Mercurial > prosody-modules
annotate mod_watchuntrusted/mod_watchuntrusted.lua @ 5549:01a0b67a9afd
mod_http_oauth2: Add TODO about disabling password grant
Per recommendation in draft-ietf-oauth-security-topics-23 it should at
the very least be disabled by default.
However since this is used by the Snikket web portal some care needs to
be taken not to break this, unless it's already broken by other changes
to this module.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 16 Jun 2023 00:06:53 +0200 |
parents | 0e78523f8c20 |
children |
rev | line source |
---|---|
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
1 local jid_prep = require "util.jid".prep; |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
2 |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
3 local secure_auth = module:get_option_boolean("s2s_secure_auth", false); |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
4 local secure_domains, insecure_domains = |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
5 module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
6 |
3220
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
7 local ignore_domains = module:get_option_set("untrusted_ignore_domains", {})._items; |
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
8 |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
9 local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep; |
2810
9a3e51f348fe
mod_watchuntrusted send SHA256 by default
Michel Le Bihan <michel@lebihan.pl>
parents:
2346
diff
changeset
|
10 local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors"); |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
11 |
3022
3996437ff64f
mod_watchuntrusted: Actually add the untrusted_message_type option
Kim Alvefur <zash@zash.se>
parents:
3020
diff
changeset
|
12 local msg_type = module:get_option_string("untrusted_message_type", "chat"); |
3996437ff64f
mod_watchuntrusted: Actually add the untrusted_message_type option
Kim Alvefur <zash@zash.se>
parents:
3020
diff
changeset
|
13 |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
14 local st = require "util.stanza"; |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
15 |
1675
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
16 local notified_about_already = { }; |
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
17 |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
18 module:hook_global("s2s-check-certificate", function (event) |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
19 local session, host = event.session, event.host; |
1693
2328cbc41045
mod_watchuntrusted: Skip connections to/from unknown hosts (fixes possible traceback)
Kim Alvefur <zash@zash.se>
parents:
1675
diff
changeset
|
20 if not host then return end |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
21 local conn = session.conn:socket(); |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
22 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
23 |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
24 if not (local_host == module:get_host()) then return end |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
25 |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
26 module:log("debug", "Checking certificate..."); |
3220
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
27 local certificate_is_valid = false; |
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
28 |
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
29 if session.cert_chain_status == "valid" and session.cert_identity_status == "valid" then |
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
30 certificate_is_valid = true; |
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
31 end |
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
32 |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
33 local must_secure = secure_auth; |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
34 |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
35 if not must_secure and secure_domains[host] then |
3220
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
36 must_secure = true; |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
37 elseif must_secure and insecure_domains[host] then |
3220
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
38 must_secure = false; |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
39 end |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
40 |
3220
0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
Michel Le Bihan <michel@lebihan.pl>
parents:
3022
diff
changeset
|
41 if must_secure and not certificate_is_valid and not notified_about_already[host] and not ignore_domains[host] then |
1675
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
42 notified_about_already[host] = os.time(); |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
43 local _, errors = conn:getpeerverification(); |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
44 local error_message = ""; |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
45 |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
46 for depth, t in pairs(errors or {}) do |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
47 if #t > 0 then |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
48 error_message = error_message .. "Error with certificate " .. (depth - 1) .. ": " .. table.concat(t, ", ") .. ". "; |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
49 end |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
50 end |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
51 |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
52 if session.cert_identity_status then |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
53 error_message = error_message .. "This certificate is " .. session.cert_identity_status .. " for " .. host .. "."; |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
54 end |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
55 |
1878
7f96183a60ce
mod_watchuntrusted: Add support for SHA-256 hash in message
Kim Alvefur <zash@zash.se>
parents:
1877
diff
changeset
|
56 local replacements = { |
1926
4c4a4191b825
mod_watchuntrusted: Add a fallback string as hash if no certificate was provided
Kim Alvefur <zash@zash.se>
parents:
1878
diff
changeset
|
57 sha1 = event.cert and event.cert:digest("sha1") or "(No certificate)", |
4c4a4191b825
mod_watchuntrusted: Add a fallback string as hash if no certificate was provided
Kim Alvefur <zash@zash.se>
parents:
1878
diff
changeset
|
58 sha256 = event.cert and event.cert:digest("sha256") or "(No certificate)", |
1878
7f96183a60ce
mod_watchuntrusted: Add support for SHA-256 hash in message
Kim Alvefur <zash@zash.se>
parents:
1877
diff
changeset
|
59 errors = error_message |
7f96183a60ce
mod_watchuntrusted: Add support for SHA-256 hash in message
Kim Alvefur <zash@zash.se>
parents:
1877
diff
changeset
|
60 }; |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
61 |
3020
ec671ad1a8a9
mod_watchuntrusted: Add option for which message 'type' to use on notifications
Kim Alvefur <zash@zash.se>
parents:
2887
diff
changeset
|
62 local message = st.message({ type = msg_type, from = local_host }, |
2887
65082d91950e
Many modules: Simplify st.message(…):tag("body"):text(…):up() into st.message(…, …)
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
2810
diff
changeset
|
63 untrusted_fail_notification:gsub("%$([%w_]+)", function (v) |
65082d91950e
Many modules: Simplify st.message(…):tag("body"):text(…):up() into st.message(…, …)
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
2810
diff
changeset
|
64 return event[v] or session and session[v] or replacements and replacements[v] or nil; |
65082d91950e
Many modules: Simplify st.message(…):tag("body"):text(…):up() into st.message(…, …)
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents:
2810
diff
changeset
|
65 end)); |
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
66 for jid in untrusted_fail_watchers do |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
67 module:log("debug", "Notifying %s", jid); |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
68 message.attr.to = jid; |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
69 module:send(message); |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
70 end |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
71 end |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
72 end, -0.5); |
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
73 |
1675
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
74 module:add_timer(14400, function (now) |
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
75 for host, time in pairs(notified_about_already) do |
2346
dd1f0173f538
mod_watchuntrusted: Fix backwards time comparison
Kim Alvefur <zash@zash.se>
parents:
1926
diff
changeset
|
76 if time + 86400 < now then |
1675
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
77 notified_about_already[host] = nil; |
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
78 end |
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
79 end |
1877
055b39c08fd0
mod_watchuntrusted: Fix periodic cleanup to run more than once
Kim Alvefur <zash@zash.se>
parents:
1693
diff
changeset
|
80 return 14400; |
1675
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
81 end) |