annotate mod_client_certs/mod_client_certs.lua @ 938:d0e71a3bd2c4

mod_s2s_auth_fingerprint: New module for authenticating s2s connections based on preconfigured fingerprints.
author Kim Alvefur <zash@zash.se>
date Mon, 25 Mar 2013 03:54:32 +0100
parents 88ef66a65b13
children 17ba2c59d661
Changesets annotated on this page:

  695 f6be46f15b74 (Thijs Alkemade <thijsalkemade@gmail.com>): mod_client_certs: Checking in the latest version I have with Zash's changes.
  698 3a3293f37139 (Thijs Alkemade, parent 697): mod_client_certs: Fix the checking of valid id_on_xmppAddr fields.
  709 151743149f07 (Thijs Alkemade, parent 698): mod_client_certs: Follow the rules in XEP-0178 about the inclusion of the username when using EXTERNAL, instead of mapping one certificate to one user.
  712 227d48f927ff (Florian Zeitz <florob@babelmonkeys.de>, parent 709): mod_client_certs: Strip x509 data
  713 88ef66a65b13 (Florian Zeitz, parent 712): mod_client_certs: Add Ad-Hoc commands for certificate management

Source of mod_client_certs.lua as annotated (the page ends at line 176, inside the append handler):

```lua
-- XEP-0257: Client Certificates Management implementation for Prosody
-- Copyright (C) 2012 Thijs Alkemade
--
-- This file is MIT/X11 licensed.

local st = require "util.stanza";
local jid_bare = require "util.jid".bare;
local jid_split = require "util.jid".split;
local xmlns_saslcert = "urn:xmpp:saslcert:0";
local xmlns_pubkey = "urn:xmpp:tmp:pubkey";
local dm_load = require "util.datamanager".load;
local dm_store = require "util.datamanager".store;
local dm_table = "client_certs";
local x509 = require "ssl.x509";
local id_on_xmppAddr = "1.3.6.1.5.5.7.8.5";   -- otherName type used by XEP-0178 / RFC 6120
local id_ce_subjectAltName = "2.5.29.17";
local digest_algo = "sha1";
local base64 = require "util.encodings".base64;

-- Collect every id-on-xmppAddr value found in the certificate's subjectAltName extension
local function get_id_on_xmpp_addrs(cert)
	local id_on_xmppAddrs = {};
	for k,ext in pairs(cert:extensions()) do
		if k == id_ce_subjectAltName then
			for e,extv in pairs(ext) do
				if e == id_on_xmppAddr then
					for i,v in ipairs(extv) do
						id_on_xmppAddrs[#id_on_xmppAddrs+1] = v;
					end
				end
			end
		end
	end
	module:log("debug", "Found JIDs: (%d) %s", #id_on_xmppAddrs, table.concat(id_on_xmppAddrs, ", "));
	return id_on_xmppAddrs;
end

local function enable_cert(username, cert, info)
	-- Check the certificate. Is it not expired? Does it include id-on-xmppAddr?

	--[[ the method expired doesn't exist in luasec .. yet?
	if cert:expired() then
		module:log("debug", "This certificate is already expired.");
		return nil, "This certificate is expired.";
	end
	--]]

	if not cert:valid_at(os.time()) then
		module:log("debug", "This certificate is not valid at this moment.");
		-- Reject certificates outside their validity window instead of only logging
		return nil, "This certificate is not valid at this moment.";
	end

	local valid_id_on_xmppAddrs;
	local require_id_on_xmppAddr = true;
	if require_id_on_xmppAddr then
		valid_id_on_xmppAddrs = get_id_on_xmpp_addrs(cert);

		-- XEP-0178: the certificate may only be enabled for the account it names
		local found = false;
		for i,k in pairs(valid_id_on_xmppAddrs) do
			if jid_bare(k) == (username .. "@" .. module.host) then
				found = true;
				break;
			end
		end

		if not found then
			return nil, "This certificate has no valid id-on-xmppAddr field.";
		end
	end

	local certs = dm_load(username, module.host, dm_table) or {};

	info.pem = cert:pem();
	local digest = cert:digest(digest_algo);
	info.digest = digest;
	certs[info.id] = info;

	dm_store(username, module.host, dm_table, certs);
	return true
end

local function disable_cert(username, name, disconnect)
	local certs = dm_load(username, module.host, dm_table) or {};

	local info = certs[name];

	if not info then
		return nil, "item-not-found"
	end

	certs[name] = nil;

	if disconnect then
		module:log("debug", "%s revoked a certificate! Disconnecting all clients that used it", username);
		local sessions = hosts[module.host].sessions[username].sessions;
		local disabled_cert_pem = info.pem;

		-- Close every live session whose peer certificate is the one being removed
		for _, session in pairs(sessions) do
			if session and session.conn then
				local cert = session.conn:socket():getpeercertificate();

				if cert and cert:pem() == disabled_cert_pem then
					module:log("debug", "Found a session that should be closed: %s", tostring(session));
					session:close{ condition = "not-authorized", text = "This client side certificate has been revoked."};
				end
			end
		end
	end

	dm_store(username, module.host, dm_table, certs);
	return info;
end

module:hook("iq/self/"..xmlns_saslcert..":items", function(event)
	local origin, stanza = event.origin, event.stanza;
	if stanza.attr.type == "get" then
		module:log("debug", "%s requested items", origin.full_jid);

		local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert });
		local certs = dm_load(origin.username, module.host, dm_table) or {};

		for digest,info in pairs(certs) do
			reply:tag("item", { id = info.id })
				:tag("name"):text(info.name):up()
				:tag("keyinfo", { xmlns = xmlns_pubkey }):tag("name"):text(info["key_name"]):up()
					:tag("x509cert"):text(info.x509cert)
				:up();
		end

		origin.send(reply);
		return true
	end
end);

module:hook("iq/self/"..xmlns_saslcert..":append", function(event)
	local origin, stanza = event.origin, event.stanza;
	if stanza.attr.type == "set" then

		local append = stanza:get_child("append", xmlns_saslcert);
		local name = append:get_child_text("name", xmlns_saslcert);
		local key_info = append:get_child("keyinfo", xmlns_pubkey);

		if not key_info or not name then
			origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify?
			return true
		end

		local id = key_info:get_child_text("name", xmlns_pubkey);
		local x509cert = key_info:get_child_text("x509cert", xmlns_pubkey);

		if not id or not x509cert then
			origin.send(st.error_reply(stanza, "cancel", "bad-request", "No certificate found."));
			return true
		end

		-- <no-cert-management/> means this certificate must not be usable to manage other certificates
		local no_cert_management = key_info:get_child("no-cert-management", xmlns_saslcert) ~= nil;
		-- Strip surrounding whitespace from the base64 blob before wrapping it in PEM armour
		x509cert = x509cert:gsub("^%s*(.-)%s*$", "%1");

		local cert = x509.cert_from_pem(
			"-----BEGIN CERTIFICATE-----\n"
			.. x509cert ..
			"\n-----END CERTIFICATE-----\n");


		if not cert then
			origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate"));
