Why are "self-addressed" privileged IQs forwarded back to the sending component?

[mtstickney]

When mod_privilege is enabled and a component sends a privileged IQ where the recipient is the same as the impersonated user:

<iq id="priv_iq_1" from="matridge.aptnet.home.arpa" to="[email protected]" type="get">
  <privileged_iq xmlns='urn:xmpp:privilege:2'>
    <iq xmlns='jabber:client' id="b212a556567e4a53aa42b5ca9658e9d5"
        type="get"
        to="[email protected]">
      <pubsub xmlns="http://jabber.org/protocol/pubsub"><items node="urn:xmpp:avatar:metadata" /></pubsub>
    </iq>
  </privileged_iq>
</iq>

Then this transform rewrites the packet to wrap it in <privilege><forwarded>..</forwarded></privilege>, and sends a new IQ from the impersonated user to the privileged component with the original request type and the <privilege> payload:

<iq to='matridge.aptnet.home.arpa' from='[email protected]' type='get' id='priv_iq_1'>
  <privilege xmlns='urn:xmpp:privilege:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <iq to='[email protected]' from='[email protected]' type='get' id='b212a556567e4a53aa42b5ca9658e9d5' xmlns='jabber:client'>
        <pubsub xmlns='http://jabber.org/protocol/pubsub'><items node='urn:xmpp:avatar:metadata'/></pubsub>
      </iq>
    </forwarded>
  </privilege>
</iq>

Why does ejabberd do this rewrite in this specific case? There's no comment about it in the code, and it was added as part of the larger blob implementing XEP-0356 support, so there's no detail in the commit message about what this is for.

This looks like the mechanism XEP-0356 specifies for wrapping and returning the results of privileged IQs (section 6.3, particularly Example 11), but as far as I can tell there's no mention of forwarding requests in this manner.

In general, I don't think it's safe to assume that the sending component is in a position to satisfy this request, forwarded or not, so I'm not sure this should be routed back to the original component; besides that, XEP-0356 is set up so that privileged IQ requests are transparent to the recipient entity:

[...] it can then send the encapsulated as if it were sent by Juliet herself (the only difference is that the 'from' attribute has no resource while it would have the resource of Juliet's client if she was sending it herself)

That's not the case here, because the original IQ has been wrapped up in a forwarding and privilege element, so the receiving entity (which is the original sending component, in this case) would need to be set up to check for those in order to satisfy the request, unlike a regular non-privileged IQ request with the same payload.

In real-world practical terms, this shows up in slidge-based transports, which are using these "self-addressed" privileged IQs to create and manage MDS pubsub nodes -- I haven't looked into it enough to know if that's the correct/reasonable way to do that, but at least on the surface it seems like a plausible use-case.

Finally, ejabberd seems to be doing all the right things as long as the recipient and impersonated user aren't the same, and the packet rewrite doesn't trigger -- the server receives the IQ response, and correctly wraps the response up and forwards it back to the sending component. I'm inclined to just remove that packet-rewrite, but I'd like to know why it's there first.

[mtstickney]

Ah, this seems important: removing the packet rewrite seems to interfere with the correct wrapping and routing of privileged-IQ response packets (when the recipient and impersonated users are not the same, the packet ends up being dropped as indicated in the logs below).

I guess I need to check the details, but what seems to be happening here is that rewrite was meant to handle the forwarding of response packets only, and the bug is that it treats self-addressed request packets as response packets.

