# HG changeset patch
# User Marco Cirillo
# Date 1319321513 0
# Node ID 4149fcacbbf1948643aa098d442fd0a911d5f6f2
# Parent 79ba4f95d65ca348e0119e49ac5fd773c3159aab
mod_component_guard: refactored init code, added reloading logic to prevent events pollution with stale dupes.
diff -r 79ba4f95d65c -r 4149fcacbbf1 mod_component_guard/mod_component_guard.lua
--- a/mod_component_guard/mod_component_guard.lua Sat Oct 22 19:30:43 2011 +0000
+++ b/mod_component_guard/mod_component_guard.lua Sat Oct 22 22:11:53 2011 +0000
@@ -1,7 +1,7 @@
 -- Block or restrict by blacklist remote access to local components.
-local guard_blockall = module:get_option_set("component_guard_blockall") -- blocks all s2s irregardless
-local guard_protect = module:get_option_set("component_guard_components") -- add hook for blacklisting check
+local guard_blockall = module:get_option_set("component_guard_blockall")
+local guard_protect = module:get_option_set("component_guard_components")
 local guard_block_bl = module:get_option_set("component_guard_blacklist")
 local s2smanager = require "core.s2smanager";
@@ -11,7 +11,8 @@
 local _make_connect = s2smanager.make_connect;
 function s2smanager.make_connect(session, connect_host, connect_port)
 if not session.s2sValidation then
- if guard_blockall:contains(session.from_host) or guard_block_bl:contains(session.to_host) then
+ if guard_blockall:contains(session.from_host) or
+ guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
 module:log("error", "remote service %s attempted to access restricted component %s", session.to_host, session.from_host);
 s2smanager.destroy_session(session, "You're not authorized, good bye.");
 return false;
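Review bot: The two option declarations at the top of the file lose their trailing comments and nothing replaces them, while the later hunks change what the lists mean: a `component_guard_blacklist` entry now only denies traffic for a component that is also listed in `component_guard_components`. I would document that on the declarations, e.g. `-- component_guard_blockall: components closed to all s2s traffic`, `-- component_guard_components: components the blacklist applies to` and `-- component_guard_blacklist: remote hosts denied access to the components above`. Without it, an operator who sets only the blacklist could assume it is enforced for every component.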
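Review bot: The new condition in `s2smanager.make_connect` mixes `or` and `and` without parentheses, and the same pattern recurs in the hunks at -31,7 and -43,7. Lua binds `and` tighter than `or`, so it evaluates as block-all OR (blacklisted AND protected), which looks like the intent, but an access-control test should state that explicitly: `if guard_blockall:contains(session.from_host) or (guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host)) then`. All three sets are also dereferenced unconditionally; if `get_option_set` returns nil for an unset option (its behaviour is not visible here), the check raises instead of deciding, so passing an empty default such as `module:get_option_set("component_guard_blacklist", {})` would be safer. The function body starts and ends outside the hunk.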
@@ -31,7 +32,7 @@
 end
 if guard_blockall:contains(host) or
- guard_block_bl:contains(from) then
+ guard_block_bl:contains(from) and guard_protect:contains(host) then
 module:log("error", "remote service %s attempted to access restricted component %s", from, host);
 session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
 return false;
@@ -43,7 +44,8 @@
 local origin, stanza = event.origin, event.stanza;
 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
- if guard_blockall:contains(stanza.attr.to) or guard_block_bl:contains(stanza.attr.from) then
+ if guard_blockall:contains(stanza.attr.to) or
+ guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
 module:log("error", "remote service %s attempted to access restricted component %s", stanza.attr.from, stanza.attr.to);
 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
 return false;
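Review bot: In the `s2sin` / `s2sin_unauthed` branch (hunk at -43,7) the sets are matched against `stanza.attr.from` and `stanza.attr.to` exactly as the remote side sent them. Unless those attributes are normalised before this handler runs (not visible in the hunk), a host name that is equivalent to a configured entry but written differently would not match, and the stanza would pass the guard. I would compare prepared values and treat a missing or unpreparable attribute as a denial, e.g. `local to, from = nameprep(stanza.attr.to), nameprep(stanza.attr.from);` with `nameprep` taken from `require "util.encodings".stringprep`. The handler body continues outside the hunk.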
@@ -71,13 +73,35 @@
 end
 end
-prosody.events.add_handler("component-activated", handle_activation);
-prosody.events.add_handler("component-deactivated", handle_deactivation);
+local function reload()
+ module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
+ guard_blockall = module:get_option_set("component_guard_blockall");
+ guard_protect = module:get_option_set("component_guard_components");
+ guard_block_bl = module:get_option_set("component_guard_blacklist");
+end
+
+local function setup()
+ module:log ("debug", "initializing component guard module...");
-for n,table in pairs(hosts) do
- if table.type == "component" then
- if guard_blockall:contains(n) or guard_protect:contains(n) then
- handle_activation(n);
+ prosody.events.remove_handler("component-activated", handle_activation);
+ prosody.events.add_handler("component-activated", handle_activation);
+ prosody.events.remove_handler("component-deactivated", handle_deactivation);
+ prosody.events.add_handler("component-deactivated", handle_deactivation);
+ prosody.events.remove_handler("config-reloaded", reload);
+ prosody.events.add_handler("config-reloaded", reload);
+
+ for n,table in pairs(hosts) do
+ if table.type == "component" then
+ if guard_blockall:contains(n) or guard_protect:contains(n) then
+ hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
+ handle_activation(n);
+ end
 end
 end
 end
+
+if prosody.start_time then
+ setup();
+else
+ prosody.events.add_handler("server-started", setup);
+end
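Review bot: The `remove_handler` calls in `setup()` are passed the `handle_activation`, `handle_deactivation` and `reload` functions of the current load, so if the file is re-executed on module reload (the usual case for Prosody modules; the loader is not visible here) they cannot match the handlers registered by the previous load, and the stale handlers, with their old option sets, stay attached. Removing them from `module.unload`, which runs while the old function values are still in scope, would make the cleanup effective. Separately, `reload()` refreshes the three sets but does not repeat the host loop, so a component newly added to the lists appears to stay unhooked until it is activated again. The `for n,table` loop variable also shadows the `table` library; a name such as `host_obj` avoids that.

```lua
-- … unchanged: reload(), setup() and the server-started registration …

-- Called on the instance being unloaded, so these are the same function
-- values that setup() registered.
function module.unload()
	prosody.events.remove_handler("component-activated", handle_activation);
	prosody.events.remove_handler("component-deactivated", handle_deactivation);
	prosody.events.remove_handler("config-reloaded", reload);
	prosody.events.remove_handler("server-started", setup);
	-- per-host hooks: undo whatever handle_activation installed (outside this hunk)
end
```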