changeset 6325:ba2c344e1bdd

mod_restrict_federation: Yet another module for restricting s2s for (some) users
author Matthew Wild <mwild1@gmail.com>
date Thu, 25 Sep 2025 13:09:57 +0100
parents a41d5d511948
children 2623515d8507
files mod_restrict_federation/README.md mod_restrict_federation/mod_restrict_federation.lua
diffstat 2 files changed, 128 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_restrict_federation/README.md	Thu Sep 25 13:09:57 2025 +0100
@@ -0,0 +1,61 @@
+---
+labels:
+- 'Stage-Beta'
+summary: Restrict federation for some user roles
+...
+
+Introduction
+============
+
+This module allows you to control which user roles have permission to
+communicate with remote servers.
+
+Details
+=======
+
+There are quite a few modules that have similar functionality. The properties
+of this one are:
+
+- Uses the new [permissions and roles](https://prosody.im/doc/roles) feature introduced in Prosody 13.0
+- Blocks both incoming and outgoing traffic
+- Permits server-originated traffic (such as push notifications)
+- Permits traffic between hosts on the same server
+
+Configuration
+=============
+
+Simply load the module as usual:
+
+``` {.lua}
+modules_enabled = {
+  ...
+    "restrict_federation";
+  ...
+}
+```
+
+Any user without the `xmpp:federate` permission will be unable to communicate
+with remote domains. By default this module does not grant this permission to
+any role, meaning all users will be restricted.
+
+To grant permission to certain roles, you can use the `add_permission`
+configuration option (assuming you are using Prosody's [default authorization
+module](https://prosody.im/doc/modules/mod_authz_internal)):
+
+``` {.lua}
+-- Allow registered users to federate (i.e. this excludes prosody:guest)
+-- As prosody:admin inherits all permissions from this role too, admins will
+-- also be able to communicate with other servers.
+add_permissions = {
+	["prosody:registered"] = {
+		"xmpp:federate";
+	};
+}
+```
+
+Compatibility
+=============
+
+  ----- -------
+  13.0  Works
+  ----- -------
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_restrict_federation/mod_restrict_federation.lua	Thu Sep 25 13:09:57 2025 +0100
@@ -0,0 +1,67 @@
+local jid_node = require "prosody.util.jid".node;
+local st = require "prosody.util.stanza";
+
+local get_user_role = require "prosody.core.usermanager".get_user_role;
+
+function check_outgoing_stanza(event)
+	local origin, stanza = event.origin, event.stanza;
+
+	if not origin or origin.type ~= "c2s" then
+		-- We only filter user-originated traffic, so
+		-- pass this through.
+		return;
+	end
+
+	if module:may("xmpp:federate", event) then
+		-- Pass through
+		return;
+	end
+
+	-- Block
+	module:log("debug", "Forbidding outgoing %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to);
+	local err_reply = st.error_reply(event.stanza, "auth", "policy-violation", "Communication with remote domains is not permitted");
+	origin.send(err_reply);
+	return true;
+end
+
+function check_incoming_stanza(event)
+	local origin, stanza = event.origin, event.stanza;
+
+	if origin.type ~= "s2sin" then
+		-- We only filter incoming traffic from remote domains
+		-- Pass through
+		return;
+	end
+
+	local recipient_username = jid_node(stanza.attr.to);
+	if not recipient_username then
+		return;
+	end
+
+	local recipient_role, role_err = get_user_role(recipient_username, module.host);
+	if not recipient_role then
+		module:log("warn", "Unable to determine recipient role: %s", role_err);
+		-- No idea what the role is, we'll pass it through
+		return;
+	end
+
+	if recipient_role:may("xmpp:federate") then
+		-- Allowed, pass through
+		return;
+	end
+
+	-- Block
+	module:log("debug", "Forbidding incoming %s stanza from <%s> to <%s>", stanza.name, stanza.attr.from, stanza.attr.to);
+	local err_reply = st.error_reply(event.stanza, "cancel", "service-unavailable");
+	origin.send(err_reply);
+	return true;
+end
+
+module:hook("message/bare", check_incoming_stanza, 500);
+module:hook("message/full", check_incoming_stanza, 500);
+module:hook("presence/bare", check_incoming_stanza, 500);
+module:hook("presence/full", check_incoming_stanza, 500);
+module:hook("iq/bare", check_incoming_stanza, 500);
+module:hook("iq/full", check_incoming_stanza, 500);
+
+module:hook("route/remote", check_outgoing_stanza, 500);