view mod_net_proxy/mod_net_proxy.lua @ 6299:5cf5ee23b361

mod_voipms: New Module to send and receive SMS/MMS via VoIP.ms APIs. diff --git a/mod_voipms/README.md b/mod_voipms/README.md new file mode 100644 --- /dev/null +++ b/mod_voipms/README.md @@ -0,0 +1,51 @@ +--- +labels: +- 'Stage-Alpha' +- 'Type-Web' +summary: Send and receive SMS/MMS via VoIP.ms APIs. +rockspec: + build: + modules: + mod_voipms: mod_voipms.lua +... + +Introduction +============ + +This is a Prosody module to map JIDs to DIDs on VoIP.ms and support sending/receiving SMS/MMS. + +Configuration +============= + +| option | type | default | +|-----------------------|--------|---------| +| voipms\_api\_username | string | nil | +| voipms\_api\_password | string | nil | +| voipms\_query\_key | string | nil | +| voipms\_jid\_map | table | nil | +``` +VirtualHost "sms.example.com" +modules_enabled = { + "voipms"; +} +voipms_api_username = john@example.com -- E-mail registered with VoIP.ms +voipms_api_password = abcd1234 -- API password configured in VoIP.ms +voipms_query_key = some_query_key -- query param 'key' part of your URL callback +voipms_jid_map = { + ["your_jid@your_domain.com"] = "+1234567890" +} +``` + +HTTP +==== + +The module is served on Prosody's default HTTP ports at the path /voipms. More details on configuring HTTP modules in Prosody can be found in the HTTP documentation. + +VoIP.ms Webhook URL +=================== + +This module receives the VoIP.ms Webhook URL (POST) at the /voipms endpoint. It uses the sendSMS/sendMMS GET methods against the VoIP.ms APIs. This is an example webhook to use in VoIP.ms: + +``` +https://sms.example.com/voipms?key=some_query_key +``` diff --git a/mod_voipms/mod_voipms.lua b/mod_voipms/mod_voipms.lua new file mode 100644 --- /dev/null +++ b/mod_voipms/mod_voipms.lua @@ -0,0 +1,166 @@ +local http = require "net.http" +local json = require "util.json" +local st = require "util.stanza" + +local api_username = module:get_option_string("voipms_api_username") +local api_password = module:get_option_string("voipms_api_password") +local query_key = module:get_option("voipms_query_key") +local jid_map = module:get_option("voipms_jid_map") or {} +local rest_endpoint = "https://voip.ms/api/v1/rest.php" + +if not api_username or not api_password or not query_key then + module:log("error", "Missing required config values (voipms_api_username, voipms_api_password, voipms_query_key)") + return +end + +module:depends("http") + +local function normalize_number(num) + if not num then return nil end + if num:sub(1, 1) ~= "+" then + return "+1" .. num + end + return num +end + +local function extract_query_key(event) + return (event.request.url.query or ""):match("key=([^&]+)") +end + +module:provides("http", { + route = { + ["POST"] = function(event) + local req = event.request + local body = req.body or "" + + if extract_query_key(event) ~= query_key then + module:log("warn", "Unauthorized webhook: missing or invalid key") + return { status_code = 403 } + end + + local json_payload, err = json.decode(body) + if not json_payload then + module:log("warn", "Invalid JSON: %s", err or "unknown error") + return { status_code = 400 } + end + + local payload = json_payload.data and json_payload.data.payload + if not payload then + module:log("warn", "Missing payload in JSON") + return { status_code = 400 } + end + + local from = payload.from and payload.from.phone_number + local to_list = payload.to or {} + local to = #to_list > 0 and to_list[1].phone_number or nil + + if not from or not to then + module:log("warn", "Missing phone numbers (from: %s, to: %s)", tostring(from), tostring(to)) + return { status_code = 400 } + end + + local normalized_to = normalize_number(to) + local target_jid = nil + + for jid, did in pairs(jid_map) do + if normalize_number(did) == normalized_to then + target_jid = jid + break + end + end + + if not target_jid then + module:log("warn", "No JID mapping for DID %s", normalized_to) + return { status_code = 404 } + end + + local normalized_from = normalize_number(from) + local message_text = payload.text or "" + + local message = st.message({ + from = normalized_from .. "@" .. module.host, + to = target_jid, + type = "chat" + }):tag("body"):text(message_text):up() + + if payload.media and #payload.media > 0 then + for _, media_item in ipairs(payload.media) do + if media_item.url then + message_text = message_text .. "\n" .. media_item.url + message:tag("x", { xmlns = "jabber:x:oob" }) + :tag("url"):text(media_item.url):up():up() + end + end + end + + module:send(message) + module:log("info", "Delivered SMS from %s to %s", normalized_from, target_jid) + + return { status_code = 204 } + end + } +}) + +module:hook("message/bare", function(event) + local stanza = event.stanza + if stanza.attr.type ~= "chat" then return end + + local from_jid = stanza.attr.from + local to_jid = stanza.attr.to + local body = stanza:get_child_text("body") + if not body or body == "" then return end + + local from_number = jid_map[from_jid] + if not from_number then + module:log("warn", "No DID mapping for JID %s", from_jid) + return + end + + local to_number = to_jid:match("^([^@]+)") + if not to_number then + module:log("warn", "Malformed JID in message.to: %s", to_jid) + return + end + + to_number = normalize_number(to_number) + + local media_urls = {} + for line in body:gmatch("[^\r\n]+") do + if line:match("^https?://") then + table.insert(media_urls, line) + end + end + + local method = (#media_urls > 0) and "sendMMS" or "sendSMS" + local query = { + api_username = api_username, + api_password = api_password, + method = method, + did = from_number, + dst = to_number, + message = body + } + + if method == "sendMMS" then + for i, url in ipairs(media_urls) do + query["media_url[" .. (i - 1) .. "]"] = url + end + end + + local query_str = http.formencode(query) + + http.request(rest_endpoint .. "?" .. query_str, { + method = "GET"; + }, function(response_body, code) + if code == 200 then + local resp, err = json.decode(response_body) + if not resp or resp.status ~= "success" then + module:log("error", "Failed to send %s: %s", method, err or (resp and resp.status) or "unknown") + else + module:log("info", "Sent %s from %s to %s", method, from_number, to_number) + end + else + module:log("error", "HTTP error sending %s: code %s", method, tostring(code)) + end + end) +end)
author Chaz <menel@snikket.de>
date Mon, 21 Jul 2025 23:57:37 +0200
parents 49fad071e644
children 9d3e6d2f25c7
line wrap: on
line source

