vines 0.1.0

data/lib/vines/store.rb

@@ -0,0 +1,51 @@
+# encoding: UTF-8
+
+module Vines
+
+  # An X509 certificate store that validates certificate trust chains.
+  # This uses the conf/certs/*.crt files as the list of trusted root
+  # CA certificates.
+  class Store
+    @@certs = nil
+
+    def initialize
+      @store = OpenSSL::X509::Store.new
+      certs.each {|c| @store.add_cert(c) }
+    end
+
+    # Return true if the certificate is signed by a CA certificate in the
+    # store. If the certificate can be trusted, it's added to the store so
+    # it can be used to trust other certs.
+    def trusted?(pem)
+      if cert = OpenSSL::X509::Certificate.new(pem) rescue nil
+        @store.verify(cert).tap do |trusted|
+          @store.add_cert(cert) if trusted rescue nil
+        end
+      end
+    end
+
+    # Return true if the domain name matches one of the names in the
+    # certificate. In other words, is the certificate provided to us really
+    # for the domain to which we think we're connected?
+    def domain?(pem, domain)
+      if cert = OpenSSL::X509::Certificate.new(pem) rescue nil
+        OpenSSL::SSL.verify_certificate_identity(cert, domain) rescue false
+      end
+    end
+
+    # Return the trusted root CA certificates installed in conf/certs. These
+    # certificates are used to start the trust chain needed to validate certs
+    # we receive from clients and servers.
+    def certs
+      unless @@certs
+        pattern = /-{5}BEGIN CERTIFICATE-{5}\n.*?-{5}END CERTIFICATE-{5}\n/m
+        dir = File.join(VINES_ROOT, 'conf', 'certs')
+        certs = Dir[File.join(dir, '*.crt')].map {|f| File.read(f) }
+        certs = certs.map {|c| c.scan(pattern) }.flatten
+        certs.map! {|c| OpenSSL::X509::Certificate.new(c) }
+        @@certs = certs.reject {|c| c.not_after < Time.now }
+      end
+      @@certs
+    end
+  end
+end

data/lib/vines/stream.rb

@@ -0,0 +1,198 @@
+# encoding: UTF-8
+
+module Vines
+  # The base class for various XMPP streams (c2s, s2s, component, http),
+  # containing behavior common to all streams like rate limiting, stanza
+  # parsing, and stream error handling.
+  class Stream < EventMachine::Connection
+    include Vines::Log
+
+    ERROR = 'error'.freeze
+    PAD   = 20
+
+    attr_accessor :user
+
+    def post_init
+      router << self
+      @remote_addr, @local_addr = [get_peername, get_sockname].map do |addr|
+        addr ? Socket.unpack_sockaddr_in(addr)[0, 2].reverse.join(':') : 'unknown'
+      end
+      @user, @closed, @stanza_size = nil, false, 0
+      @bucket = TokenBucket.new(100, 10)
+      @store = Store.new
+
+      @nodes = EM::Queue.new
+      process_node_queue
+
+      @parser = Parser.new.tap do |p|
+        p.stream_open {|node| @nodes.push(node) }
+        p.stream_close { close_connection }
+        p.stanza {|node| @nodes.push(node) }
+      end
+      log.info { "%s %21s -> %s" %
+        ['Stream connected:'.ljust(PAD), @remote_addr, @local_addr] }
+    end
+
+    def close_connection(after_writing=false)
+      super
+      @closed = true
+      advance(Client::Closed.new(self))
+    end
+
+    def receive_data(data)
+      return if @closed
+      @stanza_size += data.bytesize
+      if @stanza_size < max_stanza_size
+        @parser << data rescue error(StreamErrors::NotWellFormed.new)
+      else
+        error(StreamErrors::PolicyViolation.new('max stanza size reached'))
+      end
+    end
+
+    # Send the stanza to all recipients, stamping it with from and
+    # to addresses first.
+    def broadcast(stanza, recipients)
+      stanza['from'] = @user.jid.to_s
+      recipients.each do |recipient|
+        stanza['to'] = recipient.user.jid.to_s
+        recipient.write(stanza)
+      end
+    end
+
+    # Returns the storage system for the domain. If no domain is given,
+    # the stream's storage mechanism is returned.
+    def storage(domain=@domain)
+      @config.vhosts[domain]
+    end
+
+    # Reload the user's information into their active connections. Call this
+    # after storage.save_user() to sync the new user state with their other
+    # connections.
+    def update_user_streams(user)
+      router.connected_resources(user.jid.bare).each do |stream|
+        stream.user.update_from(user)
+      end
+    end
+
+    def ssl_verify_peer(pem)
+      # EM is supposed to close the connection when this returns false,
+      # but it only does that for inbound connections, not when we
+      # make a connection to another server.
+      @store.trusted?(pem).tap do |trusted|
+        close_connection unless trusted
+      end
+    end
+
+    def cert_domain_matches?(domain)
+      @store.domain?(get_peer_cert, domain)
+    end
+
+    # Send the data over the wire to this client.
+    def write(data)
+      log_node(data, :out)
+      if data.respond_to?(:to_xml)
+        data = data.to_xml(:indent => 0)
+      end
+      send_data(data)
+    end
+
+    def encrypt
+      cert, key = tls_files
+      start_tls(:private_key_file => key, :cert_chain_file => cert, :verify_peer => true)
+    end
+
+    # Returns true if the TLS certificate and private key files for this domain
+    # exist and can be used to encrypt this stream.
+    def encrypt?
+      tls_files.all? {|f| File.exists?(f) }
+    end
+
+    def unbind
+      router.delete(self)
+      log.info { "%s %21s -> %s" %
+        ['Stream disconnected:'.ljust(PAD), @remote_addr, @local_addr] }
+      log.info { "Streams connected: #{router.size}" }
+    end
+
+    def advance(state)
+      @state = state
+    end
+
+    # Stream level errors close the stream while stanza and SASL errors are
+    # written to the client and leave the stream open. All exceptions should
+    # pass through this method for consistent handling.
+    def error(e)
+      case e
+      when SaslError, StanzaError
+        write(e.to_xml)
+      when StreamError
+        write(e.to_xml)
+        close_stream
+      else
+        log.error(e)
+        write(StreamErrors::InternalServerError.new.to_xml)
+        close_stream
+      end
+    end
+
+    def router
+      Router.instance
+    end
+
+    private
+
+    def close_stream
+      write('</stream:stream>')
+      close_connection_after_writing
+    end
+
+    def error?(node)
+      ns = node.namespace ? node.namespace.href : nil
+      node.name == ERROR && ns == NAMESPACES[:stream]
+    end
+
+    # Schedule a queue pop on the EM thread to handle the next element.
+    # This provides the in-order stanza processing guarantee required by
+    # RFC 6120 section 10.1.
+    def process_node_queue
+      @nodes.pop do |node|
+        Fiber.new do
+          process_node(node)
+          process_node_queue
+        end.resume unless @closed
+      end
+    end
+
+    def process_node(node)
+      log_node(node, :in)
+      @stanza_size = 0
+      enforce_rate_limit
+      if error?(node)
+        close_stream
+      else
+        @state.node(node)
+      end
+    rescue Exception => e
+      error(e)
+    end
+
+    def enforce_rate_limit
+      unless @bucket.take(1)
+        raise StreamErrors::PolicyViolation.new('rate limit exceeded')
+      end
+    end
+
+    def log_node(node, direction)
+      return unless log.debug?
+      from, to = @remote_addr, @local_addr
+      from, to = to, from if direction == :out
+      label = (direction == :out) ? 'Sent' : 'Received'
+      log.debug("%s %21s -> %s\n%s\n" %
+        ["#{label} stanza:".ljust(PAD), from, to, node])
+    end
+
+    def tls_files
+      %w[crt key].map {|ext| File.join(VINES_ROOT, 'conf', 'certs', "#{@domain}.#{ext}") }
+    end
+  end
+end

