Validate all certfiles on startup
parent
d7878ef131
commit
268065e5c4
|
@ -27,7 +27,7 @@
|
||||||
|
|
||||||
%% API
|
%% API
|
||||||
-export([start_link/0, add_certfile/1, format_error/1, opt_type/1,
|
-export([start_link/0, add_certfile/1, format_error/1, opt_type/1,
|
||||||
get_certfile/1, route_registered/1]).
|
get_certfile/1, try_certfile/1, route_registered/1]).
|
||||||
%% gen_server callbacks
|
%% gen_server callbacks
|
||||||
-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
|
-export([init/1, handle_call/3, handle_cast/2, handle_info/2,
|
||||||
terminate/2, code_change/3]).
|
terminate/2, code_change/3]).
|
||||||
|
@ -56,15 +56,16 @@
|
||||||
%%%===================================================================
|
%%%===================================================================
|
||||||
-spec add_certfile(filename:filename())
|
-spec add_certfile(filename:filename())
|
||||||
-> ok | {error, cert_error() | file:posix()}.
|
-> ok | {error, cert_error() | file:posix()}.
|
||||||
add_certfile(Path0) ->
|
add_certfile(Path) ->
|
||||||
Path = case filename:pathtype(Path0) of
|
gen_server:call(?MODULE, {add_certfile, prep_path(Path)}).
|
||||||
relative ->
|
|
||||||
{ok, CWD} = file:get_cwd(),
|
-spec try_certfile(filename:filename()) -> binary().
|
||||||
iolist_to_binary(filename:join(CWD, Path0));
|
try_certfile(Path0) ->
|
||||||
_ ->
|
Path = prep_path(Path0),
|
||||||
iolist_to_binary(Path0)
|
case mk_cert_state(Path, false) of
|
||||||
end,
|
{ok, _} -> Path;
|
||||||
gen_server:call(?MODULE, {add_certfile, Path}).
|
{error, _} -> erlang:error(badarg)
|
||||||
|
end.
|
||||||
|
|
||||||
route_registered(Route) ->
|
route_registered(Route) ->
|
||||||
gen_server:call(?MODULE, {route_registered, Route}).
|
gen_server:call(?MODULE, {route_registered, Route}).
|
||||||
|
@ -515,6 +516,16 @@ get_cert_path(G, [Root|_] = Acc) ->
|
||||||
end, Es)
|
end, Es)
|
||||||
end.
|
end.
|
||||||
|
|
||||||
|
-spec prep_path(filename:filename()) -> binary().
|
||||||
|
prep_path(Path0) ->
|
||||||
|
case filename:pathtype(Path0) of
|
||||||
|
relative ->
|
||||||
|
{ok, CWD} = file:get_cwd(),
|
||||||
|
iolist_to_binary(filename:join(CWD, Path0));
|
||||||
|
_ ->
|
||||||
|
iolist_to_binary(Path0)
|
||||||
|
end.
|
||||||
|
|
||||||
-ifdef(SHORT_NAME_HASH).
|
-ifdef(SHORT_NAME_HASH).
|
||||||
short_name_hash(IssuerID) ->
|
short_name_hash(IssuerID) ->
|
||||||
public_key:short_name_hash(IssuerID).
|
public_key:short_name_hash(IssuerID).
|
||||||
|
|
|
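Review bot: `try_certfile/1` collapses every failure from `mk_cert_state(Path, false)` into `erlang:error(badarg)`, so when a configured `sql_ssl_certfile` or `ldap_tls_certfile` is rejected at startup the operator sees only a bad-argument error and not whether the file was unreadable, not PEM, or missing a key. Since the module already exports `format_error/1`, the `{error, _}` clause could bind the reason and log it (via `format_error/1`, assuming the error terms returned by `mk_cert_state/2` — which is outside this hunk — are ones it accepts) before raising. The `-spec try_certfile(filename:filename()) -> binary().` line would also benefit from a one-line comment stating that it resolves the path like `add_certfile/1` and raises `badarg` when the file does not parse as a certificate, since that contract is what the `opt_type` callers in the other files rely on.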
@ -1104,7 +1104,7 @@ opt_type(sql_server) -> fun iolist_to_binary/1;
|
||||||
opt_type(sql_username) -> fun iolist_to_binary/1;
|
opt_type(sql_username) -> fun iolist_to_binary/1;
|
||||||
opt_type(sql_ssl) -> fun(B) when is_boolean(B) -> B end;
|
opt_type(sql_ssl) -> fun(B) when is_boolean(B) -> B end;
|
||||||
opt_type(sql_ssl_verify) -> fun(B) when is_boolean(B) -> B end;
|
opt_type(sql_ssl_verify) -> fun(B) when is_boolean(B) -> B end;
|
||||||
opt_type(sql_ssl_certfile) -> fun misc:try_read_file/1;
|
opt_type(sql_ssl_certfile) -> fun ejabberd_pkix:try_certfile/1;
|
||||||
opt_type(sql_ssl_cafile) -> fun misc:try_read_file/1;
|
opt_type(sql_ssl_cafile) -> fun misc:try_read_file/1;
|
||||||
opt_type(sql_query_timeout) ->
|
opt_type(sql_query_timeout) ->
|
||||||
fun (I) when is_integer(I), I > 0 -> I end;
|
fun (I) when is_integer(I), I > 0 -> I end;
|
||||||
|
@ -1115,6 +1115,6 @@ opt_type(sql_queue_type) ->
|
||||||
opt_type(_) ->
|
opt_type(_) ->
|
||||||
[sql_database, sql_keepalive_interval,
|
[sql_database, sql_keepalive_interval,
|
||||||
sql_password, sql_port, sql_server,
|
sql_password, sql_port, sql_server,
|
||||||
sql_username, sql_ssl, sql_ssl_verify, sql_ssl_cerfile,
|
sql_username, sql_ssl, sql_ssl_verify, sql_ssl_certfile,
|
||||||
sql_ssl_cafile, sql_queue_type, sql_query_timeout,
|
sql_ssl_cafile, sql_queue_type, sql_query_timeout,
|
||||||
sql_connect_timeout].
|
sql_connect_timeout].
|
||||||
|
|
|
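Review bot: `opt_type(sql_ssl_cafile)` on the line after the changed `sql_ssl_certfile` clause still uses `misc:try_read_file/1`, so the CA bundle — the file that decides which server certificates are accepted when `sql_ssl_verify` is enabled — is presumably only checked for readability at startup (what `try_read_file/1` does beyond reading is not visible here), not that it contains parseable certificates, and a malformed CA file would only surface at connection time. The same asymmetry remains in the `ldap_tls_cacertfile` clauses of the later `opt_type` and both `mod_opt_type` hunks. If `try_certfile/1` accepts a certificate-only PEM, `opt_type(sql_ssl_cafile) -> fun ejabberd_pkix:try_certfile/1;` (and the matching LDAP clauses) would make the startup validation uniform; if it requires a private key as well, a CA-only validator is needed instead.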
@ -130,7 +130,8 @@
|
||||||
port = 389 :: inet:port_number(),
|
port = 389 :: inet:port_number(),
|
||||||
sockmod = gen_tcp :: ssl | gen_tcp,
|
sockmod = gen_tcp :: ssl | gen_tcp,
|
||||||
tls = none :: none | tls,
|
tls = none :: none | tls,
|
||||||
tls_options = [] :: [{cacertfile, string()} |
|
tls_options = [] :: [{certfile, string()} |
|
||||||
|
{cacertfile, string()} |
|
||||||
{depth, non_neg_integer()} |
|
{depth, non_neg_integer()} |
|
||||||
{verify, non_neg_integer()}],
|
{verify, non_neg_integer()}],
|
||||||
fd :: gen_tcp:socket() | undefined,
|
fd :: gen_tcp:socket() | undefined,
|
||||||
|
@ -577,11 +578,17 @@ init([Hosts, Port, Rootdn, Passwd, Opts]) ->
|
||||||
end;
|
end;
|
||||||
PT -> PT
|
PT -> PT
|
||||||
end,
|
end,
|
||||||
|
CertOpts = case proplists:get_value(tls_certfile, Opts) of
|
||||||
|
undefined ->
|
||||||
|
[];
|
||||||
|
Path1 ->
|
||||||
|
[{certfile, Path1}]
|
||||||
|
end,
|
||||||
CacertOpts = case proplists:get_value(tls_cacertfile, Opts) of
|
CacertOpts = case proplists:get_value(tls_cacertfile, Opts) of
|
||||||
undefined ->
|
undefined ->
|
||||||
[];
|
[];
|
||||||
Path ->
|
Path2 ->
|
||||||
[{cacertfile, Path}]
|
[{cacertfile, Path2}]
|
||||||
end,
|
end,
|
||||||
DepthOpts = case proplists:get_value(tls_depth, Opts) of
|
DepthOpts = case proplists:get_value(tls_depth, Opts) of
|
||||||
undefined ->
|
undefined ->
|
||||||
|
@ -596,11 +603,11 @@ init([Hosts, Port, Rootdn, Passwd, Opts]) ->
|
||||||
"certfiles configured, so verification "
|
"certfiles configured, so verification "
|
||||||
"is disabled.",
|
"is disabled.",
|
||||||
[]),
|
[]),
|
||||||
[];
|
CertOpts;
|
||||||
Verify == soft ->
|
Verify == soft ->
|
||||||
[{verify, 1}] ++ CacertOpts ++ DepthOpts;
|
[{verify, 1}] ++ CertOpts ++ CacertOpts ++ DepthOpts;
|
||||||
Verify == hard ->
|
Verify == hard ->
|
||||||
[{verify, 2}] ++ CacertOpts ++ DepthOpts;
|
[{verify, 2}] ++ CertOpts ++ CacertOpts ++ DepthOpts;
|
||||||
true -> []
|
true -> []
|
||||||
end,
|
end,
|
||||||
{ok, connecting,
|
{ok, connecting,
|
||||||
|
|
|
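Review bot: The final `true -> []` branch of the `if` drops `CertOpts`, so when `ldap_tls_verify` is `false` — the default set in `get_config/2` in the next file — a configured `ldap_tls_certfile` is silently never passed to the TLS socket, while the `soft`, `hard` and no-CA branches now include it. Presenting a client certificate is independent of verifying the server's, so this branch should probably read `true -> CertOpts`. The head of the `if` and the first branch's condition are outside the hunk, so whether its log message (ending "...certfiles configured, so verification is disabled.") still describes the situation once `CertOpts` is returned from that branch cannot be confirmed here.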
@ -177,6 +177,7 @@ get_config(Host, Opts) ->
|
||||||
Backups = get_opt(ldap_backups, Host, Opts, []),
|
Backups = get_opt(ldap_backups, Host, Opts, []),
|
||||||
Encrypt = get_opt(ldap_encrypt, Host, Opts, none),
|
Encrypt = get_opt(ldap_encrypt, Host, Opts, none),
|
||||||
TLSVerify = get_opt(ldap_tls_verify, Host, Opts, false),
|
TLSVerify = get_opt(ldap_tls_verify, Host, Opts, false),
|
||||||
|
TLSCertFile = get_opt(ldap_tls_certfile, Host, Opts),
|
||||||
TLSCAFile = get_opt(ldap_tls_cacertfile, Host, Opts),
|
TLSCAFile = get_opt(ldap_tls_cacertfile, Host, Opts),
|
||||||
TLSDepth = get_opt(ldap_tls_depth, Host, Opts),
|
TLSDepth = get_opt(ldap_tls_depth, Host, Opts),
|
||||||
Port = get_opt(ldap_port, Host, Opts,
|
Port = get_opt(ldap_port, Host, Opts,
|
||||||
|
@ -203,6 +204,7 @@ get_config(Host, Opts) ->
|
||||||
backups = Backups,
|
backups = Backups,
|
||||||
tls_options = [{encrypt, Encrypt},
|
tls_options = [{encrypt, Encrypt},
|
||||||
{tls_verify, TLSVerify},
|
{tls_verify, TLSVerify},
|
||||||
|
{tls_certfile, TLSCertFile},
|
||||||
{tls_cacertfile, TLSCAFile},
|
{tls_cacertfile, TLSCAFile},
|
||||||
{tls_depth, TLSDepth}],
|
{tls_depth, TLSDepth}],
|
||||||
port = Port,
|
port = Port,
|
||||||
|
@ -339,6 +341,7 @@ collect_parts_bit([],Acc,Uacc) ->
|
||||||
(ldap_rootdn) -> fun((binary()) -> binary());
|
(ldap_rootdn) -> fun((binary()) -> binary());
|
||||||
(ldap_servers) -> fun(([binary()]) -> [binary()]);
|
(ldap_servers) -> fun(([binary()]) -> [binary()]);
|
||||||
(ldap_tls_certfile) -> fun((binary()) -> string());
|
(ldap_tls_certfile) -> fun((binary()) -> string());
|
||||||
|
(ldap_tls_cacertfile) -> fun((binary()) -> string());
|
||||||
(ldap_tls_depth) -> fun((non_neg_integer()) -> non_neg_integer());
|
(ldap_tls_depth) -> fun((non_neg_integer()) -> non_neg_integer());
|
||||||
(ldap_tls_verify) -> fun((hard | soft | false) -> hard | soft | false);
|
(ldap_tls_verify) -> fun((hard | soft | false) -> hard | soft | false);
|
||||||
(ldap_filter) -> fun((binary()) -> binary());
|
(ldap_filter) -> fun((binary()) -> binary());
|
||||||
|
@ -366,6 +369,10 @@ opt_type(ldap_port) ->
|
||||||
opt_type(ldap_rootdn) -> fun iolist_to_binary/1;
|
opt_type(ldap_rootdn) -> fun iolist_to_binary/1;
|
||||||
opt_type(ldap_servers) ->
|
opt_type(ldap_servers) ->
|
||||||
fun (L) -> [iolist_to_binary(H) || H <- L] end;
|
fun (L) -> [iolist_to_binary(H) || H <- L] end;
|
||||||
|
opt_type(ldap_tls_certfile) ->
|
||||||
|
fun(S) ->
|
||||||
|
binary_to_list(ejabberd_pkix:try_certfile(S))
|
||||||
|
end;
|
||||||
opt_type(ldap_tls_cacertfile) ->
|
opt_type(ldap_tls_cacertfile) ->
|
||||||
fun(S) -> binary_to_list(misc:try_read_file(S)) end;
|
fun(S) -> binary_to_list(misc:try_read_file(S)) end;
|
||||||
opt_type(ldap_tls_depth) ->
|
opt_type(ldap_tls_depth) ->
|
||||||
|
@ -390,4 +397,5 @@ opt_type(_) ->
|
||||||
[deref_aliases, ldap_backups, ldap_base, ldap_uids,
|
[deref_aliases, ldap_backups, ldap_base, ldap_uids,
|
||||||
ldap_deref_aliases, ldap_encrypt, ldap_password,
|
ldap_deref_aliases, ldap_encrypt, ldap_password,
|
||||||
ldap_port, ldap_rootdn, ldap_servers, ldap_filter,
|
ldap_port, ldap_rootdn, ldap_servers, ldap_filter,
|
||||||
ldap_tls_cacertfile, ldap_tls_depth, ldap_tls_verify].
|
ldap_tls_certfile, ldap_tls_cacertfile, ldap_tls_depth,
|
||||||
|
ldap_tls_verify].
|
||||||
|
|
|
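Review bot: The new `opt_type(ldap_tls_certfile)` clause is spread over four lines while the adjacent `opt_type(ldap_tls_cacertfile)` clause uses the one-line form; `fun(S) -> binary_to_list(ejabberd_pkix:try_certfile(S)) end;` would match the surrounding style. `TLSCertFile = get_opt(ldap_tls_certfile, Host, Opts)` is read without a default, which presumably yields `undefined` when unset and is what the `undefined ->` clause of the new `CertOpts` case in `init/1` relies on; worth a short comment on that line if `get_opt/3` is not guaranteed to behave that way.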
@ -583,7 +583,7 @@ mod_opt_type(ldap_servers) ->
|
||||||
mod_opt_type(ldap_tls_cacertfile) ->
|
mod_opt_type(ldap_tls_cacertfile) ->
|
||||||
fun misc:try_read_file/1;
|
fun misc:try_read_file/1;
|
||||||
mod_opt_type(ldap_tls_certfile) ->
|
mod_opt_type(ldap_tls_certfile) ->
|
||||||
fun misc:try_read_file/1;
|
fun ejabberd_pkix:try_certfile/1;
|
||||||
mod_opt_type(ldap_tls_depth) ->
|
mod_opt_type(ldap_tls_depth) ->
|
||||||
fun (I) when is_integer(I), I >= 0 -> I end;
|
fun (I) when is_integer(I), I >= 0 -> I end;
|
||||||
mod_opt_type(ldap_tls_verify) ->
|
mod_opt_type(ldap_tls_verify) ->
|
||||||
|
|
|
@ -469,7 +469,7 @@ mod_opt_type(ldap_servers) ->
|
||||||
mod_opt_type(ldap_tls_cacertfile) ->
|
mod_opt_type(ldap_tls_cacertfile) ->
|
||||||
fun misc:try_read_file/1;
|
fun misc:try_read_file/1;
|
||||||
mod_opt_type(ldap_tls_certfile) ->
|
mod_opt_type(ldap_tls_certfile) ->
|
||||||
fun misc:try_read_file/1;
|
fun ejabberd_pkix:try_certfile/1;
|
||||||
mod_opt_type(ldap_tls_depth) ->
|
mod_opt_type(ldap_tls_depth) ->
|
||||||
fun (I) when is_integer(I), I >= 0 -> I end;
|
fun (I) when is_integer(I), I >= 0 -> I end;
|
||||||
mod_opt_type(ldap_tls_verify) ->
|
mod_opt_type(ldap_tls_verify) ->
|
||||||
|
|