Mercurial > prosody-modules
annotate mod_firewall/conditions.lib.lua @ 5416:2393dbae51ed
mod_http_oauth2: Add option for specifying TTL of registered clients
Meant to simplify configuration, since TTL vs ignoring expiration is
expected to be the main thing one would want to configure.
Unsure what the implications of having unlimited lifetime of clients
are, given no way to revoke them currently, short of rotating the
signing secret.
On one hand, it would be annoying to have the client expire.
On the other hand, it is trivial to re-register it.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 04 May 2023 18:41:33 +0200 |
parents | 84997bc3f92e |
children | 8226ac08484e |
rev | line source |
---|---|
2125
edf5cf3c474b
mod_firewall: Move meta() function to main module, and make it a global so libs can use it
Matthew Wild <mwild1@gmail.com>
parents:
2119
diff
changeset
|
1 --luacheck: globals meta idsafe |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 local condition_handlers = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 local jid = require "util.jid"; |
3973
df6227e288e5
mod_firewall: Fix use of unpack() on Lua 5.3
Kim Alvefur <zash@zash.se>
parents:
2928
diff
changeset
|
5 local unpack = table.unpack or unpack; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 |
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
7 -- Helper to convert user-input strings (yes/true//no/false) to a bool |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
8 local function string_to_boolean(s) |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
9 s = s:lower(); |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
10 return s == "yes" or s == "true"; |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
11 end |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
12 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 -- Return a code string for a condition that checks whether the contents |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 -- of variable with the name 'name' matches any of the values in the |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 -- comma/space/pipe delimited list 'values'. |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 local function compile_comparison_list(name, values) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 local conditions = {}; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 for value in values:gmatch("[^%s,|]+") do |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 table.insert(conditions, ("%s == %q"):format(name, value)); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 return table.concat(conditions, " or "); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 function condition_handlers.KIND(kind) |
2582
ac3140cd89a2
mod_firewall: Fix compilation error if TYPE/KIND had no parameter
Matthew Wild <mwild1@gmail.com>
parents:
2577
diff
changeset
|
25 assert(kind, "Expected stanza kind to match against"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 return compile_comparison_list("name", kind), { "name" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 local wildcard_equivs = { ["*"] = ".*", ["?"] = "." }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 local function compile_jid_match_part(part, match) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 if not match then |
2071
4161ff87e5a4
mod_firewall/conditions: Add semicolon
Kim Alvefur <zash@zash.se>
parents:
2070
diff
changeset
|
33 return part.." == nil"; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 end |
2072
eda5c54dfa30
mod_firewall: Anchor pattern at beginning and end
Kim Alvefur <zash@zash.se>
parents:
2071
diff
changeset
|
35 local pattern = match:match("^<(.*)>$"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 if pattern then |
962
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
37 if pattern == "*" then |
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
38 return part; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 end |
2070
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
2036
diff
changeset
|
40 if pattern:find("^<.*>$") then |
962
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
41 pattern = pattern:match("^<(.*)>$"); |
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
42 else |
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
43 pattern = pattern:gsub("%p", "%%%0"):gsub("%%(%p)", wildcard_equivs); |
93ffa3ffc66f
mod_firewall/conditions: Support Lua patterns in JID matching, and make <*>@example.com NOT match example.com
Matthew Wild <mwild1@gmail.com>
parents:
954
diff
changeset
|
44 end |
2074
86427261e3c4
mod_firewall: Use string.find in JID match, faster since the result is unused
Kim Alvefur <zash@zash.se>
parents:
2073
diff
changeset
|
45 return ("(%s and %s:find(%q))"):format(part, part, "^"..pattern.."$"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 else |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 return ("%s == %q"):format(part, match); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
49 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
50 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
51 local function compile_jid_match(which, match_jid) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
52 local match_node, match_host, match_resource = jid.split(match_jid); |
963
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
53 local conditions = {}; |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
54 conditions[#conditions+1] = compile_jid_match_part(which.."_node", match_node); |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
55 conditions[#conditions+1] = compile_jid_match_part(which.."_host", match_host); |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
56 if match_resource then |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
57 conditions[#conditions+1] = compile_jid_match_part(which.."_resource", match_resource); |
c7fca2c9e24f
mod_firewall/conditions: Don't use table.insert, so things are happy when compile_jid_match() returns nil
Matthew Wild <mwild1@gmail.com>
