vines 0.2.1 → 0.3.0

data/conf/config.rb

@@ -16,17 +16,28 @@ Vines::Config.configure do
   # command. Change the example, 'wonderland.lit', domain name to your actual
   # domain.
   #
+  # The private_storage attribute allows clients to store XML fragments
+  # on the server, using the XEP-0049 Private XML Storage feature.
+  #
   # Shared storage example:
   # host 'verona.lit', 'wonderland.lit' do
+  #   private_storage false
+  #   cross_domain_messages false
   #   storage 'fs' do
   #     dir 'data/users'
   #   end
+  #   components 'tea'  => 'secr3t',
+  #              'cake' => 'passw0rd'
   # end
 
   host 'wonderland.lit' do
+    cross_domain_messages false
+    private_storage false
     storage 'fs' do
       dir 'data/users'
     end
+    # components 'tea'  => 'secr3t',
+    #            'cake' => 'passw0rd'
   end
 
   # Hosts can use LDAP authentication that overrides the authentication
@@ -35,6 +46,8 @@ Vines::Config.configure do
   # information, like rosters, is still saved in the storage database.
   #
   # host 'wonderland.lit' do
+  #   cross_domain_messages false
+  #   private_storage false
   #   storage 'fs' do
   #     dir 'data/users'
   #   end
@@ -42,19 +55,19 @@ Vines::Config.configure do
   #     dn 'cn=Directory Manager'
   #     password 'secr3t'
   #     basedn 'dc=wonderland,dc=lit'
+  #     groupdn 'cn=chatters,dc=wonderland,dc=lit' # optional
   #     object_class 'person'
   #     user_attr 'uid'
   #     name_attr 'cn'
   #     tls true
   #   end
+  #   components 'tea'  => 'secr3t',
+  #              'cake' => 'passw0rd'
   # end
 
   # Configure the client-to-server port. The max_resources_per_account attribute
   # limits how many concurrent connections one user can have to the server.
-  # The private_storage attribute allows clients to store XML fragments
-  # on the server, using the XEP-0049 Private XML Storage feature.
   client '0.0.0.0', 5222 do
-    private_storage true
     max_stanza_size 65536
     max_resources_per_account 5
   end
@@ -75,19 +88,15 @@ Vines::Config.configure do
   # the URL to which BOSH clients must POST their XMPP stanza requests.
   http '0.0.0.0', 5280 do
     bind '/xmpp'
-    private_storage true
     max_stanza_size 65536
     max_resources_per_account 5
     root 'web'
   end
 
-  # Configure the XEP-0114 external component port. Add entries for each
-  # component sub-domain allowed to connect to this server. Components must
-  # authenticate with a password.
+  # Configure the XEP-0114 external component port. Component sub-domains and
+  # their passwords are defined with their virtual host entries above.
   component '0.0.0.0', 5347 do
     max_stanza_size 131072
-    #components 'tea.wonderland.lit'  => 'secr3t',
-    #           'cake.wonderland.lit' => 'passw0rd'
   end
 end
 

data/lib/vines.rb

@@ -9,6 +9,7 @@ module Vines
     :roster       => 'jabber:iq:roster'.freeze,
     :non_sasl     => 'jabber:iq:auth'.freeze,
     :storage      => 'jabber:iq:private'.freeze,
+    :version      => 'jabber:iq:version'.freeze,
     :sasl         => 'urn:ietf:params:xml:ns:xmpp-sasl'.freeze,
     :tls          => 'urn:ietf:params:xml:ns:xmpp-tls'.freeze,
     :bind         => 'urn:ietf:params:xml:ns:xmpp-bind'.freeze,
@@ -65,7 +66,9 @@ end
   uri
   yaml
 
+  vines/log
   vines/jid
+
   vines/stanza
   vines/stanza/iq
   vines/stanza/iq/query
@@ -79,6 +82,7 @@ end
   vines/stanza/iq/roster
   vines/stanza/iq/session
   vines/stanza/iq/vcard
+  vines/stanza/iq/version
   vines/stanza/message
   vines/stanza/presence
   vines/stanza/presence/error
@@ -96,9 +100,12 @@ end
   vines/storage/redis
   vines/storage/sql
 
