aboutsummaryrefslogtreecommitdiffstats
path: root/prosodyctl
diff options
context:
space:
mode:
Diffstat (limited to 'prosodyctl')
-rwxr-xr-xprosodyctl889
1 files changed, 777 insertions, 112 deletions
diff --git a/prosodyctl b/prosodyctl
index e736b13e..fcfc4c2e 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -2,7 +2,7 @@
-- Prosody IM
-- Copyright (C) 2008-2010 Matthew Wild
-- Copyright (C) 2008-2010 Waqas Hussain
---
+--
-- This project is MIT/X11 licensed. Please see the
-- COPYING file in the source package for more information.
--
@@ -11,17 +11,17 @@
-- Will be modified by configure script if run --
-CFG_SOURCEDIR=os.getenv("PROSODY_SRCDIR");
-CFG_CONFIGDIR=os.getenv("PROSODY_CFGDIR");
-CFG_PLUGINDIR=os.getenv("PROSODY_PLUGINDIR");
-CFG_DATADIR=os.getenv("PROSODY_DATADIR");
+CFG_SOURCEDIR=CFG_SOURCEDIR or os.getenv("PROSODY_SRCDIR");
+CFG_CONFIGDIR=CFG_CONFIGDIR or os.getenv("PROSODY_CFGDIR");
+CFG_PLUGINDIR=CFG_PLUGINDIR or os.getenv("PROSODY_PLUGINDIR");
+CFG_DATADIR=CFG_DATADIR or os.getenv("PROSODY_DATADIR");
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
local function is_relative(path)
local path_sep = package.config:sub(1,1);
- return ((path_sep == "/" and path:sub(1,1) ~= "/")
- or (path_sep == "\\" and (path:sub(1,1) ~= "/" and path:sub(2,3) ~= ":\\")))
+ return ((path_sep == "/" and path:sub(1,1) ~= "/")
+ or (path_sep == "\\" and (path:sub(1,1) ~= "/" and path:sub(2,3) ~= ":\\")))
end
-- Tell Lua where to find our libraries
@@ -65,7 +65,7 @@ config = require "core.configmanager"
local ENV_CONFIG;
do
local filenames = {};
-
+
local filename;
if arg[1] == "--config" and arg[2] then
table.insert(filenames, arg[2]);
@@ -93,13 +93,13 @@ do
print("\n");
print("**************************");
if level == "parser" then
- print("A problem occured while reading the config file "..(CFG_CONFIGDIR or ".").."/prosody.cfg.lua");
+ print("A problem occured while reading the config file "..filename);
local err_line, err_message = tostring(err):match("%[string .-%]:(%d*): (.*)");
print("Error"..(err_line and (" on line "..err_line) or "")..": "..(err_message or tostring(err)));
print("");
elseif level == "file" then
print("Prosody was unable to find the configuration file.");
- print("We looked for: "..(CFG_CONFIGDIR or ".").."/prosody.cfg.lua");
+ print("We looked for: "..filename);
print("A sample config file is included in the Prosody download called prosody.cfg.lua.dist");
print("Copy or rename it to prosody.cfg.lua and edit as necessary.");
end
@@ -120,7 +120,7 @@ if custom_plugin_paths then
-- path1;path2;path3;defaultpath...
CFG_PLUGINDIR = table.concat(custom_plugin_paths, path_sep)..path_sep..(CFG_PLUGINDIR or "plugins");
end
-prosody.paths = { source = CFG_SOURCEDIR, config = CFG_CONFIGDIR,
+prosody.paths = { source = CFG_SOURCEDIR, config = CFG_CONFIGDIR,
plugins = CFG_PLUGINDIR or "plugins", data = data_path };
if prosody.installed then
@@ -135,13 +135,18 @@ dependencies.log_warnings();
-- Switch away from root and into the prosody user --
local switched_user, current_uid;
-local want_pposix_version = "0.3.6";
-local ok, pposix = pcall(require, "util.pposix");
+local want_pposix_version = "0.4.0";
+local have_pposix, pposix = pcall(require, "util.pposix");
-if ok and pposix then
- if pposix._VERSION ~= want_pposix_version then print(string.format("Unknown version (%s) of binary pposix module, expected %s", tostring(pposix._VERSION), want_pposix_version)); return; end
+if have_pposix and pposix then
+ if pposix._VERSION ~= want_pposix_version then
+ print(string.format("Unknown version (%s) of binary pposix module, expected %s",
+ tostring(pposix._VERSION), want_pposix_version)); return;
+ end
current_uid = pposix.getuid();
- if current_uid == 0 then
+ local arg_root = arg[1] == "--root";
+ if arg_root then table.remove(arg, 1); end
+ if current_uid == 0 and config.get("*", "run_as_root") ~= true and not arg_root then
-- We haz root!
local desired_user = config.get("*", "prosody_user") or "prosody";
local desired_group = config.get("*", "prosody_group") or desired_user;
@@ -159,9 +164,20 @@ if ok and pposix then
if not switched_user then
-- Boo!
