mirror of
https://github.com/processone/ejabberd.git
synced 2024-12-22 17:28:25 +01:00
Merge branch 'lets_encrypt_acme_support' of git://github.com/angelhof/ejabberd into angelhof-lets_encrypt_acme_support
Conflicts: rebar.config src/ejabberd_pkix.erl
This commit is contained in:
commit
b04c6b7d75
@ -655,6 +655,38 @@ language: "en"
|
||||
##
|
||||
## captcha_limit: 5
|
||||
|
||||
###. ====
|
||||
###' ACME
|
||||
##
|
||||
## In order to use the acme certificate acquiring through "Let's Encrypt"
|
||||
## an http listener has to be configured to listen to port 80 so that
|
||||
## the authorization challenges posed by "Let's Encrypt" can be solved.
|
||||
##
|
||||
## A simple way of doing this would be to add the following in the listen
|
||||
## configuration field:
|
||||
## -
|
||||
## port: 80
|
||||
## ip: "::"
|
||||
## module: ejabberd_http
|
||||
|
||||
acme:
|
||||
|
||||
## A contact mail that the ACME Certificate Authority can contact in case of
|
||||
## an authorization issue, such as a server-initiated certificate revocation.
|
||||
## It is not mandatory to provide an email address but it is highly suggested.
|
||||
contact: "mailto:example-admin@example.com"
|
||||
|
||||
|
||||
## The ACME Certificate Authority URL.
|
||||
## This could either be:
|
||||
## - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
|
||||
## - https://acme-staging.api.letsencrypt.org - for the staging CA
|
||||
## - http://localhost:4000 - for a local version of the CA
|
||||
ca_url: "https://acme-v01.api.letsencrypt.org"
|
||||
|
||||
## The directory in which certificates will be saved
|
||||
cert_dir: "/usr/local/var/lib/ejabberd/"
|
||||
|
||||
###. =======
|
||||
###' MODULES
|
||||
|
||||
|
53
include/ejabberd_acme.hrl
Normal file
53
include/ejabberd_acme.hrl
Normal file
@ -0,0 +1,53 @@
|
||||
|
||||
-record(challenge, {
|
||||
type = <<"http-01">> :: bitstring(),
|
||||
status = pending :: pending | valid | invalid,
|
||||
uri = "" :: url(),
|
||||
token = <<"">> :: bitstring()
|
||||
}).
|
||||
|
||||
-record(data_acc, {
|
||||
id :: list(),
|
||||
ca_url :: url(),
|
||||
key :: jose_jwk:key()
|
||||
}).
|
||||
-type data_acc() :: #data_acc{}.
|
||||
|
||||
-record(data_cert, {
|
||||
domain :: bitstring(),
|
||||
pem :: pem(),
|
||||
path :: string()
|
||||
}).
|
||||
-type data_cert() :: #data_cert{}.
|
||||
|
||||
%%
|
||||
%% Types
|
||||
%%
|
||||
|
||||
%% Acme configuration
|
||||
-type acme_config() :: [{ca_url, url()} | {contact, bitstring()}].
|
||||
|
||||
%% The main data type that ejabberd_acme keeps
|
||||
-type acme_data() :: proplist().
|
||||
|
||||
%% The list of certificates kept in data
|
||||
-type data_certs() :: proplist(bitstring(), data_cert()).
|
||||
|
||||
%% The certificate saved in pem format
|
||||
-type pem() :: bitstring().
|
||||
|
||||
-type nonce() :: string().
|
||||
-type url() :: string().
|
||||
-type proplist() :: [{_, _}].
|
||||
-type proplist(X,Y) :: [{X,Y}].
|
||||
-type dirs() :: #{string() => url()}.
|
||||
-type jws() :: map().
|
||||
-type handle_resp_fun() :: fun(({ok, proplist(), proplist()}) -> {ok, _, nonce()}).
|
||||
|
||||
-type acme_challenge() :: #challenge{}.
|
||||
|
||||
%% Options
|
||||
-type account_opt() :: string().
|
||||
-type verbose_opt() :: string().
|
||||
-type domains_opt() :: string().
|
||||
|
@ -30,6 +30,7 @@
|
||||
{jiffy, ".*", {git, "https://github.com/davisp/jiffy", {tag, "0.14.8"}}},
|
||||
{p1_oauth2, ".*", {git, "https://github.com/processone/p1_oauth2", {tag, "0.6.2"}}},
|
||||
{luerl, ".*", {git, "https://github.com/rvirding/luerl", {tag, "v0.2"}}},
|
||||
{jose, ".*", {git, "git://github.com/potatosalad/erlang-jose.git", {tag, "1.8.4"}}},
|
||||
{fs, ".*", {git, "https://github.com/synrc/fs.git", {tag, "2.12.0"}}},
|
||||
{if_var_true, stun, {stun, ".*", {git, "https://github.com/processone/stun", {tag, "1.0.15"}}}},
|
||||
{if_var_true, sip, {esip, ".*", {git, "https://github.com/processone/esip", {tag, "1.0.16"}}}},
|
||||
|
145
src/acme_challenge.erl
Normal file
145
src/acme_challenge.erl
Normal file
@ -0,0 +1,145 @@
|
||||
-module(acme_challenge).