parents:
962
diff
changeset
|
58 end |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
59 return table.concat(conditions, " and "); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
60 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
61 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
62 function condition_handlers.TO(to) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
63 return compile_jid_match("to", to), { "split_to" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
64 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
65 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
66 function condition_handlers.FROM(from) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
67 return compile_jid_match("from", from), { "split_from" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
68 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
69 |
2036
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
70 function condition_handlers.FROM_EXACTLY(from) |
2552
18b6a55dd5d6
mod_firewall: Support expressions in TO/FROM EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
71 local metadeps = {}; |
18b6a55dd5d6
mod_firewall: Support expressions in TO/FROM EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
72 return ("from == %s"):format(metaq(from, metadeps)), { "from", unpack(metadeps) }; |
2036
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
73 end |
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
74 |
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
75 function condition_handlers.TO_EXACTLY(to) |
2552
18b6a55dd5d6
mod_firewall: Support expressions in TO/FROM EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
76 local metadeps = {}; |
18b6a55dd5d6
mod_firewall: Support expressions in TO/FROM EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
2545
diff
changeset
|
77 return ("to == %s"):format(metaq(to, metadeps)), { "to", unpack(metadeps) }; |
2036
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
78 end |
7ba6ed553c93
mod_firewall/conditions: Add FROM_EXACTLY and TO_EXACTLY
Matthew Wild <mwild1@gmail.com>
parents:
997
diff
changeset
|
79 |
2465
bd69ffe071e6
mod_firewall: Add 'TO SELF' check ('NOT TO?' worked until commit 9159f9166893)
Matthew Wild <mwild1@gmail.com>
parents:
2403
diff
changeset
|
80 function condition_handlers.TO_SELF() |
2563
2f1e25706f81
mod_firewall: TO SELF: Use raw stanza.attr.to directly, as 'to' defaults to bare JID if nil
Matthew Wild <mwild1@gmail.com>
parents:
2555
diff
changeset
|
81 -- Intentionally not using 'to' here, as that defaults to bare JID when nil |
2f1e25706f81
mod_firewall: TO SELF: Use raw stanza.attr.to directly, as 'to' defaults to bare JID if nil
Matthew Wild <mwild1@gmail.com>
parents:
2555
diff
changeset
|
82 return ("stanza.attr.to == nil"); |
2465
bd69ffe071e6
mod_firewall: Add 'TO SELF' check ('NOT TO?' worked until commit 9159f9166893)
Matthew Wild <mwild1@gmail.com>
parents:
2403
diff
changeset
|
83 end |
bd69ffe071e6
mod_firewall: Add 'TO SELF' check ('NOT TO?' worked until commit 9159f9166893)
Matthew Wild <mwild1@gmail.com>
parents:
2403
diff
changeset
|
84 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
85 function condition_handlers.TYPE(type) |
2582
ac3140cd89a2
mod_firewall: Fix compilation error if TYPE/KIND had no parameter
Matthew Wild <mwild1@gmail.com>
parents:
2577
diff
changeset
|
86 assert(type, "Expected 'type' value to match against"); |
979
cec42f884475
mod_firewall: The default value of the 'type' attribute on message stanzas is 'normal'
Kim Alvefur <zash@zash.se>
parents:
971
diff
changeset
|
87 return compile_comparison_list("(type or (name == 'message' and 'normal') or (name == 'presence' and 'available'))", type), { "type", "name" }; |
964
04e85eb3dfef
mod_firewall/conditions: Default types for message and presence
Matthew Wild <mwild1@gmail.com>
parents:
963
diff
changeset
|
88 end |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
89 |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
90 local function zone_check(zone, which) |
2928
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2916
diff
changeset
|
91 local zone_var = zone; |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2916
diff
changeset
|
92 if zone == "$local" then zone_var = "_local" end |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
93 local which_not = which == "from" and "to" or "from"; |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
94 return ("(zone_%s[%s_host] or zone_%s[%s] or zone_%s[bare_%s]) " |
2119
5f6c18fd0161
mod_firewall: Correct zone condition to check bare JID
Kim Alvefur <zash@zash.se>
parents:
2116
diff
changeset
|
95 .."and not(zone_%s[%s_host] or zone_%s[%s] or zone_%s[bare_%s])" |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
96 ) |
2928
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2916
diff
changeset
|
97 :format(zone_var, which, zone_var, which, zone_var, which, |
b0d92332b87f
mod_firewall: Add special case for $local zone (fixes #1090)
Kim Alvefur <zash@zash.se>
parents:
2916
diff
changeset
|
98 zone_var, which_not, zone_var, which_not, zone_var, which_not), { |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
99 "split_to", "split_from", "bare_to", "bare_from", "zone:"..zone |
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
100 }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
101 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
102 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
103 function condition_handlers.ENTERING(zone) |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
104 return zone_check(zone, "to"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
105 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
106 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
107 function condition_handlers.LEAVING(zone) |
965
d4e24fb289c0
mod_firewall: Improve zone handling, make it more efficient, and support dynamic dependencies in the compiler. ENTERING and LEAVING conditions now work at expected (not matching stanzas flowing within a zone).
