mod_component_guard: refactored init code, added reloading logic to prevent events pollution with stale dupes.
--- a/mod_component_guard/mod_component_guard.lua Sat Oct 22 19:30:43 2011 +0000
+++ b/mod_component_guard/mod_component_guard.lua Sat Oct 22 22:11:53 2011 +0000
@@ -1,7 +1,7 @@
-- Block or restrict by blacklist remote access to local components.
-local guard_blockall = module:get_option_set("component_guard_blockall") -- blocks all s2s irregardless
-local guard_protect = module:get_option_set("component_guard_components") -- add hook for blacklisting check
+local guard_blockall = module:get_option_set("component_guard_blockall")
+local guard_protect = module:get_option_set("component_guard_components")
local guard_block_bl = module:get_option_set("component_guard_blacklist")
local s2smanager = require "core.s2smanager";
@@ -11,7 +11,8 @@
local _make_connect = s2smanager.make_connect;
function s2smanager.make_connect(session, connect_host, connect_port)
if not session.s2sValidation then
- if guard_blockall:contains(session.from_host) or guard_block_bl:contains(session.to_host) then
+ if guard_blockall:contains(session.from_host) or
+ guard_block_bl:contains(session.to_host) and guard_protect:contains(session.from_host) then
module:log("error", "remote service %s attempted to access restricted component %s", session.to_host, session.from_host);
s2smanager.destroy_session(session, "You're not authorized, good bye.");
return false;
@@ -31,7 +32,7 @@
end
if guard_blockall:contains(host) or
- guard_block_bl:contains(from) then
+ guard_block_bl:contains(from) and guard_protect:contains(host) then
module:log("error", "remote service %s attempted to access restricted component %s", from, host);
session:close({condition = "policy-violation", text = "You're not authorized, good bye."});
return false;
@@ -43,7 +44,8 @@
local origin, stanza = event.origin, event.stanza;
if origin.type == "s2sin" or origin.type == "s2sin_unauthed" then
- if guard_blockall:contains(stanza.attr.to) or guard_block_bl:contains(stanza.attr.from) then
+ if guard_blockall:contains(stanza.attr.to) or
+ guard_block_bl:contains(stanza.attr.from) and guard_protect:contains(stanza.attr.to) then
module:log("error", "remote service %s attempted to access restricted component %s", stanza.attr.from, stanza.attr.to);
origin:close({condition = "policy-violation", text = "You're not authorized, good bye."});
return false;
@@ -71,13 +73,35 @@
end
end
-prosody.events.add_handler("component-activated", handle_activation);
-prosody.events.add_handler("component-deactivated", handle_deactivation);
+local function reload()
+ module:log ("debug", "server configuration reloaded, rehashing plugin tables...");
+ guard_blockall = module:get_option_set("component_guard_blockall");
+ guard_protect = module:get_option_set("component_guard_components");
+ guard_block_bl = module:get_option_set("component_guard_blacklist");
+end
+
+local function setup()
+ module:log ("debug", "initializing component guard module...");
-for n,table in pairs(hosts) do
- if table.type == "component" then
- if guard_blockall:contains(n) or guard_protect:contains(n) then
- handle_activation(n);
+ prosody.events.remove_handler("component-activated", handle_activation);
+ prosody.events.add_handler("component-activated", handle_activation);
+ prosody.events.remove_handler("component-deactivated", handle_deactivation);
+ prosody.events.add_handler("component-deactivated", handle_deactivation);
+ prosody.events.remove_handler("config-reloaded", reload);
+ prosody.events.add_handler("config-reloaded", reload);
+
+ for n,table in pairs(hosts) do
+ if table.type == "component" then
+ if guard_blockall:contains(n) or guard_protect:contains(n) then
+ hosts[n].events.remove_handler("stanza/jabber:server:dialback:result", sdr_hook);
+ handle_activation(n);
+ end
end
end
end
+
+if prosody.start_time then
+ setup();
+else
+ prosody.events.add_handler("server-started", setup);
+end