Software `/` code `/` prosody

Comparison

core/usermanager.lua @ 12674:72f431b4dc2c

Merge role-auth->trunk

author	Matthew Wild <mwild1@gmail.com>
date	Mon, 22 Aug 2022 13:53:35 +0100
parent	12667:0278987b8687
child	12683:75f0c69eba71

comparison

equal deleted inserted replaced

-:6d9ee0a3eb4b
+:72f431b4dc2c
 --
 local modulemanager = require "core.modulemanager";
 local log = require "util.logger".init("usermanager");
 local type = type;
-local it = require "util.iterators";
-local jid_bare = require "util.jid".bare;
 local jid_split = require "util.jid".split;
-local jid_prep = require "util.jid".prep;
 local config = require "core.configmanager";
 local sasl_new = require "util.sasl".new;
 local storagemanager = require "core.storagemanager";
-local set = require "util.set";
 local prosody = _G.prosody;
 local hosts = prosody.hosts;
 local setmetatable = setmetatable;
 local default_provider = "internal_hashed";
+local debug = debug;
 local _ENV = nil;
 -- luacheck: std none
 local function new_null_provider()
 	return setmetatable({name = "null", get_sasl_handler = dummy_get_sasl_handler}, {
 		__index = function(self, method) return dummy; end --luacheck: ignore 212
 	});
 end
-local global_admins_config = config.get("*", "admins");
+local fallback_authz_provider = {
-if type(global_admins_config) ~= "table" then
+	-- luacheck: ignore 212
-	global_admins_config = nil; -- TODO: factor out moduleapi magic config handling and use it here
+	get_jids_with_role = function (role) end;
-end
-local global_admins = set.new(global_admins_config) / jid_prep;
+	get_user_role = function (user) end;
+	set_user_role = function (user, role_name) end;
-local admin_role = { ["prosody:admin"] = true };
-local global_authz_provider = {
+	get_user_secondary_roles = function (user) end;
-	get_user_roles = function (user) end; --luacheck: ignore 212/user
+	add_user_secondary_role = function (user, host, role_name) end;
-	get_jid_roles = function (jid)
+	remove_user_secondary_role = function (user, host, role_name) end;
-		if global_admins:contains(jid) then
-			return admin_role;
+	user_can_assume_role = function(user, role_name) end;
-		end
-	end;
+	get_jid_role = function (jid) end;
-	get_jids_with_role = function (role)
+	set_jid_role = function (jid, role) end;
-		if role ~= "prosody:admin" then return {}; end
-		return it.to_array(global_admins);
+	get_users_with_role = function (role_name) end;
-	end;
+	add_default_permission = function (role_name, action, policy) end;
-	set_user_roles = function (user, roles) end; -- luacheck: ignore 212
+	get_role_by_name = function (role_name) end;
-	set_jid_roles = function (jid, roles) end; -- luacheck: ignore 212
 };
 local provider_mt = { __index = new_null_provider() };
 local function initialize_host(host)
 	local host_session = hosts[host];
 	local authz_provider_name = config.get(host, "authorization") or "internal";
 	local authz_mod = modulemanager.load(host, "authz_"..authz_provider_name);
-	host_session.authz = authz_mod or global_authz_provider;
+	host_session.authz = authz_mod or fallback_authz_provider;
 	if host_session.type ~= "local" then return; end
 	host_session.events.add_handler("item-added/auth-provider", function (event)
 		local provider = event.item;
 		prosody.events.fire_event("user-password-changed", { username = username, host = host, resource = resource });
 	end
 	return ok, err;
 end
+local function get_account_info(username, host)
+	local method = hosts[host].users.get_account_info;
+	if not method then return nil, "method-not-supported"; end
+	return method(username);
+end
 local function user_exists(username, host)
 	if hosts[host].sessions[username] then return true; end
 	return hosts[host].users.user_exists(username);
 end
 local function get_provider(host)
 	return hosts[host].users;
 end
-local function get_roles(jid, host)
+local function get_user_role(user, host)
 	if host and not hosts[host] then return false; end
-	if type(jid) ~= "string" then return false; end
+	if type(user) ~= "string" then return false; end
-	jid = jid_bare(jid);
+	return hosts[host].authz.get_user_role(user);
-	host = host or "*";
+end
-	local actor_user, actor_host = jid_split(jid);
+local function set_user_role(user, host, role_name)
-	local roles;
+	if host and not hosts[host] then return false; end
+	if type(user) ~= "string" then return false; end
-	local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
+	local role, err = hosts[host].authz.set_user_role(user, role_name);
-	if actor_user and actor_host == host then -- Local user
+	if role then
-		roles = authz_provider.get_user_roles(actor_user);
+		prosody.events.fire_event("user-role-changed", {
-	else -- Remote user/JID
+			username = user, host = host, role = role;
-		roles = authz_provider.get_jid_roles(jid);
+		});
 	end
+	return role, err;
-	return roles;
+end
-end
+local function user_can_assume_role(user, host, role_name)
-local function set_roles(jid, host, roles)
