prosody-modules: mod_client_certs/mod_client

annotate mod_client_certs/mod_client_certs.lua @ 2608:362ca94192ee

mod_smacks: Add resumed session to event "smacks-hibernation-end" Older versions of this event only have the "intermediate" session in event.session (the one used to resume the existing session), but not the resumed one. This adds event.resumed which contains the resumed one alongside to event.session.

author	tmolitor <thilo@eightysoft.de>
date	Sat, 11 Mar 2017 01:37:28 +0100
parents	bdf1de953fd9
children	4b43b317e8f5

rev	line source
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	1 -- XEP-0257: Client Certificates Management implementation for Prosody
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	2 -- Copyright (C) 2012 Thijs Alkemade
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	3 --
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	4 -- This file is MIT/X11 licensed.
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	5
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	6 local st = require "util.stanza";
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	7 local jid_bare = require "util.jid".bare;
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	8 local jid_split = require "util.jid".split;
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	9 local xmlns_saslcert = "urn:xmpp:saslcert:1";
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	10 local dm_load = require "util.datamanager".load;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	11 local dm_store = require "util.datamanager".store;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	12 local dm_table = "client_certs";
1779 bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding. Thijs Alkemade <me@thijsalkema.de> parents: 1343 diff changeset	13 local ssl_x509 = require "ssl.x509";
bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding. Thijs Alkemade <me@thijsalkema.de> parents: 1343 diff changeset	14 local util_x509 = require "util.x509";
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	15 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
698 3a3293f37139 mod_client_certs: Fix the checking of valid id_on_xmppAddr fields. Thijs Alkemade <thijsalkemade@gmail.com> parents: 697 diff changeset	16 local id_ce_subjectAltName = "2.5.29.17";
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	17 local digest_algo = "sha1";
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	18 local base64 = require "util.encodings".base64;
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	19
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	20 local function get_id_on_xmpp_addrs(cert)
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	21 local id_on_xmppAddrs = {};
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	22 for k,ext in pairs(cert:extensions()) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	23 if k == id_ce_subjectAltName then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	24 for e,extv in pairs(ext) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	25 if e == id_on_xmppAddr then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	26 for i,v in ipairs(extv) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	27 id_on_xmppAddrs[#id_on_xmppAddrs+1] = v;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	28 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	29 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	30 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	31 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	32 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	33 module:log("debug", "Found JIDs: (%d) %s", #id_on_xmppAddrs, table.concat(id_on_xmppAddrs, ", "));
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	34 return id_on_xmppAddrs;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	35 end
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	36
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	37 local function enable_cert(username, cert, info)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	38 -- Check the certificate. Is it not expired? Does it include id-on-xmppAddr?
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	39
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	40 --[[ the method expired doesn't exist in luasec .. yet?
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	41 if cert:expired() then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	42 module:log("debug", "This certificate is already expired.");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	43 return nil, "This certificate is expired.";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	44 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	45 --]]
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	46
1096 1abb8f2a5761 mod_client_certs: Update for x509 API in LuaSec 0.5 Kim Alvefur <zash@zash.se> parents: 990 diff changeset	47 if not cert:validat(os.time()) then
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	48 module:log("debug", "This certificate is not valid at this moment.");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	49 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	50
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	51 local valid_id_on_xmppAddrs;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	52 local require_id_on_xmppAddr = true;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	53 if require_id_on_xmppAddr then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	54 valid_id_on_xmppAddrs = get_id_on_xmpp_addrs(cert);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	55
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	56 local found = false;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	57 for i,k in pairs(valid_id_on_xmppAddrs) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	58 if jid_bare(k) == (username .. "@" .. module.host) then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	59 found = true;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	60 break;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	61 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	62 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	63
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	64 if not found then
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	65 return nil, "This certificate has no valid id-on-xmppAddr field.";
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	66 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	67 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	68
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	69 local certs = dm_load(username, module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	70
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	71 info.pem = cert:pem();
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	72 local digest = cert:digest(digest_algo);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	73 info.digest = digest;
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	74 certs[info.name] = info;
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	75
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	76 dm_store(username, module.host, dm_table, certs);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	77 return true
