Software / code / prosody-modules
Annotate
mod_s2s_log_certs/mod_s2s_log_certs.lua @ 4260:c539334dd01a
mod_http_oauth2: Rescope oauth client config into users' storage
This produces client_id of the form owner@host/random and prevents
clients from being deleted by registering an account with the same name
and then deleting the account, as well as having the client
automatically be deleted when the owner account is removed.
On one hand, this leaks the bare JID of the creator to users. On the
other hand, it makes it obvious who made the oauth application.
This module is experimental and only for developers, so this can be
changed if a better method comes up.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 21 Nov 2020 23:55:10 +0100 |
| parent | 1787:663e5d923ef0 |
| rev | line source |
|---|---|
|
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global(); |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 local dm_load = require "util.datamanager".load; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 local dm_store = require "util.datamanager".store; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 local datetime = require "util.datetime".datetime; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 local do_store = module:get_option_boolean(module:get_name().."_persist", false); |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 local digest_algo = module:get_option_string(module:get_name().."_digest", "sha1"); |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 local function note_cert_digest(event) |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 local session, remote_host, cert = event.session, event.host, event.cert; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 if not (remote_host and cert and cert.digest) then return end; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 local digest = cert:digest(digest_algo); |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 local local_host = session.direction == "outgoing" and session.from_host or session.to_host; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 local chain_status = session.cert_chain_status; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
18 local identity_status = session.cert_identity_status; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
|
1091
79ef0427765f
mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents:
1009
diff
changeset
|
20 module:log("info", "%s has a %s %s certificate with %s: %s", |
|
79ef0427765f
mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents:
1009
diff
changeset
|
21 remote_host, |
|
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 chain_status == "valid" and "trusted" or "untrusted", |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 identity_status or "invalid", |
|
1091
79ef0427765f
mod_s2s_log_certs: Minor grammar change
Kim Alvefur <zash@zash.se>
parents:
1009
diff
changeset
|
24 digest_algo:upper(), |
|
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 digest:upper():gsub("..",":%0"):sub(2)); |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 if do_store then |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {}; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 digest = digest_algo..":"..digest; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 local this_cert = seen_certs[digest] or { first = datetime(); times = 0; } |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 this_cert.last = datetime(); |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 this_cert.times = this_cert.times + 1; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 seen_certs[digest] = this_cert; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 chain_status = chain_status; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 identity_status = identity_status; |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 dm_store(remote_host, local_host, "s2s_certs", seen_certs); |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 end |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 end |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 |
|
1787
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
41 if module.wrap_event then |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
42 -- 0.10 |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
43 module:wrap_event("s2s-check-certificate", function (handlers, event_name, event_data) |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
44 local ret = handlers(event_name, event_data); |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
45 note_cert_digest(event_data); |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
46 return ret; |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
47 end); |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
48 else |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
49 -- 0.9 |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
50 module:hook("s2s-check-certificate", note_cert_digest, 1000); |
|
663e5d923ef0
mod_s2s_log_certs: Use new 0.10 API for wrapping event handlers in order to always print log message after all s2s cert checks
Kim Alvefur <zash@zash.se>
parents:
1091
diff
changeset
|
51 end |
|
1009
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 --[[ |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 function module.add_host(module) |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 module:hook("s2s-check-certificate", note_cert_digest, 1000); |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 end |
|
fcba646eb20a
mod_s2s_log_certs: Log certificate status and fingerprints
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 ]] |
