Software / code / prosody
Annotate
plugins/mod_authz_internal.lua @ 13744:34ac05f6bd10 13.0
core.configmanager: Fix reporting delayed warnings from global section
A Credential in the global section would be stored at
delayed_warnings["*/secret"], but get("example.com","secret") would look
for delayed_warnings["example.com/secret"]
Storing the warnings in the config itself has the unfortunate
side-effect that the config now contains util.error objects, which may
be awkward if something bypasses get(). Should rawget() also do this
filtering? getconfig() too?
Currently this only affects prosodyctl, so maybe it won't be much of a
problem.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 22 Feb 2025 00:08:18 +0100 |
| parent | 13679:f5c7fe7bbe3b |
| rev | line source |
|---|---|
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12925
diff
changeset
|
1 local array = require "prosody.util.array"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12925
diff
changeset
|
2 local it = require "prosody.util.iterators"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12925
diff
changeset
|
3 local set = require "prosody.util.set"; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12925
diff
changeset
|
4 local jid_split, jid_bare, jid_host = import("prosody.util.jid", "split", "bare", "host"); |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12925
diff
changeset
|
5 local normalize = require "prosody.util.jid".prep; |
|
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12925
diff
changeset
|
6 local roles = require "prosody.util.roles"; |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
7 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
8 local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize; |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
9 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local host = module.host; |
|
13621
eb676b6f05e3
mod_authz_internal: Make host considered the parent configurable
Kim Alvefur <zash@zash.se>
parents:
13587
diff
changeset
|
11 local host_suffix = module:get_option_string("parent_host", (host:gsub("^[^%.]+%.", ""))); |
|
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
12 |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
13 local hosts = prosody.hosts; |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
14 local is_anon_host = module:get_option_string("authentication") == "anonymous"; |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
15 local default_user_role = module:get_option_string("default_user_role", is_anon_host and "prosody:guest" or "prosody:registered"); |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
16 |
|
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
17 local is_component = hosts[host].type == "component"; |
|
12740
f58c6ae5edc1
mod_authz_internal: Fix warning due to global use
Kim Alvefur <zash@zash.se>
parents:
12733
diff
changeset
|
18 local host_user_role, server_user_role, public_user_role; |
|
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
19 if is_component then |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
20 host_user_role = module:get_option_string("host_user_role", "prosody:registered"); |
|
13587
fdb2e0568cf8
mod_authz_internal: Make 'prosody:guest' default role for all unknown JIDs
Matthew Wild <mwild1@gmail.com>
parents:
13541
diff
changeset
|
21 server_user_role = module:get_option_string("server_user_role", "prosody:guest"); |
|
fdb2e0568cf8
mod_authz_internal: Make 'prosody:guest' default role for all unknown JIDs
Matthew Wild <mwild1@gmail.com>
parents:
13541
diff
changeset
|
22 public_user_role = module:get_option_string("public_user_role", "prosody:guest"); |
|
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
23 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
24 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
25 local role_store = module:open_store("account_roles"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
26 local role_map_store = module:open_store("account_roles", "map"); |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
27 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
28 local role_registry = {}; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
29 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
30 function register_role(role) |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
31 if role_registry[role.name] ~= nil then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
32 return error("A role '"..role.name.."' is already registered"); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
33 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
34 if not roles.is_role(role) then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
35 -- Convert table syntax to real role object |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
36 for i, inherited_role in ipairs(role.inherits or {}) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
37 if type(inherited_role) == "string" then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
38 role.inherits[i] = assert(role_registry[inherited_role], "The named role '"..inherited_role.."' is not registered"); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
39 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
40 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
41 if not role.permissions then role.permissions = {}; end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
42 for _, allow_permission in ipairs(role.allow or {}) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
43 role.permissions[allow_permission] = true; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
44 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
45 for _, deny_permission in ipairs(role.deny or {}) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
46 role.permissions[deny_permission] = false; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
47 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
48 role = roles.new(role); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
49 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
50 role_registry[role.name] = role; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
51 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
52 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
53 -- Default roles |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
54 |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
55 -- For untrusted guest/anonymous users |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
56 register_role { |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
57 name = "prosody:guest"; |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
58 priority = 15; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
59 }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
60 |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
61 -- For e.g. self-registered accounts |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
62 register_role { |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
63 name = "prosody:registered"; |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
64 priority = 25; |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
65 inherits = { "prosody:guest" }; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
66 }; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
67 |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
68 |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
69 -- For trusted/provisioned accounts |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
70 register_role { |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
71 name = "prosody:member"; |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
72 priority = 35; |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
73 inherits = { "prosody:registered" }; |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
74 }; |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
75 |
|
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
76 -- For administrators, e.g. of a host |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
77 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
78 name = "prosody:admin"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
79 priority = 50; |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
80 inherits = { "prosody:member" }; |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
81 }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
