aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatthew Wild <mwild1@gmail.com>2020-06-02 08:01:21 +0100
committerMatthew Wild <mwild1@gmail.com>2020-06-02 08:01:21 +0100
commit46022b09886badc89425865ae1ac02651995f8c8 (patch)
treedbe128d782ec9d5f2ce9b373c6e4834da25429dc
parente2b8325088e588ab4ccc00ce738dad223228114d (diff)
downloadprosody-46022b09886badc89425865ae1ac02651995f8c8.tar.gz
prosody-46022b09886badc89425865ae1ac02651995f8c8.zip
prosodyctl+util.prosodyctl.*: Start breaking up the ever-growing prosodyctl
-rwxr-xr-xprosodyctl836
-rw-r--r--util/prosodyctl.lua109
-rw-r--r--util/prosodyctl/cert.lua293
-rw-r--r--util/prosodyctl/check.lua530
-rw-r--r--util/prosodyctl/shell.lua2
5 files changed, 851 insertions, 919 deletions
diff --git a/prosodyctl b/prosodyctl
index 43ed47c3..3b5291d6 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -49,20 +49,6 @@ startup.prosodyctl();
-----------
-local error_messages = setmetatable({
- ["invalid-username"] = "The given username is invalid in a Jabber ID";
- ["invalid-hostname"] = "The given hostname is invalid";
- ["no-password"] = "No password was supplied";
- ["no-such-user"] = "The given user does not exist on the server";
- ["no-such-host"] = "The given hostname does not exist in the config";
- ["unable-to-save-data"] = "Unable to store, perhaps you don't have permission?";
- ["no-pidfile"] = "There is no 'pidfile' option in the configuration file, see https://prosody.im/doc/prosodyctl#pidfile for help";
- ["invalid-pidfile"] = "The 'pidfile' option in the configuration file is not a string, see https://prosody.im/doc/prosodyctl#pidfile for help";
- ["no-posix"] = "The mod_posix module is not enabled in the Prosody config file, see https://prosody.im/doc/prosodyctl for more info";
- ["no-such-method"] = "This module has no commands";
- ["not-running"] = "Prosody is not running";
- }, { __index = function (_,k) return "Error: "..(tostring(k):gsub("%-", " "):gsub("^.", string.upper)); end });
-
local configmanager = require "core.configmanager";
local modulemanager = require "core.modulemanager"
local prosodyctl = require "util.prosodyctl"
@@ -72,12 +58,13 @@ local lfs = dependencies.softreq "lfs";
-----------------------
+local human_io = require "util.human.io";
+
local show_message, show_warning = prosodyctl.show_message, prosodyctl.show_warning;
local show_usage = prosodyctl.show_usage;
-local show_yesno = prosodyctl.show_yesno;
-local show_prompt = prosodyctl.show_prompt;
-local read_password = prosodyctl.read_password;
+local read_password = human_io.read_password;
local call_luarocks = prosodyctl.call_luarocks;
+local error_messages = prosodyctl.error_messages;
local jid_split = require "util.jid".prepped_split;
@@ -552,814 +539,6 @@ function commands.unregister(arg)
return 1;
end
-local openssl;
-
-local cert_commands = {};
-
--- If a file already exists, ask if the user wants to use it or replace it
--- Backups the old file if replaced
-local function use_existing(filename)
- local attrs = lfs.attributes(filename);
- if attrs then
- if show_yesno(filename .. " exists, do you want to replace it? [y/n]") then
- local backup = filename..".bkp~"..os.date("%FT%T", attrs.change);
- os.rename(filename, backup);
- show_message(filename.." backed up to "..backup);
- else
- -- Use the existing file
- return true;
- end
- end
-end
-
-local have_pposix, pposix = pcall(require, "util.pposix");
-local cert_basedir = prosody.paths.data == "." and "./certs" or prosody.paths.data;
-if have_pposix and pposix.getuid() == 0 then
- -- FIXME should be enough to check if this directory is writable
- local cert_dir = configmanager.get("*", "certificates") or "certs";
- cert_basedir = configmanager.resolve_relative_path(prosody.paths.config, cert_dir);
-end
-
-function cert_commands.config(arg)
- if #arg >= 1 and arg[1] ~= "--help" then
- local conf_filename = cert_basedir .. "/" .. arg[1] .. ".cnf";
- if use_existing(conf_filename) then
- return nil, conf_filename;
- end
- local distinguished_name;
- if arg[#arg]:find("^/") then
- distinguished_name = table.remove(arg);
- end
- local conf = openssl.config.new();
- conf:from_prosody(prosody.hosts, configmanager, arg);
- if distinguished_name then
- local dn = {};
- for k, v in distinguished_name:gmatch("/([^=/]+)=([^/]+)") do
- table.insert(dn, k);
- dn[k] = v;
- end
- conf.distinguished_name = dn;
- else
- show_message("Please provide details to include in the certificate config file.");
- show_message("Leave the field empty to use the default value or '.' to exclude the field.")
- for _, k in ipairs(openssl._DN_order) do
- local v = conf.distinguished_name[k];
- if v then
- local nv = nil;
- if k == "commonName" then
- v = arg[1]
- elseif k == "emailAddress" then
- v = "xmpp@" .. arg[1];
- elseif k == "countryName" then
- local tld = arg[1]:match"%.([a-z]+)$";
- if tld and #tld == 2 and tld ~= "uk" then
- v = tld:upper();
- end
- end
- nv = show_prompt(("%s (%s):"):format(k, nv or v));
- nv = (not nv or nv == "") and v or nv;
- if nv:find"[\192-\252][\128-\191]+" then
- conf.req.string_mask = "utf8only"
- end
- conf.distinguished_name[k] = nv ~= "." and nv or nil;
- end
- end
- end
- local conf_file, err = io.open(conf_filename, "w");
- if not conf_file then
- show_warning("Could not open OpenSSL config file for writing");
- show_warning(err);
- os.exit(1);
- end
- conf_file:write(conf:serialize());
- conf_file:close();
- print("");
- show_message("Config written to " .. conf_filename);
- return nil, conf_filename;
- else
- show_usage("cert config HOSTNAME [HOSTNAME+]", "Builds a certificate config file covering the supplied hostname(s)")
- end
-end
-
-function cert_commands.key(arg)
- if #arg >= 1 and arg[1] ~= "--help" then
- local key_filename = cert_basedir .. "/" .. arg[1] .. ".key";
- if use_existing(key_filename) then
- return nil, key_filename;
- end
- os.remove(key_filename); -- This file, if it exists is unlikely to have write permissions
- local key_size = tonumber(arg[2] or show_prompt("Choose key size (2048):") or 2048);
- local old_umask = pposix.umask("0377");
- if openssl.genrsa{out=key_filename, key_size} then
- os.execute(("chmod 400 '%s'"):format(key_filename));
- show_message("Key written to ".. key_filename);
- pposix.umask(old_umask);
- return nil, key_filename;
- end
- show_message("There was a problem, see OpenSSL output");
- else
- show_usage("cert key HOSTNAME <bits>", "Generates a RSA key named HOSTNAME.key\n "
- .."Prompts for a key size if none given")
- end
-end
-
-function cert_commands.request(arg)
- if #arg >= 1 and arg[1] ~= "--help" then
- local req_filename = cert_basedir .. "/" .. arg[1] .. ".req";
- if use_existing(req_filename) then
- return nil, req_filename;
- end
- local _, key_filename = cert_commands.key({arg[1]});
- local _, conf_filename = cert_commands.config(arg);
- if openssl.req{new=true, key=key_filename, utf8=true, sha256=true, config=conf_filename, out=req_filename} then
- show_message("Certificate request written to ".. req_filename);
- else
- show_message("There was a problem, see OpenSSL output");
- end
- else
- show_usage("cert request HOSTNAME [HOSTNAME+]", "Generates a certificate request for the supplied hostname(s)")
- end
-end
-
-function cert_commands.generate(arg)
- if #arg >= 1 and arg[1] ~= "--help" then
- local cert_filename = cert_basedir .. "/" .. arg[1] .. ".crt";
- if use_existing(cert_filename) then
- return nil, cert_filename;
- end
- local _, key_filename = cert_commands.key({arg[1]});
- local _, conf_filename = cert_commands.config(arg);
- if key_filename and conf_filename and cert_filename
- and openssl.req{new=true, x509=true, nodes=true, key=key_filename,
- days=365, sha256=true, utf8=true, config=conf_filename, out=cert_filename} then
- show_message("Certificate written to ".. cert_filename);
- print();
- else
- show_message("There was a problem, see OpenSSL output");
- end
- else
- show_usage("cert generate HOSTNAME [HOSTNAME+]", "Generates a self-signed certificate for the current hostname(s)")
- end
-end
-
-local function sh_esc(s)
- return "'" .. s:gsub("'", "'\\''") .. "'";
-end
-
-local function copy(from, to, umask, owner, group)
- local old_umask = umask and pposix.umask(umask);
- local attrs = lfs.attributes(to);
- if attrs then -- Move old file out of the way
- local backup = to..".bkp~"..os.date("%FT%T", attrs.change);
- os.rename(to, backup);
- end
- -- FIXME friendlier error handling, maybe move above backup back?
