Software / code / prosody
Annotate
plugins/mod_authz_internal.lua @ 12671:32881d0c359f
mod_auth_insecure: Store creation and update timestamps on account
This ensures that the store is not empty in case no password is
provided, so the underlying data storage won't consider the store empty.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 18 Aug 2022 18:10:44 +0200 |
| parent | 12663:cf88f6b03942 |
| child | 12730:427dd01f0864 |
| rev | line source |
|---|---|
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
1 local array = require "util.array"; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
2 local it = require "util.iterators"; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
3 local set = require "util.set"; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
4 local jid_split, jid_bare = require "util.jid".split, require "util.jid".bare; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 local normalize = require "util.jid".prep; |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
6 local roles = require "util.roles"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
7 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
8 local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize; |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
9 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local host = module.host; |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
11 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
12 local role_store = module:open_store("account_roles"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
13 local role_map_store = module:open_store("account_roles", "map"); |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
14 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
15 local role_registry = {}; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
16 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
17 function register_role(role) |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
18 if role_registry[role.name] ~= nil then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
19 return error("A role '"..role.name.."' is already registered"); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
20 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
21 if not roles.is_role(role) then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
22 -- Convert table syntax to real role object |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
23 for i, inherited_role in ipairs(role.inherits or {}) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
24 if type(inherited_role) == "string" then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
25 role.inherits[i] = assert(role_registry[inherited_role], "The named role '"..inherited_role.."' is not registered"); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
26 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
27 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
28 if not role.permissions then role.permissions = {}; end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
29 for _, allow_permission in ipairs(role.allow or {}) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
30 role.permissions[allow_permission] = true; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
31 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
32 for _, deny_permission in ipairs(role.deny or {}) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
33 role.permissions[deny_permission] = false; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
34 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
35 role = roles.new(role); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
36 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
37 role_registry[role.name] = role; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
38 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
39 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
40 -- Default roles |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
41 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
42 name = "prosody:restricted"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
43 priority = 15; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
44 }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
45 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
46 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
47 name = "prosody:user"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
48 priority = 25; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
49 inherits = { "prosody:restricted" }; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
50 }; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
51 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
52 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
53 name = "prosody:admin"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
54 priority = 50; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
55 inherits = { "prosody:user" }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
56 }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
57 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
58 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
59 name = "prosody:operator"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
60 priority = 75; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
61 inherits = { "prosody:admin" }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
62 }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
63 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
64 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
65 -- Process custom roles from config |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
66 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
67 local custom_roles = module:get_option("custom_roles", {}); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
68 for n, role_config in ipairs(custom_roles) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
69 local ok, err = pcall(register_role, role_config); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
70 if not ok then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
71 module:log("error", "Error registering custom role %s: %s", role_config.name or tostring(n), err); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
72 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
73 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
74 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
75 -- Process custom permissions from config |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
76 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
77 local config_add_perms = module:get_option("add_permissions", {}); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
78 local config_remove_perms = module:get_option("remove_permissions", {}); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
79 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
80 for role_name, added_permissions in pairs(config_add_perms) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
81 if not role_registry[role_name] then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
82 module:log("error", "Cannot add permissions to unknown role '%s'", role_name); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
83 else |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
84 for _, permission in ipairs(added_permissions) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
85 role_registry[role_name]:set_permission(permission, true, true); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
86 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
87 end |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
88 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
89 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
90 for role_name, removed_permissions in pairs(config_remove_perms) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
91 if not role_registry[role_name] then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
92 module:log("error", "Cannot remove permissions from unknown role '%s'", role_name); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
93 else |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
94 for _, permission in ipairs(removed_permissions) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
95 role_registry[role_name]:set_permission(permission, false, true); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
96 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
97 end |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
98 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
99 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
100 -- Public API |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
101 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
102 -- Get the primary role of a user |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
103 function get_user_role(user) |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
