comparison mod_watchuntrusted/mod_watchuntrusted.lua @ 3220:0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
author | Michel Le Bihan <michel@lebihan.pl> |
---|---|
date | Wed, 08 Aug 2018 15:58:50 +0200 |
parents | 3996437ff64f |
children |
3219:58d61459cdb1 | 3220:0e78523f8c20 |
---|---|
1 local jid_prep = require "util.jid".prep; | 1 local jid_prep = require "util.jid".prep; |
2 | 2 |
3 local secure_auth = module:get_option_boolean("s2s_secure_auth", false); | 3 local secure_auth = module:get_option_boolean("s2s_secure_auth", false); |
4 local secure_domains, insecure_domains = | 4 local secure_domains, insecure_domains = |
5 module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; | 5 module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; |
6 | |
7 local ignore_domains = module:get_option_set("untrusted_ignore_domains", {})._items; | |
6 | 8 |
7 local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep; | 9 local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep; |
8 local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors"); | 10 local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors"); |
9 | 11 |
10 local msg_type = module:get_option_string("untrusted_message_type", "chat"); | 12 local msg_type = module:get_option_string("untrusted_message_type", "chat"); |
20 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; | 22 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; |
21 | 23 |
22 if not (local_host == module:get_host()) then return end | 24 if not (local_host == module:get_host()) then return end |
23 | 25 |
24 module:log("debug", "Checking certificate..."); | 26 module:log("debug", "Checking certificate..."); |
27 local certificate_is_valid = false; | |
28 | |
29 if session.cert_chain_status == "valid" and session.cert_identity_status == "valid" then | |
30 certificate_is_valid = true; | |
31 end | |
32 | |
25 local must_secure = secure_auth; | 33 local must_secure = secure_auth; |
26 | 34 |
27 if not must_secure and secure_domains[host] then | 35 if not must_secure and secure_domains[host] then |
28 must_secure = true; | 36 must_secure = true; |
29 elseif must_secure and insecure_domains[host] then | 37 elseif must_secure and insecure_domains[host] then |
30 must_secure = false; | 38 must_secure = false; |
31 end | 39 end |
32 | 40 |
33 if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") and not notified_about_already[host] then | 41 if must_secure and not certificate_is_valid and not notified_about_already[host] and not ignore_domains[host] then |
34 notified_about_already[host] = os.time(); | 42 notified_about_already[host] = os.time(); |
35 local _, errors = conn:getpeerverification(); | 43 local _, errors = conn:getpeerverification(); |
36 local error_message = ""; | 44 local error_message = ""; |
37 | 45 |
38 for depth, t in pairs(errors or {}) do | 46 for depth, t in pairs(errors or {}) do |