changeset 80:bed9a6b40fae

mod_proxy65: basic white list - access control list
author Thilo Cestonaro <thilo@cestona.ro>
date Sun, 01 Nov 2009 16:42:04 +0100
parents 34f5818c90e9
children 9ceeab822e40
files mod_muc_log/mod_muc_log.lua mod_proxy65/mod_proxy65.lua
diffstat 2 files changed, 50 insertions(+), 11 deletions(-) [+]
--- a/mod_muc_log/mod_muc_log.lua	Sun Nov 01 14:37:28 2009 +0100
+++ b/mod_muc_log/mod_muc_log.lua	Sun Nov 01 16:42:04 2009 +0100
@@ -13,6 +13,8 @@
 local data_load, data_store, data_getpath = datamanager.load, datamanager.store, datamanager.getpath;
 local datastore = "muc_log";
 local config = {};
+local verifyAuthRequest = module:require "verifyhttpauth".verifyHttpAuthRequest;
+
 
 
 --[[ LuaFileSystem 
@@ -421,7 +423,7 @@
 		return generateDayListSiteContentByRoom(bareRoomJid); -- fallback
 	end
 end
-
+local requests = {};
 function handle_request(method, body, request)
 	local query = splitQuery(request.url.query);
 	local node, host = grepRoomJid(request.url.path);
@@ -437,7 +439,17 @@
 				if room._data ~= nil and room._data.subject ~= nil then
 					subject = room._data.subject;
 				end
-				return createDoc(parseDay(bare, subject, query));
+				local doc = createDoc(parseDay(bare, subject, query));
+				local id = "thisIsTheId";
+				requests[id] = request;
+				requests[id].doc = doc;
+				
+				verifyAuthRequest(request.url.path .. "?" .. request.url.query, "thilo@cestona.ro", id, function (id, confirmed)
+					if confirmed and requests[id] then
+						requests[id].send(requests[id].doc);
+					end
+				end)
+				return true;
 			end
 		else
 			return createDoc(generateRoomListSiteContent());
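Review bot: Every request is stored under the same key, `local id = "thisIsTheId";`, so two overlapping requests overwrite each other in `requests` and the auth callback can deliver one visitor's `doc` through another visitor's `send`; the id has to be unique per request (a per-request counter or token), and the entry should be dropped inside the callback, otherwise every request object is retained for the module's lifetime. The callback also never answers an unconfirmed request, so that client simply hangs, and `request.url.query` is concatenated without a nil guard although `splitQuery` on the line above is apparently expected to tolerate a missing query. The hard-coded `"thilo@cestona.ro"` as the JID to verify means the check does not depend on who is requesting; presumably a placeholder, but this WIP is then mixed into a changeset described as mod_proxy65 work. handle_request begins before this hunk.
```lua
				local doc = createDoc(parseDay(bare, subject, query));
				local id = tostring(request); -- unique while this request object is alive; TODO replace with a real per-request token
				-- … unchanged: requests[id] = request; requests[id].doc = doc; …
				verifyAuthRequest(request.url.path .. "?" .. (request.url.query or ""), "thilo@cestona.ro", id, function (id, confirmed)
					local pending = requests[id];
					requests[id] = nil; -- one-shot: release the request whether or not access was confirmed
					if pending and confirmed then
						pending.send(pending.doc);
					end
					-- TODO: answer the unconfirmed case (a 403 document) instead of leaving the client waiting
				end)
```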
@@ -448,7 +460,7 @@
 	return;
 end
 
-config = config_get(module:get_host(), "core", "muc_log");
+config = config_get(module:get_host(), "core", "muc_log") or {};
 
 httpserver.new_from_config({ config.http_port or true }, handle_request, { base = "muc_log" });
 
--- a/mod_proxy65/mod_proxy65.lua	Sun Nov 01 14:37:28 2009 +0100
+++ b/mod_proxy65/mod_proxy65.lua	Sun Nov 01 16:42:04 2009 +0100
@@ -21,6 +21,7 @@
 local proxy_port = config_get(host, "core", "proxy65_port") or 5000;
 local proxy_interface = config_get(host, "core", "proxy65_interface") or "*";
 local proxy_address = config_get(host, "core", "proxy65_address") or (proxy_interface ~= "*" and proxy_interface) or host;
+local proxy_acl = config_get(host, "core", "proxy65_acl");
 
 local connlistener = { default_port = proxy_port, default_interface = proxy_interface, default_mode = "*a" };
 
@@ -126,16 +127,42 @@
 	return reply;
 end
 
-local function get_stream_host(stanza)
+local function get_stream_host(origin, stanza)
 	local reply = replies_cache.stream_host;
+	local err_reply = replies_cache.stream_host_err;
 	local sid = stanza.tags[1].attr.sid;
-	if reply == nil then
-		reply = st.iq({type="result", from=host})
-			:query("http://jabber.org/protocol/bytestreams")
-			:tag("streamhost", {jid=host, host=proxy_address, port=proxy_port}); -- TODO get the correct data
-		replies_cache.stream_host = reply;
+	local allow = false;
+	
+	if proxy_acl then
+		for _, acl in ipairs(proxy_acl) do
+			local acl_node, acl_host, acl_resource = jid_split(acl);
+			if ((acl_node ~= nil and acl_node == origin.username) or acl_node == nil) and
+			   ((acl_host ~= nil and acl_host == origin.host) or acl_host == nil) and
+			   ((acl_resource ~= nil and acl_resource == origin.resource) or acl_resource == nil) then
+				allow = true;
+			end
+		end
+	else
+		allow = true;
 	end
-	
+	if allow == true then
+		if reply == nil then
+			reply = st.iq({type="result", from=host})
+				:query("http://jabber.org/protocol/bytestreams")
+				:tag("streamhost", {jid=host, host=proxy_address, port=proxy_port});
+			replies_cache.stream_host = reply;
+		end
+	else
+		module:log("debug", "Denying use of proxy for %s@%s/%s", tostring(origin.username), tostring(origin.host), tostring(origin.resource));
+		if err_reply == nil then
+			err_reply = st.iq({type="error", from=host})
+				:query("http://jabber.org/protocol/bytestreams")
+				:tag("error", {code='403', type='auth'})
+				:tag("forbidden", {xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'});
+			replies_cache.stream_host_err = err_reply;
+		end
+		reply = err_reply;
+	end
 	reply.attr.id = stanza.attr.id;
 	reply.attr.to = stanza.attr.from;
 	reply.tags[1].attr.sid = sid;
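Review bot: The ACL match in the `if ((acl_node ~= nil and acl_node == origin.username) or acl_node == nil) and ...` condition fails open for an entry that jid_split cannot parse: if all three components come back nil — which I believe Prosody's util.jid does for a malformed JID — every `== nil` alternative is true and that entry matches any origin, so a single typo in `proxy65_acl` silently disables the white list; requiring a non-nil `acl_host` (every valid JID has one) makes such an entry match nobody instead. The loop also keeps scanning after `allow = true;` where a `break` would do, and `if allow == true then` can simply be `if allow then`. The forbidden reply builds `<error/>` inside `<query/>` (`:query(...):tag("error", ...)`), whereas a stanza error must be a direct child of the `<iq/>`; `st.error_reply(stanza, "auth", "forbidden")`, which I believe util.stanza already provides here, produces the right shape and fills in id/to itself, so the deny branch can return it directly and skip the shared tail. get_stream_host continues past the end of this hunk.
```lua
local function get_stream_host(origin, stanza)
	local reply = replies_cache.stream_host;
	local sid = stanza.tags[1].attr.sid;
	local allow = not proxy_acl; -- no ACL configured: proxy stays open, as before

	if proxy_acl then
		for _, acl in ipairs(proxy_acl) do
			local acl_node, acl_host, acl_resource = jid_split(acl);
			-- An entry jid_split cannot parse has no host; let it match nobody
			-- rather than everybody, so a typo in proxy65_acl fails closed.
			if acl_host ~= nil
			   and (acl_node == nil or acl_node == origin.username)
			   and acl_host == origin.host
			   and (acl_resource == nil or acl_resource == origin.resource) then
				allow = true;
				break;
			end
		end
	end

	if not allow then
		module:log("debug", "Denying use of proxy for %s@%s/%s", tostring(origin.username), tostring(origin.host), tostring(origin.resource));
		-- <error/> has to be a direct child of the <iq/>, not of <query/>
		return st.error_reply(stanza, "auth", "forbidden");
	end
	-- … unchanged: build/cache the result reply, then set id, to and sid …
```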
@@ -179,7 +206,7 @@
 				origin.send(get_disco_items(stanza));
 				return true;
 			elseif xmlns == "http://jabber.org/protocol/bytestreams" then
-				origin.send(get_stream_host(stanza));
+				origin.send(get_stream_host(origin, stanza));
 				return true;
 			end
 		elseif stanza.name == "iq" and type == "set" then