Mercurial > prosody-modules
comparison mod_muc_ban_ip/mod_muc_ban_ip.lua @ 5015:47d9f704d14b
mod_muc_ban_ip: Support for service-wide IP bans from trusted services
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Fri, 26 Aug 2022 11:30:44 +0100 |
| parents | a7a06c8cea37 |
| children |
comparison
equal
deleted
inserted
replaced
| 5014:eb3f99d0e72d | 5015:47d9f704d14b |
|---|---|
| 1 module:set_global(); | 1 module:set_global(); |
| 2 | 2 |
| 3 local jid_bare = require "util.jid".bare; | 3 local jid_bare, jid_host = require "util.jid".bare, require "util.jid".host; |
| 4 local st = require "util.stanza"; | 4 local st = require "util.stanza"; |
| 5 local xmlns_muc_user = "http://jabber.org/protocol/muc#user"; | 5 local xmlns_muc_user = "http://jabber.org/protocol/muc#user"; |
| 6 | 6 |
| 7 local trusted_services = module:get_option_inherited_set("muc_ban_ip_trusted_services", {}); | |
| 8 local trust_local_restricted_services = module:get_option_boolean("muc_ban_ip_trust_local_restricted_services", true); | |
| 9 | |
| 7 local ip_bans = module:shared("bans"); | 10 local ip_bans = module:shared("bans"); |
| 8 local full_sessions = prosody.full_sessions; | 11 local full_sessions = prosody.full_sessions; |
| 12 | |
| 13 local function is_local_restricted_service(host) | |
| 14 local muc_service = prosody.hosts[host] and prosody.hosts[host].modules.muc; | |
| 15 if muc_service and module:context(host):get_option("restrict_room_creation") ~= nil then -- COMPAT: May need updating post-0.12 | |
| 16 return true; | |
| 17 end | |
| 18 return false; | |
| 19 end | |
| 9 | 20 |
| 10 local function ban_ip(session, from) | 21 local function ban_ip(session, from) |
| 11 local ip = session.ip; | 22 local ip = session.ip; |
| 12 if not ip then | 23 if not ip then |
| 13 module:log("warn", "Failed to ban IP (IP unknown) for %s", session.full_jid); | 24 module:log("warn", "Failed to ban IP (IP unknown) for %s", session.full_jid); |
| 14 return; | 25 return; |
| 26 end | |
| 27 local from_host = jid_host(from); | |
| 28 if trusted_services:contains(from_host) or (trust_local_restricted_services and is_local_restricted_service(from_host)) then | |
| 29 from = from_host; -- Ban from entire host | |
| 15 end | 30 end |
| 16 local banned_from = ip_bans[ip]; | 31 local banned_from = ip_bans[ip]; |
| 17 if not banned_from then | 32 if not banned_from then |
| 18 banned_from = {}; | 33 banned_from = {}; |
| 19 ip_bans[ip] = banned_from; | 34 ip_bans[ip] = banned_from; |
| 43 end | 58 end |
| 44 | 59 |
| 45 local function check_for_ban(event) | 60 local function check_for_ban(event) |
| 46 local origin, stanza = event.origin, event.stanza; | 61 local origin, stanza = event.origin, event.stanza; |
| 47 local ip = origin.ip; | 62 local ip = origin.ip; |
| 48 local to = jid_bare(stanza.attr.to); | 63 local to, to_host = jid_bare(stanza.attr.to), jid_host(stanza.attr.to); |
| 49 if ip_bans[ip] and ip_bans[ip][to] then | 64 if ip_bans[ip] and (ip_bans[ip][to] or ip_bans[ip][to_host]) then |
| 50 (origin.log or module._log)("debug", "IP banned: %s is banned from %s", ip, to) | 65 (origin.log or module._log)("debug", "IP banned: %s is banned from %s", ip, to) |
| 51 if stanza.attr.type ~= "error" then | 66 if stanza.attr.type ~= "error" then |
| 52 origin.send(st.error_reply(stanza, "auth", "forbidden") | 67 origin.send(st.error_reply(stanza, "auth", "forbidden") |
| 53 :tag("x", { xmlns = xmlns_muc_user }) | 68 :tag("x", { xmlns = xmlns_muc_user }) |
| 54 :tag("status", { code = '301' })); | 69 :tag("status", { code = '301' })); |