Software /
code /
prosody-modules
Annotate
mod_authz_delegate/mod_authz_delegate.lua @ 5738:8488ebde5739
mod_http_oauth2: Skip consent screen if requested by client and same scopes already granted
This follows the intent behind the OpenID Connect 'prompt' parameter
when it does not include the 'consent' keyword, that is the client
wishes to skip the consent screen. If the user has already granted the
exact same scopes to the exact same client in the past, then one can
assume that they may grant it again.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 14 Nov 2023 23:03:37 +0100 |
parent | 5295:98d5acb93439 |
rev | line source |
---|---|
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
1 local target_host = assert(module:get_option("authz_delegate_to")); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
2 local this_host = module:get_host(); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
3 |
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
4 local array = require"util.array"; |
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
5 local jid_split = import("prosody.util.jid", "split"); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
6 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
7 local hosts = prosody.hosts; |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
8 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
9 function get_jids_with_role(role) --luacheck: ignore 212/role |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
10 return nil |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
11 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
12 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
13 function get_user_role(user) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
14 -- this is called where the JID belongs to the host this module is loaded on |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
15 -- that means we have to delegate that to get_jid_role with an appropriately composed JID |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
16 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
17 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
18 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
19 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
20 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
21 return false, "cannot set user role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
22 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
23 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
24 function get_user_secondary_roles(user) --luacheck: ignore 212/user |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
25 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
26 return {} |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
27 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
28 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
29 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
30 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
31 return nil, "cannot set user role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
32 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
33 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
34 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
35 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
36 return nil, "cannot set user role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
37 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
38 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
39 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
40 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
41 return false |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
42 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
43 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
44 function get_jid_role(jid) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
45 local user, host = jid_split(jid); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
46 if host == target_host then |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
47 return hosts[target_host].authz.get_user_role(user); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
48 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
49 return hosts[target_host].authz.get_jid_role(jid); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
50 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
51 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
52 function set_jid_role(jid) --luacheck: ignore 212/jid |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
53 -- TODO: figure out if there are actually legitimate uses for this... |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
54 return nil, "cannot set jid role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
55 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
56 |
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
57 local default_permission_queue = array{}; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
58 |
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
59 function add_default_permission(role_name, action, policy) |
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
60 -- NOTE: we always record default permissions, because the delegated-to |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
61 -- host may be re-activated. |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
62 default_permission_queue:push({ |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
63 role_name = role_name, |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
64 action = action, |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
65 policy = policy, |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
66 }); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
67 local target_host_object = hosts[target_host]; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
68 local authz = target_host_object and target_host_object.authz; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
69 if not authz then |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
70 module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
71 return; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
72 end |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
73 return authz.add_default_permission(role_name, action, policy) |
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
74 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
75 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
76 function get_role_by_name(role_name) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
77 return hosts[target_host].authz.get_role_by_name(role_name) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
78 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
79 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
80 function get_all_roles() |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
81 return hosts[target_host].authz.get_all_roles() |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
82 end |
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
83 |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
84 module:hook_global("host-activated", function(host) |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
85 if host == target_host then |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
86 local authz = hosts[target_host].authz; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
87 module:log("debug", "replaying %d queued permission changes", #default_permission_queue); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
88 assert(authz); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
89 -- replay default permission changes, if any |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
90 for i, item in ipairs(default_permission_queue) do |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
91 authz.add_default_permission(item.role_name, item.action, item.policy); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
92 end |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
93 -- NOTE: we do not clear that array here -- in case the target_host is |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
94 -- re-activated |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
95 end |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
96 end, -10000) |