From 5212d9be5c2b3ce6c0f537bbb2a7ce0e566c70a1 Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 2 May 2014 08:11:11 +0200 Subject: prosodyctl: Only perform checks on enabled hosts --- prosodyctl | 86 +++++++++++++++++++++++++++++++------------------------------- 1 file changed, 43 insertions(+), 43 deletions(-) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 00aeac40..a1849033 100755 --- a/prosodyctl +++ b/prosodyctl @@ -797,6 +797,8 @@ function commands.check(arg) local array, set = require "util.array", require "util.set"; local it = require "util.iterators"; local ok = true; + local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end + local function enabled_hosts() return it.filter(disabled_hosts, pairs(config.getconfig())); end if not what or what == "config" then print("Checking config..."); local known_global_options = set.new({ @@ -813,7 +815,7 @@ function commands.check(arg) end -- Check for global options under hosts local global_options = set.new(it.to_array(it.keys(config["*"]))); - for host, options in it.filter("*", pairs(config)) do + for host, options in enabled_hosts() do local host_options = set.new(it.to_array(it.keys(options))); local misplaced_options = set.intersection(host_options, known_global_options); for name in pairs(options) do @@ -898,7 +900,7 @@ function commands.check(arg) local v6_supported = not not socket.tcp6; - for host, host_options in it.filter("*", pairs(config.getconfig())) do + for host, host_options in enabled_hosts() do local all_targets_ok, some_targets_ok = true, false; local is_component = not not host_options.component_module; @@ -1047,54 +1049,52 @@ function commands.check(arg) print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking"); cert_ok = false else - for host in pairs(hosts) do - if host ~= "*" then -- Should check global certs too. - print("Checking certificate for "..host); - -- First, let's find out what certificate this host uses. - local ssl_config = config.rawget(host, "ssl"); - if not ssl_config then - local base_host = host:match("%.(.*)"); - ssl_config = config.get(base_host, "ssl"); - end - if not ssl_config then - print(" No 'ssl' option defined for "..host) - cert_ok = false - elseif not ssl_config.certificate then - print(" No 'certificate' set in ssl option for "..host) + for host in enabled_hosts() do + print("Checking certificate for "..host); + -- First, let's find out what certificate this host uses. + local ssl_config = config.rawget(host, "ssl"); + if not ssl_config then + local base_host = host:match("%.(.*)"); + ssl_config = config.get(base_host, "ssl"); + end + if not ssl_config then + print(" No 'ssl' option defined for "..host) + cert_ok = false + elseif not ssl_config.certificate then + print(" No 'certificate' set in ssl option for "..host) + cert_ok = false + elseif not ssl_config.key then + print(" No 'key' set in ssl option for "..host) + cert_ok = false + else + local key, err = io.open(ssl_config.key); -- Permissions check only + if not key then + print(" Could not open "..ssl_config.key..": "..err); cert_ok = false - elseif not ssl_config.key then - print(" No 'key' set in ssl option for "..host) + else + key:close(); + end + local cert_fh, err = io.open(ssl_config.certificate); -- Load the file. + if not cert_fh then + print(" Could not open "..ssl_config.certificate..": "..err); cert_ok = false else - local key, err = io.open(ssl_config.key); -- Permissions check only - if not key then - print(" Could not open "..ssl_config.key..": "..err); + print(" Certificate: "..ssl_config.certificate) + local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close(); + if not cert:validat(os.time()) then + print(" Certificate has expired.") cert_ok = false - else - key:close(); end - local cert_fh, err = io.open(ssl_config.certificate); -- Load the file. - if not cert_fh then - print(" Could not open "..ssl_config.certificate..": "..err); - cert_ok = false - else - print(" Certificate: "..ssl_config.certificate) - local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close(); - if not cert:validat(os.time()) then - print(" Certificate has expired.") - cert_ok = false - end - if config.get(host, "component_module") == nil + if config.get(host, "component_module") == nil and not x509_verify_identity(host, "_xmpp-client", cert) then - print(" Not vaild for client connections to "..host..".") - cert_ok = false - end - if (not (config.get(name, "anonymous_login") - or config.get(name, "authentication") == "anonymous")) + print(" Not vaild for client connections to "..host..".") + cert_ok = false + end + if (not (config.get(name, "anonymous_login") + or config.get(name, "authentication") == "anonymous")) and not x509_verify_identity(host, "_xmpp-client", cert) then - print(" Not vaild for server-to-server connections to "..host..".") - cert_ok = false - end + print(" Not vaild for server-to-server connections to "..host..".") + cert_ok = false end end end -- cgit v1.2.3 From 960486904550db5e32646e8356ef19e8b7ad050a Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 2 May 2014 08:16:26 +0200 Subject: prosodyctl: Add check that points out any disabled hosts --- prosodyctl | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index a1849033..79d714eb 100755 --- a/prosodyctl +++ b/prosodyctl @@ -799,6 +799,21 @@ function commands.check(arg) local ok = true; local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end local function enabled_hosts() return it.filter(disabled_hosts, pairs(config.getconfig())); end + if not what or what == "disabled" then + local disabled_hosts = set.new(); + for host, host_options in it.filter("*", pairs(config.getconfig())) do + if host_options.enabled == false then + disabled_hosts:add(host); + end + end + if not disabled_hosts:empty() then + local msg = "Checks will be skipped for these disabled hosts: %s"; + if what then msg = "These hosts are disabled: %s"; end + show_warning(msg, tostring(disabled_hosts)); + if what then return 0; end + print"" + end + end if not what or what == "config" then print("Checking config..."); local known_global_options = set.new({ -- cgit v1.2.3 From f329e3d045cebabbc1a6bb3736bc01583a6c148d Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 2 May 2014 08:21:56 +0200 Subject: prosodyctl: Check for deprecated config options --- prosodyctl | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 79d714eb..7280ab88 100755 --- a/prosodyctl +++ b/prosodyctl @@ -816,6 +816,9 @@ function commands.check(arg) end if not what or what == "config" then print("Checking config..."); + local deprecated = set.new({ + "bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login", + }); local known_global_options = set.new({ "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize", "umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings" @@ -830,6 +833,13 @@ function commands.check(arg) end -- Check for global options under hosts local global_options = set.new(it.to_array(it.keys(config["*"]))); + local deprecated_global_options = set.intersection(global_options, deprecated); + if not deprecated_global_options:empty() then + print(""); + print(" You have some deprecated options in the global section:"); + print(" "..tostring(deprecated_global_options)) + ok = false; + end for host, options in enabled_hosts() do local host_options = set.new(it.to_array(it.keys(options))); local misplaced_options = set.intersection(host_options, known_global_options); -- cgit v1.2.3 From 400bdbc4380af9e0cb61d3c88529aab77983a03c Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 2 May 2014 08:27:29 +0200 Subject: prosodyctl: Use correct variable in check certs --- prosodyctl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 7280ab88..2f9a7849 100755 --- a/prosodyctl +++ b/prosodyctl @@ -1115,8 +1115,8 @@ function commands.check(arg) print(" Not vaild for client connections to "..host..".") cert_ok = false end - if (not (config.get(name, "anonymous_login") - or config.get(name, "authentication") == "anonymous")) + if (not (config.get(host, "anonymous_login") + or config.get(host, "authentication") == "anonymous")) and not x509_verify_identity(host, "_xmpp-client", cert) then print(" Not vaild for server-to-server connections to "..host..".") cert_ok = false -- cgit v1.2.3 From a39b07906f534a6fc85be2e70fe0aa4faac0cf4e Mon Sep 17 00:00:00 2001 From: Kim Alvefur Date: Fri, 2 May 2014 08:56:03 +0200 Subject: prosodyctl: Check that there is at least one enabled VirtualHost (or Component) defined --- prosodyctl | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'prosodyctl') diff --git a/prosodyctl b/prosodyctl index 2f9a7849..d9ae9b73 100755 --- a/prosodyctl +++ b/prosodyctl @@ -831,6 +831,17 @@ function commands.check(arg) print(" No global options defined. Perhaps you have put a host definition at the top") print(" of the config file? They should be at the bottom, see http://prosody.im/doc/configure#overview"); end + if it.count(enabled_hosts()) == 0 then + ok = false; + print(""); + if it.count(it.filter("*", pairs(config))) == 0 then + print(" No hosts are defined, please add at least one VirtualHost section") + elseif config["*"]["enabled"] == false then + print(" No hosts are enabled. Remove enabled = false from the global section or put enabled = true under at least one VirtualHost section") + else + print(" All hosts are disabled. Remove enabled = false from at least one VirtualHost section") + end + end -- Check for global options under hosts local global_options = set.new(it.to_array(it.keys(config["*"]))); local deprecated_global_options = set.intersection(global_options, deprecated); -- cgit v1.2.3