annotate mod_client_certs/mod_client_certs.lua @ 735:c1b0f0c33c6a

mod_archive: Fix hour offset in stored message date. os.date expects a timestamp in local time, which is subject to daylight saving. But since we pass a UTC timestamp to os.date, one hour is (wrongly) added in the summer. The only sensible thing is to call os.date only once with the ! parameter, and then parse this string to get the utc_timestamp. Calling os.date with a UTC timestamp is not possible, and calling os.date twice without a timestamp could give different results.
author Olivier Goffart <ogoffart@woboq.com>
date Wed, 04 Jul 2012 13:49:57 +0200
parents 88ef66a65b13
children 17ba2c59d661
rev   source
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
-- XEP-0257: Client Certificates Management implementation for Prosody
-- Copyright (C) 2012 Thijs Alkemade
--
-- This file is MIT/X11 licensed.

local st = require "util.stanza";
local jid_bare = require "util.jid".bare;
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
local jid_split = require "util.jid".split;
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
local xmlns_saslcert = "urn:xmpp:saslcert:0";
local xmlns_pubkey = "urn:xmpp:tmp:pubkey";
local dm_load = require "util.datamanager".load;
local dm_store = require "util.datamanager".store;
local dm_table = "client_certs";
local x509 = require "ssl.x509";
local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";
698
3a3293f37139 mod_client_certs: Fix the checking of valid id_on_xmppAddr fields.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 697
local id_ce_subjectAltName = "2.5.29.17";
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
local digest_algo = "sha1"; -- fingerprint algorithm for info.digest; revocation in disable_cert compares PEM strings, not this digest
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
local base64 = require "util.encodings".base64;
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:

709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698
-- Collect every id-on-xmppAddr otherName from the certificate's
-- subjectAltName. cert:extensions() (luasec) is expected to return a table
-- keyed by extension OID, whose subjectAltName entry is in turn keyed by
-- the otherName type OID and holds a list of decoded values.
local function get_id_on_xmpp_addrs(cert)
	local id_on_xmppAddrs = {};
	for k,ext in pairs(cert:extensions()) do
		if k == id_ce_subjectAltName then
			for e,extv in pairs(ext) do
				if e == id_on_xmppAddr then
					for i,v in ipairs(extv) do
						id_on_xmppAddrs[#id_on_xmppAddrs+1] = v;
					end
				end
			end
		end
	end
	module:log("debug", "Found JIDs: (%d) %s", #id_on_xmppAddrs, table.concat(id_on_xmppAddrs, ", "));
	return id_on_xmppAddrs;
end
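get_id_on_xmpp_addrs leaves the ASN.1 work to luasec and only walks the resulting table. The Python below is an added example, not code from mod_client_certs or luasec, that shows what the subjectAltName extension actually carries at the DER level: it builds a constructed SAN with two id-on-xmppAddr otherNames (OID 1.3.6.1.5.5.7.8.5) and one dNSName, extracts the XMPP addresses, and applies the same exact bare-JID comparison against username@host that enable_cert performs on the page. All function and constant names are the example's own; only the standard library is used.

```python
# Added example (not code from mod_client_certs or luasec): parse a
# SubjectAltName extension value (DER), pick out id-on-xmppAddr otherNames and
# apply enable_cert's exact bare-JID match. Standard library only.

ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr (RFC 6120, XEP-0178)


# --- minimal DER helpers (TLV with short- and long-form lengths) ------------

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def id_on_xmpp_addrs(san_der):
    """All id-on-xmppAddr values in a SubjectAltName extension value.

    GeneralNames ::= SEQUENCE OF GeneralName. otherName is [0] and holds
    { type-id OID, value [0] EXPLICIT ANY }; for id-on-xmppAddr the value
    is a UTF8String carrying the JID.
    """
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName is not a SEQUENCE")
    found = []
    pos = 0
    while pos < len(names):
        tag, general_name, pos = _read_tlv(names, pos)
        if tag != 0xA0:                     # not otherName (dNSName is 0x82, ...)
            continue
        oid_tag, oid, after_oid = _read_tlv(general_name, 0)
        if oid_tag != 0x06 or _decode_oid(oid) != ID_ON_XMPPADDR:
            continue
        exp_tag, explicit, _ = _read_tlv(general_name, after_oid)
        if exp_tag != 0xA0:                 # [0] EXPLICIT wrapper
            continue
        str_tag, text, _ = _read_tlv(explicit, 0)
        if str_tag == 0x0C:                 # UTF8String
            found.append(text.decode("utf-8"))
    return found


def cert_names_account(san_der, username, host):
    """enable_cert's rule: some id-on-xmppAddr, reduced to a bare JID, must
    equal username@host exactly. No case folding is applied, so
    'Alice@Example.COM' does not match account 'alice' on 'example.com';
    rejecting is the safe failure direction for a login credential."""
    wanted = f"{username}@{host}"
    return any(addr.split("/", 1)[0] == wanted for addr in id_on_xmpp_addrs(san_der))


# --- constructed sample SAN, encoded the way a CA would emit it -------------

def _tlv(tag, body):
    assert len(body) < 128                  # short-form length suffices here
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def xmpp_other_name(jid):
    return _tlv(0xA0, _tlv(0x06, _encode_oid(ID_ON_XMPPADDR))
                      + _tlv(0xA0, _tlv(0x0C, jid.encode("utf-8"))))


SAMPLE_SAN = _tlv(0x30, xmpp_other_name("alice@example.com")
                        + _tlv(0x82, b"example.com")            # dNSName
                        + xmpp_other_name("Alice@Example.COM"))

if __name__ == "__main__":
    print(id_on_xmpp_addrs(SAMPLE_SAN))
    print(cert_names_account(SAMPLE_SAN, "alice", "example.com"))
```

The dNSName entry is deliberately present to show that only otherNames of the right type are considered; a certificate whose SAN names the server's domain but not the account is still rejected.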
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712

local function enable_cert(username, cert, info)
	-- Check the certificate. Is it not expired? Does it include id-on-xmppAddr?

	--[[ the method expired doesn't exist in luasec .. yet?
	if cert:expired() then
		module:log("debug", "This certificate is already expired.");
		return nil, "This certificate is expired.";
	end
	--]]

	if not cert:valid_at(os.time()) then
		module:log("debug", "This certificate is not valid at this moment.");
		-- Reject rather than only log: whatever is stored here becomes a
		-- SASL EXTERNAL login credential, so an expired or not-yet-valid
		-- certificate must not be accepted.
		return nil, "This certificate is not valid at this moment.";
	end

	local valid_id_on_xmppAddrs;
	local require_id_on_xmppAddr = true;
	if require_id_on_xmppAddr then
		valid_id_on_xmppAddrs = get_id_on_xmpp_addrs(cert);

		-- The certificate must name this very account; otherwise a user could
		-- register a certificate whose id-on-xmppAddr belongs to someone else.
		local found = false;
		for i,k in pairs(valid_id_on_xmppAddrs) do
			if jid_bare(k) == (username .. "@" .. module.host) then
				found = true;
				break;
			end
		end

		if not found then
			return nil, "This certificate has no valid id-on-xmppAddr field.";
		end
	end

	local certs = dm_load(username, module.host, dm_table) or {};

	info.pem = cert:pem();
	local digest = cert:digest(digest_algo);
	info.digest = digest;
	certs[info.id] = info; -- keyed by the client-chosen id

	dm_store(username, module.host, dm_table, certs);
	return true
end

local function disable_cert(username, name, disconnect)
	local certs = dm_load(username, module.host, dm_table) or {};

	local info = certs[name];

	if not info then
		return nil, "item-not-found"
	end

	certs[name] = nil;

	if disconnect then
		module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", username);
		-- The user may have no live session at all (for example when the
		-- certificate is revoked through an Ad-Hoc command from elsewhere);
		-- indexing .sessions on a missing user entry would raise an error.
		local user = hosts[module.host].sessions[username];
		local sessions = user and user.sessions or {};
		local disabled_cert_pem = info.pem;

		for _, session in pairs(sessions) do
			if session and session.conn then
				local cert = session.conn:socket():getpeercertificate();

				if cert and cert:pem() == disabled_cert_pem then
					module:log("debug", "Found a session that should be closed: %s", tostring(session));
					session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."};
				end
			end
		end
	end

	dm_store(username, module.host, dm_table, certs);
	return info;
end
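enable_cert and disable_cert together form the store's lifecycle: a certificate is accepted under a client-chosen id, and revoking it must also cut off every live session that authenticated with it. The Python below is an added example, not the module's code, that models that lifecycle over constructed stand-ins for a luasec certificate and a Prosody c2s session (Cert, Session, ClientCertStore and their fields are the example's own names). It enforces the validity window as a hard failure, refuses to replace a different certificate under an id that is already in use, tolerates a user with no live sessions, and closes only the sessions whose peer certificate fingerprint matches the revoked one.

```python
# Added example (not mod_client_certs code): enable/disable lifecycle with the
# checks a practitioner would want enforced, over constructed stand-ins for a
# luasec certificate object and a Prosody c2s session.
import hashlib
import time


class Cert:
    """Constructed stand-in for a parsed certificate: DER bytes plus validity."""

    def __init__(self, der, not_before, not_after):
        self.der, self.not_before, self.not_after = der, not_before, not_after

    def fingerprint(self):
        # SHA-256 over the DER identifies the certificate without depending on
        # PEM line wrapping (the module compares cert:pem() strings instead).
        return hashlib.sha256(self.der).hexdigest()

    def valid_at(self, ts):
        return self.not_before <= ts <= self.not_after


class Session:
    """Constructed stand-in for a c2s session; peer_cert is None when the
    client presented no certificate."""

    def __init__(self, peer_cert):
        self.peer_cert = peer_cert
        self.closed_with = None

    def close(self, condition, text):
        self.closed_with = (condition, text)


class ClientCertStore:
    """In-memory equivalent of the dm_load/dm_store table: one dict per user,
    keyed by the client-chosen certificate id."""

    def __init__(self):
        self._certs = {}     # username -> {cert_id: info}
        self.sessions = {}   # username -> [Session]; no key while offline

    def enable(self, username, cert, cert_id, name, now=None):
        now = time.time() if now is None else now
        if not cert.valid_at(now):
            # The page's enable_cert only logs this case; anything stored here
            # becomes a SASL EXTERNAL login credential, so it must be refused.
            return False, "certificate is not valid at this time"
        certs = self._certs.setdefault(username, {})
        existing = certs.get(cert_id)
        if existing and existing["fingerprint"] != cert.fingerprint():
            # Ids are chosen by the client; silently replacing a different
            # certificate under the same id would hide the old credential
            # from the `items` listing while it stays usable.
            return False, "id already in use by another certificate"
        certs[cert_id] = {"id": cert_id, "name": name,
                          "fingerprint": cert.fingerprint()}
        return True, None

    def disable(self, username, cert_id, disconnect=True):
        """Remove the certificate and return how many sessions were closed,
        or None when nothing was stored under cert_id."""
        info = self._certs.get(username, {}).pop(cert_id, None)
        if info is None:
            return None
        closed = 0
        if disconnect:
            # Guarded lookup: a user with no live session has no entry at all.
            for session in self.sessions.get(username, []):
                cert = session.peer_cert
                if cert is not None and cert.fingerprint() == info["fingerprint"]:
                    session.close("not-authorized",
                                  "This client side certificate has been revoked.")
                    closed += 1
        return closed

    def list_ids(self, username):
        return sorted(self._certs.get(username, {}))
```

Matching on a fingerprint rather than the PEM text is the same test the module performs, expressed in a form that does not depend on how the PEM was serialised; the revoked entry is removed from the store before sessions are examined, so a concurrent EXTERNAL login cannot succeed with it in between.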
709
151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
Thijs Alkemade <thijsalkemade@gmail.com>
parents: 698

695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
module:hook("iq/self/"..xmlns_saslcert..":items", function(event)
	local origin, stanza = event.origin, event.stanza;
	if stanza.attr.type == "get" then
		module:log("debug", "%s requested items", origin.full_jid);

		local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert });
		local certs = dm_load(origin.username, module.host, dm_table) or {};

		for id,info in pairs(certs) do -- the store is keyed by info.id (see enable_cert)
			reply:tag("item", { id = info.id })
				:tag("name"):text(info.name):up()
				:tag("keyinfo", { xmlns = xmlns_pubkey }):tag("name"):text(info.id):up() -- the keyinfo name is the id read back in the append handler
					:tag("x509cert"):text(info.x509cert)
				:up():up():up(); -- back out of x509cert, keyinfo and item so the next item is a sibling, not a child
		end

		origin.send(reply);
		return true
	end
end);

module:hook("iq/self/"..xmlns_saslcert..":append", function(event)
	local origin, stanza = event.origin, event.stanza;
	if stanza.attr.type == "set" then

		local append = stanza:get_child("append", xmlns_saslcert);
		local name = append:get_child_text("name", xmlns_saslcert);
		local key_info = append:get_child("keyinfo", xmlns_pubkey);

		if not key_info or not name then
			origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify?
			return true
		end

		local id = key_info:get_child_text("name", xmlns_pubkey);
		local x509cert = key_info:get_child_text("x509cert", xmlns_pubkey);

		if not id or not x509cert then
			origin.send(st.error_reply(stanza, "cancel", "bad-request", "No certificate found."));
			return true
		end

		-- true when the client sent <no-cert-management/>, i.e. this certificate
		-- must NOT be allowed to manage certificates; the name is inverted but
		-- the value is stored as no_cert_management below.
		local can_manage = key_info:get_child("no-cert-management", xmlns_saslcert) ~= nil;
712
227d48f927ff mod_client_certs: Strip x509 data
Florian Zeitz <florob@babelmonkeys.de>
parents: 709
		-- Trim surrounding whitespace from the base64 body before wrapping it in PEM armour.
		local x509cert = key_info:get_child_text("x509cert"):gsub("^%s*(.-)%s*$", "%1");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:

		local cert = x509.cert_from_pem(
			"-----BEGIN CERTIFICATE-----\n"
			.. x509cert ..
			"\n-----END CERTIFICATE-----\n");


		if not cert then
			origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate"));
			return true;
		end

713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
168 local ok, err = enable_cert(origin.username, cert, {
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
169 id = id,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
170 name = name,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
171 x509cert = x509cert,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
172 no_cert_management = can_manage,
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
173 });
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
174
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
175 if not ok then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
176 origin.send(st.error_reply(stanza, "cancel", "bad-request", err));
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
177 return true -- REJECT?!
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
178 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
179
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
180 module:log("debug", "%s added certificate named %s", origin.full_jid, name);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
181
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
182 origin.send(st.reply(stanza));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
183
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
184 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
185 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
186 end);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
187
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
188
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
189 local function handle_disable(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
190 local origin, stanza = event.origin, event.stanza;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
191 if stanza.attr.type == "set" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
192 local disable = stanza.tags[1];
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
193 module:log("debug", "%s disabled a certificate", origin.full_jid);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
194
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
195 local item = disable:get_child("item");
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
196 local name = item and item.attr.id;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
197
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
198 if not name then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
199 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified."));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
200 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
201 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
202
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
203 disable_cert(origin.username, name, disable.name == "revoke");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
204
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
205 origin.send(st.reply(stanza));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
206
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
207 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
208 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
209 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
210
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
211 module:hook("iq/self/"..xmlns_saslcert..":disable", handle_disable);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
212 module:hook("iq/self/"..xmlns_saslcert..":revoke", handle_disable);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
213
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
214 -- Ad-hoc command
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
215 local adhoc_new = module:require "adhoc".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
216 local dataforms_new = require "util.dataforms".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
217
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
218 local function generate_error_message(errors)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
219 local errmsg = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
220 for name, err in pairs(errors) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
221 errmsg[#errmsg + 1] = name .. ": " .. err;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
222 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
223 return table.concat(errmsg, "\n");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
224 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
225
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
226 local choose_subcmd_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
227 title = "Certificate management";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
228 instructions = "What action do you want to perform?";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
229
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
230 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#subcmd" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
231 { name = "subcmd", type = "list-single", label = "Actions", required = true,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
232 value = { {label = "Add certificate", value = "add"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
233 {label = "List certificates", value = "list"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
234 {label = "Disable certificate", value = "disable"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
235 {label = "Revoke certificate", value = "revoke"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
236 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
237 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
238 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
239
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
240 local add_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
241 title = "Adding a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
242 instructions = "Enter the certificate in PEM format";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
243
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
244 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
245 { name = "name", type = "text-single", label = "Name", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
246 { name = "cert", type = "text-multi", label = "PEM certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
247 { name = "manage", type = "boolean", label = "Can manage certificates", value = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
248 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
249
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
250
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
251 local disable_layout_stub = dataforms_new { { name = "cert", type = "list-single", label = "Certificate", required = true } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
252
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
253
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
254 local function adhoc_handler(self, data, state)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
255 if data.action == "cancel" then return { status = "canceled" }; end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
256
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
257 if not state or data.action == "prev" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
258 return { status = "executing", form = choose_subcmd_layout, actions = { "next" } }, {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
259 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
260
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
261 if not state.subcmd then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
262 local fields, errors = choose_subcmd_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
263 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
264 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
265 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
266 local subcmd = fields.subcmd
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
267
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
268 if subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
269 return { status = "executing", form = add_layout, actions = { "prev", "next", "complete" } }, { subcmd = "add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
270 elseif subcmd == "list" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
271 local list_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
272 title = "List of certificates";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
273 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
274
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
275 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
276
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
277 for digest, info in pairs(certs) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
278 list_layout[#list_layout + 1] = { name = info.id, type = "text-multi", label = info.name, value = info.x509cert };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
279 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
280
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
281 return { status = "completed", result = list_layout };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
282 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
283 local layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
284 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#" .. subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
285 { name = "cert", type = "list-single", label = "Certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
286 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
287
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
288 if subcmd == "disable" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
289 layout.title = "Disabling a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
290 layout.instructions = "Select the certificate to disable";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
291 elseif subcmd == "revoke" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
292 layout.title = "Revoking a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
293 layout.instructions = "Select the certificate to revoke";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
294 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
295
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
296 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
297
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
298 local values = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
299 for digest, info in pairs(certs) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
300 values[#values + 1] = { label = info.name, value = info.id };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
301 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
302
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
303 return { status = "executing", form = { layout = layout, values = { cert = values } }, actions = { "prev", "next", "complete" } },
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
304 { subcmd = subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
305 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
306 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
307
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
308 if state.subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
309 local fields, errors = add_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
310 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
311 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
312 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
313
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
314 local name = fields.name;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
315 local x509cert = fields.cert:gsub("^%s*(.-)%s*$", "%1");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
316
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
317 local cert = x509.cert_from_pem(
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
318 "-----BEGIN CERTIFICATE-----\n"
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
319 .. x509cert ..
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
320 "\n-----END CERTIFICATE-----\n");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
321
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
322 if not cert then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
323 return { status = "completed", error = { message = "Could not parse X.509 certificate" } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
324 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
325
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
326 local ok, err = enable_cert(jid_split(data.from), cert, {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
327 id = cert:digest(digest_algo),
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de> (parents: 712)
      name = name,
      x509cert = x509cert,
      no_cert_management = not fields.manage
    });

    if not ok then
      return { status = "completed", error = { message = err } };
    end

    module:log("debug", "%s added certificate named %s", data.from, name);

    return { status = "completed", info = "Successfully added certificate " .. name .. "." };
  else
    local fields, errors = disable_layout_stub:data(data.form);
    if errors then
      return { status = "completed", error = { message = generate_error_message(errors) } };
    end

    -- jid_split() is not the last argument, so only its first result (the node) reaches disable_cert
    local info = disable_cert(jid_split(data.from), fields.cert, state.subcmd == "revoke" );

    if state.subcmd == "revoke" then
      return { status = "completed", info = "Revoked certificate " .. info.name .. "." };
    else
      return { status = "completed", info = "Disabled certificate " .. info.name .. "." };
    end
  end
end

local cmd_desc = adhoc_new("Manage certificates", "http://prosody.im/protocol/certs", adhoc_handler, "user");
module:provides("adhoc", cmd_desc);

rev 695, f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes. Thijs Alkemade <thijsalkemade@gmail.com>
-- Here comes the SASL EXTERNAL stuff

local now = os.time;
module:hook("stream-features", function(event)
  local session, features = event.origin, event.features;
  if session.secure and session.type == "c2s_unauthed" then
    local cert = session.conn:socket():getpeercertificate();
    if not cert then
      module:log("error", "No Client Certificate");
      return
    end
    module:log("info", "Client Certificate: %s", cert:digest(digest_algo));
    if not cert:valid_at(now()) then
      module:log("debug", "Client has an expired certificate: %s", cert:digest(digest_algo));
      return
    end

rev 709, 151743149f07 mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user. Thijs Alkemade <thijsalkemade@gmail.com> (parents: 698)
    module:log("debug", "Stream features:\n%s", tostring(features));
    local mechs = features:get_child("mechanisms", "urn:ietf:params:xml:ns:xmpp-sasl");
    if mechs then
      mechs:tag("mechanism"):text("EXTERNAL");

rev 695 (f6be46f15b74):
    end
  end
end, -1);

local sm_make_authenticated = require "core.sessionmanager".make_authenticated;

module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
  local session, stanza = event.origin, event.stanza;

rev 709 (151743149f07):
  if session.type == "c2s_unauthed" and stanza.attr.mechanism == "EXTERNAL" then

rev 695 (f6be46f15b74):
    if session.secure then
      local cert = session.conn:socket():getpeercertificate();

rev 709 (151743149f07):
      -- A client may request EXTERNAL even though no certificate was presented during TLS
      if not cert then
        module:log("debug", "EXTERNAL requested without a client certificate by %s", tostring(session));
        module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
        session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
        return true;
      end
      local username_data = stanza:get_text();
      local username = nil;

      if username_data == "=" then
        -- Check for either an id_on_xmppAddr
        local jids = get_id_on_xmpp_addrs(cert);

        -- XEP-0178: with "=" the certificate must name exactly one JID
        if #jids ~= 1 then
          module:log("debug", "Client tried to authenticate as =, but certificate does not carry exactly one id-on-xmppAddr.");
          module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
          session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
          return true;
        end

        username = jids[1];

rev 695 (f6be46f15b74):
      else

rev 709 (151743149f07):
        -- Check the base64 encoded username (an <auth/> with no text yields nil, not an error)
        username = username_data and base64.decode(username_data);
      end

      local user, host, resource = jid_split(username);

      module:log("debug", "Inferred username: %s", user or "nil");

      -- The asserted identity must be a local account. Note that "not" binds tighter
      -- than "==" in Lua, so the host test is written with ~= rather than "not host == ...".
      if (not user) or host ~= module.host then
        module:log("debug", "No valid username found for %s", tostring(session));

rev 695 (f6be46f15b74):
        module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
        session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");

rev 709 (151743149f07):
        return true;

rev 695 (f6be46f15b74):
      end

rev 709 (151743149f07):
      -- The presented certificate must match one the user registered, by digest and by PEM
      local certs = dm_load(user, module.host, dm_table) or {};
      local digest = cert:digest(digest_algo);
      local pem = cert:pem();

      for name,info in pairs(certs) do
        if info.digest == digest and info.pem == pem then
          sm_make_authenticated(session, user);
          module:fire_event("authentication-success", { session = session });
          session.send(st.stanza("success", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}));
          session:reset_stream();
          return true;
        end
      end
      module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
      session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");

rev 695 (f6be46f15b74):
    else
      session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"encryption-required");
    end
    return true;
  end
end, 1);
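The authorization decision the EXTERNAL auth hook above makes (XEP-0178 "=" versus base64 authzid, the local-host check, and the match against the user's stored certificates), modelled as an added, stand-alone Python example that is not part of mod_client_certs. The certificate and the per-user certificate store are constructed stand-ins: the certificate is reduced to its digest, PEM text and list of id-on-xmppAddr values, which is all the hook consults.

```python
import base64

# Constructed stand-in for a presented client certificate. The real module uses
# cert:digest(), cert:pem() and get_id_on_xmpp_addrs(cert) on a LuaSec object.
CLIENT_CERT = {
    "digest": "sha256:0123456789abcdef-constructed",
    "pem": "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n",
    "xmpp_addrs": ["alice@example.com"],
}

# Constructed stand-in for the datamanager store: user -> cert name -> info.
STORED_CERTS = {
    "alice": {
        "laptop": {"digest": CLIENT_CERT["digest"], "pem": CLIENT_CERT["pem"]},
    },
}


def client_auth_payload(authzid=None):
    """Text a client puts inside <auth mechanism='EXTERNAL'/> (XEP-0178):
    '=' asks the server to take the identity from the certificate, otherwise
    the base64 of the JID the client wants to be authorized as."""
    if authzid is None:
        return "="
    return base64.b64encode(authzid.encode("utf-8")).decode("ascii")


def jid_split(jid):
    """Minimal equivalent of Prosody's util.jid.split: (node, host, resource)."""
    if jid is None:
        return None, None, None
    node, sep, rest = jid.partition("@")
    if not sep:
        node, rest = None, node
    host, _, resource = rest.partition("/")
    return node, host or None, resource or None


def external_auth(payload, cert, local_host, stored_certs):
    """Server-side decision for one EXTERNAL attempt on a TLS-protected session.
    Returns ("success", username, cert_name) or ("failure", condition, reason)."""
    if cert is None:
        return "failure", "not-authorized", "no client certificate presented"
    if payload == "=":
        jids = cert["xmpp_addrs"]
        # With "=" the certificate must name exactly one JID; zero or several
        # leave the server unable to tell which account is meant.
        if len(jids) != 1:
            return "failure", "not-authorized", "certificate must carry exactly one id-on-xmppAddr"
        username = jids[0]
    else:
        try:
            username = base64.b64decode(payload or "", validate=True).decode("utf-8")
        except ValueError:  # bad base64 (binascii.Error) or non-UTF-8 bytes
            return "failure", "not-authorized", "malformed authzid"
    user, host, _resource = jid_split(username)
    # The asserted identity must be an account on this host; a JID on another
    # host is rejected even if the certificate itself is one we have on file.
    if not user or host != local_host:
        return "failure", "not-authorized", "authzid is not an account on this host"
    # The presented certificate must be one this user registered (digest and PEM).
    for name, info in stored_certs.get(user, {}).items():
        if info["digest"] == cert["digest"] and info["pem"] == cert["pem"]:
            return "success", user, name
    return "failure", "not-authorized", "certificate not registered for this user"
```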