#!/usr/bin/env lua
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
-- prosodyctl - command-line controller for Prosody XMPP server
-- Will be modified by configure script if run --
CFG_SOURCEDIR=CFG_SOURCEDIR or os.getenv("PROSODY_SRCDIR");
CFG_CONFIGDIR=CFG_CONFIGDIR or os.getenv("PROSODY_CFGDIR");
CFG_PLUGINDIR=CFG_PLUGINDIR or os.getenv("PROSODY_PLUGINDIR");
CFG_DATADIR=CFG_DATADIR or os.getenv("PROSODY_DATADIR");
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
local function is_relative(path)
local path_sep = package.config:sub(1,1);
return ((path_sep == "/" and path:sub(1,1) ~= "/")
or (path_sep == "\\" and (path:sub(1,1) ~= "/" and path:sub(2,3) ~= ":\\")))
end
-- Tell Lua where to find our libraries
if CFG_SOURCEDIR then
local function filter_relative_paths(path)
if is_relative(path) then return ""; end
end
local function sanitise_paths(paths)
return (paths:gsub("[^;]+;?", filter_relative_paths):gsub(";;+", ";"));
end
package.path = sanitise_paths(CFG_SOURCEDIR.."/?.lua;"..package.path);
package.cpath = sanitise_paths(CFG_SOURCEDIR.."/?.so;"..package.cpath);
end
-- Substitute ~ with path to home directory in data path
if CFG_DATADIR then
if os.getenv("HOME") then
CFG_DATADIR = CFG_DATADIR:gsub("^~", os.getenv("HOME"));
end
end
-----------
local startup = require "util.startup";
startup.prosodyctl();
-----------
local error_messages = setmetatable({
["invalid-username"] = "The given username is invalid in a Jabber ID";
["invalid-hostname"] = "The given hostname is invalid";
["no-password"] = "No password was supplied";
["no-such-user"] = "The given user does not exist on the server";
["no-such-host"] = "The given hostname does not exist in the config";
["unable-to-save-data"] = "Unable to store, perhaps you don't have permission?";
["no-pidfile"] = "There is no 'pidfile' option in the configuration file, see https://prosody.im/doc/prosodyctl#pidfile for help";
["invalid-pidfile"] = "The 'pidfile' option in the configuration file is not a string, see https://prosody.im/doc/prosodyctl#pidfile for help";
["no-posix"] = "The mod_posix module is not enabled in the Prosody config file, see https://prosody.im/doc/prosodyctl for more info";
["no-such-method"] = "This module has no commands";
["not-running"] = "Prosody is not running";
}, { __index = function (_,k) return "Error: "..(tostring(k):gsub("%-", " "):gsub("^.", string.upper)); end });
local configmanager = require "core.configmanager";
local modulemanager = require "core.modulemanager"
local prosodyctl = require "util.prosodyctl"
local socket = require "socket"
local dependencies = require "util.dependencies";
local lfs = dependencies.softreq "lfs";
-----------------------
local show_message, show_warning = prosodyctl.show_message, prosodyctl.show_warning;
local show_usage = prosodyctl.show_usage;
local show_yesno = prosodyctl.show_yesno;
local show_prompt = prosodyctl.show_prompt;
local read_password = prosodyctl.read_password;
local jid_split = require "util.jid".prepped_split;
local prosodyctl_timeout = (configmanager.get("*", "prosodyctl_timeout") or 5) * 2;
-----------------------
local commands = {};
local command = arg[1];
function commands.adduser(arg)
if not arg[1] or arg[1] == "--help" then
show_usage([[adduser JID]], [[Create the specified user account in Prosody]]);
return 1;
end
local user, host = jid_split(arg[1]);
if not user and host then
show_message [[Failed to understand JID, please supply the JID you want to create]]
show_usage [[adduser user@host]]
return 1;
end
if not host then
show_message [[Please specify a JID, including a host. e.g. alice@example.com]];
return 1;
end
if not prosody.hosts[host] then
show_warning("The host '%s' is not listed in the configuration file (or is not enabled).", host)
show_warning("The user will not be able to log in until this is changed.");
prosody.hosts[host] = startup.make_host(host); --luacheck: ignore 122
end
if prosodyctl.user_exists{ user = user, host = host } then
show_message [[That user already exists]];
return 1;
end
local password = read_password();
if not password then return 1; end
local ok, msg = prosodyctl.adduser { user = user, host = host, password = password };
if ok then return 0; end
show_message(msg)
return 1;
end
function commands.passwd(arg)
if not arg[1] or arg[1] == "--help" then
show_usage([[passwd JID]], [[Set the password for the specified user account in Prosody]]);
return 1;
end
local user, host = jid_split(arg[1]);
if not user and host then
show_message [[Failed to understand JID, please supply the JID you want to set the password for]]
show_usage [[passwd user@host]]
return 1;
end
if not host then
show_message [[Please specify a JID, including a host. e.g. alice@example.com]];
return 1;
end
if not prosody.hosts[host] then
show_warning("The host '%s' is not listed in the configuration file (or is not enabled).", host)
show_warning("The user will not be able to log in until this is changed.");
prosody.hosts[host] = startup.make_host(host); --luacheck: ignore 122
end
if not prosodyctl.user_exists { user = user, host = host } then
show_message [[That user does not exist, use prosodyctl adduser to create a new user]]
return 1;
end
local password = read_password();
if not password then return 1; end
local ok, msg = prosodyctl.passwd { user = user, host = host, password = password };
if ok then return 0; end
show_message(error_messages[msg])
return 1;
end
function commands.deluser(arg)
if not arg[1] or arg[1] == "--help" then
