lygneo-vines 0.1.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/Gemfile +3 -0
- data/LICENSE +19 -0
- data/README.md +7 -0
- data/Rakefile +23 -0
- data/bin/vines +4 -0
- data/conf/certs/README +39 -0
- data/conf/certs/ca-bundle.crt +3895 -0
- data/conf/config.rb +42 -0
- data/lib/vines/cli.rb +132 -0
- data/lib/vines/cluster/connection.rb +26 -0
- data/lib/vines/cluster/publisher.rb +55 -0
- data/lib/vines/cluster/pubsub.rb +92 -0
- data/lib/vines/cluster/sessions.rb +125 -0
- data/lib/vines/cluster/subscriber.rb +108 -0
- data/lib/vines/cluster.rb +246 -0
- data/lib/vines/command/bcrypt.rb +12 -0
- data/lib/vines/command/cert.rb +50 -0
- data/lib/vines/command/init.rb +68 -0
- data/lib/vines/command/ldap.rb +38 -0
- data/lib/vines/command/restart.rb +12 -0
- data/lib/vines/command/schema.rb +24 -0
- data/lib/vines/command/start.rb +28 -0
- data/lib/vines/command/stop.rb +18 -0
- data/lib/vines/config/host.rb +125 -0
- data/lib/vines/config/port.rb +132 -0
- data/lib/vines/config/pubsub.rb +108 -0
- data/lib/vines/config.rb +223 -0
- data/lib/vines/daemon.rb +78 -0
- data/lib/vines/error.rb +150 -0
- data/lib/vines/follower.rb +111 -0
- data/lib/vines/jid.rb +95 -0
- data/lib/vines/kit.rb +23 -0
- data/lib/vines/log.rb +24 -0
- data/lib/vines/router.rb +179 -0
- data/lib/vines/stanza/iq/auth.rb +18 -0
- data/lib/vines/stanza/iq/disco_info.rb +45 -0
- data/lib/vines/stanza/iq/disco_items.rb +29 -0
- data/lib/vines/stanza/iq/error.rb +16 -0
- data/lib/vines/stanza/iq/ping.rb +16 -0
- data/lib/vines/stanza/iq/private_storage.rb +83 -0
- data/lib/vines/stanza/iq/query.rb +10 -0
- data/lib/vines/stanza/iq/result.rb +16 -0
- data/lib/vines/stanza/iq/roster.rb +140 -0
- data/lib/vines/stanza/iq/session.rb +17 -0
- data/lib/vines/stanza/iq/vcard.rb +56 -0
- data/lib/vines/stanza/iq/version.rb +25 -0
- data/lib/vines/stanza/iq.rb +48 -0
- data/lib/vines/stanza/message.rb +40 -0
- data/lib/vines/stanza/presence/error.rb +23 -0
- data/lib/vines/stanza/presence/probe.rb +37 -0
- data/lib/vines/stanza/presence/subscribe.rb +42 -0
- data/lib/vines/stanza/presence/subscribed.rb +51 -0
- data/lib/vines/stanza/presence/unavailable.rb +15 -0
- data/lib/vines/stanza/presence/unsubscribe.rb +38 -0
- data/lib/vines/stanza/presence/unsubscribed.rb +38 -0
- data/lib/vines/stanza/presence.rb +141 -0
- data/lib/vines/stanza/pubsub/create.rb +39 -0
- data/lib/vines/stanza/pubsub/delete.rb +41 -0
- data/lib/vines/stanza/pubsub/publish.rb +66 -0
- data/lib/vines/stanza/pubsub/subscribe.rb +44 -0
- data/lib/vines/stanza/pubsub/unsubscribe.rb +30 -0
- data/lib/vines/stanza/pubsub.rb +22 -0
- data/lib/vines/stanza.rb +175 -0
- data/lib/vines/storage/ldap.rb +71 -0
- data/lib/vines/storage/local.rb +139 -0
- data/lib/vines/storage/null.rb +39 -0
- data/lib/vines/storage/sql.rb +138 -0
- data/lib/vines/storage.rb +239 -0
- data/lib/vines/store.rb +110 -0
- data/lib/vines/stream/client/auth.rb +74 -0
- data/lib/vines/stream/client/auth_restart.rb +29 -0
- data/lib/vines/stream/client/bind.rb +72 -0
- data/lib/vines/stream/client/bind_restart.rb +24 -0
- data/lib/vines/stream/client/closed.rb +13 -0
- data/lib/vines/stream/client/ready.rb +17 -0
- data/lib/vines/stream/client/session.rb +210 -0
- data/lib/vines/stream/client/start.rb +27 -0
