Mercurial > prosody-modules
annotate mod_authz_delegate/mod_authz_delegate.lua @ 5536:96dec7681af8
mod_firewall: Update user marks to store instantly via map store
The original approach was to keep marks in memory only, and persist them at
shutdown. That saves I/O, at the cost of potentially losing marks on an
unclean shutdown.
This change persists marks instantly, which may have some performance overhead
but should be more "correct".
It also splits the marking/unmarking into an event which may be watched or
even fired by other modules.
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Thu, 08 Jun 2023 16:20:42 +0100 |
parents | 98d5acb93439 |
children |
rev | line source |
---|---|
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
1 local target_host = assert(module:get_option("authz_delegate_to")); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
2 local this_host = module:get_host(); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
3 |
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
4 local array = require"util.array"; |
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
5 local jid_split = import("prosody.util.jid", "split"); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
6 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
7 local hosts = prosody.hosts; |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
8 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
9 function get_jids_with_role(role) --luacheck: ignore 212/role |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
10 return nil |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
11 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
12 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
13 function get_user_role(user) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
14 -- this is called where the JID belongs to the host this module is loaded on |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
15 -- that means we have to delegate that to get_jid_role with an appropriately composed JID |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
16 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
17 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
18 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
19 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
20 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
21 return false, "cannot set user role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
22 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
23 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
24 function get_user_secondary_roles(user) --luacheck: ignore 212/user |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
25 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
26 return {} |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
27 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
28 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
29 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
30 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
31 return nil, "cannot set user role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
32 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
33 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
34 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
35 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
36 return nil, "cannot set user role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
37 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
38 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
39 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
40 -- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
41 return false |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
42 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
43 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
44 function get_jid_role(jid) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
45 local user, host = jid_split(jid); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
46 if host == target_host then |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
47 return hosts[target_host].authz.get_user_role(user); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
48 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
49 return hosts[target_host].authz.get_jid_role(jid); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
50 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
51 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
52 function set_jid_role(jid) --luacheck: ignore 212/jid |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
53 -- TODO: figure out if there are actually legitimate uses for this... |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
54 return nil, "cannot set jid role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
55 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
56 |
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
57 local default_permission_queue = array{}; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
58 |
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
59 function add_default_permission(role_name, action, policy) |
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
60 -- NOTE: we always record default permissions, because the delegated-to |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
61 -- host may be re-activated. |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
62 default_permission_queue:push({ |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
63 role_name = role_name, |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
64 action = action, |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
65 policy = policy, |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
66 }); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
67 local target_host_object = hosts[target_host]; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
68 local authz = target_host_object and target_host_object.authz; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
69 if not authz then |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
70 module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
71 return; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
72 end |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
73 return authz.add_default_permission(role_name, action, policy) |
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
74 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
75 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
76 function get_role_by_name(role_name) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
77 return hosts[target_host].authz.get_role_by_name(role_name) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
78 end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
79 |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
80 function get_all_roles() |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
81 return hosts[target_host].authz.get_all_roles() |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
82 end |
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
83 |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
84 module:hook_global("host-activated", function(host) |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
85 if host == target_host then |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
86 local authz = hosts[target_host].authz; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
87 module:log("debug", "replaying %d queued permission changes", #default_permission_queue); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
88 assert(authz); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
89 -- replay default permission changes, if any |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
90 for i, item in ipairs(default_permission_queue) do |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
91 authz.add_default_permission(item.role_name, item.action, item.policy); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
92 end |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
93 -- NOTE: we do not clear that array here -- in case the target_host is |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
94 -- re-activated |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
95 end |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
96 end, -10000) |