|
||||
|
||||
-export ([key_authorization/2,
|
||||
solve_challenge/3,
|
||||
process/2,
|
||||
register_hooks/1,
|
||||
unregister_hooks/1,
|
||||
acme_handler/3
|
||||
]).
|
||||
%% Challenge Types
|
||||
%% ================
|
||||
%% 1. http-01: https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.2
|
||||
%% 2. dns-01: https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.3
|
||||
%% 3. tls-sni-01: https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.4
|
||||
%% 4. (?) oob-01: https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-7.5
|
||||
|
||||
-include("ejabberd.hrl").
|
||||
-include("logger.hrl").
|
||||
-include("xmpp.hrl").
|
||||
-include("ejabberd_http.hrl").
|
||||
-include("ejabberd_acme.hrl").
|
||||
|
||||
%% This is the default endpoint for the http challenge
|
||||
%% This hooks is called from ejabberd_http
|
||||
acme_handler(Handlers, _Host, Request) ->
|
||||
case Request#request.path of
|
||||
[<<".well-known">>|_] ->
|
||||
[{[<<".well-known">>],acme_challenge}|Handlers];
|
||||
_ ->
|
||||
Handlers
|
||||
end.
|
||||
|
||||
%% TODO: Maybe validate request here??
|
||||
process(LocalPath, _Request) ->
|
||||
Result = ets_get_key_authorization(LocalPath),
|
||||
{200,
|
||||
[{<<"Content-Type">>, <<"text/plain">>}],
|
||||
Result}.
|
||||
|
||||
register_hooks(_Domain) ->
|
||||
?INFO_MSG("Registering hook for ACME HTTP headers", []),
|
||||
ejabberd_hooks:add(http_request_handlers, ?MODULE, acme_handler, 50).
|
||||
|
||||
unregister_hooks(_Domain) ->
|
||||
?INFO_MSG("Unregistering hook for ACME HTTP headers", []),
|
||||
ejabberd_hooks:delete(http_request_handlers, ?MODULE, acme_handler, 50).
|
||||
|
||||
-spec key_authorization(bitstring(), jose_jwk:key()) -> bitstring().
|
||||
key_authorization(Token, Key) ->
|
||||
Thumbprint = jose_jwk:thumbprint(Key),
|
||||
KeyAuthorization = erlang:iolist_to_binary([Token, <<".">>, Thumbprint]),
|
||||
KeyAuthorization.
|
||||
|
||||
-spec parse_challenge({proplist()}) -> {ok, acme_challenge()} | {error, _}.
|
||||
parse_challenge(Challenge0) ->
|
||||
try
|
||||
{Challenge} = Challenge0,
|
||||
{<<"type">>,Type} = proplists:lookup(<<"type">>, Challenge),
|
||||
{<<"status">>,Status} = proplists:lookup(<<"status">>, Challenge),
|
||||
{<<"uri">>,Uri} = proplists:lookup(<<"uri">>, Challenge),
|
||||
{<<"token">>,Token} = proplists:lookup(<<"token">>, Challenge),
|
||||
Res =
|
||||
#challenge{
|
||||
type = Type,
|
||||
status = list_to_atom(bitstring_to_list(Status)),
|
||||
uri = bitstring_to_list(Uri),
|
||||
token = Token
|
||||
},
|
||||
{ok, Res}
|
||||
catch
|
||||
_:Error ->
|
||||
{error, Error}
|
||||
end.
|
||||
|
||||
|
||||
|
||||
-spec solve_challenge(bitstring(), [{proplist()}], _) ->
|
||||
{ok, url(), bitstring()} | {error, _}.
|
||||
solve_challenge(ChallengeType, Challenges, Options) ->
|
||||
ParsedChallenges = [parse_challenge(Chall) || Chall <- Challenges],
|
||||
case lists:any(fun is_error/1, ParsedChallenges) of
|
||||
true ->
|
||||
?ERROR_MSG("Error parsing challenges: ~p~n", [Challenges]),
|
||||
{error, parse_challenge};
|
||||
false ->
|
||||
case [C || {ok, C} <- ParsedChallenges, is_challenge_type(ChallengeType, C)] of
|
||||
[Challenge] ->
|
||||
solve_challenge1(Challenge, Options);
|
||||
_ ->
|
||||
?ERROR_MSG("Challenge ~p not found in challenges: ~p~n", [ChallengeType, Challenges]),
|
||||
{error, not_found}
|
||||
end
|
||||
end.
|
||||
|
||||
-spec solve_challenge1(acme_challenge(), {jose_jwk:key(), string()}) ->
|
||||
{ok, url(), bitstring()} | {error, _}.
