Mercurial > prosody-modules
annotate mod_s2s_auth_samecert/mod_s2s_auth_samecert.lua @ 5536:96dec7681af8
mod_firewall: Update user marks to store instantly via map store
The original approach was to keep marks in memory only, and persist them at
shutdown. That saves I/O, at the cost of potentially losing marks on an
unclean shutdown.
This change persists marks instantly, which may have some performance overhead
but should be more "correct".
It also splits the marking/unmarking into an event which may be watched or
even fired by other modules.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 08 Jun 2023 16:20:42 +0100 |
| parents | c9397cd5cfe6 |
| children |
| rev | line source |
|---|---|
|
2204
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 module:set_global() |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 local hosts = prosody.hosts; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
5 module:hook("s2s-check-certificate", function(event) |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 local session, cert = event.session, event.cert; |
|
4675
c9397cd5cfe6
mod_s2s_auth_samecert: Handle lack of provided client certificate
Kim Alvefur <zash@zash.se>
parents:
2234
diff
changeset
|
7 if not cert or session.direction ~= "incoming" then return end |
|
c9397cd5cfe6
mod_s2s_auth_samecert: Handle lack of provided client certificate
Kim Alvefur <zash@zash.se>
parents:
2234
diff
changeset
|
8 |
|
2204
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 local outgoing = hosts[session.to_host].s2sout[session.from_host]; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 if outgoing and outgoing.type == "s2sout" and outgoing.secure and outgoing.conn:socket():getpeercertificate():pem() == cert:pem() then |
|
2234
3024116d6093
mod_s2s_auth_samecert: Log which s2sout has a matching cert
Kim Alvefur <zash@zash.se>
parents:
2204
diff
changeset
|
11 session.log("debug", "Certificate matches that of s2sout%s", tostring(outgoing):match("[a-f0-9]+$")); |
|
2204
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 session.cert_identity_status = outgoing.cert_identity_status; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 session.cert_chain_status = outgoing.cert_chain_status; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 return true; |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 end |
|
affccf479f89
mod_s2s_auth_samecert: Authenticate incoming s2s connection if certificate matches that of an established outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 end, 1000); |
