Merge 0.10->trunk

core/certmanager.lua

@@ -58,6 +58,7 @@ local key_try = { "", "/%s.key", "/%s/privkey.pem",   "/%s.pem", };
 
 local function find_cert(user_certs, name)
 	local certs = resolve_path(config_path, user_certs or global_certificates);
+	log("debug", "Searching %s for a key and certificate for %s...", certs, name);
 	for i = 1, #crt_try do
 		local crt_path = certs .. crt_try[i]:format(name);
 		local key_path = certs .. key_try[i]:format(name);
@@ -66,13 +67,16 @@ local function find_cert(user_certs, name)
 			if key_path:sub(-4) == ".crt" then
 				key_path = key_path:sub(1, -4) .. "key";
 				if stat(key_path, "mode") == "file" then
+					log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
 					return { certificate = crt_path, key = key_path };
 				end
 			elseif stat(key_path, "mode") == "file" then
+				log("debug", "Selecting certificate %s with key %s for %s", crt_path, key_path, name);
 				return { certificate = crt_path, key = key_path };
 			end
 		end
 	end
+	log("debug", "No certificate/key found for %s", name);
 end
 
 local function find_host_cert(host)

net/adns.lua

@@ -7,7 +7,7 @@
 --
 
 local server = require "net.server";
-local dns = require "net.dns";
+local new_resolver = require "net.dns".resolver;
 
 local log = require "util.logger".init("adns");
 
@@ -17,35 +17,11 @@ local function dummy_send(sock, data, i, j) return (j-i)+1; end
 
 local _ENV = nil;
 
-local function lookup(handler, qname, qtype, qclass)
-	return coroutine.wrap(function (peek)
-				if peek then
-					log("debug", "Records for %s already cached, using those...", qname);
-					handler(peek);
-					return;
-				end
-				log("debug", "Records for %s not in cache, sending query (%s)...", qname, tostring(coroutine.running()));
-				local ok, err = dns.query(qname, qtype, qclass);
-				if ok then
-					coroutine.yield({ qclass or "IN", qtype or "A", qname, coroutine.running()}); -- Wait for reply
-					log("debug", "Reply for %s (%s)", qname, tostring(coroutine.running()));
-				end
-				if ok then
-					ok, err = pcall(handler, dns.peek(qname, qtype, qclass));
-				else
-					log("error", "Error sending DNS query: %s", err);
-					ok, err = pcall(handler, nil, err);
-				end
-				if not ok then
-					log("error", "Error in DNS response handler: %s", tostring(err));
-				end
-			end)(dns.peek(qname, qtype, qclass));
-end
+local async_resolver_methods = {};
+local async_resolver_mt = { __index = async_resolver_methods };
 
-local function cancel(handle, call_handler, reason)
-	log("warn", "Cancelling DNS lookup for %s", tostring(handle[3]));
-	dns.cancel(handle[1], handle[2], handle[3], handle[4], call_handler);
-end
+local query_methods = {};
+local query_mt = { __index = query_methods };
 
 local function new_async_socket(sock, resolver)
 	local peername = "<unknown>";
@@ -54,7 +30,7 @@ local function new_async_socket(sock, resolver)
 	local err;
 	function listener.onincoming(conn, data)
 		if data then
-			dns.feed(handler, data);
+			resolver:feed(handler, data);
 		end
 	end
 	function listener.ondisconnect(conn, err)
@@ -85,10 +61,47 @@ local function new_async_socket(sock, resolver)
 	return handler;
 end
 
