Mercurial > prosody-modules
comparison mod_client_certs/mod_client_certs.lua @ 3267:4b43b317e8f5
mod_client_certs: Simplify iq handling by hooking on iq-get/ and iq-set/ instead of iq/.
| author | Emmanuel Gil Peyrot <linkmauve@linkmauve.fr> |
|---|---|
| date | Fri, 24 Aug 2018 20:49:54 +0200 |
| parents | bdf1de953fd9 |
| children | 5f2eeebcf899 |
comparison
equal
deleted
inserted
replaced
| 3266:ebd78514bbec | 3267:4b43b317e8f5 |
|---|---|
| 107 | 107 |
| 108 dm_store(username, module.host, dm_table, certs); | 108 dm_store(username, module.host, dm_table, certs); |
| 109 return info; | 109 return info; |
| 110 end | 110 end |
| 111 | 111 |
| 112 module:hook("iq/self/"..xmlns_saslcert..":items", function(event) | 112 module:hook("iq-get/self/"..xmlns_saslcert..":items", function(event) |
| 113 local origin, stanza = event.origin, event.stanza; | 113 local origin, stanza = event.origin, event.stanza; |
| 114 if stanza.attr.type == "get" then | 114 module:log("debug", "%s requested items", origin.full_jid); |
| 115 module:log("debug", "%s requested items", origin.full_jid); | 115 |
| 116 | 116 local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert }); |
| 117 local reply = st.reply(stanza):tag("items", { xmlns = xmlns_saslcert }); | 117 local certs = dm_load(origin.username, module.host, dm_table) or {}; |
| 118 local certs = dm_load(origin.username, module.host, dm_table) or {}; | 118 |
| 119 | 119 for digest,info in pairs(certs) do |
| 120 for digest,info in pairs(certs) do | 120 reply:tag("item") |
| 121 reply:tag("item") | 121 :tag("name"):text(info.name):up() |
| 122 :tag("name"):text(info.name):up() | 122 :tag("x509cert"):text(info.x509cert):up() |
| 123 :tag("x509cert"):text(info.x509cert):up() | 123 :up(); |
| 124 :up(); | 124 end |
| 125 end | 125 |
| 126 | 126 origin.send(reply); |
| 127 origin.send(reply); | 127 return true |
| 128 end); | |
| 129 | |
| 130 module:hook("iq-set/self/"..xmlns_saslcert..":append", function(event) | |
| 131 local origin, stanza = event.origin, event.stanza; | |
| 132 local append = stanza:get_child("append", xmlns_saslcert); | |
| 133 local name = append:get_child_text("name", xmlns_saslcert); | |
| 134 local x509cert = append:get_child_text("x509cert", xmlns_saslcert); | |
| 135 | |
| 136 if not x509cert or not name then | |
| 137 origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify? | |
| 128 return true | 138 return true |
| 129 end | 139 end |
| 130 end); | 140 |
| 131 | 141 local can_manage = append:get_child("no-cert-management", xmlns_saslcert) ~= nil; |
| 132 module:hook("iq/self/"..xmlns_saslcert..":append", function(event) | 142 x509cert = x509cert:gsub("^%s*(.-)%s*$", "%1"); |
| 133 local origin, stanza = event.origin, event.stanza; | 143 |
| 134 if stanza.attr.type == "set" then | 144 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert))); |
| 135 | 145 |
| 136 local append = stanza:get_child("append", xmlns_saslcert); | 146 if not cert then |
| 137 local name = append:get_child_text("name", xmlns_saslcert); | 147 origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate")); |
| 138 local x509cert = append:get_child_text("x509cert", xmlns_saslcert); | 148 return true; |
| 139 | 149 end |
| 140 if not x509cert or not name then | 150 |
| 141 origin.send(st.error_reply(stanza, "cancel", "bad-request", "Missing fields.")); -- cancel? not modify? | 151 local ok, err = enable_cert(origin.username, cert, { |
| 142 return true | 152 name = name, |
| 143 end | 153 x509cert = x509cert, |
| 144 | 154 no_cert_management = can_manage, |
| 145 local can_manage = append:get_child("no-cert-management", xmlns_saslcert) ~= nil; | 155 }); |
| 146 x509cert = x509cert:gsub("^%s*(.-)%s*$", "%1"); | 156 |
| 147 | 157 if not ok then |
| 148 local cert = ssl_x509.load(util_x509.der2pem(base64.decode(x509cert))); | 158 origin.send(st.error_reply(stanza, "cancel", "bad-request", err)); |
| 149 | 159 return true -- REJECT?! |
| 150 if not cert then | 160 end |
| 151 origin.send(st.error_reply(stanza, "modify", "not-acceptable", "Could not parse X.509 certificate")); | 161 |
| 152 return true; | 162 module:log("debug", "%s added certificate named %s", origin.full_jid, name); |
| 153 end | 163 |
| 154 | 164 origin.send(st.reply(stanza)); |
| 155 local ok, err = enable_cert(origin.username, cert, { | 165 |
| 156 name = name, | 166 return true |
| 157 x509cert = x509cert, | |
| 158 no_cert_management = can_manage, | |
| 159 }); | |
| 160 | |
| 161 if not ok then | |
| 162 origin.send(st.error_reply(stanza, "cancel", "bad-request", err)); | |
| 163 return true -- REJECT?! | |
| 164 end | |
| 165 | |
| 166 module:log("debug", "%s added certificate named %s", origin.full_jid, name); | |
| 167 | |
| 168 origin.send(st.reply(stanza)); | |
| 169 | |
| 170 return true | |
| 171 end | |
| 172 end); | 167 end); |
| 173 | 168 |
| 174 | 169 |
| 175 local function handle_disable(event) | 170 local function handle_disable(event) |
| 176 local origin, stanza = event.origin, event.stanza; | 171 local origin, stanza = event.origin, event.stanza; |
| 177 if stanza.attr.type == "set" then | 172 local disable = stanza.tags[1]; |
| 178 local disable = stanza.tags[1]; | 173 module:log("debug", "%s disabled a certificate", origin.full_jid); |
| 179 module:log("debug", "%s disabled a certificate", origin.full_jid); | 174 |
| 180 | 175 local name = disable:get_child_text("name"); |
| 181 local name = disable:get_child_text("name"); | 176 |
| 182 | 177 if not name then |
| 183 if not name then | 178 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified.")); |
| 184 origin.send(st.error_reply(stanza, "cancel", "bad-request", "No key specified.")); | |
| 185 return true | |
| 186 end | |
| 187 | |
| 188 disable_cert(origin.username, name, disable.name == "revoke"); | |
| 189 | |
| 190 origin.send(st.reply(stanza)); | |
| 191 | |
| 192 return true | 179 return true |
| 193 end | 180 end |
| 194 end | 181 |
| 195 | 182 disable_cert(origin.username, name, disable.name == "revoke"); |
| 196 module:hook("iq/self/"..xmlns_saslcert..":disable", handle_disable); | 183 |
| 197 module:hook("iq/self/"..xmlns_saslcert..":revoke", handle_disable); | 184 origin.send(st.reply(stanza)); |
| 185 | |
| 186 return true | |
| 187 end | |
| 188 | |
| 189 module:hook("iq-set/self/"..xmlns_saslcert..":disable", handle_disable); | |
| 190 module:hook("iq-set/self/"..xmlns_saslcert..":revoke", handle_disable); | |
| 198 | 191 |
| 199 -- Ad-hoc command | 192 -- Ad-hoc command |
| 200 local adhoc_new = module:require "adhoc".new; | 193 local adhoc_new = module:require "adhoc".new; |
| 201 local dataforms_new = require "util.dataforms".new; | 194 local dataforms_new = require "util.dataforms".new; |
| 202 | 195 |
