annotate mod_client_certs/mod_client_certs.lua @ 5416:2393dbae51ed

mod_http_oauth2: Add option for specifying TTL of registered clients Meant to simplify configuration, since TTL vs ignoring expiration is expected to be the main thing one would want to configure. Unsure what the implications of having unlimited lifetime of clients are, given no way to revoke them currently, short of rotating the signing secret. On one hand, it would be annoying to have the client expire. On the other hand, it is trivial to re-register it.
author Kim Alvefur <zash@zash.se>
date Thu, 04 May 2023 18:41:33 +0200
parents 5f2eeebcf899
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
1 -- XEP-0257: Client Certificates Management implementation for Prosody
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
2 -- Copyright (C) 2012 Thijs Alkemade
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
3 --
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
4 -- This file is MIT/X11 licensed.
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
5
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
6 local st = require "util.stanza";
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
7 local jid_bare = require "util.jid".bare;
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
8 local jid_split = require "util.jid".split;
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
9 local xmlns_saslcert = "urn:xmpp:saslcert:1";
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
10 local dm_load = require "util.datamanager".load;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
11 local dm_store = require "util.datamanager".store;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
12 local dm_table = "client_certs";
1779
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
13 local ssl_x509 = require "ssl.x509";
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
14 local util_x509 = require "util.x509";
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
15 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
698
3a3293f37139 mod_client_certs: Fix the checking of valid id_on_xmppAddr fields.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 697
diff changeset
16 local id_ce_subjectAltName = "2.5.29.17";
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
17 local digest_algo = "sha1";
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
18 local base64 = require "util.encodings".base64;
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
19
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
20 local function get_id_on_xmpp_addrs(cert)
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
21 local id_on_xmppAddrs = {};
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
22 for k,ext in pairs(cert:extensions()) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
23 if k == id_ce_subjectAltName then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
24 for e,extv in pairs(ext) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
25 if e == id_on_xmppAddr then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
26 for i,v in ipairs(extv) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
27 id_on_xmppAddrs[#id_on_xmppAddrs+1] = v;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
28 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
29 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
30 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
31 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
32 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
33 module:log("debug", "Found JIDs: (%d) %s", #id_on_xmppAddrs, table.concat(id_on_xmppAddrs, ", "));
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
34 return id_on_xmppAddrs;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
35 end
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
36
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
37 local function enable_cert(username, cert, info)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
38 -- Check the certificate. Is it not expired? Does it include id-on-xmppAddr?
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
39
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
40 --[[ the method expired doesn't exist in luasec .. yet?
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
41 if cert:expired() then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
42 module:log("debug", "This certificate is already expired.");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
43 return nil, "This certificate is expired.";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
44 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
45 --]]
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
46
1096
1abb8f2a5761 mod_client_certs: Update for x509 API in LuaSec 0.5
Kim Alvefur <zash@zash.se>
parents: 990
diff changeset
47 if not cert:validat(os.time()) then
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
48 module:log("debug", "This certificate is not valid at this moment.");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
49 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
50
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
51 local valid_id_on_xmppAddrs;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
52 local require_id_on_xmppAddr = true;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
53 if require_id_on_xmppAddr then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
54 valid_id_on_xmppAddrs = get_id_on_xmpp_addrs(cert);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
55
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
56 local found = false;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
57 for i,k in pairs(valid_id_on_xmppAddrs) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
58 if jid_bare(k) == (username .. "@" .. module.host) then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
59 found = true;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
60 break;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
61 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
62 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
63
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
64 if not found then
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
65 return nil, "This certificate has no valid id-on-xmppAddr field.";
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
66 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
67 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
68
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
69 local certs = dm_load(username, module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
70
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
71 info.pem = cert:pem();
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
72 local digest = cert:digest(digest_algo);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
73 info.digest = digest;
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
74 certs[info.name] = info;
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
75
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
76 dm_store(username, module.host, dm_table, certs);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
77 return true
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
78 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
79
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
80 local function disable_cert(username, name, disconnect)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
81 local certs = dm_load(username, module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
82
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
83 local info = certs[name];
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
84
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
85 if not info then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
86 return nil, "item-not-found"
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
87 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
88
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
89 certs[name] = nil;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
90
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
91 if disconnect then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
92 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", username);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
93 local sessions = hosts[module.host].sessions[username].sessions;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
94 local disabled_cert_pem = info.pem;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
95
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
96 for _, session in pairs(sessions) do
3447
5f2eeebcf899 mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents: 3267
diff changeset
97 if session and session.conn and session.conn:socket().getpeercertificate then
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
98 local cert = session.conn:socket():getpeercertificate();
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
99
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
