Annotate

core/usermanager.lua @ 12642:9061f9621330

Switch to a new role-based authorization framework, removing is_admin() We began moving away from simple "is this user an admin?" permission checks before 0.12, with the introduction of mod_authz_internal and the ability to dynamically change the roles of individual users. The approach in 0.12 still had various limitations however, and apart from the introduction of roles other than "admin" and the ability to pull that info from storage, not much actually changed. This new framework shakes things up a lot, though aims to maintain the same functionality and behaviour on the surface for a default Prosody configuration. That is, if you don't take advantage of any of the new features, you shouldn't notice any change. The biggest change visible to developers is that usermanager.is_admin() (and the auth provider is_admin() method) have been removed. Gone. Completely. Permission checks should now be performed using a new module API method: module:may(action_name, context) This method accepts an action name, followed by either a JID (string) or (preferably) a table containing 'origin'/'session' and 'stanza' fields (e.g. the standard object passed to most events). It will return true if the action should be permitted, or false/nil otherwise. Modules should no longer perform permission checks based on the role name. E.g. a lot of code previously checked if the user's role was prosody:admin before permitting some action. Since many roles might now exist with similar permissions, and the permissions of prosody:admin may be redefined dynamically, it is no longer suitable to use this method for permission checks. Use module:may(). If you start an action name with ':' (recommended) then the current module's name will automatically be used as a prefix. To define a new permission, use the new module API: module:default_permission(role_name, action_name) module:default_permissions(role_name, { action_name[, action_name...] }) This grants the specified role permission to execute the named action(s) by default. This may be overridden via other mechanisms external to your module. The built-in roles that developers should use are: - prosody:user (normal user) - prosody:admin (host admin) - prosody:operator (global admin) The new prosody:operator role is intended for server-wide actions (such as shutting down Prosody). Finally, all usage of is_admin() in modules has been fixed by this commit. Some of these changes were trickier than others, but no change is expected to break existing deployments. EXCEPT: mod_auth_ldap no longer supports the ldap_admin_filter option. It's very possible nobody is using this, but if someone is then we can later update it to pull roles from LDAP somehow.
author Matthew Wild <mwild1@gmail.com>
date Wed, 15 Jun 2022 12:15:01 +0100
parent 12333:ed8a4f8dfd27
child 12646:3f38f4735c7a
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1523
841d61be198f Remove version number from copyright headers
Matthew Wild <mwild1@gmail.com>
parents: 896
diff changeset
1 -- Prosody IM
2923
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2032
diff changeset
2 -- Copyright (C) 2008-2010 Matthew Wild
b7049746bd29 Update copyright headers for 2010
Matthew Wild <mwild1@gmail.com>
parents: 2032
diff changeset
3 -- Copyright (C) 2008-2010 Waqas Hussain
1585
edc066730d11 Switch to using a more generic credentials_callback/handler for SASL auth.
nick@lupine.me.uk
parents: 1523
diff changeset
4 --
758
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 615
diff changeset
5 -- This project is MIT/X11 licensed. Please see the
b1885732e979 GPL->MIT!
Matthew Wild <mwild1@gmail.com>
parents: 615
diff changeset
6 -- COPYING file in the source package for more information.
519
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
7 --
cccd610a0ef9 Insert copyright/license headers
Matthew Wild <mwild1@gmail.com>
parents: 449
diff changeset
8
3180
99be525bcfb4 Rename mod_defaultauth -> mod_auth_internal, mod_hashpassauth -> mod_auth_internal_hashed, and the providers to internal and internal_hashed respectively. Also no longer auto-load defaultauth, but instead auto-load the plugin selected for each host at startup based on the provider name.
Matthew Wild <mwild1@gmail.com>
parents: 3177
diff changeset
9 local modulemanager = require "core.modulemanager";
53
14ea0fe6ca86 Session destruction fixes, some debugging code while we fix the rest. Also change logger to be more useful.
