comparison mod_watchuntrusted/mod_watchuntrusted.lua @ 1188:5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
author | Thijs Alkemade <me@thijsalkema.de> |
---|---|
date | Fri, 06 Sep 2013 13:07:57 +0200 |
parents | |
children | 116488cced16 |
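--- /dev/null
+++ b/mod_watchuntrusted/mod_watchuntrusted.lua
@@ -0,0 +1,56 @@
+local jid_prep = require "util.jid".prep;
+
+local secure_auth = module:get_option_boolean("s2s_secure_auth", false);
+local secure_domains, insecure_domains =
+module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items;
+
+local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep;
+local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha1. $errors");
+
+local st = require "util.stanza";
+
+module:hook_global("s2s-check-certificate", function (event)
+local session, host = event.session, event.host;
+local conn = session.conn:socket();
+local local_host = session.direction == "outgoing" and session.from_host or session.to_host;
+
+if not (local_host == module:get_host()) then return end
+
+module:log("debug", "Checking certificate...");
+local must_secure = secure_auth;
+
+if not must_secure and secure_domains[host] then
+must_secure = true;
+elseif must_secure and insecure_domains[host] then
+must_secure = false;
+end
+
+if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") then
+local _, errors = conn:getpeerverification();
+local error_message = "";
+
+for depth, t in pairs(errors or {}) do
+if #t > 0 then
+error_message = error_message .. "Error with certificate " .. (depth - 1) .. ": " .. table.concat(t, ", ") .. ". ";
+end
+end
+
+if session.cert_identity_status then
+error_message = error_message .. "This certificate is " .. session.cert_identity_status .. " for " .. host .. ".";
+end
+
+local replacements = { sha1 = event.cert and event.cert:digest("sha1"), errors = error_message };
+
+local message = st.message{ type = "chat", from = local_host }
+:tag("body")
+:text(untrusted_fail_notification:gsub("%$([%w_]+)", function (v)
+return event[v] or session and session[v] or replacements and replacements[v] or nil;
+end));
+for jid in untrusted_fail_watchers do
+module:log("debug", "Notifying %s", jid);
+message.attr.to = jid;
+module:send(message);
+end
+end
+end, -0.5);
+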
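Review bot: `conn:getpeerverification()` on line 29 is called unconditionally, but `session.conn:socket()` is only a TLS socket once STARTTLS has happened; on an unencrypted connection — the "lack of encryption" case the commit message names — `cert_chain_status` is presumably unset, the condition on line 28 holds, and the method lookup yields nil, so the hook raises instead of notifying. Guard it the way line 42 already guards `event.cert`: `local _, errors; if conn.getpeerverification then _, errors = conn:getpeerverification(); end`. Separately, the replacement callback on line 47 returns whatever `event[v]` or `session[v]` holds, and `gsub` raises "invalid replacement value" for anything that is not a string or number, so a template mentioning a table-valued field such as `$conn` errors at runtime; returning the looked-up value only when `type(val) == "string" or type(val) == "number"` and nil otherwise leaves the unknown placeholder literal instead. Restricting substitution to a whitelist of known keys (`from_host`, `to_host`, `sha1`, `errors`) would also keep arbitrary session internals out of the notification body.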