+	if host and not hosts[host] then return false; end
-	if host and not hosts[host] then return false; end
+	if type(user) ~= "string" then return false; end
-	if type(jid) ~= "string" then return false; end
+	return hosts[host].authz.user_can_assume_role(user, role_name);
-	jid = jid_bare(jid);
+end
-	host = host or "*";
+local function add_user_secondary_role(user, host, role_name)
-	local actor_user, actor_host = jid_split(jid);
+	if host and not hosts[host] then return false; end
+	if type(user) ~= "string" then return false; end
-	local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
-	if actor_user and actor_host == host then -- Local user
+	local role, err = hosts[host].authz.add_user_secondary_role(user, role_name);
-		local ok, err = authz_provider.set_user_roles(actor_user, roles);
+	if role then
-		if ok then
+		prosody.events.fire_event("user-role-added", {
-			prosody.events.fire_event("user-roles-changed", {
+			username = user, host = host, role = role;
-				username = actor_user, host = actor_host
+		});
-			});
+	end
-		end
+	return role, err;
-		return ok, err;
+end
-	else -- Remote entity
-		return authz_provider.set_jid_roles(jid, roles)
+local function remove_user_secondary_role(user, host, role_name)
-	end
+	if host and not hosts[host] then return false; end
-end
+	if type(user) ~= "string" then return false; end
+	local ok, err = hosts[host].authz.remove_user_secondary_role(user, role_name);
+	if ok then
+		prosody.events.fire_event("user-role-removed", {
+			username = user, host = host, role_name = role_name;
+		});
+	end
+	return ok, err;
+end
+local function get_user_secondary_roles(user, host)
+	if host and not hosts[host] then return false; end
+	if type(user) ~= "string" then return false; end
+	return hosts[host].authz.get_user_secondary_roles(user);
+end
+local function get_jid_role(jid, host)
+	local jid_node, jid_host = jid_split(jid);
+	if host == jid_host and jid_node then
+		return hosts[host].authz.get_user_role(jid_node);
+	end
+	return hosts[host].authz.get_jid_role(jid);
+end
+local function set_jid_role(jid, host, role_name)
+	local _, jid_host = jid_split(jid);
+	if host == jid_host then
+		return nil, "unexpected-local-jid";
+	end
+	return hosts[host].authz.set_jid_role(jid, role_name)
+end
+local strict_deprecate_is_admin;
+local legacy_admin_roles = { ["prosody:admin"] = true, ["prosody:operator"] = true };
 local function is_admin(jid, host)
-	local roles = get_roles(jid, host);
+	if strict_deprecate_is_admin == nil then
-	return roles and roles["prosody:admin"];
+		strict_deprecate_is_admin = (config.get("*", "strict_deprecate_is_admin") == true);
+	end
+	if strict_deprecate_is_admin then
+		log("error", "Attempt to use deprecated is_admin() API: %s", debug.traceback());
+		return false;
+	end
+	log("warn", "Usage of legacy is_admin() API, which will be disabled in a future build: %s", debug.traceback());
+	return legacy_admin_roles[get_jid_role(jid, host)] or false;
 end
 local function get_users_with_role(role, host)
 	if not hosts[host] then return false; end
 	if type(role) ~= "string" then return false; end
 	return hosts[host].authz.get_users_with_role(role);
 end
 local function get_jids_with_role(role, host)
 	if host and not hosts[host] then return false; end
 	if type(role) ~= "string" then return false; end
+	return hosts[host].authz.get_jids_with_role(role);
-	host = host or "*";
+end
-	local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
+local function get_role_by_name(role_name, host)
-	return authz_provider.get_jids_with_role(role);
+	if host and not hosts[host] then return false; end
+	if type(role_name) ~= "string" then return false; end
+	return hosts[host].authz.get_role_by_name(role_name);
 end
 return {
 	new_null_provider = new_null_provider;
 	initialize_host = initialize_host;
 	test_password = test_password;
 	get_password = get_password;
 	set_password = set_password;
+	get_account_info = get_account_info;
 	user_exists = user_exists;
 	create_user = create_user;
 	delete_user = delete_user;
 	users = users;
 	get_sasl_handler = get_sasl_handler;
 	get_provider = get_provider;
-	get_roles = get_roles;
+	get_user_role = get_user_role;
-	set_roles = set_roles;
+	set_user_role = set_user_role;
+	user_can_assume_role = user_can_assume_role;
+	add_user_secondary_role = add_user_secondary_role;
+	remove_user_secondary_role = remove_user_secondary_role;
+	get_user_secondary_roles = get_user_secondary_roles;
+	get_users_with_role = get_users_with_role;
+	get_jid_role = get_jid_role;
+	set_jid_role = set_jid_role;
+	get_jids_with_role = get_jids_with_role;
+	get_role_by_name = get_role_by_name;
+	-- Deprecated
 	is_admin = is_admin;
-	get_users_with_role = get_users_with_role;
-	get_jids_with_role = get_jids_with_role;
 };

prosody

72f431b4dc2c

core/usermanager.lua

Software / code / prosody

Comparison

core/usermanager.lua @ 12674:72f431b4dc2c

Software `/` code `/` prosody