82 |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
83 -- For server operators (full access) |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
84 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
85 name = "prosody:operator"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
86 priority = 75; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
87 inherits = { "prosody:admin" }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
88 }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
89 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
90 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
91 -- Process custom roles from config |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
92 |
|
13232
e0ab20519ce5
plugins: Use get_option_array for some list shaped options
Kim Alvefur <zash@zash.se>
parents:
13170
diff
changeset
|
93 local custom_roles = module:get_option_array("custom_roles", {}); |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
94 for n, role_config in ipairs(custom_roles) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
95 local ok, err = pcall(register_role, role_config); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
96 if not ok then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
97 module:log("error", "Error registering custom role %s: %s", role_config.name or tostring(n), err); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
98 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
99 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
100 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
101 -- Process custom permissions from config |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
102 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
103 local config_add_perms = module:get_option("add_permissions", {}); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
104 local config_remove_perms = module:get_option("remove_permissions", {}); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
105 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
106 for role_name, added_permissions in pairs(config_add_perms) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
107 if not role_registry[role_name] then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
108 module:log("error", "Cannot add permissions to unknown role '%s'", role_name); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
109 else |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
110 for _, permission in ipairs(added_permissions) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
111 role_registry[role_name]:set_permission(permission, true, true); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
112 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
113 end |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
114 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
115 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
116 for role_name, removed_permissions in pairs(config_remove_perms) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
117 if not role_registry[role_name] then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
118 module:log("error", "Cannot remove permissions from unknown role '%s'", role_name); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
119 else |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
120 for _, permission in ipairs(removed_permissions) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
121 role_registry[role_name]:set_permission(permission, false, true); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
122 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
123 end |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
124 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
125 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
126 -- Public API |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
127 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
128 -- Get the primary role of a user |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
129 function get_user_role(user) |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
130 local bare_jid = user.."@"..host; |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
131 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
132 -- Check config first |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
133 if config_global_admin_jids:contains(bare_jid) then |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
134 return role_registry["prosody:operator"]; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
135 elseif config_admin_jids:contains(bare_jid) then |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
136 return role_registry["prosody:admin"]; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
137 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
138 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
139 -- Check storage |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
140 local stored_roles, err = role_store:get(user); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
141 if not stored_roles then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
142 if err then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
143 -- Unable to fetch role, fail |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
144 return nil, err; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
145 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
146 -- No role set, use default role |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
147 return role_registry[default_user_role]; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
148 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
149 if stored_roles._default == nil then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
150 -- No primary role explicitly set, return default |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
151 return role_registry[default_user_role]; |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
152 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
153 local primary_stored_role = role_registry[stored_roles._default]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
154 if not primary_stored_role then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
155 return nil, "unknown-role"; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
156 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
157 return primary_stored_role; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
158 end |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
159 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
160 -- Set the primary role of a user |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
161 function set_user_role(user, role_name) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
162 local role = role_registry[role_name]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
163 if not role then |
|
13679
f5c7fe7bbe3b
mod_authz_internal: Fix error messages
Matthew Wild <mwild1@gmail.com>
parents:
13678
diff
changeset
|
164 return error("Cannot assign user an unknown role: "..tostring(role_name)); |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
165 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
166 local keys_update = { |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
167 _default = role_name; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
168 -- Primary role cannot be secondary role |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
169 [role_name] = role_map_store.remove; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
170 }; |
|
13170
082c7d856e61
core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents:
12977
diff
changeset
|
171 if role_name == default_user_role then |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
172 -- Don't store default |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
173 keys_update._default = role_map_store.remove; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
174 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
175 local ok, err = role_map_store:set_keys(user, keys_update); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
176 if not ok then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
177 return nil, err; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
178 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