- data/lib/vines/stream/client/tls.rb +38 -0
- data/lib/vines/stream/client.rb +84 -0
- data/lib/vines/stream/component/handshake.rb +26 -0
- data/lib/vines/stream/component/ready.rb +23 -0
- data/lib/vines/stream/component/start.rb +19 -0
- data/lib/vines/stream/component.rb +58 -0
- data/lib/vines/stream/http/auth.rb +22 -0
- data/lib/vines/stream/http/bind.rb +32 -0
- data/lib/vines/stream/http/bind_restart.rb +37 -0
- data/lib/vines/stream/http/ready.rb +29 -0
- data/lib/vines/stream/http/request.rb +172 -0
- data/lib/vines/stream/http/session.rb +120 -0
- data/lib/vines/stream/http/sessions.rb +65 -0
- data/lib/vines/stream/http/start.rb +23 -0
- data/lib/vines/stream/http.rb +157 -0
- data/lib/vines/stream/parser.rb +79 -0
- data/lib/vines/stream/sasl.rb +128 -0
- data/lib/vines/stream/server/auth.rb +13 -0
- data/lib/vines/stream/server/auth_restart.rb +13 -0
- data/lib/vines/stream/server/final_restart.rb +21 -0
- data/lib/vines/stream/server/outbound/auth.rb +31 -0
- data/lib/vines/stream/server/outbound/auth_restart.rb +20 -0
- data/lib/vines/stream/server/outbound/auth_result.rb +32 -0
- data/lib/vines/stream/server/outbound/final_features.rb +28 -0
- data/lib/vines/stream/server/outbound/final_restart.rb +20 -0
- data/lib/vines/stream/server/outbound/start.rb +20 -0
- data/lib/vines/stream/server/outbound/tls.rb +30 -0
- data/lib/vines/stream/server/outbound/tls_result.rb +34 -0
- data/lib/vines/stream/server/ready.rb +24 -0
- data/lib/vines/stream/server/start.rb +13 -0
- data/lib/vines/stream/server/tls.rb +13 -0
- data/lib/vines/stream/server.rb +150 -0
- data/lib/vines/stream/state.rb +60 -0
- data/lib/vines/stream.rb +247 -0
- data/lib/vines/token_bucket.rb +55 -0
- data/lib/vines/user.rb +123 -0
- data/lib/vines/version.rb +6 -0
- data/lib/vines/xmpp_server.rb +25 -0
- data/lib/vines.rb +203 -0
- data/test/cluster/publisher_test.rb +57 -0
- data/test/cluster/sessions_test.rb +47 -0
- data/test/cluster/subscriber_test.rb +109 -0
- data/test/config/host_test.rb +369 -0
- data/test/config/pubsub_test.rb +187 -0
- data/test/config_test.rb +732 -0
- data/test/error_test.rb +58 -0
- data/test/ext/nokogiri.rb +14 -0
- data/test/follower_test.rb +102 -0
- data/test/jid_test.rb +147 -0
- data/test/kit_test.rb +31 -0
- data/test/router_test.rb +243 -0
- data/test/stanza/iq/disco_info_test.rb +78 -0
- data/test/stanza/iq/disco_items_test.rb +49 -0
- data/test/stanza/iq/private_storage_test.rb +184 -0
- data/test/stanza/iq/roster_test.rb +229 -0
- data/test/stanza/iq/session_test.rb +25 -0
- data/test/stanza/iq/vcard_test.rb +146 -0
- data/test/stanza/iq/version_test.rb +64 -0
- data/test/stanza/iq_test.rb +70 -0
- data/test/stanza/message_test.rb +126 -0
- data/test/stanza/presence/probe_test.rb +50 -0
- data/test/stanza/presence/subscribe_test.rb +83 -0
- data/test/stanza/pubsub/create_test.rb +116 -0
- data/test/stanza/pubsub/delete_test.rb +169 -0
- data/test/stanza/pubsub/publish_test.rb +309 -0
- data/test/stanza/pubsub/subscribe_test.rb +205 -0
- data/test/stanza/pubsub/unsubscribe_test.rb +148 -0
- data/test/stanza_test.rb +85 -0
- data/test/storage/ldap_test.rb +201 -0
- data/test/storage/local_test.rb +59 -0
- data/test/storage/mock_redis.rb +97 -0
- data/test/storage/null_test.rb +29 -0
- data/test/storage/storage_tests.rb +182 -0