104 local bare_jid = user.."@"..host; |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
105 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
106 -- Check config first |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
107 if config_global_admin_jids:contains(bare_jid) then |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
108 return role_registry["prosody:operator"]; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
109 elseif config_admin_jids:contains(bare_jid) then |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
110 return role_registry["prosody:admin"]; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
111 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
112 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
113 -- Check storage |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
114 local stored_roles, err = role_store:get(user); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
115 if not stored_roles then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
116 if err then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
117 -- Unable to fetch role, fail |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
118 return nil, err; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
119 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
120 -- No role set, use default role |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
121 return role_registry["prosody:user"]; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
122 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
123 if stored_roles._default == nil then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
124 -- No primary role explicitly set, return default |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
125 return role_registry["prosody:user"]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
126 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
127 local primary_stored_role = role_registry[stored_roles._default]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
128 if not primary_stored_role then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
129 return nil, "unknown-role"; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
130 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
131 return primary_stored_role; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
132 end |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
134 -- Set the primary role of a user |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
135 function set_user_role(user, role_name) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
136 local role = role_registry[role_name]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
137 if not role then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
138 return error("Cannot assign default user an unknown role: "..tostring(role_name)); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
139 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
140 local keys_update = { |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
141 _default = role_name; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
142 -- Primary role cannot be secondary role |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
143 [role_name] = role_map_store.remove; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
144 }; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
145 if role_name == "prosody:user" then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
146 -- Don't store default |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
147 keys_update._default = role_map_store.remove; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
148 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
149 local ok, err = role_map_store:set_keys(user, keys_update); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
150 if not ok then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
151 return nil, err; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
152 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
153 return role; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
154 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
155 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
156 function add_user_secondary_role(user, role_name) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
157 if not role_registry[role_name] then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
158 return error("Cannot assign default user an unknown role: "..tostring(role_name)); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
159 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
160 role_map_store:set(user, role_name, true); |
|
11472
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
161 end |
|
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
162 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
163 function remove_user_secondary_role(user, role_name) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
164 role_map_store:set(user, role_name, nil); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
165 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
166 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
167 function get_user_secondary_roles(user) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
168 local stored_roles, err = role_store:get(user); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
169 if not stored_roles then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
170 if err then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
171 -- Unable to fetch role, fail |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
172 return nil, err; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
173 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
174 -- No role set |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
175 return {}; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
176 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
177 stored_roles._default = nil; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
178 for role_name in pairs(stored_roles) do |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
179 stored_roles[role_name] = role_registry[role_name]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
180 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
181 return stored_roles; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
182 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
183 |
|
12663
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
184 function user_can_assume_role(user, role_name) |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
185 local primary_role = get_user_role(user); |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
186 if primary_role and primary_role.role_name == role_name then |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
187 return true; |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
188 end |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
189 local secondary_roles = get_user_secondary_roles(user); |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
190 if secondary_roles and secondary_roles[role_name] then |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
191 return true; |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
192 end |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
193 return false; |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
194 end |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
195 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
196 -- This function is *expensive* |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
197 function get_users_with_role(role_name) |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
198 local function role_filter(username, default_role) --luacheck: ignore 212/username |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
199 return default_role == role_name; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
200 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
201 local primary_role_users = set.new(it.to_array(it.filter(role_filter, pairs(role_map_store:get_all("_default") or {})))); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
202 local secondary_role_users = set.new(it.to_array(it.keys(role_map_store:get_all(role_name) or {}))); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
203 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
204 local config_set; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
205 if role_name == "prosody:admin" then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
206 config_set = config_admin_jids; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
207 elseif role_name == "prosody:operator" then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
208 config_set = config_global_admin_jids; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
209 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
