From 5ad8c790c754f59f13337c8bd926dcd2feb633f7 Mon Sep 17 00:00:00 2001
From: Mickael Remond <mremond@process-one.net>
Date: Wed, 6 Apr 2016 13:59:06 +0200
Subject: Export add_access/3 to allow setting ACL outside of yaml config file

---
 src/acl.erl | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src')

diff --git a/src/acl.erl b/src/acl.erl
index fdf397d88..0c1071d15 100644
--- a/src/acl.erl
+++ b/src/acl.erl
@@ -34,6 +34,8 @@
 	 match_rule/3, match_acl/3, transform_options/1,
 	 opt_type/1]).
 
+-export([add_access/3]).
+
 -include("ejabberd.hrl").
 -include("logger.hrl").
 -include("jlib.hrl").
-- 
cgit v1.2.3


From 47039aed1572b1c45b9207f0a1c97c6da972f898 Mon Sep 17 00:00:00 2001
From: Mickael Remond <mremond@process-one.net>
Date: Wed, 6 Apr 2016 14:48:05 +0200
Subject: Allow clearing all ACL and access rules

---
 src/acl.erl | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'src')

diff --git a/src/acl.erl b/src/acl.erl
index 0c1071d15..58b80b6ad 100644
--- a/src/acl.erl
+++ b/src/acl.erl
@@ -34,7 +34,7 @@
 	 match_rule/3, match_acl/3, transform_options/1,
 	 opt_type/1]).
 
--export([add_access/3]).
+-export([add_access/3, clear/0]).
 
 -include("ejabberd.hrl").
 -include("logger.hrl").
@@ -45,6 +45,7 @@
                  rules = [] :: [access_rule()]}).
 
 -type regexp() :: binary().
+-type iprange() :: {inet:ip_address(), integer()} | binary().
 -type glob() :: binary().
 -type access_name() :: atom().
 -type access_rule() :: {atom(), any()}.
@@ -63,7 +64,7 @@
                    {user_glob, {glob(), host()} | glob()} |
                    {server_glob, glob()} |
                    {resource_glob, glob()} |
-                   {ip, {inet:ip_address(), integer()}} |
+                   {ip, iprange()} |
                    {node_glob, {glob(), glob()}}.
 
 -type acl() :: #acl{aclname :: aclname(),
@@ -206,6 +207,12 @@ load_from_config() ->
                 end, AccessRules)
       end, Hosts).
 
+%% Delete all previous set ACLs and Access rules
+clear() ->
+    mnesia:clear_table(acl),
+    mnesia:clear_table(access),
+    ok.
+
 b(S) ->
     iolist_to_binary(S).
 
-- 
cgit v1.2.3


From 127342449ec9e0302ef662c815dd062721941c92 Mon Sep 17 00:00:00 2001
From: Mickael Remond <mremond@process-one.net>
Date: Fri, 8 Apr 2016 19:45:25 +0200
Subject: Allow testing user pattern directly in access rules

---
 src/acl.erl | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/acl.erl b/src/acl.erl
index 58b80b6ad..06202c67e 100644
--- a/src/acl.erl
+++ b/src/acl.erl
@@ -31,7 +31,7 @@
 
 -export([start/0, to_record/3, add/3, add_list/3,
 	 add_local/3, add_list_local/3, load_from_config/0,
-	 match_rule/3, match_acl/3, transform_options/1,
+	 match_rule/3, match_access/4, match_acl/3, transform_options/1,
 	 opt_type/1]).
 
 -export([add_access/3, clear/0]).
@@ -255,6 +255,19 @@ normalize_spec(Spec) ->
             end
     end.
 
+-spec match_access(global | binary(), access_name(),
+                   jid() | ljid() | inet:ip_address(),
+                   atom()) -> any().
+
+match_access(_Host, all, _JID, _Default) ->
+    allow;
+match_access(_Host, none, _JID, _Default) ->
+    deny;
+match_access(_Host, {user, UserPattern}, JID, Default) ->
+    match_user_spec({user, UserPattern}, JID, Default);
+match_access(Host, AccessRule, JID, _Default) ->
+    match_rule(Host, AccessRule, JID).
+
 -spec match_rule(global | binary(), access_name(),
                  jid() | ljid() | inet:ip_address()) -> any().
 
@@ -357,6 +370,16 @@ match_acl(ACL, JID, Host) ->
 get_aclspecs(ACL, Host) ->
       ets:lookup(acl, {ACL, Host}) ++ ets:lookup(acl, {ACL, global}).
 
