aboutsummaryrefslogtreecommitdiffstats
path: root/plugins/mod_xmlrpc.lua
blob: 56312fc769b90777721e44e5ca961f26781c4c3b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
-- Prosody IM
-- Copyright (C) 2008-2009 Matthew Wild
-- Copyright (C) 2008-2009 Waqas Hussain
-- 
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--


module.host = "*" -- Global module

local httpserver = require "net.httpserver";
local st = require "util.stanza";
local pcall = pcall;
local unpack = unpack;
local tostring = tostring;
local is_admin = require "core.usermanager".is_admin;
local jid_split = require "util.jid".split;
local jid_bare = require "util.jid".bare;
local b64_decode = require "util.encodings".base64.decode;
local get_method = require "core.objectmanager".get_object;
local validate_credentials = require "core.usermanager".validate_credentials;

local translate_request = require "util.xmlrpc".translate_request;
local create_response = require "util.xmlrpc".create_response;
local create_error_response = require "util.xmlrpc".create_error_response;

local entity_map = setmetatable({
	["amp"] = "&";
	["gt"] = ">";
	["lt"] = "<";
	["apos"] = "'";
	["quot"] = "\"";
}, {__index = function(_, s)
		if s:sub(1,1) == "#" then
			if s:sub(2,2) == "x" then
				return string.char(tonumber(s:sub(3), 16));
			else
				return string.char(tonumber(s:sub(2)));
			end
		end
	end
});
local function xml_unescape(str)
	return (str:gsub("&(.-);", entity_map));
end
local function parse_xml(xml)
	local stanza = st.stanza("root");
	local regexp = "<([^>]*)>([^<]*)";
	for elem, text in xml:gmatch(regexp) do
		--print("[<"..elem..">|"..text.."]");
		if elem:sub(1,1) == "!" or elem:sub(1,1) == "?" then -- neglect comments and processing-instructions
		elseif elem:sub(1,1) == "/" then -- end tag
			elem = elem:sub(2);
			stanza:up(); -- TODO check for start-end tag name match
		elseif elem:sub(-1,-1) == "/" then -- empty tag
			elem = elem:sub(1,-2);
			stanza:tag(elem):up();
		else -- start tag
			stanza:tag(elem);
		end
		if #text ~= 0 then -- text
			stanza:text(xml_unescape(text));
		end
	end
	return stanza.tags[1];
end

local function handle_xmlrpc_request(jid, method, args)
	local is_secure_call = (method:sub(1,7) ~= "secure/");
	if not is_admin(jid) and not is_secure_call then
		return create_error_response(401, "not authorized");
	end
	method = get_method(method);
	if not method then return create_error_response(404, "method not found"); end
	args = args or {};
	if is_secure_call then t_insert(args, 1, jid); end
	local success, result = pcall(method, unpack(args));
	if success then
		success, result = pcall(create_response, result or "nil");
		if success then
			return result;
		end
		return create_error_response(500, "Error in creating response: "..result);
	end
	return create_error_response(0, result or "nil");
end

local function handle_xmpp_request(origin, stanza)
	local query = stanza.tags[1];
	if query.name == "query" then
		if #query.tags == 1 then
			local success, method, args = pcall(translate_request, query.tags[1]);
			if success then
				local result = handle_xmlrpc_request(jid_bare(stanza.attr.from), method, args);
				origin.send(st.reply(stanza):tag('query', {xmlns='jabber:iq:rpc'}):add_child(result));
			else
				origin.send(st.error_reply(stanza, "modify", "bad-request", method));
			end
		else origin.send(st.error_reply(stanza, "modify", "bad-request", "No content in XML-RPC request")); end
	else origin.send(st.error_reply(stanza, "cancel", "service-unavailable")); end
end
module:add_iq_handler({"c2s", "s2sin"}, "jabber:iq:rpc", handle_xmpp_request);
module:add_feature("jabber:iq:rpc");
-- TODO add <identity category='automation' type='rpc'/> to disco replies

local default_headers = { ['Content-Type'] = 'text/xml' };
local unauthorized_response = { status = '401 UNAUTHORIZED', headers = {['Content-Type']='text/html', ['WWW-Authenticate']='Basic realm="WallyWorld"'}; body = "<html><body>Authentication required</body></html>"; };
local function handle_http_request(method, body, request)
	-- authenticate user
	local username, password = b64_decode(request['authorization'] or ''):gmatch('([^:]*):(.*)')(); -- TODO digest auth
	local node, host = jid_split(username);
	if not validate_credentials(host, node, password) then
		return unauthorized_response;
	end
	-- parse request
	local stanza = body and parse_xml(body);
	if (not stanza) or request.method ~= "POST" then
		return "<html><body>You really don't look like an XML-RPC client to me... what do you want?</body></html>";
	end
	-- execute request
	local success, method, args = pcall(translate_request, stanza);
	if success then
		return { headers = default_headers; body = tostring(handle_xmlrpc_request(node.."@"..host, method, args)) };
	end
	return "<html><body>Error parsing XML-RPC request: "..tostring(method).."</body></html>";
end
httpserver.new{ port = 9000, base = "xmlrpc", handler = handle_http_request }