show_usage([[deluser JID]], [[Permanently remove the specified user account from Prosody]]);
return 1;
end
local user, host = jid_split(arg[1]);
if not user and host then
show_message [[Failed to understand JID, please supply the JID to the user account you want to delete]]
show_usage [[deluser user@host]]
return 1;
end
if not host then
show_message [[Please specify a JID, including a host. e.g. alice@example.com]];
return 1;
end
if not prosody.hosts[host] then
show_warning("The host '%s' is not listed in the configuration file (or is not enabled).", host)
prosody.hosts[host] = startup.make_host(host); --luacheck: ignore 122
end
if not prosodyctl.user_exists { user = user, host = host } then
show_message [[That user does not exist on this server]]
return 1;
end
local ok, msg = prosodyctl.deluser { user = user, host = host };
if ok then return 0; end
show_message(error_messages[msg])
return 1;
end
local function service_command_warning(service_command)
if prosody.installed and configmanager.get("*", "prosodyctl_service_warnings") ~= false then
show_warning("WARNING: Use of prosodyctl start/stop/restart/reload is not recommended");
show_warning(" if Prosody is managed by an init system - use that directly instead.");
lfs = lfs or require"lfs";
if lfs.attributes("/etc/systemd") then
show_warning(" e.g. systemctl %s prosody", service_command);
elseif lfs.attributes("/etc/init.d/prosody") then
show_warning(" e.g. /etc/init.d/prosody %s", service_command);
end
show_warning("");
end
end
function commands.start(arg)
if arg[1] == "--help" then
show_usage([[start]], [[Start Prosody]]);
return 1;
end
service_command_warning("start");
local ok, ret = prosodyctl.isrunning();
if not ok then
show_message(error_messages[ret]);
return 1;
end
if ret then
--luacheck: ignore 421/ret
local ok, ret = prosodyctl.getpid();
if not ok then
show_message("Couldn't get running Prosody's PID");
show_message(error_messages[ret]);
return 1;
end
show_message("Prosody is already running with PID %s", ret or "(unknown)");
return 1;
end
--luacheck: ignore 411/ret
local ok, ret = prosodyctl.start(prosody.paths.source);
if ok then
local daemonize = configmanager.get("*", "daemonize");
if daemonize == nil then
daemonize = prosody.installed;
end
if daemonize then
local i=1;
while true do
local ok, running = prosodyctl.isrunning();
if ok and running then
break;
elseif i == 5 then
show_message("Still waiting...");
elseif i >= prosodyctl_timeout then
show_message("Prosody is still not running. Please give it some time or check your log files for errors.");
return 2;
end
socket.sleep(0.5);
i = i + 1;
end
show_message("Started");
end
return 0;
end
show_message("Failed to start Prosody");
show_message(error_messages[ret])
return 1;
end
function commands.status(arg)
if arg[1] == "--help" then
show_usage([[status]], [[Reports the running status of Prosody]]);
return 1;
end
local ok, ret = prosodyctl.isrunning();
if not ok then
show_message(error_messages[ret]);
return 1;
end
if ret then
--luacheck: ignore 421/ret
local ok, ret = prosodyctl.getpid();
if not ok then
show_message("Couldn't get running Prosody's PID");
show_message(error_messages[ret]);
return 1;
end
show_message("Prosody is running with PID %s", ret or "(unknown)");
return 0;
else
show_message("Prosody is not running");
if not prosody.switched_user and prosody.current_uid ~= 0 then
print("\nNote:")
print(" You will also see this if prosodyctl is not running under");
print(" the same user account as Prosody. Try running as root (e.g. ");
print(" with 'sudo' in front) to gain access to Prosody's real status.");
end
return 2
end
end
function commands.stop(arg)
if arg[1] == "--help" then
show_usage([[stop]], [[Stop a running Prosody server]]);
return 1;
end
service_command_warning("stop");
if not prosodyctl.isrunning() then
show_message("Prosody is not running");
return 1;
end
local ok, ret = prosodyctl.stop();
if ok then
local i=1;
while true do
local ok, running = prosodyctl.isrunning();
if ok and not running then
break;
elseif i == 5 then
show_message("Still waiting...");
elseif i >= prosodyctl_timeout then
show_message("Prosody is still running. Please give it some time or check your log files for errors.");
return 2;
end
socket.sleep(0.5);
i = i + 1;
end
show_message("Stopped");
return 0;
end
show_message(error_messages[ret]);
return 1;
end
function commands.restart(arg)
if arg[1] == "--help" then
show_usage([[restart]], [[Restart a running Prosody server]]);
return 1;
end
service_command_warning("restart");
commands.stop(arg);
return commands.start(arg);
end
function commands.about(arg)
if arg[1] == "--help" then
show_usage([[about]], [[Show information about this Prosody installation]]);
return 1;
end
local pwd = ".";
local array = require "util.array";
local keys = require "util.iterators".keys;
local hg = require"util.mercurial";
local relpath = configmanager.resolve_relative_path;
print("Prosody "..(prosody.version or "(unknown version)"));
print("");
print("# Prosody directories");
print("Data directory: "..relpath(pwd, prosody.paths.data));
print("Config directory: "..relpath(pwd, prosody.paths.config or "."));
print("Source directory: "..relpath(pwd, prosody.paths.source or "."));
print("Plugin directories:")
print(" "..(prosody.paths.plugins:gsub("([^;]+);?", function(path)
path = configmanager.resolve_relative_path(pwd, path);
local hgid, hgrepo = hg.check_id(path);
if not hgid and hgrepo then