print("Warning: Couldn't switch to Prosody user/group '"..tostring(desired_user).."'/'"..tostring(desired_group).."': "..tostring(err));
+ else
+ -- Make sure the Prosody user can read the config
+ local conf, err, errno = io.open(ENV_CONFIG);
+ if conf then
+ conf:close();
+ else
+ print("The config file is not readable by the '"..desired_user.."' user.");
+ print("Prosody will not be able to read it.");
+ print("Error was "..err);
+ os.exit(1);
+ end
end
end
-
+
-- Set our umask to protect data files
pposix.umask(config.get("*", "umask") or "027");
pposix.setenv("HOME", data_path);
@@ -212,7 +228,7 @@ if #unwriteable_files > 0 then
end
-local error_messages = setmetatable({
+local error_messages = setmetatable({
["invalid-username"] = "The given username is invalid in a Jabber ID";
["invalid-hostname"] = "The given hostname is invalid";
["no-password"] = "No password was supplied";
@@ -233,6 +249,7 @@ local function make_host(hostname)
type = "local",
events = prosody.events,
modules = {},
+ sessions = {},
users = require "core.usermanager".new_null_provider(hostname)
};
end
@@ -240,17 +257,25 @@ end
for hostname, config in pairs(config.getconfig()) do
hosts[hostname] = make_host(hostname);
end
-
+
local modulemanager = require "core.modulemanager"
local prosodyctl = require "util.prosodyctl"
-require "socket"
+local socket = require "socket"
+
+local http = require "net.http"
+local config_ssl = config.get("*", "ssl") or {}
+local https_client = config.get("*", "client_https_ssl")
+http.default.options.sslctx = require "core.certmanager".create_context("client_https port 0", "client",
+ { capath = config_ssl.capath, cafile = config_ssl.cafile, verify = "peer", }, https_client);
+
-----------------------
- -- FIXME: Duplicate code waiting for util.startup
+-- FIXME: Duplicate code waiting for util.startup
function read_version()
-- Try to determine version
local version_file = io.open((CFG_SOURCEDIR or ".").."/prosody.version");
+ prosody.version = "unknown";
if version_file then
prosody.version = version_file:read("*a"):gsub("%s*$", "");
version_file:close();
@@ -258,13 +283,14 @@ function read_version()
prosody.version = "hg:"..prosody.version;
end
else
- prosody.version = "unknown";
+ local hg = require"util.mercurial";
+ local hgid = hg.check_id(CFG_SOURCEDIR or ".");
+ if hgid then prosody.version = "hg:" .. hgid; end
end
end
local show_message, show_warning = prosodyctl.show_message, prosodyctl.show_warning;
local show_usage = prosodyctl.show_usage;
-local getchar, getpass = prosodyctl.getchar, prosodyctl.getpass;
local show_yesno = prosodyctl.show_yesno;
local show_prompt = prosodyctl.show_prompt;
local read_password = prosodyctl.read_password;
@@ -287,30 +313,30 @@ function commands.adduser(arg)
show_usage [[adduser user@host]]
return 1;
end
-
+
if not host then
show_message [[Please specify a JID, including a host. e.g. alice@example.com]];
return 1;
end
-
+
if not hosts[host] then
show_warning("The host '%s' is not listed in the configuration file (or is not enabled).", host)
show_warning("The user will not be able to log in until this is changed.");
hosts[host] = make_host(host);
end
-
+
if prosodyctl.user_exists{ user = user, host = host } then
show_message [[That user already exists]];
return 1;
end
-
+
local password = read_password();
if not password then return 1; end
-
+
local ok, msg = prosodyctl.adduser { user = user, host = host, password = password };
-
+
if ok then return 0; end
-
+
show_message(msg)
return 1;
end
@@ -320,36 +346,36 @@ function commands.passwd(arg)
show_usage([[passwd JID]], [[Set the password for the specified user account in Prosody]]);
return 1;
end
- local user, host = jid_split(arg[1])
+ local user, host = jid_split(arg[1]);
if not user and host then
show_message [[Failed to understand JID, please supply the JID you want to set the password for]]
show_usage [[passwd user@host]]
return 1;
end
-
+
if not host then
show_message [[Please specify a JID, including a host. e.g. alice@example.com]];
return 1;
end
-
+
if not hosts[host] then
show_warning("The host '%s' is not listed in the configuration file (or is not enabled).", host)
show_warning("The user will not be able to log in until this is changed.");
hosts[host] = make_host(host);
end
-
+
if not prosodyctl.user_exists { user = user, host = host } then
show_message [[That user does not exist, use prosodyctl adduser to create a new user]]
return 1;
end
-
+
local password = read_password();
if not password then return 1; end
-
+
local ok, msg = prosodyctl.passwd { user = user, host = host, password = password };
-
+
if ok then return 0; end
-
+
show_message(error_messages[msg])
return 1;
end
@@ -365,12 +391,12 @@ function commands.deluser(arg)
show_usage [[deluser user@host]]
return 1;
end
-
+
if not host then
show_message [[Please specify a JID, including a host. e.g. alice@example.com]];
return 1;
end
-
+
if not hosts[host] then
show_warning("The host '%s' is not listed in the configuration file (or is not enabled).", host)
hosts[host] = make_host(host);
@@ -380,11 +406,11 @@ function commands.deluser(arg)
show_message [[That user does not exist on this server]]
return 1;
end
-
+
local ok, msg = prosodyctl.deluser { user = user, host = host };
-
+
if ok then return 0; end
-
+
show_message(error_messages[msg])
return 1;
end
@@ -399,7 +425,7 @@ function commands.start(arg)
show_message(error_messages[ret]);
return 1;
end
-
+
if ret then
local ok, ret = prosodyctl.getpid();
if not ok then
@@ -410,10 +436,14 @@ function commands.start(arg)
show_message("Prosody is already running with PID %s", ret or "(unknown)");
return 1;
end
-
+
local ok, ret = prosodyctl.start();
if ok then
- if config.get("*", "daemonize") ~= false then
+ local daemonize = config.get("*", "daemonize");
+ if daemonize == nil then
+ daemonize = prosody.installed;
