Annotate

plugins/mod_authz_internal.lua @ 13014:06453c564141

util.startup: Add prosody.started promise to easily execute code after startup To avoid a race where server-started fires before the promise function body is run (on next tick), I moved server-started to fire on the next tick, which seems sensible anyway. Errors are logged, I'm not sure if we ought to be doing something more here. I'm sure we'll find out.
author Matthew Wild <mwild1@gmail.com>
date Sat, 01 Apr 2023 11:56:38 +0100
parent 12977:74b9e05af71e
child 13170:082c7d856e61
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
12977
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
1 local array = require "prosody.util.array";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
2 local it = require "prosody.util.iterators";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
3 local set = require "prosody.util.set";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
4 local jid_split, jid_bare, jid_host = import("prosody.util.jid", "split", "bare", "host");
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
5 local normalize = require "prosody.util.jid".prep;
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
6 local roles = require "prosody.util.roles";
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
7
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
8 local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize;
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
9 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize;
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10 local host = module.host;
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
11 local host_suffix = host:gsub("^[^%.]+%.", "");
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
12
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
13 local hosts = prosody.hosts;
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
14 local is_component = hosts[host].type == "component";
12740
f58c6ae5edc1 mod_authz_internal: Fix warning due to global use
Kim Alvefur <zash@zash.se>
parents: 12733
diff changeset
15 local host_user_role, server_user_role, public_user_role;
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
16 if is_component then
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
17 host_user_role = module:get_option_string("host_user_role", "prosody:user");
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
18 server_user_role = module:get_option_string("server_user_role");
12733
2167e1639aab mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents: 12730
diff changeset
19 public_user_role = module:get_option_string("public_user_role");
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
20 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
21
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
22 local role_store = module:open_store("account_roles");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
23 local role_map_store = module:open_store("account_roles", "map");
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
24
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
25 local role_registry = {};
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
26
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
27 function register_role(role)
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
28 if role_registry[role.name] ~= nil then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
29 return error("A role '"..role.name.."' is already registered");
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
30 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
31 if not roles.is_role(role) then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
32 -- Convert table syntax to real role object
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
33 for i, inherited_role in ipairs(role.inherits or {}) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
34 if type(inherited_role) == "string" then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
35 role.inherits[i] = assert(role_registry[inherited_role], "The named role '"..inherited_role.."' is not registered");
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
36 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
37 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
38 if not role.permissions then role.permissions = {}; end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
39 for _, allow_permission in ipairs(role.allow or {}) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
40 role.permissions[allow_permission] = true;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
41 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
42 for _, deny_permission in ipairs(role.deny or {}) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
43 role.permissions[deny_permission] = false;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
44 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
45 role = roles.new(role);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
46 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
47 role_registry[role.name] = role;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
48 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
49
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
50 -- Default roles
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
51 register_role {
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
52 name = "prosody:restricted";
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
53 priority = 15;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
54 };
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
55
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
56 register_role {
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
57 name = "prosody:user";
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
58 priority = 25;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
59 inherits = { "prosody:restricted" };
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
60 };
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
61
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
62 register_role {
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
63 name = "prosody:admin";
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
64 priority = 50;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
65 inherits = { "prosody:user" };
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
66 };
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
67
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
68 register_role {
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
69 name = "prosody:operator";
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
70 priority = 75;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
71 inherits = { "prosody:admin" };
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
72 };
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
73
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
74
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
75 -- Process custom roles from config
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
76
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
77 local custom_roles = module:get_option("custom_roles", {});
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
78 for n, role_config in ipairs(custom_roles) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
79 local ok, err = pcall(register_role, role_config);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
80 if not ok then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
81 module:log("error", "Error registering custom role %s: %s", role_config.name or tostring(n), err);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
82 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
83 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
84
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
85 -- Process custom permissions from config
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
86
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
87 local config_add_perms = module:get_option("add_permissions", {});
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
88 local config_remove_perms = module:get_option("remove_permissions", {});
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
89
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
90 for role_name, added_permissions in pairs(config_add_perms) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
91 if not role_registry[role_name] then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
92 module:log("error", "Cannot add permissions to unknown role '%s'", role_name);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
93 else
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
94 for _, permission in ipairs(added_permissions) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
95 role_registry[role_name]:set_permission(permission, true, true);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
96 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
97 end
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
98 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
99
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
100 for role_name, removed_permissions in pairs(config_remove_perms) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
101 if not role_registry[role_name] then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
102 module:log("error", "Cannot remove permissions from unknown role '%s'", role_name);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
103 else
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
104 for _, permission in ipairs(removed_permissions) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
105 role_registry[role_name]:set_permission(permission, false, true);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
106 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
107 end
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
