annotate mod_watchuntrusted/mod_watchuntrusted.lua @ 2670:6e01878103c0
mod_smacks: Ignore user when writing or reading session_cache on prosody 0.9
At least under some circumstances it seems that session.username is nil when
a user tries to resume his session in prosody 0.9.
The username is not relevant when no limiting is done (limiting the number of
entries in the session cache is only possible in prosody 0.10), so this
commit removes the usage of the username when accessing the prosody 0.9 session
cache.
author | tmolitor <thilo@eightysoft.de> |
date | Thu, 06 Apr 2017 02:12:14 +0200 |
parents | dd1f0173f538 |
children | 9a3e51f348fe |
local st = require "util.stanza";
local jid_prep = require "util.jid".prep;

-- Mirror the core s2s encryption policy: is a verified, encrypted s2s
-- connection required by default, and which domains are exempted from /
-- added to that requirement.  `_items` is the util.set backing table
-- (member -> true), used here for plain key lookups.
local secure_auth = module:get_option_boolean("s2s_secure_auth", false);
local secure_domains = module:get_option_set("s2s_secure_domains", {})._items;
local insecure_domains = module:get_option_set("s2s_insecure_domains", {})._items;

-- Recipients of the warnings: `untrusted_fail_watchers`, falling back to the
-- configured admins.  `set / f` maps f over the set, so every entry is run
-- through jid_prep and the resulting set holds normalised JIDs.
local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep;

-- Notification template.  `$name` placeholders are expanded per notification
-- from the event, the session and a small table of computed values (sha1,
-- sha256, errors).
local untrusted_fail_notification = module:get_option("untrusted_fail_notification",
	"Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha1. $errors");

-- remote host -> os.time() of the last warning sent about it; used to limit
-- warnings to one per host per day (entries are expired by a timer below).
local notified_about_already = { };
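-- Warn the watchers whenever an s2s connection that is required to be secure
-- ends up with an invalid certificate chain or identity.
--
-- The hook is global (it sees every host's s2s connections), so only
-- connections that this module's host is a party to are handled.  Priority
-- -0.5 runs this handler after the default-priority (0) handlers, i.e. after
-- session.cert_chain_status / session.cert_identity_status have been set.
-- A given remote host is reported at most once per day.
module:hook_global("s2s-check-certificate", function (event)
	local session, host = event.session, event.host;
	-- Connections to/from unknown hosts carry no host to report on.
	if not host then return end
	local conn = session.conn:socket();
	local local_host = session.direction == "outgoing" and session.from_host or session.to_host;

	-- Only the host this module is loaded on reports.
	if local_host ~= module:get_host() then return end

	module:log("debug", "Checking certificate...");

	-- Apply the per-domain overrides of the global s2s_secure_auth setting.
	local must_secure = secure_auth;
	if not must_secure and secure_domains[host] then
		must_secure = true;
	elseif must_secure and insecure_domains[host] then
		must_secure = false;
	end

	local cert_is_valid = session.cert_chain_status == "valid" and session.cert_identity_status == "valid";
	if not must_secure or cert_is_valid or notified_about_already[host] then
		return;
	end
	notified_about_already[host] = os.time();

	-- LuaSec's getpeerverification() returns (ok, errors); `errors` is a table
	-- of error-string lists indexed by chain depth + 1.  The call is guarded so
	-- a socket without the method (presumably a non-TLS connection) still
	-- yields a notification instead of raising inside the handler.
	local errors;
	if conn.getpeerverification then
		errors = select(2, conn:getpeerverification());
	end

	local error_parts = {};
	for depth, depth_errors in pairs(errors or {}) do
		if #depth_errors > 0 then
			error_parts[#error_parts + 1] = "Error with certificate " .. (depth - 1) .. ": " .. table.concat(depth_errors, ", ") .. ". ";
		end
	end
	if session.cert_identity_status then
		error_parts[#error_parts + 1] = "This certificate is " .. session.cert_identity_status .. " for " .. host .. ".";
	end
	local error_message = table.concat(error_parts);

	local replacements = {
		sha1 = event.cert and event.cert:digest("sha1") or "(No certificate)",
		sha256 = event.cert and event.cert:digest("sha256") or "(No certificate)",
		errors = error_message,
	};

	-- Expand a `$name` placeholder from the event, the session and the
	-- replacements table, in that order.  Only string/number values are
	-- substituted: anything else (e.g. $cert is userdata, $session a table)
	-- would make string.gsub raise "invalid replacement value" and abort the
	-- whole notification, so such placeholders are left in the text instead.
	local function expand(name)
		local value = event[name] or (session and session[name]) or replacements[name];
		local value_type = type(value);
		if value_type == "string" or value_type == "number" then
			return value;
		end
		return nil;
	end
	-- gsub also returns the substitution count; the parentheses drop it so
	-- that only the text is passed on to :text().
	local body = (untrusted_fail_notification:gsub("%$([%w_]+)", expand));

	local message = st.message{ type = "chat", from = local_host }
		:tag("body"):text(body);
	for jid in untrusted_fail_watchers do
		module:log("debug", "Notifying %s", jid);
		-- Send a fresh copy per recipient: some delivery paths may keep the
		-- stanza by reference, so mutating one shared object's `to` attribute
		-- between sends could change what an earlier recipient gets.
		local notification = st.clone(message);
		notification.attr.to = jid;
		module:send(notification);
	end
end, -0.5);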
-- Expire the per-host "already notified" marks after a day, so a persistent
-- problem with a remote host is reported again, once per day.
module:add_timer(14400, function (now)
	for remote_host, notified_at in pairs(notified_about_already) do
		-- Clearing an existing key while iterating with pairs() is allowed.
		if notified_at + 86400 < now then
			notified_about_already[remote_host] = nil;
		end
	end
	-- Returning the interval re-arms the timer.
	return 14400;
end)