+
+match_user_spec(Spec, JID, Default) ->
+    case do_match_user_spec(Spec, jid:tolower(JID)) of
+        true -> Default;
+        false -> deny
+    end.
+
+do_match_user_spec({user, {U, S}}, {User, Server, _Resource}) ->
+    U == User andalso S == Server.
+
 is_regexp_match(String, RegExp) ->
     case ejabberd_regexp:run(String, RegExp) of
       nomatch -> false;
-- 
cgit v1.2.3


From cd2e2b1a880f93b7198bbc17cb1d9be2c23048e8 Mon Sep 17 00:00:00 2001
From: Mickael Remond <mremond@process-one.net>
Date: Tue, 12 Apr 2016 10:34:24 +0200
Subject: Synchronizing master changes

---
 src/cyrsasl_anonymous.erl       |  5 ++---
 src/ejabberd_auth_anonymous.erl |  2 +-
 src/ejabberd_c2s.erl            | 33 +++++++--------------------------
 src/ejabberd_ctl.erl            |  6 +++++-
 src/ejabberd_s2s_in.erl         |  2 +-
 src/ejabberd_s2s_out.erl        |  2 +-
 src/ejabberd_sm.erl             |  6 +++++-
 src/mod_admin_extra.erl         |  7 +++++--
 src/mod_register.erl            |  2 +-
 9 files changed, 28 insertions(+), 37 deletions(-)

(limited to 'src')

diff --git a/src/cyrsasl_anonymous.erl b/src/cyrsasl_anonymous.erl
index 2b2a9f63c..802e1cd7b 100644
--- a/src/cyrsasl_anonymous.erl
+++ b/src/cyrsasl_anonymous.erl
@@ -45,9 +45,8 @@ mech_new(Host, _GetPassword, _CheckPassword, _CheckPasswordDigest) ->
 
 mech_step(#state{server = Server} = S, ClientIn) ->
     User = iolist_to_binary([randoms:get_string(),
-                             randoms:get_string(),
-                             randoms:get_string()]),
+                             jlib:integer_to_binary(p1_time_compat:unique_integer([positive]))]),
     case ejabberd_auth:is_user_exists(User, Server) of
         true  -> mech_step(S, ClientIn);
-        false -> {ok, [{username, User}, {auth_module, ejabberd_auth_anonymous}]}
+        false -> {ok, [{username, User}, {authzid, User}, {auth_module, ejabberd_auth_anonymous}]}
     end.
diff --git a/src/ejabberd_auth_anonymous.erl b/src/ejabberd_auth_anonymous.erl
index 9c4b719c3..5a5b395bf 100644
--- a/src/ejabberd_auth_anonymous.erl
+++ b/src/ejabberd_auth_anonymous.erl
@@ -56,7 +56,7 @@
 %% Create the anonymous table if at least one virtual host has anonymous features enabled
 %% Register to login / logout events
 -record(anonymous, {us = {<<"">>, <<"">>} :: {binary(), binary()},
-                    sid = {p1_time_compat:timestamp(), self()} :: ejabberd_sm:sid()}).
+                    sid = ejabberd_sm:make_sid() :: ejabberd_sm:sid()}).
 
