Mercurial > prosody-modules
comparison mod_host_guard/mod_host_guard.lua @ 528:1737c08fde30
mod_host_guard: stick to one code "punctuation" style.
| author | Marco Cirillo <maranda@lightwitch.org> |
|---|---|
| date | Sat, 07 Jan 2012 18:09:48 +0000 |
| parents | 219ffe3541ff |
| children | 47b9053dba38 |
comparison
equal
deleted
inserted
replaced
| 527:caf28c2c56a1 | 528:1737c08fde30 |
|---|---|
| 6 local guard_blockall = module:get_option_set("host_guard_blockall", {}) | 6 local guard_blockall = module:get_option_set("host_guard_blockall", {}) |
| 7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) | 7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) |
| 8 local guard_protect = module:get_option_set("host_guard_selective", {}) | 8 local guard_protect = module:get_option_set("host_guard_selective", {}) |
| 9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) | 9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) |
| 10 | 10 |
| 11 local s2smanager = require "core.s2smanager"; | 11 local s2smanager = require "core.s2smanager" |
| 12 local config = require "core.configmanager"; | 12 local config = require "core.configmanager" |
| 13 local nameprep = require "util.encodings".stringprep.nameprep; | 13 local nameprep = require "util.encodings".stringprep.nameprep |
| 14 | 14 |
| 15 local _make_connect = s2smanager.make_connect; | 15 local _make_connect = s2smanager.make_connect |
| 16 function s2smanager.make_connect(session, connect_host, connect_port) | 16 function s2smanager.make_connect(session, connect_host, connect_port) |
| 17 if not session.s2sValidation then | 17 if not session.s2sValidation then |
| 18 if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or | 18 if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or |
| 19 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then | 19 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then |
| 20 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host); | 20 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host) |
| 21 s2smanager.destroy_session(session, "You're not authorized, good bye."); | 21 s2smanager.destroy_session(session, "You're not authorized, good bye.") |
| 22 return false; | 22 return false; |
| 23 end | 23 end |
| 24 end | 24 end |
| 25 return _make_connect(session, connect_host, connect_port); | 25 return _make_connect(session, connect_host, connect_port) |
| 26 end | 26 end |
| 27 | 27 |
| 28 local _stream_opened = s2smanager.streamopened; | 28 local _stream_opened = s2smanager.streamopened |
| 29 function s2smanager.streamopened(session, attr) | 29 function s2smanager.streamopened(session, attr) |
| 30 local host = attr.to and nameprep(attr.to); | 30 local host = attr.to and nameprep(attr.to) |
| 31 local from = attr.from and nameprep(attr.from); | 31 local from = attr.from and nameprep(attr.from) |
| 32 if not from then | 32 if not from then |
| 33 session.s2sValidation = false; | 33 session.s2sValidation = false |
| 34 else | 34 else |
| 35 session.s2sValidation = true; | 35 session.s2sValidation = true |
| 36 end | 36 end |
| 37 | 37 |
| 38 if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or | 38 if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or |
| 39 guard_block_bl:contains(from) and guard_protect:contains(host) then | 39 guard_block_bl:contains(from) and guard_protect:contains(host) then |
| 40 module:log("error", "remote service %s attempted to access restricted host %s", from, host); | 40 module:log("error", "remote service %s attempted to access restricted host %s", from, host) |
| 41 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | 41 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}) |
| 42 return false; | 42 return false; |
| 43 end | 43 end |
| 44 _stream_opened(session, attr); | 44 _stream_opened(session, attr) |
| 45 end | 45 end |
| 46 | 46 |
| 47 local function sdr_hook (event) | 47 local function sdr_hook (event) |
| 48 local origin, stanza = event.origin, event.stanza; | 48 local origin, stanza = event.origin, event.stanza |
| 49 | 49 |
| 50 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then | 50 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then |
| 51 if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or | 51 if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or |
| 52 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then | 52 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then |
| 53 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to); | 53 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to) |
| 54 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | 54 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}) |
| 55 return false; | 55 return false |
| 56 end | 56 end |
| 57 end | 57 end |
| 58 | 58 |
| 59 return nil; | 59 return nil |
| 60 end | 60 end |
| 61 | 61 |
| 62 local function handle_activation (host) | 62 local function handle_activation (host) |
| 63 if guard_blockall:contains(host) or guard_protect:contains(host) then | 63 if guard_blockall:contains(host) or guard_protect:contains(host) then |
| 64 if hosts[host] and hosts[host].events then | 64 if hosts[host] and hosts[host].events then |
| 65 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook, 100); | 65 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook, 100) |
| 66 module:log ("debug", "adding host protection for: "..host); | 66 module:log ("debug", "adding host protection for: "..host) |
| 67 end | 67 end |
| 68 end | 68 end |
| 69 end | 69 end |
| 70 | 70 |
| 71 local function handle_deactivation (host) | 71 local function handle_deactivation (host) |
| 72 if guard_blockall:contains(host) or guard_protect:contains(host) then | 72 if guard_blockall:contains(host) or guard_protect:contains(host) then |
| 73 if hosts[host] and hosts[host].events then | 73 if hosts[host] and hosts[host].events then |
| 74 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook); | 74 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook) |
| 75 module:log ("debug", "removing host protection for: "..host); | 75 module:log ("debug", "removing host protection for: "..host) |
| 76 end | 76 end |
| 77 end | 77 end |
| 78 end | 78 end |
| 79 | 79 |
| 80 local function reload() | 80 local function reload() |
| 81 module:log ("debug", "server configuration reloaded, rehashing plugin tables..."); | 81 module:log ("debug", "server configuration reloaded, rehashing plugin tables...") |
| 82 guard_blockall = module:get_option_set("host_guard_blockall", {}); | 82 guard_blockall = module:get_option_set("host_guard_blockall", {}) |
| 83 guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}); | 83 guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) |
| 84 guard_protect = module:get_option_set("host_guard_components", {}); | 84 guard_protect = module:get_option_set("host_guard_components", {}) |
| 85 guard_block_bl = module:get_option_set("host_guard_blacklist", {}); | 85 guard_block_bl = module:get_option_set("host_guard_blacklist", {}) |
| 86 end | 86 end |
| 87 | 87 |
| 88 local function setup() | 88 local function setup() |
| 89 module:log ("debug", "initializing host guard module..."); | 89 module:log ("debug", "initializing host guard module...") |
| 90 | 90 |
| 91 module:hook ("component-activated", handle_activation); | 91 module:hook ("component-activated", handle_activation) |
| 92 module:hook ("component-deactivated", handle_deactivation); | 92 module:hook ("component-deactivated", handle_deactivation) |
| 93 module:hook ("config-reloaded", reload); | 93 module:hook ("config-reloaded", reload) |
| 94 | 94 |
| 95 for n,table in pairs(hosts) do | 95 for n,table in pairs(hosts) do |
| 96 if table.type == "component" then | 96 if table.type == "component" then |
| 97 if guard_blockall:contains(n) or guard_protect:contains(n) then | 97 if guard_blockall:contains(n) or guard_protect:contains(n) then |
| 98 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook); | 98 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook) |
| 99 handle_activation(n); | 99 handle_activation(n) |
| 100 end | 100 end |
| 101 end | 101 end |
| 102 end | 102 end |
| 103 end | 103 end |
| 104 | 104 |
| 105 if prosody.start_time then | 105 if prosody.start_time then |
| 106 setup(); | 106 setup() |
| 107 else | 107 else |
| 108 prosody.events.add_handler("server-started", setup); | 108 prosody.events.add_handler("server-started", setup) |
| 109 end | 109 end |