Mercurial > prosody-modules

annotate mod_isolate_host/mod_isolate_host.lua @ 4293:edde5905744a

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_s2s_keepalive: Don't send whitespace keepalives before s2sin stream is open Could possibly result in whitespace before the XML and stream header, which isn't allowed by the parser. Don't think s2sout is affected, as the stream is opened early and doesn't have to wait for the other end. Thanks Ge0rG
author Kim Alvefur <zash@zash.se>
date Thu, 10 Dec 2020 11:57:03 +0100
parents 8e19b943c2cd
children bc75fc9400ae
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1011
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
1 local jid = require "util.jid";
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
2 local jid_bare, jid_split = jid.bare, jid.split;
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
3 local is_admin = require "core.usermanager".is_admin;
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
4 local set = require "util.set";
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
5 local st = require "util.stanza";
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
6
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
7 local stanza_types = set.new{"message", "presence", "iq"};
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
8 local jid_types = set.new{"bare", "full", "host"};
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
9
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10 local except_domains = module:get_option_inherited_set("isolate_except_domains", {});
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
11 local except_users = module:get_option_inherited_set("isolate_except_users", {});
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
12
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
13 function check_stanza(event)
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
14 local origin, stanza = event.origin, event.stanza;
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
15 if origin.no_host_isolation then return; end
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
16 local to_user, to_host = jid_split(event.stanza.attr.to);
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
17 if to_host and to_host ~= origin.host and not except_domains:contains(to_host) then
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
18 if to_host:match("^[^.]+%.(.+)$") == origin.host then -- Permit subdomains
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
19 except_domains:add(to_host);
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
20 return;
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
21 end
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
22 module:log("warn", "Forbidding stanza from %s to %s", stanza.attr.from or origin.full_jid, stanza.attr.to);
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
23 origin.send(st.error_reply(stanza, "auth", "forbidden", "Communication with "..to_host.." is not available"));
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24 return true;
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
25 end
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
26 end
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
28 for stanza_type in stanza_types do
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
29 for jid_type in jid_types do
1792
8e19b943c2cd mod_isolate_host: Bump event hook priorities to make sure they are above the core plugins
Kim Alvefur <zash@zash.se>
parents: 1011
diff changeset
30 module:hook("pre-"..stanza_type.."/"..jid_type, check_stanza, 1);
1011
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
31 end
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
32 end
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
33
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
34 function check_user_isolated(event)
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
35 local session = event.session;
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
36 local bare_jid = jid_bare(session.full_jid);
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
37 if is_admin(bare_jid, module.host) or except_users:contains(bare_jid) then
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
38 session.no_host_isolation = true;
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
39 end
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
40 module:log("debug", "%s is %sisolated", session.full_jid or "[?]", session.no_host_isolation and "" or "not ");
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
41 end
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
42
9466efd10af9 mod_isolate_host: Prevent communication between hosts, even internal ones
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
43 module:hook("resource-bind", check_user_isolated);