Annotate

plugins/mod_authz_internal.lua @ 13249:5884d58707fa

mod_http: Generate URL from configuration in prosodyctl This removes the need to configure e.g. http_external_url or similar settings in order to get correct URLs out of prosodyctl, as the API depends on portmanager to know the actual ports that are used.
author Kim Alvefur <zash@zash.se>
date Wed, 26 Jul 2023 14:39:36 +0200
parent 13232:e0ab20519ce5
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
12977
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
1 local array = require "prosody.util.array";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
2 local it = require "prosody.util.iterators";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
3 local set = require "prosody.util.set";
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
4 local jid_split, jid_bare, jid_host = import("prosody.util.jid", "split", "bare", "host");
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
5 local normalize = require "prosody.util.jid".prep;
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
6 local roles = require "prosody.util.roles";
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
7
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
8 local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize;
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
9 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize;
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
10 local host = module.host;
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
11 local host_suffix = host:gsub("^[^%.]+%.", "");
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
12
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
13 local hosts = prosody.hosts;
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
14 local is_anon_host = module:get_option_string("authentication") == "anonymous";
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
15 local default_user_role = module:get_option_string("default_user_role", is_anon_host and "prosody:guest" or "prosody:registered");
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
16
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
17 local is_component = hosts[host].type == "component";
12740
f58c6ae5edc1 mod_authz_internal: Fix warning due to global use
Kim Alvefur <zash@zash.se>
parents: 12733
diff changeset
18 local host_user_role, server_user_role, public_user_role;
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
19 if is_component then
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
20 host_user_role = module:get_option_string("host_user_role", "prosody:registered");
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
21 server_user_role = module:get_option_string("server_user_role");
12733
2167e1639aab mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents: 12730
diff changeset
22 public_user_role = module:get_option_string("public_user_role");
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
23 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
24
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
25 local role_store = module:open_store("account_roles");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
26 local role_map_store = module:open_store("account_roles", "map");
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
27
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
28 local role_registry = {};
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
29
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
30 function register_role(role)
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
31 if role_registry[role.name] ~= nil then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
32 return error("A role '"..role.name.."' is already registered");
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
33 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
34 if not roles.is_role(role) then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
35 -- Convert table syntax to real role object
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
36 for i, inherited_role in ipairs(role.inherits or {}) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
37 if type(inherited_role) == "string" then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
38 role.inherits[i] = assert(role_registry[inherited_role], "The named role '"..inherited_role.."' is not registered");
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
39 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
40 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
41 if not role.permissions then role.permissions = {}; end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
42 for _, allow_permission in ipairs(role.allow or {}) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
43 role.permissions[allow_permission] = true;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
44 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
45 for _, deny_permission in ipairs(role.deny or {}) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
46 role.permissions[deny_permission] = false;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
47 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
48 role = roles.new(role);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
49 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
50 role_registry[role.name] = role;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
51 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
52
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
53 -- Default roles
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
54
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
55 -- For untrusted guest/anonymous users
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
56 register_role {
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
57 name = "prosody:guest";
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
58 priority = 15;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
59 };
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
60
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
61 -- For e.g. self-registered accounts
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
62 register_role {
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
63 name = "prosody:registered";
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
64 priority = 25;
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
65 inherits = { "prosody:guest" };
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
66 };
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
67
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
68
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
69 -- For trusted/provisioned accounts
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
70 register_role {
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
71 name = "prosody:member";
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
72 priority = 35;
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
73 inherits = { "prosody:registered" };
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
74 };
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
75
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
76 -- For administrators, e.g. of a host
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
77 register_role {
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
78 name = "prosody:admin";
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
79 priority = 50;
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
80 inherits = { "prosody:member" };
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
81 };
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
82
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
83 -- For server operators (full access)
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
84 register_role {
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
85 name = "prosody:operator";
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
86 priority = 75;
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
87 inherits = { "prosody:admin" };
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
88 };
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
89
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
90
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
91 -- Process custom roles from config
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
92
13232
e0ab20519ce5 plugins: Use get_option_array for some list shaped options
Kim Alvefur <zash@zash.se>
parents: 13170
diff changeset
93 local custom_roles = module:get_option_array("custom_roles", {});
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
94 for n, role_config in ipairs(custom_roles) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
95 local ok, err = pcall(register_role, role_config);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
96 if not ok then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
97 module:log("error", "Error registering custom role %s: %s", role_config.name or tostring(n), err);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
98 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
99 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
100
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
101 -- Process custom permissions from config
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
102
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
103 local config_add_perms = module:get_option("add_permissions", {});
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
104 local config_remove_perms = module:get_option("remove_permissions", {});
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
105
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
106 for role_name, added_permissions in pairs(config_add_perms) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
107 if not role_registry[role_name] then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
108 module:log("error", "Cannot add permissions to unknown role '%s'", role_name);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
109 else
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
110 for _, permission in ipairs(added_permissions) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
111 role_registry[role_name]:set_permission(permission, true, true);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
112 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
113 end
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
114 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
115
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
