Comparison

mod_host_guard/mod_host_guard.lua @ 515:e98fe28c50b0

mod_host_guard: added exceptions/whitelisting to the blockall logic (makes little sense otherwise has s2s_disallow = true does the same)
author Marco Cirillo <maranda@lightwitch.org>
date Tue, 20 Dec 2011 20:19:53 +0000
parent 494:376c4a90249c
child 519:219ffe3541ff
comparison
equal deleted inserted replaced
514:46e1983486e9 515:e98fe28c50b0
2 -- Block or restrict by blacklist remote access to local components. 2 -- Block or restrict by blacklist remote access to local components.
3 3
4 module:set_global() 4 module:set_global()
5 5
6 local guard_blockall = module:get_option_set("host_guard_blockall", {}) 6 local guard_blockall = module:get_option_set("host_guard_blockall", {})
7 local guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {})
7 local guard_protect = module:get_option_set("host_guard_selective", {}) 8 local guard_protect = module:get_option_set("host_guard_selective", {})
8 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) 9 local guard_block_bl = module:get_option_set("host_guard_blacklist", {})
9 10
10 local s2smanager = require "core.s2smanager"; 11 local s2smanager = require "core.s2smanager";
11 local config = require "core.configmanager"; 12 local config = require "core.configmanager";
12 local nameprep = require "util.encodings".stringprep.nameprep; 13 local nameprep = require "util.encodings".stringprep.nameprep;
13 14
14 local _make_connect = s2smanager.make_connect; 15 local _make_connect = s2smanager.make_connect;
15 function s2smanager.make_connect(session, connect_host, connect_port) 16 function s2smanager.make_connect(session, connect_host, connect_port)
16 if not session.s2sValidation then 17 if not session.s2sValidation then
17 if guard_blockall:contains(session.from_host) or 18 if guard_blockall:contains(session.from_host) and not guard_ball_wl:contains(session.to_host) or
18 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then 19 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
19 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host); 20 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host);
20 s2smanager.destroy_session(session, "You're not authorized, good bye."); 21 s2smanager.destroy_session(session, "You're not authorized, good bye.");
21 return false; 22 return false;
22 end 23 end
32 session.s2sValidation = false; 33 session.s2sValidation = false;
33 else 34 else
34 session.s2sValidation = true; 35 session.s2sValidation = true;
35 end 36 end
36 37
37 if guard_blockall:contains(host) or 38 if guard_blockall:contains(host) and not guard_ball_wl:contains(from) or
38 guard_block_bl:contains(from) and guard_protect:contains(host) then 39 guard_block_bl:contains(from) and guard_protect:contains(host) then
39 module:log("error", "remote service %s attempted to access restricted host %s", from, host); 40 module:log("error", "remote service %s attempted to access restricted host %s", from, host);
40 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); 41 session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
41 return false; 42 return false;
42 end 43 end
45 46
46 local function sdr_hook (event) 47 local function sdr_hook (event)
47 local origin, stanza = event.origin, event.stanza; 48 local origin, stanza = event.origin, event.stanza;
48 49
49 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then 50 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
50 if guard_blockall:contains(stanza.attr.to) or 51 if guard_blockall:contains(stanza.attr.to) and not guard_ball_wl:contains(stanza.attr.from) or
51 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then 52 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
52 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to); 53 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to);
53 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); 54 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
54 return false; 55 return false;
55 end 56 end
77 end 78 end
78 79
79 local function reload() 80 local function reload()
80 module:log ("debug", "server configuration reloaded, rehashing plugin tables..."); 81 module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
81 guard_blockall = module:get_option_set("host_guard_blockall", {}); 82 guard_blockall = module:get_option_set("host_guard_blockall", {});
83 guard_ball_wl = module:get_option_set("host_guard_blockall_exceptions", {});
82 guard_protect = module:get_option_set("host_guard_components", {}); 84 guard_protect = module:get_option_set("host_guard_components", {});
83 guard_block_bl = module:get_option_set("host_guard_blacklist", {}); 85 guard_block_bl = module:get_option_set("host_guard_blacklist", {});
84 end 86 end
85 87
86 local function setup() 88 local function setup()