100 if cert and cert:pem() == disabled_cert_pem then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
101 module:log("debug", "Found a session that should be closed: %s", tostring(session));
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
102 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
103 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
104 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
105 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
106 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
107
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
108 dm_store(username, module.host, dm_table, certs);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
109 return info;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
110 end
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
111
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
112 module:hook("iq-get/self/"..xmlns_saslcert..":items", function(event)
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
113 local origin, stanza = event.origin, event.stanza;
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
114 module:log("debug", "%s requested items", origin.full_jid);
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
115
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
116 local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert });
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
117 local certs = dm_load(origin.username, module.host, dm_table) or {};
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
118
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
119 for digest,info in pairs(certs) do
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
120 reply:tag("item")
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
121 :tag("name"):text(info.name):up()
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
122 :tag("x509cert"):text(info.x509cert):up()
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
123 :up();
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
124 end
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
125
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
126 origin.send(reply);
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
127 return true
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
128 end);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
129
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
130 module:hook("iq-set/self/"..xmlns_saslcert..":append", function(event)
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
131 local origin, stanza = event.origin, event.stanza;
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
132 local append = stanza:get_child("append", xmlns_saslcert);
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
133 local name = append:get_child_text("name", xmlns_saslcert);
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
134 local x509cert = append:get_child_text("x509cert", xmlns_saslcert);
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
135
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
136 if not x509cert or not name then
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
137 origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify?
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
138 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
139 end
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
140
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
141 local can_manage = append:get_child("no-cert-management", xmlns_saslcert) ~= nil;
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
142 x509cert = x509cert:gsub("^%s*(.-)%s*$", "%1");
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
143
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
144 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert)));
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
145
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
146 if not cert then
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
147 origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate"));
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
148 return true;
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
149 end
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
150
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
151 local ok, err = enable_cert(origin.username, cert, {
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
152 name = name,
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
153 x509cert = x509cert,
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
154 no_cert_management = can_manage,
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
155 });
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
156
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
157 if not ok then
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
158 origin.send(st.error_reply(stanza, "cancel", "bad-request", err));
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
159 return true -- REJECT?!
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
160 end
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
161
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
162 module:log("debug", "%s added certificate named %s", origin.full_jid, name);
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
163
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
164 origin.send(st.reply(stanza));
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
165
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
166 return true
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
167 end);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
168
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
169
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
170 local function handle_disable(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
171 local origin, stanza = event.origin, event.stanza;
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
172 local disable = stanza.tags[1];
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
173 module:log("debug", "%s disabled a certificate", origin.full_jid);
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
174
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
175 local name = disable:get_child_text("name");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
176
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
177 if not name then
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
178 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified."));
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
179 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
180 end
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
181
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
182 disable_cert(origin.username, name, disable.name == "revoke");
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
183
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
184 origin.send(st.reply(stanza));
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
185
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
186 return true
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
187 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
188
3267
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
189 module:hook("iq-set/self/"..xmlns_saslcert..":disable", handle_disable);
4b43b317e8f5 mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 1779
diff changeset
190 module:hook("iq-set/self/"..xmlns_saslcert..":revoke", handle_disable);
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
191
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
192 -- Ad-hoc command
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
193 local adhoc_new = module:require "adhoc".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
194 local dataforms_new = require "util.dataforms".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
195
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
196 local function generate_error_message(errors)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
197 local errmsg = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
198 for name, err in pairs(errors) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
199 errmsg[#errmsg + 1] = name .. ": " .. err;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
200 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
201 return table.concat(errmsg, "\n");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
202 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
203
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
204 local choose_subcmd_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
205 title = "Certificate management";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
206 instructions = "What action do you want to perform?";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
207
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
208 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#subcmd" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
