Diff

mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua @ 1413:cfe360d9d82c

mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
author Kim Alvefur <zash@zash.se>
date Mon, 19 May 2014 11:56:49 +0200
child 2186:a100f4a720cb
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_s2s_auth_monkeysphere/mod_s2s_auth_monkeysphere.lua	Mon May 19 11:56:49 2014 +0200
@@ -0,0 +1,59 @@
+module:set_global();
+
+local http_request = require"socket.http".request;
+local ltn12 = require"ltn12";
+local json = require"util.json";
+local json_encode, json_decode = json.encode, json.decode;
+local gettime = require"socket".gettime;
+local serialize = require"util.serialization".serialize;
+
+local msva_url = assert(os.getenv"MONKEYSPHERE_VALIDATION_AGENT_SOCKET",
+	"MONKEYSPHERE_VALIDATION_AGENT_SOCKET is unset, please set it").."/reviewcert";
+
+local function check_with_monkeysphere(event)
+	local session, host, cert = event.session, event.host, event.cert;
+	local result = {};
+	local post_body = json_encode {
+		peer = {
+			name = host;
+			type = "peer";
+		};
+		context = "https";
+		-- context = "xmpp"; -- Monkeysphere needs to be extended to understand this
+		pkc = {
+			type = "x509pem";
+			data = cert:pem();
+		};
+	}
+	local req = {
+		method = "POST";
+		url = msva_url;
+		headers = {
+			["Content-Type"] = "application/json";
+			["Content-Length"] = tostring(#post_body);
+		};
+		sink = ltn12.sink.table(result);
+		source = ltn12.source.string(post_body);
+	};
+	session.log("debug", "Asking what Monkeysphere thinks about this certificate");
+	local starttime = gettime();
+	local ok, code = http_request(req);
+	module:log("debug", "Request took %fs", gettime() - starttime);
+	local body = table.concat(result);
+	if ok and code == 200 and body then
+		body = json_decode(body);
+		if body then
+			session.log(body.valid and "info" or "warn", "Monkeysphere thinks the cert is %salid: %s", body.valid and "V" or "Inv", body.message);
+			if body.valid then
+				session.cert_chain_status = "valid";
+				session.cert_identity_status = "valid";
+				return true;
+			end
+		end
+	else
+		module:log("warn", "Request failed: %s, %s", tostring(code), tostring(body));
+		module:log("debug", serialize(req));
+	end
+end
+
+module:hook("s2s-check-certificate", check_with_monkeysphere);