Mercurial > prosody-modules
annotate mod_tls_policy/mod_tls_policy.lua @ 3503:882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
This deprecates the default "superuser" actor model and makes the
default equivalent to the previous "request.id".
A single actor and secret per node is supported because HTTP and
WebHooks don't normally include any authorization identity.
Allowing authentication bypass when no secret is given should be
relatively safe when the actor is unprivileged, as will be unless
explicitly configured otherwise.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 30 Mar 2019 21:16:13 +0100 |
| parents | a43ed0d28918 |
| children | 1b701f208b1b |
| rev | line source |
|---|---|
|
1600
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 assert(require"ssl.core".info, "Incompatible LuaSec version"); |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local function hook(event_name, typ, policy) |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 if not policy then return end |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 if policy == "FS" then |
|
1891
a43ed0d28918
mod_tls_policy: Change the FS shortcut to match on ciphers with (EC)DHE (produces nicer stream error)
Kim Alvefur <zash@zash.se>
parents:
1615
diff
changeset
|
7 policy = { cipher = "^E?C?DHE%-" }; |
|
1600
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 elseif type(policy) == "string" then |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 policy = { cipher = policy }; |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 end |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 module:hook(event_name, function (event) |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 local origin = event.origin; |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 if origin.encrypted then |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 local info = origin.conn:socket():info(); |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 for key, what in pairs(policy) do |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 module:log("debug", "Does info[%q] = %s match %s ?", key, tostring(info[key]), tostring(what)); |
|
1601
c5ca63ac0e1b
mod_tls_policy: Fix pattern matching
Kim Alvefur <zash@zash.se>
parents:
1600
diff
changeset
|
18 if (type(what) == "number" and what < info[key] ) or (type(what) == "string" and not info[key]:match(what)) then |
|
1615
d0fd8a29b724
mod_tls_policy: Include which part of the cipher that did not match the policy in stream error
Kim Alvefur <zash@zash.se>
parents:
1601
diff
changeset
|
19 origin:close({ condition = "policy-violation", text = ("TLS %s '%s' not acceptable"):format(key, tostring(info[key])) }); |
|
1600
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 return false; |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
21 end |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 module:log("debug", "Seems so"); |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 end |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 module:log("debug", "Policy matches"); |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 end |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 end, 1000); |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 end |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 local policy = module:get_option(module.name, {}); |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 if type(policy) == "string" then |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 policy = { c2s = policy, s2s = policy }; |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 end |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 hook("stream-features", "c2s", policy.c2s); |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 hook("s2s-stream-features", "s2sin", policy.s2sin or policy.s2s); |
|
1e90054c3ac5
mod_tls_policy: New module to enforce per-host TLS parameter policies
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 hook("stanza/http://etherx.jabber.org/streams:features", "s2sout", policy.s2sout or policy.s2s); |