Software /
code /
prosody
Annotate
plugins/mod_authz_internal.lua @ 12925:6cb339423928
mod_authz_internal: Fix wrong role name field in user_can_assume_role()
Made it reject the primary role since it compares against a non-existent
field, i.e. nil.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 09 Mar 2023 16:02:55 +0100 |
parent | 12920:cdb996637b08 |
child | 12977:74b9e05af71e |
rev | line source |
---|---|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
1 local array = require "util.array"; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
2 local it = require "util.iterators"; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
3 local set = require "util.set"; |
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
4 local jid_split, jid_bare, jid_host = import("util.jid", "split", "bare", "host"); |
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 local normalize = require "util.jid".prep; |
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
6 local roles = require "util.roles"; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
7 |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
8 local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize; |
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
9 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize; |
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local host = module.host; |
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
11 local host_suffix = host:gsub("^[^%.]+%.", ""); |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
12 |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
13 local hosts = prosody.hosts; |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
14 local is_component = hosts[host].type == "component"; |
12740
f58c6ae5edc1
mod_authz_internal: Fix warning due to global use
Kim Alvefur <zash@zash.se>
parents:
12733
diff
changeset
|
15 local host_user_role, server_user_role, public_user_role; |
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
16 if is_component then |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
17 host_user_role = module:get_option_string("host_user_role", "prosody:user"); |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
18 server_user_role = module:get_option_string("server_user_role"); |
12733
2167e1639aab
mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents:
12730
diff
changeset
|
19 public_user_role = module:get_option_string("public_user_role"); |
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
20 end |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
21 |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
22 local role_store = module:open_store("account_roles"); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
23 local role_map_store = module:open_store("account_roles", "map"); |
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
24 |
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
25 local role_registry = {}; |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
26 |
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
27 function register_role(role) |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
28 if role_registry[role.name] ~= nil then |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
29 return error("A role '"..role.name.."' is already registered"); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
30 end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
31 if not roles.is_role(role) then |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
32 -- Convert table syntax to real role object |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
33 for i, inherited_role in ipairs(role.inherits or {}) do |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
34 if type(inherited_role) == "string" then |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
35 role.inherits[i] = assert(role_registry[inherited_role], "The named role '"..inherited_role.."' is not registered"); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
36 end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
37 end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
38 if not role.permissions then role.permissions = {}; end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
39 for _, allow_permission in ipairs(role.allow or {}) do |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
40 role.permissions[allow_permission] = true; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
41 end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
42 for _, deny_permission in ipairs(role.deny or {}) do |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
43 role.permissions[deny_permission] = false; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
44 end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
45 role = roles.new(role); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
46 end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
47 role_registry[role.name] = role; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
48 end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
49 |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
50 -- Default roles |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
51 register_role { |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
52 name = "prosody:restricted"; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
53 priority = 15; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
54 }; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
55 |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
56 register_role { |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
57 name = "prosody:user"; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
58 priority = 25; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
59 inherits = { "prosody:restricted" }; |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
60 }; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
61 |
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
62 register_role { |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
63 name = "prosody:admin"; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
64 priority = 50; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
65 inherits = { "prosody:user" }; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
66 }; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
67 |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
68 register_role { |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
69 name = "prosody:operator"; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
70 priority = 75; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
71 inherits = { "prosody:admin" }; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
72 }; |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
73 |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
74 |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
75 -- Process custom roles from config |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
76 |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
77 local custom_roles = module:get_option("custom_roles", {}); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
78 for n, role_config in ipairs(custom_roles) do |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
79 local ok, err = pcall(register_role, role_config); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
80 if not ok then |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
81 module:log("error", "Error registering custom role %s: %s", role_config.name or tostring(n), err); |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
82 end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
83 end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
84 |
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
85 -- Process custom permissions from config |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
86 |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
87 local config_add_perms = module:get_option("add_permissions", {}); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
88 local config_remove_perms = module:get_option("remove_permissions", {}); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
89 |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
90 for role_name, added_permissions in pairs(config_add_perms) do |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
91 if not role_registry[role_name] then |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
92 module:log("error", "Cannot add permissions to unknown role '%s'", role_name); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
93 else |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
94 for _, permission in ipairs(added_permissions) do |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
95 role_registry[role_name]:set_permission(permission, true, true); |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
96 end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
97 end |
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
98 end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
99 |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
100 for role_name, removed_permissions in pairs(config_remove_perms) do |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
101 if not role_registry[role_name] then |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
102 module:log("error", "Cannot remove permissions from unknown role '%s'", role_name); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
103 else |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
104 for _, permission in ipairs(removed_permissions) do |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
105 role_registry[role_name]:set_permission(permission, false, true); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
106 end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
107 end |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
108 end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