return path.." - "..hgrepo .."!\n ";
end
-- 010452cfaf53 is the first commit in the prosody-modules repository
hgrepo = hgrepo == "010452cfaf53" and "prosody-modules";
return path..(hgid and " - "..(hgrepo or "HG").." rev: "..hgid or "")
.."\n ";
end)));
print("");
print("# Lua environment");
print("Lua version: ", _G._VERSION);
print("");
print("Lua module search paths:");
for path in package.path:gmatch("[^;]+") do
print(" "..path);
end
print("");
print("Lua C module search paths:");
for path in package.cpath:gmatch("[^;]+") do
print(" "..path);
end
print("");
local luarocks_status = "Not installed"
if pcall(require, "luarocks.loader") then
luarocks_status = "Installed (2.x+)";
if package.loaded["luarocks.cfg"] then
luarocks_status = "Installed ("..(package.loaded["luarocks.cfg"].program_version or "2.x+")..")";
end
elseif pcall(require, "luarocks.require") then
luarocks_status = "Installed (1.x)";
end
print("LuaRocks: ", luarocks_status);
print("");
print("# Network");
print("");
print("Backend: "..require "net.server".get_backend());
print("");
print("# Lua module versions");
local module_versions, longest_name = {}, 8;
local luaevent = dependencies.softreq"luaevent";
local lxp = dependencies.softreq"lxp";
dependencies.softreq"ssl";
dependencies.softreq"DBI";
for name, module in pairs(package.loaded) do
if type(module) == "table" and rawget(module, "_VERSION")
and name ~= "_G" and not name:match("%.") then
if #name > longest_name then
longest_name = #name;
end
module_versions[name] = module._VERSION;
end
end
if luaevent then
module_versions["libevent"] = luaevent.core.libevent_version();
end
if lxp then
module_versions["libexpat"] = lxp._EXPAT_VERSION;
end
local sorted_keys = array.collect(keys(module_versions)):sort();
for _, name in ipairs(sorted_keys) do
print(name..":"..string.rep(" ", longest_name-#name), module_versions[name]);
end
print("");
end
function commands.reload(arg)
if arg[1] == "--help" then
show_usage([[reload]], [[Reload Prosody's configuration and re-open log files]]);
return 1;
end
service_command_warning("reload");
if not prosodyctl.isrunning() then
show_message("Prosody is not running");
return 1;
end
local ok, ret = prosodyctl.reload();
if ok then
show_message("Prosody log files re-opened and config file reloaded. You may need to reload modules for some changes to take effect.");
return 0;
end
show_message(error_messages[ret]);
return 1;
end
-- ejabberdctl compatibility
local unpack = table.unpack or unpack; -- luacheck: ignore 113
function commands.register(arg)
local user, host, password = unpack(arg);
if (not (user and host)) or arg[1] == "--help" then
if user ~= "--help" then
if not user then
show_message [[No username specified]]
elseif not host then
show_message [[Please specify which host you want to register the user on]];
end
end
show_usage("register USER HOST [PASSWORD]", "Register a user on the server, with the given password");
return 1;
end
if not password then
password = read_password();
if not password then
show_message [[Unable to register user with no password]];
return 1;
end
end
local ok, msg = prosodyctl.adduser { user = user, host = host, password = password };
if ok then return 0; end
show_message(error_messages[msg])
return 1;
end
function commands.unregister(arg)
local user, host = unpack(arg);
if (not (user and host)) or arg[1] == "--help" then
if user ~= "--help" then
if not user then
show_message [[No username specified]]
elseif not host then
show_message [[Please specify which host you want to unregister the user from]];
end
end
show_usage("unregister USER HOST [PASSWORD]", "Permanently remove a user account from the server");
return 1;
end
local ok, msg = prosodyctl.deluser { user = user, host = host };
if ok then return 0; end
show_message(error_messages[msg])
return 1;
end
local openssl;
local cert_commands = {};
-- If a file already exists, ask if the user wants to use it or replace it
-- Backups the old file if replaced
local function use_existing(filename)
local attrs = lfs.attributes(filename);
if attrs then
if show_yesno(filename .. " exists, do you want to replace it? [y/n]") then
local backup = filename..".bkp~"..os.date("%FT%T", attrs.change);
os.rename(filename, backup);
show_message(filename.." backed up to "..backup);
else
-- Use the existing file
return true;
end
end
end
local have_pposix, pposix = pcall(require, "util.pposix");
local cert_basedir = prosody.paths.data == "." and "./certs" or prosody.paths.data;
if have_pposix and pposix.getuid() == 0 then
-- FIXME should be enough to check if this directory is writable
local cert_dir = configmanager.get("*", "certificates") or "certs";
cert_basedir = configmanager.resolve_relative_path(prosody.paths.config, cert_dir);
end
function cert_commands.config(arg)
if #arg >= 1 and arg[1] ~= "--help" then
local conf_filename = cert_basedir .. "/" .. arg[1] .. ".cnf";
if use_existing(conf_filename) then
return nil, conf_filename;
end
local distinguished_name;
if arg[#arg]:find("^/") then
distinguished_name = table.remove(arg);
end
local conf = openssl.config.new();
conf:from_prosody(prosody.hosts, configmanager, arg);
if distinguished_name then
local dn = {};
for k, v in distinguished_name:gmatch("/([^=/]+)=([^/]+)") do
table.insert(dn, k);
dn[k] = v;
end
conf.distinguished_name = dn;
else
show_message("Please provide details to include in the certificate config file.");
show_message("Leave the field empty to use the default value or '.' to exclude the field.")
