prosody
9061f9621330
plugins/mod_authz_internal.lua

Find changesets by keywords by author, files, the commit message, revision number or hash, or revset expression.

Software / code / prosody

Comparison

plugins/mod_authz_internal.lua @ 12642:9061f9621330

Switch to a new role-based authorization framework, removing is_admin() We began moving away from simple "is this user an admin?" permission checks before 0.12, with the introduction of mod_authz_internal and the ability to dynamically change the roles of individual users. The approach in 0.12 still had various limitations however, and apart from the introduction of roles other than "admin" and the ability to pull that info from storage, not much actually changed. This new framework shakes things up a lot, though aims to maintain the same functionality and behaviour on the surface for a default Prosody configuration. That is, if you don't take advantage of any of the new features, you shouldn't notice any change. The biggest change visible to developers is that usermanager.is_admin() (and the auth provider is_admin() method) have been removed. Gone. Completely. Permission checks should now be performed using a new module API method: module:may(action_name, context) This method accepts an action name, followed by either a JID (string) or (preferably) a table containing 'origin'/'session' and 'stanza' fields (e.g. the standard object passed to most events). It will return true if the action should be permitted, or false/nil otherwise. Modules should no longer perform permission checks based on the role name. E.g. a lot of code previously checked if the user's role was prosody:admin before permitting some action. Since many roles might now exist with similar permissions, and the permissions of prosody:admin may be redefined dynamically, it is no longer suitable to use this method for permission checks. Use module:may(). If you start an action name with ':' (recommended) then the current module's name will automatically be used as a prefix. To define a new permission, use the new module API: module:default_permission(role_name, action_name) module:default_permissions(role_name, { action_name[, action_name...] }) This grants the specified role permission to execute the named action(s) by default. This may be overridden via other mechanisms external to your module. The built-in roles that developers should use are: - prosody:user (normal user) - prosody:admin (host admin) - prosody:operator (global admin) The new prosody:operator role is intended for server-wide actions (such as shutting down Prosody). Finally, all usage of is_admin() in modules has been fixed by this commit. Some of these changes were trickier than others, but no change is expected to break existing deployments. EXCEPT: mod_auth_ldap no longer supports the ldap_admin_filter option. It's very possible nobody is using this, but if someone is then we can later update it to pull roles from LDAP somehow.
author Matthew Wild <mwild1@gmail.com>
date Wed, 15 Jun 2022 12:15:01 +0100
parent 11745:3a2d58a39872
child 12648:f299e570a0fe
comparison
equal deleted inserted replaced
12641:e9865b0cfb89 12642:9061f9621330
1 local array = require "util.array"; 1 local array = require "util.array";
2 local it = require "util.iterators"; 2 local it = require "util.iterators";
3 local set = require "util.set"; 3 local set = require "util.set";
4 local jid_split = require "util.jid".split; 4 local jid_split, jid_bare = require "util.jid".split, require "util.jid".bare;
5 local normalize = require "util.jid".prep; 5 local normalize = require "util.jid".prep;
6 local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize;
6 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize; 7 local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize;
7 local host = module.host; 8 local host = module.host;
8 local role_store = module:open_store("roles"); 9 local role_store = module:open_store("roles");
9 local role_map_store = module:open_store("roles", "map"); 10 local role_map_store = module:open_store("roles", "map");
10 11
11 local admin_role = { ["prosody:admin"] = true }; 12 local role_methods = {};
13 local role_mt = { __index = role_methods };
14
15 local role_registry = {
16 ["prosody:operator"] = {
17 default = true;
18 priority = 75;
19 includes = { "prosody:admin" };
20 };
21 ["prosody:admin"] = {
22 default = true;
23 priority = 50;
24 includes = { "prosody:user" };
25 };
26 ["prosody:user"] = {
27 default = true;
28 priority = 25;
29 includes = { "prosody:restricted" };
30 };
31 ["prosody:restricted"] = {
32 default = true;
33 priority = 15;
34 };
35 };
36
37 -- Some processing on the role registry
38 for role_name, role_info in pairs(role_registry) do
39 role_info.name = role_name;
40 role_info.includes = set.new(role_info.includes) / function (included_role_name)
41 return role_registry[included_role_name];
42 end;
43 if not role_info.permissions then
44 role_info.permissions = {};
45 end
46 setmetatable(role_info, role_mt);
47 end
48
49 function role_methods:may(action, context)
