Comparison

mod_host_guard/mod_host_guard.lua @ 493:b1b80319bbf6

mod_host_guard: renamed mod_component_guard to mod_host_guard, as it really works with all hosts, finally decided to wiki it out and not merge it with the s2s_blackwhitelisting module.
author Marco Cirillo <maranda@lightwitch.org>
date Sun, 04 Dec 2011 15:47:24 +0000
parent 460:mod_component_guard/mod_component_guard.lua@9bb9343f3c7a
child 494:376c4a90249c
comparison
equal deleted inserted replaced
492:f806c8a7f985 493:b1b80319bbf6
1 -- (C) 2011, Marco Cirillo (LW.Org)
2 -- Block or restrict by blacklist remote access to local components.
3
4 module:set_global()
5
6 local guard_blockall = module:get_option_set("host_guard_blockall", {})
7 local guard_protect = module:get_option_set("host_guard_selective", {})
8 local guard_block_bl = module:get_option_set("host_guard_blacklist", {})
9
10 local s2smanager = require "core.s2smanager";
11 local config = require "core.configmanager";
12 local nameprep = require "util.encodings".stringprep.nameprep;
13
14 local _make_connect = s2smanager.make_connect;
15 function s2smanager.make_connect(session, connect_host, connect_port)
16 if not session.s2sValidation then
17 if guard_blockall:contains(session.from_host) or
18 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
19 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host);
20 s2smanager.destroy_session(session, "You're not authorized, good bye.");
21 return false;
22 end
23 end
24 return _make_connect(session, connect_host, connect_port);
25 end
26
27 local _stream_opened = s2smanager.streamopened;
28 function s2smanager.streamopened(session, attr)
29 local host = attr.to and nameprep(attr.to);
30 local from = attr.from and nameprep(attr.from);
31 if not from then
32 session.s2sValidation = false;
33 else
34 session.s2sValidation = true;
35 end
36
37 if guard_blockall:contains(host) or
38 guard_block_bl:contains(from) and guard_protect:contains(host) then
39 module:log("error", "remote service %s attempted to access restricted host %s", from, host);
40 session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
41 return false;
42 end
43 _stream_opened(session, attr);
44 end
45
46 local function sdr_hook (event)
47 local origin, stanza = event.origin, event.stanza;
48
49 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
50 if guard_blockall:contains(stanza.attr.to) or
51 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
52 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to);
53 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
54 return false;
55 end
56 end
57
58 return nil;
59 end
60
61 local function handle_activation (host)
62 if guard_blockall:contains(host) or guard_protect:contains(host) then
63 if hosts[host] and hosts[host].events then
64 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook, 100);
65 module:log ("debug", "adding host protection for: "..host);
66 end
67 end
68 end
69
70 local function handle_deactivation (host)
71 if guard_blockall:contains(host) or guard_protect:contains(host) then
72 if hosts[host] and hosts[host].events then
73 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
74 module:log ("debug", "removing host protection for: "..host);
75 end
76 end
77 end
78
79 local function reload()
80 module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
81 guard_blockall = module:get_option_set("host_guard_blockall");
82 guard_protect = module:get_option_set("host_guard_components");
83 guard_block_bl = module:get_option_set("host_guard_blacklist");
84 end
85
86 local function setup()
87 module:log ("debug", "initializing host guard module...");
88
89 module:hook ("component-activated", handle_activation);
90 module:hook ("component-deactivated", handle_deactivation);
91 module:hook ("config-reloaded", reload);
92
93 for n,table in pairs(hosts) do
94 if table.type == "component" then
95 if guard_blockall:contains(n) or guard_protect:contains(n) then
96 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
97 handle_activation(n);
98 end
99 end
100 end
101 end
102
103 if prosody.start_time then
104 setup();
105 else
106 prosody.events.add_handler("server-started", setup);
107 end