Mercurial > prosody-modules
annotate mod_isolate_host/mod_isolate_host.lua @ 5271:3a1df3adad0c
mod_http_oauth2: Allow user to decide which requested scopes to grant
These should at the very least be shown to the user, so they can decide
whether to grant them.
Considered whether to filter the requested scopes down to actually
understood scopes that would be granted, but decided that this was a bit
complex for a first step, since role role selection and other kinds of
scopes are mixed into the same field here.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 23 Mar 2023 16:28:08 +0100 |
parents | 16db0a6e868c |
children | 0f5657db1cfc |
rev | line source |
---|---|
1011
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local jid = require "util.jid"; |
5004
bc75fc9400ae
mod_isolate_host: Switch to module:may() (back compatible via compat_roles)
Matthew Wild <mwild1@gmail.com>
parents:
1792
diff
changeset
|
2 local jid_bare, jid_host = jid.bare, jid.host; |
1011
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local set = require "util.set"; |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 local st = require "util.stanza"; |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 local stanza_types = set.new{"message", "presence", "iq"}; |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 local jid_types = set.new{"bare", "full", "host"}; |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 local except_domains = module:get_option_inherited_set("isolate_except_domains", {}); |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local except_users = module:get_option_inherited_set("isolate_except_users", {}); |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
5004
bc75fc9400ae
mod_isolate_host: Switch to module:may() (back compatible via compat_roles)
Matthew Wild <mwild1@gmail.com>
parents:
1792
diff
changeset
|
12 if not module.may then |
bc75fc9400ae
mod_isolate_host: Switch to module:may() (back compatible via compat_roles)
Matthew Wild <mwild1@gmail.com>
parents:
1792
diff
changeset
|
13 module:depends("compat_roles"); |
bc75fc9400ae
mod_isolate_host: Switch to module:may() (back compatible via compat_roles)
Matthew Wild <mwild1@gmail.com>
parents:
1792
diff
changeset
|
14 end |
bc75fc9400ae
mod_isolate_host: Switch to module:may() (back compatible via compat_roles)
Matthew Wild <mwild1@gmail.com>
parents:
1792
diff
changeset
|
15 |
1011
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 function check_stanza(event) |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 local origin, stanza = event.origin, event.stanza; |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 if origin.no_host_isolation then return; end |
5004
bc75fc9400ae
mod_isolate_host: Switch to module:may() (back compatible via compat_roles)
Matthew Wild <mwild1@gmail.com>
parents:
1792
diff
changeset
|
19 local to_host = jid_host(event.stanza.attr.to); |
1011
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 if to_host and to_host ~= origin.host and not except_domains:contains(to_host) then |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 if to_host:match("^[^.]+%.(.+)$") == origin.host then -- Permit subdomains |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 except_domains:add(to_host); |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 return; |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 end |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 module:log("warn", "Forbidding stanza from %s to %s", stanza.attr.from or origin.full_jid, stanza.attr.to); |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 origin.send(st.error_reply(stanza, "auth", "forbidden", "Communication with "..to_host.." is not available")); |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 return true; |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 end |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 end |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 for stanza_type in stanza_types do |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 for jid_type in jid_types do |
1792
8e19b943c2cd
mod_isolate_host: Bump event hook priorities to make sure they are above the core plugins
Kim Alvefur <zash@zash.se>
parents:
1011
diff
changeset
|
33 module:hook("pre-"..stanza_type.."/"..jid_type, check_stanza, 1); |
1011
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 end |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 end |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 |
5004
bc75fc9400ae
mod_isolate_host: Switch to module:may() (back compatible via compat_roles)
Matthew Wild <mwild1@gmail.com>
parents:
1792
diff
changeset
|
37 module:default_permission("prosody:admin", "xmpp:federate"); |
bc75fc9400ae
mod_isolate_host: Switch to module:may() (back compatible via compat_roles)
Matthew Wild <mwild1@gmail.com>
parents:
1792
diff
changeset
|
38 |
1011
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 function check_user_isolated(event) |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 local session = event.session; |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 local bare_jid = jid_bare(session.full_jid); |
5096
16db0a6e868c
mod_isolate_host: Pass context to module:may() (thanks cc)
Matthew Wild <mwild1@gmail.com>
parents:
5004
diff
changeset
|
42 if module:may("xmpp:federate", event) or except_users:contains(bare_jid) then |
1011
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 session.no_host_isolation = true; |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
44 end |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
45 module:log("debug", "%s is %sisolated", session.full_jid or "[?]", session.no_host_isolation and "" or "not "); |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
46 end |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
47 |
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
48 module:hook("resource-bind", check_user_isolated); |