Mercurial > prosody-modules
annotate mod_admin_blocklist/mod_admin_blocklist.lua @ 5596:d2561c1d26f5
mod_client_management: Allow revoking a specific client version
Could be useful in case of a security issue affecting a particular
version. Even if in that case, the more likely use case is revoking all
older versions except the fixed one(s), this can be done with a loop or
improved later.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Fri, 14 Jul 2023 15:16:06 +0200 |
parents | 96e83b4a93f7 |
children |
rev | line source |
---|---|
1735
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 -- mod_admin_blocklist |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 -- |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 -- If a local admin has blocked a domain, don't allow s2s to that domain |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 -- |
5017
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
5016
diff
changeset
|
5 -- Copyright (C) 2015-2022 Kim Alvefur |
1735
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 -- |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 -- This file is MIT/X11 licensed. |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 -- |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 module:depends("blocklist"); |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 local st = require"util.stanza"; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 local jid_split = require"util.jid".split; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
4805
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2313
diff
changeset
|
15 local usermanager = require "core.usermanager"; |
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2313
diff
changeset
|
16 |
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2313
diff
changeset
|
17 local admins; |
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2313
diff
changeset
|
18 if usermanager.get_jids_with_role then |
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2313
diff
changeset
|
19 local set = require "util.set"; |
5017
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
5016
diff
changeset
|
20 local include_roles = module:get_option_set("admin_blocklist_roles", { "prosody:operator"; "prosody:admin" }); |
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
5016
diff
changeset
|
21 |
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
5016
diff
changeset
|
22 admins = set.new(); |
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
5016
diff
changeset
|
23 for role in include_roles do |
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
5016
diff
changeset
|
24 admins:include(set.new(usermanager.get_jids_with_role(role, module.host))); |
96e83b4a93f7
mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents:
5016
diff
changeset
|
25 end |
4805
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2313
diff
changeset
|
26 else -- COMPAT w/pre-0.12 |
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2313
diff
changeset
|
27 admins = module:get_option_inherited_set("admins", {}); |
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2313
diff
changeset
|
28 end |
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2313
diff
changeset
|
29 admins = admins / |
1735
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 function (admin) -- Filter out non-local admins |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 local user, host = jid_split(admin); |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 if host == module.host then return user; end |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 end |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 local blocklists = module:open_store("blocklist"); |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 local function is_blocked(host) |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 for admin in admins do |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 local blocklist = blocklists:get(admin); |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 if blocklist and blocklist[host] then |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 return true; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 end |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 end |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 end |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 module:hook("route/remote", function (event) |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 local origin, stanza = event.origin, event.stanza; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 if is_blocked(event.to_host) then |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 if origin and stanza then |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
50 origin.send(st.error_reply(stanza, "cancel", "not-allowed", "Communication with this domain is not allowed")); |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 return true; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 end |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 return false; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 end |
2313
5d05139d0555
mod_admin_blocklist: Do block check only when a stanza is about to trigger a new outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
1735
diff
changeset
|
55 end, -9); |
1735
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 module:hook("s2s-stream-features", function (event) |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 local session = event.origin; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 if is_blocked(session.from_host) then |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 session:close("policy-violation"); |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 return false; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 end |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 end, 1000); |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 module:hook("stanza/http://etherx.jabber.org/streams:features", function (event) |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 local session = event.origin; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 if is_blocked(session.to_host) then |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
69 session:close("policy-violation"); |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
70 return true; |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
71 end |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
72 end, 1000); |
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
73 |