
mod_http_admin_api/mod_http_admin_api.lua @ 5008:bd63feda3704

Merge role-auth
author Matthew Wild <mwild1@gmail.com>
date Mon, 22 Aug 2022 15:39:02 +0100
parent 5005:d68348323406
child 5283:cc89c97befe7
--- a/mod_http_admin_api/mod_http_admin_api.lua	Tue Aug 16 13:10:39 2022 +0200
+++ b/mod_http_admin_api/mod_http_admin_api.lua	Mon Aug 22 15:39:02 2022 +0100
@@ -1,5 +1,6 @@
 local usermanager = require "core.usermanager";
 
+local it = require "util.iterators";
 local json = require "util.json";
 local st = require "util.stanza";
 local array = require "util.array";
@@ -33,25 +34,24 @@
 	end
 
 	if auth_type == "Bearer" then
-		local token_info = tokens.get_token_info(auth_data);
-		if not token_info or not token_info.session then
-			return false;
-		end
-		return token_info.session;
+		return tokens.get_token_session(auth_data);
 	end
 	return nil;
 end
 
+module:default_permission("prosody:admin", ":access-admin-api");
+
 function check_auth(routes)
 	local function check_request_auth(event)
 		local session = check_credentials(event.request);
 		if not session then
 			event.response.headers.authorization = www_authenticate_header;
 			return false, 401;
-		elseif session.auth_scope ~= "prosody:scope:admin" then
+		end
+		event.session = session;
+		if not module:may(":access-admin-api", event) then
 			return false, 403;
 		end
-		event.session = session;
 		return true;
 	end
 
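Review bot: The authorization decision now rests entirely on `module:may(":access-admin-api", event)` and the explicit token-scope test (`session.auth_scope ~= "prosody:scope:admin"`) is gone; unless `tokens.get_token_session` already narrows the returned session to the token's scope or role (not visible in this hunk), a bearer token issued with a narrower scope would now be accepted for every admin endpoint. Worth confirming against util.tokens and recording the assumption above the `module:may` call, e.g. `-- Token scope/role limits are expected to be applied by get_token_session; :access-admin-api is granted to prosody:admin by default (see default_permission above)`. Note also that `event.session = session` is assigned before the permission check, so a session that fails the check stays attached to the event for the rest of the request handling. `check_credentials` starts before this hunk and `check_auth` continues past it.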
@@ -179,21 +179,24 @@
 		end
 	end
 
-	local roles = nil;
-	if usermanager.get_roles then
-		local roles_map = usermanager.get_roles(username.."@"..module.host, module.host)
-		roles = array()
-		if roles_map then
-			for role in pairs(roles_map) do
-				roles:push(role)
-			end
+	local primary_role, secondary_roles, legacy_roles;
+	if usermanager.get_user_role then
+		primary_role = usermanager.get_user_role(username, module.host);
+		secondary_roles = array.collect(it.keys(usermanager.get_user_secondary_roles(username, module.host)));
+	elseif usermanager.get_user_roles then -- COMPAT w/0.12
+		legacy_roles = array();
+		local roles_map = usermanager.get_user_roles(username, module.host);
+		for role_name in pairs(roles_map) do
+			legacy_roles:push(role_name);
 		end
 	end
 
 	return {
 		username = username;
 		display_name = display_name;
-		roles = roles;
+		role = primary_role and primary_role.name or nil;
+		secondary_roles = secondary_roles;
+		roles = legacy_roles; -- COMPAT w/0.12
 	};
 end
 
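Review bot: The COMPAT branch drops the nil guard the removed code had: `pairs(roles_map)` raises if `usermanager.get_user_roles` returns nil for a user with no roles, turning the whole user-info request into an error instead of an empty list. Restore it as `if roles_map then for role_name in pairs(roles_map) do legacy_roles:push(role_name); end end`. The same question applies to `it.keys(usermanager.get_user_secondary_roles(username, module.host))` if that call can return nil — worth confirming against the usermanager API. The enclosing function starts before this hunk.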
@@ -309,7 +312,7 @@
 	};
 	-- Online sessions
 	do
-		local user_sessions = hosts[module.host].sessions[username];
+		local user_sessions = prosody.hosts[module.host].sessions[username];
 		if user_sessions then
 			user_sessions = user_sessions.sessions
 		end
@@ -415,8 +418,18 @@
 		end
 	end
 
-	if new_user.roles then
-		if not usermanager.set_roles then
+	if new_user.role then
+		if not usermanager.set_user_role then
+			return 500, "feature-not-implemented";
+		end
+		if not usermanager.set_user_role(username, module.host, new_user.role) then
+			module:log("error", "failed to set role %s for %s", new_user.role, username);
+			return 500;
+		end
+	end
+
+	if new_user.roles then -- COMPAT w/0.12
+		if not usermanager.set_user_roles then
 			return 500, "feature-not-implemented"
 		end
 
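Review bot: `new_user.role` comes straight from the request body and is passed to `usermanager.set_user_role` and into the log line without a type check, so a non-string JSON value (a table or number) reaches the storage backend rather than being rejected as a bad request. Add `if type(new_user.role) ~= "string" then return 400; end` before the `set_user_role` call. The bare `return 500;` after the failed set also gives the client no error reason, unlike the sibling `return 500, "feature-not-implemented";`. The enclosing function starts and ends outside this hunk.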
@@ -425,7 +438,7 @@
 			backend_roles[role] = true;
 		end
 		local jid = username.."@"..module.host;
-		if not usermanager.set_roles(jid, module.host, backend_roles) then
+		if not usermanager.set_user_roles(username, module.host, backend_roles) then
 			module:log("error", "failed to set roles %q for %s", backend_roles, jid)
 			return 500
 		end
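Review bot: `jid` is now used only by the log message, since the set call switched to `username`; logging `username` directly and dropping the local keeps the two lines consistent, `module:log("error", "failed to set roles %q for %s", backend_roles, username)`. The enclosing function continues past this hunk.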