OF-1007: Add blacklist support

This complements the existing whitelist with blacklist functionality for
client-to-server connections.

src/i18n/openfire_i18n_cs_CZ.properties

@@ -2444,6 +2444,13 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
+
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_de.properties

@@ -2407,6 +2407,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_en.properties

@@ -1399,9 +1399,15 @@ reg.settings.only_registered_login=Only registered users may login.
 reg.settings.allowed_ips=Restrict Login
 reg.settings.allowed_ips_info=Use the form below to define the IP addresses or IP address ranges \
         that are allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
-        that clients will be able to connect from any IP address.
-reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
-reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+        that clients will be able to connect from any IP address (unless a blacklist is in place).
+reg.settings.ips_all=Restrict ALL (including anonymous) logins to these IP's:
+reg.settings.ips_anonymous=Restrict anonymous logins to these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 
 # Server db Page
 

src/i18n/openfire_i18n_es.properties

@@ -2465,6 +2465,12 @@ user.properties.isadmin=El usuario tiene privilegios de administrador.
 
 reg.settings.ips_all=Restringir TODOS los ingresos de estas IPs:
 reg.settings.ips_anonymous=Restringir ingresos anonimos de estas IPs:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Aceptar certificados auto-firmados. Server dialback sobre TLS esta habilitado.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_fr.properties

@@ -2020,6 +2020,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_ja_JP.properties

@@ -2391,6 +2391,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_nl.properties

@@ -2409,6 +2409,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_pl_PL.properties

@@ -2378,6 +2378,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_pt_BR.properties

@@ -2411,6 +2411,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_pt_PT.properties

@@ -1381,6 +1381,12 @@ reg.settings.allowed_ips_info=Utilize o formul\u00e1rio abaixo para definir ende
         que os clientes est\u00e3o habilitados a ligar com qualquer IP.
 reg.settings.ips_all=Restringir TODAS (incluindo as anonimas) tentativas de acesso destes IP's:
 reg.settings.ips_anonymous=Restringir tentativas de acesso anonimas destes IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 
 # Server db Page
 

src/i18n/openfire_i18n_ru_RU.properties

@@ -821,6 +821,12 @@ reg.settings.inband_account_info=\ \u0412\u043D\u0443\u0442\u0440\u0435\u043D\u0
 reg.settings.info=\u0418\u0441\u043F\u043E\u043B\u044C\u0437\u0443\u0439\u0442\u0435 \u0444\u043E\u0440\u043C\u044B \u043D\u0438\u0436\u0435, \u0447\u0442\u043E\u0431\u044B \u0438\u0437\u043C\u0435\u043D\u044F\u0442\u044C \u0440\u0430\u0437\u043B\u0438\u0447\u043D\u044B\u0435 \u0430\u0441\u043F\u0435\u043A\u0442\u044B \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438 \u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u0435\u0439 \u0438 \u0432\u0445\u043E\u0434\u0430.
 reg.settings.ips_all=\u041E\u0433\u0440\u0430\u043D\u0438\u0447\u0438\u0442\u044C \u0434\u043E\u0441\u0442\u0443\u043F \u043A\u043E \u0432\u0441\u0435\u043C (\u0432 \u0442\u043E\u043C \u0447\u0438\u0441\u043B\u0435 \u0430\u043D\u043E\u043D\u0438\u043C\u043D\u044B\u043C) \u043B\u043E\u0433\u0438\u043D\u0430\u043C \u044D\u0442\u0438\u0445 IP's\:
 reg.settings.ips_anonymous=\u041E\u0433\u0440\u0430\u043D\u0438\u0447\u0438\u0442\u044C \u0430\u043D\u043E\u043D\u0438\u043C\u043D\u044B\u0435 \u043B\u043E\u0433\u0438\u043D\u044B \u044D\u0442\u0438\u0445 IP's\:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 reg.settings.not_auto_create=\u041F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u0438 \u043D\u0435 \u043C\u043E\u0433\u0443\u0442 \u0430\u0432\u0442\u043E\u043C\u0430\u0442\u0438\u0447\u0435\u0441\u043A\u0438 \u0441\u043E\u0437\u0434\u0430\u0432\u0430\u0442\u044C \u043D\u043E\u0432\u044B\u0435 \u0443\u0447\u0435\u0442\u043D\u044B\u0435 \u0437\u0430\u043F\u0438\u0441\u0438.
 reg.settings.only_registered_login=\u0422\u043E\u043B\u044C\u043A\u043E \u0437\u0430\u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0438\u0440\u043E\u0432\u0430\u043D\u043D\u044B\u0435 \u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u0438 \u043C\u043E\u0433\u0443\u0442 \u0432\u043E\u0439\u0442\u0438.
 reg.settings.title=\u041D\u0430\u0441\u0442\u0440\u043E\u0439\u043A\u0430 \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438

src/i18n/openfire_i18n_sk.properties

@@ -2247,6 +2247,12 @@ security.audit.viewer.view_url=Nasledovn\u00fd URL odkazuje na prehliada\u010d z
 security.audit.viewer.view_url.url=URL
 reg.settings.ips_all=Obmedzi\u0165 V\u0160ETKY (vr\u00e1tane anonymn\u00fdch) prihl\u00e1sen\u00ed na tieto IP adresy:
 reg.settings.ips_anonymous=Obmedzi\u0165 anonymn\u00e9 prihl\u00e1senia na tieto IP adresy:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Akceptova\u0165 certifik\u00e1ty podp\u00edsan\u00e9 sebou sam\u00fd. Sp\u00e4tn\u00e9 volanie servera prostredn\u00edctvom TLS je teraz dostupn\u00e9.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_zh_CN.properties