			return true;
		end

		local ok, err = enable_cert(origin.username, cert, {
			id = id,
			name = name,
			x509cert = x509cert,
			no_cert_management = no_cert_management,
		});

		if not ok then
			origin.send(st.error_reply(stanza, "cancel", "bad-request", err));
```
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
177 return true -- REJECT?!
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
178 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
179
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
180 module:log("debug", "%s added certificate named %s", origin.full_jid, name);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
181
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
182 origin.send(st.reply(stanza));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
183
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
184 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
185 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
186 end);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
187
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
188
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
189 local function handle_disable(event)
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
190 local origin, stanza = event.origin, event.stanza;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
191 if stanza.attr.type == "set" then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
192 local disable = stanza.tags[1];
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
193 module:log("debug", "%s disabled a certificate", origin.full_jid);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
194
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
195 local item = disable:get_child("item");
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
196 local name = item and item.attr.id;
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
197
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
198 if not name then
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
199 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified."));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
200 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
201 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
202
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
203 disable_cert(origin.username, name, disable.name == "revoke");
695
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
204
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
205 origin.send(st.reply(stanza));
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
206
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
207 return true
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
208 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
209 end
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
210
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
211 module:hook("iq/self/"..xmlns_saslcert..":disable", handle_disable);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
212 module:hook("iq/self/"..xmlns_saslcert..":revoke", handle_disable);
f6be46f15b74 mod_client_certs: Checking in the latest version I have with Zash's changes.
Thijs Alkemade <thijsalkemade@gmail.com>
parents:
diff changeset
213
713
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
214 -- Ad-hoc command
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
215 local adhoc_new = module:require "adhoc".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
216 local dataforms_new = require "util.dataforms".new;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
217
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
218 local function generate_error_message(errors)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
219 local errmsg = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
220 for name, err in pairs(errors) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
221 errmsg[#errmsg + 1] = name .. ": " .. err;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
222 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
223 return table.concat(errmsg, "\n");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
224 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
225
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
226 local choose_subcmd_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
227 title = "Certificate management";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
228 instructions = "What action do you want to perform?";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
229
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
230 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#subcmd" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
231 { name = "subcmd", type = "list-single", label = "Actions", required = true,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
232 value = { {label = "Add certificate", value = "add"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
233 {label = "List certificates", value = "list"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
234 {label = "Disable certificate", value = "disable"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
235 {label = "Revoke certificate", value = "revoke"},
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
236 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
237 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
238 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
239
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
240 local add_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
241 title = "Adding a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
242 instructions = "Enter the certificate in PEM format";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
243
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
244 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
245 { name = "name", type = "text-single", label = "Name", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
246 { name = "cert", type = "text-multi", label = "PEM certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
247 { name = "manage", type = "boolean", label = "Can manage certificates", value = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
248 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
249
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
250
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
251 local disable_layout_stub = dataforms_new { { name = "cert", type = "list-single", label = "Certificate", required = true } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
252
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
253