179 return role; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
180 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
181 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
182 function add_user_secondary_role(user, role_name) |
|
13678
acb87cc2d48b
mod_authz_internal: Fix return values of secondary role management methods
Matthew Wild <mwild1@gmail.com>
parents:
13621
diff
changeset
|
183 local role = role_registry[role_name]; |
|
acb87cc2d48b
mod_authz_internal: Fix return values of secondary role management methods
Matthew Wild <mwild1@gmail.com>
parents:
13621
diff
changeset
|
184 if not role then |
|
13679
f5c7fe7bbe3b
mod_authz_internal: Fix error messages
Matthew Wild <mwild1@gmail.com>
parents:
13678
diff
changeset
|
185 return error("Cannot assign user an unknown role: "..tostring(role_name)); |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
186 end |
|
13678
acb87cc2d48b
mod_authz_internal: Fix return values of secondary role management methods
Matthew Wild <mwild1@gmail.com>
parents:
13621
diff
changeset
|
187 local ok, err = role_map_store:set(user, role_name, true); |
|
acb87cc2d48b
mod_authz_internal: Fix return values of secondary role management methods
Matthew Wild <mwild1@gmail.com>
parents:
13621
diff
changeset
|
188 if not ok then |
|
acb87cc2d48b
mod_authz_internal: Fix return values of secondary role management methods
Matthew Wild <mwild1@gmail.com>
parents:
13621
diff
changeset
|
189 return nil, err; |
|
acb87cc2d48b
mod_authz_internal: Fix return values of secondary role management methods
Matthew Wild <mwild1@gmail.com>
parents:
13621
diff
changeset
|
190 end |
|
acb87cc2d48b
mod_authz_internal: Fix return values of secondary role management methods
Matthew Wild <mwild1@gmail.com>
parents:
13621
diff
changeset
|
191 return role; |
|
11472
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
192 end |
|
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
193 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
194 function remove_user_secondary_role(user, role_name) |
|
13678
acb87cc2d48b
mod_authz_internal: Fix return values of secondary role management methods
Matthew Wild <mwild1@gmail.com>
parents:
13621
diff
changeset
|
195 return role_map_store:set(user, role_name, nil); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
196 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
197 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
198 function get_user_secondary_roles(user) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
199 local stored_roles, err = role_store:get(user); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
200 if not stored_roles then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
201 if err then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
202 -- Unable to fetch role, fail |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
203 return nil, err; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
204 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
205 -- No role set |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
206 return {}; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
207 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
208 stored_roles._default = nil; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
209 for role_name in pairs(stored_roles) do |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
210 stored_roles[role_name] = role_registry[role_name]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
211 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
212 return stored_roles; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
213 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
214 |
|
12663
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
215 function user_can_assume_role(user, role_name) |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
216 local primary_role = get_user_role(user); |
|
12925
6cb339423928
mod_authz_internal: Fix wrong role name field in user_can_assume_role()
Kim Alvefur <zash@zash.se>
parents:
12920
diff
changeset
|
217 if primary_role and primary_role.name == role_name then |
|
12663
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
218 return true; |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
219 end |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
220 local secondary_roles = get_user_secondary_roles(user); |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
221 if secondary_roles and secondary_roles[role_name] then |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
222 return true; |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
223 end |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
224 return false; |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
225 end |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
226 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
227 -- This function is *expensive* |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
228 function get_users_with_role(role_name) |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
229 local function role_filter(username, default_role) --luacheck: ignore 212/username |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
230 return default_role == role_name; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
231 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
232 local primary_role_users = set.new(it.to_array(it.filter(role_filter, pairs(role_map_store:get_all("_default") or {})))); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
233 local secondary_role_users = set.new(it.to_array(it.keys(role_map_store:get_all(role_name) or {}))); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
234 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
235 local config_set; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
236 if role_name == "prosody:admin" then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
237 config_set = config_admin_jids; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
238 elseif role_name == "prosody:operator" then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
239 config_set = config_global_admin_jids; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
240 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
241 if config_set then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
242 local config_admin_users = config_set / function (admin_jid) |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
243 local j_node, j_host = jid_split(admin_jid); |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
244 if j_host == host then |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
245 return j_node; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
246 end |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
247 end; |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
248 return it.to_array(config_admin_users + primary_role_users + secondary_role_users); |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
249 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
250 return it.to_array(primary_role_users + secondary_role_users); |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
251 end |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
252 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
253 function get_jid_role(jid) |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
254 local bare_jid = jid_bare(jid); |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
255 if config_global_admin_jids:contains(bare_jid) then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
256 return role_registry["prosody:operator"]; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
257 elseif config_admin_jids:contains(bare_jid) then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
258 return role_registry["prosody:admin"]; |
|
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
259 elseif is_component then |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
260 local user_host = jid_host(bare_jid); |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
261 if host_user_role and user_host == host_suffix then |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
262 return role_registry[host_user_role]; |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
263 elseif server_user_role and hosts[user_host] then |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
264 return role_registry[server_user_role]; |
|
12733
2167e1639aab
mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents:
12730
diff
changeset
|
265 elseif public_user_role then |
|
2167e1639aab
mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents:
12730
diff
changeset
|
266 return role_registry[public_user_role]; |
|
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
267 end |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
268 end |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
269 return nil; |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
270 end |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
271 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
272 function set_jid_role(jid, role_name) -- luacheck: ignore 212 |
|
13541
3dc3781d02cd
mod_authz_internal: Hint at roles for external JIDs being read-only
Kim Alvefur <zash@zash.se>
parents:
13232
diff
changeset
|
273 return false, "not-implemented"; |
|
11472
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
274 end |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
275 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
276 function get_jids_with_role(role_name) |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
277 -- Fetch role users from storage |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
278 local storage_role_jids = array.map(get_users_with_role(role_name), function (username) |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
279 return username.."@"..host; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
280 end); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
281 if role_name == "prosody:admin" then |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
282 return it.to_array(config_admin_jids + set.new(storage_role_jids)); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
283 elseif role_name == "prosody:operator" then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
284 return it.to_array(config_global_admin_jids + set.new(storage_role_jids)); |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
285 end |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
286 return storage_role_jids; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
287 end |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
288 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
289 function add_default_permission(role_name, action, policy) |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
290 local role = role_registry[role_name]; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
291 if not role then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
292 module:log("warn", "Attempt to add default permission for unknown role: %s", role_name); |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
293 return nil, "no-such-role"; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
294 end |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
295 if policy == nil then policy = true; end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
296 module:log("debug", "Adding policy %s for permission %s on role %s", policy, action, role_name); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
297 return role:set_permission(action, policy); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
298 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
299 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
300 function get_role_by_name(role_name) |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
301 return assert(role_registry[role_name], role_name); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
302 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
303 |
|
12920
cdb996637b08
authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents:
12740
diff
changeset
|
304 function get_all_roles() |
|
cdb996637b08
authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents:
12740
diff
changeset
|
305 return role_registry; |
|
cdb996637b08
authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents:
12740
diff
changeset
|
306 end |
|
cdb996637b08
authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents:
12740
diff
changeset
|
307 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
308 -- COMPAT: Migrate from 0.12 role storage |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
309 local function do_migration(migrate_host) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
310 local old_role_store = assert(module:context(migrate_host):open_store("roles")); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
311 local new_role_store = assert(module:context(migrate_host):open_store("account_roles")); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
312 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
313 local migrated, failed, skipped = 0, 0, 0; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
314 -- Iterate all users |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
315 for username in assert(old_role_store:users()) do |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
316 local old_roles = it.to_array(it.filter(function (k) return k:sub(1,1) ~= "_"; end, it.keys(old_role_store:get(username)))); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
317 if #old_roles == 1 then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
318 local ok, err = new_role_store:set(username, { |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
319 _default = old_roles[1]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
320 }); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
321 if ok then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
322 migrated = migrated + 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
323 else |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
324 failed = failed + 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
325 print("EE: Failed to store new role info for '"..username.."': "..err); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
326 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
327 else |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
328 print("WW: User '"..username.."' has multiple roles and cannot be automatically migrated"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
329 skipped = skipped + 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
330 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
331 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
332 return migrated, failed, skipped; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
333 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
334 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
335 function module.command(arg) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
336 if arg[1] == "migrate" then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
337 table.remove(arg, 1); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
338 local migrate_host = arg[1]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
339 if not migrate_host or not prosody.hosts[migrate_host] then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
340 print("EE: Please supply a valid host to migrate to the new role storage"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
341 return 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
342 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
343 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
344 -- Initialize storage layer |
|
12977
74b9e05af71e
plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents:
12925
diff
changeset
|
345 require "prosody.core.storagemanager".initialize_host(migrate_host); |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
346 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
347 print("II: Migrating roles..."); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
348 local migrated, failed, skipped = do_migration(migrate_host); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
349 print(("II: %d migrated, %d failed, %d skipped"):format(migrated, failed, skipped)); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
350 return (failed + skipped == 0) and 0 or 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
351 else |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
352 print("EE: Unknown command: "..(arg[1] or "<none given>")); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
353 print(" Hint: try 'migrate'?"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
354 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
355 end |