|
||||
solve_challenge1(Chal = #challenge{type = <<"http-01">>, token=Tkn}, Key) ->
|
||||
KeyAuthz = key_authorization(Tkn, Key),
|
||||
%% save_key_authorization(Chal, Tkn, KeyAuthz, HttpDir);
|
||||
ets_put_key_authorization(Tkn, KeyAuthz),
|
||||
{ok, Chal#challenge.uri, KeyAuthz};
|
||||
solve_challenge1(Challenge, _Key) ->
|
||||
?ERROR_MSG("Unkown Challenge Type: ~p", [Challenge]),
|
||||
{error, unknown_challenge}.
|
||||
|
||||
|
||||
-spec ets_put_key_authorization(bitstring(), bitstring()) -> ok.
|
||||
ets_put_key_authorization(Tkn, KeyAuthz) ->
|
||||
Tab = ets_get_acme_table(),
|
||||
Key = [<<"acme-challenge">>, Tkn],
|
||||
ets:insert(Tab, {Key, KeyAuthz}),
|
||||
ok.
|
||||
|
||||
-spec ets_get_key_authorization([bitstring()]) -> bitstring().
|
||||
ets_get_key_authorization(Key) ->
|
||||
Tab = ets_get_acme_table(),
|
||||
case ets:lookup(Tab, Key) of
|
||||
[{Key, KeyAuthz}] ->
|
||||
ets:delete(Tab, Key),
|
||||
KeyAuthz;
|
||||
_ ->
|
||||
?ERROR_MSG("Unable to serve key authorization in: ~p", [Key]),
|
||||
<<"">>
|
||||
end.
|
||||
|
||||
-spec ets_get_acme_table() -> atom().
|
||||
ets_get_acme_table() ->
|
||||
case ets:info(acme) of
|
||||
undefined ->
|
||||
ets:new(acme, [named_table, public]);
|
||||
_ ->
|
||||
acme
|
||||
end.
|
||||
|
||||
%% Useful functions
|
||||
|
||||
is_challenge_type(DesiredType, #challenge{type = Type}) when DesiredType =:= Type ->
|
||||
true;
|
||||
is_challenge_type(_DesiredType, #challenge{type = _Type}) ->
|
||||
false.
|
||||
|
||||
-spec is_error({'error', _}) -> 'true';
|
||||
({'ok', _}) -> 'false'.
|
||||
is_error({error, _}) -> true;
|
||||
is_error(_) -> false.
|
1166
src/ejabberd_acme.erl
Normal file
1166
src/ejabberd_acme.erl
Normal file
File diff suppressed because it is too large
Load Diff
393
src/ejabberd_acme_comm.erl
Normal file
393
src/ejabberd_acme_comm.erl
Normal file
@ -0,0 +1,393 @@
|
||||
-module(ejabberd_acme_comm).
|
||||
-export([%% Directory
|
||||
directory/1,
|
||||
%% Account
|
||||
new_account/4,
|
||||
update_account/4,
|
||||
get_account/3,
|
||||
delete_account/3,
|
||||
%% Authorization
|
||||
new_authz/4,
|
||||
get_authz/1,
|
||||
complete_challenge/4,
|
||||
%% Authorization polling
|
||||
get_authz_until_valid/1,
|
||||
%% Certificate
|
||||
new_cert/4,
|
||||
get_cert/1,
|
||||
revoke_cert/4
|
||||
%% Not yet implemented
|
||||
%% key_roll_over/5
|
||||
%% delete_authz/3
|
||||
]).
|
||||
|
||||
-include("ejabberd.hrl").
|
||||
-include("logger.hrl").
|
||||
-include("xmpp.hrl").
|
||||
|
||||
-include("ejabberd_acme.hrl").
|
||||
-include_lib("public_key/include/public_key.hrl").
|
||||
|
||||
-define(REQUEST_TIMEOUT, 5000). % 5 seconds.
|
||||
-define(MAX_POLL_REQUESTS, 20).
|
||||
-define(POLL_WAIT_TIME, 500). % 500 ms.
|
||||
|
||||
%%%
|
||||
%%% This module contains functions that implement all necessary http
|
||||
%%% requests to the ACME Certificate Authority. Its purpose is to
|
||||
%%% facilitate the acme client implementation by separating the
|
||||
%%% handling/validating/parsing of all the needed http requests.
|
||||
%%%
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Directory
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec directory(url()) -> {ok, dirs(), nonce()} | {error, _}.
|
||||
directory(CAUrl) ->
|
||||
Url = CAUrl ++ "/directory",
|
||||
prepare_get_request(Url, fun get_dirs/1).
