| author | Kim Alvefur <zash@zash.se> |
| Mon, 30 May 2016 16:44:31 +0200 | |
| changeset 2190 | a100f4a720cb |
| parent 1413 | cfe360d9d82c |
| child 3396 | 8d1141025b43 |
| permissions | -rw-r--r-- |
|
1413
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
module:set_global(); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
local http_request = require"socket.http".request; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
local ltn12 = require"ltn12"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 |
local json = require"util.json"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
local json_encode, json_decode = json.encode, json.decode; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
local gettime = require"socket".gettime; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
local serialize = require"util.serialization".serialize; |
|
2190
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
9 |
local have_async, async = pcall(require, "util.async"); |
|
1413
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
|
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
local msva_url = assert(os.getenv"MONKEYSPHERE_VALIDATION_AGENT_SOCKET", |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
"MONKEYSPHERE_VALIDATION_AGENT_SOCKET is unset, please set it").."/reviewcert"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
|
|
2190
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
14 |
if have_async then |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
15 |
local _http_request = require "net.http".request; |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
16 |
function http_request(url, ex) |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
17 |
local wait, done = async.waiter(); |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
18 |
local content, code, request, response; |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
19 |
_http_request(url, ex, function (_content, _code, _request, _response) |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
20 |
content, code, request, response = _content, _code, _request, _response; |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
21 |
done(); |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
22 |
end); |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
23 |
wait(); |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
24 |
return content, code, request, response; |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
25 |
end |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
26 |
end |
|
a100f4a720cb
mod_s2s_auth_monkeysphere: Query Monkeysphere asynchronously if util.async is available
Kim Alvefur <zash@zash.se>
parents:
1413
diff
changeset
|
27 |
|
|
1413
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 |
local function check_with_monkeysphere(event) |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
local session, host, cert = event.session, event.host, event.cert; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 |
local result = {}; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 |
local post_body = json_encode { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
peer = { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 |
name = host; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
type = "peer"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 |
}; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
context = "https"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 |
-- context = "xmpp"; -- Monkeysphere needs to be extended to understand this |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
pkc = { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 |
type = "x509pem"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 |
data = cert:pem(); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
}; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 |
} |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
local req = { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
method = "POST"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 |
url = msva_url; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
headers = { |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
["Content-Type"] = "application/json"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 |
["Content-Length"] = tostring(#post_body); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 |
}; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 |
sink = ltn12.sink.table(result); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 |
source = ltn12.source.string(post_body); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 |
}; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 |
session.log("debug", "Asking what Monkeysphere thinks about this certificate"); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
local starttime = gettime(); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 |
local ok, code = http_request(req); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 |
module:log("debug", "Request took %fs", gettime() - starttime); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 |
local body = table.concat(result); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
if ok and code == 200 and body then |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 |
body = json_decode(body); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 |
if body then |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 |
session.log(body.valid and "info" or "warn", "Monkeysphere thinks the cert is %salid: %s", body.valid and "V" or "Inv", body.message); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
if body.valid then |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 |
session.cert_chain_status = "valid"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 |
session.cert_identity_status = "valid"; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 |
return true; |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 |
end |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 |
end |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 |
else |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 |
module:log("warn", "Request failed: %s, %s", tostring(code), tostring(body)); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 |
module:log("debug", serialize(req)); |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 |
end |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 |
end |
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 |
|
|
cfe360d9d82c
mod_s2s_auth_monkeysphere: Uses Monkeysphere for certificate validation
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
74 |
module:hook("s2s-check-certificate", check_with_monkeysphere); |