+ end
+ if daemonize then
local i=1;
while true do
local ok, running = prosodyctl.isrunning();
@@ -434,8 +464,8 @@ function commands.start(arg)
end
show_message("Failed to start Prosody");
- show_message(error_messages[ret])
- return 1;
+ show_message(error_messages[ret])
+ return 1;
end
function commands.status(arg)
@@ -449,7 +479,7 @@ function commands.status(arg)
show_message(error_messages[ret]);
return 1;
end
-
+
if ret then
local ok, ret = prosodyctl.getpid();
if not ok then
@@ -482,7 +512,7 @@ function commands.stop(arg)
show_message("Prosody is not running");
return 1;
end
-
+
local ok, ret = prosodyctl.stop();
if ok then
local i=1;
@@ -512,7 +542,7 @@ function commands.restart(arg)
show_usage([[restart]], [[Restart a running Prosody server]]);
return 1;
end
-
+
commands.stop(arg);
return commands.start(arg);
end
@@ -523,17 +553,32 @@ function commands.about(arg)
show_usage([[about]], [[Show information about this Prosody installation]]);
return 1;
end
-
+
+ local pwd = ".";
+ local lfs = require "lfs";
local array = require "util.array";
local keys = require "util.iterators".keys;
-
+ local hg = require"util.mercurial";
+ local relpath = config.resolve_relative_path;
+
print("Prosody "..(prosody.version or "(unknown version)"));
print("");
print("# Prosody directories");
- print("Data directory: ", CFG_DATADIR or "./");
- print("Plugin directory:", CFG_PLUGINDIR or "./");
- print("Config directory:", CFG_CONFIGDIR or "./");
- print("Source directory:", CFG_SOURCEDIR or "./");
+ print("Data directory: "..relpath(pwd, data_path));
+ print("Config directory: "..relpath(pwd, CFG_CONFIGDIR or "."));
+ print("Source directory: "..relpath(pwd, CFG_SOURCEDIR or "."));
+ print("Plugin directories:")
+ print(" "..(prosody.paths.plugins:gsub("([^;]+);?", function(path)
+ path = config.resolve_relative_path(pwd, path);
+ local hgid, hgrepo = hg.check_id(path);
+ if not hgid and hgrepo then
+ return path.." - "..hgrepo .."!\n ";
+ end
+ -- 010452cfaf53 is the first commit in the prosody-modules repository
+ hgrepo = hgrepo == "010452cfaf53" and "prosody-modules";
+ return path..(hgid and " - "..(hgrepo or "HG").." rev: "..hgid or "")
+ .."\n ";
+ end)));
print("");
print("# Lua environment");
print("Lua version: ", _G._VERSION);
@@ -555,6 +600,8 @@ function commands.about(arg)
print("");
print("# Lua module versions");
local module_versions, longest_name = {}, 8;
+ local luaevent =dependencies.softreq"luaevent";
+ local ssl = dependencies.softreq"ssl";
for name, module in pairs(package.loaded) do
if type(module) == "table" and rawget(module, "_VERSION")
and name ~= "_G" and not name:match("%.") then
@@ -564,8 +611,11 @@ function commands.about(arg)
module_versions[name] = module._VERSION;
end
end
+ if luaevent then
+ module_versions["libevent"] = luaevent.core.libevent_version();
+ end
local sorted_keys = array.collect(keys(module_versions)):sort();
- for _, name in ipairs(array.collect(keys(module_versions)):sort()) do
+ for _, name in ipairs(sorted_keys) do
print(name..":"..string.rep(" ", longest_name-#name), module_versions[name]);
end
print("");
@@ -581,10 +631,10 @@ function commands.reload(arg)
show_message("Prosody is not running");
return 1;
end
-
+
local ok, ret = prosodyctl.reload();
if ok then
-
+
show_message("Prosody log files re-opened and config file reloaded. You may need to reload modules for some changes to take effect.");
return 0;
end
@@ -594,6 +644,8 @@ function commands.reload(arg)
end
-- ejabberdctl compatibility
+local unpack = table.unpack or unpack; -- luacheck: ignore 113
+
function commands.register(arg)
local user, host, password = unpack(arg);
if (not (user and host)) or arg[1] == "--help" then
@@ -614,11 +666,11 @@ function commands.register(arg)
return 1;
end
end
-
+
local ok, msg = prosodyctl.adduser { user = user, host = host, password = password };
-
+
if ok then return 0; end
-
+
show_message(error_messages[msg])
return 1;
end
@@ -638,9 +690,9 @@ function commands.unregister(arg)
end
local ok, msg = prosodyctl.deluser { user = user, host = host };
-
+
if ok then return 0; end
-
+
show_message(error_messages[msg])
return 1;
end
@@ -650,40 +702,72 @@ local lfs;
local cert_commands = {};
-local function ask_overwrite(filename)
- return lfs.attributes(filename) and not show_yesno("Overwrite "..filename .. "?");
+-- If a file already exists, ask if the user wants to use it or replace it
+-- Backups the old file if replaced
+local function use_existing(filename)
+ local attrs = lfs.attributes(filename);
+ if attrs then
+ if show_yesno(filename .. " exists, do you want to replace it? [y/n]") then
+ local backup = filename..".bkp~"..os.date("%FT%T", attrs.change);
+ os.rename(filename, backup);
+ show_message(filename.." backed up to "..backup);
+ else
+ -- Use the existing file
+ return true;
+ end
+ end
+end
+
+local cert_basedir = CFG_DATADIR or "./certs";
+if have_pposix and pposix.getuid() == 0 then
+ -- FIXME should be enough to check if this directory is writable
+ local cert_dir = config.get("*", "certificates") or "certs";
+ cert_basedir = config.resolve_relative_path(prosody.paths.config, cert_dir);
end
function cert_commands.config(arg)
if #arg >= 1 and arg[1] ~= "--help" then
- local conf_filename = (CFG_DATADIR or "./certs") .. "/" .. arg[1] .. ".cnf";
- if ask_overwrite(conf_filename) then
+ local conf_filename = cert_basedir .. "/" .. arg[1] .. ".cnf";
+ if use_existing(conf_filename) then
return nil, conf_filename;
end
+ local distinguished_name;
+ if arg[#arg]:find("^/") then
+ distinguished_name = table.remove(arg);
+ end
local conf = openssl.config.new();
conf:from_prosody(hosts, config, arg);
- show_message("Please provide details to include in the certificate config file.");
- show_message("Leave the field empty to use the default value or '.' to exclude the field.")