-- mod_net_proxy.lua
-- Copyright (C) 2018 Pascal Mathis <mail@pascalmathis.com>
--
-- Implementation of PROXY protocol versions 1 and 2
-- Specifications: https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt

module:set_global();

-- Imports
local softreq = require "util.dependencies".softreq;
local bit = assert(softreq "bit" or softreq "bit32" or softreq "util.bitcompat", "No bit module found. See https://prosody.im/doc/depends#bitop");
local hex = require "util.hex";
local ip = require "util.ip";
local net = require "util.net";
local set = require "util.set";
local portmanager = require "core.portmanager";
local fmt = require "util.format".format;

-- Backwards Compatibility
local function net_ntop_bc(input)
	if input:len() == 4 then
		return string.format("%d.%d.%d.%d", input:byte(1, 4));
	elseif input:len() == 16 then
		local octets = { nil, nil, nil, nil, nil, nil, nil, nil };

		-- Convert received bytes into IPv6 address and skip leading zeroes for each group
		for index = 1, 8 do
			local high, low = input:byte(index * 2 - 1, index * 2);
			octets[index] = string.format("%x", high * 256 + low);
		end
		local address = table.concat(octets, ":", 1, 8);

		-- Search for the longest sequence of zeroes
		local token;
		local length = (address:match("^0:[0:]+()") or 1) - 1;
		for s in address:gmatch(":0:[0:]+") do
			if length < #s then
				length, token = #s, s;
			end
		end

