Merge pull request 'blacklist update' (#2) from dev into main

Reviewed-on: #2

CHANGELOG.md

@@ -1,5 +1,27 @@
 # Changelog
 
+## Unreleased 2024-05-05
+
+### Adjust config
+
+* Replace deprecated legacy_ssl with c2s_direct_tls.
+* Removed use_libevent = true. This means the default is now used which is epoll.
+
+### Test
+
+Added a test to check that no deprecated config settings are used.
+
+## v 1.3.3
+
+* Updated to LuaRocks 3.12.2
+* Updated to Lua 5.4
+* Updated to Prosody 0.12.5
+* Removed unused luarocks
+
+## v1.3.2
+
+* Added Firewall module with optional custom blacklist
+
 ## v1.3.1
 
 * Added optional Firewall module for testing

Dockerfile

@@ -4,11 +4,11 @@ ARG BUILD_DATE
 ARG VCS_REF
 ARG VERSION
 
-ARG LUAROCKS_VERSION=3.9.2
-ARG PROSODY_VERSION=0.12.4
+ARG LUAROCKS_VERSION=3.12.2
+ARG PROSODY_VERSION=0.12.5
 
-ARG LUAROCKS_SHA256="bca6e4ecc02c203e070acdb5f586045d45c078896f6236eb46aa33ccd9b94edb"
-ARG PROSODY_DOWNLOAD_SHA256="47d712273c2f29558c412f6cdaec073260bbc26b7dda243db580330183d65856"
+ARG LUAROCKS_SHA256="b0e0c85205841ddd7be485f53d6125766d18a81d226588d2366931e9a1484492"
+ARG PROSODY_DOWNLOAD_SHA256="778fb7707a0f10399595ba7ab9c66dd2a2288c0ae3a7fe4ab78f97d462bd399f"
 
 LABEL luarocks.version="${LUAROCKS_VERSION}"
 LABEL org.opencontainers.image.authors="Wproject Garapenak"
@@ -30,7 +30,8 @@ RUN apt-get update \
       libidn2-0 \
       libpq-dev \
       libsqlite3-0 \
-      lua5.2 \
+      lua5.4 \
+      liblua5.4-dev \
       lua-bitop \
       lua-dbi-mysql \
       lua-dbi-postgresql \
@@ -73,11 +74,11 @@ RUN buildDeps='gcc git libc6-dev libidn2-dev liblua5.2-dev libsqlite3-dev libssl
  && make bootstrap \
  && cd / && rm -r /usr/src/luarocks \
  \
- && luarocks install luaevent \
+ # && luarocks install luaevent \
  && luarocks install luadbi \
  `#&& luarocks install luadbi-mysql MYSQL_INCDIR=/usr/include/mariadb/` \
  && luarocks install luadbi-sqlite3 \
- && luarocks install stringy \
+ # && luarocks install stringy \
  \
  && apt-get purge -y --auto-remove $buildDeps
 
@@ -90,7 +91,7 @@ RUN groupadd -r prosody \
 RUN mkdir -p /var/run/prosody/ \
  && chown prosody:prosody /var/run/prosody/
 
-ENV __FLUSH_LOG yes
+ENV __FLUSH_LOG=yes
 
 VOLUME ["/usr/local/var/lib/prosody"]
 
@@ -111,7 +112,7 @@ RUN download-prosody-modules.bash \
         smacks `# stream management (XEP-0198)` \
         throttle_presence `# presence throttling in CSI` \
         vcard_muc `# XEP-0153: vCard-Based Avatar (MUC)` \
- && docker-prosody-module-pre-install.bash \
+ #&& docker-prosody-module-pre-install.bash \
 	firewall `# anti-spam firewall` \
  && rm -rf "/usr/src/prosody-modules"
 RUN echo "TLS_REQCERT allow" >> /etc/ldap/ldap.conf

conf.d/01-modules.cfg.lua

@@ -1,7 +1,8 @@
 plugin_paths = { "/usr/local/lib/prosody/custom-modules/" };
 
 -- table of enabled modules
-local mods_enabled = {
+-- local mods_enabled = {
+modules_enabled = {
     -- Generally required
     "roster"; -- Allow users to have a roster. Recommended ;)
     "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
@@ -48,19 +49,7 @@ local mods_enabled = {
     "server_contact_info"; -- This module lets you advertise various contact addresses for your XMPP service via XEP-0157.
 };
 
