Mercurial > prosody-modules
annotate mod_client_certs/mod_client_certs.lua @ 697:c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
| author | Thijs Alkemade <thijsalkemade@gmail.com> |
|---|---|
| date | Tue, 05 Jun 2012 19:31:03 +0200 |
| parents | f6be46f15b74 |
| children | 3a3293f37139 |
| rev | line source |
|---|---|
|
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
1 -- XEP-0257: Client Certificates Management implementation for Prosody |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
2 -- Copyright (C) 2012 Thijs Alkemade |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
3 -- |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
4 -- This file is MIT/X11 licensed. |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
5 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
6 local st = require "util.stanza"; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
7 local jid_bare = require "util.jid".bare; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
8 local xmlns_saslcert = "urn:xmpp:saslcert:0"; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
9 local xmlns_pubkey = "urn:xmpp:tmp:pubkey"; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
10 local dm_load = require "util.datamanager".load; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
11 local dm_store = require "util.datamanager".store; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
12 local dm_table = "client_certs"; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
13 local x509 = require "ssl.x509"; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
14 local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5"; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
15 local digest_algo = "sha1"; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
16 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
17 local function enable_cert(username, cert, info) |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
18 local certs = dm_load(username, module.host, dm_table) or {}; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
19 local all_certs = dm_load(nil, module.host, dm_table) or {}; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
20 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
21 info.pem = cert:pem(); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
22 local digest = cert:digest(digest_algo); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
23 info.digest = digest; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
24 certs[info.id] = info; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
25 all_certs[digest] = username; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
26 -- Or, have it be keyed by the entire PEM representation |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
27 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
28 dm_store(username, module.host, dm_table, certs); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
29 dm_store(nil, module.host, dm_table, all_certs); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
30 return true |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
31 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
32 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
33 local function disable_cert(username, name) |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
34 local certs = dm_load(username, module.host, dm_table) or {}; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
35 local all_certs = dm_load(nil, module.host, dm_table) or {}; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
36 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
37 local info = certs[name]; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
38 local cert; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
39 if info then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
40 certs[name] = nil; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
41 cert = x509.cert_from_pem(info.pem); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
42 all_certs[cert:digest(digest_algo)] = nil; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
43 else |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
44 return nil, "item-not-found" |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
45 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
46 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
47 dm_store(username, module.host, dm_table, certs); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
48 dm_store(nil, module.host, dm_table, all_certs); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
49 return cert; -- So we can compare it with stuff |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
50 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
51 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
52 module:hook("iq/self/"..xmlns_saslcert..":items", function(event) |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
53 local origin, stanza = event.origin, event.stanza; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
54 if stanza.attr.type == "get" then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
55 module:log("debug", "%s requested items", origin.full_jid); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
56 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
57 local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert }); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
58 local certs = dm_load(origin.username, module.host, dm_table) or {}; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
59 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
60 for digest,info in pairs(certs) do |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
61 reply:tag("item", { id = info.id }) |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
62 :tag("name"):text(info.name):up() |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
63 :tag("keyinfo", { xmlns = xmlns_pubkey }):tag("name"):text(info["key_name"]):up() |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
64 :tag("x509cert"):text(info.x509cert) |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
65 :up(); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
66 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
67 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
68 origin.send(reply); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
69 return true |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
70 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
71 end); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
72 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
73 module:hook("iq/self/"..xmlns_saslcert..":append", function(event) |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
74 local origin, stanza = event.origin, event.stanza; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
75 if stanza.attr.type == "set" then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
76 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
77 local append = stanza:get_child("append", xmlns_saslcert); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
78 local name = append:get_child_text("name", xmlns_saslcert); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
79 local key_info = append:get_child("keyinfo", xmlns_pubkey); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
80 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
81 if not key_info or not name then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
82 origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify? |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
83 return true |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
84 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
85 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
86 local id = key_info:get_child_text("name", xmlns_pubkey); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
87 local x509cert = key_info:get_child_text("x509cert", xmlns_pubkey); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
88 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
89 if not id or not x509cert then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
90 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No certificate found.")); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
91 return true |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
92 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
93 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
94 local can_manage = key_info:get_child("no-cert-management", xmlns_saslcert) ~= nil; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
95 local x509cert = key_info:get_child_text("x509cert"); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
96 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
97 local cert = x509.cert_from_pem( |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
98 "-----BEGIN CERTIFICATE-----\n" |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
99 .. x509cert .. |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
100 "\n-----END CERTIFICATE-----\n"); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
101 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
102 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
103 if not cert then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
104 origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate")); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
105 return true; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
106 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
107 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
108 -- Check the certificate. Is it not expired? Does it include id-on-xmppAddr? |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
109 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
110 --[[ the method expired doesn't exist in luasec .. yet? |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
111 if cert:expired() then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
112 module:log("debug", "This certificate is already expired."); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
113 origin.send(st.error_reply(stanza, "cancel", "bad-request", "This certificate is expired.")); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
114 return true |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
115 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
116 --]] |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
117 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
118 if not cert:valid_at(os.time()) then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
119 module:log("debug", "This certificate is not valid at this moment."); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
120 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
121 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
122 local valid_id_on_xmppAddrs; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
123 local require_id_on_xmppAddr = false; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
124 if require_id_on_xmppAddr then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
125 --local info = {}; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
126 valid_id_on_xmppAddrs = {}; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
127 for _,v in ipairs(cert:subject()) do |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
128 --info[#info+1] = (v.name or v.oid) ..":" .. v.value; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
129 if v.oid == id_on_xmppAddr then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
130 if jid_bare(v.value) == jid_bare(origin.full_jid) then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
