# HG changeset patch # User Matthew Wild # Date 1758802197 -3600 # Node ID ba2c344e1bdd1a831a0fda4d9fc5ea8c0311026c # Parent a41d5d511948e90fa99bb8d021d650a5524ef10c mod_restrict_federation: Yet another module for restricting s2s for (some) users diff -r a41d5d511948 -r ba2c344e1bdd mod_restrict_federation/README.md --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_restrict_federation/README.md Thu Sep 25 13:09:57 2025 +0100 @@ -0,0 +1,61 @@ +--- +labels: +- 'Stage-Beta' +summary: Restrict federation for some user roles +... + +Introduction +============ + +This module allows you to control which user roles have permission to +communicate with remote servers. + +Details +======= + +There are quite a few modules that have similar functionality. The properties +of this one are: + +- Uses the new [permissions and roles](https://prosody.im/doc/roles) feature introduced in Prosody 13.0 +- Blocks both incoming and outgoing traffic +- Permits server-originated traffic (such as push notifications) +- Permits traffic between hosts on the same server + +Configuration +============= + +Simply load the module as usual: + +``` {.lua} +modules_enabled = { + ... + "restrict_federation"; + ... +} +``` + +Any user without the `xmpp:federate` permission will be unable to communicate +with remote domains. By default this module does not grant this permission to +any role, meaning all users will be restricted. + +To grant permission to certain roles, you can use the `add_permission` +configuration option (assuming you are using Prosody's [default authorization +module](https://prosody.im/doc/modules/mod_authz_internal)): + +``` {.lua} +-- Allow registered users to federate (i.e. this excludes prosody:guest) +-- As prosody:admin inherits all permissions from this role too, admins will +-- also be able to communicate with other servers. +add_permissions = { + ["prosody:registered"] = { + "xmpp:federate"; + }; +} +``` + +Compatibility +============= + + ----- ------- + 13.0 Works + ----- ------- diff -r a41d5d511948 -r ba2c344e1bdd mod_restrict_federation/mod_restrict_federation.lua --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_restrict_federation/mod_restrict_federation.lua Thu Sep 25 13:09:57 2025 +0100 @@ -0,0 +1,67 @@ +local jid_node = require "prosody.util.jid".node; +local st = require "prosody.util.stanza"; + +local get_user_role = require "prosody.core.usermanager".get_user_role; + +function check_outgoing_stanza(event) + local origin, stanza = event.origin, event.stanza; + + if not origin or origin.type ~= "c2s" then + -- We only filter user-originated traffic, so + -- pass this through. + return; + end + + if module:may("xmpp:federate", event) then + -- Pass through + return; + end + + -- Block + module:log("debug", "Forbidding outgoing %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to); + local err_reply = st.error_reply(event.stanza, "auth", "policy-violation", "Communication with remote domains is not permitted"); + origin.send(err_reply); + return true; +end + +function check_incoming_stanza(event) + local origin, stanza = event.origin, event.stanza; + + if origin.type ~= "s2sin" then + -- We only filter incoming traffic from remote domains + -- Pass through + return; + end + + local recipient_username = jid_node(stanza.attr.to); + if not recipient_username then + return; + end + + local recipient_role, role_err = get_user_role(recipient_username, module.host); + if not recipient_role then + module:log("warn", "Unable to determine recipient role: %s", role_err); + -- No idea what the role is, we'll pass it through + return; + end + + if recipient_role:may("xmpp:federate") then + -- Allowed, pass through + return; + end + + -- Block + module:log("debug", "Forbidding incoming %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to); + local err_reply = st.error_reply(event.stanza, "cancel", "service-unavailable"); + origin.send(err_reply); + return true; +end + +module:hook("message/bare", check_incoming_stanza, 500); +module:hook("message/full", check_incoming_stanza, 500); +module:hook("presence/bare", check_incoming_stanza, 500); +module:hook("presence/full", check_incoming_stanza, 500); +module:hook("iq/bare", check_incoming_stanza, 500); +module:hook("iq/full", check_incoming_stanza, 500); + +module:hook("route/remote", check_outgoing_stanza, 500);