annotate mod_authz_delegate/mod_authz_delegate.lua @ 5424:b45d9a81b3da

mod_http_oauth2: Revert role selector, going to try something else Back out f2c7bb3af600 Allowing only a single role to be encoded into the grant takes away the possibility of having multiple roles in the grant, one of which is selected when issuing an access token. It also takes away the ability to have zero roles granted, which could be useful e.g. when you only need OIDC scopes.
author Kim Alvefur <zash@zash.se>
date Sun, 07 May 2023 19:40:57 +0200
parents 98d5acb93439
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
5288
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
1 local target_host = assert(module:get_option("authz_delegate_to"));
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
2 local this_host = module:get_host();
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
3
5295
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
4 local array = require"util.array";
5288
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
5 local jid_split = import("prosody.util.jid", "split");
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
6
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
7 local hosts = prosody.hosts;
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
8
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
9 function get_jids_with_role(role) --luacheck: ignore 212/role
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
10 return nil
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
11 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
12
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
13 function get_user_role(user)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
14 -- this is called where the JID belongs to the host this module is loaded on
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
15 -- that means we have to delegate that to get_jid_role with an appropriately composed JID
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
16 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
17 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
18
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
19 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
20 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
21 return false, "cannot set user role on delegation target"
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
22 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
23
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
24 function get_user_secondary_roles(user) --luacheck: ignore 212/user
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
25 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
26 return {}
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
27 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
28
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
29 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
30 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
31 return nil, "cannot set user role on delegation target"
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
32 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
33
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
34 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
35 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
36 return nil, "cannot set user role on delegation target"
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
37 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
38
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
39 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
40 -- no roles for entities on this host.
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
41 return false
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
42 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
43
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
44 function get_jid_role(jid)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
45 local user, host = jid_split(jid);
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
46 if host == target_host then
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
47 return hosts[target_host].authz.get_user_role(user);
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
48 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
49 return hosts[target_host].authz.get_jid_role(jid);
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
50 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
51
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
52 function set_jid_role(jid) --luacheck: ignore 212/jid
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
53 -- TODO: figure out if there are actually legitimate uses for this...
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
54 return nil, "cannot set jid role on delegation target"
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
55 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
56
5295
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
57 local default_permission_queue = array{};
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
58
5288
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
59 function add_default_permission(role_name, action, policy)
5295
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
60 -- NOTE: we always record default permissions, because the delegated-to
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
61 -- host may be re-activated.
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
62 default_permission_queue:push({
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
63 role_name = role_name,
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
64 action = action,
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
65 policy = policy,
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
66 });
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
67 local target_host_object = hosts[target_host];
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
68 local authz = target_host_object and target_host_object.authz;
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
69 if not authz then
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
70 module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host);
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
71 return;
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
72 end
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
73 return authz.add_default_permission(role_name, action, policy)
5288
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
74 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
75
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
76 function get_role_by_name(role_name)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
77 return hosts[target_host].authz.get_role_by_name(role_name)
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
78 end
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
79
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
80 function get_all_roles()
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
81 return hosts[target_host].authz.get_all_roles()
f61564b522f7 mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff changeset
82 end
5295
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
83
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
84 module:hook_global("host-activated", function(host)
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
85 if host == target_host then
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
86 local authz = hosts[target_host].authz;
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
87 module:log("debug", "replaying %d queued permission changes", #default_permission_queue);
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
88 assert(authz);
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
89 -- replay default permission changes, if any
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
90 for i, item in ipairs(default_permission_queue) do
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
91 authz.add_default_permission(item.role_name, item.action, item.policy);
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
92 end
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
93 -- NOTE: we do not clear that array here -- in case the target_host is
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
94 -- re-activated
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
95 end
98d5acb93439 mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents: 5288
diff changeset
96 end, -10000)