mod_authz_delegate/mod_authz_delegate.lua @ 5288:f61564b522f7

mod_authz_delegate: introduce module to "link" authorization of hosts See the readme :-). Motivation is allowing Snikket admins to change circle avatars via the web portal without bypassing Prosody access checks.
author Jonas Schäfer <jonas@wielicki.name>
date Wed, 29 Mar 2023 17:21:45 +0200
child 5295:98d5acb93439
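-- Host whose authz provider answers every role query made against this host.
-- The option is mandatory: fail loudly at load time with a message naming the
-- option, instead of a bare "assertion failed!" or an error on the first
-- authorization check.
local target_host = assert(module:get_option("authz_delegate_to"),
	"mod_authz_delegate requires the authz_delegate_to option to be set");

local this_host = module:get_host();

-- Refuse self-delegation: if this module is the authz provider of
-- hosts[this_host], get_user_role() and get_jid_role() below would call each
-- other endlessly, since each forwards to hosts[target_host].authz.
assert(target_host ~= this_host,
	"authz_delegate_to must not be the host mod_authz_delegate is loaded on");

local jid_split = import("prosody.util.jid", "split");

-- Live host table; looked up on every call so a target host that is
-- (re)loaded later is still found.
local hosts = prosody.hosts;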
-- Enumerate JIDs holding a role. Nothing is stored on the delegating host, so
-- there is never anything to list; always returns nil.
function get_jids_with_role(role) --luacheck: ignore 212/role
	-- No local role storage to enumerate.
	return nil;
end
-- Role of an account that belongs to the host this module is loaded on.
-- Roles are not kept here: the account is rebuilt into a bare JID on this host
-- and the delegation target's get_jid_role() makes the decision. Returns
-- whatever the target host's authz provider returns.
function get_user_role(user)
	local target_authz = hosts[target_host].authz;
	local bare_jid = user .. "@" .. this_host;
	return target_authz.get_jid_role(bare_jid);
end
-- Assigning a primary role is refused: roles for entities on this host live on
-- the delegation target. Returns false plus an error message.
function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name
	local err = "cannot set user role on delegation target";
	return false, err;
end
-- Secondary roles of a local account. None are held on this host, so the
-- result is always a fresh empty table.
function get_user_secondary_roles(user) --luacheck: ignore 212/user
	local none = {};
	return none;
end
-- Adding a secondary role is refused: no roles are held for entities on this
-- host. Returns nil plus an error message (set_user_role returns false for the
-- same situation; both are falsy).
function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
	local err = "cannot set user role on delegation target";
	return nil, err;
end
-- Removing a secondary role is refused: no roles are held for entities on this
-- host. Returns nil plus an error message.
function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
	local err = "cannot set user role on delegation target";
	return nil, err;
end
-- Whether a local account may assume a role. Nothing on this host grants
-- roles, so the answer is always false (deny).
function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name
	local allowed = false;
	return allowed;
end
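-- Resolve the role of an arbitrary JID by asking the delegation target.
-- An account on the target host is looked up as a user (get_user_role);
-- every other JID - other hosts, and bare domain JIDs - goes through the
-- target's generic get_jid_role. Returns whatever the target host's authz
-- provider returns.
function get_jid_role(jid)
	local user, host = jid_split(jid);
	local target_authz = hosts[target_host].authz;
	-- jid_split yields user == nil for a bare domain JID (and for an
	-- unparseable string); the target's get_user_role expects a username,
	-- so only take the user branch when there actually is an account part.
	if user and host == target_host then
		return target_authz.get_user_role(user);
	end
	return target_authz.get_jid_role(jid);
end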
-- Setting a role for an arbitrary JID is refused on this host. Returns nil
-- plus an error message.
function set_jid_role(jid) --luacheck: ignore 212/jid
	-- TODO: figure out if there are actually legitimate uses for this...
	local err = "cannot set jid role on delegation target";
	return nil, err;
end
-- Forward a default-permission registration to the delegation target's authz
-- provider; returns whatever it returns.
function add_default_permission(role_name, action, policy)
	local target_authz = hosts[target_host].authz;
	return target_authz.add_default_permission(role_name, action, policy);
end
-- Look a role up by name on the delegation target; returns whatever its authz
-- provider returns.
function get_role_by_name(role_name)
	local target_authz = hosts[target_host].authz;
	return target_authz.get_role_by_name(role_name);
end
-- All roles known to the delegation target; returns whatever its authz
-- provider returns.
function get_all_roles()
	local target_authz = hosts[target_host].authz;
	return target_authz.get_all_roles();
end