-local enabled = os.getenv("ENABLE_FIREWALL") or "false"
-local spam_blocklist = os.getenv("SPAM_BLOCKLIST") and "/usr/local/etc/prosody/firewall/" .. os.getenv("SPAM_BLOCKLIST") or "module:scripts/spam-blocklists.pfw"
-
-if(enabled == "true")
-then
-   table.insert(mods_enabled, "firewall");
-   
-   firewall_scripts = {
-   	spam_blocklist;
-   }
-end
-
-modules_enabled = mods_enabled;
+-- modules_enabled = mods_enabled;
 
 -- These modules are auto-loaded, but should you want
 -- to disable them then uncomment them here:
@@ -69,4 +58,3 @@ modules_disabled = {
     -- "c2s"; -- Handle client connections
     -- "s2s"; -- Handle server-to-server connections
 };
-

conf.d/02-storage.cfg.lua

@@ -1,8 +1,8 @@
 default_storage = "sql"
 
 sql = {
-  driver = os.getenv("DB_DRIVER");
-  database = os.getenv("DB_DATABASE");
+  driver = os.getenv("DB_DRIVER") or "SQLite3";
+  database = os.getenv("DB_DATABASE") or "prosody.sqlite";
   host = os.getenv("DB_HOST");
   port = os.getenv("DB_PORT");
   username = os.getenv("DB_USERNAME");

conf.d/03-e2e-policy.cfg.lua

@@ -1,8 +1,16 @@
-local stringy = require "stringy" 
+local function _split(s, sep)
+	if not s then return nil; end
+	sep = sep or ",";
+	local parts = {};
+	for part in s:gmatch("[^"..sep.."]+") do
+		parts[#parts+1] = part;
+	end
+	return parts;
+end
 
 e2e_policy_chat = os.getenv("E2E_POLICY_CHAT")
 e2e_policy_muc = os.getenv("E2E_POLICY_MUC")
-e2e_policy_whitelist = stringy.split(os.getenv("E2E_POLICY_WHITELIST"), ", ")
+e2e_policy_whitelist = _split(os.getenv("E2E_POLICY_WHITELIST"), ", ")
 e2e_policy_message_optional_chat = "For security reasons, OMEMO, OTR or PGP encryption is STRONGLY recommended for conversations on this server."
 e2e_policy_message_required_chat = "For security reasons, OMEMO, OTR or PGP encryption is required for conversations on this server."
 e2e_policy_message_optional_muc = "For security reasons, OMEMO, OTR or PGP encryption is STRONGLY recommended for MUC on this server."

conf.d/04-server_contact_info.cfg.lua

@@ -1,12 +1,28 @@
-local stringy = require "stringy" 
+local function _split(s, sep)
+	if not s then return nil; end
+	sep = sep or ",";
+	local parts = {};
+	for part in s:gmatch("[^"..sep.."]+") do
+		parts[#parts+1] = part;
+	end
+	return parts;
+end
+
+local domain = os.getenv("DOMAIN")
+local abuse = os.getenv("SERVER_CONTACT_INFO_ABUSE") or "xmpp:abuse@" .. domain
+local admin = os.getenv("SERVER_CONTACT_INFO_ADMIN") or "xmpp:admin@" .. domain
+local feedback = os.getenv("SERVER_CONTACT_INFO_FEEDBACK") or "xmpp:feedback@" .. domain
+local sales = os.getenv("SERVER_CONTACT_INFO_SALES") or "xmpp:sales@" .. domain
+local security = os.getenv("SERVER_CONTACT_INFO_SECURITY") or "xmpp:security@" .. domain
+local support = os.getenv("SERVER_CONTACT_INFO_SUPPORT") or "xmpp:support@" .. domain
 
 contact_info = {
-  abuse = stringy.split(os.getenv("SERVER_CONTACT_INFO_ABUSE"), ", ");
-  admin = stringy.split(os.getenv("SERVER_CONTACT_INFO_ADMIN"), ", ");
-  feedback = stringy.split(os.getenv("SERVER_CONTACT_INFO_FEEDBACK"), ", ");
-  sales = stringy.split(os.getenv("SERVER_CONTACT_INFO_SALES"), ", ");
-  security = stringy.split(os.getenv("SERVER_CONTACT_INFO_SECURITY"), ", ");
-  support = stringy.split(os.getenv("SERVER_CONTACT_INFO_SUPPORT"), ", ");
+  abuse = _split(abuse, ", ");
+  admin = _split(admin, ", ");
+  feedback = _split(feedback, ", ");
+  sales = _split(sales, ", ");
+  security = _split(security, ", ");
+  support = _split(support, ", ");
 }
 
 welcome_message = "Kaixo $username, ongi etorri $host IM zerbitzura! Mesedez irakurri itzazu ondorengo <a href='https://lainoa.eus/terms/tos.html'>Erabilpen baldintzak</a>."

