annotate mod_limit_auth/mod_limit_auth.lua @ 6082:1a6cd0bbb7ab

mod_compliance_2023: Add 2023 Version of the compliance module, basis is the 2021 Version. diff --git a/mod_compliance_2023/README.md b/mod_compliance_2023/README.md new file mode 100644 --- /dev/null +++ b/mod_compliance_2023/README.md @@ -0,0 +1,22 @@ +--- +summary: XMPP Compliance Suites 2023 self-test +labels: +- Stage-Beta +rockspec: + dependencies: + - mod_cloud_notify + +... + +Compare the list of enabled modules with +[XEP-0479: XMPP Compliance Suites 2023] and produce basic report to the +Prosody log file. + +If installed with the Prosody plugin installer then all modules needed for a green checkmark should be included. (With prosody 0.12 only [mod_cloud_notify] is not included with prosody and we need the community module) + +# Compatibility + + Prosody-Version Status + --------------- ---------------------- + trunk Works as of 2024-12-21 + 0.12 Works diff --git a/mod_compliance_2023/mod_compliance_2023.lua b/mod_compliance_2023/mod_compliance_2023.lua new file mode 100644 --- /dev/null +++ b/mod_compliance_2023/mod_compliance_2023.lua @@ -0,0 +1,79 @@ +-- Copyright (c) 2021 Kim Alvefur +-- +-- This module is MIT licensed. + +local hostmanager = require "core.hostmanager"; + +local array = require "util.array"; +local set = require "util.set"; + +local modules_enabled = module:get_option_inherited_set("modules_enabled"); + +for host in pairs(hostmanager.get_children(module.host)) do + local component = module:context(host):get_option_string("component_module"); + if component then + modules_enabled:add(component); + modules_enabled:include(module:context(host):get_option_set("modules_enabled", {})); + end +end + +local function check(suggested, alternate, ...) + if set.intersection(modules_enabled, set.new({suggested; alternate; ...})):empty() then return suggested; end + return false; +end + +local compliance = { + array {"Server"; check("tls"); check("disco")}; + + array {"Advanced Server"; check("pep", "pep_simple")}; + + array {"Web"; check("bosh"); check("websocket")}; + + -- No Server requirements for Advanced Web + + array {"IM"; check("vcard_legacy", "vcard"); check("carbons"); check("http_file_share", "http_upload")}; + + array { + "Advanced IM"; + check("vcard_legacy", "vcard"); + check("blocklist"); + check("muc"); + check("private"); + check("smacks"); + check("mam"); + check("bookmarks"); + }; + + array {"Mobile"; check("smacks"); check("csi_simple", "csi_battery_saver")}; + + array {"Advanced Mobile"; check("cloud_notify")}; + + array {"A/V Calling"; check("turn_external", "external_services", "turncredentials", "extdisco")}; + +}; + +function check_compliance() + local compliant = true; + for _, suite in ipairs(compliance) do + local section = suite:pop(1); + if module:get_option_boolean("compliance_" .. section:lower():gsub("%A", "_"), true) then + local missing = set.new(suite:filter(function(m) return type(m) == "string" end):map(function(m) return "mod_" .. m end)); + if suite[1] then + if compliant then + compliant = false; + module:log("warn", "Missing some modules for XMPP Compliance 2023"); + end + module:log("info", "%s Compliance: %s", section, missing); + end + end + end + + if compliant then module:log("info", "XMPP Compliance 2023: Compliant ✔️"); end +end + +if prosody.start_time then + check_compliance() +else + module:hook_global("server-started", check_compliance); +end +
author Menel <menel@snikket.de>
date Sun, 22 Dec 2024 16:06:28 +0100
parents 2a5a44d5b935
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1583
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- mod_limit_auth
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 local st = require"util.stanza";
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 local new_throttle = require "util.throttle".create;
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
5
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 local period = math.max(module:get_option_number(module.name.."_period", 30), 0);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 local max = math.max(module:get_option_number(module.name.."_max", 5), 1);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9 local tarpit_delay = module:get_option_number(module.name.."_tarpit_delay", nil);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 if tarpit_delay then
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11 local waiter = require "util.async".waiter;
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 local delay = tarpit_delay;
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 function tarpit_delay()
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14 local wait, done = waiter();
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
15 module:add_timer(delay, done);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
16 wait();
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
17 end
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
18 else
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
19 function tarpit_delay() end
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
20 end
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
21
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
22 local throttles = module:shared"throttles";
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
23
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
24 local reply = st.stanza("failure", { xmlns = "urn:ietf:params:xml:ns:xmpp-sasl" }):tag("temporary-auth-failure");
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
25
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
26 local function get_throttle(ip)
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
27 local throttle = throttles[ip];
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
28 if not throttle then
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
29 throttle = new_throttle(max, period);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 throttles[ip] = throttle;
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 end
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 return throttle;
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 end
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function (event)
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36 local origin = event.origin;
1941
2a5a44d5b935 mod_limit_auth: Only apply limit to normal c2s sessions (thanks cuc)
Kim Alvefur <zash@zash.se>
parents: 1854
diff changeset
37 if origin.type ~= "c2s_unauthed" then return end
1583
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 if not get_throttle(origin.ip):peek(1) then
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 origin.log("warn", "Too many authentication attepmts for ip %s", origin.ip);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 tarpit_delay();
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 origin.send(reply);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 return true;
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 end
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44 end, 10);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 module:hook("authentication-failure", function (event)
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 get_throttle(event.session.ip):poll(1);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
48 end);
c1bb2a64aabb mod_limit_auth: Throttle authentication (failed) attempts with optional (0.10+) tarpit
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49
1854
450ada5bb1b5 mod_limit_auth: Get rid of old inactive throttle objects
Kim Alvefur <zash@zash.se>
parents: 1583
diff changeset
50 module:add_timer(14400, function (now)
450ada5bb1b5 mod_limit_auth: Get rid of old inactive throttle objects
Kim Alvefur <zash@zash.se>
parents: 1583
diff changeset
51 local old = now - 86400;
450ada5bb1b5 mod_limit_auth: Get rid of old inactive throttle objects
Kim Alvefur <zash@zash.se>
parents: 1583
diff changeset
52 for ip, throttle in pairs(throttles) do
450ada5bb1b5 mod_limit_auth: Get rid of old inactive throttle objects
Kim Alvefur <zash@zash.se>
parents: 1583
diff changeset
53 if throttle.t < old then
450ada5bb1b5 mod_limit_auth: Get rid of old inactive throttle objects
Kim Alvefur <zash@zash.se>
parents: 1583
diff changeset
54 throttles[ip] = nil;
450ada5bb1b5 mod_limit_auth: Get rid of old inactive throttle objects
Kim Alvefur <zash@zash.se>
parents: 1583
diff changeset
55 end
450ada5bb1b5 mod_limit_auth: Get rid of old inactive throttle objects
Kim Alvefur <zash@zash.se>
parents: 1583
diff changeset
56 end
450ada5bb1b5 mod_limit_auth: Get rid of old inactive throttle objects
Kim Alvefur <zash@zash.se>
parents: 1583
diff changeset
57 end);
450ada5bb1b5 mod_limit_auth: Get rid of old inactive throttle objects
Kim Alvefur <zash@zash.se>
parents: 1583
diff changeset
58