data/lib/vines/stream/client.rb

@@ -0,0 +1,131 @@
+# encoding: UTF-8
+
+module Vines
+  class Stream
+
+    # Implements the XMPP protocol for client-to-server (c2s) streams. This
+    # serves connected streams using the jabber:client namespace.
+    class Client < Stream
+      attr_reader :config, :domain
+      attr_accessor :last_broadcast_presence
+
+      def initialize(config)
+        @config = config
+        @domain = nil
+        @requested_roster = false
+        @available = false
+        @unbound = false
+        @last_broadcast_presence = nil
+        @state = Start.new(self)
+      end
+
+      def ssl_handshake_completed
+        if get_peer_cert
+          close_connection unless cert_domain_matches?(@domain)
+        end
+      end
+
+      def max_stanza_size
+        @config[:client].max_stanza_size
+      end
+
+      def max_resources_per_account
+        @config[:client].max_resources_per_account
+      end
+
+      def unbind
+        @unbound = true
+        @available = false
+        if authenticated?
+          doc = Nokogiri::XML::Document.new
+          el = doc.create_element('presence', 'type' => 'unavailable')
+          Stanza::Presence::Unavailable.new(el, self).outbound_broadcast_presence
+        end
+        super
+      end
+
+      # Returns true if this client has properly authenticated with
+      # the server.
+      def authenticated?
+        !@user.nil?
+      end
+
+      # A connected resource has authenticated and bound a resource
+      # identifier.
+      def connected?
+        !@unbound && authenticated? && !@user.jid.bare?
+      end
+
+      # An available resource has sent initial presence and can
+      # receive presence subscription requests.
+      def available?
+        @available && connected?
+      end
+
+      # An interested resource has requested its roster and can
+      # receive roster pushes.
+      def interested?
+        @requested_roster && connected?
+      end
+
+      def available!
+        @available = true
+      end
+
+      def requested_roster!
+        @requested_roster = true
+      end
+
+      # Returns streams for available resources to which this user
+      # has successfully subscribed.
+      def available_subscribed_to_resources
+        subscribed = @user.subscribed_to_contacts.map {|c| c.jid }
+        router.available_resources(subscribed)
+      end
+
+      # Returns streams for available resources that are subscribed
+      # to this user's presence updates.
+      def available_subscribers
+        subscribed = @user.subscribed_from_contacts.map {|c| c.jid }
+        router.available_resources(subscribed)
+      end
+
+      # Returns contacts hosted at remote servers that are subscribed
+      # to this user's presence updates.
+      def remote_subscribers(to=nil)
+        jid = (to.nil? || to.empty?) ? nil : JID.new(to).bare
+        @user.subscribed_from_contacts.reject do |c|
+          router.local_jid?(c.jid) || (jid && c.jid.bare != jid)
+        end
+      end
+
+      def ready?
+        @state.class == Client::Ready
+      end
+
+      def start(node)
+        @domain, from = %w[to from].map {|a| node[a] }
+        send_stream_header(from)
+        raise StreamErrors::UnsupportedVersion unless node['version'] == '1.0'
+        raise StreamErrors::HostUnknown unless @config.vhost?(@domain)
+        raise StreamErrors::InvalidNamespace unless node.namespaces['xmlns'] == NAMESPACES[:client]
+        raise StreamErrors::InvalidNamespace unless node.namespaces['xmlns:stream'] == NAMESPACES[:stream]
+      end
+
+      private
+
+      def send_stream_header(to)
+        attrs = {
+          'xmlns' => NAMESPACES[:client],
+          'xmlns:stream' => NAMESPACES[:stream],
+          'xml:lang' => 'en',
+          'id' => Kit.uuid,
+          'from' => @domain,
+          'version' => '1.0'
+        }
+        attrs['to'] = to if to
+        write "<stream:stream %s>" % attrs.to_a.map{|k,v| "#{k}='#{v}'"}.join(' ')
+      end
+    end
+  end
+end

