* Adding experimental branch.

SVN Revision: 1324
author: Mickaël Rémond <mickael.remond@process-one.net> 2008-05-14 17:49:23 +0000
committer: Mickaël Rémond <mickael.remond@process-one.net> 2008-05-14 17:49:23 +0000
commit: 1f91eb0b1139e7a134e3c8300a9d74f07cdda911 (patch)
tree: 7927b5b848ad0626064e37f16980d63ead96b68f
parent: Added missing ejabberd-2.0.0 tag. (diff)
5 files changed, 180 insertions, 33 deletions
diff --git a/ChangeLog b/ChangeLog
index 5a123e441..27796169a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2008-05-05  Mickael Remond  <mremond@process-one.net>
+
+        * src/ejabberd_c2s.erl: Added C2S blacklist support (EJAB-625).
+        * src/mod_ip_blacklist.erl: Likewise.
+        * src/jlib.erl: Added IP format tuple to string function.
+        * src/ejabberd_socket.erl: Properly handled c2s start failure (happen
+        for blacklisted IP).
+
 2008-02-21  Badlop  <badlop@process-one.net>
 
 	* doc/release_notes_2.0.0.txt: Small fixes and update date
diff --git a/src/ejabberd_c2s.erl b/src/ejabberd_c2s.erl
index 7239829e5..f2b7f7e70 100644
--- a/src/ejabberd_c2s.erl
+++ b/src/ejabberd_c2s.erl
@@ -174,26 +174,35 @@ init([{SockMod, Socket}, Opts]) ->
 			      (_) -> false
 			   end, Opts),
     IP = peerip(SockMod, Socket),
-    Socket1 =
-	if
-	    TLSEnabled ->
-		SockMod:starttls(Socket, TLSOpts);
-	    true ->
-		Socket
-	end,
-    SocketMonitor = SockMod:monitor(Socket1),
-    {ok, wait_for_stream, #state{socket         = Socket1,
-				 sockmod        = SockMod,
-				 socket_monitor = SocketMonitor,
-				 zlib           = Zlib,
-				 tls            = TLS,
-				 tls_required   = StartTLSRequired,
-				 tls_enabled    = TLSEnabled,
-				 tls_options    = TLSOpts,
-				 streamid       = new_id(),
-				 access         = Access,
-				 shaper         = Shaper,
-				 ip             = IP}, ?C2S_OPEN_TIMEOUT}.
+    %% Check if IP is blacklisted:
+    case is_ip_blacklisted(IP) of
+	true ->
+	    ?INFO_MSG("Connection attempt from blacklisted IP: ~s",
+		      [jlib:ip_to_list(IP)]),
+	    {stop, normal};
+	false ->
+	    Socket1 =
+		if
+		    TLSEnabled ->
+			SockMod:starttls(Socket, TLSOpts);
+		    true ->
+			Socket
+		end,
+	    SocketMonitor = SockMod:monitor(Socket1),
+	    {ok, wait_for_stream, #state{socket         = Socket1,
+					 sockmod        = SockMod,
+					 socket_monitor = SocketMonitor,
+					 zlib           = Zlib,
+					 tls            = TLS,
+					 tls_required   = StartTLSRequired,
+					 tls_enabled    = TLSEnabled,
+					 tls_options    = TLSOpts,
+					 streamid       = new_id(),
+					 access         = Access,
+					 shaper         = Shaper,
+					 ip             = IP},
+	     ?C2S_OPEN_TIMEOUT}
+    end.
 
 %% Return list of all available resources of contacts,
 %% in form [{JID, Caps}].
@@ -842,8 +851,6 @@ wait_for_session(closed, StateData) ->
     {stop, normal, StateData}.
 
