aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
| * | | | | | CHANGES: Update with MUC permission changesMatthew Wild2022-09-291-0/+10
| | | | | | |
| * | | | | | mod_authz_internal: Allow specifying default role for public (remote) usersMatthew Wild2022-09-291-0/+3
| | | | | | |
| * | | | | | Backed out changeset 73a45ba6e3f1 in favour of 427dd01f0864Matthew Wild2022-09-291-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | New behaviour (muc_room_allow_persistent = true, the default): - Parent host users are not restricted by default (prosody:user) - Users without roles (by default that is non-admins, non-parent-host users, and users on other servers) can no longer configure persistence by default. muc_room_allow_persistent = false will restrict persistence to prosody:admin. Parent-host users should not be restricted by default, and this can be configured via the new roles/permissions options.
| * | | | | | mod_muc: Better map restrict_room_creation to role permissions (behaviour ↵Matthew Wild2022-09-291-21/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | change) With this change and 427dd01f0864, room creation is now effectively restricted to parent-host users by default. This is a better default than previous Prosody versions (where room creation was not restricted). The "local" option for restrict_room_creation is no longer used (any value other than true/false won't change the default behaviour). restrict_room_creation = true will grant prosody:admin the ability to create rooms. restrict_room_creation = false disables all permission checks. Anything between these two can be achieved using custom roles and permissions.
| * | | | | | mod_authz_internal: Allow configuring role of local-server/parent-host usersMatthew Wild2022-09-291-1/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 'host_user_role' is the default role of users who have JIDs on the "parent" host (i.e. jabber.org users on conference.jabber.org). Defaults to 'prosody:user'. 'server_user_roles' is the default role of users who have JIDs on any active host on the current Prosody instance. Default to nil (no role). This finally allows better permissions splitting between host and server users, which has previously been done (e.g. in MUC) with options like 'restrict_room_creation' and 'muc_room_allow_persistent'. Using roles makes these permissions a lot more flexible, and easier for developers to integrate.
| * | | | | | muc: Re-allow non-admins to configure persistence (thanks Meaz)Matthew Wild2022-09-281-6/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Non-admins don't have a role on MUC services by default. Not even prosody:user. This meant they had no :create-persistent-room permission, even if muc_room_allow_persistent was true (the default). Now we only check the role permissions if persistent room creation is restricted, otherwise we skip any permission checks, just like previous versions.
| * | | | | | doap: Latest XEP-0440 supported since 9f100ab9ffdfMatthew Wild2022-09-261-1/+1
| | | | | | |
| * | | | | | mod_admin_shell: Fix display of session without role (thanks Link Mauve)Kim Alvefur2022-09-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This can happen to sessions before they are assigned a role
| * | | | | | mod_saslauth: Put <sasl-channel-binding> in stream:features per XEP-0440 0.4.0Matthew Wild2022-09-211-4/+4
| | | | | | |
| * | | | | | Merge 0.12->trunkKim Alvefur2022-09-151-0/+5
| |\ \ \ \ \ \
| * | | | | | | mod_storage_sql: Strip timestamp precision in queries to fix error (thanks ↵Kim Alvefur2022-09-071-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | muppeth) Fixes Error in SQL transaction: Error executing statement parameters: ERROR: invalid input syntax for integer This was handled for INSERT in 9524bb7f3944 but not SELECT.
| * | | | | | | mod_http_file_share: Use correct variable name (thanks riau.sni)Matthew Wild2022-09-041-3/+3
| | | | | | | |
| * | | | | | | mod_saslauth: Fix incorrect variable name introduced in 27a4a7e64831Matthew Wild2022-09-031-1/+1
| | | | | | | |
| * | | | | | | mod_smacks: Set session flag during successful enableMatthew Wild2022-09-031-0/+1
| | | | | | | |
| * | | | | | | mod_smacks: Add type field to results so actions can be later distinguishedMatthew Wild2022-09-031-1/+2
| | | | | | | |
| * | | | | | | mod_saslauth: Only announce bind feature if no resource yet boundMatthew Wild2022-09-031-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It's now possible to bind during SASL2 negotiation.
