annotate mod_e2e_policy/mod_e2e_policy.lua @ 5425:3b30635d215c

mod_http_oauth2: Support granting zero role-scopes It seems Very Bad that if you uncheck all roles on the consent page, you get the default scopes, which seems the opposite of what you probably intended. Currently, mod_tokenauth will do the same thing, so work is needed there too to allow issuing tokens without roles. A token without a role could be used for OIDC login, and not much else. This seems like a valuable thing to support.
author Kim Alvefur <zash@zash.se>
date Sun, 07 May 2023 19:29:15 +0200
parents a76c420eca61
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
2212
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
1 local st = require "util.stanza";
3385
762c7e7ee64b mod_e2e_policy: Verify that the bare JID of stanza to and from is not in the whitelist
Michel Le Bihan <michel@lebihan.pl>
parents: 3219
diff changeset
2 local jid_bare = require "util.jid".bare;
2212
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
3 local host = module.host;
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
4 local e2e_policy_chat = module:get_option_string("e2e_policy_chat", "optional"); -- possible values: none, optional and required
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
5 local e2e_policy_muc = module:get_option_string("e2e_policy_muc", "optional"); -- possible values: none, optional and required
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
6 local e2e_policy_whitelist = module:get_option_set("e2e_policy_whitelist", { }); -- make this module ignore messages sent to and from this JIDs or MUCs
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
7
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
8 local e2e_policy_message_optional_chat = module:get_option_string("e2e_policy_message_optional_chat", "For security reasons, OMEMO, OTR or PGP encryption is STRONGLY recommended for conversations on this server.");
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
9 local e2e_policy_message_required_chat = module:get_option_string("e2e_policy_message_required_chat", "For security reasons, OMEMO, OTR or PGP encryption is required for conversations on this server.");
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
10 local e2e_policy_message_optional_muc = module:get_option_string("e2e_policy_message_optional_muc", "For security reasons, OMEMO, OTR or PGP encryption is STRONGLY recommended for MUC on this server.");
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
11 local e2e_policy_message_required_muc = module:get_option_string("e2e_policy_message_required_muc", "For security reasons, OMEMO, OTR or PGP encryption is required for MUC on this server.");
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
12
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
13 function warn_on_plaintext_messages(event)
2331
611a787e6d08 mod_e2e_policy: Do not reply to error stenzas
Michel Le Bihan <michel@lebihan.pl>
parents: 2212
diff changeset
14 -- check if JID is whitelisted
3386
a76c420eca61 mod_e2e_policy: Fix an error with getting stanza from event
Michel Le Bihan <michel@lebihan.pl>
parents: 3385
diff changeset
15 if e2e_policy_whitelist:contains(jid_bare(event.stanza.attr.from)) or e2e_policy_whitelist:contains(jid_bare(event.stanza.attr.to)) then
2212
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
16 return nil;
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
17 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
18 local body = event.stanza:get_child_text("body");
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
19 -- do not warn for status messages
2331
611a787e6d08 mod_e2e_policy: Do not reply to error stenzas
Michel Le Bihan <michel@lebihan.pl>
parents: 2212
diff changeset
20 if not body or event.stanza.attr.type == "error" then
2212
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
21 return nil;
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
22 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
23 -- check otr
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
24 if body and body:sub(1,4) == "?OTR" then
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
25 return nil;
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
26 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
27 -- check omemo https://xmpp.org/extensions/inbox/omemo.html
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
28 if event.stanza:get_child("encrypted", "eu.siacs.conversations.axolotl") or event.stanza:get_child("encrypted", "urn:xmpp:omemo:0") then
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
29 return nil;
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
30 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
31 -- check xep27 pgp https://xmpp.org/extensions/xep-0027.html
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
32 if event.stanza:get_child("x", "jabber:x:encrypted") then
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
33 return nil;
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
34 end
2331
611a787e6d08 mod_e2e_policy: Do not reply to error stenzas
Michel Le Bihan <michel@lebihan.pl>
parents: 2212
diff changeset
35 -- check xep373 pgp (OX) https://xmpp.org/extensions/xep-0373.html
2212
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
36 if event.stanza:get_child("openpgp", "urn:xmpp:openpgp:0") then
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
37 return nil;
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
38 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
39 -- no valid encryption found
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
40 if e2e_policy_chat == "optional" and event.stanza.attr.type ~= "groupchat" then
3219
58d61459cdb1 mod_e2e_policy: Always add the 'to' in warning stanzas
Michel Le Bihan <michel@lebihan.pl>
parents: 2331
diff changeset
41 event.origin.send(st.message({ from = host, to = event.stanza.attr.from, type = "headline" }, e2e_policy_message_optional_chat));
2212
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
42 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
43 if e2e_policy_chat == "required" and event.stanza.attr.type ~= "groupchat" then
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
44 return event.origin.send(st.error_reply(event.stanza, "modify", "policy-violation", e2e_policy_message_required_chat));
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
45 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
46 if e2e_policy_muc == "optional" and event.stanza.attr.type == "groupchat" then
3219
58d61459cdb1 mod_e2e_policy: Always add the 'to' in warning stanzas
Michel Le Bihan <michel@lebihan.pl>
parents: 2331
diff changeset
47 event.origin.send(st.message({ from = host, to = event.stanza.attr.from, type = "headline" }, e2e_policy_message_optional_muc));
2212
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
48 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
49 if e2e_policy_muc == "required" and event.stanza.attr.type == "groupchat" then
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
50 return event.origin.send(st.error_reply(event.stanza, "modify", "policy-violation", e2e_policy_message_required_muc));
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
51 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
52 end
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
53
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
54 module:hook("pre-message/bare", warn_on_plaintext_messages, 300);
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
55 module:hook("pre-message/full", warn_on_plaintext_messages, 300);
57dcad6543c9 mod_e2e_policy: Initial commit
Michel Le Bihan <michel@lebihan.pl>
parents:
diff changeset
56 module:hook("pre-message/host", warn_on_plaintext_messages, 300);