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	78 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	79
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	80 local function disable_cert(username, name, disconnect)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	81 local certs = dm_load(username, module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	82
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	83 local info = certs[name];
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	84
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	85 if not info then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	86 return nil, "item-not-found"
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	87 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	88
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	89 certs[name] = nil;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	90
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	91 if disconnect then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	92 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", username);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	93 local sessions = hosts[module.host].sessions[username].sessions;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	94 local disabled_cert_pem = info.pem;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	95
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	96 for _, session in pairs(sessions) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	97 if session and session.conn then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	98 local cert = session.conn:socket():getpeercertificate();
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	99
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	100 if cert and cert:pem() == disabled_cert_pem then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	101 module:log("debug", "Found a session that should be closed: %s", tostring(session));
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	102 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	103 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	104 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	105 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	106 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	107
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	108 dm_store(username, module.host, dm_table, certs);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	109 return info;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	110 end
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	111
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	112 module:hook("iq/self/"..xmlns_saslcert..":items", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	113 local origin, stanza = event.origin, event.stanza;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	114 if stanza.attr.type == "get" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	115 module:log("debug", "%s requested items", origin.full_jid);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	116
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	117 local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert });
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	118 local certs = dm_load(origin.username, module.host, dm_table) or {};
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	119
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	120 for digest,info in pairs(certs) do
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	121 reply:tag("item")
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	122 :tag("name"):text(info.name):up()
1779 bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding. Thijs Alkemade <me@thijsalkema.de> parents: 1343 diff changeset	123 :tag("x509cert"):text(info.x509cert):up()
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	124 :up();
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	125 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	126
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	127 origin.send(reply);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	128 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	129 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	130 end);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	131
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	132 module:hook("iq/self/"..xmlns_saslcert..":append", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	133 local origin, stanza = event.origin, event.stanza;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	134 if stanza.attr.type == "set" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	135
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	136 local append = stanza:get_child("append", xmlns_saslcert);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	137 local name = append:get_child_text("name", xmlns_saslcert);
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	138 local x509cert = append:get_child_text("x509cert", xmlns_saslcert);
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	139
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	140 if not x509cert or not name then
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	141 origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify?
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	142 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	143 end
1343 7dbde05b48a9 all the things: Remove trailing whitespace Florian Zeitz <florob@babelmonkeys.de> parents: 1096 diff changeset	144
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	145 local can_manage = append:get_child("no-cert-management", xmlns_saslcert) ~= nil;
17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	146 x509cert = x509cert:gsub("^%s(.-)%s$", "%1");
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	147
1779 bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding. Thijs Alkemade <me@thijsalkema.de> parents: 1343 diff changeset	148 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert)));
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	149
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	150 if not cert then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	151 origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate"));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	152 return true;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	153 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	154
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	155 local ok, err = enable_cert(origin.username, cert, {
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	156 name = name,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	157 x509cert = x509cert,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	158 no_cert_management = can_manage,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	159 });
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	160
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	161 if not ok then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	162 origin.send(st.error_reply(stanza, "cancel", "bad-request", err));
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	163 return true -- REJECT?!
