Creating a bot-like configuration with ejabberd? - xmpp

How to implement a bot with ejabberd?
The idea is that on my (Debian 7.0 Wheezy) VPS, I'm running ejabberd and there I have a special bot Jabber user with limited set of commands that he can run. Let's call him butler#myvps.foo.
On another box (say, my android phone), I have a Jabber client connected to my account at possibly a third party server. Let's call it me#somewhere.bar.
Now I want ejabberd to:
allow only one specific Jabber ID, me#somewhere.bar to ever communicate with this
butler#myvps.foo.
have everything typed into chat with butler#myvps.foo passed to shell and executed
as a command, possibly in a chrooted or another protected environment (e.g. using
a specific limited user). (And the STDOUT + STDERR returned as a reply, of course.)
I understand there can be security risks, but for now I just want to know if this the way to go.

You can simply write a bot in any language and have it connect to the XMPP server as a client. A list of XMPP client libraries can be found here.
The bot can check the JID in the 'from' attribute of messages it receives to verify identity. It is not generally possible to forge a JID in XMPP, as servers authenticate their clients and also each other. In reality however it is only as secure as the authentication methods used (and the server containing no bugs).
To execute commands and read the results, a PTY is a good easy solution. There are PTY libraries available in many languages, including Python, Ruby and Lua.
You are right that security is an issue, as with any system. Years of effort have gone into securing ssh, and issues still arise occasionally.
It is worth noting that Google's XMPP server does not support encryption for server-to-server connections, so someone on a network between your XMPP server and Google's would be able to see your messages, and potentially modify and/or forge them completely.
And finally, even if they did support encryption for the server-to-server link... Google themselves technically have the ability to send messages as you, and your phone would also be a potential weak point.
Isolating the target process will remove a lot of security concerns. If the server runs on Linux, LXC containers might be a good solution for you.
Hopefully this covers all aspects of your question!

Related

Is there a way to ignore the MOTD from an IRC client?

I'm making an IRC bot for a game to connect the in-game chat to an arbitrary IRC network/channel.
Some users complain that the bot takes too much time to load, and it's because of the bot having to get the MOTD.
Is there a way to ignore the MOTD?
The bot is using the LuaIRC library for IRC protocol handling.
The protocol described in RFC 1459 (section 8.5) defines that the MOTD will be sent to every client that is connecting to an IRC server.
This is part of the connection procedure and if you want to ignore it, you have to manage that on your client. I guess this is not about reading it or ignoring it, but rather not being annoyed by the time spent to make the bot ignore these messages.
If you happen to be the administrators of one of the network you are connecting to, you might want to connect your bot as an IRC operator. Some classes use to be defined for special users or servers in order to make them able to read data faster.
But for the other networks, you will have to find a way to manage this MOTD better, because you will receive it anyway.

Easiest way to make automated SIP phone calls from a web app?