- local input = assert(io.open(from));
- local output = assert(io.open(to, "w"));
- local data = input:read(2^11);
- while data and output:write(data) do
- data = input:read(2^11);
- end
- assert(input:close());
- assert(output:close());
- if not prosody.installed then
- -- FIXME this is possibly specific to GNU chown
- os.execute(("chown -c --reference=%s %s"):format(sh_esc(cert_basedir), sh_esc(to)));
- elseif owner and group then
- local ok = os.execute(("chown %s:%s %s"):format(sh_esc(owner), sh_esc(group), sh_esc(to)));
- assert(ok == true or ok == 0, "Failed to change ownership of "..to);
- end
- if old_umask then pposix.umask(old_umask); end
- return true;
-end
-
-function cert_commands.import(arg)
- local hostnames = {};
- -- Move hostname arguments out of arg, the rest should be a list of paths
- while arg[1] and prosody.hosts[ arg[1] ] do
- table.insert(hostnames, table.remove(arg, 1));
- end
- if hostnames[1] == nil then
- local domains = os.getenv"RENEWED_DOMAINS"; -- Set if invoked via certbot
- if domains then
- for host in domains:gmatch("%S+") do
- table.insert(hostnames, host);
- end
- else
- for host in pairs(prosody.hosts) do
- if host ~= "*" and configmanager.get(host, "enabled") ~= false then
- table.insert(hostnames, host);
- end
- end
- end
- end
- if not arg[1] or arg[1] == "--help" then -- Probably forgot the path
- show_usage("cert import [HOSTNAME+] /path/to/certs [/other/paths/]+",
- "Copies certificates to "..cert_basedir);
- return 1;
- end
- local owner, group;
- if pposix.getuid() == 0 then -- We need root to change ownership
- owner = configmanager.get("*", "prosody_user") or "prosody";
- group = configmanager.get("*", "prosody_group") or owner;
- end
- local cm = require "core.certmanager";
- local imported = {};
- for _, host in ipairs(hostnames) do
- for _, dir in ipairs(arg) do
- local paths = cm.find_cert(dir, host);
- if paths then
- copy(paths.certificate, cert_basedir .. "/" .. host .. ".crt", nil, owner, group);
- copy(paths.key, cert_basedir .. "/" .. host .. ".key", "0377", owner, group);
- table.insert(imported, host);
- else
- -- TODO Say where we looked
- show_warning("No certificate for host "..host.." found :(");
- end
- -- TODO Additional checks
- -- Certificate names matches the hostname
- -- Private key matches public key in certificate
- end
- end
- if imported[1] then
- show_message("Imported certificate and key for hosts "..table.concat(imported, ", "));
- local ok, err = prosodyctl.reload();
- if not ok and err ~= "not-running" then
- show_message(error_messages[err]);
- end
- else
- show_warning("No certificates imported :(");
- return 1;
- end
-end
-
-function commands.cert(arg)
- if #arg >= 1 and arg[1] ~= "--help" then
- openssl = require "util.openssl";
- lfs = require "lfs";
- local cert_dir_attrs = lfs.attributes(cert_basedir);
- if not cert_dir_attrs then
- show_warning("The directory "..cert_basedir.." does not exist");
- return 1; -- TODO Should we create it?
- end
- local uid = pposix.getuid();
- if uid ~= 0 and uid ~= cert_dir_attrs.uid then
- show_warning("The directory "..cert_basedir.." is not owned by the current user, won't be able to write files to it");
- return 1;
- elseif not cert_dir_attrs.permissions then -- COMPAT with LuaFilesystem < 1.6.2 (hey CentOS!)
- show_message("Unable to check permissions on "..cert_basedir.." (LuaFilesystem 1.6.2+ required)");
- show_message("Please confirm that Prosody (and only Prosody) can write to this directory)");
- elseif cert_dir_attrs.permissions:match("^%.w..%-..%-.$") then
- show_warning("The directory "..cert_basedir.." not only writable by its owner");
- return 1;
- end
- local subcmd = table.remove(arg, 1);
- if type(cert_commands[subcmd]) == "function" then
- if subcmd ~= "import" then -- hostnames are optional for import
- if not arg[1] then
- show_message"You need to supply at least one hostname"
- arg = { "--help" };
- end
- if arg[1] ~= "--help" and not prosody.hosts[arg[1]] then
- show_message(error_messages["no-such-host"]);
- return 1;
- end
- end
- return cert_commands[subcmd](arg);
- elseif subcmd == "check" then
- return commands.check({"certs"});
- end
- end
- show_usage("cert config|request|generate|key|import", "Helpers for generating X.509 certificates and keys.")
- for _, cmd in pairs(cert_commands) do
- print()
- cmd{ "--help" }
- end
-end
-
-function commands.check(arg)
- if arg[1] == "--help" then
- show_usage([[check]], [[Perform basic checks on your Prosody installation]]);
- return 1;
- end
- local what = table.remove(arg, 1);
- local set = require "util.set";
- local it = require "util.iterators";
- local ok = true;
- local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end
- local function enabled_hosts() return it.filter(disabled_hosts, pairs(configmanager.getconfig())); end
- if not (what == nil or what == "disabled" or what == "config" or what == "dns" or what == "certs") then
- show_warning("Don't know how to check '%s'. Try one of 'config', 'dns', 'certs' or 'disabled'.", what);
- return 1;
- end
- if not what or what == "disabled" then
- local disabled_hosts_set = set.new();
- for host, host_options in it.filter("*", pairs(configmanager.getconfig())) do
- if host_options.enabled == false then
- disabled_hosts_set:add(host);
- end
- end
- if not disabled_hosts_set:empty() then
- local msg = "Checks will be skipped for these disabled hosts: %s";
- if what then msg = "These hosts are disabled: %s"; end
- show_warning(msg, tostring(disabled_hosts_set));
- if what then return 0; end
- print""
- end
- end
- if not what or what == "config" then
- print("Checking config...");
- local deprecated = set.new({
- "bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login", "require_encryption",
- "vcard_compatibility", "cross_domain_bosh", "cross_domain_websocket", "daemonize",
- });
- local known_global_options = set.new({
- "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize",
- "umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings",
- "network_backend", "http_default_host",
- "statistics_interval", "statistics", "statistics_config",
- });
- local config = configmanager.getconfig();
- -- Check that we have any global options (caused by putting a host at the top)
- if it.count(it.filter("log", pairs(config["*"]))) == 0 then
- ok = false;
- print("");
- print(" No global options defined. Perhaps you have put a host definition at the top")
- print(" of the config file? They should be at the bottom, see https://prosody.im/doc/configure#overview");
- end
- if it.count(enabled_hosts()) == 0 then
- ok = false;
- print("");
- if it.count(it.filter("*", pairs(config))) == 0 then
- print(" No hosts are defined, please add at least one VirtualHost section")
- elseif config["*"]["enabled"] == false then
- print(" No hosts are enabled. Remove enabled = false from the global section or put enabled = true under at least one VirtualHost section")
- else
- print(" All hosts are disabled. Remove enabled = false from at least one VirtualHost section")
- end
- end
- if not config["*"].modules_enabled then
- print(" No global modules_enabled is set?");
- local suggested_global_modules;
- for host, options in enabled_hosts() do --luacheck: ignore 213/host
- if not options.component_module and options.modules_enabled then
- suggested_global_modules = set.intersection(suggested_global_modules or set.new(options.modules_enabled), set.new(options.modules_enabled));
- end
- end
- if suggested_global_modules and not suggested_global_modules:empty() then
- print(" Consider moving these modules into modules_enabled in the global section:")
- print(" "..tostring(suggested_global_modules / function (x) return ("%q"):format(x) end));
- end
- print();
- end
-
- do -- Check for modules enabled both normally and as components
- local modules = set.new(config["*"]["modules_enabled"]);
- for host, options in enabled_hosts() do
- local component_module = options.component_module;
- if component_module and modules:contains(component_module) then
- print((" mod_%s is enabled both in modules_enabled and as Component %q %q"):format(component_module, host, component_module));
- print(" This means the service is enabled on all VirtualHosts as well as the Component.");
- print(" Are you sure this what you want? It may cause unexpected behaviour.");
- end
- end
- end
-
- -- Check for global options under hosts
- local global_options = set.new(it.to_array(it.keys(config["*"])));
- local deprecated_global_options = set.intersection(global_options, deprecated);
- if not deprecated_global_options:empty() then
- print("");
- print(" You have some deprecated options in the global section:");
- print(" "..tostring(deprecated_global_options))
- ok = false;
- end
- for host, options in it.filter(function (h) return h ~= "*" end, pairs(configmanager.getconfig())) do
- local host_options = set.new(it.to_array(it.keys(options)));
- local misplaced_options = set.intersection(host_options, known_global_options);
- for name in pairs(options) do
- if name:match("^interfaces?")