50 local policy = self.permissions[action];
51 if policy ~= nil then
52 return policy;
53 end
54 for inherited_role in self.includes do
55 module:log("debug", "Checking included role '%s' for %s", inherited_role.name, action);
56 policy = inherited_role:may(action, context);
57 if policy ~= nil then
58 return policy;
59 end
60 end
61 return false;
62 end
63
64 -- Public API
65
66 local config_operator_role_set = {
67 ["prosody:operator"] = role_registry["prosody:operator"];
68 };
69 local config_admin_role_set = {
70 ["prosody:admin"] = role_registry["prosody:admin"];
71 };
12 72
13 function get_user_roles(user) 73 function get_user_roles(user)
14 if config_admin_jids:contains(user.."@"..host) then 74 local bare_jid = user.."@"..host;
15 return admin_role; 75 if config_global_admin_jids:contains(bare_jid) then
76 return config_operator_role_set;
77 elseif config_admin_jids:contains(bare_jid) then
78 return config_admin_role_set;
16 end 79 end
17 return role_store:get(user); 80 local role_names = role_store:get(user);
81 if not role_names then return {}; end
82 local roles = {};
83 for role_name in pairs(role_names) do
84 roles[role_name] = role_registry[role_name];
85 end
86 return roles;
18 end 87 end
19 88
20 function set_user_roles(user, roles) 89 function set_user_roles(user, roles)
21 role_store:set(user, roles) 90 role_store:set(user, roles)
22 return true; 91 return true;
23 end 92 end
24 93
25 function get_users_with_role(role) 94 function get_user_default_role(user)
26 local storage_role_users = it.to_array(it.keys(role_map_store:get_all(role) or {})); 95 local roles = get_user_roles(user);
27 if role == "prosody:admin" then 96 if not roles then return nil; end
28 local config_admin_users = config_admin_jids / function (admin_jid) 97 local default_role;
98 for role_name, role_info in pairs(roles) do --luacheck: ignore 213/role_name
99 if role_info.default and (not default_role or role_info.priority > default_role.priority) then
100 default_role = role_info;
101 end
102 end
103 if not default_role then return nil; end
104 return default_role;
105 end
106
107 function get_users_with_role(role_name)
108 local storage_role_users = it.to_array(it.keys(role_map_store:get_all(role_name) or {}));
109 local config_set;
110 if role_name == "prosody:admin" then
111 config_set = config_admin_jids;
112 elseif role_name == "prosody:operator" then
113 config_set = config_global_admin_jids;
114 end
115 if config_set then
116 local config_admin_users = config_set / function (admin_jid)
29 local j_node, j_host = jid_split(admin_jid); 117 local j_node, j_host = jid_split(admin_jid);
30 if j_host == host then 118 if j_host == host then
31 return j_node; 119 return j_node;
32 end 120 end
33 end; 121 end;
34 return it.to_array(config_admin_users + set.new(storage_role_users)); 122 return it.to_array(config_admin_users + set.new(storage_role_users));
35 end 123 end
36 return storage_role_users; 124 return storage_role_users;
37 end 125 end
38 126
39 function get_jid_roles(jid) 127 function get_jid_role(jid)
40 if config_admin_jids:contains(jid) then 128 local bare_jid = jid_bare(jid);
41 return admin_role; 129 if config_global_admin_jids:contains(bare_jid) then
130 return role_registry["prosody:operator"];
131 elseif config_admin_jids:contains(bare_jid) then
132 return role_registry["prosody:admin"];
42 end 133 end
43 return nil; 134 return nil;
44 end 135 end
45 136
46 function set_jid_roles(jid) -- luacheck: ignore 212 137 function set_jid_role(jid) -- luacheck: ignore 212
47 return false; 138 return false;
48 end 139 end
49 140
50 function get_jids_with_role(role) 141 function get_jids_with_role(role_name)
51 -- Fetch role users from storage 142 -- Fetch role users from storage
52 local storage_role_jids = array.map(get_users_with_role(role), function (username) 143 local storage_role_jids = array.map(get_users_with_role(role_name), function (username)
53 return username.."@"..host; 144 return username.."@"..host;
54 end); 145 end);
55 if role == "prosody:admin" then 146 if role_name == "prosody:admin" then
56 return it.to_array(config_admin_jids + set.new(storage_role_jids)); 147 return it.to_array(config_admin_jids + set.new(storage_role_jids));
148 elseif role_name == "prosody:operator" then
149 return it.to_array(config_global_admin_jids + set.new(storage_role_jids));
57 end 150 end
58 return storage_role_jids; 151 return storage_role_jids;
59 end 152 end
153
154 function add_default_permission(role_name, action, policy)
155 local role = role_registry[role_name];
156 if not role then
157 module:log("warn", "Attempt to add default permission for unknown role: %s", role_name);
158 return nil, "no-such-role";
159 end
160 if role.permissions[action] == nil then
161 if policy == nil then
162 policy = true;
163 end
164 module:log("debug", "Adding permission, role '%s' may '%s': %s", role_name, action, policy and "allow" or "deny");
165 role.permissions[action] = policy;
166 end
167 return true;
168 end
169
170 function get_role_info(role_name)
171 return role_registry[role_name];
172 end