diff options
47 files changed, 1519 insertions, 365 deletions
diff --git a/.semgrep.yml b/.semgrep.yml index 22bfcfea..c475859d 100644 --- a/.semgrep.yml +++ b/.semgrep.yml @@ -28,3 +28,12 @@ rules: message: Use :get_text() to read text, or pass a value here to add text severity: WARNING languages: [lua] +- id: require-unprefixed-module + patterns: + - pattern: require("$X") + - metavariable-regex: + metavariable: $X + regex: '^(core|net|util)\.' + message: Prefix required module path with 'prosody.' + severity: ERROR + languages: [lua] @@ -1,12 +1,26 @@ TRUNK ===== +13.0.x +====== + ## New +## Modules + +- mod_account_activity +- mod_cloud_notify +- mod_flags +- mod_http_altconnect +- mod_s2s_auth_dane_in +- mod_server_info + ### Administration - Add 'watch log' command to follow live debug logs at runtime (even if disabled) - mod_announce: Add shell commands to send messages to all users, online users, or limited by roles +- New mod_account_activity plugin records last login/logout time of a user account +- New 'prosodyctl check features' recommends configuration improvements ### Networking @@ -30,6 +44,7 @@ TRUNK - muc_room_allow_public = false restricts to admins - Commands to show occupants and affiliations in the Shell - Save 'reason' text supplied with affiliation change +- Owners can set MUC avatars (functionality previously in community module mod_vcard_muc) ### Security and authentication @@ -40,6 +55,7 @@ TRUNK - Ability to disable and enable user accounts - Full DANE support for s2s - A "grace period" is now supported for deletion requests via in-band registration +- No longer check certificate Common Names per RFC 9525 ### Storage @@ -56,6 +72,7 @@ TRUNK - Method for retrieving integer settings from config - It is now easy for modules to expose a Prosody shell command, by adding a shell-command item - Modules can now implement a module.ready method which will be called after server initialization +- module:depends() now accepts a second parameter 'soft' to enable soft dependencies ### Configuration @@ -77,6 +94,8 @@ TRUNK - Support for the roster *group* access_model in mod_pep - Support for systemd socket activation in server_epoll - mod_invites_adhoc gained a command for creating password resets +- mod_cloud_notify imported from community modules for push notification support +- mod_http_altconnect imported from community modules, simplifying web clients ## Removed diff --git a/core/certmanager.lua b/core/certmanager.lua index 9e0ace6a..3acddf73 100644 --- a/core/certmanager.lua +++ b/core/certmanager.lua @@ -91,7 +91,7 @@ local function index_certs(dir, files_by_name, depth_limit) index_certs(full, files_by_name, depth_limit-1); end elseif file:find("%.crt$") or file:find("fullchain") then -- This should catch most fullchain files - local f = io_open(full); + local f, err = io_open(full); if f then -- TODO look for chained certificates local firstline = f:read(); @@ -113,13 +113,17 @@ local function index_certs(dir, files_by_name, depth_limit) files_by_name[name] = { [full] = services; }; end end + else + log("debug", "Skipping expired certificate: %s", full); end end f:close(); + elseif err then + log("debug", "Failed to open file for indexing: %s", full); end end end - log("debug", "Certificate index: %q", files_by_name); + log("debug", "Certificate index in %s: %q", dir, files_by_name); -- | hostname | filename | service | return files_by_name; end @@ -189,10 +193,6 @@ local core_defaults = { single_ecdh_use = tls.features.options.single_ecdh_use; no_renegotiation = tls.features.options.no_renegotiation; }; - verifyext = { - "lsec_continue", -- Continue past certificate verification errors - "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates - }; curve = tls.features.algorithms.ec and not tls.features.capabilities.curves_list and "secp384r1"; curveslist = { "X25519", diff --git a/core/configmanager.lua b/core/configmanager.lua index 36df0171..6c6b670b 100644 --- a/core/configmanager.lua +++ b/core/configmanager.lua @@ -18,6 +18,8 @@ local resolve_relative_path = require"prosody.util.paths".resolve_relative_path; local glob_to_pattern = require"prosody.util.paths".glob_to_pattern; local path_sep = package.config:sub(1,1); local get_traceback_table = require "prosody.util.debug".get_traceback_table; +local errors = require "prosody.util.error"; +local log = require "prosody.util.logger".init("config"); local encodings = deps.softreq"prosody.util.encodings"; local nameprep = encodings and encodings.stringprep.nameprep or function (host) return host:lower(); end @@ -33,6 +35,8 @@ local parser = nil; local config_mt = { __index = function (t, _) return rawget(t, "*"); end}; local config = setmetatable({ ["*"] = { } }, config_mt); local files = {}; +local credentials_directory = nil; +local credential_fallback_fatal = true; -- When host not found, use global local host_mt = { __index = function(_, k) return config["*"][k] end } @@ -42,7 +46,12 @@ function _M.getconfig() end function _M.get(host, key) - return config[host][key]; + local v = config[host][key]; + if v and errors.is_error(v) then + log("warn", "%s:%d: %s", v.context.filename, v.context.fileline, v.text); + return nil; + end + return v; end function _M.rawget(host, key) local hostconfig = rawget(config, host); @@ -360,17 +369,17 @@ do env.FileLine = filereader(config_path, "*l"); env.FileLines = linereader(config_path); - if _G.prosody.paths.credentials then - env.Credential = filereader(_G.prosody.paths.credentials, "*a"); - elseif _G.prosody.process_type == "prosody" then + if credentials_directory then + env.Credential = filereader(credentials_directory, "*a"); + elseif credential_fallback_fatal then env.Credential = function() error("Credential() requires the $CREDENTIALS_DIRECTORY environment variable to be set", 2) end else env.Credential = function() - t_insert(warnings, ("%s:%d: Credential() requires the $CREDENTIALS_DIRECTORY environment variable to be set") - :format(config_file, get_line_number(config_file))); - return nil; + return errors.new({ + type = "continue"; + text = "Credential() requires the $CREDENTIALS_DIRECTORY environment variable to be set"; + }, { filename = config_file; fileline = get_line_number(config_file) }); end - end local chunk, err = envload(data, "@"..config_file, env); @@ -392,4 +401,12 @@ do end +function _M.set_credentials_directory(directory) + credentials_directory = directory; +end + +function _M.set_credential_fallback_mode(mode) + credential_fallback_fatal = mode == "error"; +end + return _M; diff --git a/core/features.lua b/core/features.lua index cd6618db..8e155f70 100644 --- a/core/features.lua +++ b/core/features.lua @@ -10,6 +10,10 @@ return { "mod_flags"; -- mod_cloud_notify bundled "mod_cloud_notify"; + -- mod_muc has built-in vcard support + "muc_vcard"; + -- mod_http_altconnect bundled + "http_altconnect"; -- Roles, module.may and per-session authz "permissions"; -- prosody.* namespace diff --git a/core/moduleapi.lua b/core/moduleapi.lua index b93536b5..50524b32 100644 --- a/core/moduleapi.lua +++ b/core/moduleapi.lua @@ -136,10 +136,14 @@ function api:require(lib) return f(); end -function api:depends(name) +function api:depends(name, soft) local modulemanager = require"prosody.core.modulemanager"; if self:get_option_inherited_set("modules_disabled", {}):contains(name) then - error("Dependency on disabled module mod_"..name); + if not soft then + error("Dependency on disabled module mod_"..name); + end + self:log("debug", "Not loading disabled soft dependency mod_%s", name); + return nil, "disabled"; end if not self.dependencies then self.dependencies = {}; diff --git a/core/modulemanager.lua b/core/modulemanager.lua index b8ba2f35..7295ba25 100644 --- a/core/modulemanager.lua +++ b/core/modulemanager.lua @@ -29,7 +29,6 @@ local ipairs, pairs, type, t_insert = ipairs, pairs, type, table.insert; local lua_version = _VERSION:match("5%.%d+$"); local autoload_modules = { - prosody.platform, "presence", "message", "iq", diff --git a/core/usermanager.lua b/core/usermanager.lua index 793e7af6..c179e21b 100644 --- a/core/usermanager.lua +++ b/core/usermanager.lua @@ -109,6 +109,7 @@ end local function set_password(username, password, host, resource) local ok, err = hosts[host].users.set_password(username, password); if ok then + log("info", "Account password changed: %s@%s", username, host); prosody.events.fire_event("user-password-changed", { username = username, host = host, resource = resource }); end return ok, err; @@ -126,12 +127,17 @@ local function user_exists(username, host) end local function create_user(username, password, host) - return hosts[host].users.create_user(username, password); + local ok, err = hosts[host].users.create_user(username, password); + if ok then + log("info", "User account created: %s@%s", username, host); + end + return ok, err; end local function delete_user(username, host) local ok, err = hosts[host].users.delete_user(username); if not ok then return nil, err; end + log("info", "User account deleted: %s@%s", username, host); prosody.events.fire_event("user-deleted", { username = username, host = host }); return storagemanager.purge(username, host); end @@ -158,6 +164,7 @@ local function enable_user(username, host) if not method then return nil, "method not supported"; end local ret, err = method(username); if ret then + log("info", "User account enabled: %s@%s", username, host); prosody.events.fire_event("user-enabled", { username = username, host = host }); end return ret, err; @@ -168,6 +175,7 @@ local function disable_user(username, host, meta) if not method then return nil, "method not supported"; end local ret, err = method(username, meta); if ret then + log("info", "User account disabled: %s@%s", username, host); prosody.events.fire_event("user-disabled", { username = username, host = host, meta = meta }); end return ret, err; @@ -198,6 +206,7 @@ local function set_user_role(user, host, role_name) local role, err = hosts[host].authz.set_user_role(user, role_name); if role then + log("info", "Account %s@%s role changed to %s", user, host, role_name); prosody.events.fire_event("user-role-changed", { username = user, host = host, role = role; }); @@ -244,7 +253,7 @@ local function add_user_secondary_role(user, host, role_name) local role, err = hosts[host].authz.add_user_secondary_role(user, role_name); if role then prosody.events.fire_event("user-role-added", { - username = user, host = host, role = role; + username = user, host = host, role_name = role_name, role = role; }); end return role, err; diff --git a/doc/doap.xml b/doc/doap.xml index edd924bf..9c97ef1c 100644 --- a/doc/doap.xml +++ b/doc/doap.xml @@ -64,6 +64,7 @@ <implements rdf:resource="https://www.rfc-editor.org/info/rfc7673"/> <implements rdf:resource="https://www.rfc-editor.org/info/rfc8305"/> <implements rdf:resource="https://www.rfc-editor.org/info/rfc9266"/> + <implements rdf:resource="https://www.rfc-editor.org/info/rfc9525"/> <implements rdf:resource="https://datatracker.ietf.org/doc/draft-cridland-xmpp-session/"> <!-- since=0.6.0 note=Added in hg:0bbbc9042361 --> </implements> @@ -245,7 +246,7 @@ <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0090.html"/> <xmpp:version>1.2</xmpp:version> <xmpp:since>0.1.0</xmpp:since> - <xmpp:until>trunk</xmpp:until> + <xmpp:until>13.0.0</xmpp:until> <xmpp:status>removed</xmpp:status> <xmpp:note>mod_time</xmpp:note> </xmpp:SupportedXep> @@ -736,7 +737,7 @@ <xmpp:SupportedXep> <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0357.html"/> <xmpp:version>0.4.1</xmpp:version> - <xmpp:since>trunk</xmpp:since> + <xmpp:since>13.0.0</xmpp:since> <xmpp:status>complete</xmpp:status> <xmpp:note>mod_cloud_notify</xmpp:note> </xmpp:SupportedXep> @@ -840,7 +841,7 @@ <implements> <xmpp:SupportedXep> <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0421.html"/> - <xmpp:version>0.2.0</xmpp:version> + <xmpp:version>1.0.0</xmpp:version> <xmpp:since>0.12.0</xmpp:since> <xmpp:status>complete</xmpp:status> <xmpp:note>mod_muc</xmpp:note> @@ -857,7 +858,7 @@ <xmpp:SupportedXep> <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0440.html"/> <xmpp:version>0.4.2</xmpp:version> - <xmpp:since>trunk</xmpp:since> + <xmpp:since>13.0.0</xmpp:since> <xmpp:status>complete</xmpp:status> </xmpp:SupportedXep> </implements> @@ -881,7 +882,7 @@ <xmpp:SupportedXep> <xmpp:xep rdf:resource="https://xmpp.org/extensions/xep-0478.html"/> <xmpp:version>0.2.0</xmpp:version> - <xmpp:since>trunk</xmpp:since> + <xmpp:since>13.0.0</xmpp:since> </xmpp:SupportedXep> </implements> </Project> diff --git a/net/adns.lua b/net/adns.lua index 2ecd7f53..59f19302 100644 --- a/net/adns.lua +++ b/net/adns.lua @@ -74,11 +74,17 @@ local function new_async_socket(sock, resolver) return handler; end +local function measure(_qclass, _qtype) + return measure; +end + function async_resolver_methods:lookup(handler, qname, qtype, qclass) local resolver = self._resolver; + local m = measure(qclass or "IN", qtype or "A"); return coroutine.wrap(function (peek) if peek then log("debug", "Records for %s already cached, using those...", qname); + m(); handler(peek); return; end @@ -89,6 +95,7 @@ function async_resolver_methods:lookup(handler, qname, qtype, qclass) log("debug", "Reply for %s (%s)", qname, coroutine.running()); end if ok then + m(); ok, err = pcall(handler, resolver:peek(qname, qtype, qclass)); else log("error", "Error sending DNS query: %s", err); @@ -129,4 +136,5 @@ return { end; resolver = new_async_resolver; new_async_socket = new_async_socket; + instrument = function(measure_) measure = measure_; end; }; diff --git a/net/httpserver.lua b/net/httpserver.lua deleted file mode 100644 index 0dfd862e..00000000 --- a/net/httpserver.lua +++ /dev/null @@ -1,17 +0,0 @@ --- COMPAT w/pre-0.9 -local log = require "prosody.util.logger".init("net.httpserver"); -local traceback = debug.traceback; - -local _ENV = nil; --- luacheck: std none - -local function fail() - log("error", "Attempt to use legacy HTTP API. For more info see https://prosody.im/doc/developers/legacy_http"); - log("error", "Legacy HTTP API usage, %s", traceback("", 2)); -end - -return { - new = fail; - new_from_config = fail; - set_default_handler = fail; -}; diff --git a/net/server_epoll.lua b/net/server_epoll.lua index b4477375..44ab4f69 100644 --- a/net/server_epoll.lua +++ b/net/server_epoll.lua @@ -657,6 +657,7 @@ interface.send = interface.write; -- Close, possibly after writing is done function interface:close() + local status, err; if self.writebuffer and #self.writebuffer ~= 0 then self._connected = false; self:set(false, true); -- Flush final buffer contents @@ -665,6 +666,24 @@ function interface:close() self.write, self.send = noop, noop; -- No more writing self:debug("Close after writing remaining buffered data"); self.ondrain = interface.close; + elseif self.conn.shutdown and self._tls then + status, err = self.conn:shutdown(); + self.onreadable = interface.close; + self.onwritable = interface.close; + if err == nil then + if status == true then + self._tls = false; + end + return self:close(); + elseif err == "wantread" then + self:set(true, nil); + self:setreadtimeout(); + elseif err == "wantwrite" then + self:set(nil, true); + self:setwritetimeout(); + else + self._tls = false; + end else self:debug("Closing now"); self.write, self.send = noop, noop; @@ -675,6 +694,8 @@ function interface:close() end function interface:destroy() + -- make sure tls sockets aren't put in blocking mode + if self.conn.shutdown and self._tls then self.conn:shutdown(); end self:del(); self:setwritetimeout(false); self:setreadtimeout(false); @@ -786,7 +807,7 @@ function interface:inittls(tls_ctx, now) self:debug("Enabling DANE with %d TLSA records", #self.extra.tlsa); self:noise("DANE hostname is %q", self.servername or self.extra.dane_hostname); for _, tlsa in ipairs(self.extra.tlsa) do - self:noise("TLSA: %q", tlsa); + self:noise("TLSA: %s", tlsa); conn:settlsa(tlsa.use, tlsa.select, tlsa.match, tlsa.data); end end diff --git a/net/unbound.lua b/net/unbound.lua index 176a6156..557a37fc 100644 --- a/net/unbound.lua +++ b/net/unbound.lua @@ -20,7 +20,6 @@ local libunbound = require"lunbound"; local promise = require"prosody.util.promise"; local new_id = require "prosody.util.id".short; -local gettime = require"socket".gettime; local dns_utils = require"prosody.util.dns"; local classes, types, errors = dns_utils.classes, dns_utils.types, dns_utils.errors; local parsers = dns_utils.parsers; @@ -116,21 +115,26 @@ local function prep_answer(a) return setmetatable(a, answer_mt); end +local function measure(_qclass, _qtype) + return measure; +end + local function lookup(callback, qname, qtype, qclass) if not unbound then initialize(); end qtype = qtype and s_upper(qtype) or "A"; qclass = qclass and s_upper(qclass) or "IN"; local ntype, nclass = types[qtype], classes[qclass]; - local startedat = gettime(); + + local m; local ret; local log_query = logger.init("unbound.query"..new_id()); local function callback_wrapper(a, err) - local gotdataat = gettime(); + m(); waiting_queries[ret] = nil; if a then prep_answer(a); - log_query("debug", "Results for %s %s %s: %s (%s, %f sec)", qname, qclass, qtype, a.rcode == 0 and (#a .. " items") or a.status, - a.secure and "Secure" or a.bogus or "Insecure", gotdataat - startedat); -- Insecure as in unsigned + log_query("debug", "Results for %s %s %s: %s (%s)", qname, qclass, qtype, a.rcode == 0 and (#a .. " items") or a.status, + a.secure and "Secure" or a.bogus or "Insecure"); -- Insecure as in unsigned else log_query("error", "Results for %s %s %s: %s", qname, qclass, qtype, tostring(err)); end @@ -138,6 +142,7 @@ local function lookup(callback, qname, qtype, qclass) if not ok then log_query("error", "Error in callback: %s", cerr); end end log_query("debug", "Resolve %s %s %s", qname, qclass, qtype); + m = measure(qclass, qtype); local err; ret, err = unbound:resolve_async(callback_wrapper, qname, ntype, nclass); if ret then @@ -225,6 +230,8 @@ local wrapper = { }; } +_M.instrument = function(measure_) measure = measure_; end; + function _M.resolver() return wrapper; end return _M; diff --git a/plugins/mod_account_activity.lua b/plugins/mod_account_activity.lua new file mode 100644 index 00000000..1b1208e7 --- /dev/null +++ b/plugins/mod_account_activity.lua @@ -0,0 +1,152 @@ +local jid = require "prosody.util.jid"; +local time = os.time; + +local store = module:open_store(nil, "keyval+"); + +module:hook("authentication-success", function(event) + local session = event.session; + if session.username then + store:set_key(session.username, "timestamp", time()); + end +end); + +module:hook("resource-unbind", function(event) + local session = event.session; + if session.username then + store:set_key(session.username, "timestamp", time()); + end +end); + +local user_sessions = prosody.hosts[module.host].sessions; +function get_last_active(username) --luacheck: ignore 131/get_last_active + if user_sessions[username] then + return os.time(), true; -- Currently connected + else + local last_activity = store:get(username); + if not last_activity then return nil; end + return last_activity.timestamp; + end +end + +module:add_item("shell-command", { + section = "user"; + section_desc = "View user activity data"; + name = "activity"; + desc = "View the last recorded user activity for an account"; + args = { { name = "jid"; type = "string" } }; + host_selector = "jid"; + handler = function(self, userjid) --luacheck: ignore 212/self + local username = jid.prepped_split(userjid); + local last_timestamp, is_online = get_last_active(username); + if not last_timestamp then + return true, "No activity"; + end + + return true, ("%s (%s)"):format(os.date("%Y-%m-%d %H:%M:%S", last_timestamp), (is_online and "online" or "offline")); + end; +}); + +module:add_item("shell-command", { + section = "user"; + section_desc = "View user activity data"; + name = "list_inactive"; + desc = "List inactive user accounts"; + args = { + { name = "host"; type = "string" }; + { name = "duration"; type = "string" }; + }; + host_selector = "host"; + handler = function(self, host, duration) --luacheck: ignore 212/self + local um = require "prosody.core.usermanager"; + local duration_sec = require "prosody.util.human.io".parse_duration(duration or ""); + if not duration_sec then + return false, ("Invalid duration %q - try something like \"30d\""):format(duration); + end + + local now = os.time(); + local n_inactive, n_unknown = 0, 0; + + for username in um.users(host) do + local last_active = store:get_key(username, "timestamp"); + if not last_active then + local created_at = um.get_account_info(username, host).created; + if created_at and (now - created_at) > duration_sec then + self.session.print(username, ""); + n_inactive = n_inactive + 1; + elseif not created_at then + n_unknown = n_unknown + 1; + end + elseif (now - last_active) > duration_sec then + self.session.print(username, os.date("%Y-%m-%dT%T", last_active)); + n_inactive = n_inactive + 1; + end + end + + if n_unknown > 0 then + return true, ("%d accounts inactive since %s (%d unknown)"):format(n_inactive, os.date("%Y-%m-%dT%T", now - duration_sec), n_unknown); + end + return true, ("%d accounts inactive since %s"):format(n_inactive, os.date("%Y-%m-%dT%T", now - duration_sec)); + end; +}); + +module:add_item("shell-command", { + section = "migrate"; + section_desc = "Perform data migrations"; + name = "account_activity_lastlog2"; + desc = "Migrate account activity information from mod_lastlog2"; + args = { { name = "host"; type = "string" } }; + host_selector = "host"; + handler = function(self, host) --luacheck: ignore 212/host + local lastlog2 = module:open_store("lastlog2", "keyval+"); + local n_updated, n_errors, n_skipped = 0, 0, 0; + + local async = require "prosody.util.async"; + + local p = require "prosody.util.promise".new(function (resolve) + local async_runner = async.runner(function () + local n = 0; + for username in lastlog2:items() do + n = n + 1; + if n % 100 == 0 then + self.session.print(("Processed %d..."):format(n)); + async.sleep(0); + end + local lastlog2_data = lastlog2:get(username); + if lastlog2_data then + local current_data, err = store:get(username); + if not current_data then + if not err then + current_data = {}; + else + n_errors = n_errors + 1; + end + end + if current_data then + local imported_timestamp = current_data.timestamp; + local latest; + for k, v in pairs(lastlog2_data) do + if k ~= "registered" and (not latest or v.timestamp > latest) then + latest = v.timestamp; + end + end + if latest and (not imported_timestamp or imported_timestamp < latest) then + local ok, err = store:set_key(username, "timestamp", latest); + if ok then + n_updated = n_updated + 1; + else + self.session.print(("WW: Failed to import %q: %s"):format(username, err)); + n_errors = n_errors + 1; + end + else + n_skipped = n_skipped + 1; + end + end + end + end + return resolve(("%d accounts imported, %d errors, %d skipped"):format(n_updated, n_errors, n_skipped)); + end); + async_runner:run(true); + end); + return p; + end; +}); diff --git a/plugins/mod_admin_shell.lua b/plugins/mod_admin_shell.lua index 974ed8d9..28d758d0 100644 --- a/plugins/mod_admin_shell.lua +++ b/plugins/mod_admin_shell.lua @@ -19,6 +19,7 @@ local it = require "prosody.util.iterators"; local server = require "prosody.net.server"; local schema = require "prosody.util.jsonschema"; local st = require "prosody.util.stanza"; +local parse_args = require "prosody.util.argparse".parse; local _G = _G; @@ -91,13 +92,8 @@ end -- Seed with default sections and their description text help_topic "console" "Help regarding the console itself" [[ Hey! Welcome to Prosody's admin console. -First thing, if you're ever wondering how to get out, simply type 'quit'. -Secondly, note that we don't support the full telnet protocol yet (it's coming) -so you may have trouble using the arrow keys, etc. depending on your system. - -For now we offer a couple of handy shortcuts: -!! - Repeat the last command -!old!new! - repeat the last command, but with 'old' replaced by 'new' +If you're ever wondering how to get out, simply type 'quit' (ctrl+d should also +work). For those well-versed in Prosody's internals, or taking instruction from those who are, you can prefix a command with > to escape the console sandbox, and access everything in @@ -141,7 +137,7 @@ Built-in roles are: prosody:registered - Registered user prosody:member - Provisioned user prosody:admin - Host administrator - prosody:operator - Server administrator + prosody:operator - Server administrator Roles can be assigned using the user management commands (see 'help user'). ]]; @@ -255,6 +251,83 @@ function console:new_session(admin_session) return session; end +local function process_cmd_line(session, arg_line) + local chunk = load("return "..arg_line, "=shell", "t", {}); + local ok, args = pcall(chunk); + if not ok then return nil, args; end + + local section_name, command = args[1], args[2]; + + local section_mt = getmetatable(def_env[section_name]); + local section_help = section_mt and section_mt.help; + local command_help = section_help and section_help.commands[command]; + + if not command_help then + if commands[section_name] then + commands[section_name](session, table.concat(args, " ")); + return; + end + if section_help then + return nil, "Command not found or necessary module not loaded. Try 'help "..section_name.." for a list of available commands."; + end + return nil, "Command not found. Is the necessary module loaded?"; + end + + local fmt = { "%s"; ":%s("; ")" }; + + if command_help.flags then + local flags, flags_err, flags_err_extra = parse_args(args, command_help.flags); + if not flags then + if flags_err == "missing-value" then + return nil, "Expected value after "..flags_err_extra; + elseif flags_err == "param-not-found" then + return nil, "Unknown parameter: "..flags_err_extra; + end + return nil, flags_err; + end + + table.remove(flags, 2); + table.remove(flags, 1); + + local n_fixed_args = #command_help.args; + + local arg_str = {}; + for i = 1, n_fixed_args do + if flags[i] ~= nil then + table.insert(arg_str, ("%q"):format(flags[i])); + else + table.insert(arg_str, "nil"); + end + end + + table.insert(arg_str, "flags"); + + for i = n_fixed_args + 1, #flags do + if flags[i] ~= nil then + table.insert(arg_str, ("%q"):format(flags[i])); + else + table.insert(arg_str, "nil"); + end + end + + table.insert(fmt, 3, "%s"); + + return "local flags = ...; return "..string.format(table.concat(fmt), section_name, command, table.concat(arg_str, ", ")), flags; + end + + for i = 3, #args do + if args[i]:sub(1, 1) == ":" then + table.insert(fmt, i, ")%s("); + elseif i > 3 and fmt[i - 1]:match("%%q$") then + table.insert(fmt, i, ", %q"); + else + table.insert(fmt, i, "%q"); + end + end + + return "return "..string.format(table.concat(fmt), table.unpack(args)); +end + local function handle_line(event) local session = event.origin.shell_session; if not session then @@ -269,6 +342,8 @@ local function handle_line(event) local line = event.stanza:get_text(); local useglobalenv; + session.repl = event.stanza.attr.repl ~= "0"; + local result = st.stanza("repl-result"); if line:match("^>") then @@ -295,23 +370,6 @@ local function handle_line(event) session.globalenv = redirect_output(_G, session); end - local chunkname = "=console"; - local env = (useglobalenv and session.globalenv) or session.env or nil - -- luacheck: ignore 311/err - local chunk, err = envload("return "..line, chunkname, env); - if not chunk then - chunk, err = envload(line, chunkname, env); - if not chunk then - err = err:gsub("^%[string .