modules/key/server: Selective key occlusion blacklisting w/ conf items.

2025-01-22 04:20:03 +01:00 · 2023-03-15 00:24:23 -07:00 · 2023-03-15 00:24:23 -07:00 · 9558637c20
commit 9558637c20
parent e3edcefe17
1 changed files with 46 additions and 0 deletions
--- a/modules/key/server.cc
+++ b/modules/key/server.cc
@ -26,6 +26,20 @@ server_resource
 	}
 };

+conf::item<std::string>
+occlusion_blacklist
+{
+	{ "name",     "ircd.key.occlude.blacklist" },
+	{ "default",  ""                           },
+};
+
+conf::item<std::string>
+occlusion_whitelist
+{
+	{ "name",     "ircd.key.occlude.whitelist" },
+	{ "default",  ""                           },
+};
+
 m::resource::response
 handle_get(client &client,
           const m::resource::request &request)
@ -36,6 +50,38 @@ handle_get(client &client,
 		url::decode(key_id_buf, request.params)
 	};

+	const blackwhite::list acl
+	{
+		' ', occlusion_blacklist, occlusion_whitelist
+	};
+
+	char remote_buf[256];
+	const auto ip_str
+	{
+		occlusion_blacklist || occlusion_whitelist?
+			host(string(remote_buf, remote(client))):
+			string_view{}
+	};
+
+	const bool allow
+	{
+		acl(ip_str)
+	};
+
+	log::debug
+	{
+		m::log, "%s requested key %s (%s)",
+		loghead(client),
+		key_id?: "*"_sv,
+		allow? "ALLOWED": "DENIED",
+	};
+
+	if(!allow)
+		return m::resource::response
+		{
+			client, http::FORBIDDEN
+		};
+
 	m::keys::get(my_host(), key_id, [&client]
 	(const json::object &keys)
 	{