Software / code / prosody
Annotate
plugins/mod_authz_internal.lua @ 12731:a314f5bff9f0
mod_muc: Better map restrict_room_creation to role permissions (behaviour change)
With this change and 427dd01f0864, room creation is now effectively restricted
to parent-host users by default. This is a better default than previous
Prosody versions (where room creation was not restricted).
The "local" option for restrict_room_creation is no longer used (any value
other than true/false won't change the default behaviour).
restrict_room_creation = true will grant prosody:admin the ability to create
rooms.
restrict_room_creation = false disables all permission checks.
Anything between these two can be achieved using custom roles and permissions.
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Thu, 29 Sep 2022 12:30:52 +0100 |
| parent | 12730:427dd01f0864 |
| child | 12733:2167e1639aab |
| rev | line source |
|---|---|
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
1 local array = require "util.array"; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
2 local it = require "util.iterators"; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
3 local set = require "util.set"; |
|
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
4 local jid_split, jid_bare, jid_host = import("util.jid", "split", "bare", "host"); |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 local normalize = require "util.jid".prep; |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
6 local roles = require "util.roles"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
7 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
8 local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize; |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
9 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
10 local host = module.host; |
|
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
11 local host_suffix = host:gsub("^[^%.]+%.", ""); |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
12 |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
13 local hosts = prosody.hosts; |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
14 local is_component = hosts[host].type == "component"; |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
15 local host_user_role, server_user_role; |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
16 if is_component then |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
17 host_user_role = module:get_option_string("host_user_role", "prosody:user"); |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
18 server_user_role = module:get_option_string("server_user_role"); |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
19 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
20 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
21 local role_store = module:open_store("account_roles"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
22 local role_map_store = module:open_store("account_roles", "map"); |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
23 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
24 local role_registry = {}; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
25 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
26 function register_role(role) |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
27 if role_registry[role.name] ~= nil then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
28 return error("A role '"..role.name.."' is already registered"); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
29 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
30 if not roles.is_role(role) then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
31 -- Convert table syntax to real role object |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
32 for i, inherited_role in ipairs(role.inherits or {}) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
33 if type(inherited_role) == "string" then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
34 role.inherits[i] = assert(role_registry[inherited_role], "The named role '"..inherited_role.."' is not registered"); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
35 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
36 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
37 if not role.permissions then role.permissions = {}; end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
38 for _, allow_permission in ipairs(role.allow or {}) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
39 role.permissions[allow_permission] = true; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
40 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
41 for _, deny_permission in ipairs(role.deny or {}) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
42 role.permissions[deny_permission] = false; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
43 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
44 role = roles.new(role); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
45 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
46 role_registry[role.name] = role; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
47 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
48 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
49 -- Default roles |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
50 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
51 name = "prosody:restricted"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
52 priority = 15; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
53 }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
54 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
55 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
56 name = "prosody:user"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
57 priority = 25; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
58 inherits = { "prosody:restricted" }; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
59 }; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
60 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
61 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
62 name = "prosody:admin"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
63 priority = 50; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
64 inherits = { "prosody:user" }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
65 }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
66 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
67 register_role { |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
68 name = "prosody:operator"; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
69 priority = 75; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
70 inherits = { "prosody:admin" }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
71 }; |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
72 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
73 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
74 -- Process custom roles from config |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
75 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
76 local custom_roles = module:get_option("custom_roles", {}); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
77 for n, role_config in ipairs(custom_roles) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
78 local ok, err = pcall(register_role, role_config); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
79 if not ok then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
80 module:log("error", "Error registering custom role %s: %s", role_config.name or tostring(n), err); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
81 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
82 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
83 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
84 -- Process custom permissions from config |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
85 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
86 local config_add_perms = module:get_option("add_permissions", {}); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
87 local config_remove_perms = module:get_option("remove_permissions", {}); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
88 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
89 for role_name, added_permissions in pairs(config_add_perms) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
90 if not role_registry[role_name] then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
91 module:log("error", "Cannot add permissions to unknown role '%s'", role_name); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
92 else |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
93 for _, permission in ipairs(added_permissions) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
94 role_registry[role_name]:set_permission(permission, true, true); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
95 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
96 end |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
97 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
98 |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
99 for role_name, removed_permissions in pairs(config_remove_perms) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
100 if not role_registry[role_name] then |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
101 module:log("error", "Cannot remove permissions from unknown role '%s'", role_name); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
102 else |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
103 for _, permission in ipairs(removed_permissions) do |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
104 role_registry[role_name]:set_permission(permission, false, true); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