108 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
109
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
110 -- Public API
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
111
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
112 -- Get the primary role of a user
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
113 function get_user_role(user)
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
114 local bare_jid = user.."@"..host;
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
115
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
116 -- Check config first
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
117 if config_global_admin_jids:contains(bare_jid) then
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
118 return role_registry["prosody:operator"];
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
119 elseif config_admin_jids:contains(bare_jid) then
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
120 return role_registry["prosody:admin"];
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
121 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
122
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
123 -- Check storage
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
124 local stored_roles, err = role_store:get(user);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
125 if not stored_roles then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
126 if err then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
127 -- Unable to fetch role, fail
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
128 return nil, err;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
129 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
130 -- No role set, use default role
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
131 return role_registry["prosody:user"];
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
132 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
133 if stored_roles._default == nil then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
134 -- No primary role explicitly set, return default
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
135 return role_registry["prosody:user"];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
136 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
137 local primary_stored_role = role_registry[stored_roles._default];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
138 if not primary_stored_role then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
139 return nil, "unknown-role";
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
140 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
141 return primary_stored_role;
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
142 end
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
143
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
144 -- Set the primary role of a user
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
145 function set_user_role(user, role_name)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
146 local role = role_registry[role_name];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
147 if not role then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
148 return error("Cannot assign default user an unknown role: "..tostring(role_name));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
149 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
150 local keys_update = {
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
151 _default = role_name;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
152 -- Primary role cannot be secondary role
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
153 [role_name] = role_map_store.remove;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
154 };
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
155 if role_name == "prosody:user" then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
156 -- Don't store default
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
157 keys_update._default = role_map_store.remove;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
158 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
159 local ok, err = role_map_store:set_keys(user, keys_update);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
160 if not ok then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
161 return nil, err;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
162 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
163 return role;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
164 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
165
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
166 function add_user_secondary_role(user, role_name)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
167 if not role_registry[role_name] then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
168 return error("Cannot assign default user an unknown role: "..tostring(role_name));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
169 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
170 role_map_store:set(user, role_name, true);
11472
c32753ceb0f0 mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents: 10659
diff changeset
171 end
c32753ceb0f0 mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents: 10659
diff changeset
172
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
173 function remove_user_secondary_role(user, role_name)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
174 role_map_store:set(user, role_name, nil);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
175 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
176
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
177 function get_user_secondary_roles(user)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
178 local stored_roles, err = role_store:get(user);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
179 if not stored_roles then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
180 if err then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
181 -- Unable to fetch role, fail
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
182 return nil, err;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
183 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
184 -- No role set
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
185 return {};
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
186 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
187 stored_roles._default = nil;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
188 for role_name in pairs(stored_roles) do
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
189 stored_roles[role_name] = role_registry[role_name];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
190 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
191 return stored_roles;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
192 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
193
12663
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
194 function user_can_assume_role(user, role_name)
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
195 local primary_role = get_user_role(user);
12925
6cb339423928 mod_authz_internal: Fix wrong role name field in user_can_assume_role()
Kim Alvefur <zash@zash.se>
parents: 12920
diff changeset
196 if primary_role and primary_role.name == role_name then
12663
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
197 return true;
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
198 end
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
199 local secondary_roles = get_user_secondary_roles(user);
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
200 if secondary_roles and secondary_roles[role_name] then
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
201 return true;
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
202 end
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
203 return false;
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
204 end
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
205
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
206 -- This function is *expensive*
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
207 function get_users_with_role(role_name)
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
208 local function role_filter(username, default_role) --luacheck: ignore 212/username
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
209 return default_role == role_name;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
210 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
211 local primary_role_users = set.new(it.to_array(it.filter(role_filter, pairs(role_map_store:get_all("_default") or {}))));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
212 local secondary_role_users = set.new(it.to_array(it.keys(role_map_store:get_all(role_name) or {})));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
213
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
214 local config_set;
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
215 if role_name == "prosody:admin" then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
216 config_set = config_admin_jids;
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
217 elseif role_name == "prosody:operator" then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
218 config_set = config_global_admin_jids;
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
219 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
220 if config_set then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
221 local config_admin_users = config_set / function (admin_jid)
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
222 local j_node, j_host = jid_split(admin_jid);
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
223 if j_host == host then
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
224 return j_node;
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
