|
1 -- (C) 2011, Marco Cirillo (LW.Org) |
|
2 -- Block or restrict by blacklist remote access to local components. |
|
3 |
|
4 module:set_global() |
|
5 |
|
6 local guard_blockall = module:get_option_set("host_guard_blockall", {}) |
|
7 local guard_protect = module:get_option_set("host_guard_selective", {}) |
|
8 local guard_block_bl = module:get_option_set("host_guard_blacklist", {}) |
|
9 |
|
10 local s2smanager = require "core.s2smanager"; |
|
11 local config = require "core.configmanager"; |
|
12 local nameprep = require "util.encodings".stringprep.nameprep; |
|
13 |
|
14 local _make_connect = s2smanager.make_connect; |
|
15 function s2smanager.make_connect(session, connect_host, connect_port) |
|
16 if not session.s2sValidation then |
|
17 if guard_blockall:contains(session.from_host) or |
|
18 guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then |
|
19 module:log("error", "remote service %s attempted to access restricted host %s", session.to_host, session.from_host); |
|
20 s2smanager.destroy_session(session, "You're not authorized, good bye."); |
|
21 return false; |
|
22 end |
|
23 end |
|
24 return _make_connect(session, connect_host, connect_port); |
|
25 end |
|
26 |
|
27 local _stream_opened = s2smanager.streamopened; |
|
28 function s2smanager.streamopened(session, attr) |
|
29 local host = attr.to and nameprep(attr.to); |
|
30 local from = attr.from and nameprep(attr.from); |
|
31 if not from then |
|
32 session.s2sValidation = false; |
|
33 else |
|
34 session.s2sValidation = true; |
|
35 end |
|
36 |
|
37 if guard_blockall:contains(host) or |
|
38 guard_block_bl:contains(from) and guard_protect:contains(host) then |
|
39 module:log("error", "remote service %s attempted to access restricted host %s", from, host); |
|
40 session:close({condition = "policy-violation", text = "You're not authorized, good bye."}); |
|
41 return false; |
|
42 end |
|
43 _stream_opened(session, attr); |
|
44 end |
|
45 |
|
46 local function sdr_hook (event) |
|
47 local origin, stanza = event.origin, event.stanza; |
|
48 |
|
49 if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then |
|
50 if guard_blockall:contains(stanza.attr.to) or |
|
51 guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then |
|
52 module:log("error", "remote service %s attempted to access restricted host %s", stanza.attr.from, stanza.attr.to); |
|
53 origin:close({condition = "policy-violation", text = "You're not authorized, good bye."}); |
|
54 return false; |
|
55 end |
|
56 end |
|
57 |
|
58 return nil; |
|
59 end |
|
60 |
|
61 local function handle_activation (host) |
|
62 if guard_blockall:contains(host) or guard_protect:contains(host) then |
|
63 if hosts[host] and hosts[host].events then |
|
64 hosts[host].events.add_handler("stanza/jabber:server:dialback:result", sdr_hook, 100); |
|
65 module:log ("debug", "adding host protection for: "..host); |
|
66 end |
|
67 end |
|
68 end |
|
69 |
|
70 local function handle_deactivation (host) |
|
71 if guard_blockall:contains(host) or guard_protect:contains(host) then |
|
72 if hosts[host] and hosts[host].events then |
|
73 hosts[host].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook); |
|
74 module:log ("debug", "removing host protection for: "..host); |
|
75 end |
|
76 end |
|
77 end |
|
78 |
|
79 local function reload() |
|
80 module:log ("debug", "server configuration reloaded, rehashing plugin tables..."); |
|
81 guard_blockall = module:get_option_set("host_guard_blockall"); |
|
82 guard_protect = module:get_option_set("host_guard_components"); |
|
83 guard_block_bl = module:get_option_set("host_guard_blacklist"); |
|
84 end |
|
85 |
|
86 local function setup() |
|
87 module:log ("debug", "initializing host guard module..."); |
|
88 |
|
89 module:hook ("component-activated", handle_activation); |
|
90 module:hook ("component-deactivated", handle_deactivation); |
|
91 module:hook ("config-reloaded", reload); |
|
92 |
|
93 for n,table in pairs(hosts) do |
|
94 if table.type == "component" then |
|
95 if guard_blockall:contains(n) or guard_protect:contains(n) then |
|
96 hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook); |
|
97 handle_activation(n); |
|
98 end |
|
99 end |
|
100 end |
|
101 end |
|
102 |
|
103 if prosody.start_time then |
|
104 setup(); |
|
105 else |
|
106 prosody.events.add_handler("server-started", setup); |
|
107 end |