- or name:match("_ports?$") or name:match("_interfaces?$")
- or (name:match("_ssl$") and not name:match("^[cs]2s_ssl$")) then
- misplaced_options:add(name);
- end
- end
- if not misplaced_options:empty() then
- ok = false;
- print("");
- local n = it.count(misplaced_options);
- print(" You have "..n.." option"..(n>1 and "s " or " ").."set under "..host.." that should be");
- print(" in the global section of the config file, above any VirtualHost or Component definitions,")
- print(" see https://prosody.im/doc/configure#overview for more information.")
- print("");
- print(" You need to move the following option"..(n>1 and "s" or "")..": "..table.concat(it.to_array(misplaced_options), ", "));
- end
- end
- for host, options in enabled_hosts() do
- local host_options = set.new(it.to_array(it.keys(options)));
- local subdomain = host:match("^[^.]+");
- if not(host_options:contains("component_module")) and (subdomain == "jabber" or subdomain == "xmpp"
- or subdomain == "chat" or subdomain == "im") then
- print("");
- print(" Suggestion: If "..host.. " is a new host with no real users yet, consider renaming it now to");
- print(" "..host:gsub("^[^.]+%.", "")..". You can use SRV records to redirect XMPP clients and servers to "..host..".");
- print(" For more information see: https://prosody.im/doc/dns");
- end
- end
- local all_modules = set.new(config["*"].modules_enabled);
- local all_options = set.new(it.to_array(it.keys(config["*"])));
- for host in enabled_hosts() do
- all_options:include(set.new(it.to_array(it.keys(config[host]))));
- all_modules:include(set.new(config[host].modules_enabled));
- end
- for mod in all_modules do
- if mod:match("^mod_") then
- print("");
- print(" Modules in modules_enabled should not have the 'mod_' prefix included.");
- print(" Change '"..mod.."' to '"..mod:match("^mod_(.*)").."'.");
- elseif mod:match("^auth_") then
- print("");
- print(" Authentication modules should not be added to modules_enabled,");
- print(" but be specified in the 'authentication' option.");
- print(" Remove '"..mod.."' from modules_enabled and instead add");
- print(" authentication = '"..mod:match("^auth_(.*)").."'");
- print(" For more information see https://prosody.im/doc/authentication");
- elseif mod:match("^storage_") then
- print("");
- print(" storage modules should not be added to modules_enabled,");
- print(" but be specified in the 'storage' option.");
- print(" Remove '"..mod.."' from modules_enabled and instead add");
- print(" storage = '"..mod:match("^storage_(.*)").."'");
- print(" For more information see https://prosody.im/doc/storage");
- end
- end
- if all_modules:contains("vcard") and all_modules:contains("vcard_legacy") then
- print("");
- print(" Both mod_vcard_legacy and mod_vcard are enabled but they conflict");
- print(" with each other. Remove one.");
- end
- if all_modules:contains("pep") and all_modules:contains("pep_simple") then
- print("");
- print(" Both mod_pep_simple and mod_pep are enabled but they conflict");
- print(" with each other. Remove one.");
- end
- for host, host_config in pairs(config) do --luacheck: ignore 213/host
- if type(rawget(host_config, "storage")) == "string" and rawget(host_config, "default_storage") then
- print("");
- print(" The 'default_storage' option is not needed if 'storage' is set to a string.");
- break;
- end
- end
- local require_encryption = set.intersection(all_options, set.new({
- "require_encryption", "c2s_require_encryption", "s2s_require_encryption"
- })):empty();
- local ssl = dependencies.softreq"ssl";
- if not ssl then
- if not require_encryption then
- print("");
- print(" You require encryption but LuaSec is not available.");
- print(" Connections will fail.");
- ok = false;
- end
- elseif not ssl.loadcertificate then
- if all_options:contains("s2s_secure_auth") then
- print("");
- print(" You have set s2s_secure_auth but your version of LuaSec does ");
- print(" not support certificate validation, so all s2s connections will");
- print(" fail.");
- ok = false;
- elseif all_options:contains("s2s_secure_domains") then
- local secure_domains = set.new();
- for host in enabled_hosts() do
- if config[host].s2s_secure_auth == true then
- secure_domains:add("*");
- else
- secure_domains:include(set.new(config[host].s2s_secure_domains));
- end
- end
- if not secure_domains:empty() then
- print("");
- print(" You have set s2s_secure_domains but your version of LuaSec does ");
- print(" not support certificate validation, so s2s connections to/from ");
- print(" these domains will fail.");
- ok = false;
- end
- end
- elseif require_encryption and not all_modules:contains("tls") then
- print("");
- print(" You require encryption but mod_tls is not enabled.");
- print(" Connections will fail.");
- ok = false;
- end
-
- print("Done.\n");
- end
- if not what or what == "dns" then
- local dns = require "net.dns";
- local idna = require "util.encodings".idna;
- local ip = require "util.ip";
- local c2s_ports = set.new(configmanager.get("*", "c2s_ports") or {5222});
- local s2s_ports = set.new(configmanager.get("*", "s2s_ports") or {5269});
-
- local c2s_srv_required, s2s_srv_required;
- if not c2s_ports:contains(5222) then
- c2s_srv_required = true;
- end
- if not s2s_ports:contains(5269) then
- s2s_srv_required = true;
- end
-
- local problem_hosts = set.new();
-
- local external_addresses, internal_addresses = set.new(), set.new();
-
- local fqdn = socket.dns.tohostname(socket.dns.gethostname());
- if fqdn then
- do
- local res = dns.lookup(idna.to_ascii(fqdn), "A");
- if res then
- for _, record in ipairs(res) do
- external_addresses:add(record.a);
- end
- end
- end
- do
- local res = dns.lookup(idna.to_ascii(fqdn), "AAAA");
- if res then
- for _, record in ipairs(res) do
- external_addresses:add(record.aaaa);
- end
- end
- end
- end
-
- local local_addresses = require"util.net".local_addresses() or {};
-
- for addr in it.values(local_addresses) do
- if not ip.new_ip(addr).private then
- external_addresses:add(addr);
- else
- internal_addresses:add(addr);
- end
- end
-
- if external_addresses:empty() then
- print("");
- print(" Failed to determine the external addresses of this server. Checks may be inaccurate.");
- c2s_srv_required, s2s_srv_required = true, true;
- end
-
- local v6_supported = not not socket.tcp6;
-
- for jid, host_options in enabled_hosts() do
- local all_targets_ok, some_targets_ok = true, false;
- local node, host = jid_split(jid);
-
- local modules, component_module = modulemanager.get_modules_for_host(host);
- if component_module then
- modules:add(component_module);
- end
-
- local is_component = not not host_options.component_module;
- print("Checking DNS for "..(is_component and "component" or "host").." "..jid.."...");
- if node then
- print("Only the domain part ("..host..") is used in DNS.")
