Mercurial > prosody-modules
view mod_auth_http_cookie/mod_auth_http_cookie.lua @ 6082:1a6cd0bbb7ab
mod_compliance_2023: Add 2023 Version of the compliance module, basis is the 2021 Version.
diff --git a/mod_compliance_2023/README.md b/mod_compliance_2023/README.md
new file mode 100644
--- /dev/null
+++ b/mod_compliance_2023/README.md
@@ -0,0 +1,22 @@
+---
+summary: XMPP Compliance Suites 2023 self-test
+labels:
+- Stage-Beta
+rockspec:
+ dependencies:
+ - mod_cloud_notify
+
+...
+
+Compare the list of enabled modules with
+[XEP-0479: XMPP Compliance Suites 2023] and produce basic report to the
+Prosody log file.
+
+If installed with the Prosody plugin installer then all modules needed for a green checkmark should be included. (With prosody 0.12 only [mod_cloud_notify] is not included with prosody and we need the community module)
+
+# Compatibility
+
+ Prosody-Version Status
+ --------------- ----------------------
+ trunk Works as of 2024-12-21
+ 0.12 Works
diff --git a/mod_compliance_2023/mod_compliance_2023.lua b/mod_compliance_2023/mod_compliance_2023.lua
new file mode 100644
--- /dev/null
+++ b/mod_compliance_2023/mod_compliance_2023.lua
@@ -0,0 +1,79 @@
+-- Copyright (c) 2021 Kim Alvefur
+--
+-- This module is MIT licensed.
+
+local hostmanager = require "core.hostmanager";
+
+local array = require "util.array";
+local set = require "util.set";
+
+local modules_enabled = module:get_option_inherited_set("modules_enabled");
+
+for host in pairs(hostmanager.get_children(module.host)) do
+ local component = module:context(host):get_option_string("component_module");
+ if component then
+ modules_enabled:add(component);
+ modules_enabled:include(module:context(host):get_option_set("modules_enabled", {}));
+ end
+end
+
+local function check(suggested, alternate, ...)
+ if set.intersection(modules_enabled, set.new({suggested; alternate; ...})):empty() then return suggested; end
+ return false;
+end
+
+local compliance = {
+ array {"Server"; check("tls"); check("disco")};
+
+ array {"Advanced Server"; check("pep", "pep_simple")};
+
+ array {"Web"; check("bosh"); check("websocket")};
+
+ -- No Server requirements for Advanced Web
+
+ array {"IM"; check("vcard_legacy", "vcard"); check("carbons"); check("http_file_share", "http_upload")};
+
+ array {
+ "Advanced IM";
+ check("vcard_legacy", "vcard");
+ check("blocklist");
+ check("muc");
+ check("private");
+ check("smacks");
+ check("mam");
+ check("bookmarks");
+ };
+
+ array {"Mobile"; check("smacks"); check("csi_simple", "csi_battery_saver")};
+
+ array {"Advanced Mobile"; check("cloud_notify")};
+
+ array {"A/V Calling"; check("turn_external", "external_services", "turncredentials", "extdisco")};
+
+};
+
+function check_compliance()
+ local compliant = true;
+ for _, suite in ipairs(compliance) do
+ local section = suite:pop(1);
+ if module:get_option_boolean("compliance_" .. section:lower():gsub("%A", "_"), true) then
+ local missing = set.new(suite:filter(function(m) return type(m) == "string" end):map(function(m) return "mod_" .. m end));
+ if suite[1] then
+ if compliant then
+ compliant = false;
+ module:log("warn", "Missing some modules for XMPP Compliance 2023");
+ end
+ module:log("info", "%s Compliance: %s", section, missing);
+ end
+ end
+ end
+
+ if compliant then module:log("info", "XMPP Compliance 2023: Compliant ✔️"); end
+end
+
+if prosody.start_time then
+ check_compliance()
+else
+ module:hook_global("server-started", check_compliance);
+end
+
| author | Menel <menel@snikket.de> |
|---|---|
| date | Sun, 22 Dec 2024 16:06:28 +0100 |
| parents | b7aa8630438e |
| children |
line wrap: on
line source
-- Prosody IM -- Copyright (C) 2008-2013 Matthew Wild -- Copyright (C) 2008-2013 Waqas Hussain -- Copyright (C) 2014 Kim Alvefur -- -- This project is MIT/X11 licensed. Please see the -- COPYING file in the source package for more information. -- local new_sasl = require "util.sasl".new; local base64 = require "util.encodings".base64.encode; local have_async, async = pcall(require, "util.async"); local nodeprep = require "util.encodings".stringprep.nodeprep; local log = module._log; local host = module.host; local password_auth_url = module:get_option_string("http_auth_url", ""):gsub("$host", host); local cookie_auth_url = module:get_option_string("http_cookie_auth_url"); if cookie_auth_url then cookie_auth_url = cookie_auth_url:gsub("$host", host); end local external_needs_authzid = cookie_auth_url and cookie_auth_url:match("$user"); if password_auth_url == "" and not cookie_auth_url then error("http_auth_url or http_cookie_auth_url required") end