		-- Return the shortened IPv6 address
		return address:gsub(token or "^0:[0:]+", "::", 1);
	end
end

local net_ntop = net.ntop or net_ntop_bc

-- Utility Functions
local function _table_invert(input)
	local output = {};
	for key, value in pairs(input) do
		output[value] = key;
	end
	return output;
end

-- Constants
local ADDR_FAMILY = { UNSPEC = 0x0, INET = 0x1, INET6 = 0x2, UNIX = 0x3 };
local ADDR_FAMILY_STR = _table_invert(ADDR_FAMILY);
local TRANSPORT = { UNSPEC = 0x0, STREAM = 0x1, DGRAM = 0x2 };
local TRANSPORT_STR = _table_invert(TRANSPORT);

local PROTO_MAX_HEADER_LENGTH = 256;
local PROTO_HANDLERS = {
	PROXYv1 = { signature = hex.from("50524F5859"), callback = nil },
	PROXYv2 = { signature = hex.from("0D0A0D0A000D0A515549540A"), callback = nil }
};
local PROTO_HANDLER_STATUS = { SUCCESS = 0, POSTPONE = 1, FAILURE = 2 };

-- Configuration Variables
local config_mappings = module:get_option("proxy_port_mappings", {});
local config_ports = module:get_option_set("proxy_ports", {});
local config_trusted_proxies = module:get_option_set("proxy_trusted_proxies", {"127.0.0.1", "::1"});

-- Persistent In-Memory Storage
local sessions = {};
local mappings = {};
local trusted_networks = set.new();

-- Proxy Data Methods
local proxy_data_mt = {}; proxy_data_mt.__index = proxy_data_mt;

function proxy_data_mt:describe()
	return fmt("proto=%s/%s src=%s:%d dst=%s:%d",
		self:addr_family_str(), self:transport_str(), self:src_addr(), self:src_port(), self:dst_addr(), self:dst_port());
end

function proxy_data_mt:addr_family_str()
	return ADDR_FAMILY_STR[self._addr_family] or ADDR_FAMILY_STR[ADDR_FAMILY.UNSPEC];
end

function proxy_data_mt:transport_str()
	return TRANSPORT_STR[self._transport] or TRANSPORT_STR[TRANSPORT.UNSPEC];
end

function proxy_data_mt:version()
	return self._version;
end

function proxy_data_mt:addr_family()
	return self._addr_family;
end

function proxy_data_mt:transport()
	return self._transport;
end

function proxy_data_mt:src_addr()
	return self._src_addr;
end

function proxy_data_mt:src_port()
	return self._src_port;
end

function proxy_data_mt:dst_addr()
	return self._dst_addr;
end

function proxy_data_mt:dst_port()
	return self._dst_port;
end

-- Protocol Handler Functions
PROTO_HANDLERS["PROXYv1"].callback = function(conn, session)
	local addr_family_mappings = { TCP4 = ADDR_FAMILY.INET, TCP6 = ADDR_FAMILY.INET6 };

	-- Postpone processing if CRLF (PROXYv1 header terminator) does not exist within buffer
	if session.buffer:find("\r\n") == nil then
		return PROTO_HANDLER_STATUS.POSTPONE, nil;
	end

	-- Declare header pattern and match current buffer against pattern
	local header_pattern = "^PROXY (%S+) (%S+) (%S+) (%d+) (%d+)\r\n";
	local addr_family, src_addr, dst_addr, src_port, dst_port = session.buffer:match(header_pattern);
	src_port, dst_port = tonumber(src_port), tonumber(dst_port);

	-- Ensure that header was successfully parsed and contains a valid address family
	if addr_family == nil or src_addr == nil or dst_addr == nil or src_port == nil or dst_port == nil then
		module:log("warn", "Received unparseable PROXYv1 header from %s", conn:ip());
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end
	if addr_family_mappings[addr_family] == nil then
		module:log("warn", "Received invalid PROXYv1 address family from %s: %s", conn:ip(), addr_family);
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end