 
-
-
 session_established({xmlstreamelement, El}, StateData) ->
     {xmlelement, Name, Attrs, _Els} = El,
     User = StateData#state.user,
@@ -1944,3 +1951,7 @@ fsm_reply(Reply, session_established, StateData) ->
     {reply, Reply, session_established, StateData, ?C2S_HIBERNATE_TIMEOUT};
 fsm_reply(Reply, StateName, StateData) ->
     {reply, Reply, StateName, StateData, ?C2S_OPEN_TIMEOUT}.
+
+%% Used by c2s blacklist plugins
+is_ip_blacklisted({IP,_Port}) ->
+    ejabberd_hooks:run_fold(check_bl_c2s, false, [IP]).	
diff --git a/src/ejabberd_socket.erl b/src/ejabberd_socket.erl
index f94a0a0e1..389b3a106 100644
--- a/src/ejabberd_socket.erl
+++ b/src/ejabberd_socket.erl
@@ -65,19 +65,27 @@ start(Module, SockMod, Socket, Opts) ->
 	    SocketData = #socket_state{sockmod = SockMod,
 				       socket = Socket,
 				       receiver = Receiver},
-	    {ok, Pid} = Module:start({?MODULE, SocketData}, Opts),
-	    case SockMod:controlling_process(Socket, Receiver) of
-		ok ->
-		    ok;
+	    case Module:start({?MODULE, SocketData}, Opts) of
+		{ok, Pid} ->
+		    case SockMod:controlling_process(Socket, Receiver) of
+			ok ->
+			    ok;
+			{error, _Reason} ->
+			    SockMod:close(Socket)
+		    end,
+		    ejabberd_receiver:become_controller(Receiver, Pid);
 		{error, _Reason} ->
 		    SockMod:close(Socket)
-	    end,
-	    ejabberd_receiver:become_controller(Receiver, Pid);
+	    end;
 	raw ->
-	    {ok, Pid} = Module:start({SockMod, Socket}, Opts),
-	    case SockMod:controlling_process(Socket, Pid) of
-		ok ->
-		    ok;
+	    case Module:start({SockMod, Socket}, Opts) of
+		{ok, Pid} ->
+		    case SockMod:controlling_process(Socket, Pid) of
+			ok ->
+			    ok;
+			{error, _Reason} ->
+			    SockMod:close(Socket)
+		    end;
 		{error, _Reason} ->
 		    SockMod:close(Socket)
 	    end
diff --git a/src/jlib.erl b/src/jlib.erl
index 1ee2e4ffa..4fd897599 100644
--- a/src/jlib.erl
+++ b/src/jlib.erl
@@ -59,7 +59,8 @@
 	 now_to_local_string/1,
 	 datetime_string_to_timestamp/1,
 	 decode_base64/1,
-	 encode_base64/1]).
+	 encode_base64/1,
+	 ip_to_list/1]).
 
 -include("jlib.hrl").
 