+  vines/config
+  vines/config/host
+  vines/config/port
+
   vines/store
   vines/contact
-  vines/config
   vines/daemon
   vines/error
   vines/kit

data/lib/vines/command/cert.rb

@@ -5,7 +5,7 @@ module Vines
     class Cert
       def run(opts)
         raise 'vines cert <domain>' unless opts[:args].size == 1
-        dir = File.expand_path(File.join(opts[:config], '../certs'))
+        dir = File.expand_path('../certs', opts[:config])
         create_cert(opts[:args].first, dir)
       end
 
@@ -36,6 +36,7 @@ module Vines
         {'key' => key, 'crt' => cert}.each_pair do |ext, o| 
           name = File.join(dir, "#{domain}.#{ext}")
           File.open(name, "w") {|f| f.write(o.to_pem) }
+          File.chmod(0600, name) if ext == 'key'
         end
       end
 

data/lib/vines/command/init.rb

@@ -19,6 +19,7 @@ module Vines
 
         create_users(domain, users)
         update_config(domain, File.join(dir, 'conf', 'config.rb'))
+        fix_perms(dir)
         Command::Cert.new.create_cert(domain, File.join(dir, 'conf/certs'))
 
         puts "Initialized server directory: #{domain}"
@@ -27,6 +28,16 @@ module Vines
 
       private
 
+      # Limit file system database directory access so the server is the only
+      # process managing the data. The config.rb file contains component and
+      # database passwords, so restrict access to just the server user as well.
+      def fix_perms(dir)
+        %w[data data/users].each do |f|
+          File.chmod(0700, File.join(dir, f))
+        end
+        File.chmod(0600, File.join(dir, 'conf/config.rb'))
+      end
+
       def update_config(domain, config)
         text = File.read(config)
         File.open(config, 'w') do |f|

data/lib/vines/command/ldap.rb

@@ -7,7 +7,7 @@ module Vines
         raise 'vines ldap <domain>' unless opts[:args].size == 1
         require opts[:config]
         domain = opts[:args].first
-        unless storage = Config.instance.vhosts[domain]
+        unless storage = Config.instance.vhosts[domain].storage rescue nil
           raise "#{domain} virtual host not found in conf/config.rb"
         end
         unless storage.ldap?
@@ -27,8 +27,11 @@ module Vines
         rescue Exception => e
           raise "LDAP connection failed: #{e.message}"
         end
-        raise "User not found" unless user
-        puts "Found #{user.jid} with name: #{user.name}"
+
+        filter = storage.ldap.filter(jid)
+        raise "User not found with filter:\n  #{filter}" unless user
+        name = user.name.empty? ? '<name missing>' : user.name
+        puts "Found user #{name} with filter:\n  #{filter}"
       end
     end
   end

data/lib/vines/command/schema.rb

@@ -7,7 +7,7 @@ module Vines
         raise 'vines schema <domain>' unless opts[:args].size == 1
         require opts[:config]
         domain = opts[:args].first
-        unless storage = Config.instance.vhosts[domain]
+        unless storage = Config.instance.vhosts[domain].storage rescue nil
           raise "#{domain} virtual host not found in conf/config.rb"
         end
         unless storage.respond_to?(:create_schema)

data/lib/vines/config.rb

@@ -31,7 +31,7 @@ module Vines
       dupes = names.uniq.size != names.size || (@vhosts.keys & names).any?
       raise "one host definition per domain allowed" if dupes
       names.each do |name|
-        @vhosts.merge! Host.new(name, &block).to_hash
+        @vhosts[name] = Host.new(name, &block)
       end
     end
 
@@ -57,10 +57,36 @@ module Vines
       @ports.values
     end
 
+    # Return true if the domain is virtual hosted by this server.
     def vhost?(domain)
       @vhosts.key?(domain)
     end
 
