How to set_room_affiliation for mod_muc in ejabberd? - ejabberd

Hi am using ejabberd version 16.04 for my chat application and am using mod_rest for creating a muc room and for sending room invitation, now what i need is to set_room_affiliation for a particular mod_muc but its says error could some one help me out please...!!!
Below is the argument am passing for each respective ejabberd commands
Creating a Team
{"key": "secret","command": "create_room","args": ["kandan_team","conference","kandan.com"]}
Team got created. Passed...!!!
For sending Room Invitation to user 1
{"key": "secret","command": "send_direct_invitation","args": ["kandan_team","conference","none", "team_inviataion", "user1#kandan.com"]}
Inviatation sent successfully..!!! Passed..!!!
For sending Room Invitation to user 2
{"key": "secret","command": "send_direct_invitation","args": ["kandan_team","conference","none", "team_inviataion", "user2#kandan.com"]}
Inviatation sent successfully..!!! Passed..!!!
For removing user1 from team
{"key":"secret","command":"set_room_affiliation","args":["kandan_team", "conference", "user1#kandan.com", "outcast"]}
Couldn't remove user1 and saying as error..! Failed..!!!
Ejabberd.yml file configuration for mod_rest
mod_restful:
api:
- path: ["admin"]
module: mod_restful_admin
params:
key: "secret"
allowed_commands: [register, unregister,status, add_rosteritem, create_room, send_direct_invitation, set_room_affiliation]
- path: ["register"]
module: mod_restful_register
params:
key: "secret"
So can someone help me out how to set_room_affiliation please ...!!!

I found the answer, i created muc with wrong service that was the issue.Instead of creating muc with below service i created in other way..!!!
{"key": "secret","command": "create_room","args": ["kandan_team","conference.kandan.com","kandan.com"]}

Related

How to secure a Google Cloud Function with API Gateway and CORS?

I created an API Gateway which uses the x-google-backend to a cloud functions.
When I tried to access it via browser I received a CORS error so I researched and find a solution by adding this to the OpenAPI config where the address part is the same as the cloud function.
options:
operationId: cors
x-google-backend:
address: https://europe-west3-myproject.cloudfunctions.net/api/query
responses:
'200':
description: A successful response
This works! So I removed the public access to the cloud function and gave the gateway service account access to it and tried again.
Which gave me a permission error. After research I found this post explaining the problem and giving me a solution to fix it.
The issue was that I call my define the cloud function with an additional path to call query. I added this to the OpenAPI config:
jwt_audience: https://europe-west3-myproject.cloudfunctions.net/api
So I tried it again in Postman and it works, however in the browser I now get again a CORS error.
So now I am at square one... what should I do?
Here is my complete OpenAPI config:
# openapi2-functions.yaml
swagger: '2.0'
info:
version: 1.0.0
schemes:
- https
produces:
- application/json
paths:
/query:
post:
operationId: api
parameters:
- in: "body"
name: "message"
schema:
$ref: '#/definitions/messasge'
x-google-backend:
address: https://europe-west3-myproject.cloudfunctions.net/api/query
jwt_audience: https://europe-west3-myproject.cloudfunctions.net/api
x-google-quota:
metricCosts:
"read-requests": 1
security:
- api_key: []
responses:
'200':
description: A successful response
schema:
type: string
options:
operationId: cors
x-google-backend:
address: https://europe-west3-myproject.cloudfunctions.net/api/query
responses:
'200':
description: A successful response
securityDefinitions:
# This section configures basic authentication with an API key.
api_key:
type: "apiKey"
name: "key"
in: "query"
x-google-management:
metrics:
# Define a metric for read requests.
- name: "read-requests"
displayName: "Read requests"
valueType: INT64
metricKind: DELTA
quota:
limits:
# Define the limit or the read-requests metric.
- name: "read-limit"
metric: "read-requests"
unit: "1/min/{project}"
values:
STANDARD: 100
definitions:
chatmessage:
type: "object"
properties:
id:
type: string
description: session id
example: "2vr34524tg3"
query:
type: string
description: message
example: "Hello"
required:
- id
- query
According to the documentation Cross-Origin Resource Sharing (CORS) on Cloud Functions has some limitations:
CORS preflight requests are sent without an Authorization header, so they will be rejected on all non-public HTTP Functions. Because the preflight requests fail, the main request will also fail.
To overcome this limitation in your case the mentioned documentation recommends to deploy a Cloud Endpoints proxy and enable CORS. Also you might find useful the Support CORS documentation page for a description of available CORS support options