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Account Handling
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec new_account(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
||||
new_account(Dirs, PrivateKey, Req, Nonce) ->
|
||||
#{"new-reg" := Url} = Dirs,
|
||||
EJson = {[{ <<"resource">>, <<"new-reg">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
||||
|
||||
-spec update_account({url(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, proplist(), nonce()} | {error, _}.
|
||||
update_account({CAUrl, AccId}, PrivateKey, Req, Nonce) ->
|
||||
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||
EJson = {[{ <<"resource">>, <<"reg">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
||||
|
||||
-spec get_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
||||
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
||||
get_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
||||
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||
EJson = {[{<<"resource">>, <<"reg">>}]},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_tos/1).
|
||||
|
||||
-spec delete_account({url(), string()}, jose_jwk:key(), nonce()) ->
|
||||
{ok, proplist(), nonce()} | {error, _}.
|
||||
delete_account({CAUrl, AccId}, PrivateKey, Nonce) ->
|
||||
Url = CAUrl ++ "/acme/reg/" ++ AccId,
|
||||
EJson =
|
||||
{[{<<"resource">>, <<"reg">>},
|
||||
{<<"status">>, <<"deactivated">>}]},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
||||
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Authorization Handling
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec new_authz(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, {url(), proplist()}, nonce()} | {error, _}.
|
||||
new_authz(Dirs, PrivateKey, Req, Nonce) ->
|
||||
#{"new-authz" := Url} = Dirs,
|
||||
EJson = {[{<<"resource">>, <<"new-authz">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1).
|
||||
|
||||
-spec get_authz({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
||||
get_authz({CAUrl, AuthzId}) ->
|
||||
Url = CAUrl ++ "/acme/authz/" ++ AuthzId,
|
||||
prepare_get_request(Url, fun get_response/1).
|
||||
|
||||
-spec complete_challenge({url(), string(), string()}, jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, proplist(), nonce()} | {error, _}.
|
||||
complete_challenge({CAUrl, AuthzId, ChallId}, PrivateKey, Req, Nonce) ->
|
||||
Url = CAUrl ++ "/acme/challenge/" ++ AuthzId ++ "/" ++ ChallId,
|
||||
EJson = {[{<<"resource">>, <<"challenge">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1).
|
||||
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Certificate Handling
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec new_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, {url(), list()}, nonce()} | {error, _}.
|
||||
new_cert(Dirs, PrivateKey, Req, Nonce) ->
|
||||
#{"new-cert" := Url} = Dirs,
|
||||
EJson = {[{<<"resource">>, <<"new-cert">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response_location/1,
|
||||
"application/pkix-cert").
|
||||
|
||||
-spec get_cert({url(), string()}) -> {ok, list(), nonce()} | {error, _}.
|
||||
get_cert({CAUrl, CertId}) ->
|
||||
Url = CAUrl ++ "/acme/cert/" ++ CertId,
|
||||
prepare_get_request(Url, fun get_response/1, "application/pkix-cert").
|
||||
|
||||
-spec revoke_cert(dirs(), jose_jwk:key(), proplist(), nonce()) ->
|
||||
{ok, _, nonce()} | {error, _}.
|
||||
revoke_cert(Dirs, PrivateKey, Req, Nonce) ->
|
||||
#{"revoke-cert" := Url} = Dirs,
|
||||
EJson = {[{<<"resource">>, <<"revoke-cert">>}] ++ Req},
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, fun get_response/1,
|
||||
"application/pkix-cert").
|
||||
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Handle Response Functions
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec get_dirs({ok, proplist(), proplist()}) -> {ok, map(), nonce()}.
|
||||
get_dirs({ok, Head, Return}) ->
|
||||
NewNonce = get_nonce(Head),
|
||||
StrDirectories = [{bitstring_to_list(X), bitstring_to_list(Y)} ||
|
||||
{X, Y} <- Return, is_bitstring(X) andalso is_bitstring(Y)],
|
||||
NewDirs = maps:from_list(StrDirectories),
|
||||
{ok, NewDirs, NewNonce}.
|
||||
|
||||
-spec get_response({ok, proplist(), proplist()}) -> {ok, proplist(), nonce()}.
|
||||
get_response({ok, Head, Return}) ->
|
||||
NewNonce = get_nonce(Head),
|
||||
{ok, Return, NewNonce}.
|
||||
|
||||
-spec get_response_tos({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
|
||||
get_response_tos({ok, Head, Return}) ->
|
||||
TOSUrl = get_tos(Head),
|
||||
NewNonce = get_nonce(Head),
|
||||
{ok, {TOSUrl, Return}, NewNonce}.
|
||||
|
||||
-spec get_response_location({ok, proplist(), proplist()}) -> {ok, {url(), proplist()}, nonce()}.
|
||||
get_response_location({ok, Head, Return}) ->
|
||||
Location = get_location(Head),
|
||||
NewNonce = get_nonce(Head),
|
||||
{ok, {Location, Return}, NewNonce}.
|
||||
|
||||
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Authorization Polling
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec get_authz_until_valid({url(), string()}) -> {ok, proplist(), nonce()} | {error, _}.