 start(Host) ->
     %% TODO: Check cluster mode
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 3736f7d07..948e2027b 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -327,7 +327,7 @@ init([{SockMod, Socket}, Opts]) ->
 		       xml_socket = XMLSocket, zlib = Zlib, tls = TLS,
 		       tls_required = StartTLSRequired,
 		       tls_enabled = TLSEnabled, tls_options = TLSOpts,
-		       sid = {p1_time_compat:timestamp(), self()}, streamid = new_id(),
+		       sid = ejabberd_sm:make_sid(), streamid = new_id(),
 		       access = Access, shaper = Shaper, ip = IP,
 		       mgmt_state = StreamMgmtState,
 		       mgmt_max_queue = MaxAckQueue,
@@ -522,7 +522,6 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
 				    send_element(StateData,
 					?POLICY_VIOLATION_ERR(Lang,
 					    <<"Use of STARTTLS required">>)),
-				    send_trailer(StateData),
 				    {stop, normal, StateData};
 				true ->
 				    fsm_next_state(wait_for_auth,
@@ -537,34 +536,28 @@ wait_for_stream({xmlstreamstart, _Name, Attrs}, StateData) ->
 			[jlib:ip_to_list(IP), LogReason]),
 		    send_header(StateData, Server, <<"">>, DefaultLang),
 		    send_element(StateData, ?POLICY_VIOLATION_ERR(Lang, ReasonT)),
-		    send_trailer(StateData),
 		    {stop, normal, StateData};
 		_ ->
 		    send_header(StateData, ?MYNAME, <<"">>, DefaultLang),
 		    send_element(StateData, ?HOST_UNKNOWN_ERR),
-		    send_trailer(StateData),
 		    {stop, normal, StateData}
 	    end;
 	_ ->
 	    send_header(StateData, ?MYNAME, <<"">>, DefaultLang),
 	    send_element(StateData, ?INVALID_NS_ERR),
-	    send_trailer(StateData),
 	    {stop, normal, StateData}
     end;
 wait_for_stream(timeout, StateData) ->
     {stop, normal, StateData};
 wait_for_stream({xmlstreamelement, _}, StateData) ->
     send_element(StateData, ?INVALID_XML_ERR),
-    send_trailer(StateData),
     {stop, normal, StateData};
 wait_for_stream({xmlstreamend, _}, StateData) ->
     send_element(StateData, ?INVALID_XML_ERR),
-    send_trailer(StateData),
     {stop, normal, StateData};
 wait_for_stream({xmlstreamerror, _}, StateData) ->
     send_header(StateData, ?MYNAME, <<"1.0">>, <<"">>),
     send_element(StateData, ?INVALID_XML_ERR),
-    send_trailer(StateData),
     {stop, normal, StateData};
 wait_for_stream(closed, StateData) ->
     {stop, normal, StateData};
@@ -724,10 +717,9 @@ wait_for_auth({xmlstreamelement, El}, StateData) ->
 wait_for_auth(timeout, StateData) ->
     {stop, normal, StateData};
 wait_for_auth({xmlstreamend, _Name}, StateData) ->
-    send_trailer(StateData), {stop, normal, StateData};
+    {stop, normal, StateData};
 wait_for_auth({xmlstreamerror, _}, StateData) ->
     send_element(StateData, ?INVALID_XML_ERR),
-    send_trailer(StateData),
     {stop, normal, StateData};
 wait_for_auth(closed, StateData) ->
     {stop, normal, StateData};
@@ -843,7 +835,6 @@ wait_for_feature_request({xmlstreamelement, El},
 		 send_element(StateData,
 			      ?POLICY_VIOLATION_ERR(Lang,
 						    <<"Use of STARTTLS required">>)),
-		 send_trailer(StateData),
 		 {stop, normal, StateData};
 	     true ->
 		 process_unauthenticated_stanza(StateData, El),
@@ -854,11 +845,10 @@ wait_for_feature_request(timeout, StateData) ->
     {stop, normal, StateData};
 wait_for_feature_request({xmlstreamend, _Name},
 			 StateData) ->
-    send_trailer(StateData), {stop, normal, StateData};
+    {stop, normal, StateData};
 wait_for_feature_request({xmlstreamerror, _},
 			 StateData) ->
     send_element(StateData, ?INVALID_XML_ERR),
-    send_trailer(StateData),
     {stop, normal, StateData};
 wait_for_feature_request(closed, StateData) ->
