Comparison

mod_http_oauth2/mod_http_oauth2.lua @ 5449:9c19a6b8e542

mod_http_oauth2: Describe type signatures of scope handling functions
author Kim Alvefur <zash@zash.se>
date Thu, 11 May 2023 21:41:37 +0200
parent 5448:9d542e86e19a
child 5450:d2594bbf7c36
comparison
equal deleted inserted replaced
5448:9d542e86e19a 5449:9c19a6b8e542
89 -- Tie it to the host if global 89 -- Tie it to the host if global
90 verification_key = hashes.hmac_sha256(registration_key, module.host); 90 verification_key = hashes.hmac_sha256(registration_key, module.host);
91 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); 91 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options);
92 end 92 end
93 93
94 -- scope : string | array | set
95 --
96 -- at each step, allow the same or a subset of scopes
97 -- (all ( client ( grant ( token ) ) ))
98 -- preserve order since it determines role if more than one granted
99
100 -- string -> array
94 local function parse_scopes(scope_string) 101 local function parse_scopes(scope_string)
95 return array(scope_string:gmatch("%S+")); 102 return array(scope_string:gmatch("%S+"));
96 end 103 end
97 104
98 local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" }); 105 local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" });
99 106
107 -- array -> array, array, array
100 local function split_scopes(scope_list) 108 local function split_scopes(scope_list)
101 local claims, roles, unknown = array(), array(), array(); 109 local claims, roles, unknown = array(), array(), array();
102 local all_roles = usermanager.get_all_roles(module.host); 110 local all_roles = usermanager.get_all_roles(module.host);
103 for _, scope in ipairs(scope_list) do 111 for _, scope in ipairs(scope_list) do
104 if openid_claims:contains(scope) then 112 if openid_claims:contains(scope) then
114 122
115 local function can_assume_role(username, requested_role) 123 local function can_assume_role(username, requested_role)
116 return usermanager.user_can_assume_role(username, module.host, requested_role); 124 return usermanager.user_can_assume_role(username, module.host, requested_role);
117 end 125 end
118 126
127 -- function (string) : function(string) : boolean
119 local function role_assumable_by(username) 128 local function role_assumable_by(username)
120 return function(role) 129 return function(role)
121 return can_assume_role(username, role); 130 return can_assume_role(username, role);
122 end 131 end
123 end 132 end
124 133
134 -- string, array --> array
125 local function user_assumable_roles(username, requested_roles) 135 local function user_assumable_roles(username, requested_roles)
126 return array.filter(requested_roles, role_assumable_by(username)); 136 return array.filter(requested_roles, role_assumable_by(username));
127 end 137 end
128 138
139 -- string, string|nil --> string, string
129 local function filter_scopes(username, requested_scope_string) 140 local function filter_scopes(username, requested_scope_string)
130 local requested_scopes, requested_roles = split_scopes(parse_scopes(requested_scope_string or "")); 141 local requested_scopes, requested_roles = split_scopes(parse_scopes(requested_scope_string or ""));
131 142
132 local granted_roles = user_assumable_roles(username, requested_roles); 143 local granted_roles = user_assumable_roles(username, requested_roles);
133 local granted_scopes = requested_scopes + granted_roles; 144 local granted_scopes = requested_scopes + granted_roles;