Mercurial > prosody-modules
comparison mod_host_guard/mod_host_guard.lua @ 515:e98fe28c50b0
mod_host_guard: added exceptions/whitelisting to the blockall logic (makes little sense otherwise has s2s_disallow = true does the same)
| author | Marco Cirillo <maranda@lightwitch.org> |
|---|---|
| date | Tue, 20 Dec 2011 20:19:53 +0000 |
| parents | 376c4a90249c |
| children | 219ffe3541ff |
comparison
equal
deleted
inserted
replaced
| 514:46e1983486e9 | 515:e98fe28c50b0 |
|---|---|
| 2 -- Block or restrict by blacklist remote access to local components. | 2 -- Block or restrict by blacklist remote access to local components. |
| 3 | 3 |
| 4 module:set_global() | 4 module:set_global() |
| 5 | 5 |
| 6 local guard_blockall = module:get_option_set("host_guard_blockall", {}) | 6 local guard_blockall = module:get_option_set("host_guard_blockall", {}) |
| 7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}) | |
| 7 local guard_protect = module:get_option_set("host_guard_selective", {}) | 8 local guard_protect = module:get_option_set("host_guard_selective", {}) |
| 8 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) | 9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) |
| 9 | 10 |
| 10 local s2smanager = require "core.s2smanager"; | 11 local s2smanager = require "core.s2smanager"; |
| 11 local config = require "core.configmanager"; | 12 local config = require "core.configmanager"; |
| 12 local nameprep = require "util.encodings".stringprep.nameprep; | 13 local nameprep = require "util.encodings".stringprep.nameprep; |
| 13 | 14 |
| 14 local _make_connect = s2smanager.make_connect; | 15 local _make_connect = s2smanager.make_connect; |
| 15 function s2smanager.make_connect(session, connect_host, connect_port) | 16 function s2smanager.make_connect(session, connect_host, connect_port) |
| 16 if not session.s2sValidation then | 17 if not session.s2sValidation then |
| 17 if guard_blockall:contains(session.from_host) or | 18 if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or |
| 18 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then | 19 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then |
| 19 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host); | 20 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host); |
| 20 s2smanager.destroy_session(session, "You're not authorized, good bye."); | 21 s2smanager.destroy_session(session, "You're not authorized, good bye."); |
| 21 return false; | 22 return false; |
| 22 end | 23 end |
| 32 session.s2sValidation = false; | 33 session.s2sValidation = false; |
| 33 else | 34 else |
| 34 session.s2sValidation = true; | 35 session.s2sValidation = true; |
| 35 end | 36 end |
| 36 | 37 |
| 37 if guard_blockall:contains(host) or | 38 if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or |
| 38 guard_block_bl:contains(from) and guard_protect:contains(host) then | 39 guard_block_bl:contains(from) and guard_protect:contains(host) then |
| 39 module:log("error", "remote service %s attempted to access restricted host %s", from, host); | 40 module:log("error", "remote service %s attempted to access restricted host %s", from, host); |
| 40 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | 41 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); |
| 41 return false; | 42 return false; |
| 42 end | 43 end |
| 45 | 46 |
| 46 local function sdr_hook (event) | 47 local function sdr_hook (event) |
| 47 local origin, stanza = event.origin, event.stanza; | 48 local origin, stanza = event.origin, event.stanza; |
| 48 | 49 |
| 49 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then | 50 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then |
| 50 if guard_blockall:contains(stanza.attr.to) or | 51 if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or |
| 51 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then | 52 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then |
| 52 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to); | 53 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to); |
| 53 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | 54 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); |
| 54 return false; | 55 return false; |
| 55 end | 56 end |
| 77 end | 78 end |
| 78 | 79 |
| 79 local function reload() | 80 local function reload() |
| 80 module:log ("debug", "server configuration reloaded, rehashing plugin tables..."); | 81 module:log ("debug", "server configuration reloaded, rehashing plugin tables..."); |
| 81 guard_blockall = module:get_option_set("host_guard_blockall", {}); | 82 guard_blockall = module:get_option_set("host_guard_blockall", {}); |
| 83 guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {}); | |
| 82 guard_protect = module:get_option_set("host_guard_components", {}); | 84 guard_protect = module:get_option_set("host_guard_components", {}); |
| 83 guard_block_bl = module:get_option_set("host_guard_blacklist", {}); | 85 guard_block_bl = module:get_option_set("host_guard_blacklist", {}); |
| 84 end | 86 end |
| 85 | 87 |
| 86 local function setup() | 88 local function setup() |