Changeset

5288:f61564b522f7

mod_authz_delegate: introduce module to "link" authorization of hosts See the readme :-). Motivation is allowing Snikket admins to change circle avatars via the web portal without bypassing Prosody access checks.
author Jonas Schäfer <jonas@wielicki.name>
date Wed, 29 Mar 2023 17:21:45 +0200
parents 5284:5178c13deb78
children 5291:2aecad5a6c54
files mod_authz_delegate/README.md mod_authz_delegate/mod_authz_delegate.lua
diffstat 2 files changed, 90 insertions(+), 0 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_authz_delegate/README.md	Wed Mar 29 17:21:45 2023 +0200
@@ -0,0 +1,24 @@
+---
+summary: Authorization delegation
+rockspec: {}
+...
+
+This module allows delegating authorization questions (role assignment and
+role policies) to another host within prosody.
+
+The primary use of this is for a group of virtual hosts to use a common
+authorization database, for example to allow a MUC component to grant
+administrative access to an admin on a corresponding user virtual host.
+
+## Configuration
+
+The following example will make all role assignments for local and remote JIDs
+from domain.example effective on groups.domain.example:
+
+```
+VirtualHost "domain.example"
+
+Component "groups.domain.example" "muc"
+    authorization = "delegate"
+    authz_delegate_to = "domain.example"
+```
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_authz_delegate/mod_authz_delegate.lua	Wed Mar 29 17:21:45 2023 +0200
@@ -0,0 +1,66 @@
+local target_host = assert(module:get_option("authz_delegate_to"));
+local this_host = module:get_host();
+
+local jid_split = import("prosody.util.jid", "split");
+
+local hosts = prosody.hosts;
+
+function get_jids_with_role(role)  --luacheck: ignore 212/role
+	return nil
+end
+
+function get_user_role(user)
+	-- this is called where the JID belongs to the host this module is loaded on
+	-- that means we have to delegate that to get_jid_role with an appropriately composed JID
+	return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host)
+end
+
+function set_user_role(user, role_name)  --luacheck: ignore 212/user 212/role_name
+	-- no roles for entities on this host.
+	return false, "cannot set user role on delegation target"
+end
+
+function get_user_secondary_roles(user)  --luacheck: ignore 212/user
+	-- no roles for entities on this host.
+	return {}
+end
+
+function add_user_secondary_role(user, role_name)  --luacheck: ignore 212/user 212/role_name
+	-- no roles for entities on this host.
+	return nil, "cannot set user role on delegation target"
+end
+
+function remove_user_secondary_role(user, role_name)  --luacheck: ignore 212/user 212/role_name
+	-- no roles for entities on this host.
+	return nil, "cannot set user role on delegation target"
+end
+
+function user_can_assume_role(user, role_name)  --luacheck: ignore 212/user 212/role_name
+	-- no roles for entities on this host.
+	return false
+end
+
+function get_jid_role(jid)
+	local user, host = jid_split(jid);
+	if host == target_host then
+		return hosts[target_host].authz.get_user_role(user);
+	end
+	return hosts[target_host].authz.get_jid_role(jid);
+end
+
+function set_jid_role(jid)  --luacheck: ignore 212/jid
+	-- TODO: figure out if there are actually legitimate uses for this...
+	return nil, "cannot set jid role on delegation target"
+end
+
+function add_default_permission(role_name, action, policy)
+	return hosts[target_host].authz.add_default_permission(role_name, action, policy)
+end
+
+function get_role_by_name(role_name)
+	return hosts[target_host].authz.get_role_by_name(role_name)
+end
+
+function get_all_roles()
+	return hosts[target_host].authz.get_all_roles()
+end