Matthew Wild <mwild1@gmail.com>
parents: 38
diff changeset
10 local log = require "util.logger".init("usermanager");
890
5b8da51b0843 usermanager: Added is_admin(jid)
Waqas Hussain <waqas20@gmail.com>
parents: 760
diff changeset
11 local type = type;
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
12 local it = require "util.iterators";
890
5b8da51b0843 usermanager: Added is_admin(jid)
Waqas Hussain <waqas20@gmail.com>
parents: 760
diff changeset
13 local jid_bare = require "util.jid".bare;
10633
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
14 local jid_split = require "util.jid".split;
4459
2ccc386b9913 usermanager: Prep admin JIDs (fixes issue#276).
Waqas Hussain <waqas20@gmail.com>
parents: 4237
diff changeset
15 local jid_prep = require "util.jid".prep;
890
5b8da51b0843 usermanager: Added is_admin(jid)
Waqas Hussain <waqas20@gmail.com>
parents: 760
diff changeset
16 local config = require "core.configmanager";
3362
90bf162303f3 usermanager: Return a non-nil SASL handler from the null auth provider (fixes a traceback).
Waqas Hussain <waqas20@gmail.com>
parents: 3336
diff changeset
17 local sasl_new = require "util.sasl".new;
5042
ce823b32225e usermanager: Add method for deleting a user
Kim Alvefur <zash@zash.se>
parents: 4943
diff changeset
18 local storagemanager = require "core.storagemanager";
10633
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
19 local set = require "util.set";
0
3e3171b59028 First commit, where do you want to go tomorrow?
matthew
parents:
diff changeset
20
2987
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
21 local prosody = _G.prosody;
8717
9ddd0fbbe53a core: Use prosody.hosts instead of _G.hosts for consistency
Kim Alvefur <zash@zash.se>
parents: 8555
diff changeset
22 local hosts = prosody.hosts;
2987
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
23
3161
73e93a48c0c1 Update usermanager to not crash, etc.
Jeff Mitchell <jeff@jefferai.org>
parents: 3160
diff changeset
24 local setmetatable = setmetatable;
73e93a48c0c1 Update usermanager to not crash, etc.
Jeff Mitchell <jeff@jefferai.org>
parents: 3160
diff changeset
25
12333
ed8a4f8dfd27 usermanager, mod_saslauth: Default to internal_hashed if no auth module specified
Matthew Wild <mwild1@gmail.com>
parents: 12020
diff changeset
26 local default_provider = "internal_hashed";
3180
99be525bcfb4 Rename mod_defaultauth -> mod_auth_internal, mod_hashpassauth -> mod_auth_internal_hashed, and the providers to internal and internal_hashed respectively. Also no longer auto-load defaultauth, but instead auto-load the plugin selected for each host at startup based on the provider name.
Matthew Wild <mwild1@gmail.com>
parents: 3177
diff changeset
27
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
28 local _ENV = nil;
8555
4f0f5b49bb03 vairious: Add annotation when an empty environment is set [luacheck]
Kim Alvefur <zash@zash.se>
parents: 8192
diff changeset
29 -- luacheck: std none
0
3e3171b59028 First commit, where do you want to go tomorrow?
matthew
parents:
diff changeset
30
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
31 local function new_null_provider()
3991
2b86d7705f4e usermanager: Change dummy provider method to return an error string also (method not implemented)
Matthew Wild <mwild1@gmail.com>
parents: 3982
diff changeset
32 local function dummy() return nil, "method not implemented"; end;
3362
90bf162303f3 usermanager: Return a non-nil SASL handler from the null auth provider (fixes a traceback).
Waqas Hussain <waqas20@gmail.com>
parents: 3336
diff changeset
33 local function dummy_get_sasl_handler() return sasl_new(nil, {}); end
3991
2b86d7705f4e usermanager: Change dummy provider method to return an error string also (method not implemented)
Matthew Wild <mwild1@gmail.com>
parents: 3982
diff changeset
34 return setmetatable({name = "null", get_sasl_handler = dummy_get_sasl_handler}, {
6663
d3023dd07cb6 portmanager, s2smanager, sessionmanager, stanza_router, storagemanager, usermanager, util.xml: Add luacheck annotations
Matthew Wild <mwild1@gmail.com>
parents: 6628
diff changeset
35 __index = function(self, method) return dummy; end --luacheck: ignore 212
3991
2b86d7705f4e usermanager: Change dummy provider method to return an error string also (method not implemented)
Matthew Wild <mwild1@gmail.com>
parents: 3982
diff changeset
36 });
3161
73e93a48c0c1 Update usermanager to not crash, etc.