|
||||
get_authz_until_valid({CAUrl, AuthzId}) ->
|
||||
get_authz_until_valid({CAUrl, AuthzId}, ?MAX_POLL_REQUESTS).
|
||||
|
||||
-spec get_authz_until_valid({url(), string()}, non_neg_integer()) ->
|
||||
{ok, proplist(), nonce()} | {error, _}.
|
||||
get_authz_until_valid({_CAUrl, _AuthzId}, 0) ->
|
||||
?ERROR_MSG("Maximum request limit waiting for validation reached", []),
|
||||
{error, max_request_limit};
|
||||
get_authz_until_valid({CAUrl, AuthzId}, N) ->
|
||||
case get_authz({CAUrl, AuthzId}) of
|
||||
{ok, Resp, Nonce} ->
|
||||
case is_authz_valid(Resp) of
|
||||
true ->
|
||||
{ok, Resp, Nonce};
|
||||
false ->
|
||||
timer:sleep(?POLL_WAIT_TIME),
|
||||
get_authz_until_valid({CAUrl, AuthzId}, N-1)
|
||||
end;
|
||||
{error, _} = Err ->
|
||||
Err
|
||||
end.
|
||||
|
||||
-spec is_authz_valid(proplist()) -> boolean().
|
||||
is_authz_valid(Authz) ->
|
||||
case proplists:lookup(<<"status">>, Authz) of
|
||||
{<<"status">>, <<"valid">>} ->
|
||||
true;
|
||||
_ ->
|
||||
false
|
||||
end.
|
||||
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Request Functions
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
%% TODO: Fix the duplicated code at the below 4 functions
|
||||
-spec make_post_request(url(), bitstring(), string()) ->
|
||||
{ok, proplist(), proplist()} | {error, _}.
|
||||
make_post_request(Url, ReqBody, ResponseType) ->
|
||||
Options = [],
|
||||
HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
|
||||
case httpc:request(post,
|
||||
{Url, [], "application/jose+json", ReqBody}, HttpOptions, Options) of
|
||||
{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
|
||||
decode_response(Head, Body, ResponseType);
|
||||
Error ->
|
||||
failed_http_request(Error, Url)
|
||||
end.
|
||||
|
||||
-spec make_get_request(url(), string()) ->
|
||||
{ok, proplist(), proplist()} | {error, _}.
|
||||
make_get_request(Url, ResponseType) ->
|
||||
Options = [],
|
||||
HttpOptions = [{timeout, ?REQUEST_TIMEOUT}],
|
||||
case httpc:request(get, {Url, []}, HttpOptions, Options) of
|
||||
{ok, {{_, Code, _}, Head, Body}} when Code >= 200, Code =< 299 ->
|
||||
decode_response(Head, Body, ResponseType);
|
||||
Error ->
|
||||
failed_http_request(Error, Url)
|
||||
end.
|
||||
|
||||
-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
|
||||
nonce(), handle_resp_fun()) -> {ok, _, nonce()} | {error, _}.
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun) ->
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, "application/jose+json").
|
||||
|
||||
-spec prepare_post_request(url(), jose_jwk:key(), jiffy:json_value(),
|
||||
nonce(), handle_resp_fun(), string()) -> {ok, _, nonce()} | {error, _}.
|
||||
prepare_post_request(Url, PrivateKey, EJson, Nonce, HandleRespFun, ResponseType) ->
|
||||
case encode(EJson) of
|
||||
{ok, ReqBody} ->
|
||||
FinalBody = sign_encode_json_jose(PrivateKey, ReqBody, Nonce),
|
||||
case make_post_request(Url, FinalBody, ResponseType) of
|
||||
{ok, Head, Return} ->
|
||||
HandleRespFun({ok, Head, Return});
|
||||
Error ->
|
||||
Error
|
||||
end;
|
||||
{error, Reason} ->
|
||||
?ERROR_MSG("Error: ~p when encoding: ~p", [Reason, EJson]),
|
||||
{error, Reason}
|
||||
end.
|
||||
|
||||
-spec prepare_get_request(url(), handle_resp_fun()) ->
|
||||
{ok, _, nonce()} | {error, _}.
|
||||
prepare_get_request(Url, HandleRespFun) ->
|
||||
prepare_get_request(Url, HandleRespFun, "application/jose+json").
|
||||
|
||||
-spec prepare_get_request(url(), handle_resp_fun(), string()) ->
|
||||
{ok, _, nonce()} | {error, _}.
|
||||
prepare_get_request(Url, HandleRespFun, ResponseType) ->
|
||||
case make_get_request(Url, ResponseType) of
|
||||
{ok, Head, Return} ->
|
||||
HandleRespFun({ok, Head, Return});
|
||||
Error ->
|
||||
Error
|
||||
end.
|
||||
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Jose Json Functions
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec sign_json_jose(jose_jwk:key(), bitstring(), nonce()) -> {_, jws()}.