Matthew Wild <mwild1@gmail.com>
parents:
964
diff
changeset
|
108 return zone_check(zone, "from"); |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
109 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
110 |
2537
acdc1767a715
mod_firewall: Make parameter to 'IN ROSTER' optional
Matthew Wild <mwild1@gmail.com>
parents:
2534
diff
changeset
|
111 -- IN ROSTER? (parameter is deprecated) |
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
112 function condition_handlers.IN_ROSTER(yes_no) |
2537
acdc1767a715
mod_firewall: Make parameter to 'IN ROSTER' optional
Matthew Wild <mwild1@gmail.com>
parents:
2534
diff
changeset
|
113 local in_roster_requirement = string_to_boolean(yes_no or "yes"); -- COMPAT w/ older scripts |
2342
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
114 return "not "..(in_roster_requirement and "not" or "").." roster_entry", { "roster_entry" }; |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
115 end |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
116 |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
117 function condition_handlers.IN_ROSTER_GROUP(group) |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
118 return ("not not (roster_entry and roster_entry.groups[%q])"):format(group), { "roster_entry" }; |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
119 end |
6848297cf40a
mod_firewall: Add conditions for testing whether a sender of a stanza is in the recipient's roster (or in a certain roster group)
Matthew Wild <mwild1@gmail.com>
parents:
2128
diff
changeset
|
120 |
2403
f96bdfd81eba
mod_firewall: SUBSCRIBED - condition that is true if the receiver of a stanza is subscribed to the sender
Kim Alvefur <zash@zash.se>
parents:
2386
diff
changeset
|
121 function condition_handlers.SUBSCRIBED() |
2857
ff1666716d10
mod_firewall: Make SUBSCRIBED match for stanzas sent to self (fixes #1052)
Kim Alvefur <zash@zash.se>
parents:
2618
diff
changeset
|
122 return "(bare_to == bare_from or to_node and rostermanager.is_contact_subscribed(to_node, to_host, bare_from))", |
ff1666716d10
mod_firewall: Make SUBSCRIBED match for stanzas sent to self (fixes #1052)
Kim Alvefur <zash@zash.se>
parents:
2618
diff
changeset
|
123 { "rostermanager", "split_to", "bare_to", "bare_from" }; |
2403
f96bdfd81eba
mod_firewall: SUBSCRIBED - condition that is true if the receiver of a stanza is subscribed to the sender
Kim Alvefur <zash@zash.se>
parents:
2386
diff
changeset
|
124 end |
f96bdfd81eba
mod_firewall: SUBSCRIBED - condition that is true if the receiver of a stanza is subscribed to the sender
Kim Alvefur <zash@zash.se>
parents:
2386
diff
changeset
|
125 |
2916
b1cdcbcd1c90
mod_firewall: Add PENDING SUBSCRIPTION FROM SENDER? condition
Matthew Wild <mwild1@gmail.com>
parents:
2894
diff
changeset
|
126 function condition_handlers.PENDING_SUBSCRIPTION_FROM_SENDER() |
b1cdcbcd1c90
mod_firewall: Add PENDING SUBSCRIPTION FROM SENDER? condition
Matthew Wild <mwild1@gmail.com>
parents:
2894
diff
changeset
|
127 return "(bare_to == bare_from or to_node and rostermanager.is_contact_pending_in(to_node, to_host, bare_from))", |
3982
ab065ff4628b
mod_firewall: Remove trailing whitespace
Kim Alvefur <zash@zash.se>
parents:
3973
diff
changeset
|
128 { "rostermanager", "split_to", "bare_to", "bare_from" }; |
2916
b1cdcbcd1c90
mod_firewall: Add PENDING SUBSCRIPTION FROM SENDER? condition
Matthew Wild <mwild1@gmail.com>
parents:
2894
diff
changeset
|
129 end |
b1cdcbcd1c90
mod_firewall: Add PENDING SUBSCRIPTION FROM SENDER? condition
Matthew Wild <mwild1@gmail.com>
parents:
2894
diff
changeset
|
130 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
131 function condition_handlers.PAYLOAD(payload_ns) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
132 return ("stanza:get_child(nil, %q)"):format(payload_ns); |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
134 |
954
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
135 function condition_handlers.INSPECT(path) |
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
136 if path:find("=") then |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
137 local query, match_type, value = path:match("(.-)([~/$]*)=(.*)"); |
2362
c065ab67d807
mod_firewall: INSPECT: Emit compilation error when the given stanza path is used for comparison but doesn't return a string
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
138 if not(query:match("#$") or query:match("@[^/]+")) then |
c065ab67d807
mod_firewall: INSPECT: Emit compilation error when the given stanza path is used for comparison but doesn't return a string
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
139 error("Stanza path does not return a string (append # for text content or @name for value of named attribute)", 0); |
c065ab67d807
mod_firewall: INSPECT: Emit compilation error when the given stanza path is used for comparison but doesn't return a string
Matthew Wild <mwild1@gmail.com>
parents:
2342
diff
changeset
|
