prosody-modules: mod_authz_delegate/mod_authz

annotate mod_authz_delegate/mod_authz_delegate.lua @ 5290:dddac5a3f447

mod_vcard_muc: take roles into account for access check This allows admins on the MUC component to force-set avatars, even if they are not owners in a particular MUC, similar to how they are granted auto-ownership in other contexts.

author	Jonas Schäfer <jonas@wielicki.name>
date	Wed, 29 Mar 2023 17:52:21 +0200
parents	308024be6d6f
children	98d5acb93439

rev	line source
5289 308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	1 local target_host = assert(module:get_option("authz_delegate_to"));
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	2 local this_host = module:get_host();
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	3
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	4 local jid_split = import("prosody.util.jid", "split");
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	5
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	6 local hosts = prosody.hosts;
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	7
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	8 function get_jids_with_role(role) --luacheck: ignore 212/role
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	9 return nil
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	10 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	11
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	12 function get_user_role(user)
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	13 -- this is called where the JID belongs to the host this module is loaded on
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	14 -- that means we have to delegate that to get_jid_role with an appropriately composed JID
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	15 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host)
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	16 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	17
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	18 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	19 -- no roles for entities on this host.
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	20 return false, "cannot set user role on delegation target"
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	21 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	22
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	23 function get_user_secondary_roles(user) --luacheck: ignore 212/user
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	24 -- no roles for entities on this host.
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	25 return {}
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	26 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	27
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	28 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	29 -- no roles for entities on this host.
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	30 return nil, "cannot set user role on delegation target"
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	31 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	32
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	33 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	34 -- no roles for entities on this host.
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	35 return nil, "cannot set user role on delegation target"
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	36 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	37
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	38 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	39 -- no roles for entities on this host.
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	40 return false
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	41 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	42
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	43 function get_jid_role(jid)
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	44 local user, host = jid_split(jid);
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	45 if host == target_host then
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	46 return hosts[target_host].authz.get_user_role(user);
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	47 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	48 return hosts[target_host].authz.get_jid_role(jid);
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	49 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	50
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	51 function set_jid_role(jid) --luacheck: ignore 212/jid
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	52 -- TODO: figure out if there are actually legitimate uses for this...
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	53 return nil, "cannot set jid role on delegation target"
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	54 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	55
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	56 function add_default_permission(role_name, action, policy)
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	57 return hosts[target_host].authz.add_default_permission(role_name, action, policy)
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	58 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	59
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	60 function get_role_by_name(role_name)
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	61 return hosts[target_host].authz.get_role_by_name(role_name)
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	62 end
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	63
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	64 function get_all_roles()
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	65 return hosts[target_host].authz.get_all_roles()
308024be6d6f mod_authz_delegate: introduce module to "link" authorization of hosts Jonas Schäfer <jonas@wielicki.name> parents: diff changeset	66 end

Mercurial > prosody-modules

annotate mod_authz_delegate/mod_authz_delegate.lua @ 5290:dddac5a3f447