comparison mod_component_guard/mod_component_guard.lua @ 458:4149fcacbbf1

mod_component_guard: refactored init code, added reload logic to prevent event pollution with stale duplicate handlers.
author Marco Cirillo <maranda@lightwitch.org>
date Sat, 22 Oct 2011 22:11:53 +0000
parents 79ba4f95d65c
children 3117d7e207c5
457:79ba4f95d65c 458:4149fcacbbf1
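--- a/mod_component_guard/mod_component_guard.lua
+++ b/mod_component_guard/mod_component_guard.lua
@@ -1,19 +1,20 @@
 -- Block or restrict by blacklist remote access to local components.
 
-local guard_blockall = module:get_option_set("component_guard_blockall") -- blocks all s2s irregardless
-local guard_protect = module:get_option_set("component_guard_components") -- add hook for blacklisting check
+local guard_blockall = module:get_option_set("component_guard_blockall")
+local guard_protect = module:get_option_set("component_guard_components")
 local guard_block_bl = module:get_option_set("component_guard_blacklist")
 
 local s2smanager = require "core.s2smanager";
 local config = require "core.configmanager";
 local nameprep = require "util.encodings".stringprep.nameprep;
 
 local _make_connect = s2smanager.make_connect;
 function s2smanager.make_connect(session, connect_host, connect_port)
 if not session.s2sValidation then
-if guard_blockall:contains(session.from_host) or guard_block_bl:contains(session.to_host) then
+if guard_blockall:contains(session.from_host) or
+guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
 module:log("error", "remote service %s attempted to access restricted component %s", session.to_host, session.from_host);
 s2smanager.destroy_session(session, "You're not authorized, good bye.");
 return false;
 end
 end
@@ -29,11 +30,11 @@
 else
 session.s2sValidation = true;
 end
 
 if guard_blockall:contains(host) or
-guard_block_bl:contains(from) then
+guard_block_bl:contains(from) and guard_protect:contains(host) then
 module:log("error", "remote service %s attempted to access restricted component %s", from, host);
 session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
 return false;
 end
 _stream_opened(session, attr);
@@ -41,11 +42,12 @@
 
 local function sdr_hook (event)
 local origin, stanza = event.origin, event.stanza;
 
 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
-if guard_blockall:contains(stanza.attr.to) or guard_block_bl:contains(stanza.attr.from) then
+if guard_blockall:contains(stanza.attr.to) or
+guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
 module:log("error", "remote service %s attempted to access restricted component %s", stanza.attr.from, stanza.attr.to);
 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
 return false;
 end
 end
@@ -69,15 +71,37 @@
 module:log ("debug", "removing component protection for: "..host);
 end
 end
 end
 
-prosody.events.add_handler("component-activated", handle_activation);
-prosody.events.add_handler("component-deactivated", handle_deactivation);
+local function reload()
+module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
+guard_blockall = module:get_option_set("component_guard_blockall");
+guard_protect = module:get_option_set("component_guard_components");
+guard_block_bl = module:get_option_set("component_guard_blacklist");
+end
 
-for n,table in pairs(hosts) do
-if table.type == "component" then
-if guard_blockall:contains(n) or guard_protect:contains(n) then
-handle_activation(n);
+local function setup()
+module:log ("debug", "initializing component guard module...");
+
+prosody.events.remove_handler("component-activated", handle_activation);
+prosody.events.add_handler("component-activated", handle_activation);
+prosody.events.remove_handler("component-deactivated", handle_deactivation);
+prosody.events.add_handler("component-deactivated", handle_deactivation);
+prosody.events.remove_handler("config-reloaded", reload);
+prosody.events.add_handler("config-reloaded", reload);
+
+for n,table in pairs(hosts) do
+if table.type == "component" then
+if guard_blockall:contains(n) or guard_protect:contains(n) then
+hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
+handle_activation(n);
+end
 end
 end
 end
+
+if prosody.start_time then
+setup();
+else
+prosody.events.add_handler("server-started", setup);
+end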
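Review bot: The three rewritten guard conditions (new lines 14-15, 35 and 47-48) depend on Lua's `and` binding tighter than `or`, so `blockall(x) or bl(y) and protect(x)` only reads as the intended "block everything, or block blacklisted senders of protected components" to someone who knows the precedence; parenthesising the blacklist clause, e.g. `if guard_blockall:contains(host) or (guard_block_bl:contains(from) and guard_protect:contains(host)) then`, makes the access decision unambiguous at each of the three sites. In `setup()` the loop variable `table` (new line 93) shadows the standard `table` library for the loop body; a name such as `host_data` avoids that. `reload()` refreshes the three option sets but does not re-run the per-host loop, so a component added to or removed from `component_guard_components` by a config reload appears to keep its previous hook state until the next restart — worth confirming, since `handle_activation` and `handle_deactivation` are defined outside the hunks shown. The stream-opened wrapper's body also starts outside the second hunk.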