225 end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
226 end;
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
227 return it.to_array(config_admin_users + primary_role_users + secondary_role_users);
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
228 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
229 return it.to_array(primary_role_users + secondary_role_users);
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
230 end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
231
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
232 function get_jid_role(jid)
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
233 local bare_jid = jid_bare(jid);
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
234 if config_global_admin_jids:contains(bare_jid) then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
235 return role_registry["prosody:operator"];
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
236 elseif config_admin_jids:contains(bare_jid) then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
237 return role_registry["prosody:admin"];
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
238 elseif is_component then
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
239 local user_host = jid_host(bare_jid);
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
240 if host_user_role and user_host == host_suffix then
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
241 return role_registry[host_user_role];
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
242 elseif server_user_role and hosts[user_host] then
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
243 return role_registry[server_user_role];
12733
2167e1639aab mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents: 12730
diff changeset
244 elseif public_user_role then
2167e1639aab mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents: 12730
diff changeset
245 return role_registry[public_user_role];
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
246 end
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
247 end
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
248 return nil;
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
249 end
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
250
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
251 function set_jid_role(jid, role_name) -- luacheck: ignore 212
11472
c32753ceb0f0 mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents: 10659
diff changeset
252 return false;
c32753ceb0f0 mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents: 10659
diff changeset
253 end
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
254
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
255 function get_jids_with_role(role_name)
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
256 -- Fetch role users from storage
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
257 local storage_role_jids = array.map(get_users_with_role(role_name), function (username)
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
258 return username.."@"..host;
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
259 end);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
260 if role_name == "prosody:admin" then
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
261 return it.to_array(config_admin_jids + set.new(storage_role_jids));
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
262 elseif role_name == "prosody:operator" then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
263 return it.to_array(config_global_admin_jids + set.new(storage_role_jids));
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
264 end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
265 return storage_role_jids;
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
266 end
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
267
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
268 function add_default_permission(role_name, action, policy)
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
269 local role = role_registry[role_name];
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
270 if not role then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
271 module:log("warn", "Attempt to add default permission for unknown role: %s", role_name);
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
272 return nil, "no-such-role";
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
273 end
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
274 if policy == nil then policy = true; end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
275 module:log("debug", "Adding policy %s for permission %s on role %s", policy, action, role_name);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
276 return role:set_permission(action, policy);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
277 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
278
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
279 function get_role_by_name(role_name)
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
280 return assert(role_registry[role_name], role_name);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
281 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
282
12920
cdb996637b08 authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents: 12740
diff changeset
283 function get_all_roles()
cdb996637b08 authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents: 12740
diff changeset
284 return role_registry;
cdb996637b08 authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents: 12740
diff changeset
285 end
cdb996637b08 authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents: 12740
diff changeset
286
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
287 -- COMPAT: Migrate from 0.12 role storage
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
288 local function do_migration(migrate_host)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
289 local old_role_store = assert(module:context(migrate_host):open_store("roles"));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
290 local new_role_store = assert(module:context(migrate_host):open_store("account_roles"));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
291
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
292 local migrated, failed, skipped = 0, 0, 0;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
293 -- Iterate all users
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
294 for username in assert(old_role_store:users()) do
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
295 local old_roles = it.to_array(it.filter(function (k) return k:sub(1,1) ~= "_"; end, it.keys(old_role_store:get(username))));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
296 if #old_roles == 1 then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
297 local ok, err = new_role_store:set(username, {
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
298 _default = old_roles[1];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
299 });
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
300 if ok then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
301 migrated = migrated + 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
302 else
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
303 failed = failed + 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
304 print("EE: Failed to store new role info for '"..username.."': "..err);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
305 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
306 else
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
307 print("WW: User '"..username.."' has multiple roles and cannot be automatically migrated");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
308 skipped = skipped + 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
309 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
310 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
311 return migrated, failed, skipped;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
312 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
313
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
314 function module.command(arg)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
315 if arg[1] == "migrate" then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
316 table.remove(arg, 1);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
317 local migrate_host = arg[1];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
318 if not migrate_host or not prosody.hosts[migrate_host] then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
319 print("EE: Please supply a valid host to migrate to the new role storage");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
320 return 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
321 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
322
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
323 -- Initialize storage layer
12977
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
324 require "prosody.core.storagemanager".initialize_host(migrate_host);
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
325
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
326 print("II: Migrating roles...");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
327 local migrated, failed, skipped = do_migration(migrate_host);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
328 print(("II: %d migrated, %d failed, %d skipped"):format(migrated, failed, skipped));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
329 return (failed + skipped == 0) and 0 or 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
330 else
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
331 print("EE: Unknown command: "..(arg[1] or "<none given>"));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
332 print(" Hint: try 'migrate'?");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
333 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
334 end