mod_s2s_log_certs/mod_s2s_log_certs.lua
author Kim Alvefur <zash@zash.se>
Sun, 03 Mar 2024 11:23:40 +0100
changeset 5857 97c9b76867ca
parent 1791 663e5d923ef0
permissions -rw-r--r--
mod_log_ringbuffer: Detach event handlers on logging reload (thanks Menel). Otherwise the global event handlers accumulate, one added each time logging is reloaded, and each invocation of the signal or event triggers one dump of each created ringbuffer.
module:set_global();

-- Persistence and timestamp helpers from Prosody's util library.
local datamanager = require "util.datamanager";
local dm_load, dm_store = datamanager.load, datamanager.store;
local datetime = require "util.datetime".datetime;

-- Both options are namespaced under this module's own name
-- ("<module name>_persist" and "<module name>_digest").
local option_prefix = module:get_name();
-- Whether seen fingerprints are also written to the datamanager store;
-- off by default, in which case the module only logs.
local do_store = module:get_option_boolean(option_prefix.."_persist", false);
-- Algorithm handed to cert:digest() when fingerprinting the peer certificate.
-- "sha1" stays the default for compatibility with existing logs and stores;
-- a stronger algorithm (e.g. "sha256") can be selected when fingerprints are
-- going to be compared against pinned values.
local digest_algo = module:get_option_string(option_prefix.."_digest", "sha1");
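--- Log (and optionally persist) the fingerprint and validation status of the
-- certificate presented by a remote server on an s2s connection.
-- @tparam table event the "s2s-check-certificate" event data; the fields used
--  are event.session (direction, from_host/to_host and the cert_chain_status /
--  cert_identity_status fields filled in by the certificate checks),
--  event.host (the remote host) and event.cert (the presented certificate).
-- @return nothing; the event is only observed, never blocked
local function note_cert_digest(event)
	local session, remote_host, cert = event.session, event.host, event.cert;

	-- Nothing to report without a session, a peer and a certificate that can
	-- be hashed; the session is also needed for local_host below.
	if not (session and remote_host and cert and cert.digest) then return end;
	local digest = cert:digest(digest_algo);

	-- Our own host is the other end of the session, depending on direction.
	local local_host = session.direction == "outgoing" and session.from_host or session.to_host;
	local chain_status = session.cert_chain_status;
	local identity_status = session.cert_identity_status;

	-- Human-readable fingerprint: upper-case hex split into colon-separated
	-- byte pairs (sub(2) drops the leading ":" that gsub produces).
	local fingerprint = digest:upper():gsub("..", ":%0"):sub(2);
	module:log("info", "%s has a %s %s certificate with %s: %s",
		remote_host,
		chain_status == "valid" and "trusted" or "untrusted",
		identity_status or "invalid",
		digest_algo:upper(),
		fingerprint);

	if do_store then
		-- One record per (remote host, local host), keyed by "<algo>:<hex>" so
		-- that fingerprints made with different algorithms never collide.
		local seen_certs = dm_load(remote_host, local_host, "s2s_certs") or {};

		local key = digest_algo..":"..digest;
		local this_cert = seen_certs[key] or { first = datetime(); times = 0; };
		this_cert.last = datetime();
		this_cert.times = this_cert.times + 1;
		-- Record the outcome of the checks next to the fingerprint. The
		-- original assigned chain_status/identity_status to themselves, so a
		-- stored fingerprint carried no trace of whether it was ever trusted.
		this_cert.chain_status = chain_status;
		this_cert.identity_status = identity_status;
		seen_certs[key] = this_cert;
		dm_store(remote_host, local_host, "s2s_certs", seen_certs);
	end
end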
-- Runs the other "s2s-check-certificate" handlers first, then logs, so the
-- status fields on the session are final by the time they are reported.
local function after_cert_checks(handlers, event_name, event_data)
	local ret = handlers(event_name, event_data);
	note_cert_digest(event_data);
	return ret;
end

if not module.wrap_event then
	-- 0.9: wrap_event is not available; plain hook with the original priority.
	module:hook("s2s-check-certificate", note_cert_digest, 1000);
else
	-- 0.10
	module:wrap_event("s2s-check-certificate", after_cert_checks);
end
--[[
function module.add_host(module)
	module:hook("s2s-check-certificate", note_cert_digest, 1000);
end
]]