6 files changed, 115 insertions, 110 deletions

diff --git a/plugins/mod_bosh.lua b/plugins/mod_bosh.lua
index 02f3ce38..66a79785 100644
--- a/plugins/mod_bosh.lua
+++ b/plugins/mod_bosh.lua
@@ -31,6 +31,8 @@ local BOSH_DEFAULT_POLLING = tonumber(module:get_option("bosh_max_polling")) or
 local BOSH_DEFAULT_REQUESTS = tonumber(module:get_option("bosh_max_requests")) or 2;
 local BOSH_DEFAULT_MAXPAUSE = tonumber(module:get_option("bosh_max_pause")) or 300;
 
+local consider_bosh_secure = module:get_option_boolean("consider_bosh_secure");
+
 local default_headers = { ["Content-Type"] = "text/xml; charset=utf-8" };
 local session_close_reply = { headers = default_headers, body = st.stanza("body", { xmlns = xmlns_bosh, type = "terminate" }), attr = {} };
 
@@ -63,8 +65,11 @@ function on_destroy_request(request)
 	local session = sessions[request.sid];
 	if session then
 		local requests = session.requests;
-		for i,r in pairs(requests) do
-			if r == request then requests[i] = nil; break; end
+		for i,r in ipairs(requests) do
+			if r == request then
+				t_remove(requests, i);
+				break;
+			end
 		end
 		
 		-- If this session now has no requests open, mark it as inactive
@@ -90,6 +95,8 @@ function handle_request(method, body, request)
 	--log("debug", "Handling new request %s: %s\n----------", request.id, tostring(body));
 	request.notopen = true;
 	request.log = log;
+	request.on_destroy = on_destroy_request;
+	
 	local parser = lxp.new(init_xmlhandlers(request, stream_callbacks), "\1");
 	
 	parser:parse(body);
@@ -118,14 +125,21 @@ function handle_request(method, body, request)
 			session.send(resp);
 		end
 		
-		if not request.destroyed and session.bosh_wait then
-			request.reply_before = os_time() + session.bosh_wait;
-			request.on_destroy = on_destroy_request;
-			waiting_requests[request] = true;
+		if not request.destroyed then
+			-- We're keeping this request open, to respond later
+			log("debug", "Have nothing to say, so leaving request unanswered for now");
+			if session.bosh_wait then
+				request.reply_before = os_time() + session.bosh_wait;
+				waiting_requests[request] = true;
+			end
+			if inactive_sessions[session] then
+				-- Session was marked as inactive, since we have
+				-- a request open now, unmark it
+				inactive_sessions[session] = nil;
+			end
 		end
 		
-		log("debug", "Have nothing to say, so leaving request unanswered for now");
-		return true;
+		return true; -- Inform httpserver we shall reply later
 	end
 end
 
@@ -162,10 +176,14 @@ function stream_callbacks.streamopened(request, attr)
 		
 		-- New session
 		sid = new_uuid();
-		local session = { type = "c2s_unauthed", conn = {}, sid = sid, rid = tonumber(attr.rid), host = attr.to, bosh_version = attr.ver, bosh_wait = attr.wait, streamid = sid, 
-						bosh_hold = BOSH_DEFAULT_HOLD, bosh_max_inactive = BOSH_DEFAULT_INACTIVITY,
-						requests = { }, send_buffer = {}, reset_stream = bosh_reset_stream, close = bosh_close_stream, 
-						dispatch_stanza = core_process_stanza, log = logger.init("bosh"..sid), secure = request.secure };
+		local session = {
+			type = "c2s_unauthed", conn = {}, sid = sid, rid = tonumber(attr.rid)-1, host = attr.to,
+			bosh_version = attr.ver, bosh_wait = attr.wait, streamid = sid,
+			bosh_hold = BOSH_DEFAULT_HOLD, bosh_max_inactive = BOSH_DEFAULT_INACTIVITY,
+			requests = { }, send_buffer = {}, reset_stream = bosh_reset_stream,
+			close = bosh_close_stream, dispatch_stanza = core_process_stanza,
+			log = logger.init("bosh"..sid),	secure = consider_bosh_secure or request.secure
+		};
 		sessions[sid] = session;
 		