105 end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
106 end |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
107 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
108 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
109 -- Public API |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
110 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
111 -- Get the primary role of a user |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
112 function get_user_role(user) |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
113 local bare_jid = user.."@"..host; |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
114 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
115 -- Check config first |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
116 if config_global_admin_jids:contains(bare_jid) then |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
117 return role_registry["prosody:operator"]; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
118 elseif config_admin_jids:contains(bare_jid) then |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
119 return role_registry["prosody:admin"]; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
120 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
121 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
122 -- Check storage |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
123 local stored_roles, err = role_store:get(user); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
124 if not stored_roles then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
125 if err then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
126 -- Unable to fetch role, fail |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
127 return nil, err; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
128 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
129 -- No role set, use default role |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
130 return role_registry["prosody:user"]; |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
131 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
132 if stored_roles._default == nil then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
133 -- No primary role explicitly set, return default |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
134 return role_registry["prosody:user"]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
135 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
136 local primary_stored_role = role_registry[stored_roles._default]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
137 if not primary_stored_role then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
138 return nil, "unknown-role"; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
139 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
140 return primary_stored_role; |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
141 end |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
142 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
143 -- Set the primary role of a user |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
144 function set_user_role(user, role_name) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
145 local role = role_registry[role_name]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
146 if not role then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
147 return error("Cannot assign default user an unknown role: "..tostring(role_name)); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
148 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
149 local keys_update = { |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
150 _default = role_name; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
151 -- Primary role cannot be secondary role |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
152 [role_name] = role_map_store.remove; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
153 }; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
154 if role_name == "prosody:user" then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
155 -- Don't store default |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
156 keys_update._default = role_map_store.remove; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
157 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
158 local ok, err = role_map_store:set_keys(user, keys_update); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
159 if not ok then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
160 return nil, err; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
161 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
162 return role; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
163 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
164 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
165 function add_user_secondary_role(user, role_name) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
166 if not role_registry[role_name] then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
167 return error("Cannot assign default user an unknown role: "..tostring(role_name)); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
168 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
169 role_map_store:set(user, role_name, true); |
|
11472
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
170 end |
|
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
171 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
172 function remove_user_secondary_role(user, role_name) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
173 role_map_store:set(user, role_name, nil); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
174 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
175 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
176 function get_user_secondary_roles(user) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
177 local stored_roles, err = role_store:get(user); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
178 if not stored_roles then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
179 if err then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
180 -- Unable to fetch role, fail |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
181 return nil, err; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
182 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
183 -- No role set |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
184 return {}; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
185 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
186 stored_roles._default = nil; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
187 for role_name in pairs(stored_roles) do |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
188 stored_roles[role_name] = role_registry[role_name]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
189 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
190 return stored_roles; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
191 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
192 |
|
12663
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
193 function user_can_assume_role(user, role_name) |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
194 local primary_role = get_user_role(user); |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
195 if primary_role and primary_role.role_name == role_name then |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
196 return true; |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
197 end |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
198 local secondary_roles = get_user_secondary_roles(user); |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
199 if secondary_roles and secondary_roles[role_name] then |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
200 return true; |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
201 end |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
202 return false; |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
203 end |
|
cf88f6b03942
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com>
parents:
12662
diff
changeset
|
204 |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
205 -- This function is *expensive* |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
206 function get_users_with_role(role_name) |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
207 local function role_filter(username, default_role) --luacheck: ignore 212/username |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
208 return default_role == role_name; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
209 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
210 local primary_role_users = set.new(it.to_array(it.filter(role_filter, pairs(role_map_store:get_all("_default") or {})))); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
211 local secondary_role_users = set.new(it.to_array(it.keys(role_map_store:get_all(role_name) or {}))); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
212 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
213 local config_set; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
214 if role_name == "prosody:admin" then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
215 config_set = config_admin_jids; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
216 elseif role_name == "prosody:operator" then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
217 config_set = config_global_admin_jids; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
218 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
219 if config_set then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
220 local config_admin_users = config_set / function (admin_jid) |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
221 local j_node, j_host = jid_split(admin_jid); |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
