Mercurial > prosody-modules
comparison mod_http_oauth2/mod_http_oauth2.lua @ 5449:9c19a6b8e542
mod_http_oauth2: Describe type signatures of scope handling functions
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 11 May 2023 21:41:37 +0200 |
| parents | 9d542e86e19a |
| children | d2594bbf7c36 |
comparison
equal
deleted
inserted
replaced
| 5448:9d542e86e19a | 5449:9c19a6b8e542 |
|---|---|
| 89 -- Tie it to the host if global | 89 -- Tie it to the host if global |
| 90 verification_key = hashes.hmac_sha256(registration_key, module.host); | 90 verification_key = hashes.hmac_sha256(registration_key, module.host); |
| 91 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); | 91 jwt_sign, jwt_verify = jwt.init(registration_algo, registration_key, registration_key, registration_options); |
| 92 end | 92 end |
| 93 | 93 |
| 94 -- scope : string | array | set | |
| 95 -- | |
| 96 -- at each step, allow the same or a subset of scopes | |
| 97 -- (all ( client ( grant ( token ) ) )) | |
| 98 -- preserve order since it determines role if more than one granted | |
| 99 | |
| 100 -- string -> array | |
| 94 local function parse_scopes(scope_string) | 101 local function parse_scopes(scope_string) |
| 95 return array(scope_string:gmatch("%S+")); | 102 return array(scope_string:gmatch("%S+")); |
| 96 end | 103 end |
| 97 | 104 |
| 98 local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" }); | 105 local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" }); |
| 99 | 106 |
| 107 -- array -> array, array, array | |
| 100 local function split_scopes(scope_list) | 108 local function split_scopes(scope_list) |
| 101 local claims, roles, unknown = array(), array(), array(); | 109 local claims, roles, unknown = array(), array(), array(); |
| 102 local all_roles = usermanager.get_all_roles(module.host); | 110 local all_roles = usermanager.get_all_roles(module.host); |
| 103 for _, scope in ipairs(scope_list) do | 111 for _, scope in ipairs(scope_list) do |
| 104 if openid_claims:contains(scope) then | 112 if openid_claims:contains(scope) then |
| 114 | 122 |
| 115 local function can_assume_role(username, requested_role) | 123 local function can_assume_role(username, requested_role) |
| 116 return usermanager.user_can_assume_role(username, module.host, requested_role); | 124 return usermanager.user_can_assume_role(username, module.host, requested_role); |
| 117 end | 125 end |
| 118 | 126 |
| 127 -- function (string) : function(string) : boolean | |
| 119 local function role_assumable_by(username) | 128 local function role_assumable_by(username) |
| 120 return function(role) | 129 return function(role) |
| 121 return can_assume_role(username, role); | 130 return can_assume_role(username, role); |
| 122 end | 131 end |
| 123 end | 132 end |
| 124 | 133 |
| 134 -- string, array --> array | |
| 125 local function user_assumable_roles(username, requested_roles) | 135 local function user_assumable_roles(username, requested_roles) |
| 126 return array.filter(requested_roles, role_assumable_by(username)); | 136 return array.filter(requested_roles, role_assumable_by(username)); |
| 127 end | 137 end |
| 128 | 138 |
| 139 -- string, string|nil --> string, string | |
| 129 local function filter