mod_xmlrpc: Limit usage to admins

Sun, 08 Mar 2009 05:03:22 +0500

author
Waqas Hussain <waqas20@gmail.com>
date
Sun, 08 Mar 2009 05:03:22 +0500
changeset 892
2128891180b7
parent 891
236d1ce9fa99
child 893
cec476fcc19f

mod_xmlrpc: Limit usage to admins

plugins/mod_xmlrpc.lua file | annotate | diff | comparison | revisions
--- a/plugins/mod_xmlrpc.lua	Sun Mar 08 04:49:51 2009 +0500
+++ b/plugins/mod_xmlrpc.lua	Sun Mar 08 05:03:22 2009 +0500
@@ -14,6 +14,11 @@
 local pcall = pcall;
 local unpack = unpack;
 local tostring = tostring;
+local is_admin = require "core.usermanager".is_admin;
+local jid_split = require "util.jid".split;
+local b64_decode = require "util.encodings".base64.decode;
+local get_method = require "core.objectmanager".get_object;
+local validate_credentials = require "core.usermanager".validate_credentials;
 
 local translate_request = require "util.xmlrpc".translate_request;
 local create_response = require "util.xmlrpc".create_response;
@@ -60,13 +65,6 @@
 	return stanza.tags[1];
 end
 
---[[local function get_method(method)
-	return function(...)
-		return {method = method; args = {...}};
-	end
-end]]
-local get_method = require "core.objectmanager".get_object;
-
 local function handle_xmlrpc_request(method, args)
 	method = get_method(method);
 	if not method then return create_error_response(404, "method not found"); end
@@ -86,29 +84,37 @@
 	local query = stanza.tags[1];
 	if query.name == "query" then
 		if #query.tags == 1 then
-			local success, method, args = pcall(translate_request, query.tags[1]);
-			if success then
-				local result = handle_xmlrpc_request(method, args);
-				origin.send(st.reply(stanza):tag('query', {xmlns='jabber:iq:rpc'}):add_child(result));
-			else
-				origin.send(st.error_reply(stanza, "modify", "bad-request", method));
-			end
-		else
-			origin.send(st.error_reply(stanza, "modify", "bad-request", "No content in XML-RPC request"));
-		end
-	else
-		origin.send(st.error_reply(stanza, "cancel", "service-unavailable"));
-	end
+			if is_admin(stanza.attr.from) then
+				local success, method, args = pcall(translate_request, query.tags[1]);
+				if success then
+					local result = handle_xmlrpc_request(method, args);
+					origin.send(st.reply(stanza):tag('query', {xmlns='jabber:iq:rpc'}):add_child(result));
+				else
+					origin.send(st.error_reply(stanza, "modify", "bad-request", method));
+				end
+			else origin.send(st.error_reply(stanza, "auth", "forbidden", "No content in XML-RPC request")); end
+		else origin.send(st.error_reply(stanza, "modify", "bad-request", "No content in XML-RPC request")); end
+	else origin.send(st.error_reply(stanza, "cancel", "service-unavailable")); end
 end
 module:add_iq_handler({"c2s", "s2sin"}, "jabber:iq:rpc", handle_xmpp_request);
 module:add_feature("jabber:iq:rpc");
+-- TODO add <identity category='automation' type='rpc'/> to disco replies
 
-local default_headers = { ["Content-Type"] = "text/xml" };
+local default_headers = { ['Content-Type'] = 'text/xml' };
+local unauthorized_response = { status = '401 UNAUTHORIZED', headers = {['Content-Type']='text/html', ['WWW-Authenticate']='Basic realm="WallyWorld"'}; body = "<html><body>Authentication required</body></html>"; };
 local function handle_http_request(method, body, request)
+	-- authenticate user
+	local username, password = b64_decode(request['authorization'] or ''):gmatch('([^:]*):(.*)')(); -- TODO digest auth
+	local node, host = jid_split(username);
+	if not validate_credentials(host, node, password) and is_admin(username) then
+		return unauthorized_response;
+	end
+	-- parse request
 	local stanza = body and parse_xml(body);
 	if (not stanza) or request.method ~= "POST" then
 		return "<html><body>You really don't look like an XML-RPC client to me... what do you want?</body></html>";
 	end
+	-- execute request
 	local success, method, args = pcall(translate_request, stanza);
 	if success then
 		return { headers = default_headers; body = tostring(handle_xmlrpc_request(method, args)) };

mercurial