Mercurial > prosody-modules
annotate mod_isolate_host/mod_isolate_host.lua @ 1011:9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Tue, 14 May 2013 16:25:59 +0100 |
| parents | |
| children | 8e19b943c2cd |
| rev | line source |
|---|---|
|
1011
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
1 local jid = require "util.jid"; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
2 local jid_bare, jid_split = jid.bare, jid.split; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
3 local is_admin = require "core.usermanager".is_admin; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
4 local set = require "util.set"; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 local st = require "util.stanza"; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
6 |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
7 local stanza_types = set.new{"message", "presence", "iq"}; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 local jid_types = set.new{"bare", "full", "host"}; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local except_domains = module:get_option_inherited_set("isolate_except_domains", {}); |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 local except_users = module:get_option_inherited_set("isolate_except_users", {}); |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
12 |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
13 function check_stanza(event) |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 local origin, stanza = event.origin, event.stanza; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
15 if origin.no_host_isolation then return; end |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
16 local to_user, to_host = jid_split(event.stanza.attr.to); |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
17 if to_host and to_host ~= origin.host and not except_domains:contains(to_host) then |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
18 if to_host:match("^[^.]+%.(.+)$") == origin.host then -- Permit subdomains |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
19 except_domains:add(to_host); |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
20 return; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
21 end |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
22 module:log("warn", "Forbidding stanza from %s to %s", stanza.attr.from or origin.full_jid, stanza.attr.to); |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 origin.send(st.error_reply(stanza, "auth", "forbidden", "Communication with "..to_host.." is not available")); |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 return true; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
25 end |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
26 end |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
28 for stanza_type in stanza_types do |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
29 for jid_type in jid_types do |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
30 module:hook("pre-"..stanza_type.."/"..jid_type, check_stanza); |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
31 end |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
32 end |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
33 |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
34 function check_user_isolated(event) |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
35 local session = event.session; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
36 local bare_jid = jid_bare(session.full_jid); |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
37 if is_admin(bare_jid, module.host) or except_users:contains(bare_jid) then |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
38 session.no_host_isolation = true; |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
39 end |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
40 module:log("debug", "%s is %sisolated", session.full_jid or "[?]", session.no_host_isolation and "" or "not "); |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
41 end |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
42 |
|
9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
43 module:hook("resource-bind", check_user_isolated); |