annotate mod_watchuntrusted/mod_watchuntrusted.lua @ 5549:01a0b67a9afd

mod_http_oauth2: Add TODO about disabling password grant

Per recommendation in draft-ietf-oauth-security-topics-23 it should at the very least be disabled by default. However since this is used by the Snikket web portal some care needs to be taken not to break this, unless it's already broken by other changes to this module.
author Kim Alvefur <zash@zash.se>
date Fri, 16 Jun 2023 00:06:53 +0200
parents 0e78523f8c20
children
Changesets annotated in this file (each listed once, with the source lines attributed to it):

rev 1188, 5eaecb7f680d, Thijs Alkemade <me@thijsalkema.de>
  mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
  lines 1-6, 9, 11, 14-15, 18-19, 21-26, 33-35, 37, 39-40, 43-55, 61, 66-73
rev 1675, 116488cced16, Kim Alvefur <zash@zash.se>, parents: 1188
  mod_watchuntrusted: Only notify once per host per day
  lines 16-17, 42, 74-75, 77-79, 81
rev 1693, 2328cbc41045, Kim Alvefur <zash@zash.se>, parents: 1675
  mod_watchuntrusted: Skip connections to/from unknown hosts (fixes possible traceback)
  line 20
rev 1877, 055b39c08fd0, Kim Alvefur <zash@zash.se>, parents: 1693
  mod_watchuntrusted: Fix periodic cleanup to run more than once
  line 80
rev 1878, 7f96183a60ce, Kim Alvefur <zash@zash.se>, parents: 1877
  mod_watchuntrusted: Add support for SHA-256 hash in message
  lines 56, 59-60
rev 1926, 4c4a4191b825, Kim Alvefur <zash@zash.se>, parents: 1878
  mod_watchuntrusted: Add a fallback string as hash if no certificate was provided
  lines 57-58
rev 2346, dd1f0173f538, Kim Alvefur <zash@zash.se>, parents: 1926
  mod_watchuntrusted: Fix backwards time comparison
  line 76
rev 2810, 9a3e51f348fe, Michel Le Bihan <michel@lebihan.pl>, parents: 2346
  mod_watchuntrusted send SHA256 by default
  line 10
rev 2887, 65082d91950e, Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>, parents: 2810
  Many modules: Simplify st.message(…):tag("body"):text(…):up() into st.message(…, …)
  lines 63-65
rev 3020, ec671ad1a8a9, Kim Alvefur <zash@zash.se>, parents: 2887
  mod_watchuntrusted: Add option for which message 'type' to use on notifications
  line 62
rev 3022, 3996437ff64f, Kim Alvefur <zash@zash.se>, parents: 3020
  mod_watchuntrusted: Actually add the untrusted_message_type option
  lines 12-13
rev 3220, 0e78523f8c20, Michel Le Bihan <michel@lebihan.pl>, parents: 3022
  mod_watchuntrusted: Add option to ignore domains
  lines 7-8, 27-32, 36, 38, 41

Source:

```lua
local jid_prep = require "util.jid".prep;

local secure_auth = module:get_option_boolean("s2s_secure_auth", false);
local secure_domains, insecure_domains =
	module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items;

local ignore_domains = module:get_option_set("untrusted_ignore_domains", {})._items;

local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep;
local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors");

local msg_type = module:get_option_string("untrusted_message_type", "chat");

local st = require "util.stanza";

local notified_about_already = { };

module:hook_global("s2s-check-certificate", function (event)
	local session, host = event.session, event.host;
	if not host then return end
	local conn = session.conn:socket();
	local local_host = session.direction == "outgoing" and session.from_host or session.to_host;

	if not (local_host == module:get_host()) then return end

	module:log("debug", "Checking certificate...");
	local certificate_is_valid = false;

	if session.cert_chain_status == "valid" and session.cert_identity_status == "valid" then
		certificate_is_valid = true;
	end

	local must_secure = secure_auth;

	if not must_secure and secure_domains[host] then
		must_secure = true;
	elseif must_secure and insecure_domains[host] then
		must_secure = false;
	end

	if must_secure and not certificate_is_valid and not notified_about_already[host] and not ignore_domains[host] then
		notified_about_already[host] = os.time();
		local _, errors = conn:getpeerverification();
		local error_message = "";

		for depth, t in pairs(errors or {}) do
			if #t > 0 then
				error_message = error_message .. "Error with certificate " .. (depth - 1) .. ": " .. table.concat(t, ", ") .. ". ";
			end
		end

		if session.cert_identity_status then
			error_message = error_message .. "This certificate is " .. session.cert_identity_status .. " for " .. host .. ".";
		end

		local replacements = {
			sha1 = event.cert and event.cert:digest("sha1") or "(No certificate)",
			sha256 = event.cert and event.cert:digest("sha256") or "(No certificate)",
			errors = error_message
		};

		local message = st.message({ type = msg_type, from = local_host },
			untrusted_fail_notification:gsub("%$([%w_]+)", function (v)
				return event[v] or session and session[v] or replacements and replacements[v] or nil;
			end));
		for jid in untrusted_fail_watchers do
			module:log("debug", "Notifying %s", jid);
			message.attr.to = jid;
			module:send(message);
		end
	end
end, -0.5);

module:add_timer(14400, function (now)
	for host, time in pairs(notified_about_already) do
		if time + 86400 < now then
			notified_about_already[host] = nil;
		end
	end
	return 14400;
end)
```
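
The module source above decides whether to alert, throttles alerts per remote host and fills in the message template. The following is an added example, not code from the repository: it restates those three steps as plain Lua functions that run without Prosody. The names `cfg`, `should_notify`, `cleanup` and `expand`, the clock value and all host names are constructed for illustration.

```lua
-- Added example, not the repository's code: the hook's decision, the cleanup timer and
-- the template expansion as plain functions. Hosts and settings are constructed.
local cfg = {
	secure_auth = true,                                -- s2s_secure_auth
	secure_domains = {},                               -- s2s_secure_domains
	insecure_domains = { ["legacy.example"] = true },  -- s2s_insecure_domains
	ignore_domains = { ["noisy.example"] = true },     -- untrusted_ignore_domains
}
local notified = {} -- remote host -> time of the last notification

-- True when the hook would message the watchers about this remote host.
local function should_notify(host, chain_status, identity_status, now)
	local valid = chain_status == "valid" and identity_status == "valid"
	local must_secure = cfg.secure_auth
	if not must_secure and cfg.secure_domains[host] then
		must_secure = true
	elseif must_secure and cfg.insecure_domains[host] then
		must_secure = false
	end
	if must_secure and not valid and not notified[host] and not cfg.ignore_domains[host] then
		notified[host] = now
		return true
	end
	return false
end

-- Body of the timer callback that the module schedules every 14400 seconds.
local function cleanup(now)
	for host, at in pairs(notified) do
		if at + 86400 < now then notified[host] = nil end
	end
end

-- Lookup order as in the module: event, session, replacements. gsub keeps the
-- original "$name" text when the callback returns nil.
local function expand(template, event, session, replacements)
	return (template:gsub("%$([%w_]+)", function (name)
		return event[name] or session[name] or replacements[name]
	end))
end

local t0 = 1700000000 -- constructed clock value
for _, case in ipairs({
	{ "good.example", "valid", "valid" }, { "bad.example", "invalid", "invalid" },
	{ "bad.example", "invalid", "invalid" }, { "legacy.example", "invalid", nil },
	{ "noisy.example", "valid", "invalid" },
}) do
	print(case[1], should_notify(case[1], case[2], case[3], t0))
end
local ticks = 0 -- timer ticks aligned with the notification: the longest case
repeat ticks = ticks + 1; cleanup(t0 + ticks * 14400) until not notified["bad.example"]
print("bad.example eligible again after", ticks * 14400, "seconds")
print(expand("$from_host -> $host: $sha256 $errors $typo", { host = "bad.example" },
	{ from_host = "xmpp.example" }, { sha256 = "(No certificate)", errors = "" }))
```

Because entries are only cleared when the 14400-second timer fires and the comparison is strict, a host that failed once stays suppressed for between 24 and 28 hours, so a certificate that changes again inside that window produces no second alert. A misspelled placeholder in `untrusted_fail_notification` is delivered to the watchers verbatim rather than raising an error.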