 		log("info", "New BOSH session, assigned it sid '%s'", sid);
@@ -174,11 +192,6 @@ function stream_callbacks.streamopened(request, attr)
 		function session.send(s)
 			--log("debug", "Sending BOSH data: %s", tostring(s));
 			local oldest_request = r[1];
-			while oldest_request and oldest_request.destroyed do
-				t_remove(r, 1);
-				waiting_requests[oldest_request] = nil;
-				oldest_request = r[1];
-			end
 			if oldest_request then
 				log("debug", "We have an open request, so sending on that");
 				response.body = t_concat{"<body xmlns='http://jabber.org/protocol/httpbind' sid='", sid, "' xmlns:stream = 'http://etherx.jabber.org/streams'>", tostring(s), "</body>" };
@@ -193,7 +206,6 @@ function stream_callbacks.streamopened(request, attr)
 				else
 					log("debug", "Destroying the request now...");
 					oldest_request:destroy();
-					t_remove(r, 1);
 				end
 			elseif s ~= "" then
 				log("debug", "Saved to send buffer because there are %d open requests", #r);
@@ -235,8 +247,9 @@ function stream_callbacks.streamopened(request, attr)
 			session.log("warn", "rid too large (means a request was lost). Last rid: %d New rid: %s", session.rid, attr.rid);
 		elseif diff <= 0 then
 			-- Repeated, ignore
-			session.log("debug", "rid repeated (on request %s), ignoring: %d", request.id, session.rid);
+			session.log("debug", "rid repeated (on request %s), ignoring: %s (diff %d)", request.id, session.rid, diff);
 			request.notopen = nil;
+			request.sid = sid;
 			t_insert(session.requests, request);
 			return;
 		end
@@ -250,12 +263,6 @@ function stream_callbacks.streamopened(request, attr)
 		return;
 	end
 	
-	-- If session was inactive, make sure it is now marked as not
-	if #session.requests == 0 then
-		(session.log or log)("debug", "BOSH client now active again at %d", os_time());
-		inactive_sessions[session] = nil;
-	end
-	
 	if session.notopen then
 		local features = st.stanza("stream:features");
 		hosts[session.host].events.fire_event("stream-features", { origin = session, features = features });
diff --git a/plugins/mod_groups.lua b/plugins/mod_groups.lua
index d4604b1e..5f821cbc 100644
--- a/plugins/mod_groups.lua
+++ b/plugins/mod_groups.lua
@@ -18,7 +18,7 @@ local jid_bare, jid_prep = jid.bare, jid.prep;
 local module_host = module:get_host();
 
 function inject_roster_contacts(username, host, roster)
-	module:log("warn", "Injecting group members to roster");
+	--module:log("debug", "Injecting group members to roster");
 	local bare_jid = username.."@"..host;
 	if not members[bare_jid] and not members[false] then return; end -- Not a member of any groups
 	
@@ -41,7 +41,7 @@ function inject_roster_contacts(username, host, roster)
 	-- Find groups this JID is a member of
 	if members[bare_jid] then
 		for _, group_name in ipairs(members[bare_jid]) do
-			module:log("debug", "Importing group %s", group_name);
+			--module:log("debug", "Importing group %s", group_name);
 			import_jids_to_roster(group_name);
 		end
 	end
@@ -49,7 +49,7 @@ function inject_roster_contacts(username, host, roster)
 	-- Import public groups
 	if members[false] then
 		for _, group_name in ipairs(members[false]) do
-			module:log("debug", "Importing group %s", group_name);
+			--module:log("debug", "Importing group %s", group_name);
 			import_jids_to_roster(group_name);
 		end
 	end
@@ -67,7 +67,9 @@ function remove_virtual_contacts(username, host, datastore, data)
 				new_roster[jid] = contact;
 			end
 		end
-		new_roster[false].version = nil; -- Version is void
+		if new_roster[false] then
+			new_roster[false].version = nil; -- Version is void
+		end
 		return username, host, datastore, new_roster;
 	end
 
diff --git a/plugins/mod_presence.lua b/plugins/mod_presence.lua
index 5ad3bfdf..9071ae4c 100644
--- a/plugins/mod_presence.lua
+++ b/plugins/mod_presence.lua
@@ -38,42 +38,23 @@ function core_route_stanza(origin, stanza)
 	_core_route_stanza(origin, stanza);
 end
 