	-- Ensure that received source and destination ports are within 1 and 65535 (0xFFFF)
	if src_port <= 0 or src_port >= 0xFFFF then
		module:log("warn", "Received invalid PROXYv1 source port from %s: %d", conn:ip(), src_port);
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end
	if dst_port <= 0 or dst_port >= 0xFFFF then
		module:log("warn", "Received invalid PROXYv1 destination port from %s: %d", conn:ip(), dst_port);
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end

	-- Ensure that received source and destination address can be parsed
	local _, err = ip.new_ip(src_addr);
	if err ~= nil then
		module:log("warn", "Received unparseable PROXYv1 source address from %s: %s", conn:ip(), src_addr);
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end
	_, err = ip.new_ip(dst_addr);
	if err ~= nil then
		module:log("warn", "Received unparseable PROXYv1 destination address from %s: %s", conn:ip(), dst_addr);
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end

	-- Strip parsed header from session buffer and build proxy data
	session.buffer = session.buffer:gsub(header_pattern, "");

	local proxy_data = {
		_version = 1,
		_addr_family = addr_family, _transport = TRANSPORT.STREAM,
		_src_addr = src_addr, _src_port = src_port,
		_dst_addr = dst_addr, _dst_port = dst_port
	};
	setmetatable(proxy_data, proxy_data_mt);

	-- Return successful response with gathered proxy data
	return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
end

PROTO_HANDLERS["PROXYv2"].callback = function(conn, session)
	-- Postpone processing if less than 16 bytes are available
	if #session.buffer < 16 then
		return PROTO_HANDLER_STATUS.POSTPONE, nil;
	end

	-- Parse first 16 bytes of protocol header
	local version = bit.rshift(bit.band(session.buffer:byte(13), 0xF0), 4);
	local command = bit.band(session.buffer:byte(13), 0x0F);
	local addr_family = bit.rshift(bit.band(session.buffer:byte(14), 0xF0), 4);
	local transport = bit.band(session.buffer:byte(14), 0x0F);
	local length = bit.bor(session.buffer:byte(16), bit.lshift(session.buffer:byte(15), 8));

	-- Postpone processing if less than 16+<length> bytes are available
	if #session.buffer < 16 + length then
		return PROTO_HANDLER_STATUS.POSTPONE, nil;
	end

	-- Ensure that version number is correct
	if version ~= 0x2 then
		module:log("warn", "Received unsupported PROXYv2 version from %s: %d", conn:ip(), version);
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end

	local payload = session.buffer:sub(17);
	if command == 0x0 then
		-- Gather source/destination addresses and ports from local socket
		local src_addr, src_port = conn:socket():getpeername();
		local dst_addr, dst_port = conn:socket():getsockname();

		-- Build proxy data based on real connection information
		local proxy_data = {
			_version = version,
			_addr_family = addr_family, _transport = transport,
			_src_addr = src_addr, _src_port = src_port,
			_dst_addr = dst_addr, _dst_port = dst_port
		};
		setmetatable(proxy_data, proxy_data_mt);

		-- Return successful response with gathered proxy data
		return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
	elseif command == 0x1 then
		local offset = 1;
		local src_addr, src_port, dst_addr, dst_port;

		-- Verify transport protocol is either STREAM or DGRAM
		if transport ~= TRANSPORT.STREAM and transport ~= TRANSPORT.DGRAM then
			module:log("warn", "Received unsupported PROXYv2 transport from %s: 0x%02X", conn:ip(), transport);
			return PROTO_HANDLER_STATUS.FAILURE, nil;
		end

		-- Parse source and destination addresses
		if addr_family == ADDR_FAMILY.INET then
			src_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
			dst_addr = net_ntop(payload:sub(offset, offset + 3)); offset = offset + 4;
		elseif addr_family == ADDR_FAMILY.INET6 then
			src_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
			dst_addr = net_ntop(payload:sub(offset, offset + 15)); offset = offset + 16;
		elseif addr_family == ADDR_FAMILY.UNIX then
			src_addr = payload:sub(offset, offset + 107); offset = offset + 108;
			dst_addr = payload:sub(offset, offset + 107); offset = offset + 108;
		end