-%]:%d+: ", ""); - err = err:gsub("^:%d+: ", ""); - err = err:gsub("'<eof>'", "the end of the line"); - result.attr.type = "error"; - result:text("Sorry, I couldn't understand that... "..err); - event.origin.send(result); - return; - end - end - local function send_result(taskok, message) if not message then if type(taskok) ~= "string" and useglobalenv then @@ -328,7 +386,45 @@ local function handle_line(event) event.origin.send(result); end - local taskok, message = chunk(); + local taskok, message; + local env = (useglobalenv and session.globalenv) or session.env or nil; + local flags; + + local source; + if line:match("^{") then + -- Input is a serialized array of strings, typically from + -- a command-line invocation of 'prosodyctl shell something' + source, flags = process_cmd_line(session, line); + if not source then + if flags then -- err + send_result(false, flags); + else -- no err, but nothing more to do + -- This happens if it was a "simple" command + event.origin.send(result); + end + return; + end + end + + local chunkname = "=console"; + -- luacheck: ignore 311/err + local chunk, err = envload(source or ("return "..line), chunkname, env); + if not chunk then + if not source then + chunk, err = envload(line, chunkname, env); + end + if not chunk then + err = err:gsub("^%[string .-%]:%d+: ", ""); + err = err:gsub("^:%d+: ", ""); + err = err:gsub("'<eof>'", "the end of the line"); + result.attr.type = "error"; + result:text("Sorry, I couldn't understand that... "..err); + event.origin.send(result); + return; + end + end + + taskok, message = chunk(flags); if promise.is_promise(taskok) then taskok:next(function (resolved_message) @@ -349,7 +445,7 @@ module:hook("admin/repl-input", function (event) return true; end); -local function describe_command(s) +local function describe_command(s, hidden) local section, name, args, desc = s:match("^([%w_]+):([%w_]+)%(([^)]*)%) %- (.+)$"); if not section then error("Failed to parse command description: "..s); @@ -360,9 +456,14 @@ local function describe_command(s) args = array.collect(args:gmatch("[%w_]+")):map(function (arg_name) return { name = arg_name }; end); + hidden = hidden; }; end +local function hidden_command(s) + return describe_command(s, true); +end + -- Console commands -- -- These are simple commands, not valid standalone in Lua @@ -455,10 +556,46 @@ def_env.help = setmetatable({}, { end for command, command_help in it.sorted_pairs(section_help.commands or {}) do - c = c + 1; - local args = command_help.args:pluck("name"):concat(", "); - local desc = command_help.desc or command_help.module and ("Provided by mod_"..command_help.module) or ""; - print(("%s:%s(%s) - %s"):format(section_name, command, args, desc)); + if not command_help.hidden then + c = c + 1; + local desc = command_help.desc or command_help.module and ("Provided by mod_"..command_help.module) or ""; + if self.session.repl then + local args = array.pluck(command_help.args, "name"):concat(", "); + print(("%s:%s(%s) - %s"):format(section_name, command, args, desc)); + else + local args = array.pluck(command_help.args, "name"):concat("> <"); + if args ~= "" then + args = "<"..args..">"; + end + print(("%s %s %s"):format(section_name, command, args)); + print((" %s"):format(desc)); + if command_help.flags then + local flags = command_help.flags; + print(""); + print((" Flags:")); + + if flags.kv_params then + for name in it.sorted_pairs(flags.kv_params) do + print(" --"..name:gsub("_", "-")); + end + end + + if flags.value_params then + for name in it.sorted_pairs(flags.value_params) do + print(" --"..name:gsub("_", "-").." <"..name..">"); + end + end + + if flags.array_params then + for name in it.sorted_pairs(flags.array_params) do + print(" --"..name:gsub("_", "-").." <"..name..">, ..."); + end + end + + end + print(""); + end + end end elseif help_topics[section_name] then local topic = help_topics[section_name]; @@ -1800,9 +1937,8 @@ function def_env.user:password(jid, password) end); end -describe_command [[user:roles(jid, host) - Show current roles for an user]] +describe_command [[user:role(jid, host) - Show primary role for a user]] function def_env.user:role(jid, host) - local print = self.session.print; local username, userhost = jid_split(jid); if host == nil then host = userhost; end if not prosody.hosts[host] then @@ -1814,22 +1950,27 @@ function def_env.user:role(jid, host) local primary_role = um.get_user_role(username, host); local secondary_roles = um.get_user_secondary_roles(username, host); + local primary_role_desc = primary_role and primary_role.name or "<none>"; + print(primary_role and primary_role.name or "<none>"); - local count = primary_role and 1 or 0; + local n_secondary = 0; for role_name in pairs(secondary_roles or {}) do - count = count + 1; + n_secondary = n_secondary + 1; print(role_name.." (secondary)"); end - return true, count == 1 and "1 role" or count.." roles"; + if n_secondary > 0 then + return true, primary_role_desc.." (primary)"; + end + return true, primary_role_desc; end def_env.user.roles = def_env.user.role; -describe_command [[user:setrole(jid, host, role) - Set primary role of a user (see 'help roles')]] --- user:setrole("someone@example.com", "example.com", "prosody:admin") --- user:setrole("someone@example.com", "prosody:admin") -function def_env.user:setrole(jid, host, new_role) +describe_command [[user:set_role(jid, host, role) - Set primary role of a user (see 'help roles')]] +-- user:set_role("someone@example.com", "example.com", "prosody:admin") +-- user:set_role("someone@example.com", "prosody:admin") +function def_env.user:set_role(jid, host, new_role) local username, userhost = jid_split(jid); if new_role == nil then host, new_role = userhost, host; end if not prosody.hosts[host] then @@ -1844,7 +1985,7 @@ function def_env.user:setrole(jid, host, new_role) end end -describe_command [[user:addrole(jid, host, role) - Add a secondary role to a user]] +hidden_command [[user:addrole(jid, host, role) - Add a secondary role to a user]] function def_env.user:addrole(jid, host, new_role) local username, userhost = jid_split(jid); if new_role == nil then host, new_role = userhost, host; end @@ -1855,10 +1996,14 @@ function def_env.user:addrole(jid, host, new_role) elseif userhost ~= host then return nil, "Can't add roles outside users own host" end - return um.add_user_secondary_role(username, host, new_role); + local role, err = um.add_user_secondary_role(username, host, new_role); + if not role then + return nil, err; + end + return true, "Role added"; end -describe_command [[user:delrole(jid, host, role) - Remove a secondary role from a user]] +hidden_command [[user:delrole(jid, host, role) - Remove a secondary role from a user]] function def_env.user:delrole(jid, host, role_name) local username, userhost = jid_split(jid); if role_name == nil then host, role_name = userhost, host; end @@ -1869,7 +2014,11 @@ function def_env.user:delrole(jid, host, role_name) elseif userhost ~= host then return nil, "Can't remove roles outside users own host" end - return um.remove_user_secondary_role(username, host, role_name); + local ok, err = um.remove_user_secondary_role(username, host, role_name); + if not ok then + return nil, err; + end + return true, "Role removed"; end describe_command [[user:list(hostname, pattern) - List users on the specified host, optionally filtering with a pattern]] @@ -2622,10 +2771,20 @@ local function new_item_handlers(command_host) section_mt.help = section_help; end + if command.flags then + if command.flags.stop_on_positional == nil then + command.flags.stop_on_positional = false; + end + if command.flags.strict == nil then + command.flags.strict = true; + end + end + section_help.commands[command.name] = { desc = command.desc; full = command.help; args = array(command.args); + flags = command.flags; module = command._provided_by; }; diff --git a/plugins/mod_authz_internal.lua b/plugins/mod_authz_internal.lua index 7a06c904..f683d90c 100644 --- a/plugins/mod_authz_internal.lua +++ b/plugins/mod_authz_internal.lua @@ -161,7 +161,7 @@ end function set_user_role(user, role_name) local role = role_registry[role_name]; if not role then - return error("Cannot assign default user an unknown role: "..tostring(role_name)); + return error("Cannot assign user an unknown role: "..tostring(role_name)); end local keys_update = { _default = role_name; @@ -180,14 +180,19 @@ function set_user_role(user, role_name) end function add_user_secondary_role(user, role_name) - if not role_registry[role_name] then - return error("Cannot assign default user an unknown role: "..tostring(role_name)); + local role = role_registry[role_name]; + if not role then + return error("Cannot assign user an unknown role: "..tostring(role_name)); end - role_map_store:set(user, role_name, true); + local ok, err = role_map_store:set(user, role_name, true); + if not ok then + return nil, err; + end + return role; end function remove_user_secondary_role(user, role_name) - role_map_store:set(user, role_name, nil); + return role_map_store:set(user, role_name, nil); end function get_user_secondary_roles(user) diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua index 091a7d81..2d1b1922 100644 --- a/plugins/mod_bosh.lua +++ b/plugins/mod_bosh.lua @@ -557,6 +557,10 @@ function module.add_host(module) ["POST /"] = handle_POST; }; }); + + if module.host ~= "*" then + module:depends("http_altconnect", true); + end end if require"prosody.core.modulemanager".get_modules_for_host("*"):contains(module.name) then diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua index e29ea6a0..c1fbdb9e 100644 --- a/plugins/mod_c2s.lua +++ b/plugins/mod_c2s.lua @@ -252,12 +252,16 @@ local function session_close(session, reason) if not session.destroyed then session.log("warn", "Failed to receive a stream close response, closing connection anyway..."); sm_destroy_session(session, reason_text); - if conn then conn:close(); end + if conn then + conn:close(); + end end end); else sm_destroy_session(session, reason_text); - if conn then conn:close(); end + if conn then + conn:close(); + end end else local reason_text = (reason and (reason.name or reason.text or reason.condition)) or reason; @@ -273,6 +277,7 @@ local function disconnect_user_sessions(reason, leave_resource) if not (hosts[host] and hosts[host].type == "local") then return -- not a local VirtualHost so no sessions end + module:log("debug", "Disconnecting %s sessions of %s@%s (%s)", not leave_resource and "all" or "other", username, host, reason.text); local user = hosts[host].sessions[username]; if user and user.sessions then for r, session in pairs(user.sessions) do diff --git a/plugins/mod_cloud_notify.lua b/plugins/mod_cloud_notify.lua index 987be84f..1c660e93 100644 --- a/plugins/mod_cloud_notify.lua +++ b/plugins/mod_cloud_notify.lua @@ -5,13 +5,13 @@ -- This file is MIT/X11 licensed. local os_time = os.time; -local st = require"util.stanza"; -local jid = require"util.jid"; -local dataform = require"util.dataforms".new; -local hashes = require"util.hashes"; -local random = require"util.random"; -local cache = require"util.cache"; -local watchdog = require "util.watchdog"; +local st = require"prosody.util.stanza"; +local jid = require"prosody.util.jid"; +local dataform = require"prosody.util.dataforms".new; +local hashes = require"prosody.util.hashes"; +local random = require"prosody.util.random"; +local cache = require"prosody.util.cache"; +local watchdog = require "prosody.util.watchdog"; local xmlns_push = "urn:xmpp:push:0"; diff --git a/plugins/mod_component.lua b/plugins/mod_component.lua index 86ceb980..51c73235 100644 --- a/plugins/mod_component.lua +++ b/plugins/mod_component.lua @@ -239,7 +239,9 @@ function stream_callbacks.handlestanza(session, stanza) end if not stanza.attr.to then session.log("warn", "Rejecting stanza with no 'to' address"); - session.send(st.error_reply(stanza, "modify", "bad-request", "Components MUST specify a 'to' address on stanzas")); + if stanza.attr.type ~= "error" and stanza.attr.type ~= "result" then + session.send(st.error_reply(stanza, "modify", "bad-request", "Components MUST specify a 'to' address on stanzas")); + end return; end end diff --git a/plugins/mod_cron.lua b/plugins/mod_cron.lua index 67b68514..77bdd7e5 100644 --- a/plugins/mod_cron.lua +++ b/plugins/mod_cron.lua @@ -78,7 +78,7 @@ module:add_item("shell-command", { args = {}; handler = function(self, filter_host) local format_table = require("prosody.util.human.io").table; - local it = require("util.iterators"); + local it = require("prosody.util.iterators"); local row = format_table({ { title = "Host"; width = "2p" }; { title = "Task"; width = "3p" }; diff --git a/plugins/mod_external_services.lua b/plugins/mod_external_services.lua index ade1e327..a2cd232c 100644 --- a/plugins/mod_external_services.lua +++ b/plugins/mod_external_services.lua @@ -35,6 +35,7 @@ end local algorithms = { turn = behave_turn_rest_credentials; + turns = behave_turn_rest_credentials; } -- filter config into well-defined service records diff --git a/plugins/mod_http_altconnect.lua b/plugins/mod_http_altconnect.lua new file mode 100644 index 00000000..9252433e --- /dev/null +++ b/plugins/mod_http_altconnect.lua @@ -0,0 +1,52 @@ +-- mod_http_altconnect +-- XEP-0156: Discovering Alternative XMPP Connection Methods + +module:depends"http"; + +local mm = require "prosody.core.modulemanager"; +local json = require"prosody.util.json"; +local st = require"prosody.util.stanza"; +local array = require"prosody.util.array"; + +local advertise_bosh = module:get_option_boolean("advertise_bosh", true); +local advertise_websocket = module:get_option_boolean("advertise_websocket", true); + +local function get_supported() + local uris = array(); + if advertise_bosh and (mm.is_loaded(module.host, "bosh") or mm.is_loaded("*", "bosh")) then + uris:push({ rel = "urn:xmpp:alt-connections:xbosh", href = module:http_url("bosh", "/http-bind") }); + end + if advertise_websocket and (mm.is_loaded(module.host, "websocket") or mm.is_loaded("*", "websocket")) then + uris:push({ rel = "urn:xmpp:alt-connections:websocket", href = module:http_url("websocket", "xmpp-websocket"):gsub("^http", "ws") }); + end + return uris; +end + + +local function GET_xml(event) + local response = event.response; + local xrd = st.stanza("XRD", { xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0' }); + local uris = get_supported(); + for _, method in ipairs(uris) do + xrd:tag("Link", method):up(); + end + response.headers.content_type = "application/xrd+xml" + response.headers.access_control_allow_origin = "*"; + return '<?xml version="1.0" encoding="UTF-8"?>' .. tostring(xrd); +end + +local function GET_json(event) + local response = event.response; + local jrd = { links = get_supported() }; + response.headers.content_type = "application/json" + response.headers.access_control_allow_origin = "*"; + return json.encode(jrd); +end; + +module:provides("http", { + default_path = "/.well-known"; + route = { + ["GET /host-meta"] = GET_xml; + ["GET /host-meta.json"] = GET_json; + }; +}); diff --git a/plugins/mod_http_file_share.lua b/plugins/mod_http_file_share.lua index 48972067..705420d0 100644 --- a/plugins/mod_http_file_share.lua +++ b/plugins/mod_http_file_share.lua @@ -224,6 +224,7 @@ function handle_slot_request(event) end total_storage_usage = total_storage_usage + filesize; + persist_stats:set(nil, "total", total_storage_usage); module:log("debug", "Total storage usage: %s / %s", B(total_storage_usage), B(total_storage_limit)); local cached_quota = quota_cache:get(uploader); diff --git a/plugins/mod_invites.lua b/plugins/mod_invites.lua index 1dfc8804..c6a66a8f 100644 --- a/plugins/mod_invites.lua +++ b/plugins/mod_invites.lua @@ -6,8 +6,8 @@ local jid_split = require "prosody.util.jid".split; local argparse = require "prosody.util.argparse"; local human_io = require "prosody.util.human.io"; -local url_escape = require "util.http".urlencode; -local render_url = require "util.interpolation".new("%b{}", url_escape, { +local url_escape = require "prosody.util.http".urlencode; +local render_url = require "prosody.util.interpolation".new("%b{}", url_escape, { urlescape = url_escape; noscheme = function (urlstring) return (urlstring:gsub("^[^:]+:", "")); @@ -239,19 +239,76 @@ end module:hook("invite-created", add_landing_url, -1); --- shell command +-- COMPAT: Dynamic groups are work in progress as of 13.0, so we'll use the +-- presence of mod_invites_groups (a community module) to determine whether to +-- expose our support for invites to groups. +local have_group_invites = module:get_option_inherited_set("modules_enabled"):contains("invites_groups"); + module:add_item("shell-command", { section = "invite"; section_desc = "Create and manage invitations"; name = "create_account"; desc = "Create an invitation to make an account on this server with the specified JID (supply only a hostname to allow any username)"; + args = { + { name = "user_jid", type = "string" }; + }; + host_selector = "user_jid"; + flags = { + array_params = { role = true, group = have_group_invites }; + value_params = { expires_after = true }; + }; + + handler = function (self, user_jid, opts) --luacheck: ignore 212/self + local username = jid_split(user_jid); + local roles = opts and opts.role or {}; + local groups = opts and opts.group or {}; + + if opts and opts.admin then + -- Insert it first since we don't get order out of argparse + table.insert(roles, 1, "prosody:admin"); + end + + local ttl; + if opts and opts.expires_after then + ttl = human_io.parse_duration(opts.expires_after); + if not ttl then + return false, "Unable to parse duration: "..opts.expires_after; + end + end + + local invite = assert(create_account(username, { + roles = roles; + groups = groups; + }, ttl)); + + return true, invite.landing_page or invite.uri; + end; +}); + +module:add_item("shell-command", { + section = "invite"; + section_desc = "Create and manage invitations"; + name = "create_reset"; + desc = "Create a password reset link for the specified user"; args = { { name = "user_jid", type = "string" } }; host_selector = "user_jid"; + flags = { + value_params = { expires_after = true }; + }; - handler = function (self, user_jid) --luacheck: ignore 212/self + handler = function (self, user_jid, opts) --luacheck: ignore 212/self local username = jid_split(user_jid); - local invite, err = create_account(username); + if not username then + return nil, "Supply the JID of the account you want to generate a password reset for"; + end + local duration_sec = require "prosody.util.human.io".parse_duration(opts and opts.expires_after or "1d"); + if not duration_sec then + return nil, "Unable to parse duration: "..opts.expires_after; + end + local invite, err = create_account_reset(username, duration_sec); if not invite then return nil, err; end - return true, invite.landing_page or invite.uri; + self.session.print(invite.landing_page or invite.uri); + return true, ("Password reset link for %s valid until %s"):format(user_jid, os.date("%Y-%m-%d %T", invite.expires)); end; }); @@ -260,126 +317,185 @@ module:add_item("shell-command", { section_desc = "Create and manage invitations"; name = "create_contact"; desc = "Create an invitation to become contacts with the specified user"; - args = { { name = "user_jid", type = "string" }, { name = "allow_registration" } }; + args = { { name = "user_jid", type = "string" } }; host_selector = "user_jid"; + flags = { + value_params = { expires_after = true }; + kv_params = { allow_registration = true }; + }; - handler = function (self, user_jid, allow_registration) --luacheck: ignore 212/self + handler = function (self, user_jid, opts) --luacheck: ignore 212/self local username = jid_split(user_jid); - local invite, err = create_contact(username, allow_registration); + if not username then + return nil, "Supply the JID of the account you want the recipient to become a contact of"; + end + local ttl; + if opts and opts.expires_after then + ttl = require "prosody.util.human.io".parse_duration(opts.expires_after); + if not ttl then + return nil, "Unable to parse duration: "..opts.expires_after; + end + end + local invite, err = create_contact(username, opts and opts.allow_registration, nil, ttl); if not invite then return nil, err; end return true, invite.landing_page or invite.uri; end; }); -local subcommands = {}; - ---- prosodyctl command -function module.command(arg) - local opts = argparse.parse(arg, { short_params = { h = "help"; ["?"] = "help" } }); - local cmd = table.remove(arg, 1); -- pop command - if opts.help or not cmd or not subcommands[cmd] then - print("usage: prosodyctl mod_"..module.name.." generate example.com"); - return 2; - end - return subcommands[cmd](arg); -end - -function subcommands.generate(arg) - local function help(short) - print("usage: prosodyctl mod_" .. module.name .. " generate DOMAIN --reset USERNAME") - print("usage: prosodyctl mod_" .. module.name .. " generate DOMAIN [--admin] [--role ROLE] [--group GROUPID]...") - if short then return 2 end - print() - print("This command has two modes: password reset and new account.") - print("If --reset is given, the command operates in password reset mode and in new account mode otherwise.") - print() - print("required arguments in password reset mode:") - print() - print(" --reset USERNAME Generate a password reset link for the given USERNAME.") - print() - print("optional arguments in new account mode:") - print() - print(" --admin Make the new user privileged") - print(" Equivalent to --role prosody:admin") - print(" --role ROLE Grant the given ROLE to the new user") - print(" --group GROUPID Add the user to the group with the given ID") - print(" Can be specified multiple times") - print(" --expires-after T Time until the invite expires (e.g. '1 week')") - print() - print("--group can be specified multiple times; the user will be added to all groups.") - print() - print("--reset and the other options cannot be mixed.") - return 2 - end +module:add_item("shell-command", { + section = "invite"; + section_desc = "Create and manage invitations"; + name = "show"; + desc = "Show details of an account invitation token"; + args = { { name = "host", type = "string" }, { name = "token", type = "string" } }; + host_selector = "host"; - local earlyopts = argparse.parse(arg, { short_params = { h = "help"; ["?"] = "help" } }); - if earlyopts.help or not earlyopts[1] then - return help(); - end + handler = function (self, host, token) --luacheck: ignore 212/self 212/host + local invite, err = get_account_invite_info(token); + if not invite then return nil, err; end - local sm = require "prosody.core.storagemanager"; - local mm = require "prosody.core.modulemanager"; + local print = self.session.print; + + if invite.type == "roster" then + print("Invitation to register and become a contact of "..invite.jid); + elseif invite.type == "register" then + local jid_user, jid_host = jid_split(invite.jid); + if invite.additional_data and invite.additional_data.allow_reset then + print("Password reset for "..invite.additional_data.allow_reset.."