
458:4149fcacbbf1

mod_component_guard: refactored init code, added reloading logic to prevent event pollution with stale duplicates.
author Marco Cirillo <maranda@lightwitch.org>
date Sat, 22 Oct 2011 22:11:53 +0000
parents 457:79ba4f95d65c
children 459:3117d7e207c5
files mod_component_guard/mod_component_guard.lua
diffstat 1 files changed, 35 insertions(+), 11 deletions(-) [+]
--- a/mod_component_guard/mod_component_guard.lua	Sat Oct 22 19:30:43 2011 +0000
+++ b/mod_component_guard/mod_component_guard.lua	Sat Oct 22 22:11:53 2011 +0000
@@ -1,7 +1,7 @@
 -- Block or restrict by blacklist remote access to local components.
 
-local guard_blockall = module:get_option_set("component_guard_blockall") -- blocks all s2s irregardless
-local guard_protect = module:get_option_set("component_guard_components") -- add hook for blacklisting check
+local guard_blockall = module:get_option_set("component_guard_blockall")
+local guard_protect = module:get_option_set("component_guard_components")
 local guard_block_bl = module:get_option_set("component_guard_blacklist")
 
 local s2smanager = require "core.s2smanager";
@@ -11,7 +11,8 @@
 local _make_connect = s2smanager.make_connect;
 function s2smanager.make_connect(session, connect_host, connect_port)
   if not session.s2sValidation then
-    if guard_blockall:contains(session.from_host) or guard_block_bl:contains(session.to_host) then
+    if guard_blockall:contains(session.from_host) or
+       guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
          module:log("error", "remote service %s attempted to access restricted component %s", session.to_host, session.from_host);
          s2smanager.destroy_session(session, "You're not authorized, good bye.");
          return false;
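Review bot: The new condition on lines 31–32 calls `guard_protect:contains(...)` with no nil guard; if `component_guard_components` is not configured and `module:get_option_set` returns nil for an unset option with no default (which is what the Prosody builds I know do), a blacklisted host would raise a runtime error here rather than being refused. The same pattern is added in the two following hunks (the host-validation hook and the stanza hook), so one fix covers all three: give the sets a default in the first hunk's option lines, e.g. `local guard_protect = module:get_option_set("component_guard_components", {})`, and likewise for the other two sets. Since `and` binds tighter than `or`, I would also parenthesise the right-hand pair, `(guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host))`, so the intended grouping is visible. Because the commit drops the explanatory comments on the option lines, a short comment such as `-- the blacklist is enforced only for components listed in component_guard_components` would document the changed semantics. The body of the make_connect override continues outside the hunk.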
@@ -31,7 +32,7 @@
     end
 
     if guard_blockall:contains(host) or
-       guard_block_bl:contains(from) then
+       guard_block_bl:contains(from) and guard_protect:contains(host) then
          module:log("error", "remote service %s attempted to access restricted component %s", from, host);
          session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
          return false;
@@ -43,7 +44,8 @@
 	local origin, stanza = event.origin, event.stanza;
 
 	if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
-	   if guard_blockall:contains(stanza.attr.to) or guard_block_bl:contains(stanza.attr.from) then
+	   if guard_blockall:contains(stanza.attr.to) or 
+	      guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
                 module:log("error", "remote service %s attempted to access restricted component %s", stanza.attr.from, stanza.attr.to);
                 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
                 return false;
@@ -71,13 +73,35 @@
 	end
 end
 
-prosody.events.add_handler("component-activated", handle_activation);
-prosody.events.add_handler("component-deactivated", handle_deactivation);
+local function reload()
+	module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
+	guard_blockall = module:get_option_set("component_guard_blockall");
+	guard_protect = module:get_option_set("component_guard_components");
+	guard_block_bl = module:get_option_set("component_guard_blacklist");
+end
+
+local function setup()
+	module:log ("debug", "initializing component guard module...");
 
-for n,table in pairs(hosts) do
-	if table.type == "component" then
-		if guard_blockall:contains(n) or guard_protect:contains(n) then
-			handle_activation(n);
+	prosody.events.remove_handler("component-activated", handle_activation);
+	prosody.events.add_handler("component-activated", handle_activation);
+	prosody.events.remove_handler("component-deactivated", handle_deactivation);
+	prosody.events.add_handler("component-deactivated", handle_deactivation);
+	prosody.events.remove_handler("config-reloaded", reload);
+	prosody.events.add_handler("config-reloaded", reload);
+
+	for n,table in pairs(hosts) do
+		if table.type == "component" then
+			if guard_blockall:contains(n) or guard_protect:contains(n) then
+				hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
+				handle_activation(n);
+			end
 		end
 	end
 end
+
+if prosody.start_time then
+	setup();
+else
+	prosody.events.add_handler("server-started", setup);
+end
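Review bot: The `remove_handler` calls that precede each `add_handler` in `setup()` (lines 75–80) can only match the closure values created by this load of the file; if `handle_activation`, `handle_deactivation` and `reload` are file-local functions, reloading the module creates new closures and the handlers registered by the previous load stay in place, so the stale duplicates the commit sets out to remove would still fire with their old upvalues. The `sdr_hook` removal on line 85 has the same limitation. If the target Prosody provides `module:hook_global`, registering through the module API instead, `module:hook_global("component-activated", handle_activation);` (and likewise for the other two events), lets the module framework unhook them when the module is unloaded. Separately, `reload()` only refreshes the three option sets: a component newly listed in `component_guard_components` by the config change is never passed to `handle_activation`, and one removed from it is never deactivated, so the per-host loop of `setup()` likely needs to run again after a reload. The loop variable `table` on line 82 shadows the standard `table` library inside the loop; renaming it to `host` avoids that.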