		-- Parse source and destination ports
		if addr_family == ADDR_FAMILY.INET or addr_family == ADDR_FAMILY.INET6 then
			src_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8)); offset = offset + 2;
			-- luacheck: ignore 311
			dst_port = bit.bor(payload:byte(offset + 1), bit.lshift(payload:byte(offset), 8)); offset = offset + 2;
		end

		-- Strip parsed header from session buffer and build proxy data
		session.buffer = session.buffer:sub(17 + length);

		local proxy_data = {
			_version = version,
			_addr_family = addr_family, _transport = transport,
			_src_addr = src_addr, _src_port = src_port,
			_dst_addr = dst_addr, _dst_port = dst_port
		};
		setmetatable(proxy_data, proxy_data_mt);

		-- Return successful response with gathered proxy data
		return PROTO_HANDLER_STATUS.SUCCESS, proxy_data;
	else
		module:log("warn", "Received unsupported PROXYv2 command from %s: 0x%02X", conn:ip(), command);
		return PROTO_HANDLER_STATUS.FAILURE, nil;
	end
end

-- Wrap an existing connection with the provided proxy data. This will override several methods of the 'conn' object to
-- return the proxied source instead of the source which initiated the TCP connection. Afterwards, the listener of the
-- connection gets set according to the globally defined port<>service mappings and the methods 'onconnect' and
-- 'onincoming' are being called manually with the current session buffer.
local function wrap_proxy_connection(conn, session, proxy_data)
	-- Override and add functions of 'conn' object when source information has been collected
	conn.proxyip, conn.proxyport = conn.ip, conn.port;
	if proxy_data:src_addr() ~= nil and proxy_data:src_port() ~= nil then
		conn.ip = function()
			return proxy_data:src_addr();
		end
		conn.port = function()
			return proxy_data:src_port();
		end
		conn.clientport = conn.port;
	end

	-- Attempt to find service by processing port<>service mappings
	local mapping = mappings[tonumber(conn:serverport())];
	if mapping == nil then
		conn:close();
		module:log("warn", "Connection %s@%s terminated: Could not find mapping for port %d",
			conn:ip(), conn:proxyip(), conn:serverport());
		return;
	end

	if mapping.service == nil then
		local service = portmanager.get_service(mapping.service_name);

		if service ~= nil then
			mapping.service = service;
		else
			conn:close();
			module:log("warn", "Connection %s@%s terminated: Could not process mapping for unknown service %s",
				conn:ip(), conn:proxyip(), mapping.service_name);
			return;
		end
	end

	-- Pass connection to actual service listener and simulate onconnect/onincoming callbacks
	local service_listener = mapping.service.listener;

	module:log("info", "Passing proxied connection %s:%d to service %s", conn:ip(), conn:port(), mapping.service_name);
	conn:setlistener(service_listener);
	if service_listener.onconnect then
		service_listener.onconnect(conn);
	end
	return service_listener.onincoming(conn, session.buffer);
end

local function is_trusted_proxy(conn)
	-- If no trusted proxies were configured, trust any incoming connection
	-- While this may seem insecure, the module defaults to only trusting 127.0.0.1 and ::1
	if trusted_networks:empty() then
		return true;
	end

	-- Iterate through all trusted proxies and check for match against connected IP address
	local conn_ip = ip.new_ip(conn:ip());
	for trusted_network in trusted_networks:items() do
		if ip.match(trusted_network.ip, conn_ip, trusted_network.cidr) then
			return true;
		end
	end

	-- Connection does not match any trusted proxy
	return false;
end

-- Network Listener Methods
local listener = {};

function listener.onconnect(conn)
	-- Silently drop connections with an IP address of <nil>, which can happen when the socket was closed before the
	-- responsible net.server backend was able to grab the IP address of the connecting client.
	if conn:ip() == nil then
		conn:close();
		return;
	end