I have a client company with a simple web application (Python Flask) and I need to add a phone notification functionality to it.
The main requirement is that the app should call users, play a certain sound file and accept some tone input ("Hello! This is an automated message from your WebApp account. You have a meeting with $John today at $5pm. Please press 1 to confirm").
The other requirement is that the solution should be relatively cheap and fast to market.
I have done some research already and it seems that there are a few consequent steps to achieve that:
Set up an Asterisk or a FreeSwitch server;
Set up a SIP account;
Write some business logic for the Asterisk server which allows to make calls and play sounds via a SIP account;
Write an API at the Asterisk server and expose it to the Python Flask web app.
Do I miss something here? Can any of the steps be omitted anyhow? Can I do it simpler?
the fastest way to get it working is to use one of the cloud voice services with speech synthesiser. Here's a short list to check out:
Twilio
Tropo
Plivo
Here I listed some details.
Those services charge you per minute, plus you may have to pay some monthly fee.
If you want to run an independent and standalone service, I would recommend FreeSWITCH instead of Asterisk. It's got reach integration possibilities and API. You will need to read the FreeSWITCH book in order to understand how it works and how to build your service.
I agree with Stanislav Sinyagin on the cloud based solutions, but I would add one more, Voxeo Prophecy. Tropo is from Voxeo, but they have offered Prophecy as a solution for a lot longer and it supports the open standards CCXML and VoiceXML. The advantage of CCXML for outbound notification applications is you have a lot more control of the notification process.
The Prophecy platform has excellent call progress analysis (CPA) which will allow you to determine whether a machine or a human answered and handle the call accordingly. For example, it does not make sense to ask a machine to "...press one to confirm". Instead you may want to leave a message that provides a call back number for the user to confirm with after they have listened to the voice message. The CPA can be used to leave a message on a machine at the correct time (when the greeting message has stopped) so that you do not get clipped messages in the voice mail. CPA will also allow you to provide detailed reports on who was notified and for those that did not it can tell you whether it was a bad number (received a SIT tone), a modem or fax answered, or ring-no-answer (pretty rare these days). These type of details can factor into your retry process for failed notifications.
The other advantage to using Prophecy and open standards is your application will be portable to other IVR systems that are VoiceXML/CCXML compatible if you ever want to migrate. Tropo, Twilio, and Plivo all use proprietary API's which does not allow you to move your applications to other services. Prophecy is also available as a software solution so that if you want to take it out of the cloud you can run it on premise. You can get a two port version for free to try it out.
There is excellent documentation on developing outbound notification systems on Voxeo's developer site. Take a look at the CCXML documentation in section F on Outbound Dialing.
Not sure which development languages you are familiar with, but if you are used to ASP.NET MVC there is an open source project called VoiceModel that makes it easier to develop VoiceXML applications. The other advantage of VoiceModel is that you develop your application once and it will run on any VoiceXML compatible platform and Tropo. They are currently working on adding outbound notification support in this project that will work for both Tropo and VoiceXML.
Third party solutions listed are your easy choice. Running your own asterisk is also suitable for what you want to do, but i think for only this much it would be overkill, from an operational perspective.
In asterisk, you can originate a call that has the 2 variables you need with an (basic-authenticated) HTTP request. You will also need some settings and a tiny dialplan. Setting up the SIP account is easier or more difficult, depending on the documentation from the provider. Most of them have detailed documentation for configuring asterisk (not so much so for freeswitch). Keeping the damn thing alive is what's gonna get to you :)

Is it worth customizing an XMPP server? (vs. having client workers)

I've been asked about the possibilities for writing an ejabber module for an internal application. I am opposed to the idea, but I'm not sufficiently familiar with xmpp to support my response, and perhaps I'm wrong.
When google did wave they chose xmpp; and I understand that choice; real time communication between multiple people. Same goal here.
...but it feels to me like a customized server plugin isn't the right answer.
The issues I see are:
1) You lose sync with the server development and have to go through merge hell to ensure security updates, patches, etc. on the server are patched.
2) Any heavy customization of the server means you're probably expecting to be passing special mark up messages to interact with the server plugin; that means you'll have to do heavy client customization as well.
There is an alternative route:
Standard XMPP server. two customized xmpp clients; one for the client and one for the server.
The server client opens a connection to the XMPP server and sits and waits.
Multiple front end clients open connections to the XMPP server and then use xmpp to open connections optionally: 1) to each other and 2) to the server client user.
The front end can then perform real time updates by talking to the server client. It can even subscribe to multiple server client users and have incoming 'activity streams' for multiple different concurrent tasks.
This has the advantages of:
1) You only need to solve the XMPP problem once (client library)
2) Your application server is never externally visible; only the XMPP server is externally visible, which is massive security win.
3) You can use whatever XMPP server infrastructure you want without any issue.
4) You will never have a server update that causes your application server to become 'legacy' and unable to use those apis any more (short of a complete XMPP protocol update).
Downside:
You application server client needs to be complicated enough to handle multiple requests, or have multiple workers or something (but this scales using resource fields and have multiple application servers from different machines connecting to the XMPP network).
...but, I'm not that familiar with the technology.
Is there any reason why the alternative I've suggested would be worse than a customized xmpp server?
XMPP is used in Google Wave/Wave in a Box only for Federation, i.e. only for server to server communications. This is in order to take advantage of existing XMPP capabilities like discovery protocol. The messages are transported in binary form between servers inside XMPP packets. The Web clients use WebSockets/Socket.IO to communicate with the server. Actually that was the reason to argue about developing an alternative pure HTTP based Federation protocol.