data/lib/vines/stream/client/auth.rb

@@ -0,0 +1,94 @@
+# encoding: UTF-8
+
+module Vines
+  class Stream
+    class Client
+      class Auth < State
+        NS = NAMESPACES[:sasl]
+        AUTH = 'auth'.freeze
+        SUCCESS = %Q{<success xmlns="#{NS}"/>}.freeze
+        MAX_AUTH_ATTEMPTS = 3
+        AUTH_MECHANISMS = {'PLAIN' => :plain_auth, 'EXTERNAL' => :external_auth}.freeze
+  
+        def initialize(stream, success=BindRestart)
+          super
+          @attempts, @outstanding = 0, false
+        end
+
+        def node(node)
+          raise StreamErrors::NotAuthorized unless auth?(node)
+          unless node.text.empty?
+            (name = AUTH_MECHANISMS[node['mechanism']]) ?
+                method(name).call(node) :
+                send_auth_fail(SaslErrors::InvalidMechanism.new)
+          else
+            send_auth_fail(SaslErrors::MalformedRequest.new)
+          end
+        end
+
+        private
+
+        def auth?(node)
+          node.name == AUTH && namespace(node) == NS && !@outstanding
+        end
+
+        # Authenticate s2s streams by comparing their domain to
+        # their SSL certificate.
+        def external_auth(stanza)
+          domain = Base64.decode64(stanza.text)
+          cert = OpenSSL::X509::Certificate.new(stream.get_peer_cert) rescue nil
+          if (!OpenSSL::SSL.verify_certificate_identity(cert, domain) rescue false)
+            send_auth_fail(SaslErrors::NotAuthorized.new)
+            stream.write('</stream:stream>')
+            stream.close_connection_after_writing
+          else
+            stream.remote_domain = domain
+            send_auth_success
+          end
+        end
+
+        # Authenticate c2s streams using a username and password. Call the
+        # authentication module in a separate thread to avoid blocking stanza
+        # processing for other users. 
+        def plain_auth(stanza)
+          jid, node, password = Base64.decode64(stanza.text).split("\000")
+          jid = [node, stream.domain].join('@') if jid.nil? || jid.empty?
+          log.info("Authenticating user: %s" % jid)
+          @outstanding = true
+          begin
+            user = stream.storage.authenticate(jid, password)
+            finish(user || SaslErrors::NotAuthorized.new)
+          rescue Exception => e
+            log.error("Failed to authenticate: #{e.to_s}")
+            finish(SaslErrors::TemporaryAuthFailure.new)
+          end
+        end
+
+        def finish(result)
+          @outstanding = false
+          if result.kind_of?(Exception)
+            send_auth_fail(result)
+          else
+            stream.user = result
+            log.info("Authentication succeeded: %s" % stream.user.jid)
+            send_auth_success
+          end
+        end
+
+        def send_auth_success
+          stream.write(SUCCESS)
+          advance
+        end
+
+        def send_auth_fail(condition)
+          @attempts += 1
+          if @attempts >= MAX_AUTH_ATTEMPTS
+            stream.error(StreamErrors::PolicyViolation.new("max authentication attempts exceeded"))
+          else
+            stream.error(condition)
+          end
+        end
+      end
+    end
+  end
+end