| * | | | | | | semgrep: Catch stanza:text() (assuming it's meant to be :get_text())Matthew Wild2022-09-031-0/+6
| | | | | | | |
| * | | | | | | util.paseto: Do strict type check in pae() functionKim Alvefur2022-07-111-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes a test failure on Lua 5.4 where ipairs("") does not produce an error.
| * | | | | | | util.crypto: Use Lua 5.2 API for predictable buffer sizeKim Alvefur2022-07-111-6/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In Lua 5.3 LUAL_BUFFERSIZE is a macro computed from sizeof and is thus not known at pre-processing time, so this does not work. Since Lua 5.1 is no longer supported, we can use luaL_prepbuffsize() which is available from Lua 5.2
| * | | | | | | util.crypto: Use stack space buffersKim Alvefur2022-07-111-14/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removes assumption that LUAL_BUFFERSIZE is known at pre-processing time, which it is not in Lua 5.3 and 5.4, where it is a computed macro based on sizeof. Allocation of stack space is safer and faster, no need to worry about luaL_prepbuffer failing to allocate memory and skipping free()
| * | | | | | | util.paseto: Drop custom wrappers around key objectsMatthew Wild2022-07-112-47/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The PASETO spec recommends - no, *requires* - that implementations enforce type safety for keys, and e.g. do not pass them around as arbitrary byte strings. Typed wrapper objects are recommended. I originally followed this advice when starting the lib. However, key wrapping and type safety is now also a feature of util.crypto. All we're doing is duplicating it unnecessarily with this additional wrapper code.
| * | | | | | | util.paseto: Add tests based on official PASETO test vectorsMatthew Wild2022-07-111-0/+118
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unfortunately there are only a few relevant ones, but they did help catch some bugs.
| * | | | | | | util.paseto: Export similar API to new util.jwt for ease and consistencyMatthew Wild2022-07-111-0/+21
| | | | | | | |
| * | | | | | | util.paseto: Error early on invalid keysMatthew Wild2022-07-111-0/+2
| | | | | | | |
| * | | | | | | util.paseto: Fix to decode footer before comparisonMatthew Wild2022-07-111-0/+1
| | | | | | | |
| * | | | | | | mod_http_file_share: Switch to new util.jwt APIMatthew Wild2022-07-111-32/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some changes/improvements in this commit: - Default token lifetime is now 3600s (from 300s) - Tokens are only validated once per upload - "iat"/"exp" are handled automatically by util.jwt
| * | | | | | | util.jwt: Add new init() convenience method to obtain both signer and verifierMatthew Wild2022-07-111-0/+6
| | | | | | | |
| * | | | | | | util.jwt: Consolidate payload parsing, ensure it's always a valid objectMatthew Wild2022-07-111-11/+13
| | | | | | | |
| * | | | | | | util.jwt: Provide built-in token expiry support (defaults to 3600s lifetime)Matthew Wild2022-07-111-3/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | To avoid every user of the library needing to add and verify expiry info, this is now handled by util.jwt itself (if not overridden or disabled). Issuing tokens that are valid forever is bad practice and rarely desired, and the default token lifetime is now 3600s (1 hour).
| * | | | | | | util.jwt: All the algorithms (+ all the tests!)Matthew Wild2022-07-022-24/+98
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Except 'none'. Not implementing that one.
| * | | | | | | util.crypto: tests: fix some tests that didn't do much (thanks luacheck!)Matthew Wild2022-07-021-3/+2
| | | | | | | |
| * | | | | | | util.crypto: More digests for sign/verify, use macros for clarity/consistencyMatthew Wild2022-07-022-34/+42
| | | | | | | |
| * | | | | | | util.jwt: Overhaul of tests to use declarative approachMatthew Wild2022-07-022-115/+199
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now we can consistently apply the same tests to every algorithm, instead of duplicating code.
