X-Git-Url: https://git.enpas.org/?a=blobdiff_plain;f=prosodyctl;h=d9ae9b736ce0cbb1f8724845a536fb7112188e3f;hb=151f30adfab7fd2c6e8e136e868aeb70f0fac42c;hp=11c6296b5c869e8d9fbe530a3ff0bc8231d6d6c6;hpb=1361d5e33aaa1bb80c63069aea5239f99faebabd;p=prosody.git diff --git a/prosodyctl b/prosodyctl index 11c6296b..d9ae9b73 100755 --- a/prosodyctl +++ b/prosodyctl @@ -274,11 +274,12 @@ local commands = {}; local command = arg[1]; function commands.adduser(arg) + local jid_split = require "util.jid".split; if not arg[1] or arg[1] == "--help" then show_usage([[adduser JID]], [[Create the specified user account in Prosody]]); return 1; end - local user, host = arg[1]:match("([^@]+)@(.+)"); + local user, host = jid_split(arg[1]); if not user and host then show_message [[Failed to understand JID, please supply the JID you want to create]] show_usage [[adduser user@host]] @@ -313,11 +314,12 @@ function commands.adduser(arg) end function commands.passwd(arg) + local jid_split = require "util.jid".split; if not arg[1] or arg[1] == "--help" then show_usage([[passwd JID]], [[Set the password for the specified user account in Prosody]]); return 1; end - local user, host = arg[1]:match("([^@]+)@(.+)"); + local user, host = jid_split(arg[1]); if not user and host then show_message [[Failed to understand JID, please supply the JID you want to set the password for]] show_usage [[passwd user@host]] @@ -352,11 +354,12 @@ function commands.passwd(arg) end function commands.deluser(arg) + local jid_split = require "util.jid".split; if not arg[1] or arg[1] == "--help" then show_usage([[deluser JID]], [[Permanently remove the specified user account from Prosody]]); return 1; end - local user, host = arg[1]:match("([^@]+)@(.+)"); + local user, host = jid_split(arg[1]); if not user and host then show_message [[Failed to understand JID, please supply the JID you want to set the password for]] show_usage [[passwd user@host]] @@ -411,7 +414,11 @@ function commands.start(arg) local ok, ret = prosodyctl.start(); if ok then - if config.get("*", "daemonize") ~= false then + local daemonize = config.get("*", "daemonize"); + if daemonize == nil then + daemonize = prosody.installed; + end + if daemonize then local i=1; while true do local ok, running = prosodyctl.isrunning(); @@ -684,7 +691,12 @@ function cert_commands.config(arg) conf.distinguished_name[k] = nv ~= "." and nv or nil; end end - local conf_file = io.open(conf_filename, "w"); + local conf_file, err = io.open(conf_filename, "w"); + if not conf_file then + show_warning("Could not open OpenSSL config file for writing"); + show_warning(err); + os.exit(1); + end conf_file:write(conf:serialize()); conf_file:close(); print(""); @@ -777,12 +789,36 @@ function commands.cert(arg) end function commands.check(arg) + if arg[1] == "--help" then + show_usage([[check]], [[Perform basic checks on your Prosody installation]]); + return 1; + end local what = table.remove(arg, 1); local array, set = require "util.array", require "util.set"; local it = require "util.iterators"; local ok = true; + local function disabled_hosts(host, conf) return host ~= "*" and conf.enabled ~= false; end + local function enabled_hosts() return it.filter(disabled_hosts, pairs(config.getconfig())); end + if not what or what == "disabled" then + local disabled_hosts = set.new(); + for host, host_options in it.filter("*", pairs(config.getconfig())) do + if host_options.enabled == false then + disabled_hosts:add(host); + end + end + if not disabled_hosts:empty() then + local msg = "Checks will be skipped for these disabled hosts: %s"; + if what then msg = "These hosts are disabled: %s"; end + show_warning(msg, tostring(disabled_hosts)); + if what then return 0; end + print"" + end + end if not what or what == "config" then print("Checking config..."); + local deprecated = set.new({ + "bosh_ports", "disallow_s2s", "no_daemonize", "anonymous_login", + }); local known_global_options = set.new({ "pidfile", "log", "plugin_paths", "prosody_user", "prosody_group", "daemonize", "umask", "prosodyctl_timeout", "use_ipv6", "use_libevent", "network_settings" @@ -795,9 +831,27 @@ function commands.check(arg) print(" No global options defined. Perhaps you have put a host definition at the top") print(" of the config file? They should be at the bottom, see http://prosody.im/doc/configure#overview"); end + if it.count(enabled_hosts()) == 0 then + ok = false; + print(""); + if it.count(it.filter("*", pairs(config))) == 0 then + print(" No hosts are defined, please add at least one VirtualHost section") + elseif config["*"]["enabled"] == false then + print(" No hosts are enabled. Remove enabled = false from the global section or put enabled = true under at least one VirtualHost section") + else + print(" All hosts are disabled. Remove enabled = false from at least one VirtualHost section") + end + end -- Check for global options under hosts local global_options = set.new(it.to_array(it.keys(config["*"]))); - for host, options in it.filter("*", pairs(config)) do + local deprecated_global_options = set.intersection(global_options, deprecated); + if not deprecated_global_options:empty() then + print(""); + print(" You have some deprecated options in the global section:"); + print(" "..tostring(deprecated_global_options)) + ok = false; + end + for host, options in enabled_hosts() do local host_options = set.new(it.to_array(it.keys(options))); local misplaced_options = set.intersection(host_options, known_global_options); for name in pairs(options) do @@ -817,11 +871,22 @@ function commands.check(arg) print(""); print(" You need to move the following option"..(n>1 and "s" or "")..": "..table.concat(it.to_array(misplaced_options), ", ")); end + local subdomain = host:match("^[^.]+"); + if not(host_options:contains("component_module")) and (subdomain == "jabber" or subdomain == "xmpp" + or subdomain == "chat" or subdomain == "im") then + print(""); + print(" Suggestion: If "..host.. " is a new host with no real users yet, consider renaming it now to"); + print(" "..host:gsub("^[^.]+%.", "")..". You can use SRV records to redirect XMPP clients and servers to "..host.."."); + print(" For more information see: http://prosody.im/doc/dns"); + end end + print("Done.\n"); end if not what or what == "dns" then local dns = require "net.dns"; + local idna = require "util.encodings".idna; + local ip = require "util.ip"; local c2s_ports = set.new(config.get("*", "c2s_ports") or {5222}); local s2s_ports = set.new(config.get("*", "s2s_ports") or {5269}); @@ -835,17 +900,17 @@ function commands.check(arg) local problem_hosts = set.new(); - local external_addresses = set.new(); + local external_addresses, internal_addresses = set.new(), set.new(); local fqdn = socket.dns.tohostname(socket.dns.gethostname()); if fqdn then - local res = dns.lookup(fqdn, "A"); + local res = dns.lookup(idna.to_ascii(fqdn), "A"); if res then for _, record in ipairs(res) do external_addresses:add(record.a); end end - local res = dns.lookup(fqdn, "AAAA"); + local res = dns.lookup(idna.to_ascii(fqdn), "AAAA"); if res then for _, record in ipairs(res) do external_addresses:add(record.aaaa); @@ -853,6 +918,16 @@ function commands.check(arg) end end + local local_addresses = require"util.net".local_addresses() or {}; + + for addr in it.values(local_addresses) do + if not ip.new_ip(addr).private then + external_addresses:add(addr); + else + internal_addresses:add(addr); + end + end + if external_addresses:empty() then print(""); print(" Failed to determine the external addresses of this server. Checks may be inaccurate."); @@ -861,14 +936,14 @@ function commands.check(arg) local v6_supported = not not socket.tcp6; - for host, host_options in it.filter("*", pairs(config.getconfig())) do + for host, host_options in enabled_hosts() do local all_targets_ok, some_targets_ok = true, false; local is_component = not not host_options.component_module; print("Checking DNS for "..(is_component and "component" or "host").." "..host.."..."); local target_hosts = set.new(); if not is_component then - local res = dns.lookup("_xmpp-client._tcp."..host..".", "SRV"); + local res = dns.lookup("_xmpp-client._tcp."..idna.to_ascii(host)..".", "SRV"); if res then for _, record in ipairs(res) do target_hosts:add(record.srv.target); @@ -885,7 +960,7 @@ function commands.check(arg) end end end - local res = dns.lookup("_xmpp-server._tcp."..host..".", "SRV"); + local res = dns.lookup("_xmpp-server._tcp."..idna.to_ascii(host)..".", "SRV"); if res then for _, record in ipairs(res) do target_hosts:add(record.srv.target); @@ -910,26 +985,53 @@ function commands.check(arg) target_hosts:remove("localhost"); end + local modules = set.new(it.to_array(it.values(host_options.modules_enabled))) + + set.new(it.to_array(it.values(config.get("*", "modules_enabled")))) + + set.new({ config.get(host, "component_module") }); + + if modules:contains("proxy65") then + local proxy65_target = config.get(host, "proxy65_address") or host; + local A, AAAA = dns.lookup(idna.to_ascii(proxy65_target), "A"), dns.lookup(idna.to_ascii(proxy65_target), "AAAA"); + local prob = {}; + if not A then + table.insert(prob, "A"); + end + if v6_supported and not AAAA then + table.insert(prob, "AAAA"); + end + if #prob > 0 then + print(" File transfer proxy "..proxy65_target.." has no "..table.concat(prob, "/").." record. Create one or set 'proxy65_address' to the correct host/IP."); + end + end + for host in target_hosts do local host_ok_v4, host_ok_v6; - local res = dns.lookup(host, "A"); + local res = dns.lookup(idna.to_ascii(host), "A"); if res then for _, record in ipairs(res) do if external_addresses:contains(record.a) then some_targets_ok = true; host_ok_v4 = true; + elseif internal_addresses:contains(record.a) then + host_ok_v4 = true; + some_targets_ok = true; + print(" "..host.." A record points to internal address, external connections might fail"); else print(" "..host.." A record points to unknown address "..record.a); all_targets_ok = false; end end end - local res = dns.lookup(host, "AAAA"); + local res = dns.lookup(idna.to_ascii(host), "AAAA"); if res then for _, record in ipairs(res) do if external_addresses:contains(record.aaaa) then some_targets_ok = true; host_ok_v6 = true; + elseif internal_addresses:contains(record.aaaa) then + host_ok_v6 = true; + some_targets_ok = true; + print(" "..host.." AAAA record points to internal address, external connections might fail"); else print(" "..host.." AAAA record points to unknown address "..record.aaaa); all_targets_ok = false; @@ -937,12 +1039,17 @@ function commands.check(arg) end end + local bad_protos = {} if not host_ok_v4 then - print(" Host "..host.." does not seem to resolve to this server for IPv4"); + table.insert(bad_protos, "IPv4"); + end + if not host_ok_v6 then + table.insert(bad_protos, "IPv6"); + end + if #bad_protos > 0 then + print(" Host "..host.." does not seem to resolve to this server ("..table.concat(bad_protos, "/")..")"); end - if not host_ok_v6 and v6_supported then - print(" Host "..host.." does not seem to resolve to this server for IPv6"); - elseif host_ok_v6 and not v6_supported then + if host_ok_v6 and not v6_supported then print(" Host "..host.." has AAAA records, but your version of LuaSocket does not support IPv6."); print(" Please see http://prosody.im/doc/ipv6 for more information."); end @@ -952,9 +1059,9 @@ function commands.check(arg) if is_component then print(" DNS records are necessary if you want users on other servers to access this component."); end - print(""); problem_hosts:add(host); end + print(""); end if not problem_hosts:empty() then print(""); @@ -963,6 +1070,79 @@ function commands.check(arg) ok = false; end end + if not what or what == "certs" then + local cert_ok; + print"Checking certificates..." + local x509_verify_identity = require"util.x509".verify_identity; + local ssl = dependencies.softreq"ssl"; + -- local datetime_parse = require"util.datetime".parse_x509; + local load_cert = ssl and ssl.x509 and ssl.x509.load; + -- or ssl.cert_from_pem + if not ssl then + print("LuaSec not available, can't perform certificate checks") + if what == "certs" then cert_ok = false end + elseif not load_cert then + print("This version of LuaSec (" .. ssl._VERSION .. ") does not support certificate checking"); + cert_ok = false + else + for host in enabled_hosts() do + print("Checking certificate for "..host); + -- First, let's find out what certificate this host uses. + local ssl_config = config.rawget(host, "ssl"); + if not ssl_config then + local base_host = host:match("%.(.*)"); + ssl_config = config.get(base_host, "ssl"); + end + if not ssl_config then + print(" No 'ssl' option defined for "..host) + cert_ok = false + elseif not ssl_config.certificate then + print(" No 'certificate' set in ssl option for "..host) + cert_ok = false + elseif not ssl_config.key then + print(" No 'key' set in ssl option for "..host) + cert_ok = false + else + local key, err = io.open(ssl_config.key); -- Permissions check only + if not key then + print(" Could not open "..ssl_config.key..": "..err); + cert_ok = false + else + key:close(); + end + local cert_fh, err = io.open(ssl_config.certificate); -- Load the file. + if not cert_fh then + print(" Could not open "..ssl_config.certificate..": "..err); + cert_ok = false + else + print(" Certificate: "..ssl_config.certificate) + local cert = load_cert(cert_fh:read"*a"); cert_fh = cert_fh:close(); + if not cert:validat(os.time()) then + print(" Certificate has expired.") + cert_ok = false + end + if config.get(host, "component_module") == nil + and not x509_verify_identity(host, "_xmpp-client", cert) then + print(" Not vaild for client connections to "..host..".") + cert_ok = false + end + if (not (config.get(host, "anonymous_login") + or config.get(host, "authentication") == "anonymous")) + and not x509_verify_identity(host, "_xmpp-client", cert) then + print(" Not vaild for server-to-server connections to "..host..".") + cert_ok = false + end + end + end + end + if cert_ok == false then + print("") + print("For more information about certificates please see http://prosody.im/doc/certificates"); + ok = false + end + end + print("") + end if not ok then print("Problems found, see above."); else