140 end |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
141 local meta_deps = {}; |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
142 local quoted_value = ("%q"):format(value); |
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
143 if match_type:find("$", 1, true) then |
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
144 match_type = match_type:gsub("%$", ""); |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
145 quoted_value = meta(quoted_value, meta_deps); |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
146 end |
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
147 if match_type == "~" then -- Lua pattern match |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
148 return ("(stanza:find(%q) or ''):match(%s)"):format(query, quoted_value), meta_deps; |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
149 elseif match_type == "/" then -- find literal substring |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
150 return ("(stanza:find(%q) or ''):find(%s, 1, true)"):format(query, quoted_value), meta_deps; |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
151 elseif match_type == "" then -- exact match |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
152 return ("stanza:find(%q) == %s"):format(query, quoted_value), meta_deps; |
2109
9db4113d0cb5
mod_firewall: INSPECT: Support for pattern matches (confusingly using ~= instead of =)
Matthew Wild <mwild1@gmail.com>
parents:
2107
diff
changeset
|
153 else |
2386
00eed68f63bf
mod_firewall: INSPECT: support for literal substring search and expressions
Matthew Wild <mwild1@gmail.com>
parents:
2363
diff
changeset
|
154 error("Unrecognised comparison '"..match_type.."='", 0); |
2109
9db4113d0cb5
mod_firewall: INSPECT: Support for pattern matches (confusingly using ~= instead of =)
Matthew Wild <mwild1@gmail.com>
parents:
2107
diff
changeset
|
155 end |
954
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
156 end |
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
157 return ("stanza:find(%q)"):format(path); |
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
158 end |
bec5b6e2eab8
mod_firewall: Add INSPECT conditional, for deeper inspection of stanzas
Kim Alvefur <zash@zash.se>
parents:
947
diff
changeset
|
159 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
160 function condition_handlers.FROM_GROUP(group_name) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
161 return ("group_contains(%q, bare_from)"):format(group_name), { "group_contains", "bare_from" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
162 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
163 |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
164 function condition_handlers.TO_GROUP(group_name) |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
165 return ("group_contains(%q, bare_to)"):format(group_name), { "group_contains", "bare_to" }; |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
166 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
167 |
2594
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
168 function condition_handlers.CROSSING_GROUPS(group_names) |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
169 local code = {}; |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
170 for group_name in group_names:gmatch("([^, ][^,]+)") do |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
171 group_name = group_name:match("^%s*(.-)%s*$"); -- Trim leading/trailing whitespace |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
172 -- Just check that's it is crossing from outside group to inside group |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
173 table.insert(code, ("(group_contains(%q, bare_to) and group_contains(%q, bare_from))"):format(group_name, group_name)) |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
174 end |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
175 return "not "..table.concat(code, " or "), { "group_contains", "bare_to", "bare_from" }; |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
176 end |
1e1c929c1aa5
mod_firewall: Add and document CROSSING GROUPS condition
Matthew Wild <mwild1@gmail.com>
parents:
2584
diff
changeset
|
177 |
5002
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
178 -- COMPAT w/0.12: Deprecated |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
179 function condition_handlers.FROM_ADMIN_OF(host) |
2577
00cef058df8d
mod_firewall: TO/FROM ADMIN OF: Fix string quoting
Matthew Wild <mwild1@gmail.com>
parents:
2575
diff
changeset
|
180 return ("is_admin(bare_from, %s)"):format(host ~= "*" and metaq(host) or nil), { "is_admin", "bare_from" }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
181 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
182 |
5002
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
183 -- COMPAT w/0.12: Deprecated |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
184 function condition_handlers.TO_ADMIN_OF(host) |
2577
00cef058df8d