conf.d/05-vhost.cfg.lua

@@ -6,11 +6,11 @@ local domain_pubsub = os.getenv("DOMAIN_PUBSUB")
 
 -- XEP-0368: SRV records for XMPP over TLS
 -- https://compliance.conversations.im/test/xep0368/
-legacy_ssl_ssl = {
-	certificate = "certs/" .. domain .. "/fullchain.pem";
+c2s_direct_tls_ssl = {
+    certificate = "certs/" .. domain .. "/fullchain.pem";
 	key = "certs/" .. domain .. "/privkey.pem";
 }
-legacy_ssl_ports = { 5223 }
+c2s_direct_tls_ports = { 5223 }
 
 -- https://prosody.im/doc/certificates#service_certificates
 -- https://prosody.im/doc/ports#ssl_configuration

docker-prosody-module-install.bash

@@ -43,7 +43,13 @@ for ext in $exts; do
 	# Skip this if the modules should not be added to modules_enabled.
 	if [ "$ext" != "http_upload" ] && [ "$ext" != "vcard_muc" ] ; then
 		echo " - enabling within ${config}"
-		new_config=$(cat "${config}" | module="${ext}" perl -0pe 's/(mods_enabled[ ]*=[ ]*{[^}]*)};/$1\n\t"$ENV{module}";\n};/')
+		new_config=$(cat "${config}" | module="${ext}" perl -0pe 's/(modules_enabled[ ]*=[ ]*{[^}]*)};/$1\n\t"$ENV{module}";\n};/')
 		echo "${new_config}" > "${config}"
 	fi
+	# firewall module configuration
+    	if [ "$ext" == "firewall" ] ; then
+        	echo " - setting up mod_${ext}"
+        	new_config=$(cat "${config}" | echo -e "\nlocal spam_blocklist = os.getenv(\"SPAM_BLOCKLIST\") and \"/usr/local/etc/prosody/firewall/\" .. os.getenv(\"SPAM_BLOCKLIST\") or \"module:scripts/spam-blocklists.pfw\"\n\nfirewall_scripts = {\n\t\"module:scripts/spam-blocking.pfw\";\n\tspam_blocklist;\n};")
+        	echo "${new_config}" >> "${config}"
+    	fi
 done

docker-prosody-module-pre-install.bash

@@ -1,42 +0,0 @@
-#!/bin/bash
-set -e
-
-source="/usr/src/prosody-modules"
-target="/usr/local/lib/prosody/custom-modules"
-
-cd ${source}
-
-usage() {
-	echo "usage: $0 ext-name [ext-name ...]"
-	echo "   ie: $0 carbons e2e_policy proxy65"
-	echo
-	echo 'Possible values for ext-name:'
-	find . -mindepth 1 -maxdepth 1 -type d | sort | sed s/\.\\/mod_//g | xargs
-}
-
-exts=
-for ext; do
-	if [ -z "mod_$ext" ]; then
-		continue
-	fi
-	if [ ! -d "mod_$ext" ]; then
-		echo >&2 "error: $PWD/mod_$ext does not exist"
-		echo >&2
-		usage >&2
-		exit 1
-	fi
-	exts="$exts $ext"
-done
-
-if [ -z "$exts" ]; then
-	usage >&2
-	exit 1
-fi
-
-for ext in $exts; do
-	echo "Installing mod_${ext}"
-
-	echo " - copying to ${target}"
-	cp -r "${source}/mod_${ext}" "${target}/"
-
-done

extras/firewall/blacklist.txt

@@ -2,17 +2,21 @@ bashtel.ru
 creep.im
 darkengine.biz
 default.rs
+exploit.im
 hiddenlizard.org
 jabber.bitactive.com
 jabber.cd
+jabber.cz
 jabber.freenet.de
 jabber.ipredator.se
 jabber.npw.net
 jabber.sampo.ru
+jabbim.pl
 labas.biz
 otr.chat
 paranoid.scarab.name
 rassnet.org
 safetyjabber.com
 sj.ms
+trashserver.net
 xmpp.bytesund.biz

prosody.cfg.lua

@@ -1,14 +1,12 @@
 -- see example config at https://hg.prosody.im/-1.9/file/0.9.10/prosody.cfg.lua.dist
 -- easily extendable by putting into different config files within conf.d folder
 
