Mercurial > prosody-modules
comparison mod_watchuntrusted/mod_watchuntrusted.lua @ 3220:0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
| author | Michel Le Bihan <michel@lebihan.pl> |
|---|---|
| date | Wed, 08 Aug 2018 15:58:50 +0200 |
| parents | 3996437ff64f |
| children |
comparison
equal
deleted
inserted
replaced
| 3219:58d61459cdb1 | 3220:0e78523f8c20 |
|---|---|
| 1 local jid_prep = require "util.jid".prep; | 1 local jid_prep = require "util.jid".prep; |
| 2 | 2 |
| 3 local secure_auth = module:get_option_boolean("s2s_secure_auth", false); | 3 local secure_auth = module:get_option_boolean("s2s_secure_auth", false); |
| 4 local secure_domains, insecure_domains = | 4 local secure_domains, insecure_domains = |
| 5 module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; | 5 module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; |
| 6 | |
| 7 local ignore_domains = module:get_option_set("untrusted_ignore_domains", {})._items; | |
| 6 | 8 |
| 7 local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep; | 9 local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep; |
| 8 local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors"); | 10 local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors"); |
| 9 | 11 |
| 10 local msg_type = module:get_option_string("untrusted_message_type", "chat"); | 12 local msg_type = module:get_option_string("untrusted_message_type", "chat"); |
| 20 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; | 22 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; |
| 21 | 23 |
| 22 if not (local_host == module:get_host()) then return end | 24 if not (local_host == module:get_host()) then return end |
| 23 | 25 |
| 24 module:log("debug", "Checking certificate..."); | 26 module:log("debug", "Checking certificate..."); |
| 27 local certificate_is_valid = false; | |
| 28 | |
| 29 if session.cert_chain_status == "valid" and session.cert_identity_status == "valid" then | |
| 30 certificate_is_valid = true; | |
| 31 end | |
| 32 | |
| 25 local must_secure = secure_auth; | 33 local must_secure = secure_auth; |
| 26 | 34 |
| 27 if not must_secure and secure_domains[host] then | 35 if not must_secure and secure_domains[host] then |
| 28 must_secure = true; | 36 must_secure = true; |
| 29 elseif must_secure and insecure_domains[host] then | 37 elseif must_secure and insecure_domains[host] then |
| 30 must_secure = false; | 38 must_secure = false; |
| 31 end | 39 end |
| 32 | 40 |
| 33 if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") and not notified_about_already[host] then | 41 if must_secure and not certificate_is_valid and not notified_about_already[host] and not ignore_domains[host] then |
| 34 notified_about_already[host] = os.time(); | 42 notified_about_already[host] = os.time(); |
| 35 local _, errors = conn:getpeerverification(); | 43 local _, errors = conn:getpeerverification(); |
| 36 local error_message = ""; | 44 local error_message = ""; |
| 37 | 45 |
| 38 for depth, t in pairs(errors or {}) do | 46 for depth, t in pairs(errors or {}) do |