Jeff Mitchell <jeff@jefferai.org>
parents: 3160
diff changeset
37 end
73e93a48c0c1 Update usermanager to not crash, etc.
Jeff Mitchell <jeff@jefferai.org>
parents: 3160
diff changeset
38
10633
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
39 local global_admins_config = config.get("*", "admins");
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
40 if type(global_admins_config) ~= "table" then
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
41 global_admins_config = nil; -- TODO: factor out moduleapi magic config handling and use it here
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
42 end
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
43 local global_admins = set.new(global_admins_config) / jid_prep;
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
44
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
45 local admin_role = { ["prosody:admin"] = true };
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
46 local global_authz_provider = {
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
47 get_user_roles = function (user) end; --luacheck: ignore 212/user
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
48 get_jid_roles = function (jid)
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
49 if global_admins:contains(jid) then
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
50 return admin_role;
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
51 end
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
52 end;
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
53 get_jids_with_role = function (role)
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
54 if role ~= "prosody:admin" then return {}; end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
55 return it.to_array(global_admins);
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
56 end;
12020
a949f1aae171 core.usermanager: Implement noop role writes on global authz provider
Kim Alvefur <zash@zash.se>
parents: 11898
diff changeset
57 set_user_roles = function (user, roles) end; -- luacheck: ignore 212
a949f1aae171 core.usermanager: Implement noop role writes on global authz provider
Kim Alvefur <zash@zash.se>
parents: 11898
diff changeset
58 set_jid_roles = function (jid, roles) end; -- luacheck: ignore 212
10633
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
59 };
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
60
3992
73075b004e77 usermanager: Have methods not implemented in the active provider fall back to the null provider (later we can add support for chains of providers)
Matthew Wild <mwild1@gmail.com>
parents: 3991
diff changeset
61 local provider_mt = { __index = new_null_provider() };
73075b004e77 usermanager: Have methods not implemented in the active provider fall back to the null provider (later we can add support for chains of providers)
Matthew Wild <mwild1@gmail.com>
parents: 3991
diff changeset
62
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
63 local function initialize_host(host)
2987
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
64 local host_session = hosts[host];
10634
c9e1cb7a38b8 usermanager: Load authz providers on components also
Matthew Wild <mwild1@gmail.com>
parents: 10633
diff changeset
65
10659
8f95308c3c45 usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents: 10640
diff changeset
66 local authz_provider_name = config.get(host, "authorization") or "internal";
10634
c9e1cb7a38b8 usermanager: Load authz providers on components also
Matthew Wild <mwild1@gmail.com>
parents: 10633
diff changeset
67
c9e1cb7a38b8 usermanager: Load authz providers on components also
Matthew Wild <mwild1@gmail.com>
parents: 10633
diff changeset
68 local authz_mod = modulemanager.load(host, "authz_"..authz_provider_name);
c9e1cb7a38b8 usermanager: Load authz providers on components also
Matthew Wild <mwild1@gmail.com>
parents: 10633
diff changeset
69 host_session.authz = authz_mod or global_authz_provider;
c9e1cb7a38b8 usermanager: Load authz providers on components also
Matthew Wild <mwild1@gmail.com>
parents: 10633
diff changeset
70
3612
5547acd18a9f usermanager: Don't load auth modules for components.
Waqas Hussain <waqas20@gmail.com>
parents: 3608
diff changeset
71 if host_session.type ~= "local" then return; end
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5377
diff changeset
72
3163
a23168cc4af5 Working defaultauth
Jeff Mitchell <jeff@jefferai.org>
parents: 3161
diff changeset
73 host_session.events.add_handler("item-added/auth-provider", function (event)
a23168cc4af5 Working defaultauth
Jeff Mitchell <jeff@jefferai.org>
parents: 3161
diff changeset
74 local provider = event.item;
5377
898454038524 core.*: Complete removal of all traces of the "core" section and section-related code.
Kim Alvefur <zash@zash.se>
parents: 5157
diff changeset
75 local auth_provider = config.get(host, "authentication") or default_provider;
898454038524 core.*: Complete removal of all traces of the "core" section and section-related code.