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	164 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	165
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	166 module:log("debug", "%s added certificate named %s", origin.full_jid, name);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	167
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	168 origin.send(st.reply(stanza));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	169
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	170 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	171 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	172 end);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	173
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	174
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	175 local function handle_disable(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	176 local origin, stanza = event.origin, event.stanza;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	177 if stanza.attr.type == "set" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	178 local disable = stanza.tags[1];
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	179 module:log("debug", "%s disabled a certificate", origin.full_jid);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	180
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	181 local name = disable:get_child_text("name");
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	182
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	183 if not name then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	184 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified."));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	185 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	186 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	187
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	188 disable_cert(origin.username, name, disable.name == "revoke");
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	189
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	190 origin.send(st.reply(stanza));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	191
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	192 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	193 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	194 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	195
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	196 module:hook("iq/self/"..xmlns_saslcert..":disable", handle_disable);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	197 module:hook("iq/self/"..xmlns_saslcert..":revoke", handle_disable);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	198
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	199 -- Ad-hoc command
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	200 local adhoc_new = module:require "adhoc".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	201 local dataforms_new = require "util.dataforms".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	202
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	203 local function generate_error_message(errors)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	204 local errmsg = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	205 for name, err in pairs(errors) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	206 errmsg[#errmsg + 1] = name .. ": " .. err;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	207 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	208 return table.concat(errmsg, "\n");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	209 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	210
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	211 local choose_subcmd_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	212 title = "Certificate management";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	213 instructions = "What action do you want to perform?";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	214
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	215 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#subcmd" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	216 { name = "subcmd", type = "list-single", label = "Actions", required = true,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	217 value = { {label = "Add certificate", value = "add"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	218 {label = "List certificates", value = "list"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	219 {label = "Disable certificate", value = "disable"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	220 {label = "Revoke certificate", value = "revoke"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	221 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	222 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	223 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	224
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	225 local add_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	226 title = "Adding a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	227 instructions = "Enter the certificate in PEM format";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	228
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	229 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	230 { name = "name", type = "text-single", label = "Name", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	231 { name = "cert", type = "text-multi", label = "PEM certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	232 { name = "manage", type = "boolean", label = "Can manage certificates", value = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	233 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	234
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	235
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	236 local disable_layout_stub = dataforms_new { { name = "cert", type = "list-single", label = "Certificate", required = true } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	237
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	238
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	239 local function adhoc_handler(self, data, state)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	240 if data.action == "cancel" then return { status = "canceled" }; end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	241
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	242 if not state or data.action == "prev" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	243 return { status = "executing", form = choose_subcmd_layout, actions = { "next" } }, {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	244 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	245
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	246 if not state.subcmd then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	247 local fields, errors = choose_subcmd_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	248 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	249 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	250 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	251 local subcmd = fields.subcmd
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	252
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	253 if subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	254 return { status = "executing", form = add_layout, actions = { "prev", "next", "complete" } }, { subcmd = "add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	255 elseif subcmd == "list" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	256 local list_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	257 title = "List of certificates";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	258 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	259
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	260 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	261
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	262 for digest, info in pairs(certs) do
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	263 list_layout[#list_layout + 1] = { name = info.name, type = "text-multi", label = info.name, value = info.x509cert };
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	264 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	265
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	266 return { status = "completed", result = list_layout };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	267 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	268 local layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	269 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#" .. subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	270 { name = "cert", type = "list-single", label = "Certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	271 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	272
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	273 if subcmd == "disable" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	274 layout.title = "Disabling a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	275 layout.instructions = "Select the certificate to disable";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	276 elseif subcmd == "revoke" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	277 layout.title = "Revoking a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	278 layout.instructions = "Select the certificate to revoke";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	279 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	280
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	281 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	282
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	283 local values = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	284 for digest, info in pairs(certs) do
990 17ba2c59d661 mod_client_certs: Updated to match the specification in urn:xmpp:saslcert:1. Thijs Alkemade <me@thijsalkema.de> parents: 713 diff changeset	285 values[#values + 1] = { label = info.name, value = info.name };
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	286 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	287
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	288 return { status = "executing", form = { layout = layout, values = { cert = values } }, actions = { "prev", "next", "complete" } },
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	289 { subcmd = subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	290 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	291 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	292
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	293 if state.subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	294 local fields, errors = add_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	295 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	296 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	297 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	298
