vinesmod 0.4.5

data/lib/vines/store.rb

@@ -0,0 +1,94 @@
+# encoding: UTF-8
+
+module Vines
+
+  # An X509 certificate store that validates certificate trust chains.
+  # This uses the conf/certs/*.crt files as the list of trusted root
+  # CA certificates.
+  class Store
+    @@sources = nil
+
+    # Create a certificate store to read certificate files from the given
+    # directory.
+    def initialize(dir)
+      @dir = File.expand_path(dir)
+      @store = OpenSSL::X509::Store.new
+      certs.each {|c| @store.add_cert(c) }
+    end
+
+    # Return true if the certificate is signed by a CA certificate in the
+    # store. If the certificate can be trusted, it's added to the store so
+    # it can be used to trust other certs.
+    def trusted?(pem)
+      if cert = OpenSSL::X509::Certificate.new(pem) rescue nil
+        @store.verify(cert).tap do |trusted|
+          @store.add_cert(cert) if trusted rescue nil
+        end
+      end
+    end
+
+    # Return true if the domain name matches one of the names in the
+    # certificate. In other words, is the certificate provided to us really
+    # for the domain to which we think we're connected?
+    def domain?(pem, domain)
+      if cert = OpenSSL::X509::Certificate.new(pem) rescue nil
+        OpenSSL::SSL.verify_certificate_identity(cert, domain) rescue false
+      end
+    end
+
+    # Return the trusted root CA certificates installed in conf/certs. These
+    # certificates are used to start the trust chain needed to validate certs
+    # we receive from clients and servers.
+    def certs
+      unless @@sources
+        pattern = /-{5}BEGIN CERTIFICATE-{5}\n.*?-{5}END CERTIFICATE-{5}\n/m
+        pairs = Dir[File.join(@dir, '*.crt')].map do |name|
+          File.open(name, "r:UTF-8") do |f|
+            pems = f.read.scan(pattern)
+            certs = pems.map {|pem| OpenSSL::X509::Certificate.new(pem) }
+            certs.reject! {|cert| cert.not_after < Time.now }
+            [name, certs]
+          end
+        end
+        @@sources = Hash[pairs]
+      end
+      @@sources.values.flatten
+    end
+
+    # Returns a pair of file names containing the public key certificate
+    # and matching private key for the given domain. This supports using
+    # wildcard certificate files to serve several subdomains.
+    #
+    # Finding the certificate and private key file for a domain follows these steps:
+    # - look for <domain>.crt and <domain>.key files in the conf/certs directory.
+    #   if found, return those file names, else
+    # - inspect all conf/certs/*.crt files for certificates that contain the
+    #   domain name either as the subject common name (CN) or as a DNS
+    #   subjectAltName. The corresponding private key must be in a file of the
+    #   same name as the certificate's, but with a .key extension.
+    #
+    # So in the simplest configuration, the tea.wonderland.lit encryption files would
+    # be named conf/certs/tea.wonderland.lit.crt and conf/certs/tea.wonderland.lit.key.
+    #
+    # However, in the case of a wildcard certificate for *.wonderland.lit, the
+    # files would be conf/certs/wonderland.lit.crt and conf/certs/wonderland.lit.key.
+    # These same two files would be returned for the subdomains of tea.wonderland.lit,
+    # crumpets.wonderland.lit, etc.
+    def files_for_domain(domain)
+      crt = File.expand_path("#{domain}.crt", @dir)
+      key = File.expand_path("#{domain}.key", @dir)
+      return [crt, key] if File.exists?(crt) && File.exists?(key)
+
+      # might be a wildcard cert file
+      @@sources.each do |file, certs|
+        certs.each do |cert|
+          if OpenSSL::SSL.verify_certificate_identity(cert, domain)
+            key = file.chomp(File.extname(file)) + '.key'
+            return [file, key] if File.exists?(file) && File.exists?(key)
+          end
+        end
+      end
+      nil
+    end
+  end
+end

