Mercurial > prosody-modules

changeset 3220:0e78523f8c20

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_watchuntrusted: Add option to ignore domains
author Michel Le Bihan <michel@lebihan.pl>
date Wed, 08 Aug 2018 15:58:50 +0200
parents 58d61459cdb1
children b98c7c33550e
files mod_watchuntrusted/README.markdown mod_watchuntrusted/mod_watchuntrusted.lua
diffstat 2 files changed, 12 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/mod_watchuntrusted/README.markdown	Wed Aug 08 15:20:52 2018 +0200
+++ b/mod_watchuntrusted/README.markdown	Wed Aug 08 15:58:50 2018 +0200
@@ -32,6 +32,7 @@
   untrusted\_fail\_watchers       All admins                                                                                                      The users to send the message to
   untrusted\_fail\_notification   "Establishing a secure connection from \$from\_host to \$to\_host failed. Certificate hash: \$sha1. \$errors"   The message to send, \$from\_host, \$to\_host, \$sha1 and \$errors are replaced
   untrusted\_message\_type        `"chat"`                                                                                                        Which kind of message to send. `"normal"` or `"headline"` are other sensible options
+  untrusted\_ignore\_domains      Empty                                                                                                           The domains that this module should not warn about
 
 Compatibility
 =============
--- a/mod_watchuntrusted/mod_watchuntrusted.lua	Wed Aug 08 15:20:52 2018 +0200
+++ b/mod_watchuntrusted/mod_watchuntrusted.lua	Wed Aug 08 15:58:50 2018 +0200
@@ -4,6 +4,8 @@
 local secure_domains, insecure_domains =
 	module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items;
 
+local ignore_domains = module:get_option_set("untrusted_ignore_domains", {})._items;
+
 local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep;
 local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha256. $errors");
 
@@ -22,15 +24,21 @@
     if not (local_host == module:get_host()) then return end
 
     module:log("debug", "Checking certificate...");
+    local certificate_is_valid = false;
+
+    if session.cert_chain_status == "valid" and session.cert_identity_status == "valid" then
+        certificate_is_valid = true;
+    end
+
     local must_secure = secure_auth;
 
     if not must_secure and secure_domains[host] then
-            must_secure = true;
+        must_secure = true;
     elseif must_secure and insecure_domains[host] then
-            must_secure = false;
+        must_secure = false;
     end
 
-    if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") and not notified_about_already[host] then
+    if must_secure and not certificate_is_valid and not notified_about_already[host] and not ignore_domains[host] then
 		notified_about_already[host] = os.time();
 		local _, errors = conn:getpeerverification();
 		local error_message = "";