109 |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
110 -- Public API |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
111 |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
112 -- Get the primary role of a user |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
113 function get_user_role(user) |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
114 local bare_jid = user.."@"..host; |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
115 |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
116 -- Check config first |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
117 if config_global_admin_jids:contains(bare_jid) then |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
118 return role_registry["prosody:operator"]; |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
119 elseif config_admin_jids:contains(bare_jid) then |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
120 return role_registry["prosody:admin"]; |
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
121 end |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
122 |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
123 -- Check storage |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
124 local stored_roles, err = role_store:get(user); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
125 if not stored_roles then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
126 if err then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
127 -- Unable to fetch role, fail |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
128 return nil, err; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
129 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
130 -- No role set, use default role |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
131 return role_registry["prosody:user"]; |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
132 end |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
133 if stored_roles._default == nil then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
134 -- No primary role explicitly set, return default |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
135 return role_registry["prosody:user"]; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
136 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
137 local primary_stored_role = role_registry[stored_roles._default]; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
138 if not primary_stored_role then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
139 return nil, "unknown-role"; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
140 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
141 return primary_stored_role; |
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
142 end |
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
143 |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
144 -- Set the primary role of a user |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
145 function set_user_role(user, role_name) |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
146 local role = role_registry[role_name]; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
147 if not role then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
148 return error("Cannot assign default user an unknown role: "..tostring(role_name)); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
149 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
150 local keys_update = { |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
151 _default = role_name; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
152 -- Primary role cannot be secondary role |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
153 [role_name] = role_map_store.remove; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
154 }; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
155 if role_name == "prosody:user" then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
156 -- Don't store default |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
157 keys_update._default = role_map_store.remove; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
158 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
159 local ok, err = role_map_store:set_keys(user, keys_update); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
160 if not ok then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
161 return nil, err; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
162 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
163 return role; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
164 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
165 |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
166 function add_user_secondary_role(user, role_name) |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
167 if not role_registry[role_name] then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
168 return error("Cannot assign default user an unknown role: "..tostring(role_name)); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
169 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
170 role_map_store:set(user, role_name, true); |
11472
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
171 end |
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
172 |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
173 function remove_user_secondary_role(user, role_name) |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
174 role_map_store:set(user, role_name, nil); |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
175 end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
176 |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
177 function get_user_secondary_roles(user) |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
178 local stored_roles, err = role_store:get(user); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
179 if not stored_roles then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
180 if err then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
181 -- Unable to fetch role, fail |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
182 return nil, err; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
183 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
184 -- No role set |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
185 return {}; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
186 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
187 stored_roles._default = nil; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
188 for role_name in pairs(stored_roles) do |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
189 stored_roles[role_name] = role_registry[role_name]; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
190 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
191 return stored_roles; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
192 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
193 |
12663
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
194 function user_can_assume_role(user, role_name) |
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
195 local primary_role = get_user_role(user); |
12925
6cb339423928
mod_authz_internal: Fix wrong role name field in user_can_assume_role()
Kim Alvefur <zash@zash.se>
parents:
12920
diff
changeset
|
196 if primary_role and primary_role.name == role_name then |
12663
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
197 return true; |
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
198 end |
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
199 local secondary_roles = get_user_secondary_roles(user); |
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
200 if secondary_roles and secondary_roles[role_name] then |
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
201 return true; |
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
202 end |
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
203 return false; |
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
204 end |
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
205 |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
206 -- This function is *expensive* |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
207 function get_users_with_role(role_name) |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
208 local function role_filter(username, default_role) --luacheck: ignore 212/username |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
209 return default_role == role_name; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
210 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
211 local primary_role_users = set.new(it.to_array(it.filter(role_filter, pairs(role_map_store:get_all("_default") or {})))); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
212 local secondary_role_users = set.new(it.to_array(it.keys(role_map_store:get_all(role_name) or {}))); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
213 |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
214 local config_set; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
215 if role_name == "prosody:admin" then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
216 config_set = config_admin_jids; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
217 elseif role_name == "prosody:operator" then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
218 config_set = config_global_admin_jids; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
219 end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
220 if config_set then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
221 local config_admin_users = config_set / function (admin_jid) |
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
222 local j_node, j_host = jid_split(admin_jid); |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
223 if j_host == host then |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
224 return j_node; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
225 end |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
226 end; |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