@"..jid_host); + elseif jid_user then + print("Invitation to register on "..jid_host.." with username '"..jid_user.."'"); + else + print("Invitation to register on "..jid_host); + end + else + print("Unknown invitation type"); + end - local host = table.remove(arg, 1); -- pop host - if not host then return help(true) end - sm.initialize_host(host); - module.host = host; --luacheck: ignore 122/module - token_storage = module:open_store("invite_token", "map"); + if invite.inviter then + print("Creator:", invite.inviter); + end - local opts = argparse.parse(arg, { - short_params = { h = "help"; ["?"] = "help"; g = "group" }; - value_params = { group = true; reset = true; role = true }; - array_params = { group = true; role = true }; - }); + print("Created:", os.date("%Y-%m-%d %T", invite.created_at)); + print("Expires:", os.date("%Y-%m-%d %T", invite.expires)); - if opts.help then - return help(); - end + print(""); - -- Load mod_invites - local invites = module:depends("invites"); - -- Optional community module that if used, needs to be loaded here - local invites_page_module = module:get_option_string("invites_page_module", "invites_page"); - if mm.get_modules_for_host(host):contains(invites_page_module) then - module:depends(invites_page_module); - end + if invite.uri then + print("XMPP URI:", invite.uri); + end - local allow_reset; + if invite.landing_page then + print("Web link:", invite.landing_page); + end - if opts.reset then - local nodeprep = require "prosody.util.encodings".stringprep.nodeprep; - local username = nodeprep(opts.reset) - if not username then - print("Please supply a valid username to generate a reset link for"); - return 2; + if invite.additional_data then + print(""); + if invite.additional_data.roles then + if invite.additional_data.roles[1] then + print("Role:", invite.additional_data.roles[1]); + end + if invite.additional_data.roles[2] then + print("Secondary roles:", table.concat(invite.additional_data.roles, ", ", 2, #invite.additional_data.roles)); + end + end + if invite.additional_data.groups then + print("Groups:", table.concat(invite.additional_data.groups, ", ")); + end + if invite.additional_data.note then + print("Comment:", invite.additional_data.note); + end end - allow_reset = username; - end - local roles = opts.role or {}; - local groups = opts.groups or {}; + return true, "Invitation valid"; + end; +}); - if opts.admin then - -- Insert it first since we don't get order out of argparse - table.insert(roles, 1, "prosody:admin"); - end +module:add_item("shell-command", { + section = "invite"; + section_desc = "Create and manage invitations"; + name = "delete"; + desc = "Delete/revoke an invitation token"; + args = { { name = "host", type = "string" }, { name = "token", type = "string" } }; + host_selector = "host"; - local invite; - if allow_reset then - if roles[1] then - print("--role/--admin and --reset are mutually exclusive") - return 2; - end - if #groups > 0 then - print("--group and --reset are mutually exclusive") + handler = function (self, host, token) --luacheck: ignore 212/self 212/host + local invite, err = delete_account_invite(token); + if not invite then return nil, err; end + return true, "Invitation deleted"; + end; +}); + +module:add_item("shell-command", { + section = "invite"; + section_desc = "Create and manage invitations"; + name = "list"; + desc = "List pending invitations which allow account registration"; + args = { { name = "host", type = "string" } }; + host_selector = "host"; + + handler = function (self, host) -- luacheck: ignore 212/host + local print_row = human_io.table({ + { + title = "Token"; + key = "invite"; + width = 24; + mapper = function (invite) + return invite.token; + end; + }; + { + title = "Expires"; + key = "invite"; + width = 20; + mapper = function (invite) + return os.date("%Y-%m-%dT%T", invite.expires); + end; + }; + { + title = "Description"; + key = "invite"; + width = "100%"; + mapper = function (invite) + if invite.type == "roster" then + return "Contact with "..invite.jid; + elseif invite.type == "register" then + local jid_user, jid_host = jid_split(invite.jid); + if invite.additional_data and invite.additional_data.allow_reset then + return "Password reset for "..invite.additional_data.allow_reset.."@"..jid_host; + end + if jid_user then + return "Register on "..jid_host.." with username "..jid_user; + end + return "Register on "..jid_host; + end + end; + }; + }, self.session.width); + + self.session.print(print_row()); + local count = 0; + for _, invite in pending_account_invites() do + count = count + 1; + self.session.print(print_row({ invite = invite })); end - invite = assert(invites.create_account_reset(allow_reset)); - else - invite = assert(invites.create_account(nil, { - roles = roles, - groups = groups - }, opts.expires_after and human_io.parse_duration(opts.expires_after))); + return true, ("%d pending invites"):format(count); + end; +}); + +local subcommands = {}; + +--- prosodyctl command +function module.command(arg) + local opts = argparse.parse(arg, { short_params = { h = "help"; ["?"] = "help" } }); + local cmd = table.remove(arg, 1); -- pop command + if opts.help or not cmd or not subcommands[cmd] then + print("usage: prosodyctl mod_"..module.name.." generate example.com"); + return 2; end + return subcommands[cmd](arg); +end - print(invite.landing_page or invite.uri); +function subcommands.generate() + print("This command is deprecated. Please see 'prosodyctl shell help invite' for available commands."); + return 1; end diff --git a/plugins/mod_presence.lua b/plugins/mod_presence.lua index f939fa00..c3d6bc04 100644 --- a/plugins/mod_presence.lua +++ b/plugins/mod_presence.lua @@ -54,11 +54,12 @@ function handle_normal_presence(origin, stanza) if priority < -128 then priority = -128 end if priority > 127 then priority = 127 end else priority = 0; end + + local node, host = origin.username, origin.host; + local roster = origin.roster; if full_sessions[origin.full_jid] then -- if user is still connected origin.send(stanza); -- reflect their presence back to them end - local roster = origin.roster; - local node, host = origin.username, origin.host; local user = bare_sessions[node.."@"..host]; for _, res in pairs(user and user.sessions or NULL) do -- broadcast to all resources if res ~= origin and res.presence then -- to resource @@ -72,6 +73,13 @@ function handle_normal_presence(origin, stanza) core_post_stanza(origin, stanza, true); end end + + -- It's possible that after the network activity above, the origin + -- has been disconnected (particularly if something happened while + -- sending the reflection). So we abort further presence processing + -- in that case. + if not origin.type then return; end + stanza.attr.to = nil; if stanza.attr.type == nil and not origin.presence then -- initial presence module:fire_event("presence/initial", { origin = origin, stanza = stanza } ); diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua index 8eb1565e..84ae34b5 100644 --- a/plugins/mod_s2s.lua +++ b/plugins/mod_s2s.lua @@ -1097,6 +1097,10 @@ module:provides("net", { -- FIXME This only applies to Direct TLS, which we don't use yet. -- This gets applied for real in mod_tls verify = { "peer", "client_once", }; + verifyext = { + "lsec_continue", -- Continue past certificate verification errors + "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates + }; }; multiplex = { protocol = "xmpp-server"; @@ -1111,6 +1115,10 @@ module:provides("net", { encryption = "ssl"; ssl_config = { verify = { "peer", "client_once", }; + verifyext = { + "lsec_continue", -- Continue past certificate verification errors + "lsec_ignore_purpose", -- Validate client certificates as if they were server certificates + }; }; multiplex = { protocol = "xmpp-server"; diff --git a/plugins/mod_storage_internal.lua b/plugins/mod_storage_internal.lua index a43dd272..1332ae75 100644 --- a/plugins/mod_storage_internal.lua +++ b/plugins/mod_storage_internal.lua @@ -4,7 +4,7 @@ local array = require "prosody.util.array"; local datetime = require "prosody.util.datetime"; local st = require "prosody.util.stanza"; local now = require "prosody.util.time".now; -local id = require "prosody.util.id".medium; +local uuid_v7 = require "prosody.util.uuid".v7; local jid_join = require "prosody.util.jid".join; local set = require "prosody.util.set"; local it = require "prosody.util.iterators"; @@ -111,7 +111,7 @@ function archive:append(username, key, value, when, with) module:log("debug", "%s reached or over quota, not adding to store", username); return nil, "quota-limit"; end - key = id(); + key = uuid_v7(); end module:log("debug", "%s has %d items out of %d limit in store %s", username, item_count, archive_item_limit, self.store); diff --git a/plugins/mod_storage_sql.lua b/plugins/mod_storage_sql.lua index fa0588b2..ff44adba 100644 --- a/plugins/mod_storage_sql.lua +++ b/plugins/mod_storage_sql.lua @@ -42,7 +42,7 @@ end local function has_upsert(engine) if engine.params.driver == "SQLite3" then -- SQLite3 >= 3.24.0 - return (engine.sqlite_version[2] or 0) >= 24; + return engine.sqlite_version and (engine.sqlite_version[2] or 0) >= 24; elseif engine.params.driver == "PostgreSQL" then -- PostgreSQL >= 9.5 -- Versions without support have long since reached end of life. diff --git a/plugins/mod_vcard.lua b/plugins/mod_vcard.lua index ea6839bb..dfd43363 100644 --- a/plugins/mod_vcard.lua +++ b/plugins/mod_vcard.lua @@ -6,13 +6,24 @@ -- COPYING file in the source package for more information. -- +local base64 = require "prosody.util.encodings".base64; +local jid = require "prosody.util.jid"; +local sha1 = require "prosody.util.hashes".sha1; local st = require "prosody.util.stanza" local jid_split = require "prosody.util.jid".split; -local vcards = module:open_store(); +local store_name = module:get_option_string("vcard_store_name"); + +local is_component = module:get_host_type() == "component"; +if is_component and not store_name and module:get_option_string("component_module") == "muc" then + store_name = "vcard_muc"; +end + +local vcards = module:open_store(store_name); module:add_feature("vcard-temp"); + local function handle_vcard(event) local session, stanza = event.origin, event.stanza; local to = stanza.attr.to; @@ -21,7 +32,7 @@ local function handle_vcard(event) if to then local node = jid_split(to); vCard = st.deserialize(vcards:get(node)); -- load vCard for user or server - else + elseif not is_component then vCard = st.deserialize(vcards:get(session.username));-- load user's own vCard end if vCard then @@ -30,9 +41,11 @@ local function handle_vcard(event) session.send(st.error_reply(stanza, "cancel", "item-not-found")); end else -- stanza.attr.type == "set" - if not to then - if vcards:set(session.username, st.preserialize(stanza.tags[1])) then + if not to or (is_component and event.allow_vcard_modification) then + local node = is_component and jid.node(stanza.attr.to) or session.username; + if vcards:set(node, st.preserialize(stanza.tags[1])) then session.send(st.reply(stanza)); + module:fire_event("vcard-updated", event); else -- TODO unable to write file, file may be locked, etc, what's the correct error? session.send(st.error_reply(stanza, "wait", "internal-server-error")); @@ -46,3 +59,14 @@ end module:hook("iq/bare/vcard-temp:vCard", handle_vcard); module:hook("iq/host/vcard-temp:vCard", handle_vcard); + +function get_avatar_hash(username) + local vcard = st.deserialize(vcards:get(username)); + if not vcard then return end + local photo = vcard:get_child("PHOTO"); + if not photo then return end + + local photo_b64 = photo:get_child_text("BINVAL"); + local photo_raw = photo_b64 and base64.decode(photo_b64); + return (sha1(photo_raw, true)); +end diff --git a/plugins/mod_websocket.lua b/plugins/mod_websocket.lua index 7120f3cc..17a91076 100644 --- a/plugins/mod_websocket.lua +++ b/plugins/mod_websocket.lua @@ -87,6 +87,7 @@ local function session_close(session, reason) end end end + stream_error = tostring(stream_error); log("debug", "Disconnecting client, <stream:error> is: %s", stream_error); session.send(stream_error); end @@ -94,28 +95,33 @@ local function session_close(session, reason) session.send(st.stanza("close", { xmlns = xmlns_framing })); function session.send() return false; end - -- luacheck: ignore 422/reason - -- FIXME reason should be handled in common place - local reason = (reason and (reason.name or reason.text or reason.condition)) or reason; - session.log("debug", "c2s stream for %s closed: %s", session.full_jid or ("<"..session.ip..">"), reason or "session closed"); + local reason_text = (reason and (reason.name or reason.text or reason.condition)) or reason; + session.log("debug", "c2s stream for %s closed: %s", session.full_jid or session.ip or "<unknown>", reason_text or "session closed"); -- Authenticated incoming stream may still be sending us stanzas, so wait for </stream:stream> from remote local conn = session.conn; - if reason == nil and not session.notopen and session.type == "c2s" then + if reason_text == nil and not session.notopen and session.type == "c2s" then -- Grace time to process data from authenticated cleanly-closed stream add_task(stream_close_timeout, function () if not session.destroyed then session.log("warn", "Failed to receive a stream close response, closing connection anyway..."); - sm_destroy_session(session, reason); - conn:write(build_close(1000, "Stream closed")); - conn:close(); + sm_destroy_session(session, reason_text); + if conn then + conn:write(build_close(1000, "Stream closed")); + conn:close(); + end end end); else - sm_destroy_session(session, reason); - conn:write(build_close(1000, "Stream closed")); - conn:close(); + sm_destroy_session(session, reason_text); + if conn then + conn:write(build_close(1000, "Stream closed")); + conn:close(); + end end + else + local reason_text = (reason and (reason.name or reason.text or reason.condition)) or reason; + sm_destroy_session(session, reason_text); end end @@ -367,6 +373,10 @@ function module.add_host(module) }; }); + if module.host ~= "*" then + module:depends("http_altconnect", true); + end + module:hook("c2s-read-timeout", keepalive, -0.9); end diff --git a/plugins/muc/hats.lib.lua b/plugins/muc/hats.lib.lua index 7eb71eb4..7ccf194e 100644 --- a/plugins/muc/hats.lib.lua +++ b/plugins/muc/hats.lib.lua @@ -1,7 +1,7 @@ local st = require "prosody.util.stanza"; local muc_util = module:require "muc/util"; -local hats_compat = module:get_option_boolean("muc_hats_compat", true); -- COMPAT for pre-XEP namespace, TODO reconsider default for next release +local hats_compat = module:get_option_boolean("muc_hats_compat", false); -- COMPAT for pre-XEP namespace local xmlns_hats_legacy = "xmpp:prosody.im/protocol/hats:1"; local