131 module:log("debug", "The certificate contains a id-on-xmppAddr key, and it is valid."); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
132 valid_id_on_xmppAddrs[#valid_id_on_xmppAddrs+1] = v.value; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
133 -- Is there a point in having >1 ids? Reject?! |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
134 else |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
135 module:log("debug", "The certificate contains a id-on-xmppAddr key, but it is for %s.", v.value); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
136 -- Reject? |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
137 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
138 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
139 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
140 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
141 if #valid_id_on_xmppAddrs == 0 then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
142 origin.send(st.error_reply(stanza, "cancel", "bad-request", "This certificate is has no valid id-on-xmppAddr field.")); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
143 return true -- REJECT?! |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
144 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
145 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
146 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
147 enable_cert(origin.username, cert, { |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
148 id = id, |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
149 name = name, |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
150 x509cert = x509cert, |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
151 no_cert_management = can_manage, |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
152 jids = valid_id_on_xmppAddrs, |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
153 }); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
154 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
155 module:log("debug", "%s added certificate named %s", origin.full_jid, name); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
156 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
157 origin.send(st.reply(stanza)); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
158 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
159 return true |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
160 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
161 end); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
162 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
163 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
164 local function handle_disable(event) |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
165 local origin, stanza = event.origin, event.stanza; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
166 if stanza.attr.type == "set" then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
167 local disable = stanza.tags[1]; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
168 module:log("debug", "%s disabled a certificate", origin.full_jid); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
169 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
170 local item = disable:get_child("item"); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
171 local name = item and item.attr.id; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
172 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
173 if not name then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
174 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified.")); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
175 return true |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
176 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
177 |
|
697
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
178 local disabled_cert = disable_cert(origin.username, name):pem(); |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
179 |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
180 if disable.name == "revoke" then |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
181 module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", origin.full_jid); |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
182 local sessions = hosts[module.host].sessions[origin.username].sessions; |
|
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
183 |
|
697
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
184 for _, session in pairs(sessions) do |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
185 local cert = session.external_auth_cert; |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
186 |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
187 if cert and cert == disabled_cert then |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
188 module:log("debug", "Found a session that should be closed: %s", tostring(session)); |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
189 session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."}; |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
190 end |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
191 end |
|
c3337f62a538
mod_client_certs: Disconnect every session that was using that cert when revoking a client certificate.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
695
diff
changeset
|
192 end |
|
695
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
193 origin.send(st.reply(stanza)); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
194 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
195 return true |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
196 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
197 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
198 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
199 module:hook("iq/self/"..xmlns_saslcert..":disable", handle_disable); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
200 module:hook("iq/self/"..xmlns_saslcert..":revoke", handle_disable); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
201 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
202 -- Here comes the SASL EXTERNAL stuff |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
203 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
204 local now = os.time; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
205 module:hook("stream-features", function(event) |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
206 local session, features = event.origin, event.features; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
207 if session.secure and session.type == "c2s_unauthed" then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
208 local cert = session.conn:socket():getpeercertificate(); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
209 if not cert then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
210 module:log("error", "No Client Certificate"); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
211 return |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
212 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
213 module:log("info", "Client Certificate: %s", cert:digest(digest_algo)); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
214 local all_certs = dm_load(nil, module.host, dm_table) or {}; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
215 local digest = cert:digest(digest_algo); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
216 local username = all_certs[digest]; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
217 if not cert:valid_at(now()) then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
218 module:log("debug", "Client has an expired certificate", cert:digest(digest_algo)); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
219 return |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
220 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
221 if username then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
222 local certs = dm_load(username, module.host, dm_table) or {}; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
223 local pem = cert:pem(); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
224 for name,info in pairs(certs) do |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
225 if info.digest == digest and info.pem == pem then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
226 session.external_auth_cert, session.external_auth_user = pem, username; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
227 module:log("debug", "Stream features:\n%s", tostring(features)); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
228 local mechs = features:get_child("mechanisms", "urn:ietf:params:xml:ns:xmpp-sasl"); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
229 if mechs then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
230 mechs:tag("mechanism"):text("EXTERNAL"); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
231 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
232 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
233 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
234 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
235 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
236 end, -1); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
237 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
238 local sm_make_authenticated = require "core.sessionmanager".make_authenticated; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
239 |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
240 module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event) |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
241 local session, stanza = event.origin, event.stanza; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
242 if session.type == "c2s_unauthed" and event.stanza.attr.mechanism == "EXTERNAL" then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
243 if session.secure then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
244 local cert = session.conn:socket():getpeercertificate(); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
245 if cert:pem() == session.external_auth_cert then |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
246 sm_make_authenticated(session, session.external_auth_user); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
247 module:fire_event("authentication-success", { session = session }); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
248 session.external_auth, session.external_auth_user = nil, nil; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
249 session.send(st.stanza("success", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"})); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
250 session:reset_stream(); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
251 else |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
252 module:fire_event("authentication-failure", { session = session, condition = "not-authorized" }); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
253 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized"); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
254 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
255 else |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
256 session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"encryption-required"); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
257 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
258 return true; |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
259 end |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
260 end, 1); |
|
f6be46f15b74
mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff
changeset
|
261 |