Mercurial > prosody-modules
comparison mod_host_guard/mod_host_guard.lua @ 493:b1b80319bbf6
mod_host_guard: renamed mod_component_guard to mod_host_guard, as it really works with all hosts, finally decided to wiki it out and not merge it with the s2s_blackwhitelisting module.
| author | Marco Cirillo <maranda@lightwitch.org> |
|---|---|
| date | Sun, 04 Dec 2011 15:47:24 +0000 |
| parents | mod_component_guard/mod_component_guard.lua@9bb9343f3c7a |
| children | 376c4a90249c |
comparison
equal
deleted
inserted
replaced
| 492:f806c8a7f985 | 493:b1b80319bbf6 |
|---|---|
| 1 -- (C) 2011, Marco Cirillo (LW.Org) | |
| 2 -- Block or restrict by blacklist remote access to local components. | |
| 3 | |
| 4 module:set_global() | |
| 5 | |
| 6 local guard_blockall = module:get_option_set("host_guard_blockall", {}) | |
| 7 local guard_protect = module:get_option_set("host_guard_selective", {}) | |
| 8 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) | |
| 9 | |
| 10 local s2smanager = require "core.s2smanager"; | |
| 11 local config = require "core.configmanager"; | |
| 12 local nameprep = require "util.encodings".stringprep.nameprep; | |
| 13 | |
| 14 local _make_connect = s2smanager.make_connect; | |
| 15 function s2smanager.make_connect(session, connect_host, connect_port) | |
| 16 if not session.s2sValidation then | |
| 17 if guard_blockall:contains(session.from_host) or | |
| 18 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then | |
| 19 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host); | |
| 20 s2smanager.destroy_session(session, "You're not authorized, good bye."); | |
| 21 return false; | |
| 22 end | |
| 23 end | |
| 24 return _make_connect(session, connect_host, connect_port); | |
| 25 end | |
| 26 | |
| 27 local _stream_opened = s2smanager.streamopened; | |
| 28 function s2smanager.streamopened(session, attr) | |
| 29 local host = attr.to and nameprep(attr.to); | |
| 30 local from = attr.from and nameprep(attr.from); | |
| 31 if not from then | |
| 32 session.s2sValidation = false; | |
| 33 else | |
| 34 session.s2sValidation = true; | |
| 35 end | |
| 36 | |
| 37 if guard_blockall:contains(host) or | |
| 38 guard_block_bl:contains(from) and guard_protect:contains(host) then | |
| 39 module:log("error", "remote service %s attempted to access restricted host %s", from, host); | |
| 40 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | |
| 41 return false; | |
| 42 end | |
| 43 _stream_opened(session, attr); | |
| 44 end | |
| 45 | |
| 46 local function sdr_hook (event) | |
| 47 local origin, stanza = event.origin, event.stanza; | |
| 48 | |
| 49 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then | |
| 50 if guard_blockall:contains(stanza.attr.to) or | |
| 51 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then | |
| 52 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to); | |
| 53 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | |
| 54 return false; | |
| 55 end | |
| 56 end | |
| 57 | |
| 58 return nil; | |
| 59 end | |
| 60 | |
| 61 local function handle_activation (host) | |
| 62 if guard_blockall:contains(host) or guard_protect:contains(host) then | |
| 63 if hosts[host] and hosts[host].events then | |
| 64 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook, 100); | |
| 65 module:log ("debug", "adding host protection for: "..host); | |
| 66 end | |
| 67 end | |
| 68 end | |
| 69 | |
| 70 local function handle_deactivation (host) | |
| 71 if guard_blockall:contains(host) or guard_protect:contains(host) then | |
| 72 if hosts[host] and hosts[host].events then | |
| 73 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook); | |
| 74 module:log ("debug", "removing host protection for: "..host); | |
| 75 end | |
| 76 end | |
| 77 end | |
| 78 | |
| 79 local function reload() | |
| 80 module:log ("debug", "server configuration reloaded, rehashing plugin tables..."); | |
| 81 guard_blockall = module:get_option_set("host_guard_blockall"); | |
| 82 guard_protect = module:get_option_set("host_guard_components"); | |
| 83 guard_block_bl = module:get_option_set("host_guard_blacklist"); | |
| 84 end | |
| 85 | |
| 86 local function setup() | |
| 87 module:log ("debug", "initializing host guard module..."); | |
| 88 | |
| 89 module:hook ("component-activated", handle_activation); | |
| 90 module:hook ("component-deactivated", handle_deactivation); | |
| 91 module:hook ("config-reloaded", reload); | |
| 92 | |
| 93 for n,table in pairs(hosts) do | |
| 94 if table.type == "component" then | |
| 95 if guard_blockall:contains(n) or guard_protect:contains(n) then | |
| 96 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook); | |
| 97 handle_activation(n); | |
| 98 end | |
| 99 end | |
| 100 end | |
| 101 end | |
| 102 | |
| 103 if prosody.start_time then | |
| 104 setup(); | |
| 105 else | |
| 106 prosody.events.add_handler("server-started", setup); | |
| 107 end |