-local select_top_resources;
-local bare_message_delivery_policy = module:get_option("bare_message_delivery_policy") or "priority";
-if bare_message_delivery_policy == "broadcast" then
-	function select_top_resources(user)
-		local recipients = {};
-		for _, session in pairs(user.sessions) do -- find resources with non-negative priority
+local function select_top_resources(user)
+	local priority = 0;
+	local recipients = {};
+	for _, session in pairs(user.sessions) do -- find resource with greatest priority
+		if session.presence then
+			-- TODO check active privacy list for session
 			local p = session.priority;
-			if p and p >= 0 then
+			if p > priority then
+				priority = p;
+				recipients = {session};
+			elseif p == priority then
 				t_insert(recipients, session);
 			end
 		end
-		return recipients;
-	end
-else
-	if bare_message_delivery_policy ~= "priority" then
-		module:log("warn", "Invalid value for config option bare_message_delivery_policy");
-	end
-	function select_top_resources(user)
-		local priority = 0;
-		local recipients = {};
-		for _, session in pairs(user.sessions) do -- find resource with greatest priority
-			if session.presence then
-				-- TODO check active privacy list for session
-				local p = session.priority;
-				if p > priority then
-					priority = p;
-					recipients = {session};
-				elseif p == priority then
-					t_insert(recipients, session);
-				end
-			end
-		end
-		return recipients;
 	end
+	return recipients;
 end
-
 local function recalc_resource_map(user)
 	if user then
 		user.top_resources = select_top_resources(user);
@@ -81,7 +62,17 @@ local function recalc_resource_map(user)
 	end
 end
 
+local ignore_presence_priority = module:get_option("ignore_presence_priority");
+
 function handle_normal_presence(origin, stanza, core_route_stanza)
+	if ignore_presence_priority then
+		local priority = stanza:child_with_name("priority");
+		if priority and priority[1] ~= "0" then
+			for i=#priority.tags,1,-1 do priority.tags[i] = nil; end
+			for i=#priority,1,-1 do priority[i] = nil; end
+			priority[1] = "0";
+		end
+	end
 	if full_sessions[origin.full_jid] then -- if user is still connected
 		origin.send(stanza); -- reflect their presence back to them
 	end
@@ -236,16 +227,13 @@ function handle_inbound_presence_subscriptions_and_probes(origin, stanza, from_b
 	stanza.attr.from, stanza.attr.to = from_bare, to_bare;
 	log("debug", "inbound presence "..stanza.attr.type.." from "..from_bare.." for "..to_bare);
 	
-	if not node then
-		log("debug", "dropping presence sent to host or invalid address '%s'", tostring(to_bare));
-	end
-	
 	if stanza.attr.type == "probe" then
-		if rostermanager.is_contact_subscribed(node, host, from_bare) then
+		local result, err = rostermanager.is_contact_subscribed(node, host, from_bare);
+		if result then
 			if 0 == send_presence_of_available_resources(node, host, st_from, origin, core_route_stanza) then
 				core_route_stanza(hosts[host], st.presence({from=to_bare, to=from_bare, type="unavailable"})); -- TODO send last activity
 			end
-		else
+		elseif not err then
 			core_route_stanza(hosts[host], st.presence({from=to_bare, to=from_bare, type="unsubscribed"}));
 		end
 	elseif stanza.attr.type == "subscribe" then
diff --git a/plugins/mod_privacy.lua b/plugins/mod_privacy.lua
index 77b4dd12..ca5d51fa 100644
--- a/plugins/mod_privacy.lua
+++ b/plugins/mod_privacy.lua
@@ -13,7 +13,7 @@ local datamanager = require "util.datamanager";
 local bare_sessions, full_sessions = bare_sessions, full_sessions;
 local util_Jid = require "util.jid";
 local jid_bare = util_Jid.bare;
-local jid_split = util_Jid.split;
+local jid_split, jid_join = util_Jid.split, util_Jid.join;
 local load_roster = require "core.rostermanager".load_roster;
 local to_number = tonumber;
 
@@ -160,26 +160,7 @@ function createOrReplaceList (privacy_lists, origin, stanza, name, entries, rost
 			end
 		end
 		
