net.dns: (for some reason this commit didn't pull over from 0.5) Remove hard-coded...

[prosody.git] / plugins / mod_xmlrpc.lua

diff --git a/plugins/mod_xmlrpc.lua b/plugins/mod_xmlrpc.lua
index a366dcaf40ca07469c1e3ba6d7b7187c8ad759c1..7165386ae3fec8516ac53fccfe80feb220675d60 100644 (file)
--- a/plugins/mod_xmlrpc.lua
+++ b/plugins/mod_xmlrpc.lua
@@ -1,4 +1,4 @@
--- Prosody IM v0.3
+-- Prosody IM
 -- Copyright (C) 2008-2009 Matthew Wild
 -- Copyright (C) 2008-2009 Waqas Hussain
 -- 
@@ -14,6 +14,12 @@ local st = require "util.stanza";
 local pcall = pcall;
 local unpack = unpack;
 local tostring = tostring;
+local is_admin = require "core.usermanager".is_admin;
+local jid_split = require "util.jid".split;
+local jid_bare = require "util.jid".bare;
+local b64_decode = require "util.encodings".base64.decode;
+local get_method = require "core.objectmanager".get_object;
+local validate_credentials = require "core.usermanager".validate_credentials;
 
 local translate_request = require "util.xmlrpc".translate_request;
 local create_response = require "util.xmlrpc".create_response;
@@ -60,16 +66,15 @@ local function parse_xml(xml)
        return stanza.tags[1];
 end
 
-local function get_method(method)
-       return function(...)
-               return {method = method; args = {...}};
+local function handle_xmlrpc_request(jid, method, args)
+       local is_secure_call = (method:sub(1,7) == "secure/");
+       if not is_admin(jid) and not is_secure_call then
+               return create_error_response(401, "not authorized");
        end
-end
-
-local function handle_xmlrpc_request(method, args)
        method = get_method(method);
        if not method then return create_error_response(404, "method not found"); end
        args = args or {};
+       if is_secure_call then table.insert(args, 1, jid); end
        local success, result = pcall(method, unpack(args));
        if success then
                success, result = pcall(create_response, result or "nil");
@@ -78,38 +83,46 @@ local function handle_xmlrpc_request(method, args)
                end
                return create_error_response(500, "Error in creating response: "..result);
        end
-       return create_error_response(0, result or "nil");
+       return create_error_response(0, tostring(result):gsub("^[^:]+:%d+: ", ""));
 end
 
---[[local function handle_xmpp_request(origin, stanza)
+local function handle_xmpp_request(origin, stanza)
        local query = stanza.tags[1];
        if query.name == "query" then
                if #query.tags == 1 then
                        local success, method, args = pcall(translate_request, query.tags[1]);
                        if success then
-                               local result = handle_xmlrpc_request(method, args);
+                               local result = handle_xmlrpc_request(jid_bare(stanza.attr.from), method, args);
                                origin.send(st.reply(stanza):tag('query', {xmlns='jabber:iq:rpc'}):add_child(result));
                        else
                                origin.send(st.error_reply(stanza, "modify", "bad-request", method));
                        end
-               else
-                       origin.send(st.error_reply(stanza, "modify", "bad-request", "No content in XML-RPC request"));
-               end
-       else
-               origin.send(st.error_reply(stanza, "cancel", "service-unavailable"));
-       end
+               else origin.send(st.error_reply(stanza, "modify", "bad-request", "No content in XML-RPC request")); end
+       else origin.send(st.error_reply(stanza, "cancel", "service-unavailable")); end
 end
-module:add_iq_handler({"c2s", "s2sin"}, "jabber:iq:rpc", handle_xmpp_request);]]
+module:add_iq_handler({"c2s", "s2sin"}, "jabber:iq:rpc", handle_xmpp_request);
+module:add_feature("jabber:iq:rpc");
+-- TODO add <identity category='automation' type='rpc'/> to disco replies
 
+local default_headers = { ['Content-Type'] = 'text/xml' };
+local unauthorized_response = { status = '401 UNAUTHORIZED', headers = {['Content-Type']='text/html', ['WWW-Authenticate']='Basic realm="WallyWorld"'}; body = "<html><body>Authentication required</body></html>"; };
 local function handle_http_request(method, body, request)
+       -- authenticate user
+       local username, password = b64_decode(request['authorization'] or ''):gmatch('([^:]*):(.*)')(); -- TODO digest auth
+       local node, host = jid_split(username);
+       if not validate_credentials(host, node, password) then
+               return unauthorized_response;
+       end
+       -- parse request
        local stanza = body and parse_xml(body);
        if (not stanza) or request.method ~= "POST" then
                return "<html><body>You really don't look like an XML-RPC client to me... what do you want?</body></html>";
        end
+       -- execute request
        local success, method, args = pcall(translate_request, stanza);
        if success then
-               return tostring(handle_xmlrpc_request(method, args));
+               return { headers = default_headers; body = tostring(handle_xmlrpc_request(node.."@"..host, method, args)) };
        end
-       return "<html><body>You really don't look like an XML-RPC client to me... what do you want?</body></html>";
+       return "<html><body>Error parsing XML-RPC request: "..tostring(method).."</body></html>";
 end
 httpserver.new{ port = 9000, base = "xmlrpc", handler = handle_http_request }