116 for role_name, removed_permissions in pairs(config_remove_perms) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
117 if not role_registry[role_name] then
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
118 module:log("error", "Cannot remove permissions from unknown role '%s'", role_name);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
119 else
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
120 for _, permission in ipairs(removed_permissions) do
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
121 role_registry[role_name]:set_permission(permission, false, true);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
122 end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
123 end
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
124 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
125
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
126 -- Public API
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
127
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
128 -- Get the primary role of a user
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
129 function get_user_role(user)
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
130 local bare_jid = user.."@"..host;
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
131
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
132 -- Check config first
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
133 if config_global_admin_jids:contains(bare_jid) then
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
134 return role_registry["prosody:operator"];
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
135 elseif config_admin_jids:contains(bare_jid) then
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
136 return role_registry["prosody:admin"];
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
137 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
138
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
139 -- Check storage
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
140 local stored_roles, err = role_store:get(user);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
141 if not stored_roles then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
142 if err then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
143 -- Unable to fetch role, fail
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
144 return nil, err;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
145 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
146 -- No role set, use default role
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
147 return role_registry[default_user_role];
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
148 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
149 if stored_roles._default == nil then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
150 -- No primary role explicitly set, return default
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
151 return role_registry[default_user_role];
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
152 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
153 local primary_stored_role = role_registry[stored_roles._default];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
154 if not primary_stored_role then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
155 return nil, "unknown-role";
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
156 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
157 return primary_stored_role;
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
158 end
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
159
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
160 -- Set the primary role of a user
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
161 function set_user_role(user, role_name)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
162 local role = role_registry[role_name];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
163 if not role then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
164 return error("Cannot assign default user an unknown role: "..tostring(role_name));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
165 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
166 local keys_update = {
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
167 _default = role_name;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
168 -- Primary role cannot be secondary role
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
169 [role_name] = role_map_store.remove;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
170 };
13170
082c7d856e61 core, plugins: Split prosody:user role into prosody:{guest,registered,member}
Matthew Wild <mwild1@gmail.com>
parents: 12977
diff changeset
171 if role_name == default_user_role then
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
172 -- Don't store default
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
173 keys_update._default = role_map_store.remove;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
174 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
175 local ok, err = role_map_store:set_keys(user, keys_update);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
176 if not ok then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
177 return nil, err;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
178 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
179 return role;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
180 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
181
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
182 function add_user_secondary_role(user, role_name)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
183 if not role_registry[role_name] then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
184 return error("Cannot assign default user an unknown role: "..tostring(role_name));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
185 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
186 role_map_store:set(user, role_name, true);
11472
c32753ceb0f0 mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents: 10659
diff changeset
187 end
c32753ceb0f0 mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents: 10659
diff changeset
188
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
189 function remove_user_secondary_role(user, role_name)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
190 role_map_store:set(user, role_name, nil);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
191 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
192
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
193 function get_user_secondary_roles(user)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
194 local stored_roles, err = role_store:get(user);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
195 if not stored_roles then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
196 if err then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
197 -- Unable to fetch role, fail
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
198 return nil, err;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
199 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
200 -- No role set
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
201 return {};
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
202 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
203 stored_roles._default = nil;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
204 for role_name in pairs(stored_roles) do
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
205 stored_roles[role_name] = role_registry[role_name];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
206 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
207 return stored_roles;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
208 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
209
12663
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
210 function user_can_assume_role(user, role_name)
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
211 local primary_role = get_user_role(user);
12925
6cb339423928 mod_authz_internal: Fix wrong role name field in user_can_assume_role()
Kim Alvefur <zash@zash.se>
parents: 12920
diff changeset
212 if primary_role and primary_role.name == role_name then
12663
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
213 return true;
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
214 end
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
215 local secondary_roles = get_user_secondary_roles(user);
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
216 if secondary_roles and secondary_roles[role_name] then
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
217 return true;
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
218 end
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
219 return false;
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
220 end
cf88f6b03942 mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents: 12662
diff changeset
221
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
222 -- This function is *expensive*
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
223 function get_users_with_role(role_name)
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
224 local function role_filter(username, default_role) --luacheck: ignore 212/username
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
225 return default_role == role_name;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
226 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
227 local primary_role_users = set.new(it.to_array(it.filter(role_filter, pairs(role_map_store:get_all("_default") or {}))));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
228 local secondary_role_users = set.new(it.to_array(it.keys(role_map_store:get_all(role_name) or {})));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
229
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
230 local config_set;
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
231 if role_name == "prosody:admin" then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
232 config_set = config_admin_jids;
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
233 elseif role_name == "prosody:operator" then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
234 config_set = config_global_admin_jids;
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
235 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
236 if config_set then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
237 local config_admin_users = config_set / function (admin_jid)