|
||||
sign_json_jose(Key, Json, Nonce) ->
|
||||
PubKey = ejabberd_acme:to_public(Key),
|
||||
{_, BinaryPubKey} = jose_jwk:to_binary(PubKey),
|
||||
PubKeyJson = jiffy:decode(BinaryPubKey),
|
||||
%% TODO: Ensure this works for all cases
|
||||
AlgMap = jose_jwk:signer(Key),
|
||||
JwsMap =
|
||||
#{ <<"jwk">> => PubKeyJson,
|
||||
%% <<"b64">> => true,
|
||||
<<"nonce">> => list_to_bitstring(Nonce)
|
||||
},
|
||||
JwsObj0 = maps:merge(JwsMap, AlgMap),
|
||||
JwsObj = jose_jws:from(JwsObj0),
|
||||
jose_jws:sign(Key, Json, JwsObj).
|
||||
|
||||
-spec sign_encode_json_jose(jose_jwk:key(), bitstring(), nonce()) -> bitstring().
|
||||
sign_encode_json_jose(Key, Json, Nonce) ->
|
||||
{_, Signed} = sign_json_jose(Key, Json, Nonce),
|
||||
%% This depends on jose library, so we can consider it safe
|
||||
jiffy:encode(Signed).
|
||||
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Useful funs
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec get_nonce(proplist()) -> nonce() | 'none'.
|
||||
get_nonce(Head) ->
|
||||
case proplists:lookup("replay-nonce", Head) of
|
||||
{"replay-nonce", Nonce} -> Nonce;
|
||||
none -> none
|
||||
end.
|
||||
|
||||
-spec get_location(proplist()) -> url() | 'none'.
|
||||
get_location(Head) ->
|
||||
case proplists:lookup("location", Head) of
|
||||
{"location", Location} -> Location;
|
||||
none -> none
|
||||
end.
|
||||
|
||||
%% Very bad way to extract this
|
||||
%% TODO: Find a better way
|
||||
-spec get_tos(proplist()) -> url() | 'none'.
|
||||
get_tos(Head) ->
|
||||
try
|
||||
[{_, Link}] = [{K, V} || {K, V} <- Head,
|
||||
K =:= "link" andalso
|
||||
lists:suffix("\"terms-of-service\"", V)],
|
||||
[Link1, _] = string:tokens(Link, ";"),
|
||||
Link2 = string:strip(Link1, left, $<),
|
||||
string:strip(Link2, right, $>)
|
||||
catch
|
||||
_:_ ->
|
||||
none
|
||||
end.
|
||||
|
||||
decode_response(Head, Body, "application/pkix-cert") ->
|
||||
{ok, Head, Body};
|
||||
decode_response(Head, Body, "application/jose+json") ->
|
||||
case decode(Body) of
|
||||
{ok, Return} ->
|
||||
{ok, Head, Return};
|
||||
{error, Reason} ->
|
||||
?ERROR_MSG("Problem decoding: ~s", [Body]),
|
||||
{error, Reason}
|
||||
end.
|
||||
|
||||
encode(EJson) ->
|
||||
try
|
||||
{ok, jiffy:encode(EJson)}
|
||||
catch
|
||||
_:Reason ->
|
||||
{error, Reason}
|
||||
end.
|
||||
|
||||
decode(Json) ->
|
||||
try
|
||||
{Result} = jiffy:decode(Json),
|
||||
{ok, Result}
|
||||
catch
|
||||
_:Reason ->
|
||||
{error, Reason}
|
||||
end.
|
||||
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
%%
|
||||
%% Handle Failed HTTP Requests
|
||||
%%
|
||||
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
||||
|
||||
-spec failed_http_request({ok, _} | {error, _}, url()) -> {error, _}.
|
||||
failed_http_request({ok, {{_, Code, Reason}, _Head, Body}}, Url) ->
|
||||
?ERROR_MSG("Got unexpected status code from <~s>: ~B, Body: ~s",
|
||||
[Url, Code, Body]),
|
||||
throw({error, {unexpected_code, Code, Reason}});
|
||||
failed_http_request({error, Reason}, Url) ->
|
||||
?ERROR_MSG("Error making a request to <~s>: ~p",
|
||||
[Url, Reason]),
|
||||
throw({error, Reason}).