@@ -676,3 +677,9 @@ e(X) when X>51, X<62 ->     X-4;
 e(62) ->                    $+;
 e(63) ->                    $/;
 e(X) ->                     exit({bad_encode_base64_token, X}).
+
+%% Convert Erlang inet IP to list
+ip_to_list({IP, _Port}) ->
+    ip_to_list(IP);
+ip_to_list({A,B,C,D}) ->
+    lists:flatten(io_lib:format("~w.~w.~w.~w",[A,B,C,D])).
diff --git a/src/mod_ip_blacklist.erl b/src/mod_ip_blacklist.erl
new file mode 100644
index 000000000..095c501a4
--- /dev/null
+++ b/src/mod_ip_blacklist.erl
@@ -0,0 +1,113 @@
+%%%----------------------------------------------------------------------
+%%% File    : mod_ip_blacklist.erl
+%%% Author  : Mickael Remond <mremond@process-one.net>
+%%% Purpose : Download blacklists from ProcessOne
+%%% Created : 5 May 2008 by Mickael Remond <mremond@process-one.net>
+%%% Usage   : Add the following line in modules section of ejabberd.cfg:
+%%%              {mod_ip_blacklist, []}
+%%%
+%%%
+%%% ejabberd, Copyright (C) 2002-2008   Process-one
+%%%
+%%% This program is free software; you can redistribute it and/or
+%%% modify it under the terms of the GNU General Public License as
+%%% published by the Free Software Foundation; either version 2 of the
+%%% License, or (at your option) any later version.
+%%%
+%%% This program is distributed in the hope that it will be useful,
+%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
+%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+%%% General Public License for more details.
+%%%                         
+%%% You should have received a copy of the GNU General Public License
+%%% along with this program; if not, write to the Free Software
+%%% Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+%%% 02111-1307 USA
+%%%
+%%%----------------------------------------------------------------------
+
+-module(mod_ip_blacklist).
+-author('mremond@process-one.net').
+
+-behaviour(gen_mod).
+
+%% API:
+-export([start/2,
+         init/1,
+         stop/1]).
+-export([update_bl_c2s/0]).
+%% Hooks:
+-export([is_ip_in_c2s_blacklist/2]).
+
+-include("ejabberd.hrl").
+
+-define(PROCNAME, ?MODULE).
+-define(BLC2S, "http://xaai.process-one.net/bl_c2s.txt").
+-define(UPDATE_INTERVAL, 6). %% in hours
+
+-record(state, {timer}).
+-record(bl_c2s, {ip}).
+
+%% Start once for all vhost
+start(Host, Opts) ->
+    case whereis(?PROCNAME) of
+        undefined ->
+            ?DEBUG("Starting mod_ip_blacklist ~p  ~p~n", [Host, Opts]),
+              register(?PROCNAME,
+                     spawn(?MODULE, init, [#state{}]));
+        _ ->
+            ok
+    end.
+
+%% TODO:
+stop(_Host) ->
+    ok.
+
+init(State)->
+    inets:start(),
+    ets:new(bl_c2s, [named_table, public, {keypos, #bl_c2s.ip}]),
+    update_bl_c2s(),
+    %% Register hooks for blacklist
+    ejabberd_hooks:add(check_bl_c2s, ?MODULE, is_ip_in_c2s_blacklist, 50),
+    %% Set timer: Download the blacklist file every 6 hours
+    timer:apply_interval(timer:hours(?UPDATE_INTERVAL), ?MODULE, update_bl_c2s, []),
+    loop(State).
+
+%% Remove timer when stop is received.
+loop(_State) ->
+    receive
+	stop ->
+	    ok
+    end.
+
+%% Download blacklist file from ProcessOne XAAI
+%% and update the table internal table
+%% TODO: Support comment lines starting by %
+update_bl_c2s() ->
+    ?INFO_MSG("Updating C2S Blacklist", []),
+    {ok, {{_Version, 200, _Reason}, _Headers, Body}} = http:request(?BLC2S),
+    IPs = string:tokens(Body,"\n"),
+    ets:delete_all_objects(bl_c2s),
+    lists:foreach(
+      fun(IP) ->
+	      ets:insert(bl_c2s, #bl_c2s{ip=list_to_binary(IP)})
+      end, IPs).
+
+%% Hook is run with:
+%% ejabberd_hooks:run_fold(check_bl_c2s, false, [IP]),
+%% Return: false: IP not blacklisted
+%%         true: IP is blacklisted
+%% IPV4 IP tuple:
+is_ip_in_c2s_blacklist(_Val, IP) ->
+    BinaryIP = list_to_binary(jlib:ip_to_list(IP)),
+    case ets:lookup(bl_c2s, BinaryIP) of
+	[] -> %% Not in blacklist
+	    false;
+	[_] -> %% Blacklisted!
+	    {stop, true}
+    end.
+
+
+%% TODO:
+%% - For now, we do not kick user already logged on a given IP after
+%%    we update the blacklist.
author	Mickaël Rémond <mickael.remond@process-one.net>	2008-05-14 17:49:23 +0000
committer	Mickaël Rémond <mickael.remond@process-one.net>	2008-05-14 17:49:23 +0000
commit	1f91eb0b1139e7a134e3c8300a9d74f07cdda911 (patch)
tree	7927b5b848ad0626064e37f16980d63ead96b68f
parent	Added missing ejabberd-2.0.0 tag. (diff)