for _, k in ipairs(openssl._DN_order) do
local v = conf.distinguished_name[k];
if v then
local nv = nil;
if k == "commonName" then
v = arg[1]
elseif k == "emailAddress" then
v = "xmpp@" .. arg[1];
elseif k == "countryName" then
local tld = arg[1]:match"%.([a-z]+)$";
if tld and #tld == 2 and tld ~= "uk" then
v = tld:upper();
end
end
nv = show_prompt(("%s (%s):"):format(k, nv or v));
nv = (not nv or nv == "") and v or nv;
if nv:find"[\192-\252][\128-\191]+" then
conf.req.string_mask = "utf8only"
end
conf.distinguished_name[k] = nv ~= "." and nv or nil;
end
end
end
local conf_file, err = io.open(conf_filename, "w");
if not conf_file then
show_warning("Could not open OpenSSL config file for writing");
show_warning(err);
os.exit(1);
end
conf_file:write(conf:serialize());
conf_file:close();
print("");
show_message("Config written to " .. conf_filename);
return nil, conf_filename;
else
show_usage("cert config HOSTNAME [HOSTNAME+]", "Builds a certificate config file covering the supplied hostname(s)")
end
end
function cert_commands.key(arg)
if #arg >= 1 and arg[1] ~= "--help" then
local key_filename = cert_basedir .. "/" .. arg[1] .. ".key";
if use_existing(key_filename) then
return nil, key_filename;
end
os.remove(key_filename); -- This file, if it exists is unlikely to have write permissions
local key_size = tonumber(arg[2] or show_prompt("Choose key size (2048):") or 2048);
local old_umask = pposix.umask("0377");
if openssl.genrsa{out=key_filename, key_size} then
os.execute(("chmod 400 '%s'"):format(key_filename));
show_message("Key written to ".. key_filename);
pposix.umask(old_umask);
return nil, key_filename;
end
show_message("There was a problem, see OpenSSL output");
else
show_usage("cert key HOSTNAME <bits>", "Generates a RSA key named HOSTNAME.key\n "
.."Prompts for a key size if none given")
end
end
function cert_commands.request(arg)
if #arg >= 1 and arg[1] ~= "--help" then
local req_filename = cert_basedir .. "/" .. arg[1] .. ".req";
if use_existing(req_filename) then
return nil, req_filename;
end
local _, key_filename = cert_commands.key({arg[1]});
local _, conf_filename = cert_commands.config(arg);
if openssl.req{new=true, key=key_filename, utf8=true, sha256=true, config=conf_filename, out=req_filename} then
show_message("Certificate request written to ".. req_filename);
else
show_message("There was a problem, see OpenSSL output");
end
else
show_usage("cert request HOSTNAME [HOSTNAME+]", "Generates a certificate request for the supplied hostname(s)")
end
end
function cert_commands.generate(arg)
if #arg >= 1 and arg[1] ~= "--help" then
local cert_filename = cert_basedir .. "/" .. arg[1] .. ".crt";
if use_existing(cert_filename) then
return nil, cert_filename;
end
local _, key_filename = cert_commands.key({arg[1]});
local _, conf_filename = cert_commands.config(arg);
if key_filename and conf_filename and cert_filename
and openssl.req{new=true, x509=true, nodes=true, key=key_filename,
days=365, sha256=true, utf8=true, config=conf_filename, out=cert_filename} then
show_message("Certificate written to ".. cert_filename);
print();
else
show_message("There was a problem, see OpenSSL output");
end
else
show_usage("cert generate HOSTNAME [HOSTNAME+]", "Generates a self-signed certificate for the current hostname(s)")
end
end
local function sh_esc(s)
return "'" .. s:gsub("'", "'\\''") .. "'";
end
local function copy(from, to, umask, owner, group)
local old_umask = umask and pposix.umask(umask);
local attrs = lfs.attributes(to);
if attrs then -- Move old file out of the way
local backup = to..".bkp~"..os.date("%FT%T", attrs.change);
os.rename(to, backup);
end
-- FIXME friendlier error handling, maybe move above backup back?
local input = assert(io.open(from));
local output = assert(io.open(to, "w"));
local data = input:read(2^11);
while data and output:write(data) do
data = input:read(2^11);
end
assert(input:close());
assert(output:close());
if not prosody.installed then
-- FIXME this is possibly specific to GNU chown
os.execute(("chown -c --reference=%s %s"):format(sh_esc(cert_basedir), sh_esc(to)));
elseif owner and group then
local ok = os.execute(("chown %s:%s %s"):format(sh_esc(owner), sh_esc(group), sh_esc(to)));
assert(ok == true or ok == 0, "Failed to change ownership of "..to);
end
if old_umask then pposix.umask(old_umask); end
return true;
end
function cert_commands.import(arg)
local hostnames = {};
-- Move hostname arguments out of arg, the rest should be a list of paths
while arg[1] and prosody.hosts[ arg[1] ] do
table.insert(hostnames, table.remove(arg, 1));
end
if hostnames[1] == nil then
local domains = os.getenv"RENEWED_DOMAINS"; -- Set if invoked via certbot
if domains then
for host in domains:gmatch("%S+") do
table.insert(hostnames, host);
end
else
for host in pairs(prosody.hosts) do
if host ~= "*" and configmanager.get(host, "enabled") ~= false then
table.insert(hostnames, host);
end
end
end
end
if not arg[1] or arg[1] == "--help" then -- Probably forgot the path
show_usage("cert import [HOSTNAME+] /path/to/certs [/other/paths/]+",
"Copies certificates to "..cert_basedir);
return 1;
end
local owner, group;
if pposix.getuid() == 0 then -- We need root to change ownership
owner = configmanager.get("*", "prosody_user") or "prosody";
group = configmanager.get("*", "prosody_group") or owner;
end
local cm = require "core.certmanager";
local imported = {};
for _, host in ipairs(hostnames) do
for _, dir in ipairs(arg) do
local paths = cm.find_cert(dir, host);
if paths then
copy(paths.certificate, cert_basedir .. "/" .. host .. ".crt", nil, owner, group);
copy(paths.key, cert_basedir .. "/" .. host .. ".key", "0377", owner, group);
table.insert(imported, host);
else
-- TODO Say where we looked
show_warning("No certificate for host "..host.." found :(");
end
-- TODO Additional checks
-- Certificate names matches the hostname
-- Private key matches public key in certificate
end
end
if imported[1] then
show_message("Imported certificate and key for hosts "..table.concat(imported, ", "));
local ok, err = prosodyctl.reload();
if not ok and err ~= "not-running" then
show_message(error_messages[err]);
end
else
show_warning("No certificates imported :(");
return 1;
end
end
function commands.cert(arg)
if #arg >= 1 and arg[1] ~= "--help" then
openssl = require "util.openssl";
lfs = require "lfs";
local cert_dir_attrs = lfs.attributes(cert_basedir);
if not cert_dir_attrs then
show_warning("The directory "..cert_basedir.." does not exist");
return 1; -- TODO Should we create it?