- data/test/storage_test.rb +85 -0
- data/test/store_test.rb +130 -0
- data/test/stream/client/auth_test.rb +137 -0
- data/test/stream/client/ready_test.rb +47 -0
- data/test/stream/client/session_test.rb +27 -0
- data/test/stream/component/handshake_test.rb +52 -0
- data/test/stream/component/ready_test.rb +103 -0
- data/test/stream/component/start_test.rb +39 -0
- data/test/stream/http/auth_test.rb +70 -0
- data/test/stream/http/ready_test.rb +86 -0
- data/test/stream/http/request_test.rb +209 -0
- data/test/stream/http/sessions_test.rb +49 -0
- data/test/stream/http/start_test.rb +50 -0
- data/test/stream/parser_test.rb +122 -0
- data/test/stream/sasl_test.rb +195 -0
- data/test/stream/server/auth_test.rb +61 -0
- data/test/stream/server/outbound/auth_test.rb +75 -0
- data/test/stream/server/ready_test.rb +98 -0
- data/test/test_helper.rb +42 -0
- data/test/token_bucket_test.rb +44 -0
- data/test/user_test.rb +96 -0
- data/vines.gemspec +30 -0
- metadata +387 -0
|
@@ -0,0 +1,157 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Http < Client
|
|
6
|
+
attr_accessor :session
|
|
7
|
+
|
|
8
|
+
def initialize(config)
|
|
9
|
+
super
|
|
10
|
+
@session = Http::Session.new(self)
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
# Override +Stream#create_parser+ to provide an HTTP parser rather than
|
|
14
|
+
# a Nokogiri XML parser.
|
|
15
|
+
def create_parser
|
|
16
|
+
@parser = ::Http::Parser.new.tap do |p|
|
|
17
|
+
body = ''
|
|
18
|
+
p.on_body = proc {|data| body << data }
|
|
19
|
+
p.on_message_complete = proc {
|
|
20
|
+
process_request(Request.new(self, @parser, body))
|
|
21
|
+
body = ''
|
|
22
|
+
}
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
# If the session ID is valid, switch this stream's session to the new
|
|
27
|
+
# ID and return true. Some clients, like Google Chrome, reuse one stream
|
|
28
|
+
# for multiple sessions.
|
|
29
|
+
def valid_session?(sid)
|
|
30
|
+
if session = Sessions[sid]
|
|
31
|
+
@session = session
|
|
32
|
+
end
|
|
33
|
+
!!session
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
%w[max_stanza_size max_resources_per_account bind root].each do |name|
|
|
37
|
+
define_method name do |*args|
|
|
38
|
+
config[:http].send(name, *args)
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
|
|
42
|
+
def process_request(request)
|
|
43
|
+
if request.path == self.bind && request.options?
|
|
44
|
+
request.reply_to_options
|
|
45
|
+
elsif request.path == self.bind
|
|
46
|
+
body = Nokogiri::XML(request.body).root
|
|
47
|
+
if session = Sessions[body['sid']]
|
|
48
|
+
@session = session
|
|
49
|
+
else
|
|
50
|
+
@session = Http::Session.new(self)
|
|
51
|
+
end
|
|
52
|
+
@session.request(request)
|
|
53
|
+
@nodes.push(body)
|
|
54
|
+
else
|
|
55
|
+
request.reply_with_file(self.root)
|
|
56
|
+
end
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
# Alias the Stream#write method before overriding it so we can call
|
|
60
|
+
# it later from a Session instance.
|
|
61
|
+
alias :stream_write :write
|
|
62
|
+
|
|
63
|
+
# Override Stream#write to queue stanzas rather than immediately writing
|
|
64
|
+
# to the stream. Stanza responses must be paired with a queued request.
|
|
65
|
+
def write(data)
|
|
66
|
+
@session.write(data)
