| author | Matthew Wild <mwild1@gmail.com> |
| Tue, 18 Jan 2022 17:01:18 +0000 | |
| changeset 4880 | 0f5f2d4475b9 |
| parent 4809 | 683d1ad16b56 |
| child 5020 | 964de9997552 |
| permissions | -rw-r--r-- |
|
1739
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
-- mod_admin_blocklist |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
2 |
-- |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
3 |
-- If a local admin has blocked a domain, don't allow s2s to that domain |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
4 |
-- |
|
4809
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
5 |
-- Copyright (C) 2015-2021 Kim Alvefur |
|
1739
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
6 |
-- |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
-- This file is MIT/X11 licensed. |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
-- |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
|
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
module:depends("blocklist"); |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
11 |
|
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
local st = require"util.stanza"; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
local jid_split = require"util.jid".split; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
|
|
4809
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
15 |
local usermanager = require "core.usermanager"; |
|
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
16 |
|
|
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
17 |
local admins; |
|
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
18 |
if usermanager.get_jids_with_role then |
|
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
19 |
local set = require "util.set"; |
|
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
20 |
admins = set.new(usermanager.get_jids_with_role("prosody:admin"), module.host); |
|
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
21 |
else -- COMPAT w/pre-0.12 |
|
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
22 |
admins = module:get_option_inherited_set("admins", {}); |
|
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
23 |
end |
|
683d1ad16b56
mod_admin_blocklist: Update admin check for new 0.12 role API
Kim Alvefur <zash@zash.se>
parents:
2317
diff
changeset
|
24 |
admins = admins / |
|
1739
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 |
function (admin) -- Filter out non-local admins |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
local user, host = jid_split(admin); |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
if host == module.host then return user; end |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 |
end |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 |
|
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 |
local blocklists = module:open_store("blocklist"); |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
31 |
|
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
32 |
local function is_blocked(host) |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 |
for admin in admins do |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
34 |
local blocklist = blocklists:get(admin); |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
35 |
if blocklist and blocklist[host] then |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
return true; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
37 |
end |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
end |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
39 |
end |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 |
|
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
module:hook("route/remote", function (event) |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
42 |
local origin, stanza = event.origin, event.stanza; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
if is_blocked(event.to_host) then |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
if origin and stanza then |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 |
origin.send(st.error_reply(stanza, "cancel", "not-allowed", "Communication with this domain is not allowed")); |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
return true; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
end |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
48 |
return false; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
49 |
end |
|
2317
5d05139d0555
mod_admin_blocklist: Do block check only when a stanza is about to trigger a new outgoing s2s connection
Kim Alvefur <zash@zash.se>
parents:
1739
diff
changeset
|
50 |
end, -9); |
|
1739
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
51 |
|
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
52 |
|
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
53 |
module:hook("s2s-stream-features", function (event) |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
54 |
local session = event.origin; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
55 |
if is_blocked(session.from_host) then |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
56 |
session:close("policy-violation"); |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 |
return false; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 |
end |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 |
end, 1000); |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 |
|
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 |
module:hook("stanza/http://etherx.jabber.org/streams:features", function (event) |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
62 |
local session = event.origin; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
63 |
if is_blocked(session.to_host) then |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
64 |
session:close("policy-violation"); |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
65 |
return true; |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
66 |
end |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
67 |
end, 1000); |
|
c2d43b568178
mod_admin_blocklist: Prevents s2s connections to/from domains blocked by a local admin using mod_blocklist (0.10+)
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
68 |