prosody-modules
73f06a14390a
mod_component_guard/mod_component_guard.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody-modules

Comparison

mod_component_guard/mod_component_guard.lua @ 456:73f06a14390a

mod_component_guard: initial commit.
author Marco Cirillo <maranda@lightwitch.org>
date Sat, 22 Oct 2011 17:34:14 +0000
child 457:79ba4f95d65c
comparison
equal deleted inserted replaced
455:52f2188ec47d 456:73f06a14390a
1 -- Block or restrict by blacklist remote access to local components.
2
3 local guard_blockall = module:get_option_set("component_guard_blockall") -- blocks all s2s irregardless
4 local guard_protect = module:get_option_set("component_guard_components") -- add hook for blacklisting check
5 local guard_block_bl = module:get_option_set("component_guard_blacklist")
6
7 local s2smanager = require "core.s2smanager";
8 local config = require "core.configmanager";
9 local nameprep = require "util.encodings".stringprep.nameprep;
10
11 local _make_connect = s2smanager.make_connect;
12 function s2smanager.make_connect(session, connect_host, connect_port)
13 if not session.s2sValidation then
14 if guard_blockall:contains(session.from_host) or guard_block_bl:contains(session.to_host) then
15 module:log("error", "remote service %s attempted to access restricted component %s", session.to_host, session.from_host);
16 s2smanager.destroy_session(session, "You're not authorized, good bye.");
17 return false;
18 end
19 end
20 return _make_connect(session, connect_host, connect_port);
21 end
22
23 local _stream_opened = s2smanager.streamopened;
24 function s2smanager.streamopened(session, attr)
25 local host = attr.to and nameprep(attr.to);
26 local from = attr.from and nameprep(attr.from);
27 if not from then
28 session.s2sValidation = false;
29 else
30 session.s2sValidation = true;
31 end
32
33 if guard_blockall:contains(host) or
34 guard_block_bl:contains(from) then
35 module:log("error", "remote service %s attempted to access restricted component %s", from, host);
36 session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
37 return false;
38 end
39 _stream_opened(session, attr);
40 end
41
42 local function sdr_hook (event)
43 local origin, stanza = event.origin, event.stanza;
44
45 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
46 if guard_blockall:contains(stanza.attr.to) or guard_block_bl:contains(stanza.attr.from) then
47 module:log("error", "remote service %s attempted to access restricted component %s", stanza.attr.from, stanza.attr.to);
48 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
49 return false;
50 end
51 end
52
53 return nil;
54 end
55
56 local function handle_activation (host)
57 if guard_blockall:contains(host) or guard_protect:contains(host) then
58 if hosts[host] and hosts[host].events then
59 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook);
60 module:log ("debug", "adding component protection for: "..host);
61 end
62 end
63 end
64
65 local function handle_deactivation (host)
66 if guard_blockall:contains(host) or guard_protect:contains(host) then
67 if hosts[host] and hosts[host].events then
68 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
69 module:log ("debug", "removing component protection for: "..host);
70 end
71 end
72 end
73
74 prosody.events.add_handler("component-activated", handle_activation);
75 prosody.events.add_handler("component-deactivated", handle_deactivation);
76
77 for n,table in pairs(hosts) do
78 if table.type == "component" then
79 if guard_blockall:contains(n) or guard_protect:contains(n) then
80 handle_activation(n);
81 end
82 end
83 end