Mercurial > prosody-modules
comparison mod_host_guard/mod_host_guard.lua @ 528:1737c08fde30
mod_host_guard: stick to one code "punctuation" style.
author | Marco Cirillo <maranda@lightwitch.org> |
---|---|
date | Sat, 07 Jan 2012 18:09:48 +0000 |
parents | 219ffe3541ff |
children | 47b9053dba38 |
comparison
equal
deleted
inserted
replaced
527:caf28c2c56a1 | 528:1737c08fde30 |
---|---|
6 local guard_blockall = module:get_option_set("host_guard_blockall", {}) | 6 local guard_blockall = module:get_option_set("host_guard_blockall", {}) |
7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) | 7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) |
8 local guard_protect = module:get_option_set("host_guard_selective", {}) | 8 local guard_protect = module:get_option_set("host_guard_selective", {}) |
9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) | 9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) |
10 | 10 |
11 local s2smanager = require "core.s2smanager"; | 11 local s2smanager = require "core.s2smanager" |
12 local config = require "core.configmanager"; | 12 local config = require "core.configmanager" |
13 local nameprep = require "util.encodings".stringprep.nameprep; | 13 local nameprep = require "util.encodings".stringprep.nameprep |
14 | 14 |
15 local _make_connect = s2smanager.make_connect; | 15 local _make_connect = s2smanager.make_connect |
16 function s2smanager.make_connect(session, connect_host, connect_port) | 16 function s2smanager.make_connect(session, connect_host, connect_port) |
17 if not session.s2sValidation then | 17 if not session.s2sValidation then |
18 if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or | 18 if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or |
19 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then | 19 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then |
20 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host); | 20 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host) |
21 s2smanager.destroy_session(session, "You're not authorized, good bye."); | 21 s2smanager.destroy_session(session, "You're not authorized, good bye.") |
22 return false; | 22 return false; |
23 end | 23 end |
24 end | 24 end |
25 return _make_connect(session, connect_host, connect_port); | 25 return _make_connect(session, connect_host, connect_port) |
26 end | 26 end |
27 | 27 |
28 local _stream_opened = s2smanager.streamopened; | 28 local _stream_opened = s2smanager.streamopened |
29 function s2smanager.streamopened(session, attr) | 29 function s2smanager.streamopened(session, attr) |
30 local host = attr.to and nameprep(attr.to); | 30 local host = attr.to and nameprep(attr.to) |
31 local from = attr.from and nameprep(attr.from); | 31 local from = attr.from and nameprep(attr.from) |
32 if not from then | 32 if not from then |
33 session.s2sValidation = false; | 33 session.s2sValidation = false |
34 else | 34 else |
35 session.s2sValidation = true; | 35 session.s2sValidation = true |
36 end | 36 end |
37 | 37 |
38 if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or | 38 if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or |
39 guard_block_bl:contains(from) and guard_protect:contains(host) then | 39 guard_block_bl:contains(from) and guard_protect:contains(host) then |
40 module:log("error", "remote service %s attempted to access restricted host %s", from, host); | 40 module:log("error", "remote service %s attempted to access restricted host %s", from, host) |
41 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | 41 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}) |
42 return false; | 42 return false; |
43 end | 43 end |
44 _stream_opened(session, attr); | 44 _stream_opened(session, attr) |
45 end | 45 end |
46 | 46 |
47 local function sdr_hook (event) | 47 local function sdr_hook (event) |
48 local origin, stanza = event.origin, event.stanza; | 48 local origin, stanza = event.origin, event.stanza |
49 | 49 |
50 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then | 50 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then |
51 if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or | 51 if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or |
52 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then | 52 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then |
53 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to); | 53 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to) |
54 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | 54 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}) |
55 return false; | 55 return false |
56 end | 56 end |
57 end | 57 end |
58 | 58 |
59 return nil; | 59 return nil |
60 end | 60 end |
61 | 61 |
62 local function handle_activation (host) | 62 local function handle_activation (host) |
63 if guard_blockall:contains(host) or guard_protect:contains(host) then | 63 if guard_blockall:contains(host) or guard_protect:contains(host) then |
64 if hosts[host] and hosts[host].events then | 64 if hosts[host] and hosts[host].events then |
65 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook, 100); | 65 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook, 100) |
66 module:log ("debug", "adding host protection for: "..host); | 66 module:log ("debug", "adding host protection for: "..host) |
67 end | 67 end |
68 end | 68 end |
69 end | 69 end |
70 | 70 |
71 local function handle_deactivation (host) | 71 local function handle_deactivation (host) |
72 if guard_blockall:contains(host) or guard_protect:contains(host) then | 72 if guard_blockall:contains(host) or guard_protect:contains(host) then |
73 if hosts[host] and hosts[host].events then | 73 if hosts[host] and hosts[host].events then |
74 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook); | 74 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook) |
75 module:log ("debug", "removing host protection for: "..host); | 75 module:log ("debug", "removing host protection for: "..host) |
76 end | 76 end |
77 end | 77 end |
78 end | 78 end |
79 | 79 |
80 local function reload() | 80 local function reload() |
81 module:log ("debug", "server configuration reloaded, rehashing plugin tables..."); | 81 module:log ("debug", "server configuration reloaded, rehashing plugin tables...") |
82 guard_blockall = module:get_option_set("host_guard_blockall", {}); | 82 guard_blockall = module:get_option_set("host_guard_blockall", {}) |
83 guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}); | 83 guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) |
84 guard_protect = module:get_option_set("host_guard_components", {}); | 84 guard_protect = module:get_option_set("host_guard_components", {}) |
85 guard_block_bl = module:get_option_set("host_guard_blacklist", {}); | 85 guard_block_bl = module:get_option_set("host_guard_blacklist", {}) |
86 end | 86 end |
87 | 87 |
88 local function setup() | 88 local function setup() |
89 module:log ("debug", "initializing host guard module..."); | 89 module:log ("debug", "initializing host guard module...") |
90 | 90 |
91 module:hook ("component-activated", handle_activation); | 91 module:hook ("component-activated", handle_activation) |
92 module:hook ("component-deactivated", handle_deactivation); | 92 module:hook ("component-deactivated", handle_deactivation) |
93 module:hook ("config-reloaded", reload); | 93 module:hook ("config-reloaded", reload) |
94 | 94 |
95 for n,table in pairs(hosts) do | 95 for n,table in pairs(hosts) do |
96 if table.type == "component" then | 96 if table.type == "component" then |
97 if guard_blockall:contains(n) or guard_protect:contains(n) then | 97 if guard_blockall:contains(n) or guard_protect:contains(n) then |
98 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook); | 98 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook) |
99 handle_activation(n); | 99 handle_activation(n) |
100 end | 100 end |
101 end | 101 end |
102 end | 102 end |
103 end | 103 end |
104 | 104 |
105 if prosody.start_time then | 105 if prosody.start_time then |
106 setup(); | 106 setup() |
107 else | 107 else |
108 prosody.events.add_handler("server-started", setup); | 108 prosody.events.add_handler("server-started", setup) |
109 end | 109 end |