@@ -2303,6 +2303,12 @@ user.create.isadmin=\u662F\u5426\u4E3A\u7BA1\u7406\u5458?
 user.create.admin_info=\u6388\u4E88 Openfire \u7BA1\u7406\u6743\u9650
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/java/org/jivesoftware/openfire/session/ConnectionSettings.java

@@ -19,6 +19,7 @@ public final class ConnectionSettings {
 
         public static final String COMPRESSION_SETTINGS = "xmpp.client.compression.policy";
         public static final String LOGIN_ALLOWED = "xmpp.client.login.allowed";
+        public static final String LOGIN_BLOCKED = "xmpp.client.login.blocked";
         public static final String LOGIN_ANONYM_ALLOWED = "xmpp.client.login.allowedAnonym";
 
         public static final String MAX_THREADS = "xmpp.client.processing.threads";

src/web/reg-settings.jsp

@@ -48,6 +48,7 @@
     boolean anonLogin = ParamUtils.getBooleanParameter(request, "anonLogin");
     String allowedIPs = request.getParameter("allowedIPs");
     String allowedAnonymIPs = request.getParameter("allowedAnonymIPs");
+    String blockedIPs = request.getParameter("blockedIPs");
     // Get an IQRegisterHandler:
     IQRegisterHandler regHandler = XMPPServer.getInstance().getIQRegisterHandler();
     IQAuthHandler authHandler = XMPPServer.getInstance().getIQAuthHandler();
@@ -66,7 +67,7 @@
         while (tokens.hasMoreTokens()) {
             String address = tokens.nextToken().trim();
             if (pattern.matcher(address).matches()) {
-                allowedSet.add(address);
+                allowedSet.add( address );
             }
         }
         
@@ -76,14 +77,24 @@
         while (tokens1.hasMoreTokens()) {
             String address = tokens1.nextToken().trim();
             if (pattern.matcher(address).matches()) {
-                allowedAnonymousSet.add(address);
+                allowedAnonymousSet.add( address );
+            }
+        }
+
+        Set<String> blockedSet = new HashSet<String>();
+        StringTokenizer tokens2 = new StringTokenizer(blockedIPs, ", ");
+        while (tokens2.hasMoreTokens()) {
+            String address = tokens2.nextToken().trim();
+            if (pattern.matcher(address).matches()) {
+                blockedSet.add( address );
             }
         }
         LocalClientSession.setWhitelistedIPs( allowedSet );
         LocalClientSession.setWhitelistedAnonymousIPs( allowedAnonymousSet );
+        LocalClientSession.setBlacklistedIPs( blockedSet );
 
         // Log the event
-        webManager.logEvent("edited registration settings", "inband enabled = "+inbandEnabled+"\ncan change password = "+canChangePassword+"\nanon login = "+anonLogin+"\nallowed ips = "+allowedIPs);
+        webManager.logEvent("edited registration settings", "inband enabled = "+inbandEnabled+"\ncan change password = "+canChangePassword+"\nanon login = "+anonLogin+"\nallowed ips = "+allowedIPs+"\nblocked ips = "+blockedIPs);
     }
 
     // Reset the value of page vars:
@@ -110,6 +121,17 @@
         buf1.append(", ").append(iter1.next());
     }
     allowedAnonymIPs = buf1.toString();
+
+    StringBuilder buf2 = new StringBuilder();
+    Iterator<String> iter2 = org.jivesoftware.openfire.session.LocalClientSession.getBlacklistedIPs().iterator();
+    if (iter2.hasNext()) {
+        buf2.append(iter2.next());
+    }
+    while (iter2.hasNext()) {
+        buf2.append(", ").append(iter2.next());
+    }
+    blockedIPs = buf2.toString();
+
 %>
 
 <p>
@@ -231,6 +253,20 @@
 	<br>
 
 	<h4><fmt:message key="reg.settings.allowed_ips" /></h4>
+    <p>
+        <fmt:message key="reg.settings.allowed_ips_blocked_info" />
+    </p>
+    <table cellpadding="3" cellspacing="0" border="0" width="100%">
+        <tbody>
+        <tr>
+            <td valign='top'><b><fmt:message key="reg.settings.ips_blocked" /></b></td>
+            <td>
+                <textarea name="blockedIPs" cols="40" rows="3" wrap="virtual"><%= ((blockedIPs != null) ? blockedIPs : "") %></textarea>
+            </td>
+        </tr>
+        </tbody>
+    </table>
+
 	<p>
     <fmt:message key="reg.settings.allowed_ips_info" />
     </p>