- for i, k in ipairs(openssl._DN_order) do
- local v = conf.distinguished_name[k];
- if v then
- local nv;
- if k == "commonName" then
- v = arg[1]
- elseif k == "emailAddress" then
- v = "xmpp@" .. arg[1];
- elseif k == "countryName" then
- local tld = arg[1]:match"%.([a-z]+)$";
- if tld and #tld == 2 and tld ~= "uk" then
- v = tld:upper();
+ if distinguished_name then
+ local dn = {};
+ for k, v in distinguished_name:gmatch("/([^=/]+)=([^/]+)") do
+ table.insert(dn, k);
+ dn[k] = v;
+ end
+ conf.distinguished_name = dn;
+ else
+ show_message("Please provide details to include in the certificate config file.");
+ show_message("Leave the field empty to use the default value or '.' to exclude the field.")
+ for _, k in ipairs(openssl._DN_order) do
+ local v = conf.distinguished_name[k];
+ if v then
+ local nv;
+ if k == "commonName" then
+ v = arg[1]
+ elseif k == "emailAddress" then
+ v = "xmpp@" .. arg[1];
+ elseif k == "countryName" then
+ local tld = arg[1]:match"%.([a-z]+)$";
+ if tld and #tld == 2 and tld ~= "uk" then
+ v = tld:upper();
+ end
end
+ nv = show_prompt(("%s (%s):"):format(k, nv or v));
+ nv = (not nv or nv == "") and v or nv;
+ if nv:find"[\192-\252][\128-\191]+" then
+ conf.req.string_mask = "utf8only"
+ end
+ conf.distinguished_name[k] = nv ~= "." and nv or nil;
end
- nv = show_prompt(("%s (%s):"):format(k, nv or v));
- nv = (not nv or nv == "") and v or nv;
- if nv:find"[\192-\252][\128-\191]+" then
- conf.req.string_mask = "utf8only"
- end
- conf.distinguished_name[k] = nv ~= "." and nv or nil;
end
end
local conf_file, err = io.open(conf_filename, "w");
@@ -704,8 +788,8 @@ end
function cert_commands.key(arg)
if #arg >= 1 and arg[1] ~= "--help" then
- local key_filename = (CFG_DATADIR or "./certs") .. "/" .. arg[1] .. ".key";
- if ask_overwrite(key_filename) then
+ local key_filename = cert_basedir .. "/" .. arg[1] .. ".key";
+ if use_existing(key_filename) then
return nil, key_filename;
end
os.remove(key_filename); -- This file, if it exists is unlikely to have write permissions
@@ -726,13 +810,13 @@ end
function cert_commands.request(arg)
if #arg >= 1 and arg[1] ~= "--help" then
- local req_filename = (CFG_DATADIR or "./certs") .. "/" .. arg[1] .. ".req";
- if ask_overwrite(req_filename) then
+ local req_filename = cert_basedir .. "/" .. arg[1] .. ".req";
+ if use_existing(req_filename) then
return nil, req_filename;
end
local _, key_filename = cert_commands.key({arg[1]});
local _, conf_filename = cert_commands.config(arg);
- if openssl.req{new=true, key=key_filename, utf8=true, config=conf_filename, out=req_filename} then
+ if openssl.req{new=true, key=key_filename, utf8=true, sha256=true, config=conf_filename, out=req_filename} then
show_message("Certificate request written to ".. req_filename);
else
show_message("There was a problem, see OpenSSL output");
@@ -744,17 +828,17 @@ end
function cert_commands.generate(arg)
if #arg >= 1 and arg[1] ~= "--help" then
- local cert_filename = (CFG_DATADIR or "./certs") .. "/" .. arg[1] .. ".crt";
- if ask_overwrite(cert_filename) then
+ local cert_filename = cert_basedir .. "/" .. arg[1] .. ".crt";
+ if use_existing(cert_filename) then
return nil, cert_filename;
end
local _, key_filename = cert_commands.key({arg[1]});
local _, conf_filename = cert_commands.config(arg);
- local ret;
if key_filename and conf_filename and cert_filename
and openssl.req{new=true, x509=true, nodes=true, key=key_filename,
- days=365, sha1=true, utf8=true, config=conf_filename, out=cert_filename} then
+ days=365, sha256=true, utf8=true, config=conf_filename, out=cert_filename} then
show_message("Certificate written to ".. cert_filename);
+ print();
else
show_message("There was a problem, see OpenSSL output");
end
@@ -763,24 +847,605 @@ function cert_commands.generate(arg)
end
end
+local function sh_esc(s)
+ return "'" .. s:gsub("'", "'\\''") .. "'";
+end
+
+local function copy(from, to, umask, owner, group)
+ local old_umask = umask and pposix.umask(umask);
+ local attrs = lfs.attributes(to);
+ if attrs then -- Move old file out of the way
+ local backup = to..".bkp~"..os.date("%FT%T", attrs.change);
+ os.rename(to, backup);
+ end
+ -- FIXME friendlier error handling, maybe move above backup back?