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	299 local name = fields.name;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	300 local x509cert = fields.cert:gsub("^%s(.-)%s$", "%1");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	301
1779 bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding. Thijs Alkemade <me@thijsalkema.de> parents: 1343 diff changeset	302 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert)));
713 88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	303
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	304 if not cert then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	305 return { status = "completed", error = { message = "Could not parse X.509 certificate" } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	306 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	307
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	308 local ok, err = enable_cert(jid_split(data.from), cert, {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	309 name = name,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	310 x509cert = x509cert,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	311 no_cert_management = not fields.manage
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	312 });
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	313
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	314 if not ok then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	315 return { status = "completed", error = { message = err } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	316 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	317
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	318 module:log("debug", "%s added certificate named %s", data.from, name);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	319
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	320 return { status = "completed", info = "Successfully added certificate " .. name .. "." };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	321 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	322 local fields, errors = disable_layout_stub:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	323 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	324 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	325 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	326
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	327 local info = disable_cert(jid_split(data.from), fields.cert, state.subcmd == "revoke" );
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	328
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	329 if state.subcmd == "revoke" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	330 return { status = "completed", info = "Revoked certificate " .. info.name .. "." };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	331 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	332 return { status = "completed", info = "Disabled certificate " .. info.name .. "." };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	333 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	334 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	335 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	336
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	337 local cmd_desc = adhoc_new("Manage certificates", "http://prosody.im/protocol/certs", adhoc_handler, "user");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	338 module:provides("adhoc", cmd_desc);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management Florian Zeitz <florob@babelmonkeys.de> parents: 712 diff changeset	339
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	340 -- Here comes the SASL EXTERNAL stuff
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	341
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	342 local now = os.time;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	343 module:hook("stream-features", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	344 local session, features = event.origin, event.features;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	345 if session.secure and session.type == "c2s_unauthed" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	346 local cert = session.conn:socket():getpeercertificate();
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	347 if not cert then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	348 module:log("error", "No Client Certificate");
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	349 return
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	350 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	351 module:log("info", "Client Certificate: %s", cert:digest(digest_algo));
1096 1abb8f2a5761 mod_client_certs: Update for x509 API in LuaSec 0.5 Kim Alvefur <zash@zash.se> parents: 990 diff changeset	352 if not cert:validat(now()) then
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	353 module:log("debug", "Client has an expired certificate", cert:digest(digest_algo));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	354 return
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	355 end
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	356 module:log("debug", "Stream features:\n%s", tostring(features));
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	357 local mechs = features:get_child("mechanisms", "urn:ietf:params:xml:ns:xmpp-sasl");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	358 if mechs then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	359 mechs:tag("mechanism"):text("EXTERNAL");
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	360 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	361 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	362 end, -1);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	363
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	364 local sm_make_authenticated = require "core.sessionmanager".make_authenticated;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	365
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	366 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	367 local session, stanza = event.origin, event.stanza;
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	368 if session.type == "c2s_unauthed" and stanza.attr.mechanism == "EXTERNAL" then
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	369 if session.secure then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	370 local cert = session.conn:socket():getpeercertificate();
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	371 local username_data = stanza:get_text();
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	372 local username = nil;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	373
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	374 if username_data == "=" then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	375 -- Check for either an id_on_xmppAddr
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	376 local jids = get_id_on_xmpp_addrs(cert);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	377
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	378 if not (#jids == 1) then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	379 module:log("debug", "Client tried to authenticate as =, but certificate has multiple JIDs.");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	380 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	381 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	382 return true;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	383 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	384
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	385 username = jids[1];
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	386 else
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	387 -- Check the base64 encoded username
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	388 username = base64.decode(username_data);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	389 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	390
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	391 local user, host, resource = jid_split(username);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	392
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	393 module:log("debug", "Inferred username: %s", user or "nil");
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	394
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	395 if (not username) or (not host == module.host) then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	396 module:log("debug", "No valid username found for %s", tostring(session));
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	397 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	398 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	399 return true;
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	400 end
709 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	401
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	402 local certs = dm_load(user, module.host, dm_table) or {};
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	403 local digest = cert:digest(digest_algo);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	404 local pem = cert:pem();
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	405
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	406 for name,info in pairs(certs) do
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	407 if info.digest == digest and info.pem == pem then
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	408 sm_make_authenticated(session, user);
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	409 module:fire_event("authentication-success", { session = session });
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	410 session.send(st.stanza("success", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}));
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	411 session:reset_stream();
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	412 return true;
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	413 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	414 end
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	415 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> parents: 698 diff changeset	416 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
695 f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	417 else
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	418 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"encryption-required");
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	419 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	420 return true;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	421 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	422 end, 1);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com> parents: diff changeset	423
1779 bdf1de953fd9 mod_client_certs: Patch from mathieui fixing invalid results when requesting multiple certs, missing stream feature and problem with PEM decoding. Thijs Alkemade <me@thijsalkema.de> parents: 1343 diff changeset	424 module:add_feature(xmlns_saslcert);

Mercurial > prosody-modules

annotate mod_client_certs/mod_client_certs.lua @ 2608:362ca94192ee