mod_firewall: TO/FROM ADMIN OF: Fix string quoting
Matthew Wild <mwild1@gmail.com>
parents:
2575
diff
changeset
|
185 return ("is_admin(bare_to, %s)"):format(host ~= "*" and metaq(host) or nil), { "is_admin", "bare_to" }; |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
186 end |
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
187 |
5002
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
188 -- COMPAT w/0.12: Deprecated |
2553
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
189 function condition_handlers.FROM_ADMIN() |
2575
214b49d05ea1
mod_firewall: Fix TO/FROM ADMIN to use current (module) host
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
190 return ("is_admin(bare_from, current_host)"), { "is_admin", "bare_from", "current_host" }; |
2553
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
191 end |
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
192 |
5002
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
193 -- COMPAT w/0.12: Deprecated |
2553
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
194 function condition_handlers.TO_ADMIN() |
2575
214b49d05ea1
mod_firewall: Fix TO/FROM ADMIN to use current (module) host
Matthew Wild <mwild1@gmail.com>
parents:
2564
diff
changeset
|
195 return ("is_admin(bare_to, current_host)"), { "is_admin", "bare_to", "current_host" }; |
2553
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
196 end |
7ed2a66bfabd
mod_firewall: Add TO/FROM ADMIN
Matthew Wild <mwild1@gmail.com>
parents:
2552
diff
changeset
|
197 |
5002
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
198 -- MAY: permission_to_check |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
199 function condition_handlers.MAY(permission_to_check) |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
200 return ("module:may(%q, event)"):format(permission_to_check); |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
201 end |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
202 |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
203 function condition_handlers.TO_ROLE(role_name) |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
204 return ("get_jid_role(bare_to, current_host) == %q"):format(role_name), { "get_jid_role", "current_host", "bare_to" }; |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
205 end |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
206 |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
207 function condition_handlers.FROM_ROLE(role_name) |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
208 return ("get_jid_role(bare_from, current_host) == %q"):format(role_name), { "get_jid_role", "current_host", "bare_from" }; |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
209 end |
84997bc3f92e
mod_firewall: Update for role-auth (backwards compatible)
Matthew Wild <mwild1@gmail.com>
parents:
4608
diff
changeset
|
210 |
968
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
211 local day_numbers = { sun = 0, mon = 2, tue = 3, wed = 4, thu = 5, fri = 6, sat = 7 }; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
212 |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
213 local function current_time_check(op, hour, minute) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
214 hour, minute = tonumber(hour), tonumber(minute); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
215 local adj_op = op == "<" and "<" or ">="; -- Start time inclusive, end time exclusive |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
216 if minute == 0 then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
217 return "(current_hour"..adj_op..hour..")"; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
218 else |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
219 return "((current_hour"..op..hour..") or (current_hour == "..hour.." and current_minute"..adj_op..minute.."))"; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
220 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
221 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
222 |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
223 local function resolve_day_number(day_name) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
224 return assert(day_numbers[day_name:sub(1,3):lower()], "Unknown day name: "..day_name); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
225 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
226 |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
227 function condition_handlers.DAY(days) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
228 local conditions = {}; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
229 for day_range in days:gmatch("[^,]+") do |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
230 local day_start, day_end = day_range:match("(%a+)%s*%-%s*(%a+)"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
231 if day_start and day_end then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