How Google Talk server history pulling is implemented?

Google GTalk clients (web, android, windows) have great ability to suck conversation history from server, even though conversations were done an another jabber client.
What jabber (XMPP) functionality (XEP) is used for that or is it some custom thing?
Why no other XMPP client (non Google) has this ability?
P.S. It is programming question, because I am asking about specific XMPP functionality.
It is possible that this is done using message archiving. See XEP-0136: http://xmpp.org/extensions/xep-0136.html
(And with regard to the other answer, this is supported by ejabberd: http://www.ejabberd.im/mod_archive)
Its a property of XMPP server not XMPP/Jabber client. All conversation happens through XMPP Server. So If server wants it can store all the history. As far as I know there is no open source XMPP server which can store history.
Google has it all.
I am not sure, but I think there is no specific XEP for storing history on server.
Server side XEP-0136 (message archiving) can be done with ejabberd + mod_archive (mod_archive_odbc variant with sql backend, for better perfomance) or with openfire server with open archive plugin.
Client side, for XEP-0136 I use vacuum im, http://code.google.com/p/vacuum-im/ , it's open-source and cross platform.

Send emails through VB6 if no email client

I have a VB6 app which is used by a large number of clients.
I need to allow the clients to be able to send emails to me. In the past I have done this using Microsoft MAPI controls. However, not all of them have an email client installed, since they use webmail instead.
Is there any other method anyone can recommend which would allow them to do this?
SMTP
You can use CDO for Windows to do this if we make a few assumptions:
Your users are all on Win2K or later.
The users will never be behind a firewall blocking SMTP or proxying all SMTP port use to a corporate server.
You have an SMTP server that you have an account you can let the user-mails be sent with.
You embed the server's address and account credentials in your program.
Sometimes using an SMTP server listening on an alternate port will address the second issue, but often such an alternate port is even more likely to be blocked.
SMTP is Dying
Abuse over time has made SMTP less and less viable for automated/assisted user contact. There are just too many variables involved in trying to open some sort of "clear channel" for SMTP communication as people work harder to fight spammers and such.
Today I would be much more likely to use either WebDAV or a Web Service for this. Both use HTTP/HTTPS which is more likely to get past firewalls and usually get by most proxy servers as well. WebDAV is often more "slippery" at this than Web Services, which more and more proxies are bocking. You can also use something more RESTful than SOAPy since the traffic "smells more like" user browsing to proxy servers.
WebDAV is a Clean Option
There are even free WebDAV providers offering 2GB of storage with a main and a guest user. The guest account can be given limited rights to various folders so some folders they might post your messages to, other folders they might get data from (read only folders), etc. For a paid account you can get more storage, additional users, etc.
This works well. You can even use the same hosting for program version files, new version code to be downloaded and installed, etc. All you need on your end is an aggregator program that scoops up user posted messages and deletes them using the main user/pw.
You still need to embed user credentials in your program, but it can be a simpler matter to change passwords over time. Just have the program fetch an info file with a new password and an effective date and have the program flip the "new" password to "current" once run on that date or after.
WebDAV support in Windows varies. From WinXP SP3 forward you can simply programmatically map a drive letter to a WebDAV share and then use regular file I/O statements against it, and unmap the letter when done. For more general use across even Win9x you can build a simple WebDAV client on top of XMLHTTPRequest or use a 3rd party library.
Web Services Have Higher Costs
Just to start with you have server-side code to write and maintain, and you have to use a specific kind of hosting. For example if you built it using PHP you need a PHP host, ASP an ASP host, ASP.Net an ASP.Net host, etc.
Web Services can also be more problematic in terms of versioning. If you later update your program to provide different information in these user contact posts you have to make another Web Service as well as changing both the application and the aggregator. Using WebDAV you can just make a "new format" folder on the server and have the new program post the data there in the new format. Your aggregator can simply pull from both folders and do any necessary reformatting into your new local database/message repository format.
This is merely an incremental additional effort though and a Web Service might be the way to go, even if it is just something written like an HTML Form GET/POST acceptor.
Although this question is for VBA you may find it of interest. Sending Emails using VBA without MAPI