Software / code / prosody-modules
Annotate
mod_watchuntrusted/mod_watchuntrusted.lua @ 1675:116488cced16
mod_watchuntrusted: Only notify once per host per day
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Wed, 22 Apr 2015 13:20:47 +0200 |
| parent | 1188:5eaecb7f680d |
| child | 1693:2328cbc41045 |
| rev | line source |
|---|---|
|
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
1 local jid_prep = require "util.jid".prep; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
2 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
3 local secure_auth = module:get_option_boolean("s2s_secure_auth", false); |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
4 local secure_domains, insecure_domains = |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
5 module:get_option_set("s2s_secure_domains", {})._items, module:get_option_set("s2s_insecure_domains", {})._items; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
6 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
7 local untrusted_fail_watchers = module:get_option_set("untrusted_fail_watchers", module:get_option("admins", {})) / jid_prep; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
8 local untrusted_fail_notification = module:get_option("untrusted_fail_notification", "Establishing a secure connection from $from_host to $to_host failed. Certificate hash: $sha1. $errors"); |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
9 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
10 local st = require "util.stanza"; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
11 |
|
1675
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
12 local notified_about_already = { }; |
|
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
13 |
|
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
14 module:hook_global("s2s-check-certificate", function (event) |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
15 local session, host = event.session, event.host; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
16 local conn = session.conn:socket(); |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
17 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
18 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
19 if not (local_host == module:get_host()) then return end |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
20 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
21 module:log("debug", "Checking certificate..."); |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
22 local must_secure = secure_auth; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
23 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
24 if not must_secure and secure_domains[host] then |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
25 must_secure = true; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
26 elseif must_secure and insecure_domains[host] then |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
27 must_secure = false; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
28 end |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
29 |
|
1675
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
30 if must_secure and (session.cert_chain_status ~= "valid" or session.cert_identity_status ~= "valid") and not notified_about_already[host] then |
|
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
31 notified_about_already[host] = os.time(); |
|
1188
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
32 local _, errors = conn:getpeerverification(); |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
33 local error_message = ""; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
34 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
35 for depth, t in pairs(errors or {}) do |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
36 if #t > 0 then |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
37 error_message = error_message .. "Error with certificate " .. (depth - 1) .. ": " .. table.concat(t, ", ") .. ". "; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
38 end |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
39 end |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
40 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
41 if session.cert_identity_status then |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
42 error_message = error_message .. "This certificate is " .. session.cert_identity_status .. " for " .. host .. "."; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
43 end |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
44 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
45 local replacements = { sha1 = event.cert and event.cert:digest("sha1"), errors = error_message }; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
46 |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
47 local message = st.message{ type = "chat", from = local_host } |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
48 :tag("body") |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
49 :text(untrusted_fail_notification:gsub("%$([%w_]+)", function (v) |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
50 return event[v] or session and session[v] or replacements and replacements[v] or nil; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
51 end)); |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
52 for jid in untrusted_fail_watchers do |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
53 module:log("debug", "Notifying %s", jid); |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
54 message.attr.to = jid; |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
55 module:send(message); |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
56 end |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
57 end |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
58 end, -0.5); |
|
5eaecb7f680d
mod_watchuntrusted: New module that will warn admins about s2s connections that fail due to lack of encryption or invalid certificates.
Thijs Alkemade <me@thijsalkema.de>
parents:
diff
changeset
|
59 |
|
1675
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
60 module:add_timer(14400, function (now) |
|
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
61 for host, time in pairs(notified_about_already) do |
|
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
62 if time + 86400 > now then |
|
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
63 notified_about_already[host] = nil; |
|
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
64 end |
|
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
65 end |
|
116488cced16
mod_watchuntrusted: Only notify once per host per day
Kim Alvefur <zash@zash.se>
parents:
1188
diff
changeset
|
66 end) |
