annotate mod_watchuntrusted/mod_watchuntrusted.lua @ 3195:66b3085ecc49

mod_lib_ldap: assert() connection for hopefully better error reporting (thanks adac)
author Matthew Wild <mwild1@gmail.com>
date Thu, 26 Jul 2018 10:35:30 +0100
parents 3996437ff64f
children 0e78523f8c20
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1188
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
1 local jid_prep = require "util.jid".prep;
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
2
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
3 local secure_auth = module:get_option_boolean("s2s_secure_auth", false);
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
4 local secure_domains, insecure_domains =
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
5 module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items;
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
6
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
7 local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep;
2810
9a3e51f348fe mod_watchuntrusted send SHA256 by default
Michel Le Bihan <michel@lebihan.pl>
parents: 2346
diff changeset
8 local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors");
1188
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
9
3022
3996437ff64f mod_watchuntrusted: Actually add the untrusted_message_type option
Kim Alvefur <zash@zash.se>
parents: 3020
diff changeset
10 local msg_type = module:get_option_string("untrusted_message_type", "chat");
3996437ff64f mod_watchuntrusted: Actually add the untrusted_message_type option
Kim Alvefur <zash@zash.se>
parents: 3020
diff changeset
11
1188
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
12 local st = require "util.stanza";
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
13
1675
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
14 local notified_about_already = { };
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
15
1188
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
16 module:hook_global("s2s-check-certificate", function (event)
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
17 local session, host = event.session, event.host;
1693
2328cbc41045 mod_watchuntrusted: Skip connections to/from unknown hosts (fixes possible traceback)
Kim Alvefur <zash@zash.se>
parents: 1675
diff changeset
18 if not host then return end
1188
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
19 local conn = session.conn:socket();
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
20 local local_host = session.direction == "outgoing" and session.from_host or session.to_host;
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
21
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
22 if not (local_host == module:get_host()) then return end
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
23
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
24 module:log("debug", "Checking certificate...");
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
25 local must_secure = secure_auth;
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
26
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
27 if not must_secure and secure_domains[host] then
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
28 must_secure = true;
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
29 elseif must_secure and insecure_domains[host] then
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
30 must_secure = false;
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
31 end
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
32
1675
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
33 if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") and not notified_about_already[host] then
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
34 notified_about_already[host] = os.time();
1188
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
35 local _, errors = conn:getpeerverification();
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
36 local error_message = "";
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
37
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
38 for depth, t in pairs(errors or {}) do
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
39 if #t > 0 then
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
40 error_message = error_message .. "Error with certificate " .. (depth - 1) .. ": " .. table.concat(t, ", ") .. ". ";
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
41 end
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
42 end
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
43
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
44 if session.cert_identity_status then
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
45 error_message = error_message .. "This certificate is " .. session.cert_identity_status .. " for " .. host .. ".";
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
46 end
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
47
1878
7f96183a60ce mod_watchuntrusted: Add support for SHA-256 hash in message
Kim Alvefur <zash@zash.se>
parents: 1877
diff changeset
48 local replacements = {
1926
4c4a4191b825 mod_watchuntrusted: Add a fallback string as hash if no certificate was provided
Kim Alvefur <zash@zash.se>
parents: 1878
diff changeset
49 sha1 = event.cert and event.cert:digest("sha1") or "(No certificate)",
4c4a4191b825 mod_watchuntrusted: Add a fallback string as hash if no certificate was provided
Kim Alvefur <zash@zash.se>
parents: 1878
diff changeset
50 sha256 = event.cert and event.cert:digest("sha256") or "(No certificate)",
1878
7f96183a60ce mod_watchuntrusted: Add support for SHA-256 hash in message
Kim Alvefur <zash@zash.se>
parents: 1877
diff changeset
51 errors = error_message
7f96183a60ce mod_watchuntrusted: Add support for SHA-256 hash in message
Kim Alvefur <zash@zash.se>
parents: 1877
diff changeset
52 };
1188
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
53
3020
ec671ad1a8a9 mod_watchuntrusted: Add option for which message 'type' to use on notifications
Kim Alvefur <zash@zash.se>
parents: 2887
diff changeset
54 local message = st.message({ type = msg_type, from = local_host },
2887
65082d91950e Many modules: Simplify st.message(…):tag("body"):text(…):up() into st.message(…, …)
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 2810
diff changeset
55 untrusted_fail_notification:gsub("%$([%w_]+)", function (v)
65082d91950e Many modules: Simplify st.message(…):tag("body"):text(…):up() into st.message(…, …)
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 2810
diff changeset
56 return event[v] or session and session[v] or replacements and replacements[v] or nil;
65082d91950e Many modules: Simplify st.message(…):tag("body"):text(…):up() into st.message(…, …)
Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
parents: 2810
diff changeset
57 end));
1188
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
58 for jid in untrusted_fail_watchers do
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
59 module:log("debug", "Notifying %s", jid);
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
60 message.attr.to = jid;
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
61 module:send(message);
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
62 end
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
63 end
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
64 end, -0.5);
5eaecb7f680d mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff changeset
65
1675
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
66 module:add_timer(14400, function (now)
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
67 for host, time in pairs(notified_about_already) do
2346
dd1f0173f538 mod_watchuntrusted: Fix backwards time comparison
Kim Alvefur <zash@zash.se>
parents: 1926
diff changeset
68 if time + 86400 < now then
1675
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
69 notified_about_already[host] = nil;
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
70 end
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
71 end
1877
055b39c08fd0 mod_watchuntrusted: Fix periodic cleanup to run more than once
Kim Alvefur <zash@zash.se>
parents: 1693
diff changeset
72 return 14400;
1675
116488cced16 mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents: 1188
diff changeset
73 end)