xmlns_hats = "urn:xmpp:hats:0"; diff --git a/plugins/muc/mod_muc.lua b/plugins/muc/mod_muc.lua index 1dc99f07..2ce6e19a 100644 --- a/plugins/muc/mod_muc.lua +++ b/plugins/muc/mod_muc.lua @@ -116,6 +116,10 @@ module:depends "muc_unique" module:require "muc/hats"; module:require "muc/lock"; +if module:get_option_boolean("muc_vcard", true) ~= false then + module:require "muc/vcard"; +end + module:default_permissions("prosody:admin", { ":automatic-ownership"; ":create-room"; diff --git a/plugins/muc/vcard.lib.lua b/plugins/muc/vcard.lib.lua new file mode 100644 index 00000000..f9f97721 --- /dev/null +++ b/plugins/muc/vcard.lib.lua @@ -0,0 +1,82 @@ +local mod_vcard = module:depends("vcard"); + +local jid = require "prosody.util.jid"; +local st = require "prosody.util.stanza"; + +-- This must be the same event that mod_vcard hooks +local vcard_event = "iq/bare/vcard-temp:vCard"; +local advertise_hashes = module:get_option("muc_avatar_advertise_hashes"); + +--luacheck: ignore 113/get_room_from_jid + +local function get_avatar_hash(room) + if room.avatar_hash then return room.avatar_hash; end + + local room_node = jid.split(room.jid); + local hash = mod_vcard.get_avatar_hash(room_node); + room.avatar_hash = hash; + + return hash; +end + +local function send_avatar_hash(room, to) + local hash = get_avatar_hash(room); + if not hash and to then return; end -- Don't announce when no avatar + + local presence_vcard = st.presence({to = to, from = room.jid}) + :tag("x", { xmlns = "vcard-temp:x:update" }) + :tag("photo"):text(hash):up(); + + if to == nil then + if not advertise_hashes or advertise_hashes == "presence" then + room:broadcast_message(presence_vcard); + end + if not advertise_hashes or advertise_hashes == "message" then + room:broadcast_message(st.message({ from = room.jid, type = "groupchat" }) + :tag("x", { xmlns = "http://jabber.org/protocol/muc#user" }) + :tag("status", { code = "104" })); + end + + else + module:send(presence_vcard); + end +end + +module:hook(vcard_event, function (event) + local stanza = event.stanza; + local to = stanza.attr.to; + + if stanza.attr.type ~= "set" then + return; + end + + local room = get_room_from_jid(to); + if not room then + return; + end + + local sender_affiliation = room:get_affiliation(stanza.attr.from); + if sender_affiliation == "owner" then + event.allow_vcard_modification = true; + end +end, 10); + +if advertise_hashes ~= "none" then + module:hook("muc-occupant-joined", function (event) + send_avatar_hash(event.room, event.stanza.attr.from); + end); + module:hook("vcard-updated", function (event) + local room = get_room_from_jid(event.stanza.attr.to); + send_avatar_hash(room, nil); + end); +end + +module:hook("muc-disco#info", function (event) + event.reply:tag("feature", { var = "vcard-temp" }):up(); + + table.insert(event.form, { + name = "muc#roominfo_avatarhash", + type = "text-multi", + }); + event.formdata["muc#roominfo_avatarhash"] = get_avatar_hash(event.room); +end); diff --git a/prosody.cfg.lua.dist b/prosody.cfg.lua.dist index 267a650c..65eedc7d 100644 --- a/prosody.cfg.lua.dist +++ b/prosody.cfg.lua.dist @@ -9,6 +9,8 @@ -- If there are any errors, it will let you know what and where -- they are, otherwise it will keep quiet. -- +-- Upgrading from a previous release? Check https://prosody.im/doc/upgrading +-- -- The only thing left to do is rename this file to remove the .dist ending, and fill in the -- blanks. Good luck, and happy Jabbering! @@ -51,6 +53,8 @@ modules_enabled = { "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard -- Nice to have + "account_activity"; -- Record time when an account was last used + "cloud_notify"; -- Push notifications for mobile devices "csi_simple"; -- Simple but effective traffic optimizations for mobile devices "invites"; -- Create and manage invites "invites_adhoc"; -- Allow admins/users to create invitations via their client @@ -75,7 +79,6 @@ modules_enabled = { -- Other specific functionality --"announce"; -- Send announcement to all online users --"groups"; -- Shared roster support - --"legacyauth"; -- Legacy authentication. Only used by some old clients and bots. --"mimicking"; -- Prevent address spoofing --"motd"; -- Send a message to users when they log in --"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use @@ -92,7 +95,6 @@ modules_disabled = { -- "offline"; -- Store offline messages -- "c2s"; -- Handle client connections -- "s2s"; -- Handle server-to-server connections - -- "posix"; -- POSIX functionality, sends server to background, etc. } @@ -182,15 +182,29 @@ end local function service_command_warning(service_command) if prosody.installed and configmanager.get("*", "prosodyctl_service_warnings") ~= false then - show_warning("WARNING: Use of prosodyctl start/stop/restart/reload is not recommended"); - show_warning(" if Prosody is managed by an init system - use that directly instead."); + show_warning("ERROR: Use of 'prosodyctl %s' is disabled in this installation because", service_command); + local init = has_init_system() - if init == "systemd" then - show_warning(" e.g. systemctl %s prosody", service_command); - elseif init == "rc.d" then - show_warning(" e.g. /etc/init.d/prosody %s", service_command); + if init then + show_warning(" we detected that this system uses %s for managing services.", init); + show_warning(""); + show_warning(" To avoid problems, use that directly instead. For example:"); + show_warning(""); + if init == "systemd" then + show_warning(" systemctl %s prosody", service_command); + elseif init == "rc.d" then + show_warning(" /etc/init.d/prosody %s", service_command); + end + else + show_warning(" it may conflict with your system's service manager."); + show_warning(""); end - show_warning(""); + + show_warning(" Proceeding to use prosodyctl may cause process management issues."); + show_warning(" You can pass --force to override this warning, or set"); + show_warning(" prosodyctl_service_warnings = false in your global config."); + + os.exit(1); end end @@ -200,7 +214,9 @@ function commands.start(arg) show_usage([[start]], [[Start Prosody]]); return 0; end - service_command_warning("start"); + if not opts.force then + service_command_warning("start"); + end local ok, ret = prosodyctl.isrunning(); if not ok then show_message(error_messages[ret]); @@ -301,9 +317,15 @@ function commands.stop(arg) return 0; end - service_command_warning("stop"); + if not opts.force then + service_command_warning("stop"); + end - if not prosodyctl.isrunning() then + local ok, running = prosodyctl.isrunning(); + if not ok then + show_message(error_messages[running]); + return 1; + elseif not running then show_message("Prosody is not running"); return 1; end @@ -312,7 +334,7 @@ function commands.stop(arg) if ok then local i=1; while true do - local ok, running = prosodyctl.isrunning(); + local ok, running = prosodyctl.isrunning(); --luacheck: ignore 421 if ok and not running then break; elseif i == 5 then @@ -339,7 +361,9 @@ function commands.restart(arg) return 1; end - service_command_warning("restart"); + if not opts.force then + service_command_warning("restart"); + end commands.stop(arg); return commands.start(arg); @@ -502,22 +526,34 @@ function commands.reload(arg) return 0; end - if arg[1] and arg[1]:match"^mod_" then - -- TODO reword the usage text, document - local shell = require "prosody.util.prosodyctl.shell"; - arg[1] = arg[1]:match("^mod_(.*)"); -- strip mod_ prefix - table.insert(arg, 1, "module"); - table.insert(arg, 2, "reload"); - return shell.shell(arg); + local shell = require "prosody.util.prosodyctl.shell"; + if shell.available() then + if arg[1] and arg[1]:match"^mod_" then + -- TODO reword the usage text, document + arg[1] = arg[1]:match("^mod_(.*)"); -- strip mod_ prefix + table.insert(arg, 1, "module"); + table.insert(arg, 2, "reload"); + return shell.shell(arg); + end + return shell.shell({ "config", "reload" }); + elseif arg[1] then + show_message("Admin socket not found - is it enabled and is Prosody running?"); + return 1; end - service_command_warning("reload"); - - if not prosodyctl.isrunning() then + local ok, running = prosodyctl.isrunning(); + if not ok then + show_message(error_messages[running]); + return 1; + elseif not running then show_message("Prosody is not running"); return 1; end + if not opts.force then + service_command_warning("reload"); + end + local ok, ret = prosodyctl.reload(); if ok then diff --git a/spec/util_argparse_spec.lua b/spec/util_argparse_spec.lua index 40f647c9..3fd4070e 100644 --- a/spec/util_argparse_spec.lua +++ b/spec/util_argparse_spec.lua @@ -24,10 +24,28 @@ describe("parse", function() assert.same({ "bar"; "--baz" }, arg); end); - it("expands short options", function() - local opts, err = parse({ "--foo"; "-b" }, { short_params = { b = "bar" } }); + it("allows continuation beyond first positional argument", function() + local arg = { "--foo"; "bar"; "--baz" }; + local opts, err = parse(arg, { stop_on_positional = false }); assert.falsy(err); - assert.same({ foo = true; bar = true }, opts); + assert.same({ foo = true, baz = true, "bar" }, opts); + -- All input should have been consumed: + assert.same({ }, arg); + end); + + it("expands short options", function() + do + local opts, err = parse({ "--foo"; "-b" }, { short_params = { b = "bar" } }); + assert.falsy(err); + assert.same({ foo = true; bar = true }, opts); + end + + do + -- Same test with strict mode enabled and all parameters declared + local opts, err = parse({ "--foo"; "-b" }, { kv_params = { foo = true, bar = true }; short_params = { b = "bar" }, strict = true }); + assert.falsy(err); + assert.same({ foo = true; bar = true }, opts); + end end); it("supports value arguments", function() @@ -36,6 +54,12 @@ describe("parse", function() assert.same({ foo = "bar"; baz = "moo" }, opts); end); + it("supports value arguments in strict mode", function() + local opts, err = parse({ "--foo"; "bar"; "--baz=moo" }, { strict = true, value_params = { foo = true; baz = true } }); + assert.falsy(err); + assert.same({ foo = "bar"; baz = "moo" }, opts); + end); + it("demands values for value params", function() local opts, err, where = parse({ "--foo" }, { value_params = { foo = true } }); assert.falsy(opts); @@ -51,8 +75,30 @@ describe("parse", function() end); it("supports array arguments", function () - local opts, err = parse({ "--item"; "foo"; "--item"; "bar" }, { array_params = { item = true } }); - assert.falsy(err); - assert.same({"foo","bar"}, opts.item); + do + local opts, err = parse({ "--item"; "foo"; "--item"; "bar" }, { array_params = { item = true } }); + assert.falsy(err); + assert.same({"foo","bar"}, opts.item); + end + + do + -- Same test with strict mode enabled + local opts, err = parse({ "--item"; "foo"; "--item"; "bar" }, { array_params = { item = true }, strict = true }); + assert.falsy(err); + assert.same({"foo","bar"}, opts.item); + end end) + + it("rejects unknown parameters in strict mode", function () + local opts, err, err2 = parse({ "--item"; "foo"; "--item"; "bar", "--foobar" }, { array_params = { item = true }, strict = true }); + assert.falsy(opts); + assert.same("param-not-found", err); + assert.same("--foobar", err2); + end); + + it("accepts known kv parameters in strict mode", function () + local opts, err = parse({ "--item=foo" }, { kv_params = { item = true }, strict = true }); + assert.falsy(err); + assert.same("foo", opts.item); + end); end); diff --git a/tools/dnsregistry.lua b/tools/dnsregistry.lua index 5a258c1a..fa4296da 100644 --- a/tools/dnsregistry.lua +++ b/tools/dnsregistry.lua @@ -19,6 +19,7 @@ for registry in registries:childtags("registry") do local registry_name = registry_mapping[registry.attr.id]; if registry_name then print("\t" .. registry_name .. " = {"); + local duplicates = {}; for record in registry:childtags("record") do local record_name = record:get_child_text("name"); local record_type = record:get_child_text("type"); @@ -37,7 +38,9 @@ for registry in registries:childtags("registry") do elseif registry_name == "types" and record_type and record_code then print(("\t\t[%q] = %d; [%d] = %q;"):format(record_type, record_code, record_code, record_type)) elseif registry_name == "errors" and record_code and record_name then - print(("\t\t[%d] = %q; [%q] = %q;"):format(record_code, record_name, record_name, record_desc or record_name)); + local dup = duplicates[record_code] and "-- " or ""; + print(("\t\t%s[%d] = %q; [%q] = %q;"):format(dup, record_code, record_name, record_name, record_desc or record_name)); + duplicates[record_code] = true; end end print("\t};"); diff --git a/util/argparse.lua b/util/argparse.lua index 7a55cb0b..75b1c2f9 100644 --- a/util/argparse.lua +++ b/util/argparse.lua @@ -2,6 +2,9 @@ local function parse(arg, config) local short_params = config and config.short_params or {}; local value_params = config and config.value_params or {}; local array_params = config and config.array_params or {}; + local kv_params = config and config.kv_params or {}; + local strict = config and config.strict; + local stop_on_positional = not config or config.stop_on_positional ~= false; local parsed_opts = {}; @@ -15,51 +18,69 @@ local function parse(arg, config) end local prefix = raw_param:match("^%-%-?"); - if not prefix then + if not prefix and stop_on_positional then break; elseif prefix == "--" and raw_param == "--" then table.remove(arg, 1); break; end - local param = table.remove(arg, 1):sub(#prefix+1); - if #param == 1 and short_params then - param = short_params[param]; - end - if not param then - return nil, "param-not-found", raw_param; - end + if prefix then + local param = table.remove(arg, 1):sub(#prefix+1); + if #param == 1 and short_params then + param = short_params[param]; + end - local param_k, param_v; - if value_params[param] or array_params[param] then - param_k, param_v = param, table.remove(arg, 1); - if not param_v then - return nil, "missing-value", raw_param; + if not param then + return nil, "param-not-found", raw_param; end - else - param_k, param_v = param:match("^([^=]+)=(.