Kim Alvefur <zash@zash.se>
parents: 5157
diff changeset
76 if config.get(host, "anonymous_login") then
4773
ee55956597f4 usermanager: Add log error for use of COMPAT config option 'anonymous_login'. To be removed in next version.
Matthew Wild <mwild1@gmail.com>
parents: 4459
diff changeset
77 log("error", "Deprecated config option 'anonymous_login'. Use authentication = 'anonymous' instead.");
ee55956597f4 usermanager: Add log error for use of COMPAT config option 'anonymous_login'. To be removed in next version.
Matthew Wild <mwild1@gmail.com>
parents: 4459
diff changeset
78 auth_provider = "anonymous";
ee55956597f4 usermanager: Add log error for use of COMPAT config option 'anonymous_login'. To be removed in next version.
Matthew Wild <mwild1@gmail.com>
parents: 4459
diff changeset
79 end -- COMPAT 0.7
3180
99be525bcfb4 Rename mod_defaultauth -> mod_auth_internal, mod_hashpassauth -> mod_auth_internal_hashed, and the providers to internal and internal_hashed respectively. Also no longer auto-load defaultauth, but instead auto-load the plugin selected for each host at startup based on the provider name.
Matthew Wild <mwild1@gmail.com>
parents: 3177
diff changeset
80 if provider.name == auth_provider then
3992
73075b004e77 usermanager: Have methods not implemented in the active provider fall back to the null provider (later we can add support for chains of providers)
Matthew Wild <mwild1@gmail.com>
parents: 3991
diff changeset
81 host_session.users = setmetatable(provider, provider_mt);
2987
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
82 end
3164
db9def53fe9c Check in mod_hashpassauth -- works!
Jeff Mitchell <jeff@jefferai.org>
parents: 3163
diff changeset
83 if host_session.users ~= nil and host_session.users.name ~= nil then
6628
8495734da243 usermanager: Capitalize log message
Kim Alvefur <zash@zash.se>
parents: 5795
diff changeset
84 log("debug", "Host '%s' now set to use user provider '%s'", host, host_session.users.name);
3163
a23168cc4af5 Working defaultauth
Jeff Mitchell <jeff@jefferai.org>
parents: 3161
diff changeset
85 end
2987
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
86 end);
3163
a23168cc4af5 Working defaultauth
Jeff Mitchell <jeff@jefferai.org>
parents: 3161
diff changeset
87 host_session.events.add_handler("item-removed/auth-provider", function (event)
a23168cc4af5 Working defaultauth
Jeff Mitchell <jeff@jefferai.org>
parents: 3161
diff changeset
88 local provider = event.item;
2987
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
89 if host_session.users == provider then
3161
73e93a48c0c1 Update usermanager to not crash, etc.
Jeff Mitchell <jeff@jefferai.org>
parents: 3160
diff changeset
90 host_session.users = new_null_provider();
2987
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
91 end
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
92 end);
3540
bc139431830b Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents: 3466
diff changeset
93 host_session.users = new_null_provider(); -- Start with the default usermanager provider
5377
898454038524 core.*: Complete removal of all traces of the "core" section and section-related code.
Kim Alvefur <zash@zash.se>
parents: 5157
diff changeset
94 local auth_provider = config.get(host, "authentication") or default_provider;
898454038524 core.*: Complete removal of all traces of the "core" section and section-related code.
Kim Alvefur <zash@zash.se>
parents: 5157
diff changeset
95 if config.get(host, "anonymous_login") then auth_provider = "anonymous"; end -- COMPAT 0.7
3540
bc139431830b Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents: 3466
diff changeset
96 if auth_provider ~= "null" then
bc139431830b Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents: 3466
diff changeset
97 modulemanager.load(host, "auth_"..auth_provider);
bc139431830b Monster whitespace commit (beware the whitespace monster).