2025-01-28 15:59:34.561 [debug] Route:
#iq{
 id = <<"b212a556567e4a53aa42b5ca9658e9d5">>,type = result,lang = <<>>,
 from =
  #jid{
   user = <<"admin">>,server = <<"aptnet.home.arpa">>,resource = <<>>,
   luser = <<"admin">>,lserver = <<"aptnet.home.arpa">>,lresource = <<>>},
 to =
  #jid{
   user = <<"admin">>,server = <<"aptnet.home.arpa">>,resource = <<>>,
   luser = <<"admin">>,lserver = <<"aptnet.home.arpa">>,lresource = <<>>},
 sub_els =
  [#pubsub{
    subscriptions = undefined,subscription = undefined,
    affiliations = undefined,publish = undefined,publish_options = undefined,
    subscribe = undefined,unsubscribe = undefined,options = undefined,
    items =
     #ps_items{
      xmlns = <<>>,node = <<"urn:xmpp:avatar:metadata">>,
      items =
       [#ps_item{
         xmlns = <<>>,id = <<"67a6a4e90b6a2549e33ab65f7fd59f1c08baf8fa">>,
         sub_els =
          [#xmlel{
            name = <<"metadata">>,
            attrs = [{<<"xmlns">>,<<"urn:xmpp:avatar:metadata">>}],
            children =
             [#xmlel{
               name = <<"info">>,
               attrs =
                [{<<"bytes">>,<<"43950">>},
                 {<<"id">>,<<"67a6a4e90b6a2549e33ab65f7fd59f1c08baf8fa">>},
                 {<<"type">>,<<"image/png">>},
                 {<<"height">>,<<"159">>},
                 {<<"width">>,<<"160">>}],
               children = []}]}],
         node = <<>>,publisher = <<>>}],
      max_items = undefined,subid = <<>>,retract = undefined},
    retract = undefined,create = undefined,configure = undefined,
    default = undefined,delete = undefined,purge = undefined,rsm = undefined}],
 meta =
  #{privilege_iq =>
     {<<"priv_iq_1">>,<<"matridge.aptnet.home.arpa">>,
      #jid{
       user = <<"admin">>,server = <<"aptnet.home.arpa">>,resource = <<>>,
       luser = <<"admin">>,lserver = <<"aptnet.home.arpa">>,
       lresource = <<>>}}}}
2025-01-28 15:59:34.561 [debug] Dispatching packet
2025-01-28 15:59:34.561 [debug] Local route:
#iq{
 id = <<"b212a556567e4a53aa42b5ca9658e9d5">>,type = result,lang = <<>>,
 from =
  #jid{
   user = <<"admin">>,server = <<"aptnet.home.arpa">>,resource = <<>>,
   luser = <<"admin">>,lserver = <<"aptnet.home.arpa">>,lresource = <<>>},
 to =
  #jid{
   user = <<"admin">>,server = <<"aptnet.home.arpa">>,resource = <<>>,
   luser = <<"admin">>,lserver = <<"aptnet.home.arpa">>,lresource = <<>>},
 sub_els =
  [#pubsub{
    subscriptions = undefined,subscription = undefined,
    affiliations = undefined,publish = undefined,publish_options = undefined,
    subscribe = undefined,unsubscribe = undefined,options = undefined,
    items =
     #ps_items{
      xmlns = <<>>,node = <<"urn:xmpp:avatar:metadata">>,
      items =
       [#ps_item{
         xmlns = <<>>,id = <<"67a6a4e90b6a2549e33ab65f7fd59f1c08baf8fa">>,
         sub_els =
          [#xmlel{
            name = <<"metadata">>,
            attrs = [{<<"xmlns">>,<<"urn:xmpp:avatar:metadata">>}],
            children =
             [#xmlel{
               name = <<"info">>,
               attrs =
                [{<<"bytes">>,<<"43950">>},
                 {<<"id">>,<<"67a6a4e90b6a2549e33ab65f7fd59f1c08baf8fa">>},
                 {<<"type">>,<<"image/png">>},
                 {<<"height">>,<<"159">>},
                 {<<"width">>,<<"160">>}],
               children = []}]}],
         node = <<>>,publisher = <<>>}],
      max_items = undefined,subid = <<>>,retract = undefined},
    retract = undefined,create = undefined,configure = undefined,
    default = undefined,delete = undefined,purge = undefined,rsm = undefined}],
 meta =
  #{privilege_iq =>
     {<<"priv_iq_1">>,<<"matridge.aptnet.home.arpa">>,
      #jid{
       user = <<"admin">>,server = <<"aptnet.home.arpa">>,resource = <<>>,
       luser = <<"admin">>,lserver = <<"aptnet.home.arpa">>,
       lresource = <<>>}}}}
2025-01-28 15:59:34.562 [debug] Running hook :sm_receive_packet: :mod_mam::sm_receive_packet/1
2025-01-28 15:59:34.562 [debug] Running hook :bounce_sm_packet: :ejabberd_sm::bounce_sm_packet/1
2025-01-28 15:59:34.562 [debug] Dropping packet to unavailable resource:
#iq{
 id = <<"b212a556567e4a53aa42b5ca9658e9d5">>,type = result,lang = <<>>,
 from =
  #jid{
   user = <<"admin">>,server = <<"aptnet.home.arpa">>,resource = <<>>,
   luser = <<"admin">>,lserver = <<"aptnet.home.arpa">>,lresource = <<>>},
 to =
  #jid{
   user = <<"admin">>,server = <<"aptnet.home.arpa">>,resource = <<>>,
   luser = <<"admin">>,lserver = <<"aptnet.home.arpa">>,lresource = <<>>},
 sub_els =
  [#pubsub{
    subscriptions = undefined,subscription = undefined,
    affiliations = undefined,publish = undefined,publish_options = undefined,
    subscribe = undefined,unsubscribe = undefined,options = undefined,
    items =
     #ps_items{
      xmlns = <<>>,node = <<"urn:xmpp:avatar:metadata">>,
      items =
       [#ps_item{
         xmlns = <<>>,id = <<"67a6a4e90b6a2549e33ab65f7fd59f1c08baf8fa">>,
         sub_els =
          [#xmlel{
            name = <<"metadata">>,
            attrs = [{<<"xmlns">>,<<"urn:xmpp:avatar:metadata">>}],
            children =
             [#xmlel{
               name = <<"info">>,
               attrs =
                [{<<"bytes">>,<<"43950">>},
                 {<<"id">>,<<"67a6a4e90b6a2549e33ab65f7fd59f1c08baf8fa">>},
                 {<<"type">>,<<"image/png">>},
                 {<<"height">>,<<"159">>},
                 {<<"width">>,<<"160">>}],
               children = []}]}],
         node = <<>>,publisher = <<>>}],
      max_items = undefined,subid = <<>>,retract = undefined},
    retract = undefined,create = undefined,configure = undefined,
    default = undefined,delete = undefined,purge = undefined,rsm = undefined}],
 meta =
  #{privilege_iq =>
     {<<"priv_iq_1">>,<<"matridge.aptnet.home.arpa">>,
      #jid{
       user = <<"admin">>,server = <<"aptnet.home.arpa">>,resource = <<>>,
       luser = <<"admin">>,lserver = <<"aptnet.home.arpa">>,
       lresource = <<>>}}}}