+)$"); - if not param_k then - if param:match("^no%-") then - param_k, param_v = param:sub(4), false; - else - param_k, param_v = param, true; + + local uparam = param:match("^[^=]*"):gsub("%-", "_"); + + local param_k, param_v; + if value_params[uparam] or array_params[uparam] then + param_k = uparam; + param_v = param:match("^=(.*)$", #uparam+1); + if not param_v then + param_v = table.remove(arg, 1); + if not param_v then + return nil, "missing-value", raw_param; + end + end + else + param_k, param_v = param:match("^([^=]+)=(.+)$"); + if not param_k then + if param:match("^no%-") then + param_k, param_v = param:sub(4), false; + else + param_k, param_v = param, true; + end + end + param_k = param_k:gsub("%-", "_"); + if strict and not kv_params[param_k] then + return nil, "param-not-found", raw_param; end end - param_k = param_k:gsub("%-", "_"); - end - if array_params[param] then - if parsed_opts[param_k] then - table.insert(parsed_opts[param_k], param_v); + if array_params[uparam] then + if parsed_opts[param_k] then + table.insert(parsed_opts[param_k], param_v); + else + parsed_opts[param_k] = { param_v }; + end else - parsed_opts[param_k] = { param_v }; + parsed_opts[param_k] = param_v; end - else - parsed_opts[param_k] = param_v; + elseif not stop_on_positional then + table.insert(parsed_opts, table.remove(arg, 1)); end end - for i = 1, #arg do - parsed_opts[i] = arg[i]; + + if stop_on_positional then + for i = 1, #arg do + parsed_opts[i] = arg[i]; + end end + return parsed_opts; end diff --git a/util/dnsregistry.lua b/util/dnsregistry.lua index b65debe0..56c76cac 100644 --- a/util/dnsregistry.lua +++ b/util/dnsregistry.lua @@ -1,5 +1,5 @@ -- Source: https://www.iana.org/assignments/dns-parameters/dns-parameters.xml --- Generated on 2024-10-26 +-- Generated on 2025-02-09 return { classes = { ["IN"] = 1; [1] = "IN"; @@ -72,6 +72,7 @@ return { ["ZONEMD"] = 63; [63] = "ZONEMD"; ["SVCB"] = 64; [64] = "SVCB"; ["HTTPS"] = 65; [65] = "HTTPS"; + ["DSYNC"] = 66; [66] = "DSYNC"; ["SPF"] = 99; [99] = "SPF"; ["NID"] = 104; [104] = "NID"; ["L32"] = 105; [105] = "L32"; diff --git a/util/prosodyctl.lua b/util/prosodyctl.lua index 9cb4b4dd..c6856526 100644 --- a/util/prosodyctl.lua +++ b/util/prosodyctl.lua @@ -40,6 +40,7 @@ local error_messages = setmetatable({ ["unable-to-save-data"] = "Unable to store, perhaps you don't have permission?"; ["no-pidfile"] = "There is no 'pidfile' option in the configuration file, see https://prosody.im/doc/prosodyctl#pidfile for help"; ["invalid-pidfile"] = "The 'pidfile' option in the configuration file is not a string, see https://prosody.im/doc/prosodyctl#pidfile for help"; + ["pidfile-not-locked"] = "Stale pidfile found. Prosody is probably not running."; ["no-posix"] = "The mod_posix module is not enabled in the Prosody config file, see https://prosody.im/doc/prosodyctl for more info"; ["no-such-method"] = "This module has no commands"; ["not-running"] = "Prosody is not running"; @@ -143,8 +144,14 @@ local function getpid() return false, "pidfile-read-failed", err; end + -- Check for a lock on the file local locked, err = lfs.lock(file, "w"); -- luacheck: ignore 211/err if locked then + -- Prosody keeps the pidfile locked while it is running. + -- We successfully locked the file, which means Prosody is not + -- running and the pidfile is stale (somehow it was not + -- cleaned up). We'll abort here, to avoid sending signals to + -- a non-Prosody PID. file:close(); return false, "pidfile-not-locked"; end diff --git a/util/prosodyctl/check.lua b/util/prosodyctl/check.lua index ac8cc9c1..0a0ab878 100644 --- a/util/prosodyctl/check.lua +++ b/util/prosodyctl/check.lua @@ -11,6 +11,7 @@ local jid_split = require "prosody.util.jid".prepped_split; local modulemanager = require "prosody.core.modulemanager"; local async = require "prosody.util.async"; local httputil = require "prosody.util.http"; +local human_units = require "prosody.util.human.units"; local function api(host) return setmetatable({ name = "prosodyctl.check"; host = host; log = prosody.log }, { __index = moduleapi }) @@ -325,7 +326,12 @@ local function check(arg) local ok = true; local function contains_match(hayset, needle) for member in hayset do if member:find(needle) then return true end end end local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end - local function enabled_hosts() return it.filter(disabled_hosts, pairs(configmanager.getconfig())); end + local function is_user_host(host, conf) return host ~= "*" and conf.component_module == nil; end + local function is_component_host(host, conf) return host ~= "*" and conf.component_module ~= nil; end + local function enabled_hosts() return it.filter(disabled_hosts, it.sorted_pairs(configmanager.getconfig())); end + local function enabled_user_hosts() return it.filter(is_user_host, it.sorted_pairs(configmanager.getconfig())); end + local function enabled_components() return it.filter(is_component_host, it.sorted_pairs(configmanager.getconfig())); end + local checks = {}; function checks.disabled() local disabled_hosts_set = set.new(); @@ -632,6 +638,12 @@ local function check(arg) print(" Both mod_pep_simple and mod_pep are enabled but they conflict"); print(" with each other. Remove one."); end + if all_modules:contains("posix") then + print(""); + print(" mod_posix is loaded in your configuration file, but it has"); + print(" been deprecated. You can safely remove it."); + end + for host, host_config in pairs(config) do --luacheck: ignore 213/host if type(rawget(host_config, "storage")) == "string" and rawget(host_config, "default_storage") then print(""); @@ -790,12 +802,28 @@ local function check(arg) if #invalid_hosts > 0 or #alabel_hosts > 0 then print(""); - print("WARNING: Changing the name of a VirtualHost in Prosody's config file"); - print(" WILL NOT migrate any existing data (user accounts, etc.) to the new name."); + print(" WARNING: Changing the name of a VirtualHost in Prosody's config file"); + print(" WILL NOT migrate any existing data (user accounts, etc.) to the new name."); ok = false; end end + -- Check features + do + local missing_features = {}; + for host in enabled_user_hosts() do + local all_features = checks.features(host, true); + if not all_features then + table.insert(missing_features, host); + end + end + if #missing_features > 0 then + print(""); + print(" Some of your hosts may be missing features due to a lack of configuration."); + print(" For more details, use the 'prosodyctl check features' command."); + end + end + print("Done.\n"); end function checks.dns() @@ -901,7 +929,11 @@ local function check(arg) local unknown_addresses = set.new(); - for jid in enabled_hosts() do + local function is_valid_domain(domain) + return idna.to_ascii(domain) ~= nil; + end + + for jid in it.filter(is_valid_domain, enabled_hosts()) do local all_targets_ok, some_targets_ok = true, false; local node, host = jid_split(jid); @@ -1444,6 +1476,311 @@ local function check(arg) end end end + + function checks.features(check_host, quiet) + if not quiet then + print("Feature report"); + end + + local common_subdomains = { + http_file_share = "share"; + muc = "groups"; + }; + + local recommended_component_modules = { + muc = { "muc_mam" }; + }; + + local function print_feature_status(feature, host) + if quiet then return; end + print("", feature.ok and "OK" or "(!)", feature.name); + if feature.desc then + print("", "", feature.desc); + print(""); + end + if not feature.ok then + if feature.lacking_modules then + table.sort(feature.lacking_modules); + print("", "", "Suggested modules: "); + for _, module in ipairs(feature.lacking_modules) do + print("", "", (" - %s: https://prosody.im/doc/modules/mod_%s"):format(module, module)); + end + end + if feature.lacking_components then + table.sort(feature.lacking_components); + for _, component_module in ipairs(feature.lacking_components) do + local subdomain = common_subdomains[component_module]; + local recommended_mods = recommended_component_modules[component_module]; + if subdomain then + print("", "", "Suggested component:"); + print(""); + print("", "", "", ("-- Documentation: https://prosody.im/doc/modules/mod_%s"):format(component_module)); + print("", "", "", ("Component %q %q"):format(subdomain.."."..host, component_module)); + if recommended_mods then + print("", "", "", " modules_enabled = {"); + table.sort(recommended_mods); + for _, mod in ipairs(recommended_mods) do + print("", "", "", (" %q;"):format(mod)); + end + print("", "", "", " }"); + end + else + print("", "", ("Suggested component: %s"):format(component_module)); + end + end + print(""); + print("", "", "If you have already configured any of these components, they may not be"); + print("", "", "linked correctly to "..host..". For more info see https://prosody.im/doc/components"); + end + if feature.lacking_component_modules then + table.sort(feature.lacking_component_modules, function (a, b) + return a.host < b.host; + end); + for _, problem in ipairs(feature.lacking_component_modules) do + local hostapi = api(problem.host); + local current_modules_enabled = hostapi:get_option_array("modules_enabled", {}); + print("", "", ("Component %q is missing the following modules: %s"):format(problem.host, table.concat(problem.missing_mods))); + print(""); + print("","", "Add the missing modules to your modules_enabled under the Component, like this:"); + print(""); + print(""); + print("", "", "", ("-- Documentation: https://prosody.im/doc/modules/mod_%s"):format(problem.component_module)); + print("", "", "", ("Component %q %q"):format(problem.host, problem.component_module)); + print("", "", "", (" modules_enabled = {")); + for _, mod in ipairs(current_modules_enabled) do + print("", "", "", (" %q;"):format(mod)); + end + for _, mod in ipairs(problem.missing_mods) do + print("", "", "", (" %q; -- Add this!"):format(mod)); + end + print("", "", "", (" }")); + end + end + end + if feature.meta then + for k, v in it.sorted_pairs(feature.meta) do + print("", "", (" - %s: %s"):format(k, v)); + end + end + print(""); + end + + local all_ok = true; + + local config = configmanager.getconfig(); + + local f, s, v; + if check_host then + f, s, v = it.values({ check_host }); + else + f, s, v = enabled_user_hosts(); + end + + for host in f, s, v do + local modules_enabled = set.new(config["*"].modules_enabled); + modules_enabled:include(set.new(config[host].modules_enabled)); + + -- { [component_module] = { hostname1, hostname2, ... } } + local host_components = setmetatable({}, { __index = function (t, k) return rawset(t, k, {})[k]; end }); + + do + local hostapi = api(host); + + -- Find implicitly linked components + for other_host in enabled_components() do + local parent_host = other_host:match("^[^.]+%.(.+)$"); + if parent_host == host then + local component_module = configmanager.get(other_host, "component_module"); + if component_module then + table.insert(host_components[component_module], other_host); + end + end + end + + -- And components linked explicitly + for _, disco_item in ipairs(hostapi:get_option_array("disco_items", {})) do + local other_host = disco_item[1]; + local component_module = configmanager.get(other_host, "component_module"); + if component_module then + table.insert(host_components[component_module], other_host); + end + end + end + + local current_feature; + + local function check_module(suggested, alternate, ...) + if set.intersection(modules_enabled, set.new({suggested, alternate, ...