|
|
67
|
+
end
|
|
68
|
+
|
|
69
|
+
# Return an array of Node objects inside the body element.
|
|
70
|
+
# TODO This parses the XML again just to strip namespaces. Figure out
|
|
71
|
+
# Nokogiri namespace handling instead.
|
|
72
|
+
def parse_body(body)
|
|
73
|
+
body.namespace = nil
|
|
74
|
+
body.elements.map do |node|
|
|
75
|
+
Nokogiri::XML(node.to_s.sub(' xmlns="jabber:client"', '')).root
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
|
|
79
|
+
def start(node)
|
|
80
|
+
domain, type, hold, wait, rid = %w[to content hold wait rid].map {|a| (node[a] || '').strip }
|
|
81
|
+
version = node.attribute_with_ns('version', NAMESPACES[:bosh]).value rescue nil
|
|
82
|
+
|
|
83
|
+
@session.inactivity = 20
|
|
84
|
+
@session.domain = domain
|
|
85
|
+
@session.content_type = type unless type.empty?
|
|
86
|
+
@session.hold = hold.to_i unless hold.empty?
|
|
87
|
+
@session.wait = wait.to_i unless wait.empty?
|
|
88
|
+
|
|
89
|
+
raise StreamErrors::UndefinedCondition.new('rid required') if rid.empty?
|
|
90
|
+
raise StreamErrors::UnsupportedVersion unless version == '1.0'
|
|
91
|
+
raise StreamErrors::ImproperAddressing unless valid_address?(domain)
|
|
92
|
+
raise StreamErrors::HostUnknown unless config.vhost?(domain)
|
|
93
|
+
raise StreamErrors::InvalidNamespace unless node.namespaces['xmlns'] == NAMESPACES[:http_bind]
|
|
94
|
+
|
|
95
|
+
Sessions[@session.id] = @session
|
|
96
|
+
send_stream_header
|
|
97
|
+
end
|
|
98
|
+
|
|
99
|
+
def terminate
|
|
100
|
+
doc = Nokogiri::XML::Document.new
|
|
101
|
+
node = doc.create_element('body',
|
|
102
|
+
'type' => 'terminate',
|
|
103
|
+
'xmlns' => NAMESPACES[:http_bind])
|
|
104
|
+
@session.reply(node)
|
|
105
|
+
close_stream
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
private
|
|
109
|
+
|
|
110
|
+
def send_stream_header
|
|
111
|
+
doc = Nokogiri::XML::Document.new
|
|
112
|
+
node = doc.create_element('body',
|
|
113
|
+
'charsets' => 'UTF-8',
|
|
114
|
+
'from' => @session.domain,
|
|
115
|
+
'hold' => @session.hold,
|
|
116
|
+
'inactivity' => @session.inactivity,
|
|
117
|
+
'polling' => '5',
|
|
118
|
+
'requests' => '2',
|
|
119
|
+
'sid' => @session.id,
|
|
120
|
+
'ver' => '1.6',
|
|
121
|
+
'wait' => @session.wait,
|
|
122
|
+
'xmpp:version' => '1.0',
|
|
123
|
+
'xmlns' => NAMESPACES[:http_bind],
|
|
124
|
+
'xmlns:xmpp' => NAMESPACES[:bosh],
|
|
125
|
+
'xmlns:stream' => NAMESPACES[:stream])
|
|
126
|
+
|
|
127
|
+
node << doc.create_element('stream:features') do |el|
|
|
128
|
+
el << doc.create_element('mechanisms') do |mechanisms|
|
|
129
|
+
mechanisms.default_namespace = NAMESPACES[:sasl]
|
|
130
|
+
mechanisms << doc.create_element('mechanism', 'PLAIN')
|
|
131
|
+
end
|
|
132
|
+
end
|
|
133
|
+
@session.reply(node)
|
|
134
|
+
end
|
|
135
|
+
|
|
136
|
+
# Override +Stream#send_stream_error+ to wrap the error XML in a BOSH
|
|
137
|
+
# terminate body tag.
|
|
138
|
+
def send_stream_error(e)
|
|
139
|
+
doc = Nokogiri::XML::Document.new
|
|
140
|
+
node = doc.create_element('body',
|
|
141
|
+
'condition' => 'remote-stream-error',
|
|
142
|
+
'type' => 'terminate',
|
|
143
|
+
'xmlns' => NAMESPACES[:http_bind],
|
|
144
|
+
'xmlns:stream' => NAMESPACES[:stream])
|
|
145
|
+
node.inner_html = e.to_xml
|
|
146
|
+
@session.reply(node)
