
mod_authz_delegate/mod_authz_delegate.lua @ 5673:0eb2d5ea2428

merge
author Stephen Paul Weber <singpolyma@singpolyma.net>
date Sat, 06 May 2023 19:40:23 -0500
parent 5295:98d5acb93439
5672:2c69577b28c2 5673:0eb2d5ea2428
1 local target_host = assert(module:get_option("authz_delegate_to"));
2 local this_host = module:get_host();
3
4 local array = require"util.array";
5 local jid_split = import("prosody.util.jid", "split");
6
7 local hosts = prosody.hosts;
8
9 function get_jids_with_role(role) --luacheck: ignore 212/role
10 return nil
11 end
12
13 function get_user_role(user)
14 -- this is called where the JID belongs to the host this module is loaded on
15 -- that means we have to delegate that to get_jid_role with an appropriately composed JID
16 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host)
17 end
18
19 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name
20 -- no roles for entities on this host.
21 return false, "cannot set user role on delegation target"
22 end
23
24 function get_user_secondary_roles(user) --luacheck: ignore 212/user
25 -- no roles for entities on this host.
26 return {}
27 end
28
29 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
30 -- no roles for entities on this host.
31 return nil, "cannot set user role on delegation target"
32 end
33
34 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
35 -- no roles for entities on this host.
36 return nil, "cannot set user role on delegation target"
37 end
38
39 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name
40 -- no roles for entities on this host.
41 return false
42 end
43
44 function get_jid_role(jid)
45 local user, host = jid_split(jid);
46 if host == target_host then
47 return hosts[target_host].authz.get_user_role(user);
48 end
49 return hosts[target_host].authz.get_jid_role(jid);
50 end
51
52 function set_jid_role(jid) --luacheck: ignore 212/jid
53 -- TODO: figure out if there are actually legitimate uses for this...
54 return nil, "cannot set jid role on delegation target"
55 end
56
57 local default_permission_queue = array{};
58
59 function add_default_permission(role_name, action, policy)
60 -- NOTE: we always record default permissions, because the delegated-to
61 -- host may be re-activated.
62 default_permission_queue:push({
63 role_name = role_name,
64 action = action,
65 policy = policy,
66 });
67 local target_host_object = hosts[target_host];
68 local authz = target_host_object and target_host_object.authz;
69 if not authz then
70 module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host);
71 return;
72 end
73 return authz.add_default_permission(role_name, action, policy)
74 end
75
76 function get_role_by_name(role_name)
77 return hosts[target_host].authz.get_role_by_name(role_name)
78 end
79
80 function get_all_roles()
81 return hosts[target_host].authz.get_all_roles()
82 end
83
84 module:hook_global("host-activated", function(host)
85 if host == target_host then
86 local authz = hosts[target_host].authz;
87 module:log("debug", "replaying %d queued permission changes", #default_permission_queue);
88 assert(authz);
89 -- replay default permission changes, if any
90 for i, item in ipairs(default_permission_queue) do
91 authz.add_default_permission(item.role_name, item.action, item.policy);
92 end
93 -- NOTE: we do not clear that array here -- in case the target_host is
94 -- re-activated
95 end
96 end, -10000)
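Review bot: `get_user_role`, `get_jid_role`, `get_role_by_name` and `get_all_roles` index `hosts[target_host].authz` with no guard, although `add_default_permission` and the host-activated hook in this same file show the module already expects the delegation target to be inactive at times. A role lookup made before the target activates therefore fails with an index-a-nil-value error instead of a defined result, and if a caller catches that error the outcome is whatever the caller does with a failure rather than an explicit "no role". I would factor the lookup into a small `target_authz()` helper that yields nil while the target is inactive and have each lookup return nil in that case, which presumably callers treat as no permission — worth confirming against the authz consumers. In `get_jid_role`, a bare-host JID equal to `target_host` also reaches `get_user_role(nil)`, which the same guard does not cover, so that case may deserve its own early return.
```lua
-- Resolve the delegation target's authz provider, or nil while that host is not (yet) active.
local function target_authz()
	local target_host_object = hosts[target_host];
	return target_host_object and target_host_object.authz;
end

-- … unchanged: get_jids_with_role …

function get_user_role(user)
	-- this is called where the JID belongs to the host this module is loaded on
	-- that means we have to delegate that to get_jid_role with an appropriately composed JID
	local authz = target_authz();
	if not authz then return nil; end
	return authz.get_jid_role(user .. "@" .. this_host)
end

-- … unchanged: set_user_role … user_can_assume_role …

function get_jid_role(jid)
	local authz = target_authz();
	if not authz then return nil; end
	local user, host = jid_split(jid);
	if host == target_host then
		return authz.get_user_role(user);
	end
	return authz.get_jid_role(jid);
end

-- … unchanged: set_jid_role, add_default_permission, get_role_by_name, get_all_roles (same guard applies), host-activated hook …
```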