222 if j_host == host then |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
223 return j_node; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
224 end |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
225 end; |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
226 return it.to_array(config_admin_users + primary_role_users + secondary_role_users); |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
227 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
228 return it.to_array(primary_role_users + secondary_role_users); |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
229 end |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
230 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
231 function get_jid_role(jid) |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
232 local bare_jid = jid_bare(jid); |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
233 if config_global_admin_jids:contains(bare_jid) then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
234 return role_registry["prosody:operator"]; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
235 elseif config_admin_jids:contains(bare_jid) then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
236 return role_registry["prosody:admin"]; |
|
12730
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
237 elseif is_component then |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
238 local user_host = jid_host(bare_jid); |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
239 if host_user_role and user_host == host_suffix then |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
240 return role_registry[host_user_role]; |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
241 elseif server_user_role and hosts[user_host] then |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
242 return role_registry[server_user_role]; |
|
427dd01f0864
mod_authz_internal: Allow configuring role of local-server/parent-host users
Matthew Wild <mwild1@gmail.com>
parents:
12663
diff
changeset
|
243 end |
|
10659
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
244 end |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
245 return nil; |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
246 end |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
247 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
248 function set_jid_role(jid, role_name) -- luacheck: ignore 212 |
|
11472
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
249 return false; |
|
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10659
diff
changeset
|
250 end |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
251 |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
252 function get_jids_with_role(role_name) |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
253 -- Fetch role users from storage |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
254 local storage_role_jids = array.map(get_users_with_role(role_name), function (username) |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
255 return username.."@"..host; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
256 end); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
257 if role_name == "prosody:admin" then |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
258 return it.to_array(config_admin_jids + set.new(storage_role_jids)); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
259 elseif role_name == "prosody:operator" then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
260 return it.to_array(config_global_admin_jids + set.new(storage_role_jids)); |
|
11745
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
261 end |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
262 return storage_role_jids; |
|
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11474
diff
changeset
|
263 end |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
264 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
265 function add_default_permission(role_name, action, policy) |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
266 local role = role_registry[role_name]; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
267 if not role then |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
268 module:log("warn", "Attempt to add default permission for unknown role: %s", role_name); |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
269 return nil, "no-such-role"; |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
270 end |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
271 if policy == nil then policy = true; end |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
272 module:log("debug", "Adding policy %s for permission %s on role %s", policy, action, role_name); |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
273 return role:set_permission(action, policy); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
274 end |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
275 |
|
12648
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
276 function get_role_by_name(role_name) |
|
f299e570a0fe
mod_authz_internal: Use util.roles, some API changes and config support
Matthew Wild <mwild1@gmail.com>
parents:
12642
diff
changeset
|
277 return assert(role_registry[role_name], role_name); |
|
12642
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11745
diff
changeset
|
278 end |
|
12662
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
279 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
280 -- COMPAT: Migrate from 0.12 role storage |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
281 local function do_migration(migrate_host) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
282 local old_role_store = assert(module:context(migrate_host):open_store("roles")); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
283 local new_role_store = assert(module:context(migrate_host):open_store("account_roles")); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
284 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
285 local migrated, failed, skipped = 0, 0, 0; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
286 -- Iterate all users |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
287 for username in assert(old_role_store:users()) do |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
288 local old_roles = it.to_array(it.filter(function (k) return k:sub(1,1) ~= "_"; end, it.keys(old_role_store:get(username)))); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
289 if #old_roles == 1 then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
290 local ok, err = new_role_store:set(username, { |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
291 _default = old_roles[1]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
292 }); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
293 if ok then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
294 migrated = migrated + 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
295 else |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
296 failed = failed + 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
297 print("EE: Failed to store new role info for '"..username.."': "..err); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
298 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
299 else |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
300 print("WW: User '"..username.."' has multiple roles and cannot be automatically migrated"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
301 skipped = skipped + 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
302 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
303 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
304 return migrated, failed, skipped; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
305 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
306 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
307 function module.command(arg) |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
308 if arg[1] == "migrate" then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
309 table.remove(arg, 1); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
310 local migrate_host = arg[1]; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
311 if not migrate_host or not prosody.hosts[migrate_host] then |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
312 print("EE: Please supply a valid host to migrate to the new role storage"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
313 return 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
314 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
315 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
316 -- Initialize storage layer |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
317 require "core.storagemanager".initialize_host(migrate_host); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
318 |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
319 print("II: Migrating roles..."); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
320 local migrated, failed, skipped = do_migration(migrate_host); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
321 print(("II: %d migrated, %d failed, %d skipped"):format(migrated, failed, skipped)); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
322 return (failed + skipped == 0) and 0 or 1; |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
323 else |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
324 print("EE: Unknown command: "..(arg[1] or "<none given>")); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
325 print(" Hint: try 'migrate'?"); |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
326 end |
|
07424992d7fc
mod_authz_internal, and more: New iteration of role API
Matthew Wild <mwild1@gmail.com>
parents:
12648
diff
changeset
|
327 end |