|
|
147
|
+
end
|
|
148
|
+
|
|
149
|
+
# Override +Stream#close_stream+ to simply close the connection without
|
|
150
|
+
# writing a closing stream tag.
|
|
151
|
+
def close_stream
|
|
152
|
+
close_connection_after_writing
|
|
153
|
+
@session.close
|
|
154
|
+
end
|
|
155
|
+
end
|
|
156
|
+
end
|
|
157
|
+
end
|
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Parser < Nokogiri::XML::SAX::Document
|
|
6
|
+
include Nokogiri::XML
|
|
7
|
+
STREAM_NAME = 'stream'.freeze
|
|
8
|
+
STREAM_URI = 'http://etherx.jabber.org/streams'.freeze
|
|
9
|
+
IGNORE = NAMESPACES.values_at(:client, :component, :server)
|
|
10
|
+
|
|
11
|
+
def initialize(&block)
|
|
12
|
+
@listeners, @node = Hash.new {|h, k| h[k] = []}, nil
|
|
13
|
+
@parser = Nokogiri::XML::SAX::PushParser.new(self)
|
|
14
|
+
instance_eval(&block) if block
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
[:stream_open, :stream_close, :stanza].each do |name|
|
|
18
|
+
define_method(name) do |&block|
|
|
19
|
+
@listeners[name] << block
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
|
|
23
|
+
def <<(data)
|
|
24
|
+
@parser << data
|
|
25
|
+
self
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
def start_element_namespace(name, attrs=[], prefix=nil, uri=nil, ns=[])
|
|
29
|
+
el = node(name, attrs, prefix, uri, ns)
|
|
30
|
+
if stream?(name, uri)
|
|
31
|
+
notify(:stream_open, el)
|
|
32
|
+
else
|
|
33
|
+
@node << el if @node
|
|
34
|
+
@node = el
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
|
|
38
|
+
def end_element_namespace(name, prefix=nil, uri=nil)
|
|
39
|
+
if stream?(name, uri)
|
|
40
|
+
notify(:stream_close)
|
|
41
|
+
elsif @node.parent != @node.document
|
|
42
|
+
@node = @node.parent
|
|
43
|
+
else
|
|
44
|
+
notify(:stanza, @node)
|
|
45
|
+
@node = nil
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
def characters(chars)
|
|
50
|
+
@node << Text.new(chars, @node.document) if @node
|
|
51
|
+
end
|
|
52
|
+
alias :cdata_block :characters
|
|
53
|
+
|
|
54
|
+
private
|
|
55
|
+
|
|
56
|
+
def notify(msg, node=nil)
|
|
57
|
+
@listeners[msg].each do |b|
|
|
58
|
+
(node ? b.call(node) : b.call) rescue nil
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def stream?(name, uri)
|
|
63
|
+
name == STREAM_NAME && uri == STREAM_URI
|
|
64
|
+
end
|
|
65
|
+
|
|
66
|
+
def node(name, attrs=[], prefix=nil, uri=nil, ns=[])
|
|
67
|
+
ignore = stream?(name, uri) ? [] : IGNORE
|
|
68
|
+
doc = @node ? @node.document : Document.new
|
|
69
|
+
node = doc.create_element(name) do |node|
|
|
70
|
+
attrs.each {|attr| node[attr.localname] = attr.value }
|
|
71
|
+
ns.each {|prefix, uri| node.add_namespace(prefix, uri) unless ignore.include?(uri) }
|
|
72
|
+
doc << node unless @node
|
|
73
|
+
end
|
|
74
|
+
node.namespace = node.add_namespace(prefix, uri) unless ignore.include?(uri)
|
|
75
|
+
node
|
|
76
|
+
end
|
|
77
|
+
end
|
|
78
|
+
end
|
|
79
|
+
end
|
|
@@ -0,0 +1,128 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
# Provides plain (username/password) and external (TLS certificate) SASL
|
|
6
|
+
# authentication to client and server streams.
|
|
7
|
+
class SASL
|
|
8
|
+
include Vines::Log
|
|
9
|
+
EMPTY = '='.freeze
|
|
10
|
+
|
|
11
|
+
def initialize(stream)