| * | | | | | | spec: Move test crypto keys to a shared file for clarity and easy maintenanceMatthew Wild2022-07-023-125/+82
| | | | | | | |
| * | | | | | | util.jwt: Add support for RSA-based algorithms (RS256, PS256)Matthew Wild2022-07-022-14/+205
| | | | | | | |
| * | | | | | | util.crypto: Friendlier error message on incorrect key typesMatthew Wild2022-07-021-1/+6
| | | | | | | |
| * | | | | | | util.crypto: Add support for RSA signatures (PKCS1-v1.5 + PSS)Matthew Wild2022-07-021-3/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These are used by the RS*** and PS*** family of JOSE algorithms (e.g. in JWTs)
| * | | | | | | util.jwt: Add support/tests for ES256 via improved API and using util.cryptoMatthew Wild2022-07-012-19/+171
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In many cases code will be either signing or verifying. With asymmetric algorithms it's clearer and more efficient to just state that once, instead of passing keys (and possibly other parameters) with every sign/verify call. This also allows earlier validation of the key used. The previous (HS256-only) sign/verify methods continue to be exposed for backwards-compatibility.
| * | | | | | | util.crypto: Add Teal type specificationKim Alvefur2022-06-301-0/+29
| | | | | | | |
| * | | | | | | util.paseto: Implementation of PASETO v4.public tokensMatthew Wild2022-06-241-0/+123
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | PASETO provides an alternative to JWT with the promise of fewer implementation pitfalls. The v4.public algorithm allows asymmetric cryptographically-verified token issuance and validation. In summary, such tokens can be issued by one party and securely verified by any other party independently using the public key of the issuer. This has a number of potential applications in a decentralized network and ecosystem such as XMPP. For example, such tokens could be combined with XEP-0317 to allow hats to be verified even in the context of a third-party MUC service.
| * | | | | | | util.crypto: New wrapper for some operations in OpenSSL's libcryptoMatthew Wild2022-06-243-2/+753
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Specifically, ED25519 key generation/import/export, sign/verify operations, and AES encrypt/decrypt.
| * | | | | | | util-src: Add new utility header managed_pointer.hMatthew Wild2022-07-011-0/+61
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The macros in this header allow creation of GC-managed objects from manually- managed C alloc/free APIs.
| * | | | | | | mod_smacks: Set session.smacks after sending <enabled/> to fix tracebackMatthew Wild2022-08-291-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ...with opportunistic writes enabled.
| * | | | | | | core.moduleapi: Check for local role-aware sessions before e.g. s2sKim Alvefur2022-08-291-9/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The condition checked for s2sin but not s2sout, so would have ignored bidi-enabled s2sout sessions. Components as well.
| * | | | | | | mod_smacks: Use new :add_error() in last remaining error result constructionMatthew Wild2022-08-291-2/+1
| | | | | | | |
| * | | | | | | mod_smacks: Split enable handling to stages, to allow easier SASL2 integrationMatthew Wild2022-08-291-21/+48
| | | | | | | |
| * | | | | | | util.stanza: Add add_error() to simplify adding error tags to existing stanzasMatthew Wild2022-08-292-25/+45
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some fiddling is required now in error_reply() to ensure the cursor is in the same place as before this change (a lot of code apparently uses that feature).
| * | | | | | | mod_component: Require 'from' attribute on stanzas by defaultMatthew Wild2022-08-281-16/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The old behaviour of falling back to the component domain when it is missing has been merged into the logic for the existing "validate_from_addresses" option (which is strict by default). ejabberd already rejects component stanzas with no 'from' (as the XEP requires), and this has led to compatibility issues for components that were seemingly working fine with Prosody.
| * | | | | | | mod_external_services: Update tools.ietf.org URLKim Alvefur2022-08-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | See bd9e006a7a74
| * | | | | | | doap: Update for XEP-0215 advancement to StableKim Alvefur2022-08-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | No other changes to account for.