-dns.socket_wrapper_set(new_async_socket);
+function async_resolver_methods:lookup(handler, qname, qtype, qclass)
+	local resolver = self._resolver;
+	return coroutine.wrap(function (peek)
+				if peek then
+					log("debug", "Records for %s already cached, using those...", qname);
+					handler(peek);
+					return;
+				end
+				log("debug", "Records for %s not in cache, sending query (%s)...", qname, tostring(coroutine.running()));
+				local ok, err = resolver:query(qname, qtype, qclass);
+				if ok then
+					coroutine.yield(setmetatable({ resolver, qclass or "IN", qtype or "A", qname, coroutine.running()}, query_mt)); -- Wait for reply
+					log("debug", "Reply for %s (%s)", qname, tostring(coroutine.running()));
+				end
+				if ok then
+					ok, err = pcall(handler, resolver:peek(qname, qtype, qclass));
+				else
+					log("error", "Error sending DNS query: %s", err);
+					ok, err = pcall(handler, nil, err);
+				end
+				if not ok then
+					log("error", "Error in DNS response handler: %s", tostring(err));
+				end
+			end)(resolver:peek(qname, qtype, qclass));
+end
+
+function query_methods:cancel(call_handler, reason)
+	log("warn", "Cancelling DNS lookup for %s", tostring(self[4]));
+	self[1].cancel(self[2], self[3], self[4], self[5], call_handler);
+end
+
+local function new_async_resolver()
+	local resolver = new_resolver();
+	resolver:socket_wrapper_set(new_async_socket);
+	return setmetatable({ _resolver = resolver}, async_resolver_mt);
+end
 
 return {
-	lookup = lookup;
-	cancel = cancel;
+	lookup = function (...)
+		return new_async_resolver():lookup(...);
+	end;
+	resolver = new_async_resolver;
 	new_async_socket = new_async_socket;
 };

net/dns.lua

@@ -504,7 +504,7 @@ function resolver:rr()    -- - - - - - - - - - - - - - - - - - - - - - - -  rr
 	rr.ttl      = 0x10000*self:word() + self:word();
 	rr.rdlength = self:word();
 
-	rr.tod = self.time + math.min(rr.ttl, 1);
+	rr.tod = self.time + math.max(rr.ttl, 1);
 
 	local remember = self.offset;
 	local rr_parser = self[dns.type[rr.type]];

plugins/mod_limits.lua

@@ -0,0 +1,96 @@
+-- Because we deal we pre-authed sessions and streams we can't be host-specific
+module:set_global();
+
+local filters = require "util.filters";
+local throttle = require "util.throttle";
+local timer = require "util.timer";
+
+local limits_cfg = module:get_option("limits", {});
+local limits_resolution = module:get_option_number("limits_resolution", 1);
+
+local default_bytes_per_second = 3000;
+local default_burst = 2;
+
+local rate_units = { b = 1, k = 3, m = 6, g = 9, t = 12 } -- Plan for the future.
+local function parse_rate(rate, sess_type)
+	local quantity, unit, exp;
+	if rate then
+		quantity, unit = rate:match("^(%d+) ?([^/]+)/s$");
+		exp = quantity and rate_units[unit:sub(1,1):lower()];
+	end
+	if not exp then
+		module:log("error", "Error parsing rate for %s: %q, using default rate (%d bytes/s)", sess_type, rate, default_bytes_per_second);
+		return default_bytes_per_second;
+	end
+	return quantity*(10^exp);
+end
+
+local function parse_burst(burst, sess_type)
+	if type(burst) == "string" then
+		burst = burst:match("^(%d+) ?s$");
+	end
+	local n_burst = tonumber(burst);
+	if not n_burst then
+		module:log("error", "Unable to parse burst for %s: %q, using default burst interval (%ds)", sess_type, tostring(burst), default_burst);
+	end
+	return n_burst or default_burst;
+end
+
+-- Process config option into limits table:
+-- limits = { c2s = { bytes_per_second = X, burst_seconds = Y } }
+local limits = {};
+
+for sess_type, sess_limits in pairs(limits_cfg) do
+	limits[sess_type] = {
+		bytes_per_second = parse_rate(sess_limits.rate, sess_type);
+		burst_seconds = parse_burst(sess_limits.burst, sess_type);
+	};
+end
+
+local default_filter_set = {};
+
+function default_filter_set.bytes_in(bytes, session)
+	local throttle = session.throttle;
+	if throttle then
+		local ok, balance, outstanding = throttle:poll(#bytes, true);
+		if not ok then
+			session.log("debug", "Session over rate limit (%d) with %d (by %d), pausing", throttle.max, #bytes, outstanding);
+			session.conn:pause(); -- Read no more data from the connection until there is no outstanding data
+			local outstanding_data = bytes:sub(-outstanding);
+			bytes = bytes:sub(1, #bytes-outstanding);
+			timer.add_task(limits_resolution, function ()
+				if not session.conn then return; end
+				if throttle:peek(#outstanding_data) then
+					session.log("debug", "Resuming paused session");
+					session.conn:resume();
+				end
+				-- Handle what we can of the outstanding data
+				session.data(outstanding_data);
+			end);
+		end
+	end
+	return bytes;
+end
+
+local type_filters = {
+	c2s = default_filter_set;
+	s2sin = default_filter_set;
+	s2sout = default_filter_set;
+};
+
+local function filter_hook(session)
+	local session_type = session.type:match("^[^_]+");
+	local filter_set, opts = type_filters[session_type], limits[session_type];
+	if opts then
+		session.throttle = throttle.create(opts.bytes_per_second * opts.burst_seconds, opts.burst_seconds);
+		filters.add_filter(session, "bytes/in", filter_set.bytes_in, 1000);
+	end
+end
+
+function module.load()
+	filters.add_filter_hook(filter_hook);
+end
+
+function module.unload()
+	filters.remove_filter_hook(filter_hook);
+end