Waqas Hussain <waqas20@gmail.com>
parents: 3466
diff changeset
98 end
10633
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
99
3176
f77759710324 usermanager: Add hunk that got missed in a merge
Matthew Wild <mwild1@gmail.com>
parents: 3167
diff changeset
100 end;
3293
4ce9d569a99c usermanager: Expose host_handler() as initialize_host()
Matthew Wild <mwild1@gmail.com>
parents: 3285
diff changeset
101 prosody.events.add_handler("host-activated", initialize_host, 100);
2987
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
102
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
103 local function test_password(username, host, password)
3158
3d42e0092888 Backed out changeset 8bd3857a75ee
Matthew Wild <mwild1@gmail.com>
parents: 3053
diff changeset
104 return hosts[host].users.test_password(username, password);
0
3e3171b59028 First commit, where do you want to go tomorrow?
matthew
parents:
diff changeset
105 end
38
Matthew Wild <mwild1@gmail.com>
parents: 0
diff changeset
106
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
107 local function get_password(username, host)
3158
3d42e0092888 Backed out changeset 8bd3857a75ee
Matthew Wild <mwild1@gmail.com>
parents: 3053
diff changeset
108 return hosts[host].users.get_password(username);
1585
edc066730d11 Switch to using a more generic credentials_callback/handler for SASL auth.
nick@lupine.me.uk
parents: 1523
diff changeset
109 end
2987
0acfae4da199 usermanager: Support for pluggable authentication providers
Matthew Wild <mwild1@gmail.com>
parents: 2934
diff changeset
110
8192
4354f556c5db core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents: 7177
diff changeset
111 local function set_password(username, password, host, resource)
4354f556c5db core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents: 7177
diff changeset
112 local ok, err = hosts[host].users.set_password(username, password);
4354f556c5db core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents: 7177
diff changeset
113 if ok then
4354f556c5db core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents: 7177
diff changeset
114 prosody.events.fire_event("user-password-changed", { username = username, host = host, resource = resource });
4354f556c5db core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents: 7177
diff changeset
115 end
4354f556c5db core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
Kim Alvefur <zash@zash.se>
parents: 7177
diff changeset
116 return ok, err;
2934
060bb8217fea usermanager: Added function set_password.
Waqas Hussain <waqas20@gmail.com>
parents: 2929
diff changeset
117 end
1585
edc066730d11 Switch to using a more generic credentials_callback/handler for SASL auth.
nick@lupine.me.uk
parents: 1523
diff changeset
118
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
119 local function user_exists(username, host)
7177
1295e14614f4 usermanager: Shortcircuit user existence check if they have existing sessions
Kim Alvefur <zash@zash.se>
parents: 6979
diff changeset
120 if hosts[host].sessions[username] then return true; end
3158
3d42e0092888 Backed out changeset 8bd3857a75ee
Matthew Wild <mwild1@gmail.com>
parents: 3053
diff changeset
121 return hosts[host].users.user_exists(username);
60
44800be871f5 User registration, etc (jabber:iq:register)
Waqas Hussain <waqas20@gmail.com>
parents: 53
diff changeset
122 end
44800be871f5 User registration, etc (jabber:iq:register)
Waqas Hussain <waqas20@gmail.com>
parents: 53
diff changeset
123
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
124 local function create_user(username, password, host)
3158
3d42e0092888 Backed out changeset 8bd3857a75ee
Matthew Wild <mwild1@gmail.com>
parents: 3053
diff changeset
125 return hosts[host].users.create_user(username, password);
60
44800be871f5 User registration, etc (jabber:iq:register)
Waqas Hussain <waqas20@gmail.com>
parents: 53
diff changeset
126 end
44800be871f5 User registration, etc (jabber:iq:register)
Waqas Hussain <waqas20@gmail.com>
parents: 53
diff changeset
127
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
128 local function delete_user(username, host)
5042
ce823b32225e usermanager: Add method for deleting a user
Kim Alvefur <zash@zash.se>
parents: 4943
diff changeset
129 local ok, err = hosts[host].users.delete_user(username);
ce823b32225e usermanager: Add method for deleting a user
Kim Alvefur <zash@zash.se>
parents: 4943
diff changeset
130 if not ok then return nil, err; end
5094
e646c849d72f core.usermanager: Don't close sessions ourselves when deleting users. Instead, fire an event that modules can hook.