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
254 local function adhoc_handler(self, data, state)
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
255 if data.action == "cancel" then return { status = "canceled" }; end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
256
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
257 if not state or data.action == "prev" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
258 return { status = "executing", form = choose_subcmd_layout, actions = { "next" } }, {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
259 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
260
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
261 if not state.subcmd then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
262 local fields, errors = choose_subcmd_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
263 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
264 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
265 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
266 local subcmd = fields.subcmd
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
267
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
268 if subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
269 return { status = "executing", form = add_layout, actions = { "prev", "next", "complete" } }, { subcmd = "add" };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
270 elseif subcmd == "list" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
271 local list_layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
272 title = "List of certificates";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
273 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
274
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
275 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
276
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
277 for digest, info in pairs(certs) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
278 list_layout[#list_layout + 1] = { name = info.id, type = "text-multi", label = info.name, value = info.x509cert };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
279 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
280
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
281 return { status = "completed", result = list_layout };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
282 else
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
283 local layout = dataforms_new {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
284 { name = "FORM_TYPE", type = "hidden", value = "http://prosody.im/protocol/certs#" .. subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
285 { name = "cert", type = "list-single", label = "Certificate", required = true };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
286 };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
287
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
288 if subcmd == "disable" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
289 layout.title = "Disabling a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
290 layout.instructions = "Select the certificate to disable";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
291 elseif subcmd == "revoke" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
292 layout.title = "Revoking a certificate";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
293 layout.instructions = "Select the certificate to revoke";
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
294 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
295
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
296 local certs = dm_load(jid_split(data.from), module.host, dm_table) or {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
297
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
298 local values = {};
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
299 for digest, info in pairs(certs) do
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
300 values[#values + 1] = { label = info.name, value = info.id };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
301 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
302
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
303 return { status = "executing", form = { layout = layout, values = { cert = values } }, actions = { "prev", "next", "complete" } },
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
304 { subcmd = subcmd };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
305 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
306 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
307
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
308 if state.subcmd == "add" then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
309 local fields, errors = add_layout:data(data.form);
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
310 if errors then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
311 return { status = "completed", error = { message = generate_error_message(errors) } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
312 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
313
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
314 local name = fields.name;
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
315 local x509cert = fields.cert:gsub("^%s*(.-)%s*$", "%1");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
316
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
317 local cert = x509.cert_from_pem(
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
318 "-----BEGIN CERTIFICATE-----\n"
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
319 .. x509cert ..
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
320 "\n-----END CERTIFICATE-----\n");
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
321
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
322 if not cert then
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
323 return { status = "completed", error = { message = "Could not parse X.509 certificate" } };
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
324 end
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
325
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
326 local ok, err = enable_cert(jid_split(data.from), cert, {
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
327 id = cert:digest(digest_algo),
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
328 name = name,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
329 x509cert = x509cert,
88ef66a65b13 mod_client_certs: Add Ad-Hoc commands for certificate management
Florian Zeitz <florob@babelmonkeys.de>
parents: 712
diff changeset
330 no_cert_management = not fields.manage
		});

