comparison mod_muc_ban_ip/mod_muc_ban_ip.lua @ 5015:47d9f704d14b
mod_muc_ban_ip: Support for service-wide IP bans from trusted services
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Fri, 26 Aug 2022 11:30:44 +0100 |
parents | a7a06c8cea37 |
children |
5014:eb3f99d0e72d | 5015:47d9f704d14b |
---|---|
1 module:set_global(); | 1 module:set_global(); |
2 | 2 |
3 local jid_bare = require "util.jid".bare; | 3 local jid_bare, jid_host = require "util.jid".bare, require "util.jid".host; |
4 local st = require "util.stanza"; | 4 local st = require "util.stanza"; |
5 local xmlns_muc_user = "http://jabber.org/protocol/muc#user"; | 5 local xmlns_muc_user = "http://jabber.org/protocol/muc#user"; |
6 | 6 |
7 local trusted_services = module:get_option_inherited_set("muc_ban_ip_trusted_services", {}); | |
8 local trust_local_restricted_services = module:get_option_boolean("muc_ban_ip_trust_local_restricted_services", true); | |
9 | |
7 local ip_bans = module:shared("bans"); | 10 local ip_bans = module:shared("bans"); |
8 local full_sessions = prosody.full_sessions; | 11 local full_sessions = prosody.full_sessions; |
12 | |
13 local function is_local_restricted_service(host) | |
14 local muc_service = prosody.hosts[host] and prosody.hosts[host].modules.muc; | |
15 if muc_service and module:context(host):get_option("restrict_room_creation") ~= nil then -- COMPAT: May need updating post-0.12 | |
16 return true; | |
17 end | |
18 return false; | |
19 end | |
9 | 20 |
10 local function ban_ip(session, from) | 21 local function ban_ip(session, from) |
11 local ip = session.ip; | 22 local ip = session.ip; |
12 if not ip then | 23 if not ip then |
13 module:log("warn", "Failed to ban IP (IP unknown) for %s", session.full_jid); | 24 module:log("warn", "Failed to ban IP (IP unknown) for %s", session.full_jid); |
14 return; | 25 return; |
26 end | |
27 local from_host = jid_host(from); | |
28 if trusted_services:contains(from_host) or (trust_local_restricted_services and is_local_restricted_service(from_host)) then | |
29 from = from_host; -- Ban from entire host | |
15 end | 30 end |
16 local banned_from = ip_bans[ip]; | 31 local banned_from = ip_bans[ip]; |
17 if not banned_from then | 32 if not banned_from then |
18 banned_from = {}; | 33 banned_from = {}; |
19 ip_bans[ip] = banned_from; | 34 ip_bans[ip] = banned_from; |
43 end | 58 end |
44 | 59 |
45 local function check_for_ban(event) | 60 local function check_for_ban(event) |
46 local origin, stanza = event.origin, event.stanza; | 61 local origin, stanza = event.origin, event.stanza; |
47 local ip = origin.ip; | 62 local ip = origin.ip; |
48 local to = jid_bare(stanza.attr.to); | 63 local to, to_host = jid_bare(stanza.attr.to), jid_host(stanza.attr.to); |
49 if ip_bans[ip] and ip_bans[ip][to] then | 64 if ip_bans[ip] and (ip_bans[ip][to] or ip_bans[ip][to_host]) then |
50 (origin.log or module._log)("debug", "IP banned: %s is banned from %s", ip, to) | 65 (origin.log or module._log)("debug", "IP banned: %s is banned from %s", ip, to) |
51 if stanza.attr.type ~= "error" then | 66 if stanza.attr.type ~= "error" then |
52 origin.send(st.error_reply(stanza, "auth", "forbidden") | 67 origin.send(st.error_reply(stanza, "auth", "forbidden") |
53 :tag("x", { xmlns = xmlns_muc_user }) | 68 :tag("x", { xmlns = xmlns_muc_user }) |
54 :tag("status", { code = '301' })); | 69 :tag("status", { code = '301' })); |