end
local uid = pposix.getuid();
if uid ~= 0 and uid ~= cert_dir_attrs.uid then
show_warning("The directory "..cert_basedir.." is not owned by the current user, won't be able to write files to it");
return 1;
elseif not cert_dir_attrs.permissions then -- COMPAT with LuaFilesystem < 1.6.2 (hey CentOS!)
show_message("Unable to check permissions on "..cert_basedir.." (LuaFilesystem 1.6.2+ required)");
show_message("Please confirm that Prosody (and only Prosody) can write to this directory)");
elseif cert_dir_attrs.permissions:match("^%.w..%-..%-.$") then
show_warning("The directory "..cert_basedir.." not only writable by its owner");
return 1;
end
local subcmd = table.remove(arg, 1);
if type(cert_commands[subcmd]) == "function" then
if subcmd ~= "import" then -- hostnames are optional for import
if not arg[1] then
show_message"You need to supply at least one hostname"
arg = { "--help" };
end
if arg[1] ~= "--help" and not prosody.hosts[arg[1]] then
show_message(error_messages["no-such-host"]);
return 1;
end
end
return cert_commands[subcmd](arg);
elseif subcmd == "check" then
return commands.check({"certs"});
end
end
show_usage("cert config|request|generate|key|import", "Helpers for generating X.509 certificates and keys.")
for _, cmd in pairs(cert_commands) do
print()
cmd{ "--help" }
end
end
function commands.check(arg)
if arg[1] == "--help" then
show_usage([[check]], [[Perform basic checks on your Prosody installation]]);
return 1;
end
local what = table.remove(arg, 1);
local set = require "util.set";
local it = require "util.iterators";
local ok = true;
local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end
local function enabled_hosts() return it.filter(disabled_hosts, pairs(configmanager.getconfig())); end
if not (what == nil or what == "disabled" or what == "config" or what == "dns" or what == "certs") then
show_warning("Don't know how to check '%s'. Try one of 'config', 'dns', 'certs' or 'disabled'.", what);
return 1;
end
if not what or what == "disabled" then
local disabled_hosts_set = set.new();
for host, host_options in it.filter("*", pairs(configmanager.getconfig())) do
if host_options.enabled == false then
disabled_hosts_set:add(host);
end
end
if not disabled_hosts_set:empty() then
local msg = "Checks will be skipped for these disabled hosts: %s";
if what then msg = "These hosts are disabled: %s"; end
show_warning(msg, tostring(disabled_hosts_set));
if what then return 0; end
print""
end
end
if not what or what == "config" then
print("Checking config...");
local deprecated = set.new({
"bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login", "require_encryption",
"vcard_compatibility",
});
local known_global_options = set.new({
"pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize",
"umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings",
"network_backend", "http_default_host", "gc", "limits",
"statistics_interval", "statistics", "statistics_config",
});
local config = configmanager.getconfig();
-- Check that we have any global options (caused by putting a host at the top)
if it.count(it.filter("log", pairs(config["*"]))) == 0 then
ok = false;
print("");
print(" No global options defined. Perhaps you have put a host definition at the top")
print(" of the config file? They should be at the bottom, see https://prosody.im/doc/configure#overview");
end
if it.count(enabled_hosts()) == 0 then
ok = false;
print("");
if it.count(it.filter("*", pairs(config))) == 0 then
print(" No hosts are defined, please add at least one VirtualHost section")
elseif config["*"]["enabled"] == false then
print(" No hosts are enabled. Remove enabled = false from the global section or put enabled = true under at least one VirtualHost section")
else
print(" All hosts are disabled. Remove enabled = false from at least one VirtualHost section")
end
end
if not config["*"].modules_enabled then
print(" No global modules_enabled is set?");
local suggested_global_modules;
for host, options in enabled_hosts() do --luacheck: ignore 213/host
if not options.component_module and options.modules_enabled then
suggested_global_modules = set.intersection(suggested_global_modules or set.new(options.modules_enabled), set.new(options.modules_enabled));
end
end
if suggested_global_modules and not suggested_global_modules:empty() then
print(" Consider moving these modules into modules_enabled in the global section:")
print(" "..tostring(suggested_global_modules / function (x) return ("%q"):format(x) end));
end
print();
end
do -- Check for modules enabled both normally and as components
local modules = set.new(config["*"]["modules_enabled"]);
for host, options in enabled_hosts() do
local component_module = options.component_module;
if component_module and modules:contains(component_module) then
print((" mod_%s is enabled both in modules_enabled and as Component %q %q"):format(component_module, host, component_module));
print(" This means the service is enabled on all VirtualHosts as well as the Component.");
print(" Are you sure this what you want? It may cause unexpected behaviour.");
end
end
end
-- Check for global options under hosts
local global_options = set.new(it.to_array(it.keys(config["*"])));
local deprecated_global_options = set.intersection(global_options, deprecated);
if not deprecated_global_options:empty() then
print("");
print(" You have some deprecated options in the global section:");
print(" "..tostring(deprecated_global_options))
ok = false;
end
for host, options in it.filter(function (h) return h ~= "*" end, pairs(configmanager.getconfig())) do
local host_options = set.new(it.to_array(it.keys(options)));
local misplaced_options = set.intersection(host_options, known_global_options);
for name in pairs(options) do
if name:match("^interfaces?")
