Mercurial > prosody-modules

view mod_admin_blocklist/mod_admin_blocklist.lua @ 5715:8488ebde5739

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_http_oauth2: Skip consent screen if requested by client and same scopes already granted This follows the intent behind the OpenID Connect 'prompt' parameter when it does not include the 'consent' keyword, that is the client wishes to skip the consent screen. If the user has already granted the exact same scopes to the exact same client in the past, then one can assume that they may grant it again.
author Kim Alvefur <zash@zash.se>
date Tue, 14 Nov 2023 23:03:37 +0100
parents 96e83b4a93f7
children
line wrap: on
line source

-- mod_admin_blocklist
--
-- If a local admin has blocked a domain, don't allow s2s to that domain
--
-- Copyright (C) 2015-2022 Kim Alvefur
--
-- This file is MIT/X11 licensed.
--

module:depends("blocklist");

local st = require"util.stanza";
local jid_split = require"util.jid".split;

local usermanager = require "core.usermanager";

local admins;
if usermanager.get_jids_with_role then
	local set = require "util.set";
	local include_roles = module:get_option_set("admin_blocklist_roles", { "prosody:operator"; "prosody:admin" });

	admins = set.new();
	for role in include_roles do
		admins:include(set.new(usermanager.get_jids_with_role(role, module.host)));
	end
else -- COMPAT w/pre-0.12
	admins = module:get_option_inherited_set("admins", {});
end
admins = admins /
	function (admin) -- Filter out non-local admins
		local user, host = jid_split(admin);
		if host == module.host then return user; end
	end

local blocklists = module:open_store("blocklist");

local function is_blocked(host)
	for admin in admins do
		local blocklist = blocklists:get(admin);
		if blocklist and blocklist[host] then
			return true;
		end
	end
end

module:hook("route/remote", function (event)
	local origin, stanza = event.origin, event.stanza;
	if is_blocked(event.to_host) then
		if origin and stanza then
			origin.send(st.error_reply(stanza, "cancel", "not-allowed", "Communication with this domain is not allowed"));
			return true;
		end
		return false;
	end
end, -9);


module:hook("s2s-stream-features", function (event)
	local session = event.origin;
	if is_blocked(session.from_host) then
		session:close("policy-violation");
		return false;
	end
end, 1000);

module:hook("stanza/http://etherx.jabber.org/streams:features", function (event)
	local session = event.origin;
	if is_blocked(session.to_host) then
		session:close("policy-violation");
		return true;
	end
end, 1000);