changeset 3220:0e78523f8c20
mod_watchuntrusted: Add option to ignore domains
author | Michel Le Bihan <michel@lebihan.pl> |
---|---|
date | Wed, 08 Aug 2018 15:58:50 +0200 |
parents | 58d61459cdb1 |
children | b98c7c33550e |
files | mod_watchuntrusted/README.markdown mod_watchuntrusted/mod_watchuntrusted.lua |
diffstat | 2 files changed, 12 insertions(+), 3 deletions(-) [+] |
--- a/mod_watchuntrusted/README.markdown Wed Aug 08 15:20:52 2018 +0200 +++ b/mod_watchuntrusted/README.markdown Wed Aug 08 15:58:50 2018 +0200 @@ -32,6 +32,7 @@ untrusted\_fail\_watchers All admins The users to send the message to untrusted\_fail\_notification "Establishing a secure connection from \$from\_host to \$to\_host failed. Certificate hash: \$sha1. \$errors" The message to send, \$from\_host, \$to\_host, \$sha1 and \$errors are replaced untrusted\_message\_type `"chat"` Which kind of message to send. `"normal"` or `"headline"` are other sensible options + untrusted\_ignore\_domains Empty The domains that this module should not warn about Compatibility =============
--- a/mod_watchuntrusted/mod_watchuntrusted.lua Wed Aug 08 15:20:52 2018 +0200 +++ b/mod_watchuntrusted/mod_watchuntrusted.lua Wed Aug 08 15:58:50 2018 +0200 @@ -4,6 +4,8 @@ local secure_domains, insecure_domains = module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; +local ignore_domains = module:get_option_set("untrusted_ignore_domains", {})._items; + local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep; local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors"); @@ -22,15 +24,21 @@ if not (local_host == module:get_host()) then return end module:log("debug", "Checking certificate..."); + local certificate_is_valid = false; + + if session.cert_chain_status == "valid" and session.cert_identity_status == "valid" then + certificate_is_valid = true; + end + local must_secure = secure_auth; if not must_secure and secure_domains[host] then - must_secure = true; + must_secure = true; elseif must_secure and insecure_domains[host] then - must_secure = false; + must_secure = false; end - if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") and not notified_about_already[host] then + if must_secure and not certificate_is_valid and not notified_about_already[host] and not ignore_domains[host] then notified_about_already[host] = os.time(); local _, errors = conn:getpeerverification(); local error_message = "";
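Review bot: In the second hunk, appending `and not ignore_domains[host]` to the notification condition makes a certificate failure from an ignored domain completely silent — the branch is skipped without any log line, so an operator auditing later cannot tell whether a failure was ever seen and suppressed; note the option only gates the notification branch here and does not touch `must_secure`, which is worth stating in the README row as well. A debug log at the suppression point keeps an audit trail at no cost, e.g. `if must_secure and not certificate_is_valid and ignore_domains[host] then` / `module:log("debug", "Not notifying about untrusted certificate from %s (untrusted_ignore_domains)", host);` / `elseif must_secure and not certificate_is_valid and not notified_about_already[host] then`. The new five-line `certificate_is_valid` block can be a single expression, `local certificate_is_valid = session.cert_chain_status == "valid" and session.cert_identity_status == "valid";`, and the `must_secure = true;`/`must_secure = false;` pairs appear to differ only in whitespace and could be left out of this commit. The enclosing handler function starts and ends outside the hunk.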