prosody-modules
4149fcacbbf1
mod_component_guard/mod_component_guard.lua
Software / code / prosody-modules
Comparison
mod_component_guard/mod_component_guard.lua @ 458:4149fcacbbf1
mod_component_guard: refactored init code, added reloading logic to prevent events pollution with stale dupes.
| author | Marco Cirillo <maranda@lightwitch.org> |
|---|---|
| date | Sat, 22 Oct 2011 22:11:53 +0000 |
| parent | 457:79ba4f95d65c |
| child | 459:3117d7e207c5 |
comparison
equal
deleted
inserted
replaced
| 457:79ba4f95d65c | 458:4149fcacbbf1 |
|---|---|
| 1 -- Block or restrict by blacklist remote access to local components. | 1 -- Block or restrict by blacklist remote access to local components. |
| 2 | 2 |
| 3 local guard_blockall = module:get_option_set("component_guard_blockall") -- blocks all s2s irregardless | 3 local guard_blockall = module:get_option_set("component_guard_blockall") |
| 4 local guard_protect = module:get_option_set("component_guard_components") -- add hook for blacklisting check | 4 local guard_protect = module:get_option_set("component_guard_components") |
| 5 local guard_block_bl = module:get_option_set("component_guard_blacklist") | 5 local guard_block_bl = module:get_option_set("component_guard_blacklist") |
| 6 | 6 |
| 7 local s2smanager = require "core.s2smanager"; | 7 local s2smanager = require "core.s2smanager"; |
| 8 local config = require "core.configmanager"; | 8 local config = require "core.configmanager"; |
| 9 local nameprep = require "util.encodings".stringprep.nameprep; | 9 local nameprep = require "util.encodings".stringprep.nameprep; |
| 10 | 10 |
| 11 local _make_connect = s2smanager.make_connect; | 11 local _make_connect = s2smanager.make_connect; |
| 12 function s2smanager.make_connect(session, connect_host, connect_port) | 12 function s2smanager.make_connect(session, connect_host, connect_port) |
| 13 if not session.s2sValidation then | 13 if not session.s2sValidation then |
| 14 if guard_blockall:contains(session.from_host) or guard_block_bl:contains(session.to_host) then | 14 if guard_blockall:contains(session.from_host) or |
| 15 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then | |
| 15 module:log("error", "remote service %s attempted to access restricted component %s", session.to_host, session.from_host); | 16 module:log("error", "remote service %s attempted to access restricted component %s", session.to_host, session.from_host); |
| 16 s2smanager.destroy_session(session, "You're not authorized, good bye."); | 17 s2smanager.destroy_session(session, "You're not authorized, good bye."); |
| 17 return false; | 18 return false; |
| 18 end | 19 end |
| 19 end | 20 end |
| 29 else | 30 else |
| 30 session.s2sValidation = true; | 31 session.s2sValidation = true; |
| 31 end | 32 end |
| 32 | 33 |
| 33 if guard_blockall:contains(host) or | 34 if guard_blockall:contains(host) or |
| 34 guard_block_bl:contains(from) then | 35 guard_block_bl:contains(from) and guard_protect:contains(host) then |
| 35 module:log("error", "remote service %s attempted to access restricted component %s", from, host); | 36 module:log("error", "remote service %s attempted to access restricted component %s", from, host); |
| 36 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | 37 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); |
| 37 return false; | 38 return false; |
| 38 end | 39 end |
| 39 _stream_opened(session, attr); | 40 _stream_opened(session, attr); |
| 41 | 42 |
| 42 local function sdr_hook (event) | 43 local function sdr_hook (event) |
| 43 local origin, stanza = event.origin, event.stanza; | 44 local origin, stanza = event.origin, event.stanza; |
| 44 | 45 |
| 45 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then | 46 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then |
| 46 if guard_blockall:contains(stanza.attr.to) or guard_block_bl:contains(stanza.attr.from) then | 47 if guard_blockall:contains(stanza.attr.to) or |
| 48 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then | |
| 47 module:log("error", "remote service %s attempted to access restricted component %s", stanza.attr.from, stanza.attr.to); | 49 module:log("error", "remote service %s attempted to access restricted component %s", stanza.attr.from, stanza.attr.to); |
| 48 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); | 50 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); |
| 49 return false; | 51 return false; |
| 50 end | 52 end |
| 51 end | 53 end |
| 69 module:log ("debug", "removing component protection for: "..host); | 71 module:log ("debug", "removing component protection for: "..host); |
| 70 end | 72 end |
| 71 end | 73 end |
| 72 end | 74 end |
| 73 | 75 |
| 74 prosody.events.add_handler("component-activated", handle_activation); | 76 local function reload() |
| 75 prosody.events.add_handler("component-deactivated", handle_deactivation); | 77 module:log ("debug", "server configuration reloaded, rehashing plugin tables..."); |
| 78 guard_blockall = module:get_option_set("component_guard_blockall"); | |
| 79 guard_protect = module:get_option_set("component_guard_components"); | |
| 80 guard_block_bl = module:get_option_set("component_guard_blacklist"); | |
| 81 end | |
| 76 | 82 |
| 77 for n,table in pairs(hosts) do | 83 local function setup() |
| 78 if table.type == "component" then | 84 module:log ("debug", "initializing component guard module..."); |
| 79 if guard_blockall:contains(n) or guard_protect:contains(n) then | 85 |
| 80 handle_activation(n); | 86 prosody.events.remove_handler("component-activated", handle_activation); |
| 87 prosody.events.add_handler("component-activated", handle_activation); | |
| 88 prosody.events.remove_handler("component-deactivated", handle_deactivation); | |
| 89 prosody.events.add_handler("component-deactivated", handle_deactivation); | |
| 90 prosody.events.remove_handler("config-reloaded", reload); | |
| 91 prosody.events.add_handler("config-reloaded", reload); | |
| 92 | |
| 93 for n,table in pairs(hosts) do | |
| 94 if table.type == "component" then | |
| 95 if guard_blockall:contains(n) or guard_protect:contains(n) then | |
| 96 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook); | |
| 97 handle_activation(n); | |
| 98 end | |
| 81 end | 99 end |
| 82 end | 100 end |
| 83 end | 101 end |
| 102 | |
| 103 if prosody.start_time then | |
| 104 setup(); | |
| 105 else | |
| 106 prosody.events.add_handler("server-started", setup); | |
| 107 end |
