
plugins/mod_admin_shell.lua @ 13828:a071b20ccc0f 13.0

mod_admin_shell: Add role:list() and role:show() commands
author Matthew Wild <mwild1@gmail.com>
date Fri, 04 Apr 2025 16:50:25 +0100
parent 13823:e78e79f1b5f5
child 13869:f44f2a8a8c37
--- a/plugins/mod_admin_shell.lua	Fri Apr 04 16:49:55 2025 +0100
+++ b/plugins/mod_admin_shell.lua	Fri Apr 04 16:50:25 2025 +0100
@@ -139,6 +139,8 @@
   prosody:admin      - Host administrator
   prosody:operator   - Server administrator
 
+To view roles and policies, see the commands in 'help role'.
+
 Roles can be assigned using the user management commands (see 'help user').
 ]];
 
@@ -2458,6 +2460,64 @@
 	return true, ("Showing %d certificates in %s"):format(c, path);
 end
 
+def_env.role = new_section("Role and access management");
+
+describe_command [[role:list(host) - List known roles]]
+function def_env.role:list(host)
+	if not host then
+		return nil, "Specify which host to list roles for";
+	end
+	local role_list = {};
+	for _, role in it.sorted_pairs(um.get_all_roles(host)) do
+		table.insert(role_list, role);
+	end
+	table.sort(role_list, function (a, b)
+		if a.priority ~= b.priority then
+			return (a.priority or 0) > (b.priority or 0);
+		end
+		return a.name < b.name;
+	end);
+	for _, role in ipairs(role_list) do
+		self.session.print(role.name);
+	end
+	return true, ("Showing %d roles on %s"):format(#role_list, host);
+end
+
+describe_command [[role:show(host, role_name) - Show information about a role]]
+function def_env.role:show(host, role_name)
+	if not host or not role_name then
+		return nil, "Specify the host and role to show";
+	end
+
+	local print = self.session.print;
+	local role = um.get_role_by_name(role_name, host);
+
+	if not role then
+		return nil, ("Unable to find role %s on host %s"):format(role_name, host);
+	end
+
+	local inherits = {};
+	for _, inherited_role in ipairs(role.inherits or {}) do
+		table.insert(inherits, inherited_role.name);
+	end
+
+	local permissions = {};
+	for permission, is_allowed in role:policies() do
+		permissions[permission] = is_allowed and "allowed" or "denied";
+	end
+
+	print("Name:    ", role.name);
+	print("Inherits:", table.concat(inherits, ", "));
+	print("Policies:");
+	local c = 0;
+	for permission, policy in it.sorted_pairs(permissions) do
+		c = c + 1;
+		print("  ["..(policy == "allowed" and "+" or " ").."] " .. permission);
+	end
+	print("");
+	return true, ("Showing role %s with %d policies"):format(role.name, c);
+end
+
 def_env.stats = new_section("Commands to show internal statistics");
 
 local short_units = {
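Review bot: The comparator in role:list() is not a consistent ordering when one role has priority nil and another has priority 0: `a.priority ~= b.priority` is true, the branch returns `0 > 0` (false) in both directions, and the name tiebreak is skipped, so such a pair is "equivalent" while each is name-ordered against other priority-0 roles; table.sort may then raise "invalid order function" or produce an unstable order. Normalise before comparing: `local pa, pb = a.priority or 0, b.priority or 0;` / `if pa ~= pb then return pa > pb; end` / `return a.name < b.name;`. In role:show(), a policy that is explicitly denied is printed as `[ ]`, indistinguishable from a permission that is simply absent, which hides the case an operator most wants to see when auditing a role; printing `-` for a denied entry, `print("  ["..(policy == "allowed" and "+" or "-").."] " .. permission);`, keeps the two distinct. Neither command checks that `host` is a configured host before calling into um; if get_all_roles()/get_role_by_name() do not do so themselves (not visible here), a `nil, "No such host"` return as the other sections do would be clearer than whatever they produce for an unknown host.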