+ local input = assert(io.open(from));
+ local output = assert(io.open(to, "w"));
+ local data = input:read(2^11);
+ while data and output:write(data) do
+ data = input:read(2^11);
+ end
+ assert(input:close());
+ assert(output:close());
+ if owner and group then
+ local ok = os.execute(("chown %s:%s %s"):format(sh_esc(owner), sh_esc(group), sh_esc(to)));
+ assert(ok == true or ok == 0, "Failed to change ownership of "..to);
+ end
+ if old_umask then pposix.umask(old_umask); end
+ return true;
+end
+
+function cert_commands.import(arg)
+ local hostnames = {};
+ -- Move hostname arguments out of arg, the rest should be a list of paths
+ while arg[1] and prosody.hosts[ arg[1] ] do
+ table.insert(hostnames, table.remove(arg, 1));
+ end
+ if hostnames[1] == nil then
+ local domains = os.getenv"RENEWED_DOMAINS"; -- Set if invoked via certbot
+ if domains then
+ for host in domains:gmatch("%S+") do
+ table.insert(hostnames, host);
+ end
+ else
+ for host in pairs(prosody.hosts) do
+ if host ~= "*" and config.get(host, "enabled") ~= false then
+ table.insert(hostnames, host);
+ end
+ end
+ end
+ end
+ if not arg[1] or arg[1] == "--help" then -- Probably forgot the path
+ show_usage("cert import [HOSTNAME+] /path/to/certs [/other/paths/]+",
+ "Copies certificates to "..cert_basedir);
+ return 1;
+ end
+ local owner, group;
+ if pposix.getuid() == 0 then -- We need root to change ownership
+ owner = config.get("*", "prosody_user") or "prosody";
+ group = config.get("*", "prosody_group") or owner;
+ end
+ local cm = require "core.certmanager";
+ local imported = {};
+ for _, host in ipairs(hostnames) do
+ for _, dir in ipairs(arg) do
+ local paths = cm.find_cert(dir, host);
+ if paths then
+ copy(paths.certificate, cert_basedir .. "/" .. host .. ".crt", nil, owner, group);
+ copy(paths.key, cert_basedir .. "/" .. host .. ".key", "0377", owner, group);
+ table.insert(imported, host);
+ else
+ -- TODO Say where we looked
+ show_warning("No certificate for host "..host.." found :(");
+ end
+ -- TODO Additional checks
+ -- Certificate names matches the hostname
+ -- Private key matches public key in certificate
+ end
+ end
+ if imported[1] then
+ show_message("Imported certificate and key for hosts "..table.concat(imported, ", "));
+ local ok, err = prosodyctl.reload();
+ if not ok and err ~= "not-running" then
+ show_message(error_messages[err]);
+ end
+ else
+ show_warning("No certificates imported :(");
+ return 1;
+ end
+end
+
function commands.cert(arg)
if #arg >= 1 and arg[1] ~= "--help" then
openssl = require "util.openssl";
lfs = require "lfs";
+ local cert_dir_attrs = lfs.attributes(cert_basedir);
+ if not cert_dir_attrs then
+ show_warning("The directory "..cert_basedir.." does not exist");
+ return 1; -- TODO Should we create it?
+ end
+ if pposix.getuid() ~= cert_dir_attrs.uid then
+ show_warning("The directory "..cert_basedir.." is not owned by the current user, won't be able to write files to it");
+ return 1;
+ elseif not cert_dir_attrs.permissions then -- COMPAT with LuaFilesystem < 1.6.2 (hey CentOS!)
+ show_message("Unable to check permissions on "..cert_basedir.." (LuaFilesystem 1.6.2+ required)");
+ show_message("Please confirm that Prosody (and only Prosody) can write to this directory)");
+ elseif cert_dir_attrs.permissions:match("^%.w..%-..%-.$") then
+ show_warning("The directory "..cert_basedir.." not only writable by its owner");
+ return 1;
+ end
local subcmd = table.remove(arg, 1);
if type(cert_commands[subcmd]) == "function" then
- if not arg[1] then
- show_message"You need to supply at least one hostname"
- arg = { "--help" };
- end
- if arg[1] ~= "--help" and not hosts[arg[1]] then
- show_message(error_messages["no-such-host"]);
- return
+ if subcmd ~= "import" then -- hostnames are optional for import
+ if not arg[1] then
+ show_message"You need to supply at least one hostname"
+ arg = { "--help" };
+ end
+ if arg[1] ~= "--help" and not hosts[arg[1]] then
+ show_message(error_messages["no-such-host"]);
+ return 1;
+ end
end
return cert_commands[subcmd](arg);
+ elseif subcmd == "check" then
+ return commands.check({"certs"});
+ end
+ end
+ show_usage("cert config|request|generate|key|import", "Helpers for generating X.509 certificates and keys.")