232 local day_start_num, day_end_num = resolve_day_number(day_start), resolve_day_number(day_end); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
233 local op = "and"; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
234 if day_end_num < day_start_num then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
235 op = "or"; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
236 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
237 table.insert(conditions, ("current_day >= %d %s current_day <= %d"):format(day_start_num, op, day_end_num)); |
2070
2356114ff505
mod_firewall: Optimize string match operations, string.find is faster than .match since no string is returned
Kim Alvefur <zash@zash.se>
parents:
2036
diff
changeset
|
238 elseif day_range:find("%a") then |
968
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
239 local day = resolve_day_number(day_range:match("%a+")); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
240 table.insert(conditions, "current_day == "..day); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
241 else |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
242 error("Unable to parse day/day range: "..day_range); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
243 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
244 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
245 assert(#conditions>0, "Expected a list of days or day ranges"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
246 return "("..table.concat(conditions, ") or (")..")", { "time:day" }; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
247 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
248 |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
249 function condition_handlers.TIME(ranges) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
250 local conditions = {}; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
251 for range in ranges:gmatch("([^,]+)") do |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
252 local clause = {}; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
253 range = range:lower() |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
254 :gsub("(%d+):?(%d*) *am", function (h, m) return tostring(tonumber(h)%12)..":"..(tonumber(m) or "00"); end) |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
255 :gsub("(%d+):?(%d*) *pm", function (h, m) return tostring(tonumber(h)%12+12)..":"..(tonumber(m) or "00"); end); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
256 local start_hour, start_minute = range:match("(%d+):(%d+) *%-"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
257 local end_hour, end_minute = range:match("%- *(%d+):(%d+)"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
258 local op = tonumber(start_hour) > tonumber(end_hour) and " or " or " and "; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
259 if start_hour and end_hour then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
260 table.insert(clause, current_time_check(">", start_hour, start_minute)); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
261 table.insert(clause, current_time_check("<", end_hour, end_minute)); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
262 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
263 if #clause == 0 then |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
264 error("Unable to parse time range: "..range); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
265 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
266 table.insert(conditions, "("..table.concat(clause, " "..op.." ")..")"); |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
267 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
268 return table.concat(conditions, " or "), { "time:hour,min" }; |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
269 end |
f3b0ddeebd9d
mod_firewall/conditions: Add DAY and TIME conditions
Matthew Wild <mwild1@gmail.com>
parents:
965
diff
changeset
|
270 |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
271 function condition_handlers.LIMIT(spec) |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
272 local name, param = spec:match("^(%w+) on (.+)$"); |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
273 local meta_deps = {}; |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
274 |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
275 if not name then |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
276 name = spec:match("^%w+$"); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
277 if not name then |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
278 error("Unable to parse LIMIT specification"); |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
279 end |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
280 else |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
281 param = meta(("%q"):format(param), meta_deps); |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
282 end |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
283 |
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