-local stringy = require "stringy" 
+local stringy = require "stringy"
 
 admins = stringy.split(os.getenv("PROSODY_ADMINS"), ", ");
 
 pidfile = "/var/run/prosody/prosody.pid"
 
-use_libevent = true; -- improves performance
-
 allow_registration = os.getenv("ALLOW_REGISTRATION");
 
 c2s_require_encryption = os.getenv("C2S_REQUIRE_ENCRYPTION");

readme.md

@@ -158,11 +158,9 @@ docker build -t prosody/xmpp .
 Next I recommend using a ```docker-compose.yml``` file:
 
 ```yaml
-version: '3.7'
-
 services:
   server:
-    image: sarasmiseth/prosody:latest
+    image: prosody/xmpp:latest
     restart: unless-stopped
     ports:
       - "5000:5000"
@@ -177,9 +175,9 @@ services:
       - ./data:/usr/local/var/lib/prosody
 ```
 
-Boot it via: ```docker-compose up -d```.
+Boot it via: ```docker compose up -d```.
 
-Inspect logs: ```docker-compose logs -f```.
+Inspect logs: ```docker compose logs -f```.
 
 ### Volumes permissions
 

tests/bats/bats-assert

@@ -0,0 +1 @@
+Subproject commit e2d855bc78619ee15b0c702b5c30fb074101159f

tests/bats/bats-core

@@ -0,0 +1 @@
+Subproject commit a751f3d3da4b7db830612322a068a18379c78d09

tests/bats/bats-support

@@ -0,0 +1 @@
+Subproject commit 9bf10e876dd6b624fe44423f0b35e064225f7556

tests/docker-compose.yml

@@ -1,8 +1,6 @@
-version: "3.9"
-
 services:
   prosody:
-    image: prosody
+    image: prosody/xmpp:latest
     restart: unless-stopped
     ports:
       - "5000:5000"
@@ -19,7 +17,7 @@ services:
       - ./certs:/usr/local/etc/prosody/certs
 
   prosody_postgres:
-    image: prosody
+    image: prosody/xmpp:latest
     restart: unless-stopped
     ports:
       - "5000:5000"
@@ -53,7 +51,7 @@ services:
       POSTGRES_PASSWORD: prosody
 
   prosody_ldap:
-    image: prosody
+    image: prosody/xmpp:latest
     restart: unless-stopped
     ports:
       - "5000:5000"

tests/tests.bats

@@ -57,8 +57,8 @@ load 'bats/bats-assert/load'
   assert_output
 }
 
-@test "Should activate legacy_ssl" {
-  run bash -c "sudo docker-compose logs $batsContainerName | grep -E \"Activated service 'legacy_ssl' on (\[::\]:5223|\[\*\]:5223), (\[::\]:5223|\[\*\]:5223)\""
+@test "Should activate c2s_direct_tls" {
+  run bash -c "sudo docker-compose logs $batsContainerName | grep -E \"Activated service 'c2s_direct_tls' on (\[::\]:5223|\[\*\]:5223), (\[::\]:5223|\[\*\]:5223)\""
   assert_success
   assert_output
 }
@@ -82,7 +82,17 @@ load 'bats/bats-assert/load'
 }
 
 @test "Should show upload URL" {
-  run bash -c "sudo docker-compose logs $batsContainerName | grep \"URL: <https:\/\/upload.example.com:5281\/upload> - Ensure this can be reached by users\""
+  run bash -c "sudo docker-compose logs $batsContainerName | grep \"Serving 'file_share' at https:\/\/upload.example.com:5281\/file_share\""
   assert_success
   assert_output
 }
+
+@test "Should not use deprecated config" {
+  run bash -c "sudo docker-compose exec $batsContainerName /bin/bash -c \"/entrypoint.bash check\" | grep 'deprecated' -A 3"
+  assert_failure
+}
+
+@test "Should not have warnings in log" {
+  run bash -c "sudo docker-compose logs $batsContainerName | grep -E \"warn\""
+  assert_failure
+}