changeset 1413:cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
author | Kim Alvefur <zash@zash.se> |
date | Mon, 19 May 2014 11:56:49 +0200 (2014-05-19) |
parents | d85695be0441 |
children | 48141957f719 |
files | mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua |
diffstat | 1 files changed, 59 insertions(+), 0 deletions(-) [+] |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua Mon May 19 11:56:49 2014 +0200
@@ -0,0 +1,59 @@
+module:set_global();
+
+local http_request = require"socket.http".request;
+local ltn12 = require"ltn12";
+local json = require"util.json";
+local json_encode, json_decode = json.encode, json.decode;
+local gettime = require"socket".gettime;
+local serialize = require"util.serialization".serialize;
+
+local msva_url = assert(os.getenv"MONKEYSPHERE_VALIDATION_AGENT_SOCKET",
+"MONKEYSPHERE_VALIDATION_AGENT_SOCKET is unset, please set it").."/reviewcert";
+
+local function check_with_monkeysphere(event)
+local session, host, cert = event.session, event.host, event.cert;
+local result = {};
+local post_body = json_encode {
+peer = {
+name = host;
+type = "peer";
+};
+context = "https";
+-- context = "xmpp"; -- Monkeysphere needs to be extended to understand this
+pkc = {
+type = "x509pem";
+data = cert:pem();
+};
+}
+local req = {
+method = "POST";
+url = msva_url;
+headers = {
+["Content-Type"] = "application/json";
+["Content-Length"] = tostring(#post_body);
+};
+sink = ltn12.sink.table(result);
+source = ltn12.source.string(post_body);
+};
+session.log("debug", "Asking what Monkeysphere thinks about this certificate");
+local starttime = gettime();
+local ok, code = http_request(req);
+module:log("debug", "Request took %fs", gettime() - starttime);
+local body = table.concat(result);
+if ok and code == 200 and body then
+body = json_decode(body);
+if body then
+session.log(body.valid and "info" or "warn", "Monkeysphere thinks the cert is %salid: %s", body.valid and "V" or "Inv", body.message);
+if body.valid then
+session.cert_chain_status = "valid";
+session.cert_identity_status = "valid";
+return true;
+end
+end
+else
+module:log("warn", "Request failed: %s, %s", tostring(code), tostring(body));
+module:log("debug", serialize(req));
+end
+end
+
+module:hook("s2s-check-certificate", check_with_monkeysphere);
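Review bot: The decoded agent response is used as a table after only a truthiness check (`if body then`), so if the validation agent answers with a JSON scalar or array, `body.valid` raises inside the s2s-check-certificate handler instead of letting the remaining certificate checks run; tighten it to `if type(body) == "table" then`, and consider `tostring(body.message)` on the log line in case the message field is absent. Note also that `socket.http.request` is a synchronous call, so a slow or hung agent stalls the whole server for the duration of this hook; a non-blocking HTTP client would keep the agent from becoming a single point of stall for every incoming s2s connection. Finally, `cert:pem()` is called without checking that `event.cert` is set — if this event can fire for a peer that presented no certificate (not visible here), that line would also error rather than fall through.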