284 if not param then |
2519
d4bc434a60a4
mod_firewall: Update functions that use meta() to allow functions with deps inside expressions
Matthew Wild <mwild1@gmail.com>
parents:
2465
diff
changeset
|
285 return ("not global_throttle_%s:poll(1)"):format(name), { "globalthrottle:"..name, unpack(meta_deps) }; |
2128
21bc4d7cddae
mod_firewall: Add support for throttling based on user-defined properties (experimental)
Matthew Wild <mwild1@gmail.com>
parents:
2127
diff
changeset
|
286 end |
2859
22e11645a895
mod_firewall: Trim trailing whitespace [luacheck]
Kim Alvefur <zash@zash.se>
parents:
2857
diff
changeset
|
287 return ("not multi_throttle_%s:poll_on(%s, 1)"):format(name, param), { "multithrottle:"..name, unpack(meta_deps) }; |
971
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
968
diff
changeset
|
288 end |
53e158e44a44
mod_firewall: Add rate limiting capabilities, and keep zones and throttle objects in shared tables
Matthew Wild <mwild1@gmail.com>
parents:
968
diff
changeset
|
289 |
2107
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
290 function condition_handlers.ORIGIN_MARKED(name_and_time) |
2127
59023dffbdd4
mod_firewall: Allow underscore in mark names (thanks Ge0rG)
Matthew Wild <mwild1@gmail.com>
parents:
2125
diff
changeset
|
291 local name, time = name_and_time:match("^%s*([%w_]+)%s+%(([^)]+)s%)%s*$"); |
2107
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
292 if not name then |
2127
59023dffbdd4
mod_firewall: Allow underscore in mark names (thanks Ge0rG)
Matthew Wild <mwild1@gmail.com>
parents:
2125
diff
changeset
|
293 name = name_and_time:match("^%s*([%w_]+)%s*$"); |
2107
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
294 end |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
295 if not name then |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
296 error("Error parsing mark name, see documentation for usage examples"); |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
297 end |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
298 if time then |
2116
2bb42ba342f3
mod_firewall: Fix usage of incorrect variable current_time in ORIGIN_MARKED condition (thanks Ge0rG)
Matthew Wild <mwild1@gmail.com>
parents:
2109
diff
changeset
|
299 return ("(current_timestamp - (session.firewall_marked_%s or 0)) < %d"):format(idsafe(name), tonumber(time)), { "timestamp" }; |
2107
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
300 end |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
301 return ("not not session.firewall_marked_"..idsafe(name)); |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
302 end |
f445f43b9ba1
mod_firewall: Add support for session marking (MARK_ORIGIN, UNMARK_ORIGIN, ORIGIN_MARKED)
Matthew Wild <mwild1@gmail.com>
parents:
2075
diff
changeset
|
303 |
2894
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
304 function condition_handlers.USER_MARKED(name_and_time) |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
305 local name, time = name_and_time:match("^%s*([%w_]+)%s+%(([^)]+)s%)%s*$"); |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
306 if not name then |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
307 name = name_and_time:match("^%s*([%w_]+)%s*$"); |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
308 end |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
309 if not name then |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
310 error("Error parsing mark name, see documentation for usage examples"); |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
311 end |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
312 if time then |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
313 return ("(current_timestamp - (session.firewall_marks and session.firewall_marks.%s or 0)) < %d"):format(idsafe(name), tonumber(time)), { "timestamp" }; |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
314 end |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
315 return ("not not (session.firewall_marks and session.firewall_marks."..idsafe(name)..")"); |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
316 end |
165d2877eeac
mod_firewall: Add experimental user-centric persistent marks behind a feature flag
Kim Alvefur <zash@zash.se>
parents:
2882
diff
changeset
|
317 |
2554
19bb4606013f
mod_firewall: Fix everything wrong with SENT_DIRECTED_PRESENCE_TO_SENDER
Matthew Wild <mwild1@gmail.com>
parents:
2553
diff
changeset
|
318 function condition_handlers.SENT_DIRECTED_PRESENCE_TO_SENDER() |
2882
6f289283feb1
mod_firewall: Prevent traceback if no directed presence has been sent (fixes #1081)
Kim Alvefur <zash@zash.se>
parents:
2859
diff
changeset
|
319 return "not not (session.directed and session.directed[from])", { "from" }; |
2529
3fe4ca2b55c2
mod_firewall: Add 'SENT DIRECTED PRESENCE TO SENDER?'
Matthew Wild <mwild1@gmail.com>
parents:
2528
diff
changeset
|
320 end |
3fe4ca2b55c2
mod_firewall: Add 'SENT DIRECTED PRESENCE TO SENDER?'