Amazon ASK CLI Alexa Update Skill not working

I've created an Alexa skill based on the Hello World template using the ASK CLI. The skill is called demo-skill. I want to use the ask api update-skill command to update the skill to reflect local changes that I've made to the en-US.json file in the demo-skill project structure. This is the command I'm using:
ask api update-skill --skill-id <my skill id> --file <my working directory>/demo-skill/models/en-US.json
This is the error I'm receiving:
Call update-skill error.
Error code: 400
{
"message": "Skill manifest is not valid.",
"violations": [
{
"code": "INVALID_REQUEST_PARAMETER",
"message": "Instance at property path \"$\" has an invalid number of properties. Actual properties: 0, Minimum properties: 1",
"validationDetails": {
"originalInstance": {
"propertyPath": "$",
"type": "BODY"
},
"reason": {
"actualProperties": 0,
"minimumProperties": 1,
"type": "INVALID_NUMBER_OF_PROPERTIES"
}
}
}
]
}
Can someone please explain what parameter is missing here and how can I update a skill using the CLI if what I'm doing is wrong?
The command you are using is to update the schema of the skill, vs the interaction model.
The corollary to 'get' the schema is:
ask api get-skill -s {skill_id} --stage development > skill.json
If you turn around and put the output of that command into your command:
ask api update-skill --skill-id <my skill id> --file skill.json
you should find that the command executes successfully.
You may be looking for:
ask api update-model <-s|--skill-id <skillId>> <-f|--file <fileName>> <-l|--locale <locale>> [-g|--stage <stage>] [-d|--description <description>] [-p|--profile <profile>] [--debug]
Here are the docs for that:
ASK CLI command reference

isGranted returns false for logged in user JWT - Symfony API-Platform AWS-EB

I have deployed an API-Platform app using JWT token to ElasticBeanstalk which, as usual, works fine in my local server.
On EB though it is denying access to logged in users despite the correct BearerToken being provided.
This is the error thrown:
{
"errors": [
{
"message": "Access Denied.",
"extensions": {
"category": "graphql"
},
"locations": [
{
"line": 6,
"column": 9
}
],
"path": [
"retrievedQueryUser"
]
}
],
"data": {
"retrievedQueryUser": null
}
}
The query in question attempts to retrieve user profile info through the below graphql config:
* "retrievedQuery"={
* "item_query"=UserProfileResolver::class,
* "normalization_context"={"groups"={"get-owner"}},
* "security"="is_granted('IS_AUTHENTICATED_FULLY') and object == user"
* },
So, it should be a simple matter of checking if the users IS_AUTHENTICATED_FULLY and if it is the user him/herself trying to execute the query.
Far as I could tell, by dump below on /vendor/symfony/security-core/Authorization/AuthorizationChecker.php, it's failing to retrieve a token.
var_dump($this->tokenStorage->getToken()->getUser()->getUsername());
I did a cursory comparison of phpinfo() between my local installation and the one at AWS-EB and could not find any obvious mismatch.
This is the config for JWT at /config/packages/lexik_jwt_authentication.yaml.
lexik_jwt_authentication:
secret_key: '%env(resolve:JWT_SECRET_KEY)%'
public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
pass_phrase: '%env(JWT_PASSPHRASE)%'
user_identity_field: email
token_ttl: 1800
Just to confirm that the users are able to login. It's passing through the isGranted() check that fails.
Any ideas?
EDIT - add `/config/packages/security.yaml
security:
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
encoders:
App\Entity\User:
algorithm: auto
#algorithm: bcrypt
#algorithm: argon2i
cost: 12
providers:
database:
entity:
class: App\Entity\User
property: email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
refresh:
pattern: ^/api/token/refresh
stateless: true
anonymous: true
api:
pattern: ^/api
stateless: true
anonymous: true
json_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
guard:
authenticators:
- app.google_login_authenticator
- App\Security\TokenAuthenticator
entry_point: App\Security\TokenAuthenticator
user_checker: App\Security\UserEnabledChecker
access_control:
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin, roles: ROLE_SUPERADMIN }
- { path: ^/api/token/refresh, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
role_hierarchy:
ROLE_PROVIDER: ROLE_USER
ROLE_ADMIN: [ROLE_PROVIDER, ROLE_EDITOR]
ROLE_SUPERADMIN: ROLE_ADMIN
Upon further research I found out that Apache was stripping the authorization token from the request.
On the method supports of /lexik/jwt-authenticator-bundle/Security/Guard/JWTTokenAuthenticator, the dump as below will not include the token on AWS:
var_dump($request->headers->all());
var_dump($_SERVER);
As per this question, this is an issue of Apache configuration which is not accepting the authorization headers.
The indicated solution is to add the following to .htaccess:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
This resolves the issue, though one should note that the local Apache installation works fine without the above edit to .htaccess.
So, it should also be possible to change Apache config directly, but I could not find how to go about it.
EDIT: Later I found a specific instruction on 'JWT-Token' docs as follows, that confirm that solution on this link.

