Diffstat (limited to 'plugins')
-rw-r--r--plugins/mod_admin_shell.lua443
1 files changed, 245 insertions, 198 deletions
diff --git a/plugins/mod_admin_shell.lua b/plugins/mod_admin_shell.lua
index 5e675e93..62906ec0 100644
--- a/plugins/mod_admin_shell.lua
+++ b/plugins/mod_admin_shell.lua
@@ -42,6 +42,10 @@ local t_concat = table.concat;
local format_number = require "util.human.units".format;
local format_table = require "util.human.io".table;
+local function capitalize(s)
+ return (s:gsub("^%a", string.upper):gsub("_", " "));
+end
+
local commands = module:shared("commands")
local def_env = module:shared("env");
local default_env_mt = { __index = def_env };
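Review bot: `capitalize` has no doc comment and assumes its argument is a string; later in this commit it is wired in directly as a column mapper (`mapper = capitalize` for the `s2s_sasl` column), where it receives whatever `session.external_auth` holds, so if that field can ever be a non-string the `s:gsub` call raises from inside the shell command rather than rendering a cell. If non-string values are possible, a guard such as `if type(s) ~= "string" then return tostring(s) end` at the top keeps the table rendering. A header along the lines of `--- Upper-case the first letter and turn underscores into spaces (e.g. "not_valid" -> "Not valid").` would also document the intended output. The chained `:gsub` correctly sees only the first return of the inner call and the outer parentheses drop the count, so no change is needed there.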
@@ -205,15 +209,13 @@ function commands.help(session, data)
print [[config - Reloading the configuration, etc.]]
print [[console - Help regarding the console itself]]
elseif section == "c2s" then
- print [[c2s:show(jid) - Show all client sessions with the specified JID (or all if no JID given)]]
- print [[c2s:show_insecure() - Show all unencrypted client connections]]
- print [[c2s:show_secure() - Show all encrypted client connections]]
- print [[c2s:show_tls() - Show TLS cipher info for encrypted sessions]]
+ print [[c2s:show(jid, columns) - Show all client sessions with the specified JID (or all if no JID given)]]
+ print [[c2s:show_tls(jid) - Show TLS cipher info for encrypted sessions]]
print [[c2s:count() - Count sessions without listing them]]
print [[c2s:close(jid) - Close all sessions for the specified JID]]
print [[c2s:closeall() - Close all active c2s connections ]]
elseif section == "s2s" then
- print [[s2s:show(domain) - Show all s2s connections for the given domain (or all if no domain given)]]
+ print [[s2s:show(domain, columns) - Show all s2s connections for the given domain (or all if no domain given)]]
print [[s2s:show_tls(domain) - Show TLS cipher info for encrypted sessions]]
print [[s2s:close(from, to) - Close a connection from one domain to another]]
print [[s2s:closeall(host) - Close all the incoming/outgoing s2s sessions to specified host]]
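Review bot: The new help lines `c2s:show(jid, columns)` and `s2s:show(domain, columns)` introduce a `columns` argument without saying what it accepts, and the column names this commit defines (`jid`, `host`, `remote`, `dir`, `id`, `type`, `method`, `ipv`, `ip`, `status`, `secure`, `encryption`, `cert`, `sni`, `alpn`, `smacks`, `smacks_queue`, `csi`, `s2s_sasl`, `dialback`) are not discoverable from the console. A short additional line in the `c2s` section, e.g. `print [[  columns is a list of column names, e.g. { "jid"; "ip"; "secure" }; unknown names show the raw session field]]`, would make the feature usable without reading the source. The enclosing `commands.help` starts and ends outside this hunk.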
@@ -582,101 +584,6 @@ function def_env.config:reload()
return ok, (ok and "Config reloaded (you may need to reload modules to take effect)") or tostring(err);
end
-local function common_info(session, line)
- if session.id then
- line[#line+1] = "["..session.id.."]"
- else
- line[#line+1] = "["..session.type..(tostring(session):match("%x*$")).."]"
- end
-end
-
-local function session_flags(session, line)
- line = line or {};
- common_info(session, line);
- if session.type == "c2s" then
- local status, priority = "unavailable", tostring(session.priority or "-");
- if session.presence then
- status = session.presence:get_child_text("show") or "available";
- end
- line[#line+1] = status.."("..priority..")";
- end
- if session.cert_identity_status == "valid" then
- line[#line+1] = "(authenticated)";
- end
- if session.dialback_key then
- line[#line+1] = "(dialback)";
- end
- if session.external_auth then
- line[#line+1] = "(SASL)";
- end
- if session.secure then
- line[#line+1] = "(encrypted)";
- end
- if session.compressed then
- line[#line+1] = "(compressed)";
- end
- if session.smacks then
- line[#line+1] = "(sm)";
- end
- if session.state then
- if type(session.csi_counter) == "number" then
- line[#line+1] = string.format("(csi:%s queue #%d)", session.state, session.csi_counter);
- else
- line[#line+1] = string.format("(csi:%s)", session.state);
- end
- end
- if session.ip and session.ip:match(":") then
- line[#line+1] = "(IPv6)";
- end
- if session.remote then
- line[#line+1] = "(remote)";
- end
- if session.incoming and session.outgoing then
- line[#line+1] = "(bidi)";
- elseif session.is_bidi or session.bidi_session then
- line[#line+1] = "(bidi)";
- end
- if session.bosh_version then
- line[#line+1] = "(bosh)";
- end
- if session.websocket_request then
- line[#line+1] = "(websocket)";
- end
- return table.concat(line, " ");
-end
-
-local function tls_info(session, line)
- line = line or {};
- common_info(session, line);
- if session.secure then
- local sock = session.conn and session.conn.socket and session.conn:socket();
- if sock then
- local info = sock.info and sock:info();
- if info then
- line[#line+1] = ("(%s with %s)"):format(info.protocol, info.cipher);
- else
- -- TLS session might not be ready yet
- line[#line+1] = "(cipher info unavailable)";
- end
- if sock.getsniname then
- local name = sock:getsniname();
- if name then
- line[#line+1] = ("(SNI:%q)"):format(name);
- end
- end
- if sock.getalpn then
- local proto = sock:getalpn();
- if proto then
- line[#line+1] = ("(ALPN:%q)"):format(proto);
- end
- end
- end
- else
- line[#line+1] = "(insecure)";
- end
- return table.concat(line, " ");
-end
-
def_env.c2s = {};
local function get_jid(session)
@@ -700,16 +607,16 @@ local function get_c2s()
return c2s;
end
+local function _sort_by_jid(a, b)
+ if a.host == b.host then
+ if a.username == b.username then return (a.resource or "") > (b.resource or ""); end
+ return (a.username or "") > (b.username or "");
+ end
+ return _sort_hosts(a.host or "", b.host or "");
+end
+
local function show_c2s(callback)
- get_c2s():sort(function(a, b)
- if a.host == b.host then
- if a.username == b.username then
- return (a.resource or "") > (b.resource or "");
- end
- return (a.username or "") > (b.username or "");
- end
- return _sort_hosts(a.host or "", b.host or "");
- end):map(function (session)
+ get_c2s():sort(_sort_by_jid):map(function (session)
callback(get_jid(session), session)
end);
end
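Review bot: `_sort_by_jid` carries no comment explaining its ordering: hosts are ordered by `_sort_hosts` (defined outside this hunk) while username and resource are compared with `>`, i.e. descending, which is the behaviour carried over from the inline comparator it replaces but reads like a typo when seen on its own. A one-line header such as `-- Comparator for c2s sessions: host via _sort_hosts, then username and resource (both descending; preserved from the original inline sort).` would record that this is intentional. Since the same function becomes the comparator for the `filter(match):sort(_sort_by_jid)` chain in `c2s:show` later in this commit, documenting it once here covers both call sites.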
@@ -719,47 +626,223 @@ function def_env.c2s:count()
return true, "Total: ".. #c2s .." clients";
end
-function def_env.c2s:show(match_jid, annotate)
- local print, count = self.session.print, 0;
- annotate = annotate or session_flags;
- local curr_host = false;
- show_c2s(function (jid, session)
- if curr_host ~= session.host then
- curr_host = session.host;
- print(curr_host or "(not connected to any host yet)");
+local function get_s2s_hosts(session) --> local,remote
+ if session.direction == "outgoing" then
+ return session.host or session.from_host, session.to_host;
+ elseif session.direction == "incoming" then
+ return session.host or session.to_host, session.from_host;
+ end
+end
+
+local available_columns = {
+ jid = {
+ title = "JID";
+ width = 32;
+ key = "full_jid";
+ mapper = function(full_jid, session) return full_jid or get_jid(session) end;
+ };
+ host = {
+ title = "Host";
+ key = "host";
+ width = 22;
+ mapper = function(host, session)
+ if host ~= "" then return host; end
+ return get_s2s_hosts(session) or "?";
+ end;
+ };
+ remote = {
+ title = "Remote";
+ width = 22;
+ mapper = function(_, session)
+ return select(2, get_s2s_hosts(session));
+ end;
+ };
+ dir = {
+ title = "Dir";
+ width = 3;
+ key = "direction";
+ mapper = function (dir)
+ if dir == "outgoing" then return "-->"; end
+ if dir == "incoming" then return "<--"; end
+ return ""
+ end;
+ };
+ id = { title = "Session ID"; width = 20; key = "id" };
+ type = { title = "Type"; width = #"c2s_unauthed"; key = "type" };
+ method = {
+ title = "Method";
+ width = 10;
+ mapper = function(_, session)
+ if session.bosh_version then
+ return "BOSH";
+ elseif session.websocket_request then
+ return "WebSocket";
+ else
+ return "TCP";
+ end
+ end;
+ };
+ ipv = {
+ title = "IPv";
+ width = 4;
+ key = "ip";
+ mapper = function(ip) return ip:find(":") and "IPv6" or "IPv4"; end;
+ };
+ ip = { title = "IP address"; width = 40; key = "ip" };
+ status = {
+ title = "Status";
+ width = 11;
+ key = "presence";
+ mapper = function(p)
+ if not p or p == "" then return "unavailable"; end
+ return p:get_child_text("show") or "available";
+ end;
+ };
+ secure = {
+ title = "Security";
+ key = "conn";
+ width = 11;
+ mapper = function(conn, session)
+ if not session.secure then return "insecure"; end
+ if conn == "" or not conn:ssl() then return "secure" end
+ local sock = conn ~= "" and conn:socket();
+ if not sock then return "unknown TLS"; end
+ local tls_info = sock.info and sock:info();
+ return tls_info and tls_info.protocol or "unknown TLS";
+ end;
+ };
+ encryption = {
+ title = "Encryption";
+ width = 30;
+ key = "conn";
+ mapper = function(conn)
+ local sock = conn ~= "" and conn:socket();
+ local info = sock and sock.info and sock:info();
+ if info then return info.cipher end
+ return ""
+ end;
+ };
+ cert = {
+ title = "Certificate";
+ key = "cert_identity_status";
+ mapper = function(cert_status, session)
+ if cert_status ~= "" then return capitalize(cert_status); end
+ if session.cert_chain_status == "Invalid" then
+ local cert_errors = set.new(session.cert_chain_errors[1]);
+ if cert_errors:contains("certificate has expired") then
+ return "Expired";
+ elseif cert_errors:contains("self signed certificate") then
+ return "Self-signed";
+ end
+ return "Untrusted";
+ elseif session.cert_identity_status == "invalid" then
+ return "Mismatched";
+ end
+ return "Not validated";
+ end;
+ };
+ sni = {
+ title = "SNI";
+ width = 22;
+ mapper = function(_, session)
+ if not session.conn then return "" end
+ local sock = session.conn:socket();
+ return sock and sock.getsniname and sock:getsniname() or "";
+ end;
+ };
+ alpn = {
+ title = "ALPN";
+ width = 11;
+ mapper = function(_, session)
+ if not session.conn then return "" end
+ local sock = session.conn:socket();
+ return sock and sock.getalpn and sock:getalpn() or "";
+ end;
+ };
+ smacks = {
+ title = "SM";
+ key = "smacks";
+ width = 11;
+ mapper = function(smacks_xmlns, session)
+ if smacks_xmlns == "" then return "no"; end
+ if session.hibernating then return "hibernating"; end
+ return "yes";
+ end;
+ };
+ smacks_queue = {
+ title = "SM Queue";
+ key = "outgoing_stanza_queue";
+ width = 8;
+ align = "right";
+ mapper = function (queue)
+ return tostring(#queue);
end
- if (not match_jid) or jid:match(match_jid) then
- count = count + 1;
- print(annotate(session, { " ", jid }));
+ };
+ csi = {
+ title = "CSI State";
+ key = "state";
+ -- TODO include counter
+ };
+ s2s_sasl = {
+ title = "SASL";
+ key = "external_auth";
+ width = 10;
+ mapper = capitalize
+ };
+ dialback = {
+ title = "Dialback";
+ key = "dialback_key";
+ width = 13;
+ mapper = function (dialback_key, session)
+ if dialback_key == "" then
+ if session.type == "s2sin" or session.type == "s2sout" then
+ return "Not used";
+ end
+ return "Not initiated";
+ elseif session.type == "s2sin_unauthed" or session.type == "s2sout_unauthed" then
+ return "Initiated";
+ else
+ return "Completed";
+ end
end
- end);
- return true, "Total: "..count.." clients";
-end
+ };
+};
-function def_env.c2s:show_insecure(match_jid)
- local print, count = self.session.print, 0;
- show_c2s(function (jid, session)
- if ((not match_jid) or jid:match(match_jid)) and not session.secure then
- count = count + 1;
- print(jid);
+local function get_colspec(colspec, default)
+ local columns = {};
+ for i, col in pairs(colspec or default) do
+ if type(col) == "string" then
+ columns[i] = available_columns[col] or { title = capitalize(col); width = 20; key = col };
+ elseif type(col) ~= "table" then
+ return false, ("argument %d: expected string|table but got %s"):format(i, type(col));
+ else
+ columns[i] = col;
end
- end);
- return true, "Total: "..count.." insecure client connections";
+ end
+
+ return columns;
end
-function def_env.c2s:show_secure(match_jid)
- local print, count = self.session.print, 0;
- show_c2s(function (jid, session)
- if ((not match_jid) or jid:match(match_jid)) and session.secure then
- count = count + 1;
- print(jid);
- end
- end);
- return true, "Total: "..count.." secure client connections";
+function def_env.c2s:show(match_jid, colspec)
+ local print = self.session.print;
+ local columns = get_colspec(colspec, { "id"; "jid"; "ipv"; "status"; "secure"; "smacks"; "csi" });
+ local row = format_table(columns, 120);
+
+ local function match(session)
+ local jid = get_jid(session)
+ return (not match_jid) or jid:match(match_jid)
+ end
+
+ print(row());
+
+ for _, session in ipairs(get_c2s():filter(match):sort(_sort_by_jid)) do
+ print(row(session));
+ end
+ return true;
end
function def_env.c2s:show_tls(match_jid)
- return self:show(match_jid, tls_info);
+ return self:show(match_jid, { "jid"; "id"; "secure"; "encryption" });
end
local function build_reason(text, condition)
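Review bot: `get_colspec` returns `false, err` on a malformed column spec (the `argument %d: expected string|table` branch), but `c2s:show` keeps only the first value in `local columns = get_colspec(colspec, { ... });` and hands `false` straight to `format_table`, so a bad `columns` argument typed at the console surfaces as an error from inside util.human.io instead of the message that was prepared; the same applies to `s2s:show` in the last hunk, whose end is outside this view. The fix is two lines at each site: `local columns, err = get_colspec(colspec, { ... });` followed by `if not columns then return false, err; end`. Separately, the `sni`, `alpn` and `encryption` mappers call `conn:socket()` without the `session.conn.socket and` guard that the removed `tls_info` had, so a connection object lacking a `socket` method now raises where it was previously skipped, and the `secure` mapper's `conn:ssl()` is likewise unguarded. `get_colspec` also walks the spec with `pairs`, so a non-integer key would reach the `%d` format and raise; `ipairs` matches the sequence shape of the default specs and yields a well-formed message.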
@@ -794,71 +877,35 @@ end
def_env.s2s = {};
-function def_env.s2s:show(match_jid, annotate)
- local print = self.session.print;
- annotate = annotate or session_flags;
+local function _sort_s2s(a, b)
+ local a_local, a_remote = get_s2s_hosts(a);
+ local b_local, b_remote = get_s2s_hosts(b);
+ if (a_local or "") == (b_local or "") then return _sort_hosts(a_remote or "", b_remote or ""); end
+ return _sort_hosts(a_local or "", b_local or "");
+end
- local count_in, count_out = 0,0;
- local s2s_list = { };
+function def_env.s2s:show(match_jid, colspec)
+ local print = self.session.print;
+ local columns = get_colspec(colspec, { "id"; "host"; "dir"; "remote"; "ipv"; "secure"; "s2s_sasl"; "dialback" });
+ local row = format_table(columns, 132);
- local s2s_sessions = module:shared"/*/s2s/sessions";
- for _, session in pairs(s2s_sessions) do
- local remotehost, localhost, direction;
- if session.direction == "outgoing" then
- direction = "->";
- count_out = count_out + 1;
- remotehost, localhost = session.to_host or "?", session.from_host or "?";
- else
- direction = "<-";
- count_in = count_in + 1;
- remotehost, localhost = session.from_host or "?", session.to_host or "?";
- end
- local sess_lines = { l = localhost, r = remotehost,
- annotate(session, { "", direction, remotehost or "?" })};
-
- if (not match_jid) or remotehost:match(match_jid) or localhost:match(match_jid) then
- table.insert(s2s_list, sess_lines);
- -- luacheck: ignore 421/print
- local print = function (s) table.insert(sess_lines, " "..s); end
- if session.sendq then
- print("There are "..#session.sendq.." queued outgoing stanzas for this connection");
- end
- if session.type == "s2sout_unauthed" then
- if session.notopen then
- print("The <stream> has not yet been opened");
- elseif not session.dialback_key then
- print("Dialback has not been initiated yet");
- elseif session.dialback_key then
- print("Dialback has been requested, but no result received");
- end
- end
- if session.type == "s2sin_unauthed" then
- print("Connection not yet authenticated");
- elseif session.type == "s2sin" then
- for name in pairs(session.hosts) do
- if name ~= session.from_host then
- print("also hosts "..tostring(name));
- end
- end
- end
- end
+ local function match(session)
+ local host, remote = get_s2s_hosts(session);
+ return not match_jid or (host or ""):match(match_jid) or (remote or ""):match(match_jid);
end
- -- Sort by local host, then remote host
- table.sort(s2s_list, function(a,b)
- if a.l == b.l then return _sort_hosts(a.r, b.r); end
- return _sort_hosts(a.l, b.l);
- end);
- local lasthost;
- for _, sess_lines in ipairs(s2s_list) do
- if sess_lines.l ~= lasthost then print(sess_lines.l); lasthost=sess_lines.l end
- for _, line in ipairs(sess_lines) do print(line); end
+ local s2s_sessions = array(iterators.values(module:shared"/*/s2s/sessions")):filter(match):sort(_sort_s2s);
+
+ print(row());
+
+ for _, session in ipairs(s2s_sessions) do
+ print(row(session));
end
- return true, "Total: "..count_out.." outgoing, "..count_in.." incoming connections";
+ return true; -- TODO counts
end
function def_env.s2s:show_tls(match_jid)
- return self:show(match_jid, tls_info);
+ return self:show(match_jid, { "id"; "host"; "dir"; "remote"; "secure"; "encryption"; "cert" });
end
local function print_subject(print, subject)