plugins/mod_s2s/mod_s2s.lua

@@ -180,6 +180,7 @@ end
 
 -- Stream is authorised, and ready for normal stanzas
 function mark_connected(session)
+
 	local sendq = session.sendq;
 
 	local from, to = session.from_host, session.to_host;
@@ -211,6 +212,7 @@ function mark_connected(session)
 			session.sendq = nil;
 		end
 
+		session.resolver = nil;
 		session.ip_hosts = nil;
 		session.srv_hosts = nil;
 	end

plugins/mod_s2s/s2sout.lib.lua

@@ -49,6 +49,8 @@ function s2sout.initiate_connection(host_session)
 	initialize_filters(host_session);
 	host_session.version = 1;
 
+	host_session.resolver = adns.resolver();
+
 	-- Kick the connection attempting machine into life
 	if not s2sout.attempt_connection(host_session) then
 		-- Intentionally not returning here, the
@@ -84,9 +86,7 @@ function s2sout.attempt_connection(host_session, err)
 	if not err then -- This is our first attempt
 		log("debug", "First attempt to connect to %s, starting with SRV lookup...", to_host);
 		host_session.connecting = true;
-		local handle;
-		handle = adns.lookup(function (answer)
-			handle = nil;
+		host_session.resolver:lookup(function (answer)
 			local srv_hosts = { answer = answer };
 			host_session.srv_hosts = srv_hosts;
 			host_session.srv_choice = 0;
@@ -168,7 +168,7 @@ function s2sout.try_connect(host_session, connect_host, connect_port, err)
 		local have_other_result = not(has_ipv4) or not(has_ipv6) or false;
 
 		if has_ipv4 then
-			handle4 = adns.lookup(function (reply, err)
+			handle4 = host_session.resolver:lookup(function (reply, err)
 				handle4 = nil;
 
 				if reply and reply[#reply] and reply[#reply].a then
@@ -206,7 +206,7 @@ function s2sout.try_connect(host_session, connect_host, connect_port, err)
 		end
 
 		if has_ipv6 then
-			handle6 = adns.lookup(function (reply, err)
+			handle6 = host_session.resolver:lookup(function (reply, err)
 				handle6 = nil;
 