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
238 local j_node, j_host = jid_split(admin_jid);
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
239 if j_host == host then
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
240 return j_node;
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
241 end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
242 end;
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
243 return it.to_array(config_admin_users + primary_role_users + secondary_role_users);
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
244 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
245 return it.to_array(primary_role_users + secondary_role_users);
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
246 end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
247
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
248 function get_jid_role(jid)
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
249 local bare_jid = jid_bare(jid);
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
250 if config_global_admin_jids:contains(bare_jid) then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
251 return role_registry["prosody:operator"];
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
252 elseif config_admin_jids:contains(bare_jid) then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
253 return role_registry["prosody:admin"];
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
254 elseif is_component then
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
255 local user_host = jid_host(bare_jid);
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
256 if host_user_role and user_host == host_suffix then
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
257 return role_registry[host_user_role];
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
258 elseif server_user_role and hosts[user_host] then
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
259 return role_registry[server_user_role];
12733
2167e1639aab mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents: 12730
diff changeset
260 elseif public_user_role then
2167e1639aab mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents: 12730
diff changeset
261 return role_registry[public_user_role];
12730
427dd01f0864 mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents: 12663
diff changeset
262 end
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
263 end
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
264 return nil;
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
265 end
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff changeset
266
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
267 function set_jid_role(jid, role_name) -- luacheck: ignore 212
11472
c32753ceb0f0 mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents: 10659
diff changeset
268 return false;
c32753ceb0f0 mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents: 10659
diff changeset
269 end
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
270
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
271 function get_jids_with_role(role_name)
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
272 -- Fetch role users from storage
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
273 local storage_role_jids = array.map(get_users_with_role(role_name), function (username)
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
274 return username.."@"..host;
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
275 end);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
276 if role_name == "prosody:admin" then
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
277 return it.to_array(config_admin_jids + set.new(storage_role_jids));
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
278 elseif role_name == "prosody:operator" then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
279 return it.to_array(config_global_admin_jids + set.new(storage_role_jids));
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
280 end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
281 return storage_role_jids;
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11474
diff changeset
282 end
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
283
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
284 function add_default_permission(role_name, action, policy)
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
285 local role = role_registry[role_name];
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
286 if not role then
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
287 module:log("warn", "Attempt to add default permission for unknown role: %s", role_name);
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
288 return nil, "no-such-role";
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
289 end
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
290 if policy == nil then policy = true; end
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
291 module:log("debug", "Adding policy %s for permission %s on role %s", policy, action, role_name);
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
292 return role:set_permission(action, policy);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
293 end
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
294
12648
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
295 function get_role_by_name(role_name)
f299e570a0fe mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents: 12642
diff changeset
296 return assert(role_registry[role_name], role_name);
12642
9061f9621330 Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
297 end
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
298
12920
cdb996637b08 authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents: 12740
diff changeset
299 function get_all_roles()
cdb996637b08 authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents: 12740
diff changeset
300 return role_registry;
cdb996637b08 authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents: 12740
diff changeset
301 end
cdb996637b08 authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents: 12740
diff changeset
302
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
303 -- COMPAT: Migrate from 0.12 role storage
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
304 local function do_migration(migrate_host)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
305 local old_role_store = assert(module:context(migrate_host):open_store("roles"));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
306 local new_role_store = assert(module:context(migrate_host):open_store("account_roles"));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
307
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
308 local migrated, failed, skipped = 0, 0, 0;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
309 -- Iterate all users
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
310 for username in assert(old_role_store:users()) do
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
311 local old_roles = it.to_array(it.filter(function (k) return k:sub(1,1) ~= "_"; end, it.keys(old_role_store:get(username))));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
312 if #old_roles == 1 then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
313 local ok, err = new_role_store:set(username, {
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
314 _default = old_roles[1];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
315 });
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
316 if ok then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
317 migrated = migrated + 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
318 else
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
319 failed = failed + 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
320 print("EE: Failed to store new role info for '"..username.."': "..err);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
321 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
322 else
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
323 print("WW: User '"..username.."' has multiple roles and cannot be automatically migrated");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
324 skipped = skipped + 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
325 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
326 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
327 return migrated, failed, skipped;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
328 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
329
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
330 function module.command(arg)
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
331 if arg[1] == "migrate" then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
332 table.remove(arg, 1);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
333 local migrate_host = arg[1];
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
334 if not migrate_host or not prosody.hosts[migrate_host] then
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
335 print("EE: Please supply a valid host to migrate to the new role storage");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
336 return 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
337 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
338
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
339 -- Initialize storage layer
12977
74b9e05af71e plugins: Prefix module imports with prosody namespace
Kim Alvefur <zash@zash.se>
parents: 12925
diff changeset
340 require "prosody.core.storagemanager".initialize_host(migrate_host);
12662
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
341
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
342 print("II: Migrating roles...");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
343 local migrated, failed, skipped = do_migration(migrate_host);
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
344 print(("II: %d migrated, %d failed, %d skipped"):format(migrated, failed, skipped));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
345 return (failed + skipped == 0) and 0 or 1;
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
346 else
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
347 print("EE: Unknown command: "..(arg[1] or "<none given>"));
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
348 print(" Hint: try 'migrate'?");
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
349 end
07424992d7fc mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents: 12648
diff changeset
350 end