|
|
12
|
+
@stream = stream
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
# Authenticate server-to-server streams, comparing their domain to their
|
|
16
|
+
# SSL certificate.
|
|
17
|
+
#
|
|
18
|
+
# http://xmpp.org/extensions/xep-0178.html#s2s
|
|
19
|
+
#
|
|
20
|
+
# encoded - The Base64 encoded remote domain name String sent by the
|
|
21
|
+
# server stream.
|
|
22
|
+
#
|
|
23
|
+
# Returns true if the Base64 encoded domain matches the TLS certificate
|
|
24
|
+
# presented earlier in stream negotiation.
|
|
25
|
+
#
|
|
26
|
+
# Raises a SaslError if authentication failed.
|
|
27
|
+
def external_auth(encoded)
|
|
28
|
+
unless encoded == EMPTY
|
|
29
|
+
authzid = decode64(encoded)
|
|
30
|
+
matches_from = (authzid == @stream.remote_domain)
|
|
31
|
+
raise SaslErrors::InvalidAuthzid unless matches_from
|
|
32
|
+
end
|
|
33
|
+
matches_from = @stream.cert_domain_matches?(@stream.remote_domain)
|
|
34
|
+
matches_from or raise SaslErrors::NotAuthorized
|
|
35
|
+
end
|
|
36
|
+
|
|
37
|
+
# Authenticate client-to-server streams using a username and password.
|
|
38
|
+
#
|
|
39
|
+
# encoded - The Base64 encoded jid and password String sent by the
|
|
40
|
+
# client stream.
|
|
41
|
+
#
|
|
42
|
+
# Returns the authenticated User or raises SaslError if authentication failed.
|
|
43
|
+
def plain_auth(encoded)
|
|
44
|
+
jid, password = decode_credentials(encoded)
|
|
45
|
+
user = authenticate(jid, password)
|
|
46
|
+
user or raise SaslErrors::NotAuthorized
|
|
47
|
+
end
|
|
48
|
+
|
|
49
|
+
private
|
|
50
|
+
|
|
51
|
+
# Storage backends should not raise errors, but if an unexpected error
|
|
52
|
+
# occurs during authentication, convert it to a temporary-auth-failure.
|
|
53
|
+
#
|
|
54
|
+
# jid - The user's jid String.
|
|
55
|
+
# password - The String password.
|
|
56
|
+
#
|
|
57
|
+
# Returns the authenticated User or nil if authentication failed.
|
|
58
|
+
#
|
|
59
|
+
# Raises TemoraryAuthFailure if the storage system failed.
|
|
60
|
+
def authenticate(jid, password)
|
|
61
|
+
log.info("Authenticating user: %s" % jid)
|
|
62
|
+
@stream.storage.authenticate(jid, password).tap do |user|
|
|
63
|
+
log.info("Authentication succeeded: %s" % user.jid) if user
|
|
64
|
+
end
|
|
65
|
+
rescue => e
|
|
66
|
+
log.error("Failed to authenticate: #{e.to_s}")
|
|
67
|
+
raise SaslErrors::TemporaryAuthFailure
|
|
68
|
+
end
|
|
69
|
+
|
|
70
|
+
# Return the JID and password decoded from the Base64 encoded SASL PLAIN
|
|
71
|
+
# credentials formatted as authzid\0authcid\0password.
|
|
72
|
+
#
|
|
73
|
+
# http://tools.ietf.org/html/rfc6120#section-6.3.8
|
|
74
|
+
# http://tools.ietf.org/html/rfc4616
|
|
75
|
+
#
|
|
76
|
+
# encoded - The Base64 encoded String from which to extract jid and password.
|
|
77
|
+
#
|
|
78
|
+
# Returns an Array of jid String and password String.
|
|
79
|
+
def decode_credentials(encoded)
|
|
80
|
+
authzid, node, password = decode64(encoded).split("\x00")
|
|
81
|
+
raise SaslErrors::NotAuthorized if node.nil? || node.empty? || password.nil? || password.empty?
|
|
82
|
+
jid = JID.new(node, @stream.domain) rescue (raise SaslErrors::NotAuthorized)
|
|
83
|
+
validate_authzid!(authzid, jid)
|
|
84
|
+
[jid, password]
|
|
85
|
+
end
|
|
86
|
+
|
|
87
|
+
# An optional SASL authzid allows a user to authenticate with one
|
|
88
|
+
# user name and password and then have their connection authorized as a
|
|
89
|
+
# different ID (the authzid). We don't support that, so raise an error if
|
|
90
|
+
# the authzid is provided and different than the authcid.
|
|
91
|
+
#
|
|
92
|
+
# Most clients don't send an authzid at all because it's optional and not
|
|
93
|
+
# widely supported. However, Strophe and Blather send a bare JID, in
|
|
94
|
+
# compliance with RFC 6120, but Smack sends just the user name as the
|
|
95
|
+
# authzid. So, take care to handle non-compliant clients here.
|
|
96
|
+
#
|
|
97
|
+
# http://tools.ietf.org/html/rfc6120#section-6.3.8
|
|
98
|
+
#
|
|
99
|
+
# authzid - The authzid String (may be nil).
|
|
100
|
+
# jid - The username String.
|
|
101
|
+
#
|
|
102
|
+
# Returns nothing.
|
|
103
|
+
def validate_authzid!(authzid, jid)
|
|
104
|
+
return if authzid.nil? || authzid.empty?