|
@ -44,6 +44,11 @@
|
||||
registered_users/1,
|
||||
%% Migration jabberd1.4
|
||||
import_file/1, import_dir/1,
|
||||
%% Acme
|
||||
get_certificate/1,
|
||||
renew_certificate/0,
|
||||
list_certificates/1,
|
||||
revoke_certificate/1,
|
||||
%% Purge DB
|
||||
delete_expired_messages/0, delete_old_messages/1,
|
||||
%% Mnesia
|
||||
@ -104,7 +109,7 @@ get_commands_spec() ->
|
||||
module = ?MODULE, function = status,
|
||||
result_desc = "Result tuple",
|
||||
result_example = {ok, <<"The node ejabberd@localhost is started with status: started"
|
||||
"ejabberd X.X is running in that node">>},
|
||||
"ejabberd X.X is running in that node">>},
|
||||
args = [], result = {res, restuple}},
|
||||
#ejabberd_commands{name = stop, tags = [server],
|
||||
desc = "Stop ejabberd gracefully",
|
||||
@ -126,9 +131,9 @@ get_commands_spec() ->
|
||||
#ejabberd_commands{name = stop_kindly, tags = [server],
|
||||
desc = "Inform users and rooms, wait, and stop the server",
|
||||
longdesc = "Provide the delay in seconds, and the "
|
||||
"announcement quoted, for example: \n"
|
||||
"ejabberdctl stop_kindly 60 "
|
||||
"\\\"The server will stop in one minute.\\\"",
|
||||
"announcement quoted, for example: \n"
|
||||
"ejabberdctl stop_kindly 60 "
|
||||
"\\\"The server will stop in one minute.\\\"",
|
||||
module = ?MODULE, function = stop_kindly,
|
||||
args_desc = ["Seconds to wait", "Announcement to send, with quotes"],
|
||||
args_example = [60, <<"Server will stop now.">>],
|
||||
@ -192,7 +197,7 @@ get_commands_spec() ->
|
||||
result_example = [<<"user1">>, <<"user2">>],
|
||||
args = [{host, binary}],
|
||||
result = {users, {list, {username, string}}}},
|
||||
#ejabberd_commands{name = registered_vhosts, tags = [server],
|
||||
#ejabberd_commands{name = registered_vhosts, tags = [server],
|
||||
desc = "List all registered vhosts in SERVER",
|
||||
module = ?MODULE, function = registered_vhosts,
|
||||
result_desc = "List of available vhosts",
|
||||
@ -215,7 +220,7 @@ get_commands_spec() ->
|
||||
#ejabberd_commands{name = leave_cluster, tags = [cluster],
|
||||
desc = "Remove and shutdown Node from the running cluster",
|
||||
longdesc = "This command can be run from any running node of the cluster, "
|
||||
"even the node to be removed.",
|
||||
"even the node to be removed.",
|
||||
module = ?MODULE, function = leave_cluster,
|
||||
args_desc = ["Nodename of the node to kick from the cluster"],
|
||||
args_example = [<<"ejabberd1@machine8">>],
|
||||
@ -242,6 +247,30 @@ get_commands_spec() ->
|
||||
args_example = ["/var/lib/ejabberd/jabberd14/"],
|
||||
args = [{file, string}],
|
||||
result = {res, restuple}},
|
||||
#ejabberd_commands{name = get_certificate, tags = [acme],
|
||||
desc = "Gets a certificate for all or the specified domains {all|domain1;domain2;...}.",
|
||||
module = ?MODULE, function = get_certificate,
|
||||
args_desc = ["Domains for which to acquire a certificate"],
|
||||
args_example = ["all | www.example.com;www.example1.net"],
|
||||
args = [{domains, string}],
|
||||
result = {certificates, string}},
|
||||
#ejabberd_commands{name = renew_certificate, tags = [acme],
|
||||
desc = "Renews all certificates that are close to expiring",
|
||||
module = ?MODULE, function = renew_certificate,
|
||||
args = [],
|
||||
result = {certificates, string}},
|
||||
#ejabberd_commands{name = list_certificates, tags = [acme],
|
||||
desc = "Lists all curently handled certificates and their respective domains in {plain|verbose} format",
|
||||
module = ?MODULE, function = list_certificates,
|
||||
args_desc = ["Whether to print the whole certificate or just some metadata. Possible values: plain | verbose"],
|
||||
args = [{option, string}],
|
||||
result = {certificates, {list, {certificate, string}}}},
|
||||
#ejabberd_commands{name = revoke_certificate, tags = [acme],
|
||||
desc = "Revokes the selected certificate",
|
||||
module = ?MODULE, function = revoke_certificate,
|
||||
args_desc = ["The domain or file (in pem format) of the certificate in question {domain:Domain | file:File}"],
|
||||
args = [{domain_or_file, string}],
|
||||