data/lib/vines/stream.rb

@@ -0,0 +1,247 @@
+# encoding: UTF-8
+
+module Vines
+  # The base class for various XMPP streams (c2s, s2s, component, http),
+  # containing behavior common to all streams like rate limiting, stanza
+  # parsing, and stream error handling.
+  class Stream < EventMachine::Connection
+    include Vines::Log
+
+    ERROR = 'error'.freeze
+    PAD   = 20
+
+    attr_reader   :config, :domain
+    attr_accessor :user
+
+    def initialize(config)
+      @config = config
+    end
+
+    def post_init
+      @remote_addr, @local_addr = addresses
+      @user, @closed, @stanza_size = nil, false, 0
+      @bucket = TokenBucket.new(100, 10)
+      @store = Store.new(@config.certs)
+      @nodes = EM::Queue.new
+      process_node_queue
+      create_parser
+      log.info { "%s %21s -> %s" %
+        ['Stream connected:'.ljust(PAD), @remote_addr, @local_addr] }
+    end
+
+    # Initialize a new XML parser for this connection. This is called when the
+    # stream is first connected as well as for stream restarts during
+    # negotiation. Subclasses can override this method to provide a different
+    # type of parser (e.g. HTTP).
+    def create_parser
+      @parser = Parser.new.tap do |p|
+        p.stream_open {|node| @nodes.push(node) }
+        p.stream_close { close_connection }
+        p.stanza {|node| @nodes.push(node) }
+      end
+    end
+
+    # Advance the state machine into the +Closed+ state so any remaining queued
+    # nodes are not processed while we're waiting for EM to actually close the
+    # connection.
+    def close_connection(after_writing=false)
+      super
+      @closed = true
+      advance(Client::Closed.new(self))
+    end
+
+    def receive_data(data)
+      return if @closed
+      @stanza_size += data.bytesize
+      if @stanza_size < max_stanza_size
+        @parser << data rescue error(StreamErrors::NotWellFormed.new)
+      else
+        error(StreamErrors::PolicyViolation.new('max stanza size reached'))
+      end
+    end
+
+    # Reset the connection's XML parser when a new <stream:stream> header
+    # is received.
+    def reset
+      create_parser
+    end
+
+    # Returns the storage system for the domain. If no domain is given,
+    # the stream's storage mechanism is returned.
+    def storage(domain=nil)
+      @config.storage(domain || self.domain)
+    end
+
+    # Returns the Vines::Config::Host virtual host for the stream's domain.
+    def vhost
+      @config.vhost(domain)
+    end
+
+    # Reload the user's information into their active connections. Call this
+    # after storage.save_user() to sync the new user state with their other
+    # connections.
+    def update_user_streams(user)
+      connected_resources(user.jid.bare).each do |stream|
+        stream.user.update_from(user)
+      end
+    end
+
+    def connected_resources(jid)
+      router.connected_resources(jid, user.jid)
+    end
+
+    def available_resources(*jid)
+      router.available_resources(*jid, user.jid)
+    end
+
+    def interested_resources(*jid)
+      router.interested_resources(*jid, user.jid)
+    end
+
+    def ssl_verify_peer(pem)
+      # EM is supposed to close the connection when this returns false,
+      # but it only does that for inbound connections, not when we
+      # make a connection to another server.
+      @store.trusted?(pem).tap do |trusted|
+        close_connection unless trusted
+      end
+    end
+
+    def cert_domain_matches?(domain)
+      @store.domain?(get_peer_cert, domain)
+    end
+
+    # Send the data over the wire to this client.
+    def write(data)
+      log_node(data, :out)
+      if data.respond_to?(:to_xml)
+        data = data.to_xml(:indent => 0)
+      end
+      send_data(data)