 				if reply and reply[#reply] and reply[#reply].aaaa then

plugins/mod_server_contact_info.lua

@@ -0,0 +1,49 @@
+-- XEP-0157: Contact Addresses for XMPP Services for Prosody
+--
+-- Copyright (C) 2011-2016 Kim Alvefur
+--
+-- This file is MIT/X11 licensed.
+--
+
+local t_insert = table.insert;
+local array = require "util.array";
+local df_new = require "util.dataforms".new;
+
+-- Source: http://xmpp.org/registrar/formtypes.html#http:--jabber.org-network-serverinfo
+local valid_types = {
+	abuse = true;
+	admin = true;
+	feedback = true;
+	sales = true;
+	security = true;
+	support = true;
+}
+
+local contact_config = module:get_option("contact_info");
+if not contact_config or not next(contact_config) then -- we'll use admins from the config as default
+	local admins = module:get_option_inherited_set("admins", {});
+	if admins:empty() then
+		module:log("error", "No contact_info or admins set in config");
+		return -- Nothing to attach, so we'll just skip it.
+	end
+	module:log("info", "No contact_info in config, using admins as fallback");
+	contact_config = {
+		admin = array.collect( admins / function(admin) return "xmpp:" .. admin; end);
+	};
+end
+
+local form_layout = {
+	{ value = "http://jabber.org/network/serverinfo"; type = "hidden"; name = "FORM_TYPE"; };
+};
+
+local form_values = {};
+
+for t in pairs(valid_types) do
+	local addresses = contact_config[t];
+	if addresses then
+		t_insert(form_layout, { name = t .. "-addresses", type = "list-multi" });
+		form_values[t .. "-addresses"] = addresses;
+	end
+end
+
+module:add_extension(df_new(form_layout):form(form_values, "result"));

prosody

@@ -20,8 +20,8 @@ CFG_DATADIR=CFG_DATADIR or os.getenv("PROSODY_DATADIR");
 
 local function is_relative(path)
 	local path_sep = package.config:sub(1,1);
-        return ((path_sep == "/" and path:sub(1,1) ~= "/")
-	or (path_sep == "\\" and (path:sub(1,1) ~= "/" and path:sub(2,3) ~= ":\\")))
+	return ((path_sep == "/" and path:sub(1,1) ~= "/")
+		or (path_sep == "\\" and (path:sub(1,1) ~= "/" and path:sub(2,3) ~= ":\\")))
 end
 
 -- Tell Lua where to find our libraries

prosody.cfg.lua.dist

@@ -4,7 +4,8 @@
 -- website at https://prosody.im/doc/configure
 --
 -- Tip: You can check that the syntax of this file is correct
--- when you have finished by running: prosodyctl check config
+-- when you have finished by running this command:
+--     prosodyctl check config
 -- If there are any errors, it will let you know what and where
 -- they are, otherwise it will keep quiet.
 --
@@ -26,9 +27,14 @@ admins = { }
 -- For more information see: https://prosody.im/doc/libevent
 --use_libevent = true
 
+-- Prosody will always look in its source directory for modules, but
+-- this option allows you to specify additional locations where Prosody
+-- will look for modules first. For community modules, see https://modules.prosody.im/
+--plugin_paths = {}
+
 -- This is the list of modules Prosody will load on startup.
 -- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.
--- Documentation on modules can be found at: https://prosody.im/doc/modules
+-- Documentation for bundled modules can be found at: https://prosody.im/doc/modules
 modules_enabled = {
 
 	-- Generally required
@@ -39,20 +45,19 @@ modules_enabled = {
 		"disco"; -- Service discovery
 
 	-- Not essential, but recommended
+		"carbons"; -- Keep multiple clients in sync
+		"pep"; -- Enables users to publish their mood, activity, playing music and more
 		"private"; -- Private XML storage (for room bookmarks, etc.)
+		"blocklist"; -- Allow users to block communications with other users
 		"vcard"; -- Allow users to set vCards
 
-	-- These are commented by default as they have a performance impact
-		--"blocklist"; -- Allow users to block communications with other users
-		--"compression"; -- Stream compression
-
 	-- Nice to have
 		"version"; -- Replies to server version requests
 		"uptime"; -- Report how long server has been running
 		"time"; -- Let others know the time here on this server
 		"ping"; -- Replies to XMPP pings with pongs
-		"pep"; -- Enables users to publish their mood, activity, playing music and more
 		"register"; -- Allow users to register on this server using a client and change passwords
+		--"mam"; -- Store messages in an archive and allow users to access it
 
 	-- Admin interfaces
 		"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
@@ -60,15 +65,19 @@ modules_enabled = {
 
