
update upstream #17

Merged
merged 725 commits into from
Aug 25, 2023

Conversation

mightymop
Owner

No description provided.

guusdk and others added 30 commits October 21, 2022 10:47
Co-authored-by: Dan Caseley <dan@caseley.me.uk>
Co-authored-by: Dan Caseley <dan@caseley.me.uk>
This introduces a small utility class to centralize the configuration of Trunking, and updates the API for using configuration properties. Finally, a new enable/disable flag is added, instead of depending on the non-emptiness of the collection of domains to trunk for.
Co-authored-by: Dan Caseley <dan@caseley.me.uk>
…erDialback.java

Co-authored-by: Dan Caseley <dan@caseley.me.uk>
…ting

OF-2525: Deprecate non-persisting XMLProperties API
OF-2415: Allow empty plugins directory at boot time in Docker entrypoint
Instead of allowing only singular IP addresses, also allow IP ranges when defining access control lists.
Java's javax.servlet.ServletRequest#getRemoteAddr normalizes an IPv6 address to be an IPv6 literal, using brackets. This commit undoes that operation, to improve comparison with other addresses.
XEP-0060 defines, amongst many others, the 'multi-items' service discovery feature.

This feature can be advertised by a pubsub service, when clients are allowed to configure a node in such a way that it can accept more-than-one item, by:

- setting `persist_items` to `true`
- setting `max_items` to a value higher than 1.

Openfire allows for both. It can/should advertise the feature `http://jabber.org/protocol/pubsub#multi-items` on its pubsub services.
OF-2537: Advertise support for pubsub's 'multi-item' feature
When deleting a property, its child properties are expected to be deleted.

The original code would also delete properties that shared a common prefix. That is fixed by this commit.
ZipSlip is possible only when explicitly enabled by an administrator. No need to have a static analyzer alert for this particular case.
The pubsub node configuration option `pubsub#deliver_payloads` is defined in XEP-0060 to control if payloads are included in pubsub notification events. Openfire should not use it to determine if payloads are to be included when answering item retrievals (those should _always_ have payloads, if they exist on the item).
This overrides the default name (pool-x-thread-y) used for threads generated by an executor service to something that is more identifiable. Should not introduce functional changes.
This adds functionality that allows mocking statics.
Let's decouple the stream ID and resource identifier that's used by default. This should help make both less predictable.
The value of `xmpp.server.tls.policy` is an enum. It should not be evaluated as a boolean.
This is a commit that cleans up most of the warnings that IntelliJ shows when looking at the admin console JSP pages.

Also, styling has been made more consistent where opportune: re-use of the various taglibs has been improved, and custom styling has been removed.

I've not been very careful: I've applied some global search/replaces, that could have unexpected side-effects. We should test this more than what I have done so far.
This cleans up almost all IDE warnings in the HTML that is Openfire's documentation.

A similar HTML structure has been applied to all pages, which has been updated to something a bit more HTML5-ish.

Dropped the wildfire migration documentation.

I've updated some, but not all, of the texts (eg: depend on Java 11, use Maven, not Ant, drop references to Windows 95/98).
guusdk and others added 29 commits July 26, 2023 12:19
The Connection interface defines methods to read the configuration of TLS and compression policies, even though these are also defined by the ConnectionConfiguration instance that is used to create the connection.

It is undesirable to have the configuration of a connection be defined in various places, or be modified after the original connection has been applied.

This commit removes the duplication, and ensures that connection configuration is applied as soon as the instance is created.

As a side-effect, this solves an issue with the new Netty code, that never explicitly sets the tlsPolicy on the connection.

The single functional aspect of the separation of tlsPolicy between connection and configuration (prior to this change) was the following: the state of the connection-tlsPolicy was used to implicitly define if a session was initialized (this was used to close a connection that was sending unencrypted data, when its configuration required encryption). This commit replaces that implicit definition by a new, explicit `isInitialized` method on the Connection interface.
…lexer connections

We can now deprecate (and remove) all NIO components that were built using the Apache MINA framework
We were seeing resource limit issues (too many open files) when running Outgoing S2S tests. This was caused by the outbound session initialisation failing to clean up its NioEventLoopGroup in many scenarios.
When the identity store does not contain any certificates, inbound TLS will never be able to succeed. In such cases, let's not advertise the StartTLS feature.
By waiting for handshake to complete before attempting SASL
… LocalOutboundServerSessionTest pass.

