annotate mod_admin_blocklist/mod_admin_blocklist.lua @ 5596:d2561c1d26f5

mod_client_management: Allow revoking a specific client version Could be useful in case of a security issue affecting a particular version. Even if in that case, the more likely use case is revoking all older versions except the fixed one(s), this can be done with a loop or improved later.
author Kim Alvefur <zash@zash.se>
date Fri, 14 Jul 2023 15:16:06 +0200
parents 96e83b4a93f7
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1735
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
1 -- mod_admin_blocklist
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
2 --
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
3 -- If a local admin has blocked a domain, don't allow s2s to that domain
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
4 --
5017
96e83b4a93f7 mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents: 5016
diff changeset
5 -- Copyright (C) 2015-2022 Kim Alvefur
1735
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
6 --
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
7 -- This file is MIT/X11 licensed.
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
8 --
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
9
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
10 module:depends("blocklist");
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
11
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
12 local st = require"util.stanza";
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
13 local jid_split = require"util.jid".split;
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
14
4805
683d1ad16b56 mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents: 2313
diff changeset
15 local usermanager = require "core.usermanager";
683d1ad16b56 mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents: 2313
diff changeset
16
683d1ad16b56 mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents: 2313
diff changeset
17 local admins;
683d1ad16b56 mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents: 2313
diff changeset
18 if usermanager.get_jids_with_role then
683d1ad16b56 mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents: 2313
diff changeset
19 local set = require "util.set";
5017
96e83b4a93f7 mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents: 5016
diff changeset
20 local include_roles = module:get_option_set("admin_blocklist_roles", { "prosody:operator"; "prosody:admin" });
96e83b4a93f7 mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents: 5016
diff changeset
21
96e83b4a93f7 mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents: 5016
diff changeset
22 admins = set.new();
96e83b4a93f7 mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents: 5016
diff changeset
23 for role in include_roles do
96e83b4a93f7 mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents: 5016
diff changeset
24 admins:include(set.new(usermanager.get_jids_with_role(role, module.host)));
96e83b4a93f7 mod_admin_blocklist: Add config option for which role(s) to consider (0.12+)
Kim Alvefur <zash@zash.se>
parents: 5016
diff changeset
25 end
4805
683d1ad16b56 mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents: 2313
diff changeset
26 else -- COMPAT w/pre-0.12
683d1ad16b56 mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents: 2313
diff changeset
27 admins = module:get_option_inherited_set("admins", {});
683d1ad16b56 mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents: 2313
diff changeset
28 end
683d1ad16b56 mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents: 2313
diff changeset
29 admins = admins /
1735
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
30 function (admin) -- Filter out non-local admins
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
31 local user, host = jid_split(admin);
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
32 if host == module.host then return user; end
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
33 end
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
34
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
35 local blocklists = module:open_store("blocklist");
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
36
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
37 local function is_blocked(host)
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
38 for admin in admins do
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
39 local blocklist = blocklists:get(admin);
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
40 if blocklist and blocklist[host] then
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
41 return true;
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
42 end
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
43 end
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
44 end
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
45
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
46 module:hook("route/remote", function (event)
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
47 local origin, stanza = event.origin, event.stanza;
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
48 if is_blocked(event.to_host) then
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
49 if origin and stanza then
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
50 origin.send(st.error_reply(stanza, "cancel", "not-allowed", "Communication with this domain is not allowed"));
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
51 return true;
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
52 end
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
53 return false;
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
54 end
2313
5d05139d0555 mod_admin_blocklist: Do block check only when a stanza is about to trigger a new outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents: 1735
diff changeset
55 end, -9);
1735
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
56
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
57
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
58 module:hook("s2s-stream-features", function (event)
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
59 local session = event.origin;
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
60 if is_blocked(session.from_host) then
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
61 session:close("policy-violation");
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
62 return false;
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
63 end
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
64 end, 1000);
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
65
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
66 module:hook("stanza/http://etherx.jabber.org/streams:features", function (event)
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
67 local session = event.origin;
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
68 if is_blocked(session.to_host) then
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
69 session:close("policy-violation");
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
70 return true;
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
71 end
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
72 end, 1000);
c2d43b568178 mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff changeset
73