+    end
+
+    def encrypt
+      cert, key = @store.files_for_domain(domain)
+      start_tls(cert_chain_file: cert, private_key_file: key, verify_peer: true)
+    end
+
+    # Returns true if the TLS certificate and private key files for this domain
+    # exist and can be used to encrypt this stream.
+    def encrypt?
+      !@store.files_for_domain(domain).nil?
+    end
+
+    def unbind
+      router.delete(self)
+      log.info { "%s %21s -> %s" %
+        ['Stream disconnected:'.ljust(PAD), @remote_addr, @local_addr] }
+      log.info { "Streams connected: #{router.size}" }
+    end
+
+    # Advance the stream's state machine to the new state. XML nodes received
+    # by the stream will be passed to this state's +node+ method.
+    def advance(state)
+      @state = state
+    end
+
+    # Stream level errors close the stream while stanza and SASL errors are
+    # written to the client and leave the stream open. All exceptions should
+    # pass through this method for consistent handling.
+    def error(e)
+      case e
+      when SaslError, StanzaError
+        write(e.to_xml)
+      when StreamError
+        send_stream_error(e)
+        close_stream
+      else
+        log.error(e)
+        send_stream_error(StreamErrors::InternalServerError.new)
+        close_stream
+      end
+    end
+
+    def router
+      @config.router
+    end
+
+    private
+
+    # Return the remote and local socket addresses used by this connection.
+    def addresses
+      [get_peername, get_sockname].map do |addr|
+        addr ? Socket.unpack_sockaddr_in(addr)[0, 2].reverse.join(':') : 'unknown'
+      end
+    end
+
+    # Write the StreamError's xml to the stream. Subclasses can override
+    # this method with custom error writing behavior.
+    def send_stream_error(e)
+      write(e.to_xml)
+    end
+
+    # Write a closing stream tag to the stream then close the stream. Subclasses
+    # can override this method for custom close behavior.
+    def close_stream
+      write('</stream:stream>')
+      close_connection_after_writing
+    end
+
+    def error?(node)
+      ns = node.namespace ? node.namespace.href : nil
+      node.name == ERROR && ns == NAMESPACES[:stream]
+    end
+
+    # Schedule a queue pop on the EM thread to handle the next element. This
+    # guarantees all stanzas received on this stream are processed in order.
+    # http://tools.ietf.org/html/rfc6120#section-10.1
+    def process_node_queue
+      @nodes.pop do |node|
+        Fiber.new do
+          process_node(node)
+          process_node_queue
+        end.resume unless @closed
+      end
+    end
+
+    def process_node(node)
+      log_node(node, :in)
+      @stanza_size = 0
+      enforce_rate_limit
+      if error?(node)
+        close_stream
+      else
+        state.node(node)
+      end
+    rescue => e
+      error(e)
+    end
+
+    def enforce_rate_limit
+      unless @bucket.take(1)
+        raise StreamErrors::PolicyViolation.new('rate limit exceeded')
+      end
+    end
+
+    def log_node(node, direction)
+      return unless log.debug?
+      from, to = @remote_addr, @local_addr
+      from, to = to, from if direction == :out
+      label = (direction == :out) ? 'Sent' : 'Received'
+      log.debug("%s %21s -> %s\n%s\n" %
+        ["#{label} stanza:".ljust(PAD), from, to, node])
+    end
+
+    # Returns the current +State+ of the stream's state machine. Provided as a
+    # method so subclasses can override the behavior.
+    def state
+      @state
+    end
+
+    # Return +true+ if this is a valid domain-only JID that can be used in
+    # stream initiation stanza headers.
+    def valid_address?(jid)
+      JID.new(jid).domain? rescue false
+    end
+  end
+end

