changeset 4509:16995e7624f0

mod_http_upload_external: add access control option
author Nicolas Cedilnik <nicoco@nicoco.fr>
date Sun, 14 Mar 2021 17:19:38 +0100
parents 0329cf8cdecb
children 6690586826e8
files mod_http_upload_external/README.markdown mod_http_upload_external/mod_http_upload_external.lua
diffstat 2 files changed, 19 insertions(+), 4 deletions(-) [+]
--- a/mod_http_upload_external/README.markdown	Fri Mar 12 21:32:03 2021 +0100
+++ b/mod_http_upload_external/README.markdown	Sun Mar 14 17:19:38 2021 +0100
@@ -10,7 +10,7 @@
 over HTTP to an external web server.
 
 This module generates URLs that are signed using a HMAC. Any web service that can authenticate
-these URLs can be used. 
+these URLs can be used.
 
 Implementations
 ---------------
@@ -20,7 +20,7 @@
 * [Go implementation, Prosody Filer](https://github.com/ThomasLeister/prosody-filer)
 * [Perl implementation for nginx](https://github.com/weiss/ngx_http_upload)
 
-To implement your own service compatible with this module, check out the implementation notes below 
+To implement your own service compatible with this module, check out the implementation notes below
 (and if you publish your implementation - let us know!).
 
 Configuration
@@ -71,6 +71,16 @@
 
 Default is 100MB (100\*1024\*1024).
 
+Access
+------
+
+You may want to give upload access to additional entities such as components
+by using the `http_upload_access` config option.
+
+``` {.lua}
+http_upload_access = {"gateway.example.com"};
+```
+
 Compatibility
 =============
 
--- a/mod_http_upload_external/mod_http_upload_external.lua	Fri Mar 12 21:32:03 2021 +0100
+++ b/mod_http_upload_external/mod_http_upload_external.lua	Sun Mar 14 17:19:38 2021 +0100
@@ -11,6 +11,7 @@
 local http = require "util.http";
 local dataform = require "util.dataforms".new;
 local HMAC = require "util.hashes".hmac_sha256;
+local jid = require "util.jid";
 
 -- config
 local file_size_limit = module:get_option_number(module.name .. "_file_size_limit", 100 * 1024 * 1024); -- 100 MB
@@ -18,6 +19,7 @@
 	module.name .. "_base_url is a required option");
 local secret = assert(module:get_option_string(module.name .. "_secret"),
 	module.name .. "_secret is a required option");
+local access = module:get_option_set(module.name .. "_access", {});
 
 local token_protocol = module:get_option_string(module.name .. "_protocol", "v1");
 
@@ -56,8 +58,11 @@
 end
 
 local function handle_request(origin, stanza, xmlns, filename, filesize, filetype)
-	-- local clients only
-	if origin.type ~= "c2s" then
+	local user_bare = jid.bare(stanza.attr.from);
+	local user_host = jid.host(user_bare);
+
+	-- local clients or whitelisted jids/hosts only
+	if not (origin.type == "c2s" or access:contains(user_bare) or access:contains(user_host)) then
 		module:log("debug", "Request for upload slot from a %s", origin.type);
 		origin.send(st.error_reply(stanza, "cancel", "not-authorized"));
 		return nil, nil;
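Review bot: The denial log right after the new check still reports only `origin.type`, but the decision is now taken on `stanza.attr.from`, so an operator tuning `http_upload_access` cannot see which JID or host was rejected; I'd change it to `module:log("debug", "Denied upload slot request from %s (%s origin)", stanza.attr.from, origin.type);`. A host entry in the allow-list admits every entity whose `from` host matches, which includes a remote server's users if the listed host is reached over s2s rather than a local component, so the comment should say so rather than "whitelisted jids/hosts only", and it is worth stating that the check presumably relies on Prosody's stanza router having already validated `from` against the originating session, since nothing here verifies that. As far as I can tell from util.jid, `jid.bare(nil)` and `jid.host(nil)` return nil and the set lookups then simply miss, so a missing `from` is denied rather than raising, but a one-line comment to that effect would save the next reader the same check. handle_request continues past the end of this hunk.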