or name:match("_ports?$") or name:match("_interfaces?$")
or (name:match("_ssl$") and not name:match("^[cs]2s_ssl$")) then
misplaced_options:add(name);
end
end
if not misplaced_options:empty() then
ok = false;
print("");
local n = it.count(misplaced_options);
print(" You have "..n.." option"..(n>1 and "s " or " ").."set under "..host.." that should be");
print(" in the global section of the config file, above any VirtualHost or Component definitions,")
print(" see https://prosody.im/doc/configure#overview for more information.")
print("");
print(" You need to move the following option"..(n>1 and "s" or "")..": "..table.concat(it.to_array(misplaced_options), ", "));
end
end
for host, options in enabled_hosts() do
local host_options = set.new(it.to_array(it.keys(options)));
local subdomain = host:match("^[^.]+");
if not(host_options:contains("component_module")) and (subdomain == "jabber" or subdomain == "xmpp"
or subdomain == "chat" or subdomain == "im") then
print("");
print(" Suggestion: If "..host.. " is a new host with no real users yet, consider renaming it now to");
print(" "..host:gsub("^[^.]+%.", "")..". You can use SRV records to redirect XMPP clients and servers to "..host..".");
print(" For more information see: https://prosody.im/doc/dns");
end
end
local all_modules = set.new(config["*"].modules_enabled);
local all_options = set.new(it.to_array(it.keys(config["*"])));
for host in enabled_hosts() do
all_options:include(set.new(it.to_array(it.keys(config[host]))));
all_modules:include(set.new(config[host].modules_enabled));
end
for mod in all_modules do
if mod:match("^mod_") then
print("");
print(" Modules in modules_enabled should not have the 'mod_' prefix included.");
print(" Change '"..mod.."' to '"..mod:match("^mod_(.*)").."'.");
elseif mod:match("^auth_") then
print("");
print(" Authentication modules should not be added to modules_enabled,");
print(" but be specified in the 'authentication' option.");
print(" Remove '"..mod.."' from modules_enabled and instead add");
print(" authentication = '"..mod:match("^auth_(.*)").."'");
print(" For more information see https://prosody.im/doc/authentication");
elseif mod:match("^storage_") then
print("");
print(" storage modules should not be added to modules_enabled,");
print(" but be specified in the 'storage' option.");
print(" Remove '"..mod.."' from modules_enabled and instead add");
print(" storage = '"..mod:match("^storage_(.*)").."'");
print(" For more information see https://prosody.im/doc/storage");
end
end
if all_modules:contains("vcard") and all_modules:contains("vcard_legacy") then
print("");
print(" Both mod_vcard_legacy and mod_vcard are enabled but they conflict");
print(" with each other. Remove one.");
end
if all_modules:contains("pep") and all_modules:contains("pep_simple") then
print("");
print(" Both mod_pep_simple and mod_pep are enabled but they conflict");
print(" with each other. Remove one.");
end
for host, host_config in pairs(config) do --luacheck: ignore 213/host
if type(rawget(host_config, "storage")) == "string" and rawget(host_config, "default_storage") then
print("");
print(" The 'default_storage' option is not needed if 'storage' is set to a string.");
break;
end
end
local require_encryption = set.intersection(all_options, set.new({
"require_encryption", "c2s_require_encryption", "s2s_require_encryption"
})):empty();
local ssl = dependencies.softreq"ssl";
if not ssl then
if not require_encryption then
print("");
print(" You require encryption but LuaSec is not available.");
print(" Connections will fail.");
ok = false;
end
elseif not ssl.loadcertificate then
if all_options:contains("s2s_secure_auth") then
print("");
print(" You have set s2s_secure_auth but your version of LuaSec does ");
print(" not support certificate validation, so all s2s connections will");
print(" fail.");
ok = false;
elseif all_options:contains("s2s_secure_domains") then
local secure_domains = set.new();
for host in enabled_hosts() do
if config[host].s2s_secure_auth == true then
secure_domains:add("*");
else
secure_domains:include(set.new(config[host].s2s_secure_domains));
end
end
if not secure_domains:empty() then
print("");
print(" You have set s2s_secure_domains but your version of LuaSec does ");
print(" not support certificate validation, so s2s connections to/from ");
print(" these domains will fail.");
ok = false;
end
end
elseif require_encryption and not all_modules:contains("tls") then
print("");
print(" You require encryption but mod_tls is not enabled.");
print(" Connections will fail.");
ok = false;
end
print("Done.\n");
end
if not what or what == "dns" then
local dns = require "net.dns";
local idna = require "util.encodings".idna;
local ip = require "util.ip";
local c2s_ports = set.new(configmanager.get("*", "c2s_ports") or {5222});
local s2s_ports = set.new(configmanager.get("*", "s2s_ports") or {5269});
local c2s_srv_required, s2s_srv_required;
if not c2s_ports:contains(5222) then
c2s_srv_required = true;
end
if not s2s_ports:contains(5269) then
s2s_srv_required = true;
end
local problem_hosts = set.new();
local external_addresses, internal_addresses = set.new(), set.new();
local fqdn = socket.dns.tohostname(socket.dns.gethostname());
if fqdn then
do
local res = dns.lookup(idna.to_ascii(fqdn), "A");
if res then
for _, record in ipairs(res) do