     {stop, normal, StateData};
@@ -963,11 +953,10 @@ wait_for_sasl_response(timeout, StateData) ->
     {stop, normal, StateData};
 wait_for_sasl_response({xmlstreamend, _Name},
 		       StateData) ->
-    send_trailer(StateData), {stop, normal, StateData};
+    {stop, normal, StateData};
 wait_for_sasl_response({xmlstreamerror, _},
 		       StateData) ->
     send_element(StateData, ?INVALID_XML_ERR),
-    send_trailer(StateData),
     {stop, normal, StateData};
 wait_for_sasl_response(closed, StateData) ->
     {stop, normal, StateData};
@@ -1092,10 +1081,9 @@ wait_for_bind({xmlstreamelement, El}, StateData) ->
 wait_for_bind(timeout, StateData) ->
     {stop, normal, StateData};
 wait_for_bind({xmlstreamend, _Name}, StateData) ->
-    send_trailer(StateData), {stop, normal, StateData};
+    {stop, normal, StateData};
 wait_for_bind({xmlstreamerror, _}, StateData) ->
     send_element(StateData, ?INVALID_XML_ERR),
-    send_trailer(StateData),
     {stop, normal, StateData};
 wait_for_bind(closed, StateData) ->
     {stop, normal, StateData};
@@ -1168,7 +1156,6 @@ session_established({xmlstreamelement, El},
     case check_from(El, FromJID) of
 	'invalid-from' ->
 	    send_element(StateData, ?INVALID_FROM),
-	    send_trailer(StateData),
 	    {stop, normal, StateData};
 	_NewEl ->
 	    session_established2(El, StateData)
@@ -1181,17 +1168,15 @@ session_established(timeout, StateData) ->
 		       [?MODULE, Options, session_established, StateData]),
     fsm_next_state(session_established, StateData);
 session_established({xmlstreamend, _Name}, StateData) ->
-    send_trailer(StateData), {stop, normal, StateData};
+    {stop, normal, StateData};
 session_established({xmlstreamerror,
 		     <<"XML stanza is too big">> = E},
 		    StateData) ->
     send_element(StateData,
 		 ?POLICY_VIOLATION_ERR((StateData#state.lang), E)),
-    send_trailer(StateData),
     {stop, normal, StateData};
 session_established({xmlstreamerror, _}, StateData) ->
     send_element(StateData, ?INVALID_XML_ERR),
-    send_trailer(StateData),
     {stop, normal, StateData};
 session_established(closed, #state{mgmt_state = active} = StateData) ->
     catch (StateData#state.sockmod):close(StateData#state.socket),
@@ -1346,7 +1331,6 @@ handle_info(kick, StateName, StateData) ->
     handle_info({kick, kicked_by_admin, Xmlelement}, StateName, StateData);
 handle_info({kick, Reason, Xmlelement}, _StateName, StateData) ->
     send_element(StateData, Xmlelement),
-    send_trailer(StateData),
     {stop, normal,
      StateData#state{authenticated = Reason}};
 handle_info({route, _From, _To, {broadcast, Data}},
@@ -1359,7 +1343,6 @@ handle_info({route, _From, _To, {broadcast, Data}},
         {exit, Reason} ->
             Lang = StateData#state.lang,
             send_element(StateData, ?SERRT_CONFLICT(Lang, Reason)),
-            catch send_trailer(StateData),
             {stop, normal, StateData};
         {privacy_list, PrivList, PrivListName} ->
             case ejabberd_hooks:run_fold(privacy_updated_list,
@@ -1673,11 +1656,9 @@ handle_info(system_shutdown, StateName, StateData) ->
       wait_for_stream ->
 	  send_header(StateData, ?MYNAME, <<"1.0">>, <<"en">>),
 	  send_element(StateData, ?SERR_SYSTEM_SHUTDOWN),
-	  send_trailer(StateData),
 	  ok;
       _ ->
 	  send_element(StateData, ?SERR_SYSTEM_SHUTDOWN),
-	  send_trailer(StateData),
 	  ok
     end,
     {stop, normal, StateData};
@@ -1809,6 +1790,7 @@ terminate(_Reason, StateName, StateData) ->
 		 ok
 	  end
     end,
+    catch send_trailer(StateData),
     (StateData#state.sockmod):close(StateData#state.socket),
     ok.
 