|
|
105
|
+
authzid.downcase!
|
|
106
|
+
smack = authzid == jid.node
|
|
107
|
+
compliant = authzid == jid.to_s
|
|
108
|
+
raise SaslErrors::InvalidAuthzid unless compliant || smack
|
|
109
|
+
end
|
|
110
|
+
|
|
111
|
+
# Decode the Base64 encoded string, raising an error for invalid data.
|
|
112
|
+
#
|
|
113
|
+
# http://tools.ietf.org/html/rfc6120#section-13.9.1
|
|
114
|
+
#
|
|
115
|
+
# encoded - The Base64 encoded String.
|
|
116
|
+
#
|
|
117
|
+
# Returns a UTF-8 String.
|
|
118
|
+
def decode64(encoded)
|
|
119
|
+
Base64.strict_decode64(encoded).tap do |decoded|
|
|
120
|
+
decoded.force_encoding(Encoding::UTF_8)
|
|
121
|
+
raise SaslErrors::IncorrectEncoding unless decoded.valid_encoding?
|
|
122
|
+
end
|
|
123
|
+
rescue
|
|
124
|
+
raise SaslErrors::IncorrectEncoding
|
|
125
|
+
end
|
|
126
|
+
end
|
|
127
|
+
end
|
|
128
|
+
end
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class FinalRestart < State
|
|
7
|
+
def initialize(stream, success=Ready)
|
|
8
|
+
super
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
def node(node)
|
|
12
|
+
raise StreamErrors::NotAuthorized unless stream?(node)
|
|
13
|
+
stream.start(node)
|
|
14
|
+
stream.write('<stream:features/>')
|
|
15
|
+
stream.router << stream
|
|
16
|
+
advance
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class Outbound
|
|
7
|
+
class Auth < State
|
|
8
|
+
NS = NAMESPACES[:sasl]
|
|
9
|
+
|
|
10
|
+
def initialize(stream, success=AuthResult)
|
|
11
|
+
super
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def node(node)
|
|
15
|
+
raise StreamErrors::NotAuthorized unless external?(node)
|
|
16
|
+
authzid = Base64.strict_encode64(stream.domain)
|
|
17
|
+
stream.write(%Q{<auth xmlns="#{NS}" mechanism="EXTERNAL">#{authzid}</auth>})
|
|
18
|
+
advance
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
private
|
|
22
|
+
|
|
23
|
+
def external?(node)
|
|
24
|
+
external = node.xpath("ns:mechanisms/ns:mechanism[text()='EXTERNAL']", 'ns' => NS).any?
|
|
25
|
+
node.name == 'features' && namespace(node) == NAMESPACES[:stream] && external
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class Outbound
|
|
7
|
+
class AuthRestart < State
|
|
8
|
+
def initialize(stream, success=Auth)
|
|
9
|
+
super
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def node(node)
|
|
13
|
+
raise StreamErrors::NotAuthorized unless stream?(node)
|
|
14
|
+
advance
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class Outbound
|
|
7
|
+
class AuthResult < State
|
|
8
|
+
SUCCESS = 'success'.freeze
|
|
9
|
+
FAILURE = 'failure'.freeze
|
|
10
|
+
|
|
11
|
+
def initialize(stream, success=FinalRestart)
|
|
12
|
+
super
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
def node(node)
|
|
16
|
+
raise StreamErrors::NotAuthorized unless namespace(node) == NAMESPACES[:sasl]
|
|
17
|
+
case node.name
|
|
18
|
+
when SUCCESS
|
|
19
|
+
stream.start(node)
|
|
20
|
+
stream.reset
|
|
21
|
+
advance
|
|
22
|
+
when FAILURE
|
|
23
|
+
stream.close_connection
|
|
24
|
+
else
|
|
25
|
+
raise StreamErrors::NotAuthorized
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class Outbound
|
|
7
|
+
class FinalFeatures < State
|
|
8
|
+
def initialize(stream, success=Server::Ready)
|
|
9
|
+
super
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def node(node)
|
|
13
|
+
raise StreamErrors::NotAuthorized unless empty_features?(node)
|
|
14
|
+
stream.router << stream
|
|
15
|
+
advance
|
|
16
|
+
stream.notify_connected
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
private
|
|
20
|
+
|
|
21
|
+
def empty_features?(node)
|
|
22
|
+
node.name == 'features' && namespace(node) == NAMESPACES[:stream] && node.elements.empty?