Also add generic typing for Connection.starttls return type, some tidy up of comments and WIP code.
…penfire into OF-2559_mina-to-netty

# Conflicts:
#	xmppserver/src/main/java/org/jivesoftware/openfire/net/VirtualConnection.java
#	xmppserver/src/main/java/org/jivesoftware/openfire/nio/NettyConnection.java
Prior to this commit handlers were being shared across all sessions. Now a new handler is instantiated per connection/session.
Prior to this commit SSL Handshake events were not making it down the netty pipeline to our client connection handler (aka business logic handler). This meant that inbound connections were never set to encrypted=true causing the session to be abandoned when TLS was required.
The old implementation (still used by ServerDialback) is unable to negotiate a TLS 1.3 connection. Netty-based connections can use TLS 1.3.
OF-2559: Introduce Netty for S2S & C2S
When a user is requesting a data form, try to localize the text in the form according to the user's preferred language.

In this commit, the preferred language is being obtained from the session of a locally connected user. This will not work for federated users.

As a fallback, the default language as configured in Openfire is used (as is already the case prior to this commit).
Key and Trust material is used when creating an SSL context. Openfire provides custom implementations, that tie into its own keystores (the 'identity' and 'key' stores).

In one of the new SslContext creation methods that are specific to Netty, Openfire's custom truststore was never added to the context that was being created. As a result, trust material that is configured to be used by Openfire was not. This problem might not always be apparent, as I believe that without explicit configuration, default Java trust material is used. There will be much overlap between generally accepted trust material in Openfire's keystores, and the defaults in Java.

This commit adds Openfire's specific trust store to the SSL context that is going to be used by Netty.
A slight refactoring that takes away the need to perform a call that almost implicitly prepares a to-be-used lazy-loaded field.
This might have been a problem that existed in the code for a long time, but only popped up with the migration from MINA to Netty: that's when ServerStanzaHandler started being used in anger.

ServerStanzaHandler is invoked to create a session. The code more or less assumes that this always happens.

When a session is not created, the code should inform the peer that something went wrong. Without that, the peer is left hanging.

In this commit, any attempt to create a session that does not lead to a session being created results in a stream error being returned to the peer, after which the connection is forcefully closed.
When Openfire is configured to require TLS for S2S, the StartTLS feature that’s advertised should be marked as being “required”. It currently is only when Dialback is not available (making TLS needed for authentication purposes).
* feat: add IdleState handling for outbound connections so that they are automatically closed when idle as with inbound connections

* fix: implement correct maxIdleTime in NettyOutboundConnectionHandler

* fix: NettyIdleStateKeepAliveHandler should call close on connection not the channel context.

Closing the connection should cascade and close both session and Netty channel

* feat: add IdleState handling for outbound connections so that they are automatically closed when idle as with inbound connections

* fix: implement correct maxIdleTime in NettyOutboundConnectionHandler

* fix: NettyIdleStateKeepAliveHandler should call close on connection not the channel context.

Closing the connection should cascade and close both session and Netty channel

* OF-2559: Comment to explain hard-coded startTls(false)

* fix: OF-2559 - cleanup Connection & session when channel unregistered to prevent NPE in session summary

* fix: OF-2559 - add null check for connection close

* Fix server-session-details NPE

JSP resolvers are unable to resolve default properties on interfaces. NPEs were caused by the failure to resolve the new default methods on the ServerSession interface (e.g. `ServerSession#isUsingServerDialback()`)

See this post for further details:

https://stackoverflow.com/questions/35130290/property-not-found-on-type-when-using-interface-default-methods-in-jsp-el

* fix: OF-2559 - fix for compression pipeline position

* fix: OF-2559 - unique names for compression handlers

---------

Co-authored-by: Alex Gidman <alex.gidman@surevine.com>
Previous fix missed two instances of the troublesome properties.

JSP resolvers are unable to resolve default properties on interfaces. NPEs were caused by the failure to resolve the new default methods on the ServerSession interface (e.g. `ServerSession#isUsingServerDialback()`)

See this post for further details:

https://stackoverflow.com/questions/35130290/property-not-found-on-type-when-using-interface-default-methods-in-jsp-el
The firewall section of the install guide should make it clear that even though the admin console _can_ be exposed to the general internet, it should not be.

By highlighting port numbers and using paragraphs per subject, the text becomes easier to consume.

The old text discarded the DirectTLS ports. At some point in time, it was believed that these would be phased out. As that's not the case, they should be mentioned in the guide.
* fix: OF-2559 - cleanup Connection & session when channel unregistered to prevent NPE in session summary

* fix: OF-2559 - add null check for connection close

* fix: OF-2641 - do not validate host for S2S connections (restores previous behaviour)
mightymop merged commit 8ff38b2 into mightymop:master Aug 25, 2023
5 of 6 checks passed