Kim Alvefur <zash@zash.se>
parents: 5042
diff changeset
131 prosody.events.fire_event("user-deleted", { username = username, host = host });
5129
e8253c931166 storagemanager: Add purge() for purging user data from all backends in use
Kim Alvefur <zash@zash.se>
parents: 5094
diff changeset
132 return storagemanager.purge(username, host);
3993
b71e5ecc694b usermanager: Add delete_user method
Matthew Wild <mwild1@gmail.com>
parents: 3992
diff changeset
133 end
b71e5ecc694b usermanager: Add delete_user method
Matthew Wild <mwild1@gmail.com>
parents: 3992
diff changeset
134
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
135 local function users(host)
5157
0e1686f334b8 usermanager: Add support for iterating over accounts
Kim Alvefur <zash@zash.se>
parents: 5129
diff changeset
136 return hosts[host].users.users();
0e1686f334b8 usermanager: Add support for iterating over accounts
Kim Alvefur <zash@zash.se>
parents: 5129
diff changeset
137 end
0e1686f334b8 usermanager: Add support for iterating over accounts
Kim Alvefur <zash@zash.se>
parents: 5129
diff changeset
138
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
139 local function get_sasl_handler(host, session)
4943
50f63f07245f usermanager: Pass session on to auth provider (missing half of commit 0545a574667b) (thanks Zash)
Matthew Wild <mwild1@gmail.com>
parents: 4773
diff changeset
140 return hosts[host].users.get_sasl_handler(session);
228
875842235836 Updated usermanager with DIGEST-MD5 support
Waqas Hussain <waqas20@gmail.com>
parents: 60
diff changeset
141 end
875842235836 Updated usermanager with DIGEST-MD5 support
Waqas Hussain <waqas20@gmail.com>
parents: 60
diff changeset
142
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
143 local function get_provider(host)
3167
546695e80e0a Correct out of order logic in mod_hashpassauth
Jeff Mitchell <jeff@jefferai.org>
parents: 3166
diff changeset
144 return hosts[host].users;
546695e80e0a Correct out of order logic in mod_hashpassauth
Jeff Mitchell <jeff@jefferai.org>
parents: 3166
diff changeset
145 end
546695e80e0a Correct out of order logic in mod_hashpassauth
Jeff Mitchell <jeff@jefferai.org>
parents: 3166
diff changeset
146
10640
5622eda7c5c5 usermanager: Add get_roles() function
Matthew Wild <mwild1@gmail.com>
parents: 10635
diff changeset
147 local function get_roles(jid, host)
4237
6b0d7d94eb7f usermanager: Check host exists before trying to look up admins for it
Matthew Wild <mwild1@gmail.com>
parents: 3993
diff changeset
148 if host and not hosts[host] then return false; end
4459
2ccc386b9913 usermanager: Prep admin JIDs (fixes issue#276).
Waqas Hussain <waqas20@gmail.com>
parents: 4237
diff changeset
149 if type(jid) ~= "string" then return false; end
4237
6b0d7d94eb7f usermanager: Check host exists before trying to look up admins for it
Matthew Wild <mwild1@gmail.com>
parents: 3993
diff changeset
150
3285
c116c4b2db5a usermanager: is_admin: Resume the old role of determining precisely whether a user is an admin for a given host (or a global admin) - auth providers checked for JIDs not listed in the config if they support it
Matthew Wild <mwild1@gmail.com>
parents: 3218
diff changeset
151 jid = jid_bare(jid);
c116c4b2db5a usermanager: is_admin: Resume the old role of determining precisely whether a user is an admin for a given host (or a global admin) - auth providers checked for JIDs not listed in the config if they support it
Matthew Wild <mwild1@gmail.com>
parents: 3218
diff changeset
152 host = host or "*";
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5377
diff changeset
153
10633
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
154 local actor_user, actor_host = jid_split(jid);
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
155 local roles;
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
156
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
157 local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5377
diff changeset
158
10695
52886aad9ee1 usermanager: Fix traceback when checking admin status of host-only JIDs (fixes #1508)
Matthew Wild <mwild1@gmail.com>
parents: 10659
diff changeset
159 if actor_user and actor_host == host then -- Local user
10633
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
160 roles = authz_provider.get_user_roles(actor_user);
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
161 else -- Remote user/JID
d1cc6af0fb97 usermanager, mod_authz_internal: Move admin-checking functionality into a module. Fixes #517 (ish).
