Mercurial > prosody-modules
changeset 6325:ba2c344e1bdd
mod_restrict_federation: Yet another module for restricting s2s for (some) users
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 25 Sep 2025 13:09:57 +0100 |
| parents | a41d5d511948 |
| children | 2623515d8507 |
| files | mod_restrict_federation/README.md mod_restrict_federation/mod_restrict_federation.lua |
| diffstat | 2 files changed, 128 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_restrict_federation/README.md Thu Sep 25 13:09:57 2025 +0100 @@ -0,0 +1,61 @@ +--- +labels: +- 'Stage-Beta' +summary: Restrict federation for some user roles +... + +Introduction +============ + +This module allows you to control which user roles have permission to +communicate with remote servers. + +Details +======= + +There are quite a few modules that have similar functionality. The properties +of this one are: + +- Uses the new [permissions and roles](https://prosody.im/doc/roles) feature introduced in Prosody 13.0 +- Blocks both incoming and outgoing traffic +- Permits server-originated traffic (such as push notifications) +- Permits traffic between hosts on the same server + +Configuration +============= + +Simply load the module as usual: + +``` {.lua} +modules_enabled = { + ... + "restrict_federation"; + ... +} +``` + +Any user without the `xmpp:federate` permission will be unable to communicate +with remote domains. By default this module does not grant this permission to +any role, meaning all users will be restricted. + +To grant permission to certain roles, you can use the `add_permission` +configuration option (assuming you are using Prosody's [default authorization +module](https://prosody.im/doc/modules/mod_authz_internal)): + +``` {.lua} +-- Allow registered users to federate (i.e. this excludes prosody:guest) +-- As prosody:admin inherits all permissions from this role too, admins will +-- also be able to communicate with other servers. +add_permissions = { + ["prosody:registered"] = { + "xmpp:federate"; + }; +} +``` + +Compatibility +============= + + ----- ------- + 13.0 Works + ----- -------
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/mod_restrict_federation/mod_restrict_federation.lua Thu Sep 25 13:09:57 2025 +0100 @@ -0,0 +1,67 @@ +local jid_node = require "prosody.util.jid".node; +local st = require "prosody.util.stanza"; + +local get_user_role = require "prosody.core.usermanager".get_user_role; + +function check_outgoing_stanza(event) + local origin, stanza = event.origin, event.stanza; + + if not origin or origin.type ~= "c2s" then + -- We only filter user-originated traffic, so + -- pass this through. + return; + end + + if module:may("xmpp:federate", event) then + -- Pass through + return; + end + + -- Block + module:log("debug", "Forbidding outgoing %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to); + local err_reply = st.error_reply(event.stanza, "auth", "policy-violation", "Communication with remote domains is not permitted"); + origin.send(err_reply); + return true; +end + +function check_incoming_stanza(event) + local origin, stanza = event.origin, event.stanza; + + if origin.type ~= "s2sin" then + -- We only filter incoming traffic from remote domains + -- Pass through + return; + end + + local recipient_username = jid_node(stanza.attr.to); + if not recipient_username then + return; + end + + local recipient_role, role_err = get_user_role(recipient_username, module.host); + if not recipient_role then + module:log("warn", "Unable to determine recipient role: %s", role_err); + -- No idea what the role is, we'll pass it through + return; + end + + if recipient_role:may("xmpp:federate") then + -- Allowed, pass through + return; + end + + -- Block + module:log("debug", "Forbidding incoming %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to); + local err_reply = st.error_reply(event.stanza, "cancel", "service-unavailable"); + origin.send(err_reply); + return true; +end + +module:hook("message/bare", check_incoming_stanza, 500); +module:hook("message/full", check_incoming_stanza, 500); +module:hook("presence/bare", check_incoming_stanza, 500); +module:hook("presence/full", check_incoming_stanza, 500); +module:hook("iq/bare", check_incoming_stanza, 500); +module:hook("iq/full", check_incoming_stanza, 500); + +module:hook("route/remote", check_outgoing_stanza, 500);