+ for _, cmd in pairs(cert_commands) do
+ print()
+ cmd{ "--help" }
+ end
+end
+
+function commands.check(arg)
+ if arg[1] == "--help" then
+ show_usage([[check]], [[Perform basic checks on your Prosody installation]]);
+ return 1;
+ end
+ local what = table.remove(arg, 1);
+ local array, set = require "util.array", require "util.set";
+ local it = require "util.iterators";
+ local ok = true;
+ local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end
+ local function enabled_hosts() return it.filter(disabled_hosts, pairs(config.getconfig())); end
+ if not what or what == "disabled" then
+ local disabled_hosts = set.new();
+ for host, host_options in it.filter("*", pairs(config.getconfig())) do
+ if host_options.enabled == false then
+ disabled_hosts:add(host);
+ end
+ end
+ if not disabled_hosts:empty() then
+ local msg = "Checks will be skipped for these disabled hosts: %s";
+ if what then msg = "These hosts are disabled: %s"; end
+ show_warning(msg, tostring(disabled_hosts));
+ if what then return 0; end
+ print""
+ end
+ end
+ if not what or what == "config" then
+ print("Checking config...");
+ local deprecated = set.new({
+ "bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login", "require_encryption",
+ "vcard_compatibility",
+ });
+ local known_global_options = set.new({
+ "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize",
+ "umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings",
+ "network_backend", "http_default_host",
+ });
+ local config = config.getconfig();
+ -- Check that we have any global options (caused by putting a host at the top)
+ if it.count(it.filter("log", pairs(config["*"]))) == 0 then
+ ok = false;
+ print("");
+ print(" No global options defined. Perhaps you have put a host definition at the top")
+ print(" of the config file? They should be at the bottom, see http://prosody.im/doc/configure#overview");
+ end
+ if it.count(enabled_hosts()) == 0 then
+ ok = false;
+ print("");
+ if it.count(it.filter("*", pairs(config))) == 0 then
+ print(" No hosts are defined, please add at least one VirtualHost section")
+ elseif config["*"]["enabled"] == false then
+ print(" No hosts are enabled. Remove enabled = false from the global section or put enabled = true under at least one VirtualHost section")
+ else
+ print(" All hosts are disabled. Remove enabled = false from at least one VirtualHost section")
+ end
+ end
+ if not config["*"].modules_enabled then
+ print(" No global modules_enabled is set?");
+ local suggested_global_modules;
+ for host, options in enabled_hosts() do
+ if not options.component_module and options.modules_enabled then
+ suggested_global_modules = set.intersection(suggested_global_modules or set.new(options.modules_enabled), set.new(options.modules_enabled));
+ end
+ end
+ if suggested_global_modules and not suggested_global_modules:empty() then
+ print(" Consider moving these modules into modules_enabled in the global section:")
+ print(" "..tostring(suggested_global_modules / function (x) return ("%q"):format(x) end));
+ end
+ print();
+ end
+ -- Check for global options under hosts
+ local global_options = set.new(it.to_array(it.keys(config["*"])));
+ local deprecated_global_options = set.intersection(global_options, deprecated);
+ if not deprecated_global_options:empty() then
+ print("");
+ print(" You have some deprecated options in the global section:");
+ print(" "..tostring(deprecated_global_options))
+ ok = false;
end
+ for host, options in enabled_hosts() do
+ local host_options = set.new(it.to_array(it.keys(options)));
+ local misplaced_options = set.intersection(host_options, known_global_options);
+ for name in pairs(options) do
+ if name:match("^interfaces?")
+ or name:match("_ports?$") or name:match("_interfaces?$")
+ or (name:match("_ssl$") and not name:match("^[cs]2s_ssl$")) then
+ misplaced_options:add(name);
+ end
+ end
+ if not misplaced_options:empty() then
+ ok = false;
+ print("");
+ local n = it.count(misplaced_options);
+ print(" You have "..n.." option"..(n>1 and "s " or " ").."set under "..host.." that should be");
+ print(" in the global section of the config file, above any VirtualHost or Component definitions,")
+ print(" see http://prosody.im/doc/configure#overview for more information.")
+ print("");
+ print(" You need to move the following option"..(n>1 and "s" or "")..": "..table.concat(it.to_array(misplaced_options), ", "));
+ end
+ local subdomain = host:match("^[^.]+");
+ if not(host_options:contains("component_module")) and (subdomain == "jabber" or subdomain == "xmpp"
+ or subdomain == "chat" or subdomain == "im") then
+ print("");
+ print(" Suggestion: If "..host.. " is a new host with no real users yet, consider renaming it now to");
+ print(" "..host:gsub("^[^.]+%.", "")..". You can use SRV records to redirect XMPP clients and servers to "..host..".");
+ print(" For more information see: http://prosody.im/doc/dns");
+ end
+ end
+ local all_modules = set.new(config["*"].modules_enabled);
+ local all_options = set.new(it.to_array(it.keys(config["*"])));
+ for host in enabled_hosts() do
+ all_options:include(set.new(it.to_array(it.keys(config[host]))));
+ all_modules:include(set.new(config[host].modules_enabled));
+ end
+ for mod in all_modules do
+ if mod:match("^mod_") then
+ print("");
+ print(" Modules in modules_enabled should not have the 'mod_' prefix included.");
+ print(" Change '"..mod.."' to '"..mod:match("^mod_(.*)").."'.");
+ elseif mod:match("^auth_") then
+ print("");
+ print(" Authentication modules should not be added to modules_enabled,");
+ print(" but be specified in the 'authentication' option.");
+ print(" Remove '"..mod.."' from modules_enabled and instead add");
+ print(" authentication = '"..mod:match("^auth_(.*)").."'");
+ print(" For more information see https://prosody.im/doc/authentication");
+ elseif mod:match("^storage_") then
+ print("");
+ print(" storage modules should not be added to modules_enabled,");
+ print(" but be specified in the 'storage' option.");
+ print(" Remove '"..mod.."' from modules_enabled and instead add");
+ print(" storage = '"..mod:match("^storage_(.*)").."'");
+ print(" For more information see https://prosody.im/doc/storage");
+ end
+ end
+ for host, config in pairs(config) do
+ if type(rawget(config, "storage")) == "string" and rawget(config, "default_storage") then
+ print("");
+ print(" The 'default_storage' option is not needed if 'storage' is set to a string.");
+ break;
+ end
+ end
+ local require_encryption = set.intersection(all_options, set.new({"require_encryption", "c2s_require_encryption", "s2s_require_encryption"})):empty();
+ local ssl = dependencies.softreq"ssl";
+ if not ssl then
+ if not require_encryption then
+ print("");
+ print(" You require encryption but LuaSec is not available.");
+ print(" Connections will fail.");
+ ok = false;
+ end
+ elseif not ssl.loadcertificate then
+ if all_options:contains("s2s_secure_auth") then
+ print("");
+ print(" You have set s2s_secure_auth but your version of LuaSec does ");
+ print(" not support certificate validation, so all s2s connections will");
+ print(" fail.");
+ ok = false;
+ elseif all_options:contains("s2s_secure_domains") then
+ local secure_domains = set.new();
+ for host in enabled_hosts() do
+ if config[host].s2s_secure_auth == true then
+ secure_domains:add("*");
+ else
+ secure_domains:include(set.new(config[host].s2s_secure_domains));
+ end
+ end
+ if not secure_domains:empty() then
+ print("");
+ print(" You have set s2s_secure_domains but your version of LuaSec does ");
+ print(" not support certificate validation, so s2s connections to/from ");
+ print(" these domains will fail.");
+ ok = false;
+ end
+ end
+ elseif require_encryption and not all_modules:contains("tls") then
+ print("");
+ print(" You require encryption but mod_tls is not enabled.");
+ print(" Connections will fail.");
+ ok = false;
+ end
+
+ print("Done.\n");
end
- show_usage("cert config|request|generate|key", "Helpers for generating X.509 certificates and keys.")