Matthew Wild <mwild1@gmail.com>
parents:
2528
diff
changeset
|
321 |
2618
c6652d055ba3
mod_firewall: Add some more comments
Matthew Wild <mwild1@gmail.com>
parents:
2594
diff
changeset
|
322 -- TO FULL JID? |
2555
a9eb4d5566f3
mod_firewall: Add TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2554
diff
changeset
|
323 function condition_handlers.TO_FULL_JID() |
4608
4e8fa75cc678
mod_firewall: Remove reliance on full_sessions being a global
Kim Alvefur <zash@zash.se>
parents:
3982
diff
changeset
|
324 return "not not full_sessions[to]", { "to", "full_sessions" }; |
2555
a9eb4d5566f3
mod_firewall: Add TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2554
diff
changeset
|
325 end |
a9eb4d5566f3
mod_firewall: Add TO FULL JID
Matthew Wild <mwild1@gmail.com>
parents:
2554
diff
changeset
|
326 |
2520
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
327 -- CHECK LIST: spammers contains $<@from> |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
328 function condition_handlers.CHECK_LIST(list_condition) |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
329 local list_name, expr = list_condition:match("(%S+) contains (.+)$"); |
2521
66b81e144ded
mod_firewall: Fix CHECK LIST syntax check
Matthew Wild <mwild1@gmail.com>
parents:
2520
diff
changeset
|
330 if not (list_name and expr) then |
2520
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
331 error("Error parsing list check, syntax: LISTNAME contains EXPRESSION"); |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
332 end |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
333 local meta_deps = {}; |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
334 expr = meta(("%q"):format(expr), meta_deps); |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
335 return ("list_%s:contains(%s) == true"):format(list_name, expr), { "list:"..list_name, unpack(meta_deps) }; |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
336 end |
c6fd8975704b
mod_firewall: Initial support for lists, in-memory and HTTP
Matthew Wild <mwild1@gmail.com>
parents:
2519
diff
changeset
|
337 |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
338 -- SCAN: body for word in badwords |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
339 function condition_handlers.SCAN(scan_expression) |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
340 local search_name, pattern_name, list_name = scan_expression:match("(%S+) for (%S+) in (%S+)$"); |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
341 if not (search_name) then |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
342 error("Error parsing SCAN expression, syntax: SEARCH for PATTERN in LIST"); |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
343 end |
2584
d64fc9c3cffd
mod_firewall: Remove ambiguity from tokens dep parameter
Matthew Wild <mwild1@gmail.com>
parents:
2582
diff
changeset
|
344 return ("scan_list(list_%s, %s)"):format(list_name, "tokens_"..search_name.."_"..pattern_name), { "scan_list", "tokens:"..search_name.."-"..pattern_name, "list:"..list_name }; |
2528
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
345 end |
44a71584521d
mod_firewall: Add SEARCH, PATTERN definitions and SCAN condition to check tokenized stanza:find() against a list
Matthew Wild <mwild1@gmail.com>
parents:
2521
diff
changeset
|
346 |
2618
c6652d055ba3
mod_firewall: Add some more comments
Matthew Wild <mwild1@gmail.com>
parents:
2594
diff
changeset
|
347 -- COUNT: lines in body < 10 |
2545
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
348 local valid_comp_ops = { [">"] = ">", ["<"] = "<", ["="] = "==", ["=="] = "==", ["<="] = "<=", [">="] = ">=" }; |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
349 function condition_handlers.COUNT(count_expression) |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
350 local pattern_name, search_name, comparator_expression = count_expression:match("(%S+) in (%S+) (.+)$"); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
351 if not (pattern_name) then |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
352 error("Error parsing COUNT expression, syntax: PATTERN in SEARCH COMPARATOR"); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
353 end |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
354 local value; |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
355 comparator_expression = comparator_expression:gsub("%d+", function (value_string) |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
356 value = tonumber(value_string); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
357 return ""; |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
358 end); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
359 if not value then |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
360 error("Error parsing COUNT expression, expected value"); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
361 end |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
362 local comp_op = comparator_expression:gsub("%s+", ""); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
363 assert(valid_comp_ops[comp_op], "Error parsing COUNT expression, unknown comparison operator: "..comp_op); |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
364 return ("it_count(search_%s:gmatch(pattern_%s)) %s %d"):format(search_name, pattern_name, comp_op, value), { "it_count", "search:"..search_name, "pattern:"..pattern_name }; |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
365 end |
9b46d24edf0d
mod_firewall: Add and document COUNT condition
Matthew Wild <mwild1@gmail.com>
parents:
2537
diff
changeset
|
366 |
947
c91cac3b823f
mod_firewall: General stanza filtering plugin with a declarative rule-based syntax
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
367 return condition_handlers; |