From 868ae999f7bbc17f3b61d08cb0caff4ec7bbe22e Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Apr 2017 13:21:47 +0200 Subject: prosodyctl: Fix indentation --- prosodyctl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 06550151..3fe14011 100755 --- a/prosodyctl +++ b/prosodyctl @@ -20,8 +20,8 @@ CFG_DATADIR=CFG_DATADIR or os.getenv("PROSODY_DATADIR"); local function is_relative(path) local path_sep = package.config:sub(1,1); - return ((path_sep == "/" and path:sub(1,1) ~= "/") - or (path_sep == "\\" and (path:sub(1,1) ~= "/" and path:sub(2,3) ~= ":\\"))) + return ((path_sep == "/" and path:sub(1,1) ~= "/") + or (path_sep == "\\" and (path:sub(1,1) ~= "/" and path:sub(2,3) ~= ":\\"))) end -- Tell Lua where to find our libraries @@ -250,7 +250,7 @@ local prosodyctl = require "util.prosodyctl" local socket = require "socket" ----------------------- - -- FIXME: Duplicate code waiting for util.startup +-- FIXME: Duplicate code waiting for util.startup function read_version() -- Try to determine version local version_file = io.open((CFG_SOURCEDIR or ".").."/prosody.version"); -- cgit v1.2.3 From 3c2a15fa08b2253125d5a0f6934a2357083c4ef8 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Apr 2017 13:29:04 +0200 Subject: prosodyctl: Remove example showing deprecated config option --- prosodyctl | 1 - 1 file changed, 1 deletion(-) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 3fe14011..4d947179 100755 --- a/prosodyctl +++ b/prosodyctl @@ -818,7 +818,6 @@ function cert_commands.generate(arg) days=365, sha256=true, utf8=true, config=conf_filename, out=cert_filename} then show_message("Certificate written to ".. cert_filename); print(); - show_message(("Example config:\n\nssl = {\n\tcertificate = %q;\n\tkey = %q;\n}"):format(cert_filename, key_filename)); else show_message("There was a problem, see OpenSSL output"); end -- cgit v1.2.3 
From c732b4835fde723ab0555688a7e8f3b40ef86b11 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Apr 2017 14:20:46 +0200 Subject: prosodyctl: Return non-zero status to indicate error --- prosodyctl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 4d947179..57899607 100755 --- a/prosodyctl +++ b/prosodyctl @@ -838,7 +838,7 @@ function commands.cert(arg) end if arg[1] ~= "--help" and not hosts[arg[1]] then show_message(error_messages["no-such-host"]); - return + return 1; end return cert_commands[subcmd](arg); end -- cgit v1.2.3 From 1dfc20f031a3e697f9dcc74d7b63afc15e9ebc59 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Apr 2017 14:24:59 +0200 Subject: prosodyctl: Verify permissions on directory that certificates are written to --- prosodyctl | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 57899607..86e2ccc4 100755 --- a/prosodyctl +++ b/prosodyctl @@ -830,6 +830,14 @@ function commands.cert(arg) if #arg >= 1 and arg[1] ~= "--help" then openssl = require "util.openssl"; lfs = require "lfs"; + local cert_dir_attrs = lfs.attributes(cert_basedir); + if pposix.getuid() ~= cert_dir_attrs.uid then + show_warning("The directory "..cert_basedir.." is not owned by the current user, won't be able to write files to it"); + return 1; + elseif cert_dir_attrs.permissions:match("^%.w..%-..%-.$") then + show_warning("The directory "..cert_basedir.." not only writable by its owner"); + return 1; + end local subcmd = table.remove(arg, 1); if type(cert_commands[subcmd]) == "function" then if not arg[1] then -- cgit v1.2.3 From 31c0689963768851472a6d2d82328a9a63725a77 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Apr 2017 14:34:53 +0200 Subject: prosodyctl: Verify that directory certs are written to exists --- prosodyctl | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'prosodyctl') 
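Review bot: The permissions check in the added `elseif` can never fire: in a Lua pattern `%.` is a literal dot, and the `permissions` string LuaFileSystem returns looks like `rwxr-xr-x`, which never starts with `.`. Even with that fixed, `^.w..%-..%-.$` matches the safe layout (write bit set for the owner only), so the "not only writable by its owner" warning would be raised in exactly the wrong case. Testing the group and other write positions directly says what is meant: `elseif cert_dir_attrs.permissions:sub(5,5) == "w" or cert_dir_attrs.permissions:sub(8,8) == "w" then`. Separately, the uid comparison also rejects root unless root owns the directory, which conflicts with the `cert import` command added further down this page that explicitly supports uid 0 and chowns the copied files; `pposix.getuid() ~= 0 and pposix.getuid() ~= cert_dir_attrs.uid` keeps the check for unprivileged users. commands.cert continues outside the hunk.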
diff --git a/prosodyctl b/prosodyctl index 86e2ccc4..74792c58 100755 --- a/prosodyctl +++ b/prosodyctl @@ -831,6 +831,10 @@ function commands.cert(arg) openssl = require "util.openssl"; lfs = require "lfs"; local cert_dir_attrs = lfs.attributes(cert_basedir); + if not cert_dir_attrs then + show_warning("The directory "..cert_basedir.." does not exist"); + return 1; -- TODO Should we create it? + end if pposix.getuid() ~= cert_dir_attrs.uid then show_warning("The directory "..cert_basedir.." is not owned by the current user, won't be able to write files to it"); return 1; -- cgit v1.2.3 From c89f88fd5484334093692f4268be3d1358bf1dfa Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Apr 2017 14:43:52 +0200 Subject: prosodyctl: Normalize inconsistent whitespace [luacheck] --- prosodyctl | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 74792c58..0827a215 100755 --- a/prosodyctl +++ b/prosodyctl @@ -959,11 +959,11 @@ function commands.check(arg) end local subdomain = host:match("^[^.]+"); if not(host_options:contains("component_module")) and (subdomain == "jabber" or subdomain == "xmpp" - or subdomain == "chat" or subdomain == "im") then - print(""); - print(" Suggestion: If "..host.. " is a new host with no real users yet, consider renaming it now to"); - print(" "..host:gsub("^[^.]+%.", "")..". You can use SRV records to redirect XMPP clients and servers to "..host.."."); - print(" For more information see: http://prosody.im/doc/dns"); + or subdomain == "chat" or subdomain == "im") then + print(""); + print(" Suggestion: If "..host.. " is a new host with no real users yet, consider renaming it now to"); + print(" "..host:gsub("^[^.]+%.", "")..". You can use SRV records to redirect XMPP clients and servers to "..host.."."); + print(" For more information see: http://prosody.im/doc/dns"); end end local all_modules = set.new(config["*"].modules_enabled); -- cgit v1.2.3 
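Review bot: The "does not exist" message on the new `if not cert_dir_attrs` branch covers only one reason `lfs.attributes` returns nil; permission denied or a non-directory component on the path gives the same nil, and the message then sends the user looking for a missing directory. `lfs.attributes` returns the error text as its second value, so capturing it on the (context) assignment keeps the message accurate: `local cert_dir_attrs, err = lfs.attributes(cert_basedir);` and `show_warning("Cannot access the directory "..cert_basedir..": "..tostring(err));`. The branch also accepts any existing path, including a regular file; checking `cert_dir_attrs.mode ~= "directory"` before the uid comparison would catch that. commands.cert continues outside the hunk.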
From e90ec99152efd2932a3c0ae32215e968cbf5ac8f Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Apr 2017 14:44:28 +0200 Subject: prosodyctl: Split long line [luacheck] --- prosodyctl | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 0827a215..637fdd12 100755 --- a/prosodyctl +++ b/prosodyctl @@ -139,7 +139,10 @@ local want_pposix_version = "0.4.0"; local have_pposix, pposix = pcall(require, "util.pposix"); if have_pposix and pposix then - if pposix._VERSION ~= want_pposix_version then print(string.format("Unknown version (%s) of binary pposix module, expected %s", tostring(pposix._VERSION), want_pposix_version)); return; end + if pposix._VERSION ~= want_pposix_version then + print(string.format("Unknown version (%s) of binary pposix module, expected %s", + tostring(pposix._VERSION), want_pposix_version)); return; + end current_uid = pposix.getuid(); local arg_root = arg[1] == "--root"; if arg_root then table.remove(arg, 1); end -- cgit v1.2.3 From 279badc8aec122e4533560e2b34cf9021a8a75c4 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 21 Apr 2017 15:11:25 +0200 Subject: prosodyctl: cert import: Command to copy certificates into prosodys certificate directory (fixes #892) --- prosodyctl | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 637fdd12..cc410f5a 100755 --- a/prosodyctl +++ b/prosodyctl 
@@ -829,6 +829,72 @@ function cert_commands.generate(arg) end end +local function sh_esc(s) + return "'" .. s:gsub("'", "'\\''") .. "'"; +end + +local function copy(from, to, umask, owner, group) + local old_umask = umask and pposix.umask(umask); + local attrs = lfs.attributes(to); + if attrs then -- Move old file out of the way + local backup = to..".bkp~"..os.date("%FT%T", attrs.change); + os.rename(to, backup); + end + -- FIXME friendlier error handling, maybe move above backup back? + local input = assert(io.open(from)); + local output = assert(io.open(to, "w")); + local data = input:read(2^11); + while data and output:write(data) do + data = input:read(2^11); + end + assert(input:close()); + assert(output:close()); + if owner and group then + local ok = os.execute(("chown %s.%s %s"):format(sh_esc(owner), sh_esc(group), sh_esc(to))); + assert(ok == true or ok == 0, "Failed to change ownership of "..to); + end + if old_umask then pposix.umask(old_umask); end + return true; +end + +function cert_commands.import(arg) + local hostnames = {}; + -- Move hostname arguments out of arg, the rest should be a list of paths + while arg[1] and prosody.hosts[ arg[1] ] do + table.insert(hostnames, table.remove(arg, 1)); + end + if not arg[1] or arg[1] == "--help" then -- Probably forgot the path + show_usage("cert import HOSTNAME [HOSTNAME+] /path/to/certs [/other/paths/]+", + "Copies certificates to "..cert_basedir); + return 1; + end + local owner, group; + if pposix.getuid() == 0 then -- We need root to change ownership + owner = config.get("*", "prosody_user") or "prosody"; + group = config.get("*", "prosody_group") or owner; + end + for _, host in ipairs(hostnames) do + for _, dir in ipairs(arg) do + if lfs.attributes(dir .. "/" .. host .. "/fullchain.pem") + and lfs.attributes(dir .. "/" .. host .. "/privkey.pem") then + copy(dir .. "/" .. host .. "/fullchain.pem", cert_basedir .. "/" .. host .. ".crt", nil, owner, group); + copy(dir .. "/" .. host .. 
"/privkey.pem", cert_basedir .. "/" .. host .. ".key", "0377", owner, group); + show_message("Imported certificate and key for "..host); + elseif lfs.attributes(dir .. "/" .. host .. ".crt") + and lfs.attributes(dir .. "/" .. host .. ".key") then + copy(dir .. "/" .. host .. ".crt", cert_basedir .. "/" .. host .. ".crt", nil, owner, group); + copy(dir .. "/" .. host .. ".key", cert_basedir .. "/" .. host .. ".key", "0377", owner, group); + show_message("Imported certificate and key for "..host); + else + show_warning("No certificate for host "..host.." found :("); + end + -- TODO Additional checks + -- Certificate names matches the hostname + -- Private key matches public key in certificate + end + end +end + function commands.cert(arg) if #arg >= 1 and arg[1] ~= "--help" then openssl = require "util.openssl"; -- cgit v1.2.3