Software /
code /
prosody-modules
Comparison
mod_client_certs/mod_client_certs.lua @ 3267:4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
author | Emmanuel Gil Peyrot <linkmauve@linkmauve.fr> |
---|---|
date | Fri, 24 Aug 2018 20:49:54 +0200 |
parent | 1779:bdf1de953fd9 |
child | 3447:5f2eeebcf899 |
comparison
equal
deleted
inserted
replaced
3266:ebd78514bbec | 3267:4b43b317e8f5 |
---|---|
107 | 107 |
108 dm_store(username, module.host, dm_table, certs); | 108 dm_store(username, module.host, dm_table, certs); |
109 return info; | 109 return info; |
110 end | 110 end |
111 | 111 |
112 module:hook("iq/self/"..xmlns_saslcert..":items", function(event) | 112 module:hook("iq-get/self/"..xmlns_saslcert..":items", function(event) |
113 local origin, stanza = event.origin, event.stanza; | 113 local origin, stanza = event.origin, event.stanza; |
114 if stanza.attr.type == "get" then | 114 module:log("debug", "%s requested items", origin.full_jid); |
115 module:log("debug", "%s requested items", origin.full_jid); | 115 |
116 | 116 local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert }); |
117 local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert }); | 117 local certs = dm_load(origin.username, module.host, dm_table) or {}; |
118 local certs = dm_load(origin.username, module.host, dm_table) or {}; | 118 |
119 | 119 for digest,info in pairs(certs) do |
120 for digest,info in pairs(certs) do | 120 reply:tag("item") |
121 reply:tag("item") | 121 :tag("name"):text(info.name):up() |
122 :tag("name"):text(info.name):up() | 122 :tag("x509cert"):text(info.x509cert):up() |
123 :tag("x509cert"):text(info.x509cert):up() | 123 :up(); |
124 :up(); | 124 end |
125 end | 125 |
126 | 126 origin.send(reply); |
127 origin.send(reply); | 127 return true |
128 end); | |
129 | |
130 module:hook("iq-set/self/"..xmlns_saslcert..":append", function(event) | |
131 local origin, stanza = event.origin, event.stanza; | |
132 local append = stanza:get_child("append", xmlns_saslcert); | |
133 local name = append:get_child_text("name", xmlns_saslcert); | |
134 local x509cert = append:get_child_text("x509cert", xmlns_saslcert); | |
135 | |
136 if not x509cert or not name then | |
137 origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify? | |
128 return true | 138 return true |
129 end | 139 end |
130 end); | 140 |
131 | 141 local can_manage = append:get_child("no-cert-management", xmlns_saslcert) ~= nil; |
132 module:hook("iq/self/"..xmlns_saslcert..":append", function(event) | 142 x509cert = x509cert:gsub("^%s*(.-)%s*$", "%1"); |
133 local origin, stanza = event.origin, event.stanza; | 143 |
134 if stanza.attr.type == "set" then | 144 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert))); |
135 | 145 |
136 local append = stanza:get_child("append", xmlns_saslcert); | 146 if not cert then |
137 local name = append:get_child_text("name", xmlns_saslcert); | 147 origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate")); |
138 local x509cert = append:get_child_text("x509cert", xmlns_saslcert); | 148 return true; |
139 | 149 end |
140 if not x509cert or not name then | 150 |
141 origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify? | 151 local ok, err = enable_cert(origin.username, cert, { |
142 return true | 152 name = name, |
143 end | 153 x509cert = x509cert, |
144 | 154 no_cert_management = can_manage, |
145 local can_manage = append:get_child("no-cert-management", xmlns_saslcert) ~= nil; | 155 }); |
146 x509cert = x509cert:gsub("^%s*(.-)%s*$", "%1"); | 156 |
147 | 157 if not ok then |
148 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert))); | 158 origin.send(st.error_reply(stanza, "cancel", "bad-request", err)); |
149 | 159 return true -- REJECT?! |
150 if not cert then | 160 end |
151 origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate")); | 161 |
152 return true; | 162 module:log("debug", "%s added certificate named %s", origin.full_jid, name); |
153 end | 163 |
154 | 164 origin.send(st.reply(stanza)); |
155 local ok, err = enable_cert(origin.username, cert, { | 165 |
156 name = name, | 166 return true |
157 x509cert = x509cert, | |
158 no_cert_management = can_manage, | |
159 }); | |
160 | |
161 if not ok then | |
162 origin.send(st.error_reply(stanza, "cancel", "bad-request", err)); | |
163 return true -- REJECT?! | |
164 end | |
165 | |
166 module:log("debug", "%s added certificate named %s", origin.full_jid, name); | |
167 | |
168 origin.send(st.reply(stanza)); | |
169 | |
170 return true | |
171 end | |
172 end); | 167 end); |
173 | 168 |
174 | 169 |
175 local function handle_disable(event) | 170 local function handle_disable(event) |
176 local origin, stanza = event.origin, event.stanza; | 171 local origin, stanza = event.origin, event.stanza; |
177 if stanza.attr.type == "set" then | 172 local disable = stanza.tags[1]; |
178 local disable = stanza.tags[1]; | 173 module:log("debug", "%s disabled a certificate", origin.full_jid); |
179 module:log("debug", "%s disabled a certificate", origin.full_jid); | 174 |
180 | 175 local name = disable:get_child_text("name"); |
181 local name = disable:get_child_text("name"); | 176 |
182 | 177 if not name then |
183 if not name then | 178 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified.")); |
184 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified.")); | |
185 return true | |
186 end | |
187 | |
188 disable_cert(origin.username, name, disable.name == "revoke"); | |
189 | |
190 origin.send(st.reply(stanza)); | |
191 | |
192 return true | 179 return true |
193 end | 180 end |
194 end | 181 |
195 | 182 disable_cert(origin.username, name, disable.name == "revoke"); |
196 module:hook("iq/self/"..xmlns_saslcert..":disable", handle_disable); | 183 |
197 module:hook("iq/self/"..xmlns_saslcert..":revoke", handle_disable); | 184 origin.send(st.reply(stanza)); |
185 | |
186 return true | |
187 end | |
188 | |
189 module:hook("iq-set/self/"..xmlns_saslcert..":disable", handle_disable); | |
190 module:hook("iq-set/self/"..xmlns_saslcert..":revoke", handle_disable); | |
198 | 191 |
199 -- Ad-hoc command | 192 -- Ad-hoc command |
200 local adhoc_new = module:require "adhoc".new; | 193 local adhoc_new = module:require "adhoc".new; |
201 local dataforms_new = require "util.dataforms".new; | 194 local dataforms_new = require "util.dataforms".new; |
202 | 195 |