})):empty() then + current_feature.lacking_modules = current_feature.lacking_modules or {}; + table.insert(current_feature.lacking_modules, suggested); + end + end + + local function check_component(suggested, alternate, ...) + local found; + for _, component_module in ipairs({ suggested, alternate, ... }) do + found = host_components[component_module][1]; + if found then + local enabled_component_modules = api(found):get_option_inherited_set("modules_enabled"); + local recommended_mods = recommended_component_modules[component_module]; + if recommended_mods then + local missing_mods = {}; + for _, mod in ipairs(recommended_mods) do + if not enabled_component_modules:contains(mod) then + table.insert(missing_mods, mod); + end + end + if #missing_mods > 0 then + if not current_feature.lacking_component_modules then + current_feature.lacking_component_modules = {}; + end + table.insert(current_feature.lacking_component_modules, { + host = found; + component_module = component_module; + missing_mods = missing_mods; + }); + end + end + break; + end + end + if not found then + current_feature.lacking_components = current_feature.lacking_components or {}; + table.insert(current_feature.lacking_components, suggested); + end + return found; + end + + local features = { + { + name = "Basic functionality"; + desc = "Support for secure connections, authentication and messaging"; + check = function () + check_module("disco"); + check_module("roster"); + check_module("saslauth"); + check_module("tls"); + end; + }; + { + name = "Multi-device messaging and data synchronization"; + desc = "Multiple clients connected to the same account stay in sync"; + check = function () + check_module("carbons"); + check_module("mam"); + check_module("bookmarks"); + check_module("pep"); + end; + }; + { + name = "Mobile optimizations"; + desc = "Help mobile clients reduce battery and data usage"; + check = function () + check_module("smacks"); + check_module("csi_simple", "csi_battery_saver"); + end; + }; + { + name = "Web connections"; + desc = "Allow connections from browser-based web clients"; + check = function () + check_module("bosh"); + check_module("websocket"); + end; + }; + { + name = "User profiles"; + desc = "Enable users to publish profile information"; + check = function () + check_module("vcard_legacy", "vcard"); + end; + }; + { + name = "Blocking"; + desc = "Block communication with chosen entities"; + check = function () + check_module("blocklist"); + end; + }; + { + name = "Push notifications"; + desc = "Receive notifications on platforms that don't support persistent connections"; + check = function () + check_module("cloud_notify"); + end; + }; + { + name = "Audio/video calls and P2P"; + desc = "Assist clients in setting up connections between each other"; + check = function () + check_module( + "turn_external", + "external_services", + "turncredentials", + "extdisco" + ); + end; + }; + { + name = "File sharing"; + desc = "Sharing of files to groups and offline users"; + check = function (self) + local service = check_component("http_file_share", "http_upload", "http_upload_external"); + if service then + local size_limit; + if api(service):get_option("component_module") == "http_file_share" then + size_limit = api(service):get_option_number("http_file_share_size_limit", 10*1024*1024); + end + if size_limit then + self.meta = { + ["Size limit"] = human_units.format(size_limit, "b", "b"); + }; + end + end + end; + }; + { + name = "Group chats"; + desc = "Create group chats and channels"; + check = function () + check_component("muc"); + end; + }; + }; + + if not quiet then + print(host); + end + + for _, feature in ipairs(features) do + current_feature = feature; + feature:check(); + feature.ok = ( + not feature.lacking_modules and + not feature.lacking_components and + not feature.lacking_component_modules + ); + -- For improved presentation, we group the (ok) and (not ok) features + if feature.ok then + print_feature_status(feature, host); + end + end + + for _, feature in ipairs(features) do + if not feature.ok then + all_ok = false; + print_feature_status(feature, host); + end + end + + if not quiet then + print(""); + end + end + + return all_ok; + end + if what == nil or what == "all" then local ret; ret = checks.disabled(); diff --git a/util/prosodyctl/shell.lua b/util/prosodyctl/shell.lua index d6d885d8..31936989 100644 --- a/util/prosodyctl/shell.lua +++ b/util/prosodyctl/shell.lua @@ -29,8 +29,8 @@ local function read_line(prompt_string) end end -local function send_line(client, line) - client.send(st.stanza("repl-input", { width = tostring(term_width()) }):text(line)); +local function send_line(client, line, interactive) + client.send(st.stanza("repl-input", { width = tostring(term_width()), repl = interactive == false and "0" or "1" }):text(line)); end local function repl(client) @@ -64,6 +64,13 @@ local function printbanner() print("https://prosody.im/doc/console\n"); end +local function check() + local lfs = require "lfs"; + local socket_path = path.resolve_relative_path(prosody.paths.data, config.get("*", "admin_socket") or "prosody.sock"); + local state = lfs.attributes(socket_path, "mode"); + return state == "socket"; +end + local function start(arg) --luacheck: ignore 212/arg local client = adminstream.client(); local opts, err, where = parse_args(arg); @@ -80,21 +87,11 @@ local function start(arg) --luacheck: ignore 212/arg if arg[1] then if arg[2] then - local fmt = { "%s"; ":%s("; ")" }; - for i = 3, #arg do - if arg[i]:sub(1, 1) == ":" then - table.insert(fmt, i, ")%s("); - elseif i > 3 and fmt[i - 1]:match("%%q$") then - table.insert(fmt, i, ", %q"); - else - table.insert(fmt, i, "%q"); - end - end - arg[1] = string.format(table.concat(fmt), table.unpack(arg)); + arg[1] = ("{"..string.rep("%q", #arg, ", ").."}"):format(table.unpack(arg, 1, #arg)); end client.events.add_handler("connected", function() - send_line(client, arg[1]); + send_line(client, arg[1], false); return true; end, 1); @@ -180,4 +177,5 @@ end return { shell = start; + available = check; }; diff --git a/util/sasl.lua b/util/sasl.lua index c3c22a1c..dc11d426 100644 --- a/util/sasl.lua +++ b/util/sasl.lua @@ -67,7 +67,7 @@ local function registerMechanism(name, backends, f, cb_backends) end -- create a new SASL object which can be used to authenticate clients -local function new(realm, profile) +local function new(realm, profile, userdata) local mechanisms = profile.mechanisms; if not mechanisms then mechanisms = {}; @@ -80,7 +80,12 @@ local function new(realm, profile) end profile.mechanisms = mechanisms; end - return setmetatable({ profile = profile, realm = realm, mechs = mechanisms }, method); + return setmetatable({ + profile = profile, + realm = realm, + mechs = mechanisms, + userdata = userdata + }, method); end -- add a channel binding handler @@ -94,7 +99,7 @@ end -- get a fresh clone with the same realm and profile function method:clean_clone() - return new(self.realm, self.profile) + return new(self.realm, self.profile, self.userdata) end -- get a list of possible SASL mechanisms to use diff --git a/util/sql.lua b/util/sql.lua index 2f0ec493..06550455 100644 --- a/util/sql.lua +++ b/util/sql.lua @@ -84,7 +84,7 @@ function engine:connect() dbh:autocommit(false); -- don't commit automatically self.conn = dbh; self.prepared = {}; - if params.password then + if params.driver == "SQLite3" and params.password then local ok, err = self:execute(("PRAGMA key='%s'"):format(dbh:quote(params.password))); if not ok then return ok, err; diff --git a/util/startup.lua b/util/startup.lua index c54fa56d..15f07fdf 100644 --- a/util/startup.lua +++ b/util/startup.lua @@ -89,6 +89,14 @@ function startup.read_config() end end prosody.config_file = filename + local credentials_directory = os.getenv("CREDENTIALS_DIRECTORY"); + if credentials_directory then + config.set_credentials_directory(credentials_directory); + elseif prosody.process_type == "prosody" then + config.set_credential_fallback_mode("error"); + else + config.set_credential_fallback_mode("warn"); + end local ok, level, err = config.load(filename); if not ok then print("\n"); @@ -271,7 +279,6 @@ function startup.init_global_state() config = CFG_CONFIGDIR or "."; plugins = CFG_PLUGINDIR or "plugins"; data = "data"; - credentials = os.getenv("CREDENTIALS_DIRECTORY"); }; prosody.arg = _G.arg; @@ -425,6 +432,19 @@ function startup.init_async() async.set_schedule_function(timer.add_task); end +function startup.instrument() + local statsmanager = require "prosody.core.statsmanager"; + local timed = require"prosody.util.openmetrics".timed; + + local adns = require "prosody.net.adns"; + if adns.instrument then + local m = statsmanager.metric("histogram", "prosody_dns", "seconds", "DNS lookups", { "qclass"; "qtype" }, { + buckets = { 1 / 1024; 1 / 256; 1 / 64; 1 / 16; 1 / 4; 1; 4 }; + }); + adns.instrument(function(qclass, qtype) return timed(m:with_labels(qclass, qtype)); end); + end +end + function startup.init_data_store() require "prosody.core.storagemanager"; end @@ -814,12 +834,12 @@ function startup.hook_posix_signals() end); end -function startup.systemd_notify() +function startup.notification_socket() local notify_socket_name = os.getenv("NOTIFY_SOCKET"); if not notify_socket_name then return end local have_unix, unix = pcall(require, "socket.unix"); if not have_unix or type(unix) ~= "table" then - log("error", "LuaSocket without UNIX socket support, can't notify systemd.") + log("error", "LuaSocket without UNIX socket support, can't notify process manager.") return os.exit(1); end log("debug", "Will notify on socket %q", notify_socket_name); @@ -827,7 +847,7 @@ function startup.systemd_notify() local notify_socket = unix.dgram(); local ok, err = notify_socket:setpeername(notify_socket_name); if not ok then - log("error", "Could not connect to systemd notification socket %q: %q", notify_socket_name, err); + log("error", "Could not connect to notification socket %q: %q", notify_socket_name, err); return os.exit(1); end local time = require "prosody.util.time"; @@ -922,13 +942,14 @@ function startup.prosody() startup.load_secondary_libraries(); startup.init_promise(); startup.init_async(); + startup.instrument(); startup.init_http_client(); startup.init_data_store(); startup.init_global_protection(); startup.posix_daemonize(); startup.write_pidfile(); startup.hook_posix_signals(); - startup.systemd_notify(); + startup.notification_socket(); startup.prepare_to_start(); startup.notify_started(); end diff --git a/util/x509.lua b/util/x509.lua index 9ecb5b60..6d856be0 100644 --- a/util/x509.lua +++ b/util/x509.lua @@ -11,7 +11,8 @@ -- IDN libraries complicate that. --- [TLS-CERTS] - https://www.rfc-editor.org/rfc/rfc6125.html +-- [TLS-CERTS] - https://www.rfc-editor.org/rfc/rfc6125.html -- Obsolete +-- [TLS-IDENT] - https://www.rfc-editor.org/rfc/rfc9525.html -- [XMPP-CORE] - https://www.rfc-editor.org/rfc/rfc6120.html -- [SRV-ID] - https://www.rfc-editor.org/rfc/rfc4985.html -- [IDNA] - https://www.rfc-editor.org/rfc/rfc5890.html @@ -35,10 +36,8 @@ local oid_subjectaltname = "2.5.29.17"; -- [PKIX] 4.2.1.6 local oid_xmppaddr = "1.3.6.1.5.5.7.8.5"; -- [XMPP-CORE] local oid_dnssrv = "1.3.6.1.5.5.7.8.7"; -- [SRV-ID] --- Compare a hostname (possibly international) with asserted names --- extracted from a certificate. --- This function follows the rules laid out in --- sections 6.4.1 and 6.4.2 of [TLS-CERTS] +-- Compare a hostname (possibly international) with asserted names extracted from a certificate. +-- This function follows the rules laid out in section 6.3 of [TLS-IDENT] -- -- A wildcard ("*") all by itself is allowed only as the left-most label local function compare_dnsname(host, asserted_names) @@ -159,61 +158,25 @@ local function verify_identity(host, service, cert) if ext[oid_subjectaltname] then local sans = ext[oid_subjectaltname]; - -- Per [TLS-CERTS] 6.3, 6.4.4, "a client MUST NOT seek a match for a - -- reference identifier if the presented identifiers include a DNS-ID - -- SRV-ID, URI-ID, or any application-specific identifier types" - local had_supported_altnames = false - if sans[oid_xmppaddr] then - had_supported_altnames = true if service == "_xmpp-client" or service == "_xmpp-server" then if compare_xmppaddr(host, sans[oid_xmppaddr]) then return true end end end if sans[oid_dnssrv] then - had_supported_altnames = true -- Only check srvNames if the caller specified a service if service and compare_srvname(host, service, sans[oid_dnssrv]) then return true end end if sans["dNSName"] then - had_supported_altnames = true if compare_dnsname(host, sans["dNSName"]) then return true end end - - -- We don't need URIs, but [TLS-CERTS] is clear. - if sans["uniformResourceIdentifier"] then - had_supported_altnames = true - end - - if had_supported_altnames then return false end - end - - -- Extract a common name from the certificate, and check it as if it were - -- a dNSName subjectAltName (wildcards may apply for, and receive, - -- cat treats) - -- - -- Per [TLS-CERTS] 1.8, a CN-ID is the Common Name from a cert subject - -- which has one and only one Common Name - local subject = cert:subject() - local cn = nil - for i=1,#subject do - local dn = subject[i] - if dn["oid"] == oid_commonname then - if cn then - log("info", "Certificate has multiple common names") - return false - end - - cn = dn["value"]; - end end - if cn then - -- Per [TLS-CERTS] 6.4.4, follow the comparison rules for dNSName SANs. - return compare_dnsname(host, { cn }) - end + -- Per [TLS-IDENT] ignore the Common Name + -- The server identity can only be expressed in the subjectAltNames extension; + -- it is no longer valid to use the commonName RDN, known as CN-ID in [TLS-CERTS]. -- If all else fails, well, why should we be any different? return false |