local provider = {}; -- globals required by socket.http if rawget(_G, "PROXY") == nil then rawset(_G, "PROXY", false) end if rawget(_G, "base_parsed") == nil then rawset(_G, "base_parsed", false) end if not have_async then -- FINE! Set your globals then prosody.unlock_globals() require "ltn12" require "socket" require "socket.http" require "ssl.https" prosody.lock_globals() end local function async_http_request(url, headers) module:log("debug", "async_http_auth()"); local http = require "net.http"; local wait, done = async.waiter(); local content, code, request, response; local ex = { headers = headers; } local function cb(content_, code_, request_, response_) content, code, request, response = content_, code_, request_, response_; done(); end http.request(url, ex, cb); wait(); log("debug", "response code %s", tostring(code)); if code >= 200 and code <= 299 then return true, content; end return nil; end local function sync_http_request(url, headers) module:log("debug", "sync_http_auth()"); require "ltn12"; local http = require "socket.http"; local https = require "ssl.https"; local request; if string.sub(url, 1, string.len('https')) == 'https' then request = https.request; else request = http.request; end local body_chunks = {}; local _, code, headers, status = request{ url = url, headers = headers; sink = ltn12.sink.table(body_chunks); }; log("debug", "response code %s %s", type(code), tostring(code)); if type(code) == "number" and code >= 200 and code <= 299 then log("debug", "success") return true, table.concat(body_chunks); end return nil; end local http_request = have_async and async_http_request or sync_http_request; function http_test_password(username, password) local url = password_auth_url:gsub("$user", username):gsub("$password", password); log("debug", "Testing password for user %s at host %s with URL %s", username, host, url); local ok = (http_request(url, { Authorization = "Basic "..base64(username..":"..password); })); if not ok then return nil, "not authorized"; end return true; end function http_test_cookie(cookie, username) local url = external_needs_authzid and cookie_auth_url:gsub("$user", username) or cookie_auth_url; log("debug", "Testing cookie auth for user %s at host %s with URL %s", username or "<unknown>", host, url); local ok, resp = http_request(url, { Cookie = cookie; }); if not ok then return nil, "not authorized"; end return external_needs_authzid or resp; end function provider.test_password(username, password) return http_test_password(username, password); end function provider.users() return function() return nil; end end function provider.set_password(username, password) return nil, "Changing passwords not supported"; end function provider.user_exists(username) return true; end function provider.create_user(username, password) return nil, "User creation not supported"; end function provider.delete_user(username) return nil , "User deletion not supported"; end local function get_session_cookies(session) local request = session.websocket_request; -- WebSockets if not request and session.requests then -- BOSH request = session.requests[1]; end if not request and session.conn._http_open_response then -- Fallback BOSH local response = session.conn._http_open_response; request = response and response.request; end if request then return request.headers.cookie; end end function provider.get_sasl_handler(session) local cookie = cookie_auth_url and get_session_cookies(session); log("debug", "Request cookie: %s", cookie); return new_sasl(host, { plain_test = function(sasl, username, password, realm) return provider.test_password(username, password), true; end; external = cookie and function (authzid) if external_needs_authzid then -- Authorize the username provided by the client, using request cookie if authzid ~= "" then module:log("warn", "Client requested authzid, but cookie auth URL does not contain $user variable"); return nil; end local success = http_test_cookie(cookie); if not success then return nil; end return nodeprep(authzid), true; else -- Authorize client using request cookie, username comes from auth server if authzid == "" then module:log("warn", "Client did not provide authzid, but cookie auth URL contains $user variable"); return nil; end local unprepped_username = http_test_cookie(cookie, nodeprep(authzid)); local username = nodeprep(unprepped_username); if not username then if unprepped_username then log("warn", "Username supplied by cookie_auth_url is not valid for XMPP"); end return nil; end return username, true; end; end; }); end module:provides("auth", provider);
