prosody-modules
0f5657db1cfc
mod_isolate_host/mod_isolate_host.lua
Software / code / prosody-modules
Comparison
mod_isolate_host/mod_isolate_host.lua @ 5296:0f5657db1cfc
mod_isolate_host: handle server-generated stanzas
The hook for setting the no_host_isolation is only called for c2s
sessions. This does not work for stanzas generated by the server,
such as PEP notifications or presence probe answers.
To handle that, we do per-stanza checks for the case that the origin
is local.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Sat, 01 Apr 2023 12:03:08 +0200 |
| parent | 5096:16db0a6e868c |
| child | 5297:4bba2d27ffaf |
comparison
equal
deleted
inserted
replaced
| 5295:98d5acb93439 | 5296:0f5657db1cfc |
|---|---|
| 20 if to_host and to_host ~= origin.host and not except_domains:contains(to_host) then | 20 if to_host and to_host ~= origin.host and not except_domains:contains(to_host) then |
| 21 if to_host:match("^[^.]+%.(.+)$") == origin.host then -- Permit subdomains | 21 if to_host:match("^[^.]+%.(.+)$") == origin.host then -- Permit subdomains |
| 22 except_domains:add(to_host); | 22 except_domains:add(to_host); |
| 23 return; | 23 return; |
| 24 end | 24 end |
| 25 if origin.type == "local" then | |
| 26 -- this is code-generated, which means that set_session_isolation_flag has never triggered. | |
| 27 -- we need to check explicitly. | |
| 28 if not is_jid_isolated(jid_bare(event.stanza.attr.from)) then | |
| 29 module:log("debug", "server-generated stanza from %s is allowed, as the jid is not isolated", event.stanza.attr.from); | |
| 30 return; | |
| 31 end | |
| 32 end | |
| 25 module:log("warn", "Forbidding stanza from %s to %s", stanza.attr.from or origin.full_jid, stanza.attr.to); | 33 module:log("warn", "Forbidding stanza from %s to %s", stanza.attr.from or origin.full_jid, stanza.attr.to); |
| 26 origin.send(st.error_reply(stanza, "auth", "forbidden", "Communication with "..to_host.." is not available")); | 34 origin.send(st.error_reply(stanza, "auth", "forbidden", "Communication with "..to_host.." is not available")); |
| 27 return true; | 35 return true; |
| 28 end | 36 end |
| 29 end | 37 end |
| 34 end | 42 end |
| 35 end | 43 end |
| 36 | 44 |
| 37 module:default_permission("prosody:admin", "xmpp:federate"); | 45 module:default_permission("prosody:admin", "xmpp:federate"); |
| 38 | 46 |
| 39 function check_user_isolated(event) | 47 function is_jid_isolated(bare_jid) |
| 48 if module:may("xmpp:federate", bare_jid) or except_users:contains(bare_jid) then | |
| 49 return false; | |
| 50 else | |
| 51 return true; | |
| 52 end | |
| 53 end | |
| 54 | |
| 55 function set_session_isolation_flag(event) | |
| 40 local session = event.session; | 56 local session = event.session; |
| 41 local bare_jid = jid_bare(session.full_jid); | 57 local bare_jid = jid_bare(session.full_jid); |
| 42 if module:may("xmpp:federate", event) or except_users:contains(bare_jid) then | 58 if not is_jid_isolated(bare_jid) then |
| 43 session.no_host_isolation = true; | 59 session.no_host_isolation = true; |
| 44 end | 60 end |
| 45 module:log("debug", "%s is %sisolated", session.full_jid or "[?]", session.no_host_isolation and "" or "not "); | 61 module:log("debug", "%s is %sisolated", session.full_jid or "[?]", session.no_host_isolation and "" or "not "); |
| 46 end | 62 end |
| 47 | 63 |
| 48 module:hook("resource-bind", check_user_isolated); | 64 module:hook("resource-bind", set_session_isolation_flag); |
