Mercurial > prosody-modules
annotate mod_authz_delegate/mod_authz_delegate.lua @ 5516:f25df3af02c1
mod_client_management: Include client software version number in listing
Should you ever wish to revoke a client by version number, e.g. for
security reasons affecting certain versions, then it would be good to at
the very least see which version is used.
Also includes the OAuth2 software ID, an optional unique identifier that
should be the same for all installations of a particular software.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sat, 03 Jun 2023 19:21:39 +0200 |
| parents | 98d5acb93439 |
| children |
| rev | line source |
|---|---|
|
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
1 local target_host = assert(module:get_option("authz_delegate_to")); |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
2 local this_host = module:get_host(); |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
3 |
|
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
4 local array = require"util.array"; |
|
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
5 local jid_split = import("prosody.util.jid", "split"); |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
6 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
7 local hosts = prosody.hosts; |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
8 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
9 function get_jids_with_role(role) --luacheck: ignore 212/role |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
10 return nil |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
11 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
12 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
13 function get_user_role(user) |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
14 -- this is called where the JID belongs to the host this module is loaded on |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
15 -- that means we have to delegate that to get_jid_role with an appropriately composed JID |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
16 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host) |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
17 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
18 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
19 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
20 -- no roles for entities on this host. |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
21 return false, "cannot set user role on delegation target" |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
22 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
23 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
24 function get_user_secondary_roles(user) --luacheck: ignore 212/user |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
25 -- no roles for entities on this host. |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
26 return {} |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
27 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
28 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
29 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
30 -- no roles for entities on this host. |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
31 return nil, "cannot set user role on delegation target" |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
32 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
33 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
34 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
35 -- no roles for entities on this host. |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
36 return nil, "cannot set user role on delegation target" |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
37 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
38 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
39 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
40 -- no roles for entities on this host. |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
41 return false |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
42 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
43 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
44 function get_jid_role(jid) |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
45 local user, host = jid_split(jid); |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
46 if host == target_host then |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
47 return hosts[target_host].authz.get_user_role(user); |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
48 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
49 return hosts[target_host].authz.get_jid_role(jid); |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
50 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
51 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
52 function set_jid_role(jid) --luacheck: ignore 212/jid |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
53 -- TODO: figure out if there are actually legitimate uses for this... |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
54 return nil, "cannot set jid role on delegation target" |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
55 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
56 |
|
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
57 local default_permission_queue = array{}; |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
58 |
|
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
59 function add_default_permission(role_name, action, policy) |
|
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
60 -- NOTE: we always record default permissions, because the delegated-to |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
61 -- host may be re-activated. |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
62 default_permission_queue:push({ |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
63 role_name = role_name, |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
64 action = action, |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
65 policy = policy, |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
66 }); |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
67 local target_host_object = hosts[target_host]; |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
68 local authz = target_host_object and target_host_object.authz; |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
69 if not authz then |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
70 module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host); |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
71 return; |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
72 end |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
73 return authz.add_default_permission(role_name, action, policy) |
|
5288
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
74 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
75 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
76 function get_role_by_name(role_name) |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
77 return hosts[target_host].authz.get_role_by_name(role_name) |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
78 end |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
79 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
80 function get_all_roles() |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
81 return hosts[target_host].authz.get_all_roles() |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
82 end |
|
5295
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
83 |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
84 module:hook_global("host-activated", function(host) |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
85 if host == target_host then |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
86 local authz = hosts[target_host].authz; |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
87 module:log("debug", "replaying %d queued permission changes", #default_permission_queue); |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
88 assert(authz); |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
89 -- replay default permission changes, if any |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
90 for i, item in ipairs(default_permission_queue) do |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
91 authz.add_default_permission(item.role_name, item.action, item.policy); |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
92 end |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
93 -- NOTE: we do not clear that array here -- in case the target_host is |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
94 -- re-activated |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
95 end |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5288
diff
changeset
|
96 end, -10000) |