AuthZForce-PEP-IDM Always allow access even when user doesnt have permission for specific resource

I created user and gave him only one role.(Member)
Currently this role doesn't have any permission with any Http verb nor path.
This is my user:
{
organizations: [1]
0: {
website: ""
description: "AREAS"
roles: [1]
0: {
name: "Member"
id: "09dc1bdba42c48de9e15e88816284cbc"
}-
-
enabled: true
id: "363ac390cfc94aa293e02547afa78256"
domain_id: "default"
name: "AREAS"
}-
-
displayName: "root"
roles: [0]
app_id: "aea8f4a70b87422cb48068db9f0c6aea"
email: "root"
id: "root"
}
Now, when i try to do GET request on address: http://localhost/parameters/search_tables/
for which this user don't have permission,
it allows me access and redirects me nonetheless.
This is log from pep proxy:
2015-11-13 14:55:53.446 - INFO: IDM-Client - Checking token with IDM...
2015-11-13 14:55:53.484 - INFO: AZF-Client - Checking auth with AZF...
2015-11-13 14:55:53.484 - INFO: AZF-Client - Checking authorization
to roles [ '09dc1bdba42c48de9e15e88816284cbc' ] to do GET
on parameters/search_tables/ and app aea8f4a70b87422cb48068db9f0c6aea
2015-11-13 14:55:53.508 - INFO: Root - Access-token OK. Redirecting to app...
Refused to set unsafe header "accept-encoding"
Refused to set unsafe header "cookie"
My config file regarding authorization is:
config.azf = {
enabled: true,
host: '192.168.4.180',
port: 8080,
path: '/authzforce/domains/afb096b2-8951-11e5-980f-6bf3c4dac98a/pdp'
};
config.public_paths = [];
config.tokens_engine = 'oauth2';
My Pap policy is:
<PolicySet PolicySetId="default" Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.1:policy-combining-
algorithm:ordered-permit-overrides">
<Target />
<Policy PolicyId="permit-all" Version="1.0"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.1:rule-combining-
algorithm:ordered-permit-overrides">
<Target />
<Rule RuleId="permit-all" Effect="Permit" />
</Policy>
</PolicySet>
How should i formulate my PAP policy to enable authorization level2, to use only http verb and resource path for authorization?
By default, Authzforce PAP permits all when no policy is added. Check if your PAP has the right information:
GET
/domains/{domainId}/pap/policySet
Edit 1:
In order to be able to connect with Authzforce, you need to configure some Authzforce parameters into your IdM instance:
ACCESS_CONTROL_URL at fiware-idm/horizon/openstack_dashboard/local/local_settings.py
and
ACCESS_CONTROL_MAGIC_KEY at fiware-idm/horizon/openstack_dashboard/local/local_settings.py
Then, just go to IdM, and check that the permissions and roles are well configured. Sometimes, you have to 'trigger' the policy generation in IdM by going to your application -> manage roles and just click 'save' to trigger the XACML generation.

BOSH implementation on ejabberd

I tried to start BOSH on ejabberd. My ejabberd.cfg snippet is below:
{5280, ejabberd_http, [
{request_handlers, [
{["xmpp-httpbind"], mod_http_bind}
]},
captcha,
http_bind,
http_poll,
web_admin
]}
http://localhost:5280/http-bind fails to open any page.
And my client getting this response from server
Sent XML:
<iq to='localhost' id='uid:50502b03:00004823' type='get' x
mlns='jabber:client'><query xmlns='jabber:iq:auth'><username>anurag</username></
query></iq>
Received XML:
<iq xmlns='jabber:client' from='localhost' id='uid:505
029df:00004823' type='error'><error code='503' type='cancel'><service-unavailabl
e xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/></error></iq>
Sent XML: </stream:stream>
auth failed. reason: 0
ce: 18
I am using gloox library to create a client.
Did you add {mod_http_bind, []} to your modules section?