 	-- HTTP modules
 		--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
+		--"websockets"; -- XMPP over WebSockets
 		--"http_files"; -- Serve static files from a directory over HTTP
 
 	-- Other specific functionality
+		--"limits"; -- Enable bandwidth limiting for XMPP connections
 		--"groups"; -- Shared roster support
+		--"server_contact_info"; -- Publish contact information for this service
 		--"announce"; -- Send announcement to all online users
 		--"welcome"; -- Welcome users who register accounts
 		--"watchregistrations"; -- Alert admins of registrations
 		--"motd"; -- Send a message to users when they log in
 		--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
+		--"proxy65"; -- Enables a file transfer proxy service which clients behind NAT can use
 }
 
 -- These modules are auto-loaded, but should you want
@@ -84,18 +93,18 @@ modules_disabled = {
 -- For more information see https://prosody.im/doc/creating_accounts
 allow_registration = false
 
--- These are the SSL/TLS-related settings. If you don't want
--- to use SSL/TLS, you may comment or remove this
-ssl = {
-	key = "certs/localhost.key";
-	certificate = "certs/localhost.crt";
-}
-
 -- Force clients to use encrypted connections? This option will
 -- prevent clients from authenticating unless they are using encryption.
 
 c2s_require_encryption = true
 
+-- Force servers to use encrypted connections? This option will
+-- prevent servers from authenticating unless they are using encryption.
+-- Note that this is different from authentication
+
+s2s_require_encryption = true
+
+
 -- Force certificate authentication for server-to-server connections?
 -- This provides ideal security, but requires servers you communicate
 -- with to support encryption AND present valid, trusted certificates.
@@ -104,11 +113,12 @@ c2s_require_encryption = true
 
 s2s_secure_auth = false
 
--- Many servers don't support encryption or have invalid or self-signed
--- certificates. You can list domains here that will not be required to
--- authenticate using certificates. They will be authenticated using DNS.
+-- Some servers have invalid or self-signed certificates. You can list
+-- remote domains here that will not be required to authenticate using
+-- certificates. They will be authenticated using DNS instead, even
+-- when s2s_secure_auth is enabled.
 
---s2s_insecure_domains = { "gmail.com" }
+--s2s_insecure_domains = { "insecure.example" }
 
 -- Even if you leave s2s_secure_auth disabled, you can still require valid
 -- certificates for some domains by specifying a list here.
@@ -122,7 +132,7 @@ s2s_secure_auth = false
 -- server please see https://prosody.im/doc/modules/mod_auth_internal_hashed
 -- for information about using the hashed backend.
 
-authentication = "internal_plain"
+authentication = "internal_hashed"
 
 -- Select the storage backend to use. By default Prosody uses flat files
 -- in its configured data directory, but it also supports more backends
@@ -136,6 +146,18 @@ authentication = "internal_plain"
 --sql = { driver = "MySQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
 --sql = { driver = "PostgreSQL", database = "prosody", username = "prosody", password = "secret", host = "localhost" }
 
+
+-- Archiving configuration
+-- If mod_mam is enabled, Prosody will store a copy of every message. This
+-- is used to synchronize conversations between multiple clients, even if
+-- they are offline. This setting controls how long Prosody will keep
+-- messages in the archive before removing them.
+
+archive_expires_after = "1w" -- Remove archived messages after 1 week
+
+-- You can also configure messages to be stored in-memory only. For more
+-- archiving options, see https://prosody.im/doc/modules/mod_mam
+
 -- Logging configuration
 -- For advanced logging see https://prosody.im/doc/logging
 log = {
@@ -145,23 +167,28 @@ log = {
 	-- "*console"; -- Log to the console, useful for debugging with daemonize=false
 }
 
+-- Uncomment to enable statistics
+-- For more info see https://prosody.im/doc/statistics
+-- statistics = "internal"
+
+-- Certificates
+-- Every virtual host and component needs a certificate so that clients and
+-- servers can securely verify its identity. Prosody will automatically load
+-- certificates/keys from the directory specified here.
+-- For more information, including how to use 'prosodyctl' to auto-import certificates
+-- (from e.g. Let's Encrypt) see https://prosody.im/doc/certificates
+
+-- Location of directory to find certificates in (relative to main config file):
+certificates = "certs"
+
 ----------- Virtual hosts -----------
 -- You need to add a VirtualHost entry for each domain you wish Prosody to serve.
 -- Settings under each VirtualHost entry apply *only* to that host.
 
