Mercurial > prosody-modules
comparison mod_restrict_federation/mod_restrict_federation.lua @ 6325:ba2c344e1bdd
mod_restrict_federation: Yet another module for restricting s2s for (some) users
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 25 Sep 2025 13:09:57 +0100 |
| parents | |
| children | 981c14bb8975 |
comparison
equal
deleted
inserted
replaced
| 6324:a41d5d511948 | 6325:ba2c344e1bdd |
|---|---|
| 1 local jid_node = require "prosody.util.jid".node; | |
| 2 local st = require "prosody.util.stanza"; | |
| 3 | |
| 4 local get_user_role = require "prosody.core.usermanager".get_user_role; | |
| 5 | |
| 6 function check_outgoing_stanza(event) | |
| 7 local origin, stanza = event.origin, event.stanza; | |
| 8 | |
| 9 if not origin or origin.type ~= "c2s" then | |
| 10 -- We only filter user-originated traffic, so | |
| 11 -- pass this through. | |
| 12 return; | |
| 13 end | |
| 14 | |
| 15 if module:may("xmpp:federate", event) then | |
| 16 -- Pass through | |
| 17 return; | |
| 18 end | |
| 19 | |
| 20 -- Block | |
| 21 module:log("debug", "Forbidding outgoing %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to); | |
| 22 local err_reply = st.error_reply(event.stanza, "auth", "policy-violation", "Communication with remote domains is not permitted"); | |
| 23 origin.send(err_reply); | |
| 24 return true; | |
| 25 end | |
| 26 | |
| 27 function check_incoming_stanza(event) | |
| 28 local origin, stanza = event.origin, event.stanza; | |
| 29 | |
| 30 if origin.type ~= "s2sin" then | |
| 31 -- We only filter incoming traffic from remote domains | |
| 32 -- Pass through | |
| 33 return; | |
| 34 end | |
| 35 | |
| 36 local recipient_username = jid_node(stanza.attr.to); | |
| 37 if not recipient_username then | |
| 38 return; | |
| 39 end | |
| 40 | |
| 41 local recipient_role, role_err = get_user_role(recipient_username, module.host); | |
| 42 if not recipient_role then | |
| 43 module:log("warn", "Unable to determine recipient role: %s", role_err); | |
| 44 -- No idea what the role is, we'll pass it through | |
| 45 return; | |
| 46 end | |
| 47 | |
| 48 if recipient_role:may("xmpp:federate") then | |
| 49 -- Allowed, pass through | |
| 50 return; | |
| 51 end | |
| 52 | |
| 53 -- Block | |
| 54 module:log("debug", "Forbidding incoming %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to); | |
| 55 local err_reply = st.error_reply(event.stanza, "cancel", "service-unavailable"); | |
| 56 origin.send(err_reply); | |
| 57 return true; | |
| 58 end | |
| 59 | |
| 60 module:hook("message/bare", check_incoming_stanza, 500); | |
| 61 module:hook("message/full", check_incoming_stanza, 500); | |
| 62 module:hook("presence/bare", check_incoming_stanza, 500); | |
| 63 module:hook("presence/full", check_incoming_stanza, 500); | |
| 64 module:hook("iq/bare", check_incoming_stanza, 500); | |
| 65 module:hook("iq/full", check_incoming_stanza, 500); | |
| 66 | |
| 67 module:hook("route/remote", check_outgoing_stanza, 500); |
