diff --git a/ansible/files/prosody.cfg.lua b/ansible/files/prosody.cfg.lua
index 962a3e1..a63ec33 100644
--- a/ansible/files/prosody.cfg.lua
+++ b/ansible/files/prosody.cfg.lua
@@ -75,6 +75,7 @@ modules_enabled = {
 "update_notify";
 "turncredentials";
 "admin_shell";
+ "isolate_host";
 "snikket_client_id";
 "snikket_ios_preserve_push";
@@ -203,6 +204,9 @@ if ENV_SNIKKET_TWEAK_TURNSERVER ~= "0" or ENV_SNIKKET_TWEAK_TURNSERVER_DOMAIN th
 turncredentials_secret = ENV_SNIKKET_TWEAK_TURNSERVER_SECRET or assert(io.open("/snikket/prosody/turn-auth-secret-v2")):read("*l");
 end
 
+-- Allow restricted users access to push notification servers
+isolate_except_domains = { "push.snikket.net", "push-ios.snikket.net" }
+
 
 VirtualHost (DOMAIN)
 authentication = "internal_hashed"
diff --git a/ansible/tasks/prosody.yml b/ansible/tasks/prosody.yml
index 9921571..ee3c406 100644
--- a/ansible/tasks/prosody.yml
+++ b/ansible/tasks/prosody.yml
@@ -122,6 +122,7 @@
 - mod_prometheus
 - mod_spam_reporting
 - mod_watch_spam_reports
+ - mod_isolate_host
 
 - name: Enable wanted modules (snikket-modules)
 file:
@@ -135,6 +136,7 @@
 - mod_invites_bootstrap
 - mod_snikket_client_id
 - mod_snikket_ios_preserve_push
+ - mod_snikket_restricted_users
 
 - name: "Install lua-ossl for encrypted push notifications"
 apt:
diff --git a/snikket-modules/mod_snikket_restricted_users/mod_snikket_restricted_users.lua b/snikket-modules/mod_snikket_restricted_users/mod_snikket_restricted_users.lua
new file mode 100644
index 0000000..58a42f2
--- /dev/null
+++ b/snikket-modules/mod_snikket_restricted_users/mod_snikket_restricted_users.lua
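Review bot: `"isolate_host"` is added to the global `modules_enabled` list, but the module that lifts the isolation per session (`snikket_restricted_users`, which this commit adds to the Ansible module set) is not enabled in this hunk; if it is not listed in `modules_enabled` elsewhere in this file, presumably every session on the host — not only restricted users — stays isolated once mod_isolate_host loads, so this is worth confirming before deploy. A comment next to the new entry, `-- Isolation is lifted per session by mod_snikket_restricted_users`, would make the pairing visible to the next person editing this list. The `modules_enabled` table opens before this hunk and closes after it.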
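Review bot: `isolate_except_domains` is set in the global section, above `VirtualHost (DOMAIN)`, so it applies to every host this configuration defines, and the comment above it names restricted users while the option exempts the two push domains for any isolated session; suggest `-- Let isolated sessions (restricted users) still reach the Snikket push notification services` so the scope reads accurately. The two push domains are hard-coded here while the turnserver settings just above are driven by `ENV_SNIKKET_TWEAK_*` variables, so a deployment with a different push service would have no override point. The `if ENV_SNIKKET_TWEAK_TURNSERVER …` block closed by the `end` in this hunk opens before it.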
@@ -0,0 +1,16 @@
+local jid_bare = require "util.jid".bare;
+local um_get_roles = require "core.usermanager".get_roles;
+
+local function check_user_isolated(event)
+ local session = event.session;
+ if not session.no_host_isolation then
+ local bare_jid = jid_bare(session.full_jid);
+ local roles = um_get_roles(bare_jid, module.host);
+ if roles and not roles["prosody:restricted"] then
+ -- Bypass isolation for all unrestricted users
+ session.no_host_isolation = true;
+ end
+ end
+end
+
+module:hook("resource-bind", check_user_isolated, -0.5);
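Review bot: The decision at `if roles and not roles["prosody:restricted"] then` is asymmetric and undocumented: a `nil` result from `um_get_roles` leaves the session isolated, while a role table that merely lacks the `prosody:restricted` key lifts isolation, so which side a user with no stored role data lands on depends on what `core.usermanager.get_roles` returns in that case — worth pinning down and stating, e.g. `-- nil roles (no role data) keeps the session isolated; only an explicit role set without prosody:restricted bypasses it`. The flag is computed once at `resource-bind` and guarded by `if not session.no_host_isolation`, so restricting a user afterwards does not isolate their already-bound sessions until they reconnect; a comment on the hook line saying so would stop a later reader from assuming the check is per-stanza. The module also sets `session.no_host_isolation` without declaring that it only has an effect alongside mod_isolate_host; `module:depends("isolate_host")` near the top would make that relationship and the load order explicit.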