Mercurial > prosody-modules
annotate mod_authz_delegate/mod_authz_delegate.lua @ 5289:308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
See the readme :-).
Motivation is allowing Snikket admins to change circle avatars via
the web portal without bypassing Prosody access checks.
| author | Jonas Schäfer <jonas@wielicki.name> |
|---|---|
| date | Wed, 29 Mar 2023 17:21:45 +0200 |
| parents | |
| children | 98d5acb93439 |
| rev | line source |
|---|---|
|
5289
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
1 local target_host = assert(module:get_option("authz_delegate_to")); |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
2 local this_host = module:get_host(); |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
3 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
4 local jid_split = import("prosody.util.jid", "split"); |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
5 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
6 local hosts = prosody.hosts; |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
7 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
8 function get_jids_with_role(role) --luacheck: ignore 212/role |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
9 return nil |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
10 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
11 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
12 function get_user_role(user) |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
13 -- this is called where the JID belongs to the host this module is loaded on |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
14 -- that means we have to delegate that to get_jid_role with an appropriately composed JID |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
15 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host) |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
16 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
17 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
18 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
19 -- no roles for entities on this host. |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
20 return false, "cannot set user role on delegation target" |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
21 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
22 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
23 function get_user_secondary_roles(user) --luacheck: ignore 212/user |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
24 -- no roles for entities on this host. |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
25 return {} |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
26 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
27 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
28 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
29 -- no roles for entities on this host. |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
30 return nil, "cannot set user role on delegation target" |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
31 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
32 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
33 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
34 -- no roles for entities on this host. |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
35 return nil, "cannot set user role on delegation target" |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
36 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
37 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
38 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
39 -- no roles for entities on this host. |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
40 return false |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
41 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
42 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
43 function get_jid_role(jid) |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
44 local user, host = jid_split(jid); |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
45 if host == target_host then |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
46 return hosts[target_host].authz.get_user_role(user); |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
47 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
48 return hosts[target_host].authz.get_jid_role(jid); |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
49 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
50 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
51 function set_jid_role(jid) --luacheck: ignore 212/jid |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
52 -- TODO: figure out if there are actually legitimate uses for this... |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
53 return nil, "cannot set jid role on delegation target" |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
54 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
55 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
56 function add_default_permission(role_name, action, policy) |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
57 return hosts[target_host].authz.add_default_permission(role_name, action, policy) |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
58 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
59 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
60 function get_role_by_name(role_name) |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
61 return hosts[target_host].authz.get_role_by_name(role_name) |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
62 end |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
63 |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
64 function get_all_roles() |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
65 return hosts[target_host].authz.get_all_roles() |
|
308024be6d6f
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
66 end |