452
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
84 add_labels(catalog, item, (selector or "")..name.."|");
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
85 end
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
86 end
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
87 for i = 1,#labels do
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
88 add_item(labels[i])
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
89 end
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
90 for name, child in pairs(labels) do
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
91 if type(name) == "string" then
48b615229509 mod_seclabels: Support orderd items
Kim Alvefur <zash@zash.se>
parents: 451
diff changeset
92 add_item(child, name)
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
93 end
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
94 end
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
95 end
451
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
96 -- TODO query remote servers
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
97 --[[ FIXME later
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
98 labels = module:fire_event("sec-label-catalog", {
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
99 to = catalog_request.attr.to,
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
100 request = request; -- or just origin?
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
101 labels = labels;
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
102 }) or labels;
f43d2d26c1c4 mod_seclabels: Fix config reloading
Kim Alvefur <zash@zash.se>
parents: 450
diff changeset
103 --]]
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
104 add_labels(reply, labels, "");
252
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
105 request.origin.send(reply);
8eae74a31acb mod_seclabels: Prototype security labels plugin
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
106 return true;
450
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
107 end
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
108 module:hook("iq/host/"..xmlns_label_catalog..":catalog", handle_catalog_request);
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
109 module:hook("iq/self/"..xmlns_label_catalog..":catalog", handle_catalog_request); -- COMPAT
fb152d4af082 mod_seclabels: Update to latest catalog schema, while keeping compatibility with the old one.
Kim Alvefur <zash@zash.se>
parents: 449
diff changeset
110 module:hook("iq/self/"..xmlns_label_catalog_old..":catalog", handle_catalog_request); -- COMPAT