external_addresses:add(record.a);
end
end
end
do
local res = dns.lookup(idna.to_ascii(fqdn), "AAAA");
if res then
for _, record in ipairs(res) do
external_addresses:add(record.aaaa);
end
end
end
end
local local_addresses = require"util.net".local_addresses() or {};
for addr in it.values(local_addresses) do
if not ip.new_ip(addr).private then
external_addresses:add(addr);
else
internal_addresses:add(addr);
end
end
if external_addresses:empty() then
print("");
print(" Failed to determine the external addresses of this server. Checks may be inaccurate.");
c2s_srv_required, s2s_srv_required = true, true;
end
local v6_supported = not not socket.tcp6;
for jid, host_options in enabled_hosts() do
local all_targets_ok, some_targets_ok = true, false;
local node, host = jid_split(jid);
local modules, component_module = modulemanager.get_modules_for_host(host);
if component_module then
modules:add(component_module);
end
local is_component = not not host_options.component_module;
print("Checking DNS for "..(is_component and "component" or "host").." "..jid.."...");
if node then
print("Only the domain part ("..host..") is used in DNS.")
end
local target_hosts = set.new();
if modules:contains("c2s") then
local res = dns.lookup("_xmpp-client._tcp."..idna.to_ascii(host)..".", "SRV");
if res then
for _, record in ipairs(res) do
target_hosts:add(record.srv.target);
if not c2s_ports:contains(record.srv.port) then
print(" SRV target "..record.srv.target.." contains unknown client port: "..record.srv.port);
end
end
else
if c2s_srv_required then
print(" No _xmpp-client SRV record found for "..host..", but it looks like you need one.");
all_targets_ok = false;
else
target_hosts:add(host);
end
end
end
if modules:contains("s2s") then
local res = dns.lookup("_xmpp-server._tcp."..idna.to_ascii(host)..".", "SRV");
if res then
for _, record in ipairs(res) do
target_hosts:add(record.srv.target);
if not s2s_ports:contains(record.srv.port) then
print(" SRV target "..record.srv.target.." contains unknown server port: "..record.srv.port);
end
end
else
if s2s_srv_required then
print(" No _xmpp-server SRV record found for "..host..", but it looks like you need one.");
all_targets_ok = false;
else
target_hosts:add(host);
end
end
end
if target_hosts:empty() then
target_hosts:add(host);
end
if target_hosts:contains("localhost") then
print(" Target 'localhost' cannot be accessed from other servers");
target_hosts:remove("localhost");
end
if modules:contains("proxy65") then
local proxy65_target = configmanager.get(host, "proxy65_address") or host;
if type(proxy65_target) == "string" then
local A, AAAA = dns.lookup(idna.to_ascii(proxy65_target), "A"), dns.lookup(idna.to_ascii(proxy65_target), "AAAA");
local prob = {};
if not A then
table.insert(prob, "A");
end
if v6_supported and not AAAA then
table.insert(prob, "AAAA");
end
if #prob > 0 then
print(" File transfer proxy "..proxy65_target.." has no "..table.concat(prob, "/")
.." record. Create one or set 'proxy65_address' to the correct host/IP.");
end
else
print(" proxy65_address for "..host.." should be set to a string, unable to perform DNS check");
end
end
for target_host in target_hosts do
local host_ok_v4, host_ok_v6;
do
local res = dns.lookup(idna.to_ascii(target_host), "A");
if res then
for _, record in ipairs(res) do
if external_addresses:contains(record.a) then
some_targets_ok = true;
host_ok_v4 = true;
elseif internal_addresses:contains(record.a) then
host_ok_v4 = true;
some_targets_ok = true;
print(" "..target_host.." A record points to internal address, external connections might fail");
else
print(" "..target_host.." A record points to unknown address "..record.a);
all_targets_ok = false;
end
end
end
end
do
local res = dns.lookup(idna.to_ascii(target_host), "AAAA");
if res then
for _, record in ipairs(res) do
if external_addresses:contains(record.aaaa) then
some_targets_ok = true;
host_ok_v6 = true;
elseif internal_addresses:contains(record.aaaa) then
host_ok_v6 = true;
some_targets_ok = true;
print(" "..target_host.." AAAA record points to internal address, external connections might fail");
else
print(" "..target_host.." AAAA record points to unknown address "..record.aaaa);
all_targets_ok = false;
end
end
end
end
local bad_protos = {}
if not host_ok_v4 then
table.insert(bad_protos, "IPv4");
end
if not host_ok_v6 then
table.insert(bad_protos, "IPv6");
end
if #bad_protos > 0 then
print(" Host "..target_host.." does not seem to resolve to this server ("..table.concat(bad_protos, "/")..")");
end
if host_ok_v6 and not v6_supported then
print(" Host "..target_host.." has AAAA records, but your version of LuaSocket does not support IPv6.");
print(" Please see https://prosody.im/doc/ipv6 for more information.");
end
end
if not all_targets_ok then
print(" "..(some_targets_ok and "Only some" or "No").." targets for "..host.." appear to resolve to this server.");
if is_component then
print(" DNS records are necessary if you want users on other servers to access this component.");
end
problem_hosts:add(host);
end
print("");
end
if not problem_hosts:empty() then
print("");
print("For more information about DNS configuration please see https://prosody.im/doc/dns");
print("");
ok = false;
end
end
if not what or what == "certs" then
local cert_ok;
print"Checking certificates..."
