Annotate

mod_authz_delegate/mod_authz_delegate.lua @ 5447:aa4828f040c5

mod_http_oauth2: Enforce client scope restrictions in authorization When registering a client, a scope field can be included as a promise to only ever use those. Here we enforce that promise, if given, ensuring a client can't request or be granted a scope it didn't provide in its registration. While currently there is no restrictions at registration time, this could be changed in the future in various ways.
author Kim Alvefur <zash@zash.se>
date Thu, 11 May 2023 19:33:44 +0200
parent 5295:98d5acb93439
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5288
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
1 local target_host = assert(module:get_option("authz_delegate_to"));
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
2 local this_host = module:get_host();
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
3
5295
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
4 local array = require"util.array";
5288
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
5 local jid_split = import("prosody.util.jid", "split");
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
6
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
7 local hosts = prosody.hosts;
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
8
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
9 function get_jids_with_role(role) --luacheck: ignore 212/role
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
10 return nil
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
11 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
12
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
13 function get_user_role(user)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
14 -- this is called where the JID belongs to the host this module is loaded on
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
15 -- that means we have to delegate that to get_jid_role with an appropriately composed JID
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
16 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
17 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
18
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
19 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
20 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
21 return false, "cannot set user role on delegation target"
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
22 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
23
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
24 function get_user_secondary_roles(user) --luacheck: ignore 212/user
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
25 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
26 return {}
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
27 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
28
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
29 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
30 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
31 return nil, "cannot set user role on delegation target"
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
32 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
33
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
34 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
35 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
36 return nil, "cannot set user role on delegation target"
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
37 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
38
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
39 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
40 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
41 return false
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
42 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
43
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
44 function get_jid_role(jid)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
45 local user, host = jid_split(jid);
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
46 if host == target_host then
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
47 return hosts[target_host].authz.get_user_role(user);
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
48 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
49 return hosts[target_host].authz.get_jid_role(jid);
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
50 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
51
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
52 function set_jid_role(jid) --luacheck: ignore 212/jid
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
53 -- TODO: figure out if there are actually legitimate uses for this...
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
54 return nil, "cannot set jid role on delegation target"
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
55 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
56
5295
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
57 local default_permission_queue = array{};
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
58
5288
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
59 function add_default_permission(role_name, action, policy)
5295
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
60 -- NOTE: we always record default permissions, because the delegated-to
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
61 -- host may be re-activated.
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
62 default_permission_queue:push({
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
63 role_name = role_name,
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
64 action = action,
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
65 policy = policy,
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
66 });
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
67 local target_host_object = hosts[target_host];
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
68 local authz = target_host_object and target_host_object.authz;
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
69 if not authz then
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
70 module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host);
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
71 return;
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
72 end
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
73 return authz.add_default_permission(role_name, action, policy)
5288
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
74 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
75
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
76 function get_role_by_name(role_name)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
77 return hosts[target_host].authz.get_role_by_name(role_name)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
78 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
79
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
80 function get_all_roles()
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
81 return hosts[target_host].authz.get_all_roles()
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
82 end
5295
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
83
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
84 module:hook_global("host-activated", function(host)
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
85 if host == target_host then
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
86 local authz = hosts[target_host].authz;
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
87 module:log("debug", "replaying %d queued permission changes", #default_permission_queue);
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
88 assert(authz);
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
89 -- replay default permission changes, if any
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
90 for i, item in ipairs(default_permission_queue) do
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
91 authz.add_default_permission(item.role_name, item.action, item.policy);
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
92 end
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
93 -- NOTE: we do not clear that array here -- in case the target_host is
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
94 -- re-activated
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
95 end
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
96 end, -10000)