-		if tmp.type == "group" then
-			local found = false;
-			local roster = load_roster(origin.username, origin.host);
-			for jid,item in pairs(roster) do
-				if item.groups ~= nil then
-					for group in pairs(item.groups) do
-						if group == tmp.value then
-							found = true;
-							break;
-						end
-					end
-					if found == true then
-						break;
-					end
-				end
-			end
-			if found == false then
-				return {"cancel", "item-not-found", "Specifed roster group not existing."};
-			end
-		elseif tmp.type == "subscription" then
+		if tmp.type == "subscription" then
 			if	tmp.value ~= "both" and
 				tmp.value ~= "to" and
 				tmp.value ~= "from" and
@@ -326,7 +307,7 @@ function checkIfNeedToBeBlocked(e, session)
 	local is_to_user = bare_jid == jid_bare(to);
 	local is_from_user = bare_jid == jid_bare(from);
 	
-	module:log("debug", "stanza: %s, to: %s, from: %s", tostring(stanza.name), tostring(to), tostring(from));
+	--module:log("debug", "stanza: %s, to: %s, from: %s", tostring(stanza.name), tostring(to), tostring(from));
 	
 	if privacy_lists.lists == nil or
 		not (session.activePrivacyList or privacy_lists.default)
@@ -334,7 +315,7 @@ function checkIfNeedToBeBlocked(e, session)
 		return; -- Nothing to block, default is Allow all
 	end
 	if is_from_user and is_to_user then
-		module:log("debug", "Not blocking communications between user's resources");
+		--module:log("debug", "Not blocking communications between user's resources");
 		return; -- from one of a user's resource to another => HANDS OFF!
 	end
 	
@@ -344,8 +325,8 @@ function checkIfNeedToBeBlocked(e, session)
 		listname = privacy_lists.default; -- no active list selected, use default list
 	end
 	local list = privacy_lists.lists[listname];
-	if not list then
-		module:log("debug", "given privacy list not found. name: %s", listname);
+	if not list then -- should never happen
+		module:log("warn", "given privacy list not found. name: %s for user %s", listname, bare_jid);
 		return;
 	end
 	for _,item in ipairs(list.items) do
@@ -364,10 +345,10 @@ function checkIfNeedToBeBlocked(e, session)
 			local evilJid = {};
 			apply = false;
 			if is_to_user then
-				module:log("debug", "evil jid is (from): %s", from);
+				--module:log("debug", "evil jid is (from): %s", from);
 				evilJid.node, evilJid.host, evilJid.resource = jid_split(from);
 			else
-				module:log("debug", "evil jid is (to): %s", to);
+				--module:log("debug", "evil jid is (to): %s", to);
 				evilJid.node, evilJid.host, evilJid.resource = jid_split(to);
 			end
 			if	item.type == "jid" and
@@ -379,17 +360,22 @@ function checkIfNeedToBeBlocked(e, session)
 				block = (item.action == "deny");
 			elseif item.type == "group" then
 				local roster = load_roster(session.username, session.host);
-				local groups = roster[evilJid.node .. "@" .. evilJid.host].groups;
-				for group in pairs(groups) do
-					if group == item.value then
-						apply = true;
-						block = (item.action == "deny");
-						break;
+				local roster_entry = roster[jid_join(evilJid.node, evilJid.host)];
+				if roster_entry then
+					local groups = roster_entry.groups;
+					for group in pairs(groups) do
+						if group == item.value then
+							apply = true;
+							block = (item.action == "deny");
+							break;
+						end
 					end
 				end
-			elseif item.type == "subscription" and evilJid.node ~= nil and evilJid.host ~= nil then -- we need a valid bare evil jid
+			elseif item.type == "subscription" then -- we need a valid bare evil jid
 				local roster = load_roster(session.username, session.host);
-				if roster[evilJid.node .. "@" .. evilJid.host].subscription == item.value then
+				local roster_entry = roster[jid_join(evilJid.node, evilJid.host)];
+				if (not(roster_entry) and item.value == "none")
+				   or (roster_entry and roster_entry.subscription == item.value) then
 					apply = true;
 					block = (item.action == "deny");
 				end
@@ -408,7 +394,7 @@ function checkIfNeedToBeBlocked(e, session)
 				end
 				return true; -- stanza blocked !
 			else
-				module:log("debug", "stanza explicitly allowed!")
+				--module:log("debug", "stanza explicitly allowed!")
 				return;
 			end
 		end
@@ -439,7 +425,7 @@ function preCheckIncoming(e)
 		if session ~= nil then
 			return checkIfNeedToBeBlocked(e, session);
 		else
-			module:log("debug", "preCheckIncoming: Couldn't get session for jid: %s@%s/%s", tostring(node), tostring(host), tostring(resource));
+			--module:log("debug", "preCheckIncoming: Couldn't get session for jid: %s@%s/%s", tostring(node), tostring(host), tostring(resource));
 		end
 	end
 end
diff --git a/plugins/mod_private.lua b/plugins/mod_private.lua
index 859bf45a..abf1ec03 100644
--- a/plugins/mod_private.lua
+++ b/plugins/mod_private.lua
@@ -26,7 +26,11 @@ module:add_iq_handler("c2s", "jabber:iq:private",
 				if #query.tags == 1 then
 					local tag = query.tags[1];
 					local key = tag.name..":"..tag.attr.xmlns;
-					local data = datamanager.load(node, host, "private");
+					local data, err = datamanager.load(node, host, "private");
+					if err then
+						session.send(st.error_reply(stanza, "wait", "internal-server-error"));
+						return true;
+					end
 					if stanza.attr.type == "get" then
 						if data and data[key] then
 							session.send(st.reply(stanza):tag("query", {xmlns = "jabber:iq:private"}):add_child(st.deserialize(data[key])));
diff --git a/plugins/mod_saslauth.lua b/plugins/mod_saslauth.lua
index c0360553..9f940c37 100644
--- a/plugins/mod_saslauth.lua
+++ b/plugins/mod_saslauth.lua
@@ -28,6 +28,12 @@ local config = require "core.configmanager";
 local secure_auth_only = module:get_option("c2s_require_encryption") or module:get_option("require_encryption");
 local sasl_backend = module:get_option("sasl_backend") or "builtin";
 