209 { name = "subcmd", type = "list-single", label = "Actions", required = true,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
210 value = { {label = "Add certificate", value = "add"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
211 {label = "List certificates", value = "list"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
212 {label = "Disable certificate", value = "disable"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
213 {label = "Revoke certificate", value = "revoke"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
214 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
215 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
216 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
217
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
218 local add_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
219 title = "Adding a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
220 instructions = "Enter the certificate in PEM format";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
221
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
222 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
223 { name = "name", type = "text-single", label = "Name", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
224 { name = "cert", type = "text-multi", label = "PEM certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
225 { name = "manage", type = "boolean", label = "Can manage certificates", value = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
226 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
227
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
228
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
229 local disable_layout_stub = dataforms_new { { name = "cert", type = "list-single", label = "Certificate", required = true } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
230
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
231
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
232 local function adhoc_handler(self, data, state)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
233 if data.action == "cancel" then return { status = "canceled" }; end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
234
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
235 if not state or data.action == "prev" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
236 return { status = "executing", form = choose_subcmd_layout, actions = { "next" } }, {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
237 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
238
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
239 if not state.subcmd then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
240 local fields, errors = choose_subcmd_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
241 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
242 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
243 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
244 local subcmd = fields.subcmd
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
245
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
246 if subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
247 return { status = "executing", form = add_layout, actions = { "prev", "next", "complete" } }, { subcmd = "add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
248 elseif subcmd == "list" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
249 local list_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
250 title = "List of certificates";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
251 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
252
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
253 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
254
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
255 for digest, info in pairs(certs) do
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
256 list_layout[#list_layout + 1] = { name = info.name, type = "text-multi", label = info.name, value = info.x509cert };
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
257 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
258
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
259 return { status = "completed", result = list_layout };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
260 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
261 local layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
262 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#" .. subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
263 { name = "cert", type = "list-single", label = "Certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
264 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
265
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
266 if subcmd == "disable" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
267 layout.title = "Disabling a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
268 layout.instructions = "Select the certificate to disable";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
269 elseif subcmd == "revoke" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
270 layout.title = "Revoking a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
271 layout.instructions = "Select the certificate to revoke";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
272 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
273
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
274 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
275
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
276 local values = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
277 for digest, info in pairs(certs) do
990
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1.
Thijs Alkemade <me@thijsalkema.de>
parents: 713
diff changeset
278 values[#values + 1] = { label = info.name, value = info.name };
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
279 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
280
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
281 return { status = "executing", form = { layout = layout, values = { cert = values } }, actions = { "prev", "next", "complete" } },
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
282 { subcmd = subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
283 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
284 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
285
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
286 if state.subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
287 local fields, errors = add_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
288 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
289 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
290 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
291
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
292 local name = fields.name;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
293 local x509cert = fields.cert:gsub("^%s*(.-)%s*$", "%1");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
294
1779
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
295 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert)));
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
296
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
297 if not cert then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
298 return { status = "completed", error = { message = "Could not parse X.509 certificate" } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
299 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
300
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
301 local ok, err = enable_cert(jid_split(data.from), cert, {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
302 name = name,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
303 x509cert = x509cert,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
304 no_cert_management = not fields.manage
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
305 });
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
306
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
307 if not ok then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
308 return { status = "completed", error = { message = err } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
309 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
310
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
311 module:log("debug", "%s added certificate named %s", data.from, name);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
312
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
313 return { status = "completed", info = "Successfully added certificate " .. name .. "." };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
314 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
315 local fields, errors = disable_layout_stub:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
316 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
317 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
318 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
