Changeset

493:b1b80319bbf6

mod_host_guard: renamed mod_component_guard to mod_host_guard, as it really works with all hosts, finally decided to wiki it out and not merge it with the s2s_blackwhitelisting module.
author Marco Cirillo <maranda@lightwitch.org>
date Sun, 04 Dec 2011 15:47:24 +0000
parents 492:f806c8a7f985
children 494:376c4a90249c
files mod_component_guard/mod_component_guard.lua mod_host_guard/mod_host_guard.lua
diffstat 2 files changed, 107 insertions(+), 106 deletions(-) [+]
line wrap: on
line diff
--- a/mod_component_guard/mod_component_guard.lua	Sat Dec 03 15:29:00 2011 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,106 +0,0 @@
--- Block or restrict by blacklist remote access to local components.
-
-module:set_global()
-
-local guard_blockall = module:get_option_set("component_guard_blockall", {})
-local guard_protect = module:get_option_set("component_guard_components", {})
-local guard_block_bl = module:get_option_set("component_guard_blacklist", {})
-
-local s2smanager = require "core.s2smanager";
-local config = require "core.configmanager";
-local nameprep = require "util.encodings".stringprep.nameprep;
-
-local _make_connect = s2smanager.make_connect;
-function s2smanager.make_connect(session, connect_host, connect_port)
-  if not session.s2sValidation then
-    if guard_blockall:contains(session.from_host) or
-       guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
-         module:log("error", "remote service %s attempted to access restricted component %s", session.to_host, session.from_host);
-         s2smanager.destroy_session(session, "You're not authorized, good bye.");
-         return false;
-    end
-  end
-  return _make_connect(session, connect_host, connect_port);
-end
-
-local _stream_opened = s2smanager.streamopened;
-function s2smanager.streamopened(session, attr)
-  local host = attr.to and nameprep(attr.to);
-  local from = attr.from and nameprep(attr.from);
-    if not from then
-      session.s2sValidation = false;
-    else
-      session.s2sValidation = true;
-    end
-
-    if guard_blockall:contains(host) or
-       guard_block_bl:contains(from) and guard_protect:contains(host) then
-         module:log("error", "remote service %s attempted to access restricted component %s", from, host);
-         session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
-         return false;
-    end
-    _stream_opened(session, attr);
-end
-
-local function sdr_hook (event)
-	local origin, stanza = event.origin, event.stanza;
-
-	if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
-	   if guard_blockall:contains(stanza.attr.to) or 
-	      guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
-                module:log("error", "remote service %s attempted to access restricted component %s", stanza.attr.from, stanza.attr.to);
-                origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
-                return false;
-           end
-        end
-
-	return nil;
-end
-
-local function handle_activation (host)
-	if guard_blockall:contains(host) or guard_protect:contains(host) then
-		if hosts[host] and hosts[host].events then
-			hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook, 100);
-                	module:log ("debug", "adding component protection for: "..host);
-		end
-	end
-end
-
-local function handle_deactivation (host)
-	if guard_blockall:contains(host) or guard_protect:contains(host) then
-		if hosts[host] and hosts[host].events then
-			hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
-                	module:log ("debug", "removing component protection for: "..host);
-		end
-	end
-end
-
-local function reload()
-	module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
-	guard_blockall = module:get_option_set("component_guard_blockall");
-	guard_protect = module:get_option_set("component_guard_components");
-	guard_block_bl = module:get_option_set("component_guard_blacklist");
-end
-
-local function setup()
-        module:log ("debug", "initializing component guard module...");
-
-        module:hook ("component-activated", handle_activation);
-        module:hook ("component-deactivated", handle_deactivation);
-        module:hook ("config-reloaded", reload);
-
-        for n,table in pairs(hosts) do
-                if table.type == "component" then
-                        if guard_blockall:contains(n) or guard_protect:contains(n) then
-                                hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
-                                handle_activation(n);
-                        end
-                end
-        end
-end
-
-if prosody.start_time then
-	setup();
-else
-	prosody.events.add_handler("server-started", setup);
-end
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_host_guard/mod_host_guard.lua	Sun Dec 04 15:47:24 2011 +0000
@@ -0,0 +1,107 @@
+-- (C) 2011, Marco Cirillo (LW.Org)
+-- Block or restrict by blacklist remote access to local components.
+
+module:set_global()
+
+local guard_blockall = module:get_option_set("host_guard_blockall", {})
+local guard_protect = module:get_option_set("host_guard_selective", {})
+local guard_block_bl = module:get_option_set("host_guard_blacklist", {})
+
+local s2smanager = require "core.s2smanager";
+local config = require "core.configmanager";
+local nameprep = require "util.encodings".stringprep.nameprep;
+
+local _make_connect = s2smanager.make_connect;
+function s2smanager.make_connect(session, connect_host, connect_port)
+  if not session.s2sValidation then
+    if guard_blockall:contains(session.from_host) or
+       guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
+         module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host);
+         s2smanager.destroy_session(session, "You're not authorized, good bye.");
+         return false;
+    end
+  end
+  return _make_connect(session, connect_host, connect_port);
+end
+
+local _stream_opened = s2smanager.streamopened;
+function s2smanager.streamopened(session, attr)
+  local host = attr.to and nameprep(attr.to);
+  local from = attr.from and nameprep(attr.from);
+    if not from then
+      session.s2sValidation = false;
+    else
+      session.s2sValidation = true;
+    end
+
+    if guard_blockall:contains(host) or
+       guard_block_bl:contains(from) and guard_protect:contains(host) then
+         module:log("error", "remote service %s attempted to access restricted host %s", from, host);
+         session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
+         return false;
+    end
+    _stream_opened(session, attr);
+end
+
+local function sdr_hook (event)
+	local origin, stanza = event.origin, event.stanza;
+
+	if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
+	   if guard_blockall:contains(stanza.attr.to) or 
+	      guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
+                module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to);
+                origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
+                return false;
+           end
+        end
+
+	return nil;
+end
+
+local function handle_activation (host)
+	if guard_blockall:contains(host) or guard_protect:contains(host) then
+		if hosts[host] and hosts[host].events then
+			hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook, 100);
+                	module:log ("debug", "adding host protection for: "..host);
+		end
+	end
+end
+
+local function handle_deactivation (host)
+	if guard_blockall:contains(host) or guard_protect:contains(host) then
+		if hosts[host] and hosts[host].events then
+			hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
+                	module:log ("debug", "removing host protection for: "..host);
+		end
+	end
+end
+
+local function reload()
+	module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
+	guard_blockall = module:get_option_set("host_guard_blockall");
+	guard_protect = module:get_option_set("host_guard_components");
+	guard_block_bl = module:get_option_set("host_guard_blacklist");
+end
+
+local function setup()
+        module:log ("debug", "initializing host guard module...");
+
+        module:hook ("component-activated", handle_activation);
+        module:hook ("component-deactivated", handle_deactivation);
+        module:hook ("config-reloaded", reload);
+
+        for n,table in pairs(hosts) do
+                if table.type == "component" then
+                        if guard_blockall:contains(n) or guard_protect:contains(n) then
+                                hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
+                                handle_activation(n);
+                        end
+                end
+        end
+end
+
+if prosody.start_time then
+	setup();
+else
+	prosody.events.add_handler("server-started", setup);
+end