 VirtualHost "localhost"
 
-VirtualHost "example.com"
-	enabled = false -- Remove this line to enable this host
-
-	-- Assign this host a certificate for TLS, otherwise it would use the one
-	-- set in the global section (if any).
-	-- Note that old-style SSL on port 5223 only supports one certificate, and will always
-	-- use the global one.
-	ssl = {
-		key = "certs/example.com.key";
-		certificate = "certs/example.com.crt";
-	}
+--VirtualHost "example.com"
+--	certificate = "/path/to/example.crt"
 
 ------ Components ------
 -- You can specify components to add hosts that provide special services,
@@ -171,9 +198,6 @@ VirtualHost "example.com"
 ---Set up a MUC (multi-user chat) room server on conference.example.com:
 --Component "conference.example.com" "muc"
 
--- Set up a SOCKS5 bytestream proxy for server-proxied file transfers:
---Component "proxy.example.com" "proxy65"
-
 ---Set up an external component (default component port is 5347)
 --
 -- External components allow adding various services, such as gateways/

prosodyctl

@@ -1030,7 +1030,7 @@ function commands.check(arg)
 					suggested_global_modules = set.intersection(suggested_global_modules or set.new(options.modules_enabled), set.new(options.modules_enabled));
 				end
 			end
-			if not suggested_global_modules:empty() then
+			if suggested_global_modules and not suggested_global_modules:empty() then
 				print("    Consider moving these modules into modules_enabled in the global section:")
 				print("    "..tostring(suggested_global_modules / function (x) return ("%q"):format(x) end));
 			end

util/dataforms.lua

@@ -68,33 +68,37 @@ function form_t.form(layout, data, formtype)
 					form:tag("value"):text(line):up();
 				end
 			elseif field_type == "list-single" then
-				local has_default = false;
-				for _, val in ipairs(field.options or value) do
-					if type(val) == "table" then
-						form:tag("option", { label = val.label }):tag("value"):text(val.value):up():up();
-						if value == val.value or val.default and (not has_default) then
-							form:tag("value"):text(val.value):up();
-							has_default = true;
+				if formtype ~= "result" then
+					local has_default = false;
+					for _, val in ipairs(field.options or value) do
+						if type(val) == "table" then
+							form:tag("option", { label = val.label }):tag("value"):text(val.value):up():up();
+							if value == val.value or val.default and (not has_default) then
+								form:tag("value"):text(val.value):up();
+								has_default = true;
+							end
+						else
+							form:tag("option", { label= val }):tag("value"):text(tostring(val)):up():up();
 						end
-					else
-						form:tag("option", { label= val }):tag("value"):text(tostring(val)):up():up();
 					end
 				end
-				if field.options and value then
+				if (field.options or formtype == "result") and value then
 					form:tag("value"):text(value):up();
 				end
 			elseif field_type == "list-multi" then
-				for _, val in ipairs(field.options or value) do
-					if type(val) == "table" then
-						form:tag("option", { label = val.label }):tag("value"):text(val.value):up():up();
-						if not field.options and val.default then
-							form:tag("value"):text(val.value):up();
+				if formtype ~= "result" then
+					for _, val in ipairs(field.options or value) do
+						if type(val) == "table" then
+							form:tag("option", { label = val.label }):tag("value"):text(val.value):up():up();
+							if not field.options and val.default then
+								form:tag("value"):text(val.value):up();
+							end
+						else
+							form:tag("option", { label= val }):tag("value"):text(tostring(val)):up():up();
 						end
-					else
-						form:tag("option", { label= val }):tag("value"):text(tostring(val)):up():up();
 					end
 				end
-				if field.options and value then
+				if (field.options or formtype == "result") and value then
 					for _, val in ipairs(value) do
 						form:tag("value"):text(val):up();
 					end