319
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
320 local info = disable_cert(jid_split(data.from), fields.cert, state.subcmd == "revoke" );
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
321
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
322 if state.subcmd == "revoke" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
323 return { status = "completed", info = "Revoked certificate " .. info.name .. "." };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
324 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
325 return { status = "completed", info = "Disabled certificate " .. info.name .. "." };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
326 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
327 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
328 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
329
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
330 local cmd_desc = adhoc_new("Manage certificates", "http://prosody.im/protocol/certs", adhoc_handler, "user");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
331 module:provides("adhoc", cmd_desc);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
332
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
333 -- Here comes the SASL EXTERNAL stuff
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
334
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
335 local now = os.time;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
336 module:hook("stream-features", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
337 local session, features = event.origin, event.features;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
338 if session.secure and session.type == "c2s_unauthed" then
3447
5f2eeebcf899 mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents: 3267
diff changeset
339 local socket = session.conn:socket();
5f2eeebcf899 mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents: 3267
diff changeset
340 if not socket.getpeercertificate then
5f2eeebcf899 mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents: 3267
diff changeset
341 module:log("debug", "Not a TLS socket");
5f2eeebcf899 mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents: 3267
diff changeset
342 return
5f2eeebcf899 mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents: 3267
diff changeset
343 end
5f2eeebcf899 mod_client_certs: do not crash on plain sockets
Thibaut Girka <thib@sitedethib.com>
parents: 3267
diff changeset
344 local cert = socket:getpeercertificate();
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
345 if not cert then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
346 module:log("error", "No Client Certificate");
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
347 return
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
348 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
349 module:log("info", "Client Certificate: %s", cert:digest(digest_algo));
1096
1abb8f2a5761 mod_client_certs: Update for x509 API in LuaSec 0.5
Kim Alvefur <zash@zash.se>
parents: 990
diff changeset
350 if not cert:validat(now()) then
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
351 module:log("debug", "Client has an expired certificate", cert:digest(digest_algo));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
352 return
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
353 end
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
354 module:log("debug", "Stream features:\n%s", tostring(features));
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
355 local mechs = features:get_child("mechanisms", "urn:ietf:params:xml:ns:xmpp-sasl");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
356 if mechs then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
357 mechs:tag("mechanism"):text("EXTERNAL");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
358 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
359 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
360 end, -1);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
361
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
362 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
363
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
364 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
365 local session, stanza = event.origin, event.stanza;
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
366 if session.type == "c2s_unauthed" and stanza.attr.mechanism == "EXTERNAL" then
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
367 if session.secure then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
368 local cert = session.conn:socket():getpeercertificate();
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
369 local username_data = stanza:get_text();
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
370 local username = nil;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
371
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
372 if username_data == "=" then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
373 -- Check for either an id_on_xmppAddr
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
374 local jids = get_id_on_xmpp_addrs(cert);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
375
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
376 if not (#jids == 1) then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
377 module:log("debug", "Client tried to authenticate as =, but certificate has multiple JIDs.");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
378 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
379 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
380 return true;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
381 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
382
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
383 username = jids[1];
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
384 else
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
385 -- Check the base64 encoded username
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
386 username = base64.decode(username_data);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
387 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
388
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
389 local user, host, resource = jid_split(username);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
390
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
391 module:log("debug", "Inferred username: %s", user or "nil");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
392
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
393 if (not username) or (not host == module.host) then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
394 module:log("debug", "No valid username found for %s", tostring(session));
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
395 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
396 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
397 return true;
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
398 end
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
399
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
400 local certs = dm_load(user, module.host, dm_table) or {};
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
401 local digest = cert:digest(digest_algo);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
402 local pem = cert:pem();
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
403
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
404 for name,info in pairs(certs) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
405 if info.digest == digest and info.pem == pem then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
406 sm_make_authenticated(session, user);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
407 module:fire_event("authentication-success", { session = session });
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
408 session.send(st.stanza("success", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}));
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
409 session:reset_stream();
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
410 return true;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
411 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
412 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
413 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
diff changeset
414 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
415 else
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
416 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"encryption-required");
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
417 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
418 return true;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
419 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
420 end, 1);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
421
1779
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding.
Thijs Alkemade <me@thijsalkema.de>
parents: 1343
diff changeset
422 module:add_feature(xmlns_saslcert);