1 |
|
%%%---------------------------------------------------------------------- |
2 |
|
%%% File : mod_register.erl |
3 |
|
%%% Author : Alexey Shchepin <alexey@process-one.net> |
4 |
|
%%% Purpose : Inband registration support |
5 |
|
%%% Created : 8 Dec 2002 by Alexey Shchepin <alexey@process-one.net> |
6 |
|
%%% |
7 |
|
%%% |
8 |
|
%%% ejabberd, Copyright (C) 2002-2011 ProcessOne |
9 |
|
%%% |
10 |
|
%%% This program is free software; you can redistribute it and/or |
11 |
|
%%% modify it under the terms of the GNU General Public License as |
12 |
|
%%% published by the Free Software Foundation; either version 2 of the |
13 |
|
%%% License, or (at your option) any later version. |
14 |
|
%%% |
15 |
|
%%% This program is distributed in the hope that it will be useful, |
16 |
|
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of |
17 |
|
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
18 |
|
%%% General Public License for more details. |
19 |
|
%%% |
20 |
|
%%% You should have received a copy of the GNU General Public License |
21 |
|
%%% along with this program; if not, write to the Free Software |
22 |
|
%%% Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA |
23 |
|
%%% |
24 |
|
%%%---------------------------------------------------------------------- |
25 |
|
|
26 |
|
-module(mod_register). |
27 |
|
-author('alexey@process-one.net'). |
28 |
|
-xep([{xep, 77}, {version, "2.4"}]). |
29 |
|
-behaviour(gen_mod). |
30 |
|
-behaviour(mongoose_module_metrics). |
31 |
|
|
32 |
|
%% Gen_mod callbacks |
33 |
|
-export([start/2, |
34 |
|
stop/1, |
35 |
|
config_spec/0, |
36 |
|
supported_features/0]). |
37 |
|
|
38 |
|
%% IQ and hook handlers |
39 |
|
-export([c2s_stream_features/3, |
40 |
|
unauthenticated_iq_register/5, |
41 |
|
process_iq/5]). |
42 |
|
|
43 |
|
%% API |
44 |
|
-export([try_register/6, |
45 |
|
process_ip_access/1, |
46 |
|
process_welcome_message/1]). |
47 |
|
|
48 |
|
-ignore_xref([c2s_stream_features/3, process_iq/5, try_register/6, unauthenticated_iq_register/5]). |
49 |
|
|
50 |
|
-include("mongoose.hrl"). |
51 |
|
-include("jlib.hrl"). |
52 |
|
-include("mongoose_config_spec.hrl"). |
53 |
|
|
54 |
|
-spec start(mongooseim:host_type(), gen_mod:module_opts()) -> ok.
%% @doc Module start-up: registers the `jabber:iq:register' IQ handlers for
%% the local router and the session manager, installs the stream-feature and
%% unauthenticated-IQ hooks, and makes sure the RAM-only `mod_register_ip'
%% table (the per-source registration throttle state used by
%% `check_timeout/1') exists on this node. The mnesia results are not
%% inspected: the table may already exist when the module is (re)started.
start(HostType, #{iqdisc := IQDisc}) ->
    lists:foreach(
      fun({Component, Handler}) ->
              gen_iq_handler:add_iq_handler_for_domain(HostType, ?NS_REGISTER, Component,
                                                       Handler, #{}, IQDisc)
      end, iq_handlers()),
    ejabberd_hooks:add(hooks(HostType)),
    %% `local_content' keeps the throttle state node-local (no replication).
    mnesia:create_table(mod_register_ip,
                        [{ram_copies, [node()]},
                         {local_content, true},
                         {attributes, [key, value]}]),
    mnesia:add_table_copy(mod_register_ip, node(), ram_copies),
    ok.

-spec stop(mongooseim:host_type()) -> ok.
%% @doc Module shutdown: removes the hooks and IQ handlers added by
%% `start/2'. The `mod_register_ip' table is left in place.
stop(HostType) ->
    ejabberd_hooks:delete(hooks(HostType)),
    lists:foreach(
      fun({Component, _Handler}) ->
              gen_iq_handler:remove_iq_handler_for_domain(HostType, ?NS_REGISTER, Component)
      end, iq_handlers()),
    ok.

%% @doc IQ handler registrations installed by `start/2': the same
%% `process_iq/5' callback serves both the local router and the session manager.
iq_handlers() ->
    Handler = fun ?MODULE:process_iq/5,
    [{Component, Handler} || Component <- [ejabberd_local, ejabberd_sm]].

%% @doc Hook registrations for `HostType': advertise the register stream
%% feature and handle `jabber:iq:register' IQs from sessions that have not
%% authenticated yet. Both run at priority 50.
hooks(HostType) ->
    Priority = 50,
    [{c2s_stream_features, HostType, ?MODULE, c2s_stream_features, Priority},
     {c2s_unauthenticated_iq, HostType, ?MODULE, unauthenticated_iq_register, Priority}].

%%% |
82 |
|
%%% config_spec |
83 |
|
%%% |
84 |
|
|
85 |
|
-spec config_spec() -> mongoose_config_spec:config_section().
%% @doc TOML section for `modules.mod_register'. `access' is the access rule
%% consulted for registration and cancellation; `ip_access' is an ordered
%% allow/deny list of CIDR masks (first match wins in `check_ip_access/2');
%% `password_strength' is the minimum entropy required by
%% `is_strong_password/2', 0 disabling the check; `registration_watchers'
%% are JIDs notified about every new account.
config_spec() ->
    Items = #{<<"iqdisc">> => mongoose_config_spec:iqdisc(),
              <<"access">> => #option{type = atom, validate = access_rule},
              <<"welcome_message">> => welcome_message_spec(),
              <<"registration_watchers">> =>
                  #list{items = #option{type = binary, validate = jid}},
              <<"password_strength">> => #option{type = integer, validate = non_negative},
              <<"ip_access">> => #list{items = ip_access_spec()}},
    %% `welcome_message' has no default on purpose: nothing is sent unless configured.
    Defaults = #{<<"iqdisc">> => one_queue,
                 <<"access">> => all,
                 <<"registration_watchers">> => [],
                 <<"password_strength">> => 0,
                 <<"ip_access">> => []},
    #section{items = Items,
             format_items = map,
             defaults = Defaults}.

%% @doc Sub-section for `welcome_message'. Both fields are strings defaulting
%% to "", and the section is post-processed into a `{Subject, Body}' tuple.
welcome_message_spec() ->
    StringOpt = #option{type = string},
    #section{items = #{<<"body">> => StringOpt,
                       <<"subject">> => StringOpt},
             defaults = #{<<"body">> => "",
                          <<"subject">> => ""},
             format_items = map,
             process = fun ?MODULE:process_welcome_message/1}.

%% @doc One `ip_access' entry: a CIDR `address' plus an `allow'/`deny'
%% `policy'. Both keys are required; the entry is post-processed into a
%% `{Policy, Address}' tuple.
ip_access_spec() ->
    Items = #{<<"address">> => #option{type = string, validate = ip_mask},
              <<"policy">> => #option{type = atom, validate = {enum, [allow, deny]}}},
    #section{items = Items,
             required = all,
             format_items = map,
             process = fun ?MODULE:process_ip_access/1}.

-spec supported_features() -> [atom()].
%% @doc gen_mod feature flags: this module supports dynamic domains.
supported_features() ->
    [dynamic_domains].

%% @doc Config post-processing: turn an `ip_access' entry map into the
%% `{Policy, Address}' tuple consumed by `get_ip_access/1'.
process_ip_access(Entry) ->
    #{policy := Policy, address := Address} = Entry,
    {Policy, Address}.

%% @doc Config post-processing: turn the `welcome_message' map into the
%% `{Subject, Body}' tuple consumed by `send_welcome_message/2'.
process_welcome_message(Msg) ->
    #{subject := Subject, body := Body} = Msg,
    {Subject, Body}.

%%% |
137 |
|
%%% Hooks and IQ handlers |
138 |
|
%%% |
139 |
|
|
140 |
|
-spec c2s_stream_features([exml:element()], mongooseim:host_type(), jid:lserver()) ->
          [exml:element()].
%% @doc Stream-features hook: prepend the `<register/>' feature element so
%% clients learn that in-band registration is offered.
c2s_stream_features(Acc, _HostType, _LServer) ->
    Feature = #xmlel{name = <<"register">>,
                     attrs = [{<<"xmlns">>, ?NS_FEATURE_IQREGISTER}]},
    [Feature | Acc].

-spec unauthenticated_iq_register(exml:element() | empty, mongooseim:host_type(),
                                  jid:server(), jlib:iq(),
                                  {inet:ip_address(), inet:port_number()} | undefined) ->
          exml:element() | empty.
%% @doc Hook for IQs received before authentication. Only `jabber:iq:register'
%% IQs are handled; anything else passes the accumulator through untouched.
%% The client has no JID yet, so `no_JID' stands in for the sender and the
%% peer IP address (when known) becomes the throttling / ip_access source.
%% The reply carries the bare server JID as `from'.
unauthenticated_iq_register(_Acc, HostType, Server, #iq{xmlns = ?NS_REGISTER} = IQ, IP) ->
    HostJID = make_host_only_jid(Server),
    ResIQ = process_unauthenticated_iq(HostType, no_JID, HostJID, IQ, peer_address(IP)),
    set_sender(jlib:iq_to_xml(ResIQ), HostJID);
unauthenticated_iq_register(Acc, _HostType, _Server, _IQ, _IP) ->
    Acc.

%% Strip the port from the connection endpoint; `undefined' when no address is known.
peer_address({Address, _Port}) -> Address;
peer_address(_) -> undefined.

%% Clients must register before being able to authenticate, so both `get'
%% (fetch the registration form) and `set' (register / cancel) are served
%% here without a sender JID. Other IQ types are not expected and raise
%% `function_clause'.
process_unauthenticated_iq(HostType, Sender, Recipient, #iq{type = set} = IQ, PeerAddress) ->
    process_iq_set(HostType, Sender, Recipient, IQ, PeerAddress);
process_unauthenticated_iq(HostType, Sender, Recipient, #iq{type = get} = IQ, PeerAddress) ->
    process_iq_get(HostType, Sender, Recipient, IQ, PeerAddress).

-spec process_iq(mongoose_acc:t(), jid:jid(), jid:jid(), jlib:iq(), map())
      -> {mongoose_acc:t(), jlib:iq()}.
%% @doc IQ handler for authenticated sessions (registered for both
%% `ejabberd_local' and `ejabberd_sm'). The lower-cased sender JID is the
%% "source" used for throttling and ip_access lookups; `check_ip_access/2'
%% resolves it to a peer address via the session manager when needed.
process_iq(Acc, From, To, #iq{type = Type} = IQ, _Extra) when Type =:= set; Type =:= get ->
    HostType = mongoose_acc:host_type(Acc),
    Source = jid:to_lower(From),
    Res = case Type of
              set -> process_iq_set(HostType, From, To, IQ, Source);
              get -> process_iq_get(HostType, From, To, IQ, Source)
          end,
    {Acc, Res}.

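%% @doc Entry point for `set' requests. The handler is selected by namespace,
%% so the child element name is client-controlled input: an element in the
%% register namespace that is not `<query/>' is answered with `bad-request'
%% instead of crashing the handler on a failed `true = ...' match.
process_iq_set(HostType, From, To, #iq{sub_el = Child} = IQ, Source) ->
    case is_query_element(Child) of
        true -> handle_set(HostType, IQ, From, To, Source);
        false -> error_response(IQ, mongoose_xmpp_errors:bad_request())
    end.
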
%% @doc Classify the `<query/>' payload and act on it: a lone `<remove/>'
%% cancels the registration, `<username/>' plus `<password/>' registers or
%% changes a password, anything else is `bad-request'.
handle_set(HostType, IQ, ClientJID, ServerJID, Source) ->
    Kind = which_child_elements(IQ#iq.sub_el),
    handle_set_kind(Kind, HostType, IQ, ClientJID, ServerJID, Source).

handle_set_kind(bad_request, _HostType, IQ, _ClientJID, _ServerJID, _Source) ->
    error_response(IQ, mongoose_xmpp_errors:bad_request());
handle_set_kind(only_remove_child, HostType, IQ, ClientJID, ServerJID, _Source) ->
    attempt_cancelation(HostType, ClientJID, ServerJID, IQ);
handle_set_kind(various_elements_present, HostType, IQ, ClientJID, ServerJID, Source) ->
    Query = IQ#iq.sub_el,
    case has_username_and_password_children(Query) of
        true ->
            Credentials = get_username_and_password_values(Query),
            register_or_change_password(HostType, Credentials, ClientJID, ServerJID, IQ, Source);
        false ->
            error_response(IQ, mongoose_xmpp_errors:bad_request())
    end.

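%% @doc Classify the children of the register `<query/>':
%%   exactly one child and it is `<remove/>'       -> `only_remove_child'
%%   several children, none of them `<remove/>'     -> `various_elements_present'
%%   no children, one other child, or `<remove/>'
%%   mixed with other elements                      -> `bad_request'
%% Dispatch is on the list shape in the function heads instead of the
%% previous O(n) `length/1' guards.
which_child_elements(#xmlel{children = [#xmlel{name = <<"remove">>}]}) ->
    only_remove_child;
which_child_elements(#xmlel{children = [_]}) ->
    bad_request;
which_child_elements(#xmlel{children = [_, _ | _]} = Query) ->
    case exml_query:subelement(Query, <<"remove">>) of
        undefined -> various_elements_present;
        #xmlel{name = <<"remove">>} -> bad_request
    end;
which_child_elements(#xmlel{children = []}) ->
    bad_request.
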
%% @doc True when the query has both a `<username/>' and a `<password/>'
%% child element (their text content may still be empty).
has_username_and_password_children(Query) ->
    exml_query:subelement(Query, <<"username">>) =/= undefined
        andalso exml_query:subelement(Query, <<"password">>) =/= undefined.

%% @doc Extract `{Username, Password}' cdata from the query; a value is
%% `undefined' when its element is missing.
get_username_and_password_values(Query) ->
    Username = exml_query:path(Query, [{element, <<"username">>}, cdata]),
    Password = exml_query:path(Query, [{element, <<"password">>}, cdata]),
    {Username, Password}.

%% @doc Gate a username/password `set' behind the module `access' rule and
%% hand it to registration or password change. For an unauthenticated client
%% (`no_JID') this gate always passes; for that case the access rule and the
%% `ip_access' list are enforced against the requested JID in `try_register/6'.
register_or_change_password(HostType, Credentials, ClientJID,
                            #jid{lserver = ServerDomain}, IQ, IPAddr) ->
    {Username, Password} = Credentials,
    case inband_registration_and_cancelation_allowed(HostType, ServerDomain, ClientJID) of
        true ->
            #iq{sub_el = Children, lang = Lang} = IQ,
            try_register_or_set_password(HostType, Username, ServerDomain, Password,
                                         ClientJID, IQ, Children, IPAddr, Lang);
        false ->
            %% Not described in XEP-0077; `forbidden' mirrors the access-rule denial.
            error_response(IQ, mongoose_xmpp_errors:forbidden())
    end.

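%% @doc Handle a `<remove/>' request. A not-yet-authenticated client has no
%% account to cancel and `ejabberd_auth:remove_user/1' needs a real JID, so
%% `no_JID' is answered with `not-allowed' instead of crashing on the
%% `#jid{}' match (the unauthenticated path previously reached this function
%% with the atom). For an authenticated client the `access' rule decides.
attempt_cancelation(_HostType, no_JID, _ServerJID, #iq{} = IQ) ->
    error_response(IQ, mongoose_xmpp_errors:not_allowed());
attempt_cancelation(HostType, #jid{} = ClientJID, #jid{lserver = ServerDomain}, #iq{} = IQ) ->
    case inband_registration_and_cancelation_allowed(HostType, ServerDomain, ClientJID) of
        true ->
            %% The response must be sent *before* the XML stream is closed
            %% (`ejabberd_auth:remove_user/1' does that), so it is routed
            %% directly here and `ignore' is returned instead of a reply.
            %% Consequently a failed removal cannot be reported to the client.
            ResIQ = IQ#iq{type = result, sub_el = []},
            ejabberd_router:route(jid:make_noprep(<<>>, <<>>, <<>>),
                                  ClientJID,
                                  jlib:iq_to_xml(ResIQ)),
            ejabberd_auth:remove_user(ClientJID),
            ignore;
        false ->
            error_response(IQ, mongoose_xmpp_errors:not_allowed())
    end.
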
%% @doc Whether `JID' may register or cancel on `ServerDomain' according to
%% the module's `access' rule. `no_JID' (an unauthenticated client) has
%% nothing to match, so the rule is skipped here: `try_register/6' evaluates
%% it against the requested JID later, and `attempt_cancelation/4' never
%% removes an account without a `#jid{}'.
inband_registration_and_cancelation_allowed(_HostType, _ServerDomain, no_JID) ->
    true;
inband_registration_and_cancelation_allowed(HostType, ServerDomain, JID) ->
    Rule = gen_mod:get_module_opt(HostType, ?MODULE, access),
    case acl:match_rule(HostType, ServerDomain, Rule, JID) of
        allow -> true;
        _ -> false
    end.

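%% @doc Answer a `get' with the registration form (XEP-0077). For an
%% authenticated sender whose account exists the form is pre-filled with the
%% username and carries `<registered/>'; an unauthenticated client gets the
%% empty form. The child element is validated rather than asserted: a
%% non-`<query/>' element in this namespace is client input and is answered
%% with `bad-request' instead of crashing the handler.
process_iq_get(_HostType, From, _To, #iq{lang = Lang, sub_el = Child} = IQ, _Source) ->
    case is_query_element(Child) of
        true -> registration_form(From, Lang, IQ);
        false -> error_response(IQ, mongoose_xmpp_errors:bad_request())
    end.

%% Build the result IQ; `From' is a `#jid{}' for authenticated sessions and
%% `no_JID' otherwise.
registration_form(From, Lang, IQ) ->
    {UsernameSubels, QuerySubels} = registration_state(From),
    TranslatedMsg = translate:translate(
                      Lang, <<"Choose a username and password to register with this server">>),
    IQ#iq{type = result,
          sub_el = [#xmlel{name = <<"query">>,
                           attrs = [{<<"xmlns">>, <<"jabber:iq:register">>}],
                           children = [#xmlel{name = <<"instructions">>,
                                              children = [#xmlcdata{content = TranslatedMsg}]},
                                       #xmlel{name = <<"username">>,
                                              children = UsernameSubels},
                                       #xmlel{name = <<"password">>}
                                       | QuerySubels]}]}.

%% `{UsernameChildren, ExtraQueryChildren}' for the form. Only the sender's
%% own JID is looked up, so this does not reveal whether other accounts exist.
registration_state(#jid{user = User} = JID) ->
    case ejabberd_auth:does_user_exist(JID) of
        true -> {[#xmlcdata{content = User}], [#xmlel{name = <<"registered">>}]};
        false -> {[#xmlcdata{content = User}], []}
    end;
registration_state(_) ->
    {[], []}.
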
%% @doc Decide between a password change and a new registration. The first
%% clause matches only when the requested username and server equal the
%% sender's own `#jid.user' / `#jid.lserver' exactly (the raw user part, not
%% `luser' — NOTE(review): a differently-cased username for the same account
%% therefore falls through to registration; confirm this is intended).
%% Every other request — including one from an authenticated session for a
%% different username — is a registration, throttled per source by
%% `check_timeout/1'. In both success replies the request `<query/>' (which
%% carries the plaintext password) is echoed back as `SubEl'.
try_register_or_set_password(HostType, User, Server, Password,
                             #jid{user = User, lserver = Server} = UserJID,
                             IQ, SubEl, _Source, Lang) ->
    try_set_password(HostType, UserJID, Password, IQ, SubEl, Lang);
try_register_or_set_password(HostType, User, Server, Password, _From, IQ, SubEl, Source, Lang) ->
    case check_timeout(Source) of
        false ->
            ErrText = <<"Users are not allowed to register accounts so quickly">>,
            error_response(IQ, mongoose_xmpp_errors:resource_constraint(Lang, ErrText));
        true ->
            Outcome = try_register(HostType, User, Server, Password, Source, Lang),
            registration_result(Outcome, IQ, SubEl)
    end.

registration_result(ok, IQ, SubEl) ->
    IQ#iq{type = result, sub_el = [SubEl]};
registration_result({error, Error}, IQ, SubEl) ->
    error_response(IQ, [SubEl, Error]).

%% @doc Try to change the password of an existing account and build the IQ
%% response. The new password is checked against `password_strength' first;
%% auth-backend error atoms are mapped to XMPP error conditions and the
%% request `<query/>' is echoed back in every reply.
try_set_password(HostType, #jid{} = UserJID, Password, IQ, SubEl, Lang) ->
    case is_strong_password(HostType, Password) of
        false ->
            ErrText = <<"The password is too weak">>,
            error_response(IQ, [SubEl, mongoose_xmpp_errors:not_acceptable(Lang, ErrText)]);
        true ->
            Outcome = ejabberd_auth:set_password(UserJID, Password),
            password_change_result(Outcome, IQ, SubEl)
    end.

password_change_result(ok, IQ, SubEl) ->
    IQ#iq{type = result, sub_el = [SubEl]};
password_change_result({error, empty_password}, IQ, SubEl) ->
    error_response(IQ, [SubEl, mongoose_xmpp_errors:bad_request()]);
password_change_result({error, not_allowed}, IQ, SubEl) ->
    error_response(IQ, [SubEl, mongoose_xmpp_errors:not_allowed()]);
password_change_result({error, invalid_jid}, IQ, SubEl) ->
    error_response(IQ, [SubEl, mongoose_xmpp_errors:item_not_found()]).

%% @doc Create the account `User@Server' if policy allows. The username is
%% validated as a nodename, then the module `access' rule is matched against
%% the *requested* JID and the `ip_access' list against the request source
%% (peer IP or session JID); either denial yields `forbidden'. Returns `ok'
%% or `{error, XmppErrorElement}'.
try_register(HostType, User, Server, Password, SourceRaw, Lang) ->
    case jid:is_nodename(User) of
        false ->
            {error, mongoose_xmpp_errors:bad_request()};
        _ ->
            JID = jid:make(User, Server, <<>>),
            Access = gen_mod:get_module_opt(HostType, ?MODULE, access),
            IPAccess = get_ip_access(HostType),
            AclDecision = acl:match_rule(HostType, Server, Access, JID),
            IpDecision = check_ip_access(SourceRaw, IPAccess),
            register_if_allowed(AclDecision, IpDecision, HostType, JID, Password, SourceRaw, Lang)
    end.

%% Both the access rule and the ip_access list must say `allow'.
register_if_allowed(deny, _IpDecision, _HostType, _JID, _Password, _Source, _Lang) ->
    {error, mongoose_xmpp_errors:forbidden()};
register_if_allowed(_AclDecision, deny, _HostType, _JID, _Password, _Source, _Lang) ->
    {error, mongoose_xmpp_errors:forbidden()};
register_if_allowed(allow, allow, HostType, JID, Password, SourceRaw, Lang) ->
    verify_password_and_register(HostType, JID, Password, SourceRaw, Lang).

%% @doc Enforce `password_strength', create the account, then fire the
%% post-registration side effects (welcome message, watcher notifications).
%% Known auth-backend errors are mapped to XMPP conditions; any other return
%% value — NOTE(review): including an `{error, _}' with an unlisted reason —
%% lands in the success branch, as in the original.
verify_password_and_register(HostType, #jid{} = JID, Password, SourceRaw, Lang) ->
    case is_strong_password(HostType, Password) of
        false ->
            ErrText = <<"The password is too weak">>,
            {error, mongoose_xmpp_errors:not_acceptable(Lang, ErrText)};
        true ->
            case ejabberd_auth:try_register(JID, Password) of
                {error, Reason} when Reason =:= exists; Reason =:= invalid_jid;
                                     Reason =:= not_allowed; Reason =:= null_password ->
                    {error, registration_error(Reason)};
                _ ->
                    send_welcome_message(HostType, JID),
                    send_registration_notifications(HostType, JID, SourceRaw),
                    ok
            end
    end.

registration_error(exists) -> mongoose_xmpp_errors:conflict();
registration_error(invalid_jid) -> mongoose_xmpp_errors:jid_malformed();
registration_error(not_allowed) -> mongoose_xmpp_errors:not_allowed();
registration_error(null_password) -> mongoose_xmpp_errors:not_acceptable().

%% @doc Send the configured `welcome_message' to the freshly registered
%% account as a `normal' message from the bare domain JID. The option has
%% no default in `config_spec/0', so nothing is sent unless it is configured.
send_welcome_message(HostType, #jid{lserver = Server} = JID) ->
    case gen_mod:lookup_module_opt(HostType, ?MODULE, welcome_message) of
        {ok, {Subj, Body}} ->
            Message = #xmlel{name = <<"message">>,
                             attrs = [{<<"type">>, <<"normal">>}],
                             children = [#xmlel{name = <<"subject">>,
                                                children = [#xmlcdata{content = Subj}]},
                                         #xmlel{name = <<"body">>,
                                                children = [#xmlcdata{content = Body}]}]},
            ejabberd_router:route(jid:make_noprep(<<>>, Server, <<>>), JID, Message);
        {error, not_found} ->
            ok
    end.

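%% @doc Notify every configured `registration_watchers' JID about the new
%% account. The JID and source are formatted with `~ts' (a non-ASCII
%% username would be mangled byte-wise by `~s') and the text is converted to
%% a UTF-8 binary before it becomes the message body; `ip_to_string/1' must
%% return a string for every `Source' shape or `io_lib:format' raises.
send_registration_notifications(HostType, #jid{lserver = Domain} = UJID, Source) ->
    case gen_mod:get_module_opt(HostType, ?MODULE, registration_watchers) of
        [] -> ok;
        JIDs when is_list(JIDs) ->
            Body = unicode:characters_to_binary(
                     io_lib:format(
                       "[~ts] The account ~ts was registered from IP address ~ts "
                       "on node ~w using ~p.",
                       [get_time_string(), jid:to_binary(UJID),
                        ip_to_string(Source), node(), ?MODULE])),
            lists:foreach(fun(S) -> send_registration_notification(S, Domain, Body) end, JIDs);
        _ ->
            ok
    end.
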
%% @doc Route one watcher notification as a `chat' message from the bare
%% domain JID. A watcher entry that does not parse as a JID is skipped.
send_registration_notification(JIDBin, Domain, Body) ->
    case jid:from_binary(JIDBin) of
        error ->
            ok;
        Watcher ->
            Message = #xmlel{name = <<"message">>,
                             attrs = [{<<"type">>, <<"chat">>}],
                             children = [#xmlel{name = <<"body">>,
                                                children = [#xmlcdata{content = Body}]}]},
            ejabberd_router:route(jid:make_noprep(<<>>, Domain, <<>>), Watcher, Message)
    end.

%% @doc Per-source registration throttle. Returns `true' when `Source' may
%% register now (recording the attempt) and `false' when it already did so
%% within the last `registration_timeout' seconds. Fail-open cases, as
%% written: an unknown source, a non-integer timeout (e.g. `infinity'), and
%% a failed mnesia transaction (logged) all allow the registration.
check_timeout(undefined) ->
    true;
check_timeout(Source) ->
    case mongoose_config:get_opt(registration_timeout) of
        Timeout when is_integer(Timeout) ->
            %% Priorities are negated timestamps; `clean_treap/2' expires
            %% entries whose priority exceeds `CleanPriority', i.e. attempts
            %% older than `Timeout' seconds.
            Now = erlang:system_time(second),
            Priority = -Now,
            CleanPriority = Priority + Timeout,
            Txn = fun() -> check_and_store_ip_entry(Source, Priority, CleanPriority) end,
            case mnesia:transaction(Txn) of
                {atomic, Allowed} ->
                    Allowed;
                {aborted, Reason} ->
                    ?LOG_ERROR(#{what => reg_check_timeout_failed,
                                 reg_source => Source, reason => Reason}),
                    true
            end;
        _NotAnInteger ->
            true
    end.

%% @doc Transaction body for `check_timeout/1'. The whole throttle state is a
%% single treap stored under the key `treap' in `mod_register_ip'. Expired
%% entries are pruned first; then, if `Source' has no live entry, it is
%% recorded with `Priority' and `true' (allowed) is returned, otherwise the
%% pruned treap is written back and `false' (throttled) is returned. The
%% read takes a write lock, so concurrent attempts presumably serialise on
%% this row.
check_and_store_ip_entry(Source, Priority, CleanPriority) ->
    Treap = case mnesia:read(mod_register_ip, treap, write) of
                [] ->
                    treap:empty();
                [{mod_register_ip, treap, T}] -> T
            end,
    Treap1 = clean_treap(Treap, CleanPriority),
    case treap:lookup(Source, Treap1) of
        error ->
            %% First attempt within the window: record it.
            Treap2 = treap:insert(Source, Priority, [],
                                  Treap1),
            mnesia:write({mod_register_ip, treap, Treap2}),
            true;
        {ok, _, _} ->
            %% Seen within the window: persist the pruning, refuse.
            mnesia:write({mod_register_ip, treap, Treap1}),
            false
    end.

%% @doc Drop expired entries from the throttle treap: the root is removed
%% while its priority is greater than `CleanPriority' (the recorded attempt
%% is older than the registration timeout); stops at the first root that is
%% still fresh or when the treap is empty.
clean_treap(Treap, CleanPriority) ->
    case treap:is_empty(Treap) of
        true ->
            Treap;
        false ->
            {_Key, RootPriority, _Value} = treap:get_root(Treap),
            if
                RootPriority > CleanPriority ->
                    clean_treap(treap:delete_root(Treap), CleanPriority);
                true ->
                    Treap
            end
    end.

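%% @doc Render the registration source for the watcher notification. Only
%% genuine IPv4/IPv6 address tuples are formatted; an authenticated
%% session's `{User, Server, Resource}' source (also a tuple) and anything
%% `inet:ntoa/1' rejects become "unknown". Previously every tuple was passed
%% to `inet_parse:ntoa/1', whose `{error, einval}' result then crashed the
%% `~s' formatting in `send_registration_notifications/3' after the account
%% had already been created.
ip_to_string({_, _, _, _} = IP) -> ntoa_or_unknown(IP);
ip_to_string({_, _, _, _, _, _, _, _} = IP) -> ntoa_or_unknown(IP);
ip_to_string(undefined) -> "undefined";
ip_to_string(_) -> "unknown".

ntoa_or_unknown(IP) ->
    case inet:ntoa(IP) of
        {error, _} -> "unknown";
        Address -> Address
    end.
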
%% @doc Local wall-clock time of the registration, formatted by `write_time/1'.
get_time_string() ->
    LocalTime = erlang:localtime(),
    write_time(LocalTime).

%% Function copied from ejabberd_logger_h.erl and customized.
%% Formats a calendar datetime as `YYYY-MM-DD hh:mm:ss' with zero-padded
%% two-digit fields; returns the `io_lib:format/2' chardata unflattened.
write_time({Date, Time}) ->
    {Y, Mo, D} = Date,
    {H, Mi, S} = Time,
    io_lib:format("~w-~.2.0w-~.2.0w ~.2.0w:~.2.0w:~.2.0w",
                  [Y, Mo, D, H, Mi, S]).

%% @doc Check `Password' against the `password_strength' option: 0 disables
%% the check, a positive value is the minimum `ejabberd_auth:entropy/1'.
%% Any other value is logged and treated as "no check" — a fail-open
%% fallback, although `config_spec/0' only admits non-negative integers.
is_strong_password(HostType, Password) ->
    Required = gen_mod:get_module_opt(HostType, ?MODULE, password_strength),
    if
        is_number(Required), Required == 0 ->
            true;
        is_number(Required), Required > 0 ->
            ejabberd_auth:entropy(Password) >= Required;
        true ->
            ?LOG_WARNING(#{what => reg_wrong_password_strength,
                           host => HostType, value => Required}),
            true
    end.

%%% |
490 |
|
%%% ip_access management |
491 |
|
%%% |
492 |
|
|
493 |
|
%% @doc Normalise the `ip_access' option into `{Policy, Network, PrefixLen}'
%% triples for `check_ip_access/2'. Already-parsed `{IP, Mask}' entries pass
%% through; strings are parsed as CIDR. An unparsable entry is logged and
%% dropped, i.e. that rule is simply not applied (a dropped `deny' widens
%% who may register).
get_ip_access(HostType) ->
    Rules = gen_mod:get_module_opt(HostType, ?MODULE, ip_access),
    lists:filtermap(fun parse_ip_access_rule/1, Rules).

parse_ip_access_rule({Access, {IP, Mask}}) ->
    {true, {Access, IP, Mask}};
parse_ip_access_rule({Access, Spec}) ->
    case mongoose_lib:parse_ip_netmask(Spec) of
        {ok, {IP, Mask}} ->
            {true, {Access, IP, Mask}};
        error ->
            ?LOG_ERROR(#{what => reg_invalid_network_specification,
                         specification => Spec}),
            false
    end.

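%% @doc Evaluate the ordered `ip_access' rules for a registration source:
%% the first rule whose network contains the address decides; an empty rule
%% list, or no matching rule, allows. A `{User, Server, Resource}' source
%% (an authenticated session) is first resolved to its peer address through
%% the session manager. When rules are configured but that address cannot
%% be determined the policy cannot be evaluated, so the request is denied —
%% fail closed; the previous `true' result was not an `allow'/`deny'
%% decision and made `try_register/6' crash with `case_clause'. Rules of a
%% different address family than the client's are skipped.
%% NOTE(review): IPv4 clients on a dual-stack listener may present as
%% IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d'), which only IPv6 rules can
%% match — confirm against the listener configuration.
check_ip_access(_Source, []) ->
    allow;
check_ip_access({User, Server, Resource}, IPAccess) ->
    case ejabberd_sm:get_session_ip(jid:make(User, Server, Resource)) of
        {IPAddress, _PortNumber} -> check_ip_access(IPAddress, IPAccess);
        _ -> deny
    end;
check_ip_access({_, _, _, _} = IP, [{Access, {_, _, _, _} = Net, Mask} | IPAccess]) ->
    case same_network(ip_to_integer(IP), ip_to_integer(Net), 32, Mask) of
        true -> Access;
        false -> check_ip_access(IP, IPAccess)
    end;
check_ip_access({_, _, _, _, _, _, _, _} = IP,
                [{Access, {_, _, _, _, _, _, _, _} = Net, Mask} | IPAccess]) ->
    case same_network(ip_to_integer(IP), ip_to_integer(Net), 128, Mask) of
        true -> Access;
        false -> check_ip_access(IP, IPAccess)
    end;
check_ip_access(IP, [_ | IPAccess]) ->
    check_ip_access(IP, IPAccess).

%% True when the top `PrefixLen' bits of two `Width'-bit address integers agree.
same_network(IPInt, NetInt, Width, PrefixLen) ->
    Mask = bnot ((1 bsl (Width - PrefixLen)) - 1),
    IPInt band Mask =:= NetInt band Mask.
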
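%% @doc Pack an `inet:ip_address()' tuple into an unsigned integer of the
%% address width: 32 bits for IPv4 (four 8-bit octets) and 128 bits for IPv6
%% (eight 16-bit groups). The IPv6 clause previously packed the 16-bit
%% groups as 8-bit segments into a 64-bit value, truncating each group to
%% its low byte; against the 128-bit prefix mask in `check_ip_access/2'
%% that made every IPv6 address match any rule with a /64 or shorter prefix
%% and compared the wrong bits for longer ones, so IPv6 `ip_access'
%% allow/deny rules did not take effect as configured.
ip_to_integer({A, B, C, D}) ->
    <<X:32>> = <<A, B, C, D>>,
    X;
ip_to_integer({A, B, C, D, E, F, G, H}) ->
    <<X:128>> = <<A:16, B:16, C:16, D:16, E:16, F:16, G:16, H:16>>,
    X.
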
%% @doc Bare domain JID for `Name'; used as the sender of replies to
%% unauthenticated clients.
make_host_only_jid(Name) when is_binary(Name) ->
    NoUser = <<>>,
    NoResource = <<>>,
    jid:make(NoUser, Name, NoResource).

%% @doc Prepend a `from' attribute carrying `From' to the stanza's attributes.
set_sender(#xmlel{attrs = Attrs} = Stanza, #jid{} = From) ->
    FromAttr = {<<"from">>,jid:to_binary(From)},
    Stanza#xmlel{attrs = [FromAttr | Attrs]}.

%% @doc Whether `Element' is the `<query/>' element expected in a
%% `jabber:iq:register' IQ. Only the element name is checked here; the
%% namespace was already matched when the handler was selected.
is_query_element(#xmlel{name = Name}) ->
    Name =:= <<"query">>;
is_query_element(_) ->
    false.

%% @doc Turn the request IQ into an error reply. `Reason' is either a single
%% error element or a list (typically the echoed request `<query/>' followed
%% by the error element); in both cases it becomes the reply's `sub_el' as is,
%% so the two original clauses collapse into one.
error_response(Request, Reason) ->
    Request#iq{type = error, sub_el = Reason}.
