Mercurial > prosody-modules
annotate mod_s2s_log_certs/mod_s2s_log_certs.lua @ 5298:12f7d8b901e0
mod_audit: Support for adding location (GeoIP) to audit events
This can be more privacy-friendly than logging full IP addresses, and also
more informative to a user - IP addresses don't mean much to the average
person, however if they see activity from outside their expected country, they
can immediately identify suspicious activity.
As with IPs, this field is configurable for deployments that would like to
disable it. Location is also not logged when the geoip library is not
available.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Sat, 01 Apr 2023 13:11:53 +0100 |
parents | 663e5d923ef0 |
children |
rev | line source |
---|---|
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global(); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 local dm_load = require "util.datamanager".load; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local dm_store = require "util.datamanager".store; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local datetime = require "util.datetime".datetime; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 local do_store = module:get_option_boolean(module:get_name().."_persist", false); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local function note_cert_digest(event) |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 local session, remote_host, cert = event.session, event.host, event.cert; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 if not (remote_host and cert and cert.digest) then return end; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local digest = cert:digest(digest_algo); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local chain_status = session.cert_chain_status; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 local identity_status = session.cert_identity_status; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
1091
79ef0427765f
mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents:
1009
diff
changeset
|
20 module:log("info", "%s has a %s %s certificate with %s: %s", |
79ef0427765f
mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents:
1009
diff
changeset
|
21 remote_host, |
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 chain_status == "valid" and "trusted" or "untrusted", |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 identity_status or "invalid", |
1091
79ef0427765f
mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents:
1009
diff
changeset
|
24 digest_algo:upper(), |
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 digest:upper():gsub("..",":%0"):sub(2)); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 if do_store then |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {}; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 digest = digest_algo..":"..digest; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 local this_cert = seen_certs[digest] or { first = datetime(); times = 0; } |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 this_cert.last = datetime(); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 this_cert.times = this_cert.times + 1; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 seen_certs[digest] = this_cert; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 chain_status = chain_status; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 identity_status = identity_status; |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 dm_store(remote_host, local_host, "s2s_certs", seen_certs); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 end |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 end |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 |
1787
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
41 if module.wrap_event then |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
42 -- 0.10 |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
43 module:wrap_event("s2s-check-certificate", function (handlers, event_name, event_data) |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
44 local ret = handlers(event_name, event_data); |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
45 note_cert_digest(event_data); |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
46 return ret; |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
47 end); |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
48 else |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
49 -- 0.9 |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
50 module:hook("s2s-check-certificate", note_cert_digest, 1000); |
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
51 end |
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 --[[ |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 function module.add_host(module) |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 module:hook("s2s-check-certificate", note_cert_digest, 1000); |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 end |
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 ]] |