@@ -2431,7 +2413,6 @@ fsm_next_state(session_established, #state{mgmt_max_queue = exceeded} =
     Err = ?SERRT_POLICY_VIOLATION(StateData#state.lang,
 				  <<"Too many unacked stanzas">>),
     send_element(StateData, Err),
-    send_trailer(StateData),
     {stop, normal, StateData#state{mgmt_resend = false}};
 fsm_next_state(session_established, #state{mgmt_state = pending} = StateData) ->
     fsm_next_state(wait_for_resume, StateData);
diff --git a/src/ejabberd_ctl.erl b/src/ejabberd_ctl.erl
index edec5a07e..7cacc3bbb 100644
--- a/src/ejabberd_ctl.erl
+++ b/src/ejabberd_ctl.erl
@@ -48,7 +48,7 @@
 -behaviour(ejabberd_config).
 -author('alexey@process-one.net').
 
--export([start/0, init/0, process/1,
+-export([start/0, init/0, process/1, process2/2,
 	 register_commands/3, unregister_commands/3,
 	 opt_type/1]).
 
@@ -231,6 +231,10 @@ process(Args, Version) ->
     Code.
 
 %% @spec (Args::[string()], AccessCommands) -> {String::string(), Code::integer()}
+process2(Args, AccessCommands) ->
+    process2(Args, AccessCommands, ?DEFAULT_VERSION).
+
+%% @spec (Args::[string()], AccessCommands, Version) -> {String::string(), Code::integer()}
 process2(["--auth", User, Server, Pass | Args], AccessCommands, Version) ->
     process2(Args, AccessCommands, {list_to_binary(User), list_to_binary(Server),
 				    list_to_binary(Pass), true}, Version);
diff --git a/src/ejabberd_s2s_in.erl b/src/ejabberd_s2s_in.erl
index c8d3cd04e..d8d0a400a 100644
--- a/src/ejabberd_s2s_in.erl
+++ b/src/ejabberd_s2s_in.erl
@@ -325,7 +325,7 @@ wait_for_feature_request({xmlstreamelement, El},
                            {s2s_tls_compression, StateData#state.server},
                            fun(true) -> true;
                               (false) -> false
-                           end, true) of
+                           end, false) of
                         true -> lists:delete(compression_none, TLSOpts1);
                         false -> [compression_none | TLSOpts1]
                     end,
diff --git a/src/ejabberd_s2s_out.erl b/src/ejabberd_s2s_out.erl
index 594fbb2c7..a30f2f438 100644
--- a/src/ejabberd_s2s_out.erl
+++ b/src/ejabberd_s2s_out.erl
@@ -192,7 +192,7 @@ init([From, Server, Type]) ->
                      {s2s_tls_compression, From},
                      fun(true) -> true;
                         (false) -> false
-                     end, true) of
+                     end, false) of
                   false -> [compression_none | TLSOpts4];
                   true -> TLSOpts4
               end,
diff --git a/src/ejabberd_sm.erl b/src/ejabberd_sm.erl
index 4f7cfeeaa..7ab0a5f78 100644
--- a/src/ejabberd_sm.erl
+++ b/src/ejabberd_sm.erl
@@ -66,7 +66,8 @@
 	 get_max_user_sessions/2,
 	 get_all_pids/0,
 	 is_existing_resource/3,
-	 get_commands_spec/0
+	 get_commands_spec/0,
+	 make_sid/0
 	]).
 
 -export([init/1, handle_call/3, handle_cast/2,
@@ -806,6 +807,9 @@ kick_user(User, Server) ->
 	end, Resources),
     length(Resources).
 
+make_sid() ->
+    {p1_time_compat:unique_timestamp(), self()}.
+
 opt_type(sm_db_type) ->
     fun (mnesia) -> mnesia;
 	(internal) -> mnesia;
diff --git a/src/mod_admin_extra.erl b/src/mod_admin_extra.erl
index cb7947876..b12a80007 100644
--- a/src/mod_admin_extra.erl
+++ b/src/mod_admin_extra.erl
@@ -31,7 +31,7 @@
 -include("logger.hrl").
 
 -export([start/2, stop/1, compile/1, get_cookie/0,
-	 remove_node/1, set_password/3,
+	 remove_node/1, set_password/3, check_password/3,
 	 check_password_hash/4, delete_old_users/1,
 	 delete_old_users_vhost/2, ban_account/3,
 	 num_active_users/2, num_resources/2, resource_num/3,
@@ -162,7 +162,7 @@ get_commands_spec() ->
 			result_desc = "Status code: 0 on success, 1 otherwise"},
      #ejabberd_commands{name = check_password, tags = [accounts],
 			desc = "Check if a password is correct",
-			module = ejabberd_auth, function = check_password,
+			module = ?MODULE, function = check_password,
 			args = [{user, binary}, {host, binary}, {password, binary}],
 			args_example = [<<"peter">>, <<"myserver.com">>, <<"secret">>],
 			args_desc = ["User name to check", "Server to check", "Password to check"],
@@ -593,6 +593,9 @@ set_password(User, Host, Password) ->
     Fun = fun () -> ejabberd_auth:set_password(User, Host, Password) end,
     user_action(User, Host, Fun, ok).
 
+check_password(User, Host, Password) ->
+    ejabberd_auth:check_password(User, <<>>, Host, Password).
+
 %% Copied some code from ejabberd_commands.erl
 check_password_hash(User, Host, PasswordHash, HashMethod) ->
     AccountPass = ejabberd_auth:get_password_s(User, Host),
diff --git a/src/mod_register.erl b/src/mod_register.erl
index fee2a2284..c1a7cab81 100644
--- a/src/mod_register.erl
+++ b/src/mod_register.erl
@@ -375,7 +375,7 @@ try_set_password(User, Server, Password, IQ, SubEl,
 		Txt = <<"Empty password">>,
 		IQ#iq{type = error, sub_el = [SubEl, ?ERRT_BAD_REQUEST(Lang, Txt)]};
 	    {error, not_allowed} ->
-		Txt = <<"Chaning password is not allowed">>,
+		Txt = <<"Changing password is not allowed">>,
 		IQ#iq{type = error, sub_el = [SubEl, ?ERRT_NOT_ALLOWED(Lang, Txt)]};
 	    {error, invalid_jid} ->
 		IQ#iq{type = error,
-- 
cgit v1.2.3