# HG changeset patch # User Nicolas Cedilnik # Date 1615738778 -3600 # Node ID 16995e7624f0640fc957a6f07cef7edac0482cb7 # Parent 0329cf8cdecbff1d1b08fa08aba881de61fac1d5 mod_http_upload_external: add access control option diff -r 0329cf8cdecb -r 16995e7624f0 mod_http_upload_external/README.markdown --- a/mod_http_upload_external/README.markdown Fri Mar 12 21:32:03 2021 +0100 +++ b/mod_http_upload_external/README.markdown Sun Mar 14 17:19:38 2021 +0100 @@ -10,7 +10,7 @@ over HTTP to an external web server. This module generates URLs that are signed using a HMAC. Any web service that can authenticate -these URLs can be used. +these URLs can be used. Implementations --------------- @@ -20,7 +20,7 @@ * [Go implementation, Prosody Filer](https://github.com/ThomasLeister/prosody-filer) * [Perl implementation for nginx](https://github.com/weiss/ngx_http_upload) -To implement your own service compatible with this module, check out the implementation notes below +To implement your own service compatible with this module, check out the implementation notes below (and if you publish your implementation - let us know!). Configuration @@ -71,6 +71,16 @@ Default is 100MB (100\*1024\*1024). +Access +------ + +You may want to give upload access to additional entities such as components +by using the `http_upload_access` config option. + +``` {.lua} +http_upload_access = {"gateway.example.com"}; +``` + Compatibility ============= diff -r 0329cf8cdecb -r 16995e7624f0 mod_http_upload_external/mod_http_upload_external.lua --- a/mod_http_upload_external/mod_http_upload_external.lua Fri Mar 12 21:32:03 2021 +0100 +++ b/mod_http_upload_external/mod_http_upload_external.lua Sun Mar 14 17:19:38 2021 +0100 
@@ -11,6 +11,7 @@
 local http = require "util.http";
 local dataform = require "util.dataforms".new;
 local HMAC = require "util.hashes".hmac_sha256;
+local jid = require "util.jid";
 -- config
 local file_size_limit = module:get_option_number(module.name .. "_file_size_limit", 100 * 1024 * 1024); -- 100 MB
@@ -18,6 +19,7 @@
 module.name .. "_base_url is a required option");
 local secret = assert(module:get_option_string(module.name .. "_secret"), module.name .. "_secret is a required option");
+local access = module:get_option_set(module.name .. "_access", {});
 local token_protocol = module:get_option_string(module.name .. "_protocol", "v1");
@@ -56,8 +58,11 @@
 end
 local function handle_request(origin, stanza, xmlns, filename, filesize, filetype)
- -- local clients only
- if origin.type ~= "c2s" then
+ local user_bare = jid.bare(stanza.attr.from);
+ local user_host = jid.host(user_bare);
+
+ -- local clients or whitelisted jids/hosts only
+ if not (origin.type == "c2s" or access:contains(user_bare) or access:contains(user_host)) then
 module:log("debug", "Request for upload slot from a %s", origin.type);
 origin.send(st.error_reply(stanza, "cancel", "not-authorized"));
 return nil, nil;
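Review bot: The option read by the new `local access = module:get_option_set(module.name .. "_access", {});` line is `http_upload_external_access` (module.name being `http_upload_external`, the same prefix the other options in this file use), but the README hunk in this commit documents it as `http_upload_access`, so the documented example would silently leave the set empty and grant nothing; one of the two names needs to change. In handle_request the new check authorizes on `stanza.attr.from` rather than on anything bound to the session, so it is only as strong as whatever upstream validation of `from` exists for s2s and component origins — presumably the stanza router enforces that, but a comment such as `-- relies on the router having validated stanza.attr.from for non-c2s origins` would make the assumption explicit at the point it matters. Note also that a host entry in the set admits every JID at that host, and that `jid.bare(nil)` on a stanza without a `from` is only safe if util.jid tolerates nil — worth confirming. The body of handle_request continues past the end of the hunk.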