- end
- local target_hosts = set.new();
- if modules:contains("c2s") then
- local res = dns.lookup("_xmpp-client._tcp."..idna.to_ascii(host)..".", "SRV");
- if res then
- for _, record in ipairs(res) do
- target_hosts:add(record.srv.target);
- if not c2s_ports:contains(record.srv.port) then
- print(" SRV target "..record.srv.target.." contains unknown client port: "..record.srv.port);
- end
- end
- else
- if c2s_srv_required then
- print(" No _xmpp-client SRV record found for "..host..", but it looks like you need one.");
- all_targets_ok = false;
- else
- target_hosts:add(host);
- end
- end
- end
- if modules:contains("s2s") then
- local res = dns.lookup("_xmpp-server._tcp."..idna.to_ascii(host)..".", "SRV");
- if res then
- for _, record in ipairs(res) do
- target_hosts:add(record.srv.target);
- if not s2s_ports:contains(record.srv.port) then
- print(" SRV target "..record.srv.target.." contains unknown server port: "..record.srv.port);
- end
- end
- else
- if s2s_srv_required then
- print(" No _xmpp-server SRV record found for "..host..", but it looks like you need one.");
- all_targets_ok = false;
- else
- target_hosts:add(host);
- end
- end
- end
- if target_hosts:empty() then
- target_hosts:add(host);
- end
-
- if target_hosts:contains("localhost") then
- print(" Target 'localhost' cannot be accessed from other servers");
- target_hosts:remove("localhost");
- end
-
- if modules:contains("proxy65") then
- local proxy65_target = configmanager.get(host, "proxy65_address") or host;
- if type(proxy65_target) == "string" then
- local A, AAAA = dns.lookup(idna.to_ascii(proxy65_target), "A"), dns.lookup(idna.to_ascii(proxy65_target), "AAAA");
- local prob = {};
- if not A then
- table.insert(prob, "A");
- end
- if v6_supported and not AAAA then
- table.insert(prob, "AAAA");
- end
- if #prob > 0 then
- print(" File transfer proxy "..proxy65_target.." has no "..table.concat(prob, "/")
- .." record. Create one or set 'proxy65_address' to the correct host/IP.");
- end
- else
- print(" proxy65_address for "..host.." should be set to a string, unable to perform DNS check");
- end
- end
-
- for target_host in target_hosts do
- local host_ok_v4, host_ok_v6;
- do
- local res = dns.lookup(idna.to_ascii(target_host), "A");
- if res then
- for _, record in ipairs(res) do
- if external_addresses:contains(record.a) then
- some_targets_ok = true;
- host_ok_v4 = true;
- elseif internal_addresses:contains(record.a) then
- host_ok_v4 = true;
- some_targets_ok = true;
- print(" "..target_host.." A record points to internal address, external connections might fail");
- else
- print(" "..target_host.." A record points to unknown address "..record.a);
- all_targets_ok = false;
- end
- end
- end
- end
- do
- local res = dns.lookup(idna.to_ascii(target_host), "AAAA");
- if res then
- for _, record in ipairs(res) do
- if external_addresses:contains(record.aaaa) then
- some_targets_ok = true;
- host_ok_v6 = true;
- elseif internal_addresses:contains(record.aaaa) then
- host_ok_v6 = true;
- some_targets_ok = true;
- print(" "..target_host.." AAAA record points to internal address, external connections might fail");
- else
- print(" "..target_host.." AAAA record points to unknown address "..record.aaaa);
- all_targets_ok = false;
- end
- end
- end
- end
-
- local bad_protos = {}
- if not host_ok_v4 then
- table.insert(bad_protos, "IPv4");
- end
- if not host_ok_v6 then
- table.insert(bad_protos, "IPv6");
- end
- if #bad_protos > 0 then
- print(" Host "..target_host.." does not seem to resolve to this server ("..table.concat(bad_protos, "/")..")");
- end
- if host_ok_v6 and not v6_supported then
- print(" Host "..target_host.." has AAAA records, but your version of LuaSocket does not support IPv6.");
- print(" Please see https://prosody.im/doc/ipv6 for more information.");
- end
- end
- if not all_targets_ok then
- print(" "..(some_targets_ok and "Only some" or "No").." targets for "..host.." appear to resolve to this server.");
- if is_component then
- print(" DNS records are necessary if you want users on other servers to access this component.");
- end
- problem_hosts:add(host);
- end
- print("");
- end
- if not problem_hosts:empty() then
- print("");
- print("For more information about DNS configuration please see https://prosody.im/doc/dns");
- print("");
- ok = false;
- end
- end
- if not what or what == "certs" then
- local cert_ok;
- print"Checking certificates..."
- local x509_verify_identity = require"util.x509".verify_identity;
- local create_context = require "core.certmanager".create_context;
- local ssl = dependencies.softreq"ssl";
- -- local datetime_parse = require"util.datetime".parse_x509;
- local load_cert = ssl and ssl.loadcertificate;
- -- or ssl.cert_from_pem
- if not ssl then
- print("LuaSec not available, can't perform certificate checks")
- if what == "certs" then cert_ok = false end
- elseif not load_cert then
- print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking");
- cert_ok = false
- else
- local function skip_bare_jid_hosts(host)
- if jid_split(host) then
- -- See issue #779
- return false;
- end
- return true;
- end
- for host in it.filter(skip_bare_jid_hosts, enabled_hosts()) do
- print("Checking certificate for "..host);
- -- First, let's find out what certificate this host uses.
- local host_ssl_config = configmanager.rawget(host, "ssl")
- or configmanager.rawget(host:match("%.(.*)"), "ssl");
- local global_ssl_config = configmanager.rawget("*", "ssl");
- local ok, err, ssl_config = create_context(host, "server", host_ssl_config, global_ssl_config);
- if not ok then
- print(" Error: "..err);
- cert_ok = false
- elseif not ssl_config.certificate then
- print(" No 'certificate' found for "..host)
- cert_ok = false
- elseif not ssl_config.key then
- print(" No 'key' found for "..host)
- cert_ok = false
- else
- local key, err = io.open(ssl_config.key); -- Permissions check only
- if not key then
- print(" Could not open "..ssl_config.key..": "..err);
- cert_ok = false
- else
- key:close();
- end
- local cert_fh, err = io.open(ssl_config.certificate); -- Load the file.
- if not cert_fh then
- print(" Could not open "..ssl_config.certificate..": "..err);
- cert_ok = false
- else
- print(" Certificate: "..ssl_config.certificate)
- local cert = load_cert(cert_fh:read"*a"); cert_fh:close();
- if not cert:validat(os.time()) then
- print(" Certificate has expired.")
- cert_ok = false
- elseif not cert:validat(os.time() + 86400) then
- print(" Certificate expires within one day.")
- cert_ok = false
- elseif not cert:validat(os.time() + 86400*7) then
- print(" Certificate expires within one week.")
- elseif not cert:validat(os.time() + 86400*31) then
- print(" Certificate expires within one month.")
- end
- if configmanager.get(host, "component_module") == nil
- and not x509_verify_identity(host, "_xmpp-client", cert) then
- print(" Not valid for client connections to "..host..".")
- cert_ok = false
- end
- if (not (configmanager.get(host, "anonymous_login")
- or configmanager.get(host, "authentication") == "anonymous"))
- and not x509_verify_identity(host, "_xmpp-server", cert) then
- print(" Not valid for server-to-server connections to "..host..".")
- cert_ok = false
- end
- end
- end
- end
- end
- if cert_ok == false then
- print("")
- print("For more information about certificates please see https://prosody.im/doc/certificates");
- ok = false
- end
- print("")
- end
- if not ok then
- print("Problems found, see above.");
- else
- print("All checks passed, congratulations!");
- end
- return ok and 0 or 2;
-end
-
-function commands.shell(arg)
- require "util.prosodyctl.shell".start(arg);
-end
-
---------------------
local async = require "util.async";
@@ -1408,6 +587,13 @@ local command_runner = async.runner(function ()
end
end
+ if not commands[command] then
+ local ok, command_module = pcall(require, "util.prosodyctl."..command);
+ if ok and command_module[command] then
+ commands[command] = command_module[command];
+ end
+ end
+
if not commands[command] then -- Show help for all commands
function show_usage(usage, desc)
print(" "..usage);
diff --git a/util/prosodyctl.lua b/util/prosodyctl.lua
index ea697ffc..cb86a5a1 100644
--- a/util/prosodyctl.lua
+++ b/util/prosodyctl.lua
@@ -15,7 +15,6 @@ local usermanager = require "core.usermanager";
local signal = require "util.signal";
local set = require "util.set";
local lfs = require "lfs";
-local pcall = pcall;
local type = type;
local nodeprep, nameprep = stringprep.nodeprep, stringprep.nameprep;
@@ -27,10 +26,22 @@ local tonumber = tonumber;
local _G = _G;
local prosody = prosody;
+local error_messages = setmetatable({
+ ["invalid-username"] = "The given username is invalid in a Jabber ID";
+ ["invalid-hostname"] = "The given hostname is invalid";
+ ["no-password"] = "No password was supplied";
+ ["no-such-user"] = "The given user does not exist on the server";
+ ["no-such-host"] = "The given hostname does not exist in the config";
+ ["unable-to-save-data"] = "Unable to store, perhaps you don't have permission?";
+ ["no-pidfile"] = "There is no 'pidfile' option in the configuration file, see https://prosody.im/doc/prosodyctl#pidfile for help";
+ ["invalid-pidfile"] = "The 'pidfile' option in the configuration file is not a string, see https://prosody.im/doc/prosodyctl#pidfile for help";
+ ["no-posix"] = "The mod_posix module is not enabled in the Prosody config file, see https://prosody.im/doc/prosodyctl for more info";
+ ["no-such-method"] = "This module has no commands";
+ ["not-running"] = "Prosody is not running";
+ }, { __index = function (_,k) return "Error: "..(tostring(k):gsub("%-", " "):gsub("^.", string.upper)); end });
+
-- UI helpers
-local function show_message(msg, ...)
