prosody-modules: mod_s2s_log_certs/mod_s2s_log

annotate mod_s2s_log_certs/mod_s2s_log_certs.lua @ 5648:c217f4edfc4f

misc/mtail: Start of an mtail config Stashing it here in case anyone wants to continue working on it. Currently it's only counting log messages by level. Due to the permissions set by systemd on Prosody logs, mtail never managed to start correctly until permissions were manually relaxed.

author	Kim Alvefur <zash@zash.se>
date	Sun, 17 Sep 2023 13:36:30 +0200
parents	663e5d923ef0
children

rev	line source
1009 fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	1 module:set_global();
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	2
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	3 local dm_load = require "util.datamanager".load;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	4 local dm_store = require "util.datamanager".store;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	5 local datetime = require "util.datetime".datetime;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	6
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	7 local do_store = module:get_option_boolean(module:get_name().."_persist", false);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	8 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1");
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	9
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	10 local function note_cert_digest(event)
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	11 local session, remote_host, cert = event.session, event.host, event.cert;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	12
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	13 if not (remote_host and cert and cert.digest) then return end;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	14 local digest = cert:digest(digest_algo);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	15
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	16 local local_host = session.direction == "outgoing" and session.from_host or session.to_host;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	17 local chain_status = session.cert_chain_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	18 local identity_status = session.cert_identity_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	19
1091 79ef0427765f mod_s2s_log_certs: Minor grammar change Kim Alvefur <zash@zash.se> parents: 1009 diff changeset	20 module:log("info", "%s has a %s %s certificate with %s: %s",
79ef0427765f mod_s2s_log_certs: Minor grammar change Kim Alvefur <zash@zash.se> parents: 1009 diff changeset	21 remote_host,
1009 fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	22 chain_status == "valid" and "trusted" or "untrusted",
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	23 identity_status or "invalid",
1091 79ef0427765f mod_s2s_log_certs: Minor grammar change Kim Alvefur <zash@zash.se> parents: 1009 diff changeset	24 digest_algo:upper(),
1009 fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	25 digest:upper():gsub("..",":%0"):sub(2));
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	26
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	27 if do_store then
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	28 local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {};
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	29
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	30 digest = digest_algo..":"..digest;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	31 local this_cert = seen_certs[digest] or { first = datetime(); times = 0; }
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	32 this_cert.last = datetime();
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	33 this_cert.times = this_cert.times + 1;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	34 seen_certs[digest] = this_cert;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	35 chain_status = chain_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	36 identity_status = identity_status;
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	37 dm_store(remote_host, local_host, "s2s_certs", seen_certs);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	38 end
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	39 end
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	40
1787 663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	41 if module.wrap_event then
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	42 -- 0.10
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	43 module:wrap_event("s2s-check-certificate", function (handlers, event_name, event_data)
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	44 local ret = handlers(event_name, event_data);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	45 note_cert_digest(event_data);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	46 return ret;
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	47 end);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	48 else
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	49 -- 0.9
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	50 module:hook("s2s-check-certificate", note_cert_digest, 1000);
663e5d923ef0 mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks Kim Alvefur <zash@zash.se> parents: 1091 diff changeset	51 end
1009 fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	52 --[[
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	53 function module.add_host(module)
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	54 module:hook("s2s-check-certificate", note_cert_digest, 1000);
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	55 end
fcba646eb20a mod_s2s_log_certs: Log certificate status and fingerprints Kim Alvefur <zash@zash.se> parents: diff changeset	56 ]]

Mercurial > prosody-modules

annotate mod_s2s_log_certs/mod_s2s_log_certs.lua @ 5648:c217f4edfc4f