mod_http_oauth2: Allow requesting a subset of scopes on token refresh
This enables clients to request access tokens with fewer permissions
than the grant they were given, reducing the impact of a token leak. Clients
could e.g. request access tokens with some privileges and immediately
revoke them after use, or use other strategies.
author | Kim Alvefur <zash@zash.se> |
date | Thu, 11 May 2023 21:40:09 +0200 |
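-- mod_debug_omemo
--
-- Two parts: (1) an HTTP view, GET /view/<username>/<archive-id>, that shows
-- the state of a user's OMEMO device list and bundle nodes next to the
-- recipient ids a stored message carries keys for, and (2) a message hook
-- that adds a link to that view to OMEMO-encrypted messages, as a fallback
-- body for clients that cannot decrypt them.
local jid = require "util.jid";
local set = require "util.set";
local st = require "util.stanza";
local url_escape = require "util.http".urlencode;

local base_url = "https://"..module.host.."/";

-- HTML template renderer. Interpolated values go through st.xml_escape by
-- default, so user-derived strings (username, device and recipient ids) are
-- safe to insert into the page.
local render_html_template = require"util.interpolation".new("%b{}", st.xml_escape, {
	urlescape = url_escape;
	lower = string.lower;
	classname = function (s) return (s:gsub("%W+", "-")); end;
	-- Absolute URLs pass through; anything else is resolved against base_url,
	-- which already ends in a slash.
	relurl = function (s)
		if s:match("^%w+://") then return s; end
		return base_url..s;
	end;
});

-- URL renderer: every interpolated value is percent-encoded.
local render_url = require "util.interpolation".new("%b{}", url_escape, {
	urlescape = url_escape;
	noscheme = function (url) return (url:gsub("^[^:]+:", "")); end;
});

local mod_pep = module:depends("pep");
local mam = module:open_store("archive", "archive");

local xmlns_omemo = "eu.siacs.conversations.axolotl";
local devicelist_node = "eu.siacs.conversations.axolotl.devicelist";
local bundle_node_format = "eu.siacs.conversations.axolotl.bundles:%d";
local omemo_header_path = "{eu.siacs.conversations.axolotl}encrypted/header";

-- The PEP node configuration OMEMO clients are expected to set on both the
-- device list node and each bundle node; anything else is reported as a
-- problem.
local function is_expected_node_config(config)
	return config.max_items == 1
		and config.access_model == "open"
		and config.persist_items == true
		and config.publish_model == "publishers";
end

--- Inspect a local user's OMEMO PEP nodes.
-- @tparam string username local part of the user's JID
-- @treturn table { status = { valid, config, config_valid }, devices = list|nil }
--   `devices` is nil when no device list is published. Each device entry has
--   `valid` (boolean) and, when its id is a usable integer, `id`,
--   `have_bundle` and `bundle_config`.
local function get_user_omemo_info(username)
	local everything_valid = true;
	local any_device = false;
	local omemo_status = {};
	local omemo_devices;
	local pep_service = mod_pep.get_pep_service(username);
	if pep_service and pep_service.nodes then
		local ok, _, device_list = pep_service:get_last_item(devicelist_node, true);
		if ok and device_list then
			device_list = device_list:get_child("list", xmlns_omemo);
		end
		if device_list then
			omemo_devices = {};
			for device_entry in device_list:childtags("device") do
				any_device = true;
				local device_info = {};
				local device_id = tonumber(device_entry.attr.id or "");
				-- The id is formatted with %d (bundle node name, HTML view),
				-- which raises on a non-integral or oversized float in Lua
				-- 5.3+. Only integral ids within 32 bits are used (OMEMO
				-- device ids are 32-bit); other entries are kept, without an
				-- `id`, and counted as invalid.
				if device_id and device_id % 1 == 0 and math.abs(device_id) < 2^32 then
					device_info.id = device_id;
					local bundle_id = bundle_node_format:format(device_id);
					local have_bundle, _, bundle = pep_service:get_last_item(bundle_id, true);
					if have_bundle and bundle and bundle:get_child("bundle", xmlns_omemo) then
						device_info.have_bundle = true;
						local config_ok, bundle_config = pep_service:get_node_config(bundle_id, true);
						if config_ok and bundle_config then
							device_info.bundle_config = bundle_config;
							if is_expected_node_config(bundle_config) then
								device_info.valid = true;
							end
						end
					end
				end
				if device_info.valid == nil then
					device_info.valid = false;
					everything_valid = false;
				end
				table.insert(omemo_devices, device_info);
			end
			local config_ok, list_config = pep_service:get_node_config(devicelist_node, true);
			if config_ok and list_config then
				omemo_status.config = list_config;
				if is_expected_node_config(list_config) then
					omemo_status.config_valid = true;
				end
			end
			if omemo_status.config_valid == nil then
				omemo_status.config_valid = false;
				everything_valid = false;
			end
		end
	end
	-- "valid" requires at least one device and no problems anywhere.
	omemo_status.valid = everything_valid and any_device;
	return { status = omemo_status; devices = omemo_devices; };
end

-- Human-readable labels for PEP access models shown in the view.
local access_model_text = {
	open = "Public";
	whitelist = "Private";
	roster = "Contacts only";
	presence = "Contacts only";
};

--- Fetch one archived message by its archive id.
-- @tparam string username local part of the archive owner's JID
-- @tparam string message_id archive (stanza-id) of the message
-- @return the stored stanza, or nil if not found
local function get_message(username, message_id)
	if mam.get then
		return mam:get(username, message_id);
	end
	-- COMPAT: older archive stores have no :get(); scan by key instead.
	local message;
	for _, result in mam:find(username, { key = message_id }) do
		message = result;
	end
	return message;
end

--- HTTP handler for GET /view/<username>/<archive-id>.
-- Renders view.tpl.html with the message's encryption state, the recipient
-- ids it carries keys for, and the user's device/bundle status.
-- NOTE(review): this route is unauthenticated; the only thing limiting who
-- can read a user's device and bundle status is knowledge of the archive id
-- in the URL. Consider restricting it (e.g. to the account owner) where that
-- is not acceptable.
-- @tparam table event Prosody HTTP event; event.response is used for headers
-- @tparam string path the wildcard part of the route
-- @return an HTTP status code on error, otherwise the rendered HTML string
local function render_message(event, path)
	local username, message_id = path:match("^([^/]+)/(.+)$");
	if not username then return 400; end
	-- NOTE(review): username comes verbatim from the URL and is used only as
	-- an archive/PEP key; confirm those lookups are cheap for unknown users,
	-- since this path needs no authentication.
	local message = get_message(username, message_id);
	if not message then return 404; end

	local user_omemo_status = get_user_omemo_info(username);

	-- Recipient ids of the user's devices, as strings matching <key rid=...>.
	-- Entries with a malformed id have no `id` field and are skipped.
	local user_rids = set.new();
	for _, device_info in ipairs(user_omemo_status.devices or {}) do
		if device_info.id then
			user_rids:add(("%d"):format(device_info.id));
		end
	end

	local message_omemo_header = message:find(omemo_header_path);
	local message_rids = set.new();
	local rid_info = {}; -- rid -> { prekey = boolean }
	if message_omemo_header then
		for key_el in message_omemo_header:childtags("key") do
			local rid = key_el.attr.rid;
			if rid then
				message_rids:add(rid);
				local prekey = key_el.attr.prekey;
				-- Keyed per rid: a single shared record would report the last
				-- key's prekey flag for every recipient.
				rid_info[rid] = {
					prekey = prekey and (prekey == "1" or prekey:lower() == "true");
				};
			end
		end
	end
	local rids = user_rids + message_rids;
	local direction = jid.bare(message.attr.to) == (username.."@"..module.host) and "incoming" or "outgoing";
	local is_encrypted = not not message_omemo_header;
	local sender_id = message_omemo_header and message_omemo_header.attr.sid or nil;

	local f = module:load_resource("view.tpl.html");
	if not f then return 500; end
	local tpl = f:read("*a");
	f:close();

	local data = { user = username, rids = {} };
	for rid in rids do
		local key_info = rid_info[rid];
		data.rids[rid] = {
			-- "Encrypted": the message has a key for this rid; "Missing": the
			-- user has this device but the message carries no key for it.
			status = message_rids:contains(rid) and "Encrypted" or user_rids:contains(rid) and "Missing" or nil;
			prekey = key_info and key_info.prekey;
		};
	end
	data.message = {
		type = message.attr.type or "normal";
		direction = direction;
		encryption = is_encrypted and "encrypted" or "unencrypted";
		has_any_keys = not message_rids:empty();
		has_no_keys = message_rids:empty();
	};
	data.omemo = {
		sender_id = sender_id;
		status = user_omemo_status.status.valid and "no known issues" or "problems";
	};
	data.omemo.devices = {};
	if user_omemo_status.devices then
		for i, device_info in ipairs(user_omemo_status.devices) do
			-- Entries whose id was not a usable integer have no `id`; label
			-- them by position instead of passing nil to %d.
			local label = device_info.id and ("%d"):format(device_info.id)
				or ("malformed id (entry %d)"):format(i);
			data.omemo.devices[label] = {
				status = device_info.valid and "OK" or "Problem";
				bundle = device_info.have_bundle and "Published" or "Missing";
				access_model = access_model_text[device_info.bundle_config and device_info.bundle_config.access_model or nil];
			};
		end
	else
		data.omemo.devices[false] = { status = "No devices have published OMEMO keys on this account" };
	end
	event.response.headers.content_type = "text/html; charset=utf-8";
	return render_html_template(tpl, data);
end

--- Message hook: give OMEMO-encrypted messages a fallback <body> linking to
-- the debug view for the recipient, or append the link to an existing body.
-- Only a stanza-id stamped by the recipient's own archive (by == recipient
-- bare JID) is used to build the link; ids stamped by anyone else are ignored.
-- @tparam table event Prosody stanza event; event.stanza is modified in place
local function check_omemo_fallback(event)
	local message = event.stanza;
	local message_omemo_header = message:find(omemo_header_path);
	if not message_omemo_header then return; end
	local to_bare = jid.bare(message.attr.to);
	local archive_stanza_id;
	for stanza_id_tag in message:childtags("stanza-id", "urn:xmpp:sid:0") do
		if stanza_id_tag.attr.by == to_bare then
			archive_stanza_id = stanza_id_tag.attr.id;
		end
	end
	if not archive_stanza_id then return; end
	local debug_url = render_url(module:http_url().."/view/{username}/{message_id}", {
		username = jid.node(to_bare);
		message_id = archive_stanza_id;
	});
	local body = message:get_child("body");
	if not body then
		body = st.stanza("body")
			:text("This message is encrypted using OMEMO, but could not be decrypted by your device.\nFor more information see: "..debug_url);
		message:reset():add_child(body);
	else
		body:text("\n\nOMEMO debug information: "..debug_url);
	end
end

-- Low priority so the hook sees the stanza after archiving has stamped it.
module:hook("message/bare", check_omemo_fallback, -0.5);
module:hook("message/full", check_omemo_fallback, -0.5);

module:depends("http")
module:provides("http", {
	route = {
		["GET /view/*"] = render_message;
	};
});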