data/lib/vines/stream/client.rb

@@ -0,0 +1,84 @@
+# encoding: UTF-8
+
+module Vines
+  class Stream
+    # Implements the XMPP protocol for client-to-server (c2s) streams. This
+    # serves connected streams using the jabber:client namespace.
+    class Client < Stream
+      MECHANISMS = %w[PLAIN].freeze
+
+      def initialize(config)
+        super
+        @session = Client::Session.new(self)
+      end
+
+      # Delegate behavior to the session that's storing our stream state.
+      def method_missing(name, *args)
+        @session.send(name, *args)
+      end
+
+      %w[advance domain state user user=].each do |name|
+        define_method name do |*args|
+          @session.send(name, *args)
+        end
+      end
+
+      %w[max_stanza_size max_resources_per_account].each do |name|
+        define_method name do |*args|
+          config[:client].send(name, *args)
+        end
+      end
+
+      # Return an array of allowed authentication mechanisms advertised as
+      # client stream features.
+      def authentication_mechanisms
+        MECHANISMS
+      end
+
+      def ssl_handshake_completed
+        if get_peer_cert
+          close_connection unless cert_domain_matches?(@session.domain)
+        end
+      end
+
+      def unbind
+        @session.unbind!(self)
+        super
+      end
+
+      def start(node)
+        to, from = %w[to from].map {|a| node[a] }
+        @session.domain = to unless @session.domain
+        send_stream_header(from)
+        raise StreamErrors::NotAuthorized if domain_change?(to)
+        raise StreamErrors::UnsupportedVersion unless node['version'] == '1.0'
+        raise StreamErrors::ImproperAddressing unless valid_address?(@session.domain)
+        raise StreamErrors::HostUnknown unless config.vhost?(@session.domain)
+        raise StreamErrors::InvalidNamespace unless node.namespaces['xmlns'] == NAMESPACES[:client]
+        raise StreamErrors::InvalidNamespace unless node.namespaces['xmlns:stream'] == NAMESPACES[:stream]
+      end
+
+      private
+
+      # The +to+ domain address set on the initial stream header must not change
+      # during stream restarts. This prevents a user from authenticating in one
+      # domain, then using a stream in a different domain.
+      def domain_change?(to)
+        to != @session.domain
+      end
+
+      def send_stream_header(to)
+        attrs = {
+          'xmlns' => NAMESPACES[:client],
+          'xmlns:stream' => NAMESPACES[:stream],
+          'xml:lang' => 'en',
+          'id' => Kit.uuid,
+          'from' => @session.domain,
+          'version' => '1.0'
+        }
+        attrs['to'] = to if to
+        write "<stream:stream %s>" % attrs.to_a.map{|k,v| "#{k}='#{v}'"}.join(' ')
+      end
+    end
+  end
+end

data/lib/vines/stream/client/auth.rb

@@ -0,0 +1,74 @@
+# encoding: UTF-8
+
+module Vines
+  class Stream
+    class Client
+      class Auth < State
+        NS        = NAMESPACES[:sasl]
+        MECHANISM = 'mechanism'.freeze
+        AUTH      = 'auth'.freeze
+        PLAIN     = 'PLAIN'.freeze
+        EXTERNAL  = 'EXTERNAL'.freeze
+        SUCCESS   = %Q{<success xmlns="#{NS}"/>}.freeze
+        MAX_AUTH_ATTEMPTS = 3
+
+        def initialize(stream, success=BindRestart)
+          super
+          @attempts = 0
+          @sasl = SASL.new(stream)
+        end
+
+        def node(node)
+          raise StreamErrors::NotAuthorized unless auth?(node)
+          if node.text.empty?
+            send_auth_fail(SaslErrors::MalformedRequest.new)
+          elsif stream.authentication_mechanisms.include?(node[MECHANISM])
+            case node[MECHANISM]
+            when PLAIN    then plain_auth(node)
+            when EXTERNAL then external_auth(node)
+            end
+          else
+            send_auth_fail(SaslErrors::InvalidMechanism.new)
+          end
+        end
+
+        private
+
+        def auth?(node)
+          node.name == AUTH && namespace(node) == NS
+        end
+
+        def plain_auth(node)
+          stream.user = @sasl.plain_auth(node.text)
+          send_auth_success
+        rescue => e
+          send_auth_fail(e)
+        end
+
+        def external_auth(node)
+          @sasl.external_auth(node.text)
+          send_auth_success
+        rescue => e
+          send_auth_fail(e)
+          stream.write('</stream:stream>')
+          stream.close_connection_after_writing
+        end
+
+        def send_auth_success
+          stream.write(SUCCESS)
+          stream.reset
+          advance
+        end
+
+        def send_auth_fail(condition)
+          @attempts += 1
+          if @attempts >= MAX_AUTH_ATTEMPTS
+            stream.error(StreamErrors::PolicyViolation.new("max authentication attempts exceeded"))
+          else
+            stream.error(condition)
+          end
+        end
+      end
+    end
+  end
+end