local x509_verify_identity = require"util.x509".verify_identity;
local create_context = require "core.certmanager".create_context;
local ssl = dependencies.softreq"ssl";
-- local datetime_parse = require"util.datetime".parse_x509;
local load_cert = ssl and ssl.loadcertificate;
-- or ssl.cert_from_pem
if not ssl then
print("LuaSec not available, can't perform certificate checks")
if what == "certs" then cert_ok = false end
elseif not load_cert then
print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking");
cert_ok = false
else
local function skip_bare_jid_hosts(host)
if jid_split(host) then
-- See issue #779
return false;
end
return true;
end
for host in it.filter(skip_bare_jid_hosts, enabled_hosts()) do
print("Checking certificate for "..host);
-- First, let's find out what certificate this host uses.
local host_ssl_config = configmanager.rawget(host, "ssl")
or configmanager.rawget(host:match("%.(.*)"), "ssl");
local global_ssl_config = configmanager.rawget("*", "ssl");
local ok, err, ssl_config = create_context(host, "server", host_ssl_config, global_ssl_config);
if not ok then
print(" Error: "..err);
cert_ok = false
elseif not ssl_config.certificate then
print(" No 'certificate' found for "..host)
cert_ok = false
elseif not ssl_config.key then
print(" No 'key' found for "..host)
cert_ok = false
else
local key, err = io.open(ssl_config.key); -- Permissions check only
if not key then
print(" Could not open "..ssl_config.key..": "..err);
cert_ok = false
else
key:close();
end
local cert_fh, err = io.open(ssl_config.certificate); -- Load the file.
if not cert_fh then
print(" Could not open "..ssl_config.certificate..": "..err);
cert_ok = false
else
print(" Certificate: "..ssl_config.certificate)
local cert = load_cert(cert_fh:read"*a"); cert_fh:close();
if not cert:validat(os.time()) then
print(" Certificate has expired.")
cert_ok = false
elseif not cert:validat(os.time() + 86400) then
print(" Certificate expires within one day.")
cert_ok = false
elseif not cert:validat(os.time() + 86400*7) then
print(" Certificate expires within one week.")
elseif not cert:validat(os.time() + 86400*31) then
print(" Certificate expires within one month.")
end
if configmanager.get(host, "component_module") == nil
and not x509_verify_identity(host, "_xmpp-client", cert) then
print(" Not valid for client connections to "..host..".")
cert_ok = false
end
if (not (configmanager.get(host, "anonymous_login")
or configmanager.get(host, "authentication") == "anonymous"))
and not x509_verify_identity(host, "_xmpp-server", cert) then
print(" Not valid for server-to-server connections to "..host..".")
cert_ok = false
end
end
end
end
end
if cert_ok == false then
print("")
print("For more information about certificates please see https://prosody.im/doc/certificates");
ok = false
end
print("")
end
if not ok then
print("Problems found, see above.");
else
print("All checks passed, congratulations!");
end
return ok and 0 or 2;
end
---------------------
local async = require "util.async";
local server = require "net.server";
local watchers = {
error = function (_, err)
error(err);
end;
waiting = function ()
server.loop();
end;
};
local command_runner = async.runner(function ()
if command and command:match("^mod_") then -- Is a command in a module
local module_name = command:match("^mod_(.+)");
do
local ret, err = modulemanager.load("*", module_name);
if not ret then
show_message("Failed to load module '"..module_name.."': "..err);
os.exit(1);
end
end
table.remove(arg, 1);
local module = modulemanager.get_module("*", module_name);
if not module then
show_message("Failed to load module '"..module_name.."': Unknown error");
os.exit(1);
end
if not modulemanager.module_has_method(module, "command") then
show_message("Fail: mod_"..module_name.." does not support any commands");
os.exit(1);
end
local ok, ret = modulemanager.call_module_method(module, "command", arg);
if ok then
if type(ret) == "number" then
os.exit(ret);
elseif type(ret) == "string" then
show_message(ret);
end
os.exit(0); -- :)
else
show_message("Failed to execute command: "..error_messages[ret]);
os.exit(1); -- :(
end
end
if not commands[command] then -- Show help for all commands
function show_usage(usage, desc)
print(" "..usage);
print(" "..desc);
end
print("prosodyctl - Manage a Prosody server");
print("");
print("Usage: "..arg[0].." COMMAND [OPTIONS]");
print("");
print("Where COMMAND may be one of:\n");
local hidden_commands = require "util.set".new{ "register", "unregister", "addplugin" };
local commands_order = { "adduser", "passwd", "deluser", "start", "stop", "restart", "reload", "about" };
local done = {};
for _, command_name in ipairs(commands_order) do
local command_func = commands[command_name];
if command_func then
command_func{ "--help" };
print""
done[command_name] = true;
end
end
for command_name, command_func in pairs(commands) do
if not done[command_name] and not hidden_commands:contains(command_name) then
command_func{ "--help" };
print""
done[command_name] = true;
end
end
os.exit(0);
end
os.exit(commands[command]({ select(2, unpack(arg)) }));
end, watchers);
command_runner:run(true);