
prosodyctl @ 6158:08e9c9d0beb3

prosodyctl: Only perform checks on enabled hosts
author Kim Alvefur <zash@zash.se>
date Fri, 02 May 2014 08:11:11 +0200
parent 6062:6cc6b4d407df
child 6159:4ee14b7ef2cc
6156:6b1aee6536e8 6158:08e9c9d0beb3
795 end 795 end
796 local what = table.remove(arg, 1); 796 local what = table.remove(arg, 1);
797 local array, set = require "util.array", require "util.set"; 797 local array, set = require "util.array", require "util.set";
798 local it = require "util.iterators"; 798 local it = require "util.iterators";
799 local ok = true; 799 local ok = true;
800 local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end
801 local function enabled_hosts() return it.filter(disabled_hosts, pairs(config.getconfig())); end
800 if not what or what == "config" then 802 if not what or what == "config" then
801 print("Checking config..."); 803 print("Checking config...");
802 local known_global_options = set.new({ 804 local known_global_options = set.new({
803 "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize", 805 "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize",
804 "umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings" 806 "umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings"
811 print(" No global options defined. Perhaps you have put a host definition at the top") 813 print(" No global options defined. Perhaps you have put a host definition at the top")
812 print(" of the config file? They should be at the bottom, see http://prosody.im/doc/configure#overview"); 814 print(" of the config file? They should be at the bottom, see http://prosody.im/doc/configure#overview");
813 end 815 end
814 -- Check for global options under hosts 816 -- Check for global options under hosts
815 local global_options = set.new(it.to_array(it.keys(config["*"]))); 817 local global_options = set.new(it.to_array(it.keys(config["*"])));
816 for host, options in it.filter("*", pairs(config)) do 818 for host, options in enabled_hosts() do
817 local host_options = set.new(it.to_array(it.keys(options))); 819 local host_options = set.new(it.to_array(it.keys(options)));
818 local misplaced_options = set.intersection(host_options, known_global_options); 820 local misplaced_options = set.intersection(host_options, known_global_options);
819 for name in pairs(options) do 821 for name in pairs(options) do
820 if name:match("^interfaces?") 822 if name:match("^interfaces?")
821 or name:match("_ports?$") or name:match("_interfaces?$") 823 or name:match("_ports?$") or name:match("_interfaces?$")
896 c2s_srv_required, s2s_srv_required = true, true; 898 c2s_srv_required, s2s_srv_required = true, true;
897 end 899 end
898 900
899 local v6_supported = not not socket.tcp6; 901 local v6_supported = not not socket.tcp6;
900 902
901 for host, host_options in it.filter("*", pairs(config.getconfig())) do 903 for host, host_options in enabled_hosts() do
902 local all_targets_ok, some_targets_ok = true, false; 904 local all_targets_ok, some_targets_ok = true, false;
903 905
904 local is_component = not not host_options.component_module; 906 local is_component = not not host_options.component_module;
905 print("Checking DNS for "..(is_component and "component" or "host").." "..host.."..."); 907 print("Checking DNS for "..(is_component and "component" or "host").." "..host.."...");
906 local target_hosts = set.new(); 908 local target_hosts = set.new();
1045 if what == "certs" then cert_ok = false end 1047 if what == "certs" then cert_ok = false end
1046 elseif not load_cert then 1048 elseif not load_cert then
1047 print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking"); 1049 print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking");
1048 cert_ok = false 1050 cert_ok = false
1049 else 1051 else
1050 for host in pairs(hosts) do 1052 for host in enabled_hosts() do
1051 if host ~= "*" then -- Should check global certs too. 1053 print("Checking certificate for "..host);
1052 print("Checking certificate for "..host); 1054 -- First, let's find out what certificate this host uses.
1053 -- First, let's find out what certificate this host uses. 1055 local ssl_config = config.rawget(host, "ssl");
1054 local ssl_config = config.rawget(host, "ssl"); 1056 if not ssl_config then
1055 if not ssl_config then 1057 local base_host = host:match("%.(.*)");
1056 local base_host = host:match("%.(.*)"); 1058 ssl_config = config.get(base_host, "ssl");
1057 ssl_config = config.get(base_host, "ssl"); 1059 end
1058 end 1060 if not ssl_config then
1059 if not ssl_config then 1061 print(" No 'ssl' option defined for "..host)
1060 print(" No 'ssl' option defined for "..host) 1062 cert_ok = false
1061 cert_ok = false 1063 elseif not ssl_config.certificate then
1062 elseif not ssl_config.certificate then 1064 print(" No 'certificate' set in ssl option for "..host)
1063 print(" No 'certificate' set in ssl option for "..host) 1065 cert_ok = false
1064 cert_ok = false 1066 elseif not ssl_config.key then
1065 elseif not ssl_config.key then 1067 print(" No 'key' set in ssl option for "..host)
1066 print(" No 'key' set in ssl option for "..host) 1068 cert_ok = false
1069 else
1070 local key, err = io.open(ssl_config.key); -- Permissions check only
1071 if not key then
1072 print(" Could not open "..ssl_config.key..": "..err);
1067 cert_ok = false 1073 cert_ok = false
1068 else 1074 else
1069 local key, err = io.open(ssl_config.key); -- Permissions check only 1075 key:close();
1070 if not key then 1076 end
1071 print(" Could not open "..ssl_config.key..": "..err); 1077 local cert_fh, err = io.open(ssl_config.certificate); -- Load the file.
1078 if not cert_fh then
1079 print(" Could not open "..ssl_config.certificate..": "..err);
1080 cert_ok = false
1081 else
1082 print(" Certificate: "..ssl_config.certificate)
1083 local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close();
1084 if not cert:validat(os.time()) then
1085 print(" Certificate has expired.")
1072 cert_ok = false 1086 cert_ok = false
1073 else
1074 key:close();
1075 end 1087 end
1076 local cert_fh, err = io.open(ssl_config.certificate); -- Load the file. 1088 if config.get(host, "component_module") == nil
1077 if not cert_fh then 1089 and not x509_verify_identity(host, "_xmpp-client", cert) then
1078 print(" Could not open "..ssl_config.certificate..": "..err); 1090 print(" Not vaild for client connections to "..host..".")
1079 cert_ok = false 1091 cert_ok = false
1080 else 1092 end
1081 print(" Certificate: "..ssl_config.certificate) 1093 if (not (config.get(name, "anonymous_login")
1082 local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close(); 1094 or config.get(name, "authentication") == "anonymous"))
1083 if not cert:validat(os.time()) then
1084 print(" Certificate has expired.")
1085 cert_ok = false
1086 end
1087 if config.get(host, "component_module") == nil
1088 and not x509_verify_identity(host, "_xmpp-client", cert) then 1095 and not x509_verify_identity(host, "_xmpp-client", cert) then
1089 print(" Not vaild for client connections to "..host..".") 1096 print(" Not vaild for server-to-server connections to "..host..".")
1090 cert_ok = false 1097 cert_ok = false
1091 end
1092 if (not (config.get(name, "anonymous_login")
1093 or config.get(name, "authentication") == "anonymous"))
1094 and not x509_verify_identity(host, "_xmpp-client", cert) then
1095 print(" Not vaild for server-to-server connections to "..host..".")
1096 cert_ok = false
1097 end
1098 end 1098 end
1099 end 1099 end
1100 end 1100 end
1101 end 1101 end
1102 if cert_ok == false then 1102 if cert_ok == false then
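Review bot: The server-to-server identity check on new lines 1093-1095 reads `config.get(name, "anonymous_login")` and `config.get(name, "authentication")` although the loop variable in this block is `host`; unless `name` is bound somewhere above this hunk it is nil here, so the anonymous-login exemption is evaluated against the wrong (or global) configuration rather than the host being checked. The same branch calls `x509_verify_identity(host, "_xmpp-client", cert)` while the message it prints says "server-to-server", so it repeats the client check instead of verifying the server identity; presumably `"_xmpp-server"` was intended, and the `vaild` typo in both messages could be fixed at the same time. These lines pre-date the commit but are re-indented by it, so I would correct them here: `if (not (config.get(host, "anonymous_login") or config.get(host, "authentication") == "anonymous")) and not x509_verify_identity(host, "_xmpp-server", cert) then`. Separately, the predicate added at new line 800 is named `disabled_hosts` but returns true for enabled non-global hosts; naming it `is_enabled_host`, or adding `-- true for real hosts that are not enabled = false`, would avoid misreading. The enclosing `if what == "certs"` branch starts before this hunk.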