+-- Cyrus config options
+local require_provisioning = module:get_option("cyrus_require_provisioning") or false;
+local cyrus_service_realm = module:get_option("cyrus_service_realm");
+local cyrus_service_name = module:get_option("cyrus_service_name");
+local cyrus_application_name = module:get_option("cyrus_application_name");
+
 local log = module._log;
 
 local xmlns_sasl ='urn:ietf:params:xml:ns:xmpp-sasl';
@@ -45,7 +51,11 @@ elseif sasl_backend == "cyrus" then
 	if ok then
 		local cyrus_new = cyrus.new;
 		new_sasl = function(realm)
-			return cyrus_new(realm, module:get_option("cyrus_service_name") or "xmpp");
+			return cyrus_new(
+				cyrus_service_realm or realm,
+				cyrus_service_name or "xmpp",
+				cyrus_application_name or "prosody"
+			);
 		end
 	else
 		module:log("error", "Failed to load Cyrus SASL because: %s", cyrus);
@@ -94,7 +104,7 @@ local function build_reply(status, ret, err_msg)
 	return reply;
 end
 
-local function handle_status(session, status)
+local function handle_status(session, status, ret, err_msg)
 	if status == "failure" then
 		session.sasl_handler = session.sasl_handler:clean_clone();
 	elseif status == "success" then
@@ -103,12 +113,20 @@ local function handle_status(session, status)
 			module:log("warn", "SASL succeeded but we didn't get a username!");
 			session.sasl_handler = nil;
 			session:reset_stream();
-			return;
+			return status, ret, err_msg;
+		end
+
+		if not(require_provisioning) or usermanager_user_exists(username, session.host) then
+			sm_make_authenticated(session, session.sasl_handler.username);
+			session.sasl_handler = nil;
+			session:reset_stream();
+		else
+			module:log("warn", "SASL succeeded but we don't have an account provisioned for %s", username);
+			session.sasl_handler = session.sasl_handler:clean_clone();
+			return "failure", "not-authorized", "User authenticated successfully, but not provisioned for XMPP";
 		end
-		sm_make_authenticated(session, session.sasl_handler.username);
-		session.sasl_handler = nil;
-		session:reset_stream();
 	end
+	return status, ret, err_msg;
 end
 
 local function sasl_handler(session, stanza)
@@ -142,7 +160,7 @@ local function sasl_handler(session, stanza)
 		end
 	end
 	local status, ret, err_msg = session.sasl_handler:process(text);
-	handle_status(session, status);
+	status, ret, err_msg = handle_status(session, status, ret, err_msg);
 	local s = build_reply(status, ret, err_msg);
 	log("debug", "sasl reply: %s", tostring(s));
 	session.send(s);