		if not ok then
			return { status = "completed", error = { message = err } };
		end

		module:log("debug", "%s added certificate named %s", data.from, name);

		return { status = "completed", info = "Successfully added certificate " .. name .. "." };
	else
		local fields, errors = disable_layout_stub:data(data.form);
		if errors then
			return { status = "completed", error = { message = generate_error_message(errors) } };
		end

		local info = disable_cert(jid_split(data.from), fields.cert, state.subcmd == "revoke");

		if state.subcmd == "revoke" then
			return { status = "completed", info = "Revoked certificate " .. info.name .. "." };
		else
			return { status = "completed", info = "Disabled certificate " .. info.name .. "." };
		end
	end
end

local cmd_desc = adhoc_new("Manage certificates", "http://prosody.im/protocol/certs", adhoc_handler, "user");
module:provides("adhoc", cmd_desc);

-- Here comes the SASL EXTERNAL stuff

local now = os.time;
-- Advertise EXTERNAL only to TLS clients that presented a currently valid certificate.
module:hook("stream-features", function(event)
	local session, features = event.origin, event.features;
	if session.secure and session.type == "c2s_unauthed" then
		local cert = session.conn:socket():getpeercertificate();
		if not cert then
			module:log("error", "No Client Certificate");
			return
		end
		module:log("info", "Client Certificate: %s", cert:digest(digest_algo));
		if not cert:valid_at(now()) then
			module:log("debug", "Client has an expired certificate: %s", cert:digest(digest_algo));
			return
		end
		module:log("debug", "Stream features:\n%s", tostring(features));
		local mechs = features:get_child("mechanisms", "urn:ietf:params:xml:ns:xmpp-sasl");
		if mechs then
			mechs:tag("mechanism"):text("EXTERNAL");
		end
	end
end, -1);

local sm_make_authenticated = require "core.sessionmanager".make_authenticated;

module:hook("stanza/urn:ietf:params:xml:ns:xmpp-sasl:auth", function(event)
	local session, stanza = event.origin, event.stanza;
	if session.type == "c2s_unauthed" and stanza.attr.mechanism == "EXTERNAL" then
		if session.secure then
			local cert = session.conn:socket():getpeercertificate();
			-- A client may request EXTERNAL without having presented a certificate (or with
			-- an expired one); reject that up front instead of indexing a nil cert below.
			if not cert or not cert:valid_at(now()) then
				module:log("debug", "EXTERNAL attempted without a valid client certificate by %s", tostring(session));
				module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
				session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
				return true;
			end
			local username_data = stanza:get_text();
			local username = nil;

			if username_data == "=" then
				-- XEP-0178: "=" means the client sent no authorization identity, so it has to
				-- be derived from the certificate, which must carry exactly one id-on-xmppAddr.
				local jids = get_id_on_xmpp_addrs(cert);

				if #jids ~= 1 then
					module:log("debug", "Client tried to authenticate as =, but certificate has %d JIDs instead of exactly one.", #jids);
					module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
					session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
					return true;
				end

				username = jids[1];
			else
				-- Otherwise the authorization identity is the base64-encoded JID the client sent
				username = base64.decode(username_data);
			end

			local user, host = jid_split(username);

			module:log("debug", "Inferred username: %s", user or "nil");

			-- Only accept identities on this host. (Careful with precedence here:
			-- "not host == module.host" parses as "(not host) == module.host" and is
			-- always false, so it would never reject a foreign host.)
			if not user or host ~= module.host then
				module:log("debug", "No valid username found for %s", tostring(session));
				module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
				session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
				return true;
			end

			local certs = dm_load(user, module.host, dm_table) or {};
			local digest = cert:digest(digest_algo);
			local pem = cert:pem();

			-- The trust decision is a match against the certificates this user registered
			-- via XEP-0257: both the digest and the full PEM must be identical.
			for name,info in pairs(certs) do
				if info.digest == digest and info.pem == pem then
					sm_make_authenticated(session, user);
					module:fire_event("authentication-success", { session = session });
					session.send(st.stanza("success", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}));
					session:reset_stream();
					return true;
				end
			end
			module:fire_event("authentication-failure", { session = session, condition = "not-authorized" });
			session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"not-authorized");
		else
			session.send(st.stanza("failure", { xmlns="urn:ietf:params:xml:ns:xmpp-sasl"}):tag"encryption-required");
		end
		return true;
	end
end, 1);