result = {res, restuple}},
|
||||
|
||||
#ejabberd_commands{name = import_piefxis, tags = [mnesia],
|
||||
desc = "Import users data from a PIEFXIS file (XEP-0227)",
|
||||
@ -321,9 +350,9 @@ get_commands_spec() ->
|
||||
desc = "Change the erlang node name in a backup file",
|
||||
module = ?MODULE, function = mnesia_change_nodename,
|
||||
args_desc = ["Name of the old erlang node", "Name of the new node",
|
||||
"Path to old backup file", "Path to the new backup file"],
|
||||
"Path to old backup file", "Path to the new backup file"],
|
||||
args_example = ["ejabberd@machine1", "ejabberd@machine2",
|
||||
"/var/lib/ejabberd/old.backup", "/var/lib/ejabberd/new.backup"],
|
||||
"/var/lib/ejabberd/old.backup", "/var/lib/ejabberd/new.backup"],
|
||||
args = [{oldnodename, string}, {newnodename, string},
|
||||
{oldbackup, string}, {newbackup, string}],
|
||||
result = {res, restuple}},
|
||||
@ -421,7 +450,7 @@ stop_kindly(DelaySeconds, AnnouncementTextString) ->
|
||||
{"Stopping ejabberd", application, stop, [ejabberd]},
|
||||
{"Stopping Mnesia", mnesia, stop, []},
|
||||
{"Stopping Erlang node", init, stop, []}
|
||||
],
|
||||
],
|
||||
NumberLast = length(Steps),
|
||||
TimestampStart = calendar:datetime_to_gregorian_seconds({date(), time()}),
|
||||
lists:foldl(
|
||||
@ -469,8 +498,8 @@ update_module(ModuleNameBin) when is_binary(ModuleNameBin) ->
|
||||
update_module(ModuleNameString) ->
|
||||
ModuleName = list_to_atom(ModuleNameString),
|
||||
case ejabberd_update:update([ModuleName]) of
|
||||
{ok, _Res} -> {ok, []};
|
||||
{error, Reason} -> {error, Reason}
|
||||
{ok, _Res} -> {ok, []};
|
||||
{error, Reason} -> {error, Reason}
|
||||
end.
|
||||
|
||||
%%%
|
||||
@ -500,7 +529,7 @@ registered_users(Host) ->
|
||||
lists:map(fun({U, _S}) -> U end, SUsers).
|
||||
|
||||
registered_vhosts() ->
|
||||
?MYHOSTS.
|
||||
?MYHOSTS.
|
||||
|
||||
reload_config() ->
|
||||
ejabberd_config:reload_file().
|
||||
@ -542,6 +571,38 @@ import_dir(Path) ->
|
||||
{cannot_import_dir, String}
|
||||
end.
|
||||
|
||||
%%%
|
||||
%%% Acme
|
||||
%%%
|
||||
|
||||
get_certificate(Domains) ->
|
||||
case ejabberd_acme:is_valid_domain_opt(Domains) of
|
||||
true ->
|
||||
ejabberd_acme:get_certificates(Domains);
|
||||
false ->
|
||||
io_lib:format("Invalid domains: ~p", [Domains])
|
||||
end.
|
||||
|
||||
renew_certificate() ->
|
||||
ejabberd_acme:renew_certificates().
|
||||
|
||||
list_certificates(Verbose) ->
|
||||
case ejabberd_acme:is_valid_verbose_opt(Verbose) of
|
||||
true ->
|
||||
ejabberd_acme:list_certificates(Verbose);
|
||||
false ->
|
||||
String = io_lib:format("Invalid verbose option: ~p", [Verbose]),
|
||||
{invalid_option, String}
|
||||
end.
|
||||
|
||||
revoke_certificate(DomainOrFile) ->
|
||||
case ejabberd_acme:is_valid_revoke_cert(DomainOrFile) of
|
||||
true ->
|
||||
ejabberd_acme:revoke_certificate(DomainOrFile);
|
||||
false ->
|
||||
String = io_lib:format("Bad argument: ~s", [DomainOrFile]),
|
||||
{invalid_argument, String}
|
||||
end.
|
||||
|
||||
%%%
|
||||
%%% Purge DB
|
||||
|
@ -465,7 +465,9 @@ process_request(#state{request_method = Method,
|
||||
opts = Options,
|
||||
headers = RequestHeaders,
|
||||
ip = IP},
|
||||
Res = case process(RequestHandlers, Request, Socket, SockMod, Trail) of
|
||||
RequestHandlers1 = ejabberd_hooks:run_fold(
|
||||
http_request_handlers, RequestHandlers, [Host, Request]),
|
||||
Res = case process(RequestHandlers1, Request, Socket, SockMod, Trail) of
|
||||
El when is_record(El, xmlel) ->
|
||||
make_xhtml_output(State, 200, CustomHeaders, El);
|
||||
{Status, Headers, El}
|
||||
|
@ -301,7 +301,14 @@ add_certfiles(Host, State) ->
|
||||
NewAccState
|
||||
end
|
||||
end, State, certfiles_from_config_options()),
|
||||
if State /= State1 ->
|
||||
State2 = case ejabberd_acme:certificate_exists(Host) of
|
||||
{true, Path} ->
|
||||
{_, State3} = add_certfile(Path, State1),
|
||||
State3;
|
||||
false ->
|
||||
State1
|
||||
end,
|
||||
if State /= State2 ->
|
||||
case build_chain_and_check(State1) of
|
||||
ok -> {ok, State1};
|
||||
{error, _} = Err -> Err
|
||||
|
Loading…
Reference in New Issue
Block a user