+    # Return true if all JID's belong to components hosted by this server.
+    def component?(*jids)
+      !jids.flatten.index do |jid|
+        !component_password(JID.new(jid).domain)
+      end
+    end
+
+    # Return the password for the component or nil if it's not hosted here.
+    def component_password(domain)
+      host = @vhosts.values.find {|host| host.component?(domain) }
+      host.password(domain) if host
+    end
+
+    # Return true if all of the JID's are hosted by this server.
+    def local_jid?(*jids)
+      !jids.flatten.index do |jid|
+        !vhost?(JID.new(jid).domain)
+      end
+    end
+
+    # Return true if private XML fragment storage is enabled for this domain.
+    def private_storage?(domain)
+      @vhosts[domain].private_storage?
+    end
+
     # Returns true if server-to-server connections are allowed with the
     # given domain.
     def s2s?(domain)
@@ -73,160 +99,45 @@ module Vines
       @ports[name] or raise ArgumentError.new("no port named #{name}")
     end
 
-    class Host
-      def initialize(name, &block)
-        @name, @storage, @ldap = name, nil, nil
-        instance_eval(&block)
-      end
-
-      def storage(name, &block)
-        raise "one storage mechanism per host allowed" if @storage
-        @storage = Storage.from_name(name, &block)
-        @storage.ldap = @ldap
-      end
-
-      def ldap(host='localhost', port=636, &block)
-        @ldap = Storage::Ldap.new(host, port, &block)
-        @storage.ldap = @ldap if @storage
-      end
-
-      def to_hash
-        raise "storage required for #{@name}" unless @storage
-        {@name => @storage}
-      end
-    end
-
-    class Port
-      include Vines::Log
-
-      attr_reader :config, :stream
-
-      %w[host port].each do |name|
-        define_method(name) do
-          @settings[name.to_sym]
-        end
-      end
-
-      def initialize(config, host, port, &block)
-        @config, @settings = config, {}
-        instance_eval(&block) if block
-        defaults = {:host => host, :port => port,
-          :max_resources_per_account => 5, :max_stanza_size => 128 * 1024}
-        @settings = defaults.merge(@settings)
-      end
-
-      def max_stanza_size(max=nil)
-        if max
-          # rfc 6120 section 13.12
-          @settings[:max_stanza_size] = [10000, max].max
-        else
-          @settings[:max_stanza_size]
-        end
-      end
-
-      def start
-        type = stream.name.split('::').last.downcase
-        log.info("Accepting #{type} connections on #{host}:#{port}")
-        EventMachine::start_server(host, port, stream, config)
-      end
+    # Return true if the two JID's are allowed to send messages to each other.
+    # Both domains must have enabled cross_domain_messages in their config files.
+    def allowed?(to, from)
+      to, from = JID.new(to), JID.new(from)
+      return false                      if to.empty? || from.empty?
+      return true                       if to.domain == from.domain # same domain always allowed
+      return cross_domain?(to, from)    if local_jid?(to, from)     # both virtual hosted here
+      return check_components(to, from) if component?(to, from)     # component to component
+      return check_component(to, from)  if component?(to)           # to component
+      return check_component(from, to)  if component?(from)         # from component
+      return cross_domain?(to)          if local_jid?(to)           # from is remote
+      return cross_domain?(from)        if local_jid?(from)         # to is remote
+      return false
     end
 
-    class ClientPort < Port
-      def initialize(config, host='0.0.0.0', port=5222, &block)
-        @stream = Vines::Stream::Client
-        super(config, host, port, &block)
-      end
-
-      def max_resources_per_account(max=nil)
-        if max
-          @settings[:max_resources_per_account] = max
-        else
-          @settings[:max_resources_per_account]
-        end
-      end
+    private
 
-      def private_storage(enabled)
-        @settings[:private_storage] = !!enabled
-      end
-
-      def private_storage?
-        @settings[:private_storage]
-      end
+    def check_components(to, from)
+      comp1, comp2 = strip_domain(to), strip_domain(from)
+      (comp1 == comp2) || cross_domain?(comp1, comp2)
     end
 
-    class ServerPort < Port
-      def initialize(config, host='0.0.0.0', port=5269, &block)
-        @hosts, @stream = [], Vines::Stream::Server
-        super(config, host, port, &block)
-      end
-
-      def hosts(*hosts)
-        if hosts.any?
-          @hosts << hosts
-          @hosts.flatten!
-        else
-          @hosts
-        end
-      end
+    def check_component(component_jid, jid)
+      comp = strip_domain(component_jid)
+      return true if comp.domain == jid.domain
+      local_jid?(jid) ? cross_domain?(comp, jid) : cross_domain?(comp)
     end
 