210 if config_set then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
211 local config_admin_users = config_set / function (admin_jid) |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
212 local j_node, j_host = jid_split(admin_jid); |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
213 if j_host == host then |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
214 return j_node; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
215 end |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
216 end; |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
217 return it.to_array(config_admin_users + primary_role_users + secondary_role_users); |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
218 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
219 return it.to_array(primary_role_users + secondary_role_users); |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
220 end |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
221 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
222 function get_jid_role(jid) |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
223 local bare_jid = jid_bare(jid); |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
224 if config_global_admin_jids:contains(bare_jid) then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
225 return role_registry["prosody:operator"]; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
226 elseif config_admin_jids:contains(bare_jid) then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
227 return role_registry["prosody:admin"]; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
228 end |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
229 return nil; |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
230 end |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
231 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
232 function set_jid_role(jid, role_name) -- luacheck: ignore 212 |
|
11472
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
233 return false; |
|
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
234 end |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
235 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
236 function get_jids_with_role(role_name) |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
237 -- Fetch role users from storage |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
238 local storage_role_jids = array.map(get_users_with_role(role_name), function (username) |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
239 return username.."@"..host; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
240 end); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
241 if role_name == "prosody:admin" then |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
242 return it.to_array(config_admin_jids + set.new(storage_role_jids)); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
243 elseif role_name == "prosody:operator" then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
244 return it.to_array(config_global_admin_jids + set.new(storage_role_jids)); |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
245 end |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
246 return storage_role_jids; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
247 end |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
248 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
249 function add_default_permission(role_name, action, policy) |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
250 local role = role_registry[role_name]; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
251 if not role then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
252 module:log("warn", "Attempt to add default permission for unknown role: %s", role_name); |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
253 return nil, "no-such-role"; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
254 end |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
255 if policy == nil then policy = true; end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
256 module:log("debug", "Adding policy %s for permission %s on role %s", policy, action, role_name); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
257 return role:set_permission(action, policy); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
258 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
259 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
260 function get_role_by_name(role_name) |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
261 return assert(role_registry[role_name], role_name); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
262 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
263 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
264 -- COMPAT: Migrate from 0.12 role storage |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
265 local function do_migration(migrate_host) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
266 local old_role_store = assert(module:context(migrate_host):open_store("roles")); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
267 local new_role_store = assert(module:context(migrate_host):open_store("account_roles")); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
268 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
269 local migrated, failed, skipped = 0, 0, 0; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
270 -- Iterate all users |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
271 for username in assert(old_role_store:users()) do |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
272 local old_roles = it.to_array(it.filter(function (k) return k:sub(1,1) ~= "_"; end, it.keys(old_role_store:get(username)))); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
273 if #old_roles == 1 then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
274 local ok, err = new_role_store:set(username, { |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
275 _default = old_roles[1]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
276 }); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
277 if ok then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
278 migrated = migrated + 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
279 else |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
280 failed = failed + 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
281 print("EE: Failed to store new role info for '"..username.."': "..err); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
282 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
283 else |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
284 print("WW: User '"..username.."' has multiple roles and cannot be automatically migrated"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
285 skipped = skipped + 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
286 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
287 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
288 return migrated, failed, skipped; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
289 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
290 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
291 function module.command(arg) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
292 if arg[1] == "migrate" then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
293 table.remove(arg, 1); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
294 local migrate_host = arg[1]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
295 if not migrate_host or not prosody.hosts[migrate_host] then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
296 print("EE: Please supply a valid host to migrate to the new role storage"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
297 return 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
298 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
299 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
300 -- Initialize storage layer |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
301 require "core.storagemanager".initialize_host(migrate_host); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
302 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
303 print("II: Migrating roles..."); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
304 local migrated, failed, skipped = do_migration(migrate_host); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
305 print(("II: %d migrated, %d failed, %d skipped"):format(migrated, failed, skipped)); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
306 return (failed + skipped == 0) and 0 or 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
307 else |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
308 print("EE: Unknown command: "..(arg[1] or "<none given>")); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
309 print(" Hint: try 'migrate'?"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
310 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
311 end |