+ if not what or what == "dns" then
+ local dns = require "net.dns";
+ local idna = require "util.encodings".idna;
+ local ip = require "util.ip";
+ local c2s_ports = set.new(config.get("*", "c2s_ports") or {5222});
+ local s2s_ports = set.new(config.get("*", "s2s_ports") or {5269});
+
+ local c2s_srv_required, s2s_srv_required;
+ if not c2s_ports:contains(5222) then
+ c2s_srv_required = true;
+ end
+ if not s2s_ports:contains(5269) then
+ s2s_srv_required = true;
+ end
+
+ local problem_hosts = set.new();
+
+ local external_addresses, internal_addresses = set.new(), set.new();
+
+ local fqdn = socket.dns.tohostname(socket.dns.gethostname());
+ if fqdn then
+ local res = dns.lookup(idna.to_ascii(fqdn), "A");
+ if res then
+ for _, record in ipairs(res) do
+ external_addresses:add(record.a);
+ end
+ end
+ local res = dns.lookup(idna.to_ascii(fqdn), "AAAA");
+ if res then
+ for _, record in ipairs(res) do
+ external_addresses:add(record.aaaa);
+ end
+ end
+ end
+
+ local local_addresses = require"util.net".local_addresses() or {};
+
+ for addr in it.values(local_addresses) do
+ if not ip.new_ip(addr).private then
+ external_addresses:add(addr);
+ else
+ internal_addresses:add(addr);
+ end
+ end
+
+ if external_addresses:empty() then
+ print("");
+ print(" Failed to determine the external addresses of this server. Checks may be inaccurate.");
+ c2s_srv_required, s2s_srv_required = true, true;
+ end
+
+ local v6_supported = not not socket.tcp6;
+
+ for jid, host_options in enabled_hosts() do
+ local all_targets_ok, some_targets_ok = true, false;
+ local node, host = jid_split(jid);
+
+ local is_component = not not host_options.component_module;
+ print("Checking DNS for "..(is_component and "component" or "host").." "..jid.."...");
+ if node then
+ print("Only the domain part ("..host..") is used in DNS.")
+ end
+ local target_hosts = set.new();
+ if not is_component then
+ local res = dns.lookup("_xmpp-client._tcp."..idna.to_ascii(host)..".", "SRV");
+ if res then
+ for _, record in ipairs(res) do
+ target_hosts:add(record.srv.target);
+ if not c2s_ports:contains(record.srv.port) then
+ print(" SRV target "..record.srv.target.." contains unknown client port: "..record.srv.port);
+ end
+ end
+ else
+ if c2s_srv_required then
+ print(" No _xmpp-client SRV record found for "..host..", but it looks like you need one.");
+ all_targets_ok = false;
+ else
+ target_hosts:add(host);
+ end
+ end
+ end
+ local res = dns.lookup("_xmpp-server._tcp."..idna.to_ascii(host)..".", "SRV");
+ if res then
+ for _, record in ipairs(res) do
+ target_hosts:add(record.srv.target);
+ if not s2s_ports:contains(record.srv.port) then
+ print(" SRV target "..record.srv.target.." contains unknown server port: "..record.srv.port);
+ end
+ end
+ else
+ if s2s_srv_required then
+ print(" No _xmpp-server SRV record found for "..host..", but it looks like you need one.");
+ all_targets_ok = false;
+ else
+ target_hosts:add(host);
+ end
+ end
+ if target_hosts:empty() then
+ target_hosts:add(host);
+ end
+
+ if target_hosts:contains("localhost") then
+ print(" Target 'localhost' cannot be accessed from other servers");
+ target_hosts:remove("localhost");
+ end
+
+ local modules = set.new(it.to_array(it.values(host_options.modules_enabled or {})))
+ + set.new(it.to_array(it.values(config.get("*", "modules_enabled") or {})))
+ + set.new({ config.get(host, "component_module") });
+
+ if modules:contains("proxy65") then
+ local proxy65_target = config.get(host, "proxy65_address") or host;
+ local A, AAAA = dns.lookup(idna.to_ascii(proxy65_target), "A"), dns.lookup(idna.to_ascii(proxy65_target), "AAAA");
+ local prob = {};
+ if not A then
+ table.insert(prob, "A");
+ end
+ if v6_supported and not AAAA then
+ table.insert(prob, "AAAA");
+ end
+ if #prob > 0 then
+ print(" File transfer proxy "..proxy65_target.." has no "..table.concat(prob, "/").." record. Create one or set 'proxy65_address' to the correct host/IP.");
+ end
+ end
+
+ for host in target_hosts do
+ local host_ok_v4, host_ok_v6;
+ local res = dns.lookup(idna.to_ascii(host), "A");
+ if res then
+ for _, record in ipairs(res) do
+ if external_addresses:contains(record.a) then
+ some_targets_ok = true;
+ host_ok_v4 = true;
+ elseif internal_addresses:contains(record.a) then
+ host_ok_v4 = true;
+ some_targets_ok = true;
+ print(" "..host.." A record points to internal address, external connections might fail");
+ else
+ print(" "..host.." A record points to unknown address "..record.a);
+ all_targets_ok = false;
+ end
+ end
+ end
+ local res = dns.lookup(idna.to_ascii(host), "AAAA");
+ if res then
+ for _, record in ipairs(res) do
+ if external_addresses:contains(record.aaaa) then
+ some_targets_ok = true;
+ host_ok_v6 = true;
+ elseif internal_addresses:contains(record.aaaa) then
+ host_ok_v6 = true;
+ some_targets_ok = true;
+ print(" "..host.." AAAA record points to internal address, external connections might fail");
+ else
+ print(" "..host.." AAAA record points to unknown address "..record.aaaa);
+ all_targets_ok = false;
+ end
+ end
+ end
+
+ local bad_protos = {}
+ if not host_ok_v4 then
+ table.insert(bad_protos, "IPv4");
+ end
+ if not host_ok_v6 then
+ table.insert(bad_protos, "IPv6");
+ end
+ if #bad_protos > 0 then
+ print(" Host "..host.." does not seem to resolve to this server ("..table.concat(bad_protos, "/")..")");
+ end
+ if host_ok_v6 and not v6_supported then
+ print(" Host "..host.." has AAAA records, but your version of LuaSocket does not support IPv6.");
+ print(" Please see http://prosody.im/doc/ipv6 for more information.");
+ end
+ end
+ if not all_targets_ok then
+ print(" "..(some_targets_ok and "Only some" or "No").." targets for "..host.." appear to resolve to this server.");
+ if is_component then
+ print(" DNS records are necessary if you want users on other servers to access this component.");
+ end
+ problem_hosts:add(host);
+ end
+ print("");
+ end
+ if not problem_hosts:empty() then
+ print("");
+ print("For more information about DNS configuration please see http://prosody.im/doc/dns");
+ print("");
+ ok = false;
+ end
+ end
+ if not what or what == "certs" then
+ local cert_ok;
+ print"Checking certificates..."