	-- Check if connection is coming from a trusted proxy
	if not is_trusted_proxy(conn) then
		conn:close();
		module:log("warn", "Dropped connection from untrusted proxy: %s", conn:ip());
		return;
	end

	-- Initialize session variables
	sessions[conn] = {
		handler = nil;
		buffer = nil;
	};
end

function listener.onincoming(conn, data)
	-- Abort processing if no data has been received
	if not data then
		return;
	end

	-- Lookup session for connection and append received data to buffer
	local session = sessions[conn];
	session.buffer = session.buffer and session.buffer .. data or data;

	-- Attempt to determine protocol handler if not done previously
	if session.handler == nil then
		-- Match current session buffer against all known protocol signatures to determine protocol handler
		for handler_name, handler in pairs(PROTO_HANDLERS) do
			if session.buffer:find("^" .. handler.signature) ~= nil then
				session.handler = handler.callback;
				module:log("debug", "Detected %s connection from %s:%d", handler_name, conn:ip(), conn:port());
				break;
			end
		end

		-- Decide between waiting for a complete header signature or terminating the connection when no handler has been found
		if session.handler == nil then
			-- Terminate connection if buffer size has exceeded tolerable maximum size
			if #session.buffer > PROTO_MAX_HEADER_LENGTH then
				conn:close();
				module:log("warn", "Connection %s:%d terminated: No valid PROXY header within %d bytes",
					conn:ip(), conn:port(), PROTO_MAX_HEADER_LENGTH);
			end

			-- Skip further processing without a valid protocol handler
			module:log("debug", "No valid header signature detected from %s:%d, waiting for more data...",
				conn:ip(), conn:port());
			return;
		end
	end

	-- Execute proxy protocol handler and process response
	local response, proxy_data = session.handler(conn, session);
	if response == PROTO_HANDLER_STATUS.SUCCESS then
		module:log("info", "Received PROXY header from %s: %s", conn:ip(), proxy_data:describe());
		return wrap_proxy_connection(conn, session, proxy_data);
	elseif response == PROTO_HANDLER_STATUS.POSTPONE then
		module:log("debug", "Postponed parsing of incomplete PROXY header received from %s", conn:ip());
		return;
	elseif response == PROTO_HANDLER_STATUS.FAILURE then
		conn:close();
		module:log("warn", "Connection %s terminated: Could not process PROXY header from client, " +
			"see previous log messages.", conn:ip());
		return;
	else
		-- This code should be never reached, but is included for completeness
		conn:close();
		module:log("warn", "Connection terminated: Received invalid protocol handler response with code %d", response);
		return;
	end
end

function listener.ondisconnect(conn)
	sessions[conn] = nil;
end

listener.ondetach = listener.ondisconnect;

-- Parse trusted proxies which can either contain single hosts or networks
if not config_trusted_proxies:empty() then
	for trusted_proxy in config_trusted_proxies:items() do
		local network = {};
		network.ip, network.cidr = ip.parse_cidr(trusted_proxy);
		trusted_networks:add(network);
	end
else
	module:log("warn", "No trusted proxies configured, all connections will be accepted - this might be dangerous");
end

-- Process all configured port mappings and generate a list of mapped ports
local mapped_ports = {};
for port, mapping in pairs(config_mappings) do
	port = tonumber(port);
	table.insert(mapped_ports, port);
	mappings[port] = {
		service_name = mapping,
		service = nil,
	};
end

-- Log error message when user manually specifies ports without configuring the necessary port mappings
if not config_ports:empty() then
	local missing_ports = config_ports - set.new(mapped_ports);
	if not missing_ports:empty() then
		module:log("error", "Missing port<>service mappings for these ports: %s", tostring(missing_ports));
	end
end

-- Register the previously declared network listener
module:provides("net", {
	name = "proxy";
	listener = listener;
	default_ports = mapped_ports;
});