IBR whitelist

Abmar Barros
Added over 4 years ago

Hi everyone,

I'm trying to implement something along the lines of Prosody's IBR whitelist (https://prosody.im/doc/modules/mod_register).

I suppose the right place to implement such a functionality is JabberIqRegister, however I can't seem to find enough information in the Packet or in the XMPPResourceConnection to perform this (although the Packet has the connectionId in its from field).

I've noticed that the XMPPIOService has all the fields I need, e.g. remoteAdress, and ClientConnectionManager.processPacket(XMPPIOService) associates the connectionId to the packet, but I'm not sure about the cleanest way to pass this info to JabberIqRegister. I suppose parsing the connectionId out of the packet's from field is not very elegant :)

Suggestions?

Thanks!


Replies (9)


Added by Artur Hefczyc TigaseTeam over 4 years ago

Indeed, parsing connectionId is not very elegant, but right now it is the only option. From the very beginning of the XMPP/Jabber protocol, the authors of the spec highlighted that the IP address is the user's own and protected information. It cannot be shared, distributed or stored. Therefore Tigase does not keep this information anywhere in the user's session data. However, I agree that this information is available in the user's connectionId anyway and it does make sense to keep it in the user's online session data.

I think we will make the change in the future to have user's IP address available for plugins to access in an easier way than parsing connectionID.

Added by Abmar Barros over 4 years ago

Thanks, Artur.

I'm implementing it by parsing the connectionId, indeed. As soon as I have something ready I'll post a patch for appreciation.

Added by Abmar Barros over 4 years ago

Hi guys,

I've implemented the feature as we've discussed. The following options can be added to the configuration file and used by the JabberIqRegister plugin:

# A comma-separated list of IP addresses from where IBR will be blocked
sess-man/plugins-conf/registration-blacklist = 10.0.0.1,10.0.0.2,...

# Whether the plugin should only allow IPs in the whitelist to register
sess-man/plugins-conf/whitelist-registration-only = true|false

# A comma-separated list of IP addresses from where IBR will be allowed
sess-man/plugins-conf/registration-whitelist = 10.0.0.3,10.0.0.4,...

I'm attaching a patch with my changes and the corresponding unit tests.

Cheers


Added by Artur Hefczyc TigaseTeam over 4 years ago

Thank you for the patch. If you agree that we can release this code as part of the Tigase XMPP Server under any license, either open source or commercial we can incorporate this code to our software.

Added by Abmar Barros over 4 years ago

Go for it :)

Thanks

Added by Abmar Barros over 4 years ago

Hey guys,

I just realised that addresses in white/black lists should be in the CIDR format, so we could easily describe IP ranges. I'm attaching a patch that addresses this issue, with the corresponding unit tests.

Thanks!
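An added example, not part of the thread and not the attached patch: one way to evaluate the three options above once the lists hold CIDR blocks, for IPv4 and IPv6. The class name `RegistrationIpFilter`, the rule that a blacklist match overrides the whitelist, and the sample addresses in `main` are assumptions; how the remote address is obtained from the connectionId is left to the caller.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical class, not the patch attached to this thread).
public final class RegistrationIpFilter {
    private static final class Cidr {
        final byte[] net; final int prefix;
        Cidr(String text) {
            String[] p = text.split("/", 2);
            net = literal(p[0]);
            // A bare address means a single host: /32 for IPv4, /128 for IPv6.
            prefix = p.length == 2 ? Integer.parseInt(p[1]) : net.length * 8;
            if (prefix < 0 || prefix > net.length * 8) throw new IllegalArgumentException("bad prefix: " + text);
        }
        boolean contains(byte[] a) {
            if (a.length != net.length) return false; // IPv4 never matches IPv6
            for (int i = 0; i < prefix; i++) {
                int mask = 0x80 >> (i % 8);
                if ((a[i / 8] & mask) != (net[i / 8] & mask)) return false;
            }
            return true;
        }
    }
    private final List<Cidr> black = new ArrayList<>(), white = new ArrayList<>();
    private final boolean whitelistOnly;
    public RegistrationIpFilter(String blackCsv, String whiteCsv, boolean whitelistOnly) {
        for (String e : blackCsv.split(",")) if (!e.trim().isEmpty()) black.add(new Cidr(e.trim()));
        for (String e : whiteCsv.split(",")) if (!e.trim().isEmpty()) white.add(new Cidr(e.trim()));
        this.whitelistOnly = whitelistOnly;
    }
    // Shape check first: getByName("") is loopback and a host name would trigger DNS.
    static byte[] literal(String s) {
        if (s == null || !s.matches("[0-9.]+|[0-9a-fA-F:.]*:[0-9a-fA-F:.]*"))
            throw new IllegalArgumentException("not an IP literal: " + s);
        try { return InetAddress.getByName(s).getAddress(); }
        catch (UnknownHostException e) { throw new IllegalArgumentException(s, e); }
    }
    // Assumed precedence: a blacklist match denies; the whitelist applies only in whitelist-only mode.
    public boolean isAllowed(String remoteIp) {
        byte[] a = literal(remoteIp);
        return black.stream().noneMatch(c -> c.contains(a))
                && (!whitelistOnly || white.stream().anyMatch(c -> c.contains(a)));
    }
    public static void main(String[] args) { // constructed sample values
        RegistrationIpFilter f = new RegistrationIpFilter("10.0.0.13/32", "10.0.0.0/24,fd00::/8", true);
        for (String ip : new String[] {"10.0.0.7", "10.0.0.13", "192.0.2.9", "fd00::1"})
            System.out.println(ip + " -> " + f.isAllowed(ip));
    }
}
```

A malformed or empty remote address raises `IllegalArgumentException` rather than matching anything, so the caller should treat that exception as a refusal.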


Added by Artur Hefczyc TigaseTeam over 4 years ago

Thank you for the updated patch. Just for the record, you know that you can disable user registration for any virtual domain on your Tigase server and then you can create/add user accounts using admin ad-hoc commands?


Added by Artur Hefczyc TigaseTeam over 4 years ago

Created a ticket for adding the patch to our code: #1994

Added by Abmar Barros over 4 years ago

Thanks, Artur.

Yeah, I'm aware of those features, but none of them match our requirements. We want external users (of any domain) to do IBR only via our API, which runs in the same IP range as Tigase. We also don't want to use ad-hoc commands because we don't want to add a dependency to an admin user in this API.

Cheers
