annotate mod_muc_restrict_rooms/mod_muc_restrict_rooms.lua @ 5298:12f7d8b901e0

mod_audit: Support for adding location (GeoIP) to audit events This can be more privacy-friendly than logging full IP addresses, and also more informative to a user - IP addresses don't mean much to the average person, however if they see activity from outside their expected country, they can immediately identify suspicious activity. As with IPs, this field is configurable for deployments that would like to disable it. Location is also not logged when the geoip library is not available.
author Matthew Wild <mwild1@gmail.com>
date Sat, 01 Apr 2023 13:11:53 +0100
parents 79adec50b24d
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1612
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
1 local st = require "util.stanza";
1613
ca04f75958f7 mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents: 1612
diff changeset
2 local jid = require "util.jid";
1612
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
3 local nodeprep = require "util.encodings".stringprep.nodeprep;
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
4
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
5 local rooms = module:shared "muc/rooms";
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
6 if not rooms then
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
7 module:log("error", "This module only works on MUC components!");
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
8 return;
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
9 end
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
10
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
11 local restrict_patterns = module:get_option("muc_restrict_matching", {});
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
12 local restrict_excepts = module:get_option_set("muc_restrict_exceptions", {});
1613
ca04f75958f7 mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents: 1612
diff changeset
13 local restrict_allow_admins = module:get_option_boolean("muc_restrict_allow_admins", false);
1612
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
14
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
15 local function is_restricted(room, who)
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
16 -- If admins can join prohibited rooms, we allow them to
1613
ca04f75958f7 mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents: 1612
diff changeset
17 if restrict_allow_admins and usermanager.is_admin(who, module.host) then
1612
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
18 module:log("debug", "Admins are allowed to enter restricted rooms (%s on %s)", who, room)
1613
ca04f75958f7 mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents: 1612
diff changeset
19 return nil;
1612
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
20 end
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
21
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
22 -- Don't evaluate exceptions
1613
ca04f75958f7 mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents: 1612
diff changeset
23 if restrict_excepts:contains(room) then
ca04f75958f7 mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents: 1612
diff changeset
24 module:log("debug", "Room %s is amongst restriction exceptions", room())
ca04f75958f7 mod_muc_restrict_rooms: Some fixes based on Matthew's comments + a few more
Nicolás Kovac <nkneumann(at)gmail.com>
parents: 1612
diff changeset
25 return nil;
1612
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
26 end
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
27
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
28 -- Evaluate regexps of restricted patterns
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
29 for pattern,reason in pairs(restrict_patterns) do
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
30 if room:match(pattern) then
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
31 module:log("debug", "Room %s is restricted by pattern %s, user %s is not allowed to join (%s)", room, pattern, who, reason)
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
32 return reason;
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
33 end
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
34 end
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
35
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
36 return nil
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
37 end
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
38
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
39 module:hook("presence/full", function(event)
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
40 local stanza = event.stanza;
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
41
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
42 if stanza.name == "presence" and stanza.attr.type == "unavailable" then -- Leaving events get discarded
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
43 return;
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
44 end
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
45
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
46 -- Get the room
1614
79adec50b24d mod_muc_restrict_rooms: Fixed the way of getting room and user
Nicolás Kovac <nkneumann(at)gmail.com>
parents: 1613
diff changeset
47 local room = jid.split(stanza.attr.to);
1612
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
48 if not room then return; end
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
49
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
50 -- Get who has tried to join it
1614
79adec50b24d mod_muc_restrict_rooms: Fixed the way of getting room and user
Nicolás Kovac <nkneumann(at)gmail.com>
parents: 1613
diff changeset
51 local who = jid.bare(stanza.attr.from)
1612
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
52
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
53 -- Checking whether room is restricted
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
54 local check_restricted = is_restricted(room, who)
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
55 if check_restricted ~= nil then
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
56 event.allowed = false;
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
57 event.stanza.attr.type = 'error';
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
58 return event.origin.send(st.error_reply(event.stanza, "cancel", "forbidden", "You're not allowed to enter this room: " .. check_restricted));
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
59 end
247e6e43843e Adding new mod_muc_restrict_rooms module
Nicolás Kovac <nkneumann(at)gmail.com>
parents:
diff changeset
60 end, 10);