+ local x509_verify_identity = require"util.x509".verify_identity;
+ local create_context = require "core.certmanager".create_context;
+ local ssl = dependencies.softreq"ssl";
+ -- local datetime_parse = require"util.datetime".parse_x509;
+ local load_cert = ssl and ssl.loadcertificate;
+ -- or ssl.cert_from_pem
+ if not ssl then
+ print("LuaSec not available, can't perform certificate checks")
+ if what == "certs" then cert_ok = false end
+ elseif not load_cert then
+ print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking");
+ cert_ok = false
+ else
+ local function skip_bare_jid_hosts(host)
+ if jid_split(host) then
+ -- See issue #779
+ return false;
+ end
+ return true;
+ end
+ for host in it.filter(skip_bare_jid_hosts, enabled_hosts()) do
+ print("Checking certificate for "..host);
+ -- First, let's find out what certificate this host uses.
+ local host_ssl_config = config.rawget(host, "ssl")
+ or config.rawget(host:match("%.(.*)"), "ssl");
+ local global_ssl_config = config.rawget("*", "ssl");
+ local ok, err, ssl_config = create_context(host, "server", host_ssl_config, global_ssl_config);
+ if not ok then
+ print(" Error: "..err);
+ cert_ok = false
+ elseif not ssl_config.certificate then
+ print(" No 'certificate' found for "..host)
+ cert_ok = false
+ elseif not ssl_config.key then
+ print(" No 'key' found for "..host)
+ cert_ok = false
+ else
+ local key, err = io.open(ssl_config.key); -- Permissions check only
+ if not key then
+ print(" Could not open "..ssl_config.key..": "..err);
+ cert_ok = false
+ else
+ key:close();
+ end
+ local cert_fh, err = io.open(ssl_config.certificate); -- Load the file.
+ if not cert_fh then
+ print(" Could not open "..ssl_config.certificate..": "..err);
+ cert_ok = false
+ else
+ print(" Certificate: "..ssl_config.certificate)
+ local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close();
+ if not cert:validat(os.time()) then
+ print(" Certificate has expired.")
+ cert_ok = false
+ elseif not cert:validat(os.time() + 86400) then
+ print(" Certificate expires within one day.")
+ cert_ok = false
+ elseif not cert:validat(os.time() + 86400*7) then
+ print(" Certificate expires within one week.")
+ elseif not cert:validat(os.time() + 86400*31) then
+ print(" Certificate expires within one month.")
+ end
+ if config.get(host, "component_module") == nil
+ and not x509_verify_identity(host, "_xmpp-client", cert) then
+ print(" Not valid for client connections to "..host..".")
+ cert_ok = false
+ end
+ if (not (config.get(host, "anonymous_login")
+ or config.get(host, "authentication") == "anonymous"))
+ and not x509_verify_identity(host, "_xmpp-server", cert) then
+ print(" Not valid for server-to-server connections to "..host..".")
+ cert_ok = false
+ end
+ end
+ end
+ end
+ if cert_ok == false then
+ print("")
+ print("For more information about certificates please see http://prosody.im/doc/certificates");
+ ok = false
+ end
+ end
+ print("")
+ end
+ if not ok then
+ print("Problems found, see above.");
+ else
+ print("All checks passed, congratulations!");
+ end
+ return ok and 0 or 2;
end
---------------------
@@ -792,20 +1457,20 @@ if command and command:match("^mod_") then -- Is a command in a module
show_message("Failed to load module '"..module_name.."': "..err);
os.exit(1);
end
-
+
table.remove(arg, 1);
-
+
local module = modulemanager.get_module("*", module_name);
if not module then
show_message("Failed to load module '"..module_name.."': Unknown error");
os.exit(1);
end
-
+
if not modulemanager.module_has_method(module, "command") then
show_message("Fail: mod_"..module_name.." does not support any commands");
os.exit(1);
end
-
+
local ok, ret = modulemanager.call_module_method(module, "command", arg);
if ok then
if type(ret) == "number" then
@@ -853,8 +1518,8 @@ if not commands[command] then -- Show help for all commands
done[command_name] = true;
end
end
-
-
+
+
os.exit(0);
end