227 return it.to_array(config_admin_users + primary_role_users + secondary_role_users); |
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
228 end |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
229 return it.to_array(primary_role_users + secondary_role_users); |
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
230 end |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
231 |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
232 function get_jid_role(jid) |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
233 local bare_jid = jid_bare(jid); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
234 if config_global_admin_jids:contains(bare_jid) then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
235 return role_registry["prosody:operator"]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
236 elseif config_admin_jids:contains(bare_jid) then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
237 return role_registry["prosody:admin"]; |
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
238 elseif is_component then |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
239 local user_host = jid_host(bare_jid); |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
240 if host_user_role and user_host == host_suffix then |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
241 return role_registry[host_user_role]; |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
242 elseif server_user_role and hosts[user_host] then |
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
243 return role_registry[server_user_role]; |
12733
2167e1639aab
mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents:
12730
diff
changeset
|
244 elseif public_user_role then |
2167e1639aab
mod_authz_internal: Allow specifying default role for public (remote) users
Matthew Wild <mwild1@gmail.com>
parents:
12730
diff
changeset
|
245 return role_registry[public_user_role]; |
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
246 end |
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
247 end |
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
248 return nil; |
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
249 end |
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
250 |
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
251 function set_jid_role(jid, role_name) -- luacheck: ignore 212 |
11472
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
252 return false; |
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
253 end |
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
254 |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
255 function get_jids_with_role(role_name) |
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
256 -- Fetch role users from storage |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
257 local storage_role_jids = array.map(get_users_with_role(role_name), function (username) |
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
258 return username.."@"..host; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
259 end); |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
260 if role_name == "prosody:admin" then |
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
261 return it.to_array(config_admin_jids + set.new(storage_role_jids)); |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
262 elseif role_name == "prosody:operator" then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
263 return it.to_array(config_global_admin_jids + set.new(storage_role_jids)); |
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
264 end |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
265 return storage_role_jids; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
266 end |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
267 |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
268 function add_default_permission(role_name, action, policy) |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
269 local role = role_registry[role_name]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
270 if not role then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
271 module:log("warn", "Attempt to add default permission for unknown role: %s", role_name); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
272 return nil, "no-such-role"; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
273 end |
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
274 if policy == nil then policy = true; end |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
275 module:log("debug", "Adding policy %s for permission %s on role %s", policy, action, role_name); |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
276 return role:set_permission(action, policy); |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
277 end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
278 |
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
279 function get_role_by_name(role_name) |
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
280 return assert(role_registry[role_name], role_name); |
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
281 end |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
282 |
12920
cdb996637b08
authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents:
12740
diff
changeset
|
283 function get_all_roles() |
cdb996637b08
authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents:
12740
diff
changeset
|
284 return role_registry; |
cdb996637b08
authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents:
12740
diff
changeset
|
285 end |
cdb996637b08
authz: Add method for retrieving all roles
Kim Alvefur <zash@zash.se>
parents:
12740
diff
changeset
|
286 |
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
287 -- COMPAT: Migrate from 0.12 role storage |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
288 local function do_migration(migrate_host) |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
289 local old_role_store = assert(module:context(migrate_host):open_store("roles")); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
290 local new_role_store = assert(module:context(migrate_host):open_store("account_roles")); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
291 |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
292 local migrated, failed, skipped = 0, 0, 0; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
293 -- Iterate all users |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
294 for username in assert(old_role_store:users()) do |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
295 local old_roles = it.to_array(it.filter(function (k) return k:sub(1,1) ~= "_"; end, it.keys(old_role_store:get(username)))); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
296 if #old_roles == 1 then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
297 local ok, err = new_role_store:set(username, { |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
298 _default = old_roles[1]; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
299 }); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
300 if ok then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
301 migrated = migrated + 1; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
302 else |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
303 failed = failed + 1; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
304 print("EE: Failed to store new role info for '"..username.."': "..err); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
305 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
306 else |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
307 print("WW: User '"..username.."' has multiple roles and cannot be automatically migrated"); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
308 skipped = skipped + 1; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
309 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
310 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
311 return migrated, failed, skipped; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
312 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
313 |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
314 function module.command(arg) |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
315 if arg[1] == "migrate" then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
316 table.remove(arg, 1); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
317 local migrate_host = arg[1]; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
318 if not migrate_host or not prosody.hosts[migrate_host] then |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
319 print("EE: Please supply a valid host to migrate to the new role storage"); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
320 return 1; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
321 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
322 |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
323 -- Initialize storage layer |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
324 require "core.storagemanager".initialize_host(migrate_host); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
325 |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
326 print("II: Migrating roles..."); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
327 local migrated, failed, skipped = do_migration(migrate_host); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
328 print(("II: %d migrated, %d failed, %d skipped"):format(migrated, failed, skipped)); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
329 return (failed + skipped == 0) and 0 or 1; |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
330 else |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
331 print("EE: Unknown command: "..(arg[1] or "<none given>")); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
332 print(" Hint: try 'migrate'?"); |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
333 end |
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
334 end |