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class Outbound
|
|
7
|
+
class FinalRestart < State
|
|
8
|
+
def initialize(stream, success=FinalFeatures)
|
|
9
|
+
super
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def node(node)
|
|
13
|
+
raise StreamErrors::NotAuthorized unless stream?(node)
|
|
14
|
+
advance
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class Outbound
|
|
7
|
+
class Start < State
|
|
8
|
+
def initialize(stream, success=TLS)
|
|
9
|
+
super
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
def node(node)
|
|
13
|
+
raise StreamErrors::NotAuthorized unless stream?(node)
|
|
14
|
+
advance
|
|
15
|
+
end
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
end
|
|
19
|
+
end
|
|
20
|
+
end
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class Outbound
|
|
7
|
+
class TLS < State
|
|
8
|
+
NS = NAMESPACES[:tls]
|
|
9
|
+
|
|
10
|
+
def initialize(stream, success=TLSResult)
|
|
11
|
+
super
|
|
12
|
+
end
|
|
13
|
+
|
|
14
|
+
def node(node)
|
|
15
|
+
raise StreamErrors::NotAuthorized unless tls?(node)
|
|
16
|
+
stream.write("<starttls xmlns='#{NS}'/>")
|
|
17
|
+
advance
|
|
18
|
+
end
|
|
19
|
+
|
|
20
|
+
private
|
|
21
|
+
|
|
22
|
+
def tls?(node)
|
|
23
|
+
tls = node.xpath('ns:starttls', 'ns' => NS).any?
|
|
24
|
+
node.name == 'features' && namespace(node) == NAMESPACES[:stream] && tls
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class Outbound
|
|
7
|
+
class TLSResult < State
|
|
8
|
+
NS = NAMESPACES[:tls]
|
|
9
|
+
PROCEED = 'proceed'.freeze
|
|
10
|
+
FAILURE = 'failure'.freeze
|
|
11
|
+
|
|
12
|
+
def initialize(stream, success=AuthRestart)
|
|
13
|
+
super
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def node(node)
|
|
17
|
+
raise StreamErrors::NotAuthorized unless namespace(node) == NS
|
|
18
|
+
case node.name
|
|
19
|
+
when PROCEED
|
|
20
|
+
stream.encrypt
|
|
21
|
+
stream.start(node)
|
|
22
|
+
stream.reset
|
|
23
|
+
advance
|
|
24
|
+
when FAILURE
|
|
25
|
+
stream.close_connection
|
|
26
|
+
else
|
|
27
|
+
raise StreamErrors::NotAuthorized
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
# encoding: UTF-8
|
|
2
|
+
|
|
3
|
+
module Vines
|
|
4
|
+
class Stream
|
|
5
|
+
class Server
|
|
6
|
+
class Ready < State
|
|
7
|
+
def node(node)
|
|
8
|
+
stanza = to_stanza(node)
|
|
9
|
+
raise StreamErrors::UnsupportedStanzaType unless stanza
|
|
10
|
+
to, from = stanza.validate_to, stanza.validate_from
|
|
11
|
+
raise StreamErrors::ImproperAddressing unless to && from
|
|
12
|
+
raise StreamErrors::InvalidFrom unless from.domain == stream.remote_domain
|
|
13
|
+
raise StreamErrors::HostUnknown unless to.domain == stream.domain
|
|
14
|
+
stream.user = User.new(jid: from)
|
|
15
|
+
if stanza.local? || stanza.to_pubsub_domain?
|
|
16
|
+
stanza.process
|
|
17
|
+
else
|
|
18
|
+
stanza.route
|
|
19
|
+
end
|
|
20
|
+
end
|
|
21
|
+
end
|
|
22
|
+
end
|
|
23
|
+
end
|
|
24
|
+
end
|