Matthew Wild <mwild1@gmail.com>
parents: 8717
diff changeset
162 roles = authz_provider.get_jid_roles(jid);
3030
2be7801474fb usermanager: Fix for is_admin to work with the new auth provider architecture
Matthew Wild <mwild1@gmail.com>
parents: 2999
diff changeset
163 end
5776
bd0ff8ae98a8 Remove all trailing whitespace
Florian Zeitz <florob@babelmonkeys.de>
parents: 5377
diff changeset
164
10640
5622eda7c5c5 usermanager: Add get_roles() function
Matthew Wild <mwild1@gmail.com>
parents: 10635
diff changeset
165 return roles;
5622eda7c5c5 usermanager: Add get_roles() function
Matthew Wild <mwild1@gmail.com>
parents: 10635
diff changeset
166 end
5622eda7c5c5 usermanager: Add get_roles() function
Matthew Wild <mwild1@gmail.com>
parents: 10635
diff changeset
167
11473
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
168 local function set_roles(jid, host, roles)
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
169 if host and not hosts[host] then return false; end
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
170 if type(jid) ~= "string" then return false; end
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
171
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
172 jid = jid_bare(jid);
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
173 host = host or "*";
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
174
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
175 local actor_user, actor_host = jid_split(jid);
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
176
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
177 local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
178 if actor_user and actor_host == host then -- Local user
11898
89aa591bb895 usermanager: Fire user-roles-changed event when updating roles of a local user
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
179 local ok, err = authz_provider.set_user_roles(actor_user, roles);
89aa591bb895 usermanager: Fire user-roles-changed event when updating roles of a local user
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
180 if ok then
89aa591bb895 usermanager: Fire user-roles-changed event when updating roles of a local user
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
181 prosody.events.fire_event("user-roles-changed", {
89aa591bb895 usermanager: Fire user-roles-changed event when updating roles of a local user
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
182 username = actor_user, host = actor_host
89aa591bb895 usermanager: Fire user-roles-changed event when updating roles of a local user
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
183 });
89aa591bb895 usermanager: Fire user-roles-changed event when updating roles of a local user
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
184 end
89aa591bb895 usermanager: Fire user-roles-changed event when updating roles of a local user
Matthew Wild <mwild1@gmail.com>
parents: 11745
diff changeset
185 return ok, err;
11473
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
186 else -- Remote entity
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
187 return authz_provider.set_jid_roles(jid, roles)
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
188 end
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
189 end
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
190
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
191 local function get_users_with_role(role, host)
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
192 if not hosts[host] then return false; end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
193 if type(role) ~= "string" then return false; end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
194
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
195 return hosts[host].authz.get_users_with_role(role);
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
196 end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
197
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
198 local function get_jids_with_role(role, host)
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
199 if host and not hosts[host] then return false; end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
200 if type(role) ~= "string" then return false; end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
201
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
202 host = host or "*";
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
203
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
204 local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
205 return authz_provider.get_jids_with_role(role);
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
206 end
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
207
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
208 return {
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
209 new_null_provider = new_null_provider;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
210 initialize_host = initialize_host;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
211 test_password = test_password;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
212 get_password = get_password;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
213 set_password = set_password;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
214 user_exists = user_exists;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
215 create_user = create_user;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
216 delete_user = delete_user;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
217 users = users;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
218 get_sasl_handler = get_sasl_handler;
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
219 get_provider = get_provider;
10640
5622eda7c5c5 usermanager: Add get_roles() function
Matthew Wild <mwild1@gmail.com>
parents: 10635
diff changeset
220 get_roles = get_roles;
11473
afe80b64e209 usermanager: expose set_roles through API
Jonas Schäfer <jonas@wielicki.name>
parents: 10695
diff changeset
221 set_roles = set_roles;
11745
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
222 get_users_with_role = get_users_with_role;
3a2d58a39872 usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents: 11473
diff changeset
223 get_jids_with_role = get_jids_with_role;
6779
6236668da30a core.*: Remove use of module() function
Kim Alvefur <zash@zash.se>
parents: 6663
diff changeset
224 };