comparison mod_host_guard/mod_host_guard.lua @ 515:e98fe28c50b0
mod_host_guard: added exceptions/whitelisting to the blockall logic (makes little sense otherwise, as s2s_disallow = true does the same)
author | Marco Cirillo <maranda@lightwitch.org> |
---|---|
date | Tue, 20 Dec 2011 20:19:53 +0000 |
parents | 376c4a90249c |
children | 219ffe3541ff |
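--- a/mod_host_guard/mod_host_guard.lua
+++ b/mod_host_guard/mod_host_guard.lua
@@ -2,21 +2,22 @@
 -- Block or restrict by blacklist remote access to local components.
 
 module:set_global()
 
 local guard_blockall = module:get_option_set("host_guard_blockall", {})
+local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {})
 local guard_protect = module:get_option_set("host_guard_selective", {})
 local guard_block_bl = module:get_option_set("host_guard_blacklist", {})
 
 local s2smanager = require "core.s2smanager";
 local config = require "core.configmanager";
 local nameprep = require "util.encodings".stringprep.nameprep;
 
 local _make_connect = s2smanager.make_connect;
 function s2smanager.make_connect(session, connect_host, connect_port)
 if not session.s2sValidation then
-if guard_blockall:contains(session.from_host) or
+if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or
 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host);
 s2smanager.destroy_session(session, "You're not authorized, good bye.");
 return false;
 end
@@ -32,11 +33,11 @@
 session.s2sValidation = false;
 else
 session.s2sValidation = true;
 end
 
-if guard_blockall:contains(host) or
+if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or
 guard_block_bl:contains(from) and guard_protect:contains(host) then
 module:log("error", "remote service %s attempted to access restricted host %s", from, host);
 session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
 return false;
 end
@@ -45,11 +46,11 @@
 
 local function sdr_hook (event)
 local origin, stanza = event.origin, event.stanza;
 
 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
-if guard_blockall:contains(stanza.attr.to) or
+if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or
 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to);
 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
 return false;
 end
@@ -77,10 +78,11 @@
 end
 
 local function reload()
 module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
 guard_blockall = module:get_option_set("host_guard_blockall", {});
+guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {});
 guard_protect = module:get_option_set("host_guard_components", {});
 guard_block_bl = module:get_option_set("host_guard_blacklist", {});
 end
 
 local function setup()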
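Review bot: In sdr_hook the new exception test keys on `stanza.attr.from`, which is whatever the remote stream put on the stanza and will often be a full JID (user@host/resource), so an exception configured as a bare host name will not match it and the sender stays blocked, while the make_connect and stream-level checks above compare bare hosts — the three checks no longer agree. The session-level remote host, presumably `origin.from_host` on the same session object the earlier checks read `from_host` from, is the value the server has actually verified for an authenticated s2sin stream and is the safer key, e.g. `not guard_ball_wl:contains(origin.from_host)`; if a per-stanza decision is really wanted, compare the host part of the `from` JID rather than the whole attribute. Lua's precedence parses the expression as `(blockall and not exception) or (blacklist and selective)`, which matches the intent, but parenthesising the two branches in all three places would make that explicit to the next reader. Unrelated to this commit but visible in the same hunk, reload() reads `host_guard_components` while the top of the file reads `host_guard_selective`, so a config reload changes which option drives guard_protect.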