-    class HttpPort < Port
-      def initialize(config, host='0.0.0.0', port=5280, &block)
-        @stream = Vines::Stream::Http
-        super(config, host, port, &block)
-        defaults = {:root => File.expand_path('web'), :bind => '/xmpp'}
-        @settings = defaults.merge(@settings)
-      end
-
-      def max_resources_per_account(max=nil)
-        if max
-          @settings[:max_resources_per_account] = max
-        else
-          @settings[:max_resources_per_account]
-        end
-      end
-
-      def private_storage(enabled)
-        @settings[:private_storage] = !!enabled
-      end
-
-      def private_storage?
-        @settings[:private_storage]
-      end
-
-      def root(dir=nil)
-        if dir
-          @settings[:root] = File.expand_path(dir)
-        else
-          @settings[:root]
-        end
-      end
-
-      def bind(url=nil)
-        if url
-          @settings[:bind] = url
-        else
-          @settings[:bind]
-        end
-      end
+    # Return the JID's domain with the first subdomain stripped off. For example,
+    # alice@tea.wonderland.lit returns wonderland.lit.
+    def strip_domain(jid)
+      domain = jid.domain.split('.').drop(1).join('.')
+      JID.new(domain)
     end
 
-    class ComponentPort < Port
-      def initialize(config, host='0.0.0.0', port=5347, &block)
-        @components, @stream = {}, Vines::Stream::Component
-        super(config, host, port, &block)
-      end
-
-      def components(options=nil)
-        if options
-          @components = options
-        else
-          @components
-        end
-      end
-
-      def password(component)
-        @components[component]
+    # Return true if all JID's are allowed to exchange cross domain messages.
+    def cross_domain?(*jids)
+      !jids.flatten.index do |jid|
+        !@vhosts[jid.domain].cross_domain_messages?
       end
     end
   end

data/lib/vines/config/host.rb

@@ -0,0 +1,85 @@
+# encoding: UTF-8
+
+module Vines
+  class Config
+
+    # Provides the DSL methods for the virtual host definitions in the
+    # conf/config.rb file. Host instances can be accessed at runtime through
+    # the +Config#vhosts+ method.
+    class Host
+      def initialize(name, &block)
+        @name, @storage, @ldap = name.downcase, nil, nil
+        @cross_domain_messages = false
+        @private_storage = false
+        @components = {}
+        validate_domain(@name)
+        instance_eval(&block)
+        raise "storage required for #{@name}" unless @storage
+      end
+
+      def storage(name=nil, &block)
+        if name
+          raise "one storage mechanism per host allowed" if @storage
+          @storage = Storage.from_name(name, &block)
+          @storage.ldap = @ldap
+        else
+          @storage
+        end
+      end
+
+      def ldap(host='localhost', port=636, &block)
+        @ldap = Storage::Ldap.new(host, port, &block)
+        @storage.ldap = @ldap if @storage
+      end
+
+      def cross_domain_messages(enabled)
+        @cross_domain_messages = !!enabled
+      end
+
+      def cross_domain_messages?
+        @cross_domain_messages
+      end
+
+      def components(options=nil)
+        return @components unless options
+
+        names = options.keys.map {|domain| "#{domain}.#{@name}".downcase }
+        dupes = names.uniq.size != names.size || (@components.keys & names).any?
+        raise "duplicate component domains not allowed" if dupes
+
+        options.each do |domain, password|
+          raise 'component domain required' if (domain || '').to_s.strip.empty?
+          raise 'component password required' if (password || '').strip.empty?
+          name = "#{domain}.#{@name}".downcase
+          raise "components must be one level below their host: #{name}" if domain.to_s.include?('.')
+          validate_domain(name)
+          @components[name] = password
+        end
+      end
+
+      def component?(domain)
+        !!@components[domain]
+      end
+
+      def password(domain)
+        @components[domain]
+      end
+
+      def private_storage(enabled)
+        @private_storage = !!enabled
+      end
+
+      def private_storage?
+        @private_storage
+      end
+
+      private
+
+      # Prevent domains in config files that won't form valid JID's.
+      def validate_domain(name)
+        jid = JID.new(name)
+        raise "incorrect domain: #{name}" if jid.node || jid.resource
+      end
+    end
+  end
+end