- print(msg:format(...));
-end
+local show_message = require "util.human.io".printf;
local function show_usage(usage, desc)
print("Usage: ".._G.arg[0].." "..usage);
@@ -49,89 +60,6 @@ local function show_module_configuration_help(mod_name)
print(" "..mod_name..": https://modules.prosody.im/"..mod_name..".html")
end
-local function getchar(n)
- local stty_ret = os.execute("stty raw -echo 2>/dev/null");
- local ok, char;
- if stty_ret == true or stty_ret == 0 then
- ok, char = pcall(io.read, n or 1);
- os.execute("stty sane");
- else
- ok, char = pcall(io.read, "*l");
- if ok then
- char = char:sub(1, n or 1);
- end
- end
- if ok then
- return char;
- end
-end
-
-local function getline()
- local ok, line = pcall(io.read, "*l");
- if ok then
- return line;
- end
-end
-
-local function getpass()
- local stty_ret, _, status_code = os.execute("stty -echo 2>/dev/null");
- if status_code then -- COMPAT w/ Lua 5.1
- stty_ret = status_code;
- end
- if stty_ret ~= 0 then
- io.write("\027[08m"); -- ANSI 'hidden' text attribute
- end
- local ok, pass = pcall(io.read, "*l");
- if stty_ret == 0 then
- os.execute("stty sane");
- else
- io.write("\027[00m");
- end
- io.write("\n");
- if ok then
- return pass;
- end
-end
-
-local function show_yesno(prompt)
- io.write(prompt, " ");
- local choice = getchar():lower();
- io.write("\n");
- if not choice:match("%a") then
- choice = prompt:match("%[.-(%U).-%]$");
- if not choice then return nil; end
- end
- return (choice == "y");
-end
-
-local function read_password()
- local password;
- while true do
- io.write("Enter new password: ");
- password = getpass();
- if not password then
- show_message("No password - cancelled");
- return;
- end
- io.write("Retype new password: ");
- if getpass() ~= password then
- if not show_yesno [=[Passwords did not match, try again? [Y/n]]=] then
- return;
- end
- else
- break;
- end
- end
- return password;
-end
-
-local function show_prompt(prompt)
- io.write(prompt, " ");
- local line = getline();
- line = line and line:gsub("\n$","");
- return (line and #line > 0) and line or nil;
-end
-
-- Server control
local function adduser(params)
local user, host, password = nodeprep(params.user, true), nameprep(params.host), params.password;
@@ -318,12 +246,6 @@ return {
show_warning = show_message;
show_usage = show_usage;
show_module_configuration_help = show_module_configuration_help;
- getchar = getchar;
- getline = getline;
- getpass = getpass;
- show_yesno = show_yesno;
- read_password = read_password;
- show_prompt = show_prompt;
adduser = adduser;
user_exists = user_exists;
passwd = passwd;
@@ -335,4 +257,5 @@ return {
reload = reload;
get_path_custom_plugins = get_path_custom_plugins;
call_luarocks = call_luarocks;
+ error_messages = error_messages;
};
diff --git a/util/prosodyctl/cert.lua b/util/prosodyctl/cert.lua
new file mode 100644
index 00000000..29e26ed8
--- /dev/null
+++ b/util/prosodyctl/cert.lua
@@ -0,0 +1,293 @@
+local lfs = require "lfs";
+
+local pctl = require "util.prosodyctl";
+local configmanager = require "core.configmanager";
+
+local openssl;
+
+local cert_commands = {};
+
+-- If a file already exists, ask if the user wants to use it or replace it
+-- Backups the old file if replaced
+local function use_existing(filename)
+ local attrs = lfs.attributes(filename);
+ if attrs then
+ if pctl.show_yesno(filename .. " exists, do you want to replace it? [y/n]") then
+ local backup = filename..".bkp~"..os.date("%FT%T", attrs.change);
+ os.rename(filename, backup);
+ pctl.show_message("%s backed up to %s", filename, backup);
+ else
+ -- Use the existing file
+ return true;
+ end
+ end
+end
+
+local have_pposix, pposix = pcall(require, "util.pposix");
+local cert_basedir = prosody.paths.data == "." and "./certs" or prosody.paths.data;
+if have_pposix and pposix.getuid() == 0 then
+ -- FIXME should be enough to check if this directory is writable
+ local cert_dir = configmanager.get("*", "certificates") or "certs";
+ cert_basedir = configmanager.resolve_relative_path(prosody.paths.config, cert_dir);
+end
+
+function cert_commands.config(arg)
+ if #arg >= 1 and arg[1] ~= "--help" then
+ local conf_filename = cert_basedir .. "/" .. arg[1] .. ".cnf";
+ if use_existing(conf_filename) then
+ return nil, conf_filename;
+ end
+ local distinguished_name;
+ if arg[#arg]:find("^/") then
+ distinguished_name = table.remove(arg);
+ end
+ local conf = openssl.config.new();
+ conf:from_prosody(prosody.hosts, configmanager, arg);
+ if distinguished_name then
+ local dn = {};
+ for k, v in distinguished_name:gmatch("/([^=/]+)=([^/]+)") do
+ table.insert(dn, k);
+ dn[k] = v;
+ end
+ conf.distinguished_name = dn;
+ else
+ pctl.show_message("Please provide details to include in the certificate config file.");
+ pctl.show_message("Leave the field empty to use the default value or '.' to exclude the field.")
+ for _, k in ipairs(openssl._DN_order) do
+ local v = conf.distinguished_name[k];
+ if v then
+ local nv = nil;
+ if k == "commonName" then
+ v = arg[1]
+ elseif k == "emailAddress" then
+ v = "xmpp@" .. arg[1];
+ elseif k == "countryName" then
+ local tld = arg[1]:match"%.([a-z]+)$";
+ if tld and #tld == 2 and tld ~= "uk" then
+ v = tld:upper();
+ end
+ end
+ nv = pctl.show_prompt(("%s (%s):"):format(k, nv or v));
+ nv = (not nv or nv == "") and v or nv;
+ if nv:find"[\192-\252][\128-\191]+" then
+ conf.req.string_mask = "utf8only"
+ end
+ conf.distinguished_name[k] = nv ~= "." and nv or nil;
+ end
+ end
+ end
+ local conf_file, err = io.open(conf_filename, "w");
+ if not conf_file then
+ pctl.show_warning("Could not open OpenSSL config file for writing");
+ pctl.show_warning(err);
+ os.exit(1);
+ end
+ conf_file:write(conf:serialize());
+ conf_file:close();
+ print("");
+ pctl.show_message("Config written to %s", conf_filename);
+ return nil, conf_filename;
+ else
+ pctl.show_usage("cert config HOSTNAME [HOSTNAME+]", "Builds a certificate config file covering the supplied hostname(s)")
+ end
+end
+
+function cert_commands.key(arg)
+ if #arg >= 1 and arg[1] ~= "--help" then
+ local key_filename = cert_basedir .. "/" .. arg[1] .. ".key";
+ if use_existing(key_filename) then
+ return nil, key_filename;
+ end
+ os.remove(key_filename); -- This file, if it exists is unlikely to have write permissions
+ local key_size = tonumber(arg[2] or pctl.show_prompt("Choose key size (2048):") or 2048);
+ local old_umask = pposix.umask("0377");
+ if openssl.genrsa{out=key_filename, key_size} then
+ os.execute(("chmod 400 '%s'"):format(key_filename));
+ pctl.show_message("Key written to %s", key_filename);
+ pposix.umask(old_umask);
+ return nil, key_filename;
+ end
+ pctl.show_message("There was a problem, see OpenSSL output");
+ else
+ pctl.show_usage("cert key HOSTNAME <bits>", "Generates a RSA key named HOSTNAME.key\n "
+ .."Prompts for a key size if none given")
+ end
+end
+
+function cert_commands.request(arg)
+ if #arg >= 1 and arg[1] ~= "--help" then
+ local req_filename = cert_basedir .. "/" .. arg[1] .. ".req";
+ if use_existing(req_filename) then
+ return nil, req_filename;
+ end
+ local _, key_filename = cert_commands.key({arg[1]});
+ local _, conf_filename = cert_commands.config(arg);
+ if openssl.req{new=true, key=key_filename, utf8=true, sha256=true, config=conf_filename, out=req_filename} then
+ pctl.show_message("Certificate request written to %s", req_filename);
+ else
+ pctl.show_message("There was a problem, see OpenSSL output");
+ end
+ else
+ pctl.show_usage("cert request HOSTNAME [HOSTNAME+]", "Generates a certificate request for the supplied hostname(s)")
+ end
+end
+
+function cert_commands.generate(arg)
+ if #arg >= 1 and arg[1] ~= "--help" then
+ local cert_filename = cert_basedir .. "/" .. arg[1] .. ".crt";
+ if use_existing(cert_filename) then
+ return nil, cert_filename;
+ end
+ local _, key_filename = cert_commands.key({arg[1]});
+ local _, conf_filename = cert_commands.config(arg);
+ if key_filename and conf_filename and cert_filename
+ and openssl.req{new=true, x509=true, nodes=true, key=key_filename,
+ days=365, sha256=true, utf8=true, config=conf_filename, out=cert_filename} then
+ pctl.show_message("Certificate written to %s", cert_filename);
+ print();
+ else
+ pctl.show_message("There was a problem, see OpenSSL output");
+ end
+ else
+ pctl.show_usage("cert generate HOSTNAME [HOSTNAME+]", "Generates a self-signed certificate for the current hostname(s)")
+ end
+end
+
+local function sh_esc(s)
+ return "'" .. s:gsub("'", "'\\''") .. "'";
+end
+
+local function copy(from, to, umask, owner, group)
+ local old_umask = umask and pposix.umask(umask);
+ local attrs = lfs.attributes(to);
+ if attrs then -- Move old file out of the way
+ local backup = to..".bkp~"..os.date("%FT%T", attrs.change);
+ os.rename(to, backup);
+ end
+ -- FIXME friendlier error handling, maybe move above backup back?
+ local input = assert(io.open(from));
+ local output = assert(io.open(to, "w"));
+ local data = input:read(2^11);
+ while data and output:write(data) do
+ data = input:read(2^11);
+ end
+ assert(input:close());
+ assert(output:close());
+ if not prosody.installed then
+ -- FIXME this is possibly specific to GNU chown
+ os.execute(("chown -c --reference=%s %s"):format(sh_esc(cert_basedir), sh_esc(to)));
+ elseif owner and group then
+ local ok = os.execute(("chown %s:%s %s"):format(sh_esc(owner), sh_esc(group), sh_esc(to)));
+ assert(ok == true or ok == 0, "Failed to change ownership of "..to);
+ end
+ if old_umask then pposix.umask(old_umask); end
+ return true;
+end
+
+function cert_commands.import(arg)
+ local hostnames = {};
+ -- Move hostname arguments out of arg, the rest should be a list of paths
+ while arg[1] and prosody.hosts[ arg[1] ] do
+ table.insert(hostnames, table.remove(arg, 1));
+ end
+ if hostnames[1] == nil then
+ local domains = os.getenv"RENEWED_DOMAINS"; -- Set if invoked via certbot
+ if domains then
+ for host in domains:gmatch("%S+") do
+ table.insert(hostnames, host);
+ end
+ else
+ for host in pairs(prosody.hosts) do
+ if host ~= "*" and configmanager.get(host, "enabled") ~= false then
+ table.insert(hostnames, host);
+ end
+ end
+ end
+ end
+ if not arg[1] or arg[1] == "--help" then -- Probably forgot the path
+ pctl.show_usage("cert import [HOSTNAME+] /path/to/certs [/other/paths/]+",
+ "Copies certificates to "..cert_basedir);
+ return 1;
+ end
+ local owner, group;
+ if pposix.getuid() == 0 then -- We need root to change ownership
+ owner = configmanager.get("*", "prosody_user") or "prosody";
+ group = configmanager.get("*", "prosody_group") or owner;
+ end
+ local cm = require "core.certmanager";
+ local imported = {};
+ for _, host in ipairs(hostnames) do
+ for _, dir in ipairs(arg) do
+ local paths = cm.find_cert(dir, host);
+ if paths then
+ copy(paths.certificate, cert_basedir .. "/" .. host .. ".crt", nil, owner, group);
+ copy(paths.key, cert_basedir .. "/" .. host .. ".key", "0377", owner, group);
+ table.insert(imported, host);
+ else
+ -- TODO Say where we looked
+ pctl.show_warning("No certificate for host "..host.." found :(");
+ end
+ -- TODO Additional checks
+ -- Certificate names matches the hostname
+ -- Private key matches public key in certificate
+ end
+ end
+ if imported[1] then
+ pctl.show_message("Imported certificate and key for hosts %s", table.concat(imported, ", "));
+ local ok, err = pctl.reload();
+ if not ok and err ~= "not-running" then
+ pctl.show_message(pctl.error_messages[err]);
+ end
+ else
+ pctl.show_warning("No certificates imported :(");
+ return 1;
+ end
+end
+
+local function cert(arg)
+ if #arg >= 1 and arg[1] ~= "--help" then
+ openssl = require "util.openssl";
+ lfs = require "lfs";
+ local cert_dir_attrs = lfs.attributes(cert_basedir);
+ if not cert_dir_attrs then
+ pctl.show_warning("The directory "..cert_basedir.." does not exist");
+ return 1; -- TODO Should we create it?
+ end
+ local uid = pposix.getuid();
+ if uid ~= 0 and uid ~= cert_dir_attrs.uid then
+ pctl.show_warning("The directory "..cert_basedir.." is not owned by the current user, won't be able to write files to it");
+ return 1;
+ elseif not cert_dir_attrs.permissions then -- COMPAT with LuaFilesystem < 1.6.2 (hey CentOS!)
+ pctl.show_message("Unable to check permissions on %s (LuaFilesystem 1.6.2+ required)", cert_basedir);
+ pctl.show_message("Please confirm that Prosody (and only Prosody) can write to this directory)");
+ elseif cert_dir_attrs.permissions:match("^%.w..%-..%-.$") then
+ pctl.show_warning("The directory "..cert_basedir.." not only writable by its owner");
+ return 1;
+ end
+ local subcmd = table.remove(arg, 1);
+ if type(cert_commands[subcmd]) == "function" then
+ if subcmd ~= "import" then -- hostnames are optional for import
+ if not arg[1] then
+ pctl.show_message"You need to supply at least one hostname"
+ arg = { "--help" };
+ end
+ if arg[1] ~= "--help" and not prosody.hosts[arg[1]] then
+ pctl.show_message(pctl.error_messages["no-such-host"]);
+ return 1;
+ end
+ end
+ return cert_commands[subcmd](arg);
+ elseif subcmd == "check" then
+ return require "util.prosodyctl.check".check({"certs"});
+ end
+ end
+ pctl.show_usage("cert config|request|generate|key|import", "Helpers for generating X.509 certificates and keys.")
+ for _, cmd in pairs(cert_commands) do
+ print()
+ cmd{ "--help" }
+ end
+end
+
+return {
+ cert = cert;
+};
diff --git a/util/prosodyctl/check.lua b/util/prosodyctl/check.lua
new file mode 100644
index 00000000..d22d5f45
--- /dev/null
+++ b/util/prosodyctl/check.lua
@@ -0,0 +1,530 @@
+local configmanager = require "core.configmanager";
+local show_usage = require "util.prosodyctl".show_usage;
+local show_warning = require "util.prosodyctl".show_warning;
+local dependencies = require "util.dependencies";
+local socket = require "socket";
+local jid_split = require "util.jid".prepped_split;
+local modulemanager = require "core.modulemanager";
+
+local function check(arg)
+ if arg[1] == "--help" then
+ show_usage([[check]], [[Perform basic checks on your Prosody installation]]);
+ return 1;
+ end
+ local what = table.remove(arg, 1);
+ local set = require "util.set";
+ local it = require "util.iterators";
+ local ok = true;
+ local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end
+ local function enabled_hosts() return it.filter(disabled_hosts, pairs(configmanager.getconfig())); end
+ if not (what == nil or what == "disabled" or what == "config" or what == "dns" or what == "certs") then
+ show_warning("Don't know how to check '%s'. Try one of 'config', 'dns', 'certs' or 'disabled'.", what);
+ return 1;
+ end
+ if not what or what == "disabled" then
+ local disabled_hosts_set = set.new();
+ for host, host_options in it.filter("*", pairs(configmanager.getconfig())) do
+ if host_options.enabled == false then
+ disabled_hosts_set:add(host);
+ end
+ end
+ if not disabled_hosts_set:empty() then
+ local msg = "Checks will be skipped for these disabled hosts: %s";
+ if what then msg = "These hosts are disabled: %s"; end
+ show_warning(msg, tostring(disabled_hosts_set));
+ if what then return 0; end
+ print""
+ end
+ end
+ if not what or what == "config" then
+ print("Checking config...");
+ local deprecated = set.new({
+ "bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login", "require_encryption",
+ "vcard_compatibility", "cross_domain_bosh", "cross_domain_websocket", "daemonize",
+ });
+ local known_global_options = set.new({
+ "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize",
+ "umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings",
+ "network_backend", "http_default_host",
+ "statistics_interval", "statistics", "statistics_config",
+ });
+ local config = configmanager.getconfig();
+ -- Check that we have any global options (caused by putting a host at the top)
+ if it.count(it.filter("log", pairs(config["*"]))) == 0 then
+ ok = false;
+ print("");
+ print(" No global options defined. Perhaps you have put a host definition at the top")
+ print(" of the config file? They should be at the bottom, see https://prosody.im/doc/configure#overview");
+ end
+ if it.count(enabled_hosts()) == 0 then
+ ok = false;
+ print("");
+ if it.count(it.filter("*", pairs(config))) == 0 then
+ print(" No hosts are defined, please add at least one VirtualHost section")
+ elseif config["*"]["enabled"] == false then
+ print(" No hosts are enabled. Remove enabled = false from the global section or put enabled = true under at least one VirtualHost section")
+ else
+ print(" All hosts are disabled. Remove enabled = false from at least one VirtualHost section")
+ end
+ end
+ if not config["*"].modules_enabled then
+ print(" No global modules_enabled is set?");
+ local suggested_global_modules;
+ for host, options in enabled_hosts() do --luacheck: ignore 213/host
+ if not options.component_module and options.modules_enabled then
+ suggested_global_modules = set.intersection(suggested_global_modules or set.new(options.modules_enabled), set.new(options.modules_enabled));
+ end
+ end
+ if suggested_global_modules and not suggested_global_modules:empty() then
+ print(" Consider moving these modules into modules_enabled in the global section:")
+ print(" "..tostring(suggested_global_modules / function (x) return ("%q"):format(x) end));
+ end
+ print();
+ end
+
+ do -- Check for modules enabled both normally and as components
+ local modules = set.new(config["*"]["modules_enabled"]);
+ for host, options in enabled_hosts() do
+ local component_module = options.component_module;
+ if component_module and modules:contains(component_module) then
+ print((" mod_%s is enabled both in modules_enabled and as Component %q %q"):format(component_module, host, component_module));
+ print(" This means the service is enabled on all VirtualHosts as well as the Component.");
+ print(" Are you sure this what you want? It may cause unexpected behaviour.");
+ end
+ end
+ end
+
+ -- Check for global options under hosts
+ local global_options = set.new(it.to_array(it.keys(config["*"])));
+ local deprecated_global_options = set.intersection(global_options, deprecated);
+ if not deprecated_global_options:empty() then
+ print("");
+ print(" You have some deprecated options in the global section:");
+ print(" "..tostring(deprecated_global_options))
+ ok = false;
+ end
+ for host, options in it.filter(function (h) return h ~= "*" end, pairs(configmanager.getconfig())) do
+ local host_options = set.new(it.to_array(it.keys(options)));
+ local misplaced_options = set.intersection(host_options, known_global_options);
+ for name in pairs(options) do
+ if name:match("^interfaces?")
+ or name:match("_ports?$") or name:match("_interfaces?$")
+ or (name:match("_ssl$") and not name:match("^[cs]2s_ssl$")) then
+ misplaced_options:add(name);
+ end
+ end
+ if not misplaced_options:empty() then
+ ok = false;
+ print("");
+ local n = it.count(misplaced_options);
+ print(" You have "..n.." option"..(n>1 and "s " or " ").."set under "..host.." that should be");
+ print(" in the global section of the config file, above any VirtualHost or Component definitions,")
+ print(" see https://prosody.im/doc/configure#overview for more information.")
+ print("");
+ print(" You need to move the following option"..(n>1 and "s" or "")..": "..table.concat(it.to_array(misplaced_options), ", "));
+ end
+ end
+ for host, options in enabled_hosts() do
+ local host_options = set.new(it.to_array(it.keys(options)));
+ local subdomain = host:match("^[^.]+");
+ if not(host_options:contains("component_module")) and (subdomain == "jabber" or subdomain == "xmpp"
+ or subdomain == "chat" or subdomain == "im") then
+ print("");
+ print(" Suggestion: If "..host.. " is a new host with no real users yet, consider renaming it now to");
+ print(" "..host:gsub("^[^.]+%.", "")..". You can use SRV records to redirect XMPP clients and servers to "..host..".");
+ print(" For more information see: https://prosody.im/doc/dns");
+ end
+ end
+ local all_modules = set.new(config["*"].modules_enabled);
+ local all_options = set.new(it.to_array(it.keys(config["*"])));
+ for host in enabled_hosts() do
+ all_options:include(set.new(it.to_array(it.keys(config[host]))));
+ all_modules:include(set.new(config[host].modules_enabled));
+ end
+ for mod in all_modules do
+ if mod:match("^mod_") then
+ print("");
+ print(" Modules in modules_enabled should not have the 'mod_' prefix included.");
+ print(" Change '"..mod.."' to '"..mod:match("^mod_(.*)").."'.");
+ elseif mod:match("^auth_") then
+ print("");
+ print(" Authentication modules should not be added to modules_enabled,");
+ print(" but be specified in the 'authentication' option.");
+ print(" Remove '"..mod.."' from modules_enabled and instead add");
+ print(" authentication = '"..mod:match("^auth_(.*)").."'");
+ print(" For more information see https://prosody.im/doc/authentication");
+ elseif mod:match("^storage_") then
+ print("");
+ print(" storage modules should not be added to modules_enabled,");
+ print(" but be specified in the 'storage' option.");
+ print(" Remove '"..mod.."' from modules_enabled and instead add");
+ print(" storage = '"..mod:match("^storage_(.*)").."'");
+ print(" For more information see https://prosody.im/doc/storage");
+ end
+ end
+ if all_modules:contains("vcard") and all_modules:contains("vcard_legacy") then
+ print("");
+ print(" Both mod_vcard_legacy and mod_vcard are enabled but they conflict");
+ print(" with each other. Remove one.");
+ end
+ if all_modules:contains("pep") and all_modules:contains("pep_simple") then
+ print("");
+ print(" Both mod_pep_simple and mod_pep are enabled but they conflict");
+ print(" with each other. Remove one.");
+ end
+ for host, host_config in pairs(config) do --luacheck: ignore 213/host
+ if type(rawget(host_config, "storage")) == "string" and rawget(host_config, "default_storage") then
+ print("");
+ print(" The 'default_storage' option is not needed if 'storage' is set to a string.");
+ break;
+ end
+ end
+ local require_encryption = set.intersection(all_options, set.new({
+ "require_encryption", "c2s_require_encryption", "s2s_require_encryption"
+ })):empty();
+ local ssl = dependencies.softreq"ssl";
+ if not ssl then
+ if not require_encryption then
+ print("");
+ print(" You require encryption but LuaSec is not available.");
+ print(" Connections will fail.");
+ ok = false;
+ end
+ elseif not ssl.loadcertificate then
+ if all_options:contains("s2s_secure_auth") then
+ print("");
+ print(" You have set s2s_secure_auth but your version of LuaSec does ");
+ print(" not support certificate validation, so all s2s connections will");
+ print(" fail.");
+ ok = false;
+ elseif all_options:contains("s2s_secure_domains") then
+ local secure_domains = set.new();
+ for host in enabled_hosts() do
+ if config[host].s2s_secure_auth == true then
+ secure_domains:add("*");
+ else
+ secure_domains:include(set.new(config[host].s2s_secure_domains));
+ end
+ end
+ if not secure_domains:empty() then
+ print("");
+ print(" You have set s2s_secure_domains but your version of LuaSec does ");
+ print(" not support certificate validation, so s2s connections to/from ");
+ print(" these domains will fail.");
+ ok = false;
+ end
+ end
+ elseif require_encryption and not all_modules:contains("tls") then
+ print("");
+ print(" You require encryption but mod_tls is not enabled.");
+ print(" Connections will fail.");
+ ok = false;
+ end
+
+ print("Done.\n");
+ end
+ if not what or what == "dns" then
+ local dns = require "net.dns";
+ local idna = require "util.encodings".idna;
+ local ip = require "util.ip";
+ local c2s_ports = set.new(configmanager.get("*", "c2s_ports") or {5222});
+ local s2s_ports = set.new(configmanager.get("*", "s2s_ports") or {5269});
+
+ local c2s_srv_required, s2s_srv_required;
+ if not c2s_ports:contains(5222) then
+ c2s_srv_required = true;
+ end
+ if not s2s_ports:contains(5269) then
+ s2s_srv_required = true;
+ end
+
+ local problem_hosts = set.new();
+
+ local external_addresses, internal_addresses = set.new(), set.new();
+
+ local fqdn = socket.dns.tohostname(socket.dns.gethostname());
+ if fqdn then
+ do
+ local res = dns.lookup(idna.to_ascii(fqdn), "A");
+ if res then
+ for _, record in ipairs(res) do
+ external_addresses:add(record.a);
+ end
+ end
+ end
+ do
+ local res = dns.lookup(idna.to_ascii(fqdn), "AAAA");
+ if res then
+ for _, record in ipairs(res) do
+ external_addresses:add(record.aaaa);
+ end
+ end
+ end
+ end
+
+ local local_addresses = require"util.net".local_addresses() or {};
+
+ for addr in it.values(local_addresses) do
+ if not ip.new_ip(addr).private then
+ external_addresses:add(addr);
+ else
+ internal_addresses:add(addr);
+ end
+ end
+
+ if external_addresses:empty() then
+ print("");
+ print(" Failed to determine the external addresses of this server. Checks may be inaccurate.");
+ c2s_srv_required, s2s_srv_required = true, true;
+ end
+
+ local v6_supported = not not socket.tcp6;
+
+ for jid, host_options in enabled_hosts() do
+ local all_targets_ok, some_targets_ok = true, false;
+ local node, host = jid_split(jid);
+
+ local modules, component_module = modulemanager.get_modules_for_host(host);
+ if component_module then
+ modules:add(component_module);
+ end
+
+ local is_component = not not host_options.component_module;
+ print("Checking DNS for "..(is_component and "component" or "host").." "..jid.."...");
+ if node then
+ print("Only the domain part ("..host..") is used in DNS.")
+ end
+ local target_hosts = set.new();
+ if modules:contains("c2s") then
+ local res = dns.lookup("_xmpp-client._tcp."..idna.to_ascii(host)..".", "SRV");
+ if res then
+ for _, record in ipairs(res) do
+ target_hosts:add(record.srv.target);
+ if not c2s_ports:contains(record.srv.port) then
+ print(" SRV target "..record.srv.target.." contains unknown client port: "..record.srv.port);
+ end
+ end
+ else
+ if c2s_srv_required then
+ print(" No _xmpp-client SRV record found for "..host..", but it looks like you need one.");
+ all_targets_ok = false;
+ else
+ target_hosts:add(host);
+ end
+ end
+ end
+ if modules:contains("s2s") then
+ local res = dns.lookup("_xmpp-server._tcp."..idna.to_ascii(host)..".", "SRV");
+ if res then
+ for _, record in ipairs(res) do
+ target_hosts:add(record.srv.target);
+ if not s2s_ports:contains(record.srv.port) then
+ print(" SRV target "..record.srv.target.." contains unknown server port: "..record.srv.port);
+ end
+ end
+ else
+ if s2s_srv_required then
+ print(" No _xmpp-server SRV record found for "..host..", but it looks like you need one.");
+ all_targets_ok = false;
+ else
+ target_hosts:add(host);
+ end
+ end
+ end
+ if target_hosts:empty() then
+ target_hosts:add(host);
+ end
+
+ if target_hosts:contains("localhost") then
+ print(" Target 'localhost' cannot be accessed from other servers");
+ target_hosts:remove("localhost");
+ end
+
+ if modules:contains("proxy65") then
+ local proxy65_target = configmanager.get(host, "proxy65_address") or host;
+ if type(proxy65_target) == "string" then
+ local A, AAAA = dns.lookup(idna.to_ascii(proxy65_target), "A"), dns.lookup(idna.to_ascii(proxy65_target), "AAAA");
+ local prob = {};
+ if not A then
+ table.insert(prob, "A");
+ end
+ if v6_supported and not AAAA then
+ table.insert(prob, "AAAA");
+ end
+ if #prob > 0 then
+ print(" File transfer proxy "..proxy65_target.." has no "..table.concat(prob, "/")
+ .." record. Create one or set 'proxy65_address' to the correct host/IP.");
+ end
+ else
+ print(" proxy65_address for "..host.." should be set to a string, unable to perform DNS check");
+ end
+ end
+
+ for target_host in target_hosts do
+ local host_ok_v4, host_ok_v6;
+ do
+ local res = dns.lookup(idna.to_ascii(target_host), "A");
+ if res then
+ for _, record in ipairs(res) do
+ if external_addresses:contains(record.a) then
+ some_targets_ok = true;
+ host_ok_v4 = true;
+ elseif internal_addresses:contains(record.a) then
+ host_ok_v4 = true;
+ some_targets_ok = true;
+ print(" "..target_host.." A record points to internal address, external connections might fail");
+ else
+ print(" "..target_host.." A record points to unknown address "..record.a);
+ all_targets_ok = false;
+ end
+ end
+ end
+ end
+ do
+ local res = dns.lookup(idna.to_ascii(target_host), "AAAA");
+ if res then
+ for _, record in ipairs(res) do
+ if external_addresses:contains(record.aaaa) then
+ some_targets_ok = true;
+ host_ok_v6 = true;
+ elseif internal_addresses:contains(record.aaaa) then
+ host_ok_v6 = true;
+ some_targets_ok = true;
+ print(" "..target_host.." AAAA record points to internal address, external connections might fail");
+ else
+ print(" "..target_host.." AAAA record points to unknown address "..record.aaaa);
+ all_targets_ok = false;
+ end
+ end
+ end
+ end
+
+ local bad_protos = {}
+ if not host_ok_v4 then
+ table.insert(bad_protos, "IPv4");
+ end
+ if not host_ok_v6 then
+ table.insert(bad_protos, "IPv6");
+ end
+ if #bad_protos > 0 then
+ print(" Host "..target_host.." does not seem to resolve to this server ("..table.concat(bad_protos, "/")..")");
+ end
+ if host_ok_v6 and not v6_supported then
+ print(" Host "..target_host.." has AAAA records, but your version of LuaSocket does not support IPv6.");
+ print(" Please see https://prosody.im/doc/ipv6 for more information.");
+ end
+ end
+ if not all_targets_ok then
+ print(" "..(some_targets_ok and "Only some" or "No").." targets for "..host.." appear to resolve to this server.");
+ if is_component then
+ print(" DNS records are necessary if you want users on other servers to access this component.");
+ end
+ problem_hosts:add(host);
+ end
+ print("");
+ end
+ if not problem_hosts:empty() then
+ print("");
+ print("For more information about DNS configuration please see https://prosody.im/doc/dns");
+ print("");
+ ok = false;
+ end
+ end
+ if not what or what == "certs" then
+ local cert_ok;
+ print"Checking certificates..."
+ local x509_verify_identity = require"util.x509".verify_identity;
+ local create_context = require "core.certmanager".create_context;
+ local ssl = dependencies.softreq"ssl";
+ -- local datetime_parse = require"util.datetime".parse_x509;
+ local load_cert = ssl and ssl.loadcertificate;
+ -- or ssl.cert_from_pem
+ if not ssl then
+ print("LuaSec not available, can't perform certificate checks")
+ if what == "certs" then cert_ok = false end
+ elseif not load_cert then
+ print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking");
+ cert_ok = false
+ else
+ local function skip_bare_jid_hosts(host)
+ if jid_split(host) then
+ -- See issue #779
+ return false;
+ end
+ return true;
+ end
+ for host in it.filter(skip_bare_jid_hosts, enabled_hosts()) do
+ print("Checking certificate for "..host);
+ -- First, let's find out what certificate this host uses.
+ local host_ssl_config = configmanager.rawget(host, "ssl")
+ or configmanager.rawget(host:match("%.(.*)"), "ssl");
+ local global_ssl_config = configmanager.rawget("*", "ssl");
+ local ok, err, ssl_config = create_context(host, "server", host_ssl_config, global_ssl_config);
+ if not ok then
+ print(" Error: "..err);
+ cert_ok = false
+ elseif not ssl_config.certificate then
+ print(" No 'certificate' found for "..host)
+ cert_ok = false
+ elseif not ssl_config.key then
+ print(" No 'key' found for "..host)
+ cert_ok = false
+ else
+ local key, err = io.open(ssl_config.key); -- Permissions check only
+ if not key then
+ print(" Could not open "..ssl_config.key..": "..err);
+ cert_ok = false
+ else
+ key:close();
+ end
+ local cert_fh, err = io.open(ssl_config.certificate); -- Load the file.
+ if not cert_fh then
+ print(" Could not open "..ssl_config.certificate..": "..err);
+ cert_ok = false
+ else
+ print(" Certificate: "..ssl_config.certificate)
+ local cert = load_cert(cert_fh:read"*a"); cert_fh:close();
+ if not cert:validat(os.time()) then
+ print(" Certificate has expired.")
+ cert_ok = false
+ elseif not cert:validat(os.time() + 86400) then
+ print(" Certificate expires within one day.")
+ cert_ok = false
+ elseif not cert:validat(os.time() + 86400*7) then
+ print(" Certificate expires within one week.")
+ elseif not cert:validat(os.time() + 86400*31) then
+ print(" Certificate expires within one month.")
+ end
+ if configmanager.get(host, "component_module") == nil
+ and not x509_verify_identity(host, "_xmpp-client", cert) then
+ print(" Not valid for client connections to "..host..".")
+ cert_ok = false
+ end
+ if (not (configmanager.get(host, "anonymous_login")
+ or configmanager.get(host, "authentication") == "anonymous"))
+ and not x509_verify_identity(host, "_xmpp-server", cert) then
+ print(" Not valid for server-to-server connections to "..host..".")
+ cert_ok = false
+ end
+ end
+ end
+ end
+ end
+ if cert_ok == false then
+ print("")
+ print("For more information about certificates please see https://prosody.im/doc/certificates");
+ ok = false
+ end
+ print("")
+ end
+ if not ok then
+ print("Problems found, see above.");
+ else
+ print("All checks passed, congratulations!");
+ end
+ return ok and 0 or 2;
+end
+
+return {
+ check = check;
+};
diff --git a/util/prosodyctl/shell.lua b/util/prosodyctl/shell.lua
index cbcea927..1d07e6ec 100644
--- a/util/prosodyctl/shell.lua
+++ b/util/prosodyctl/shell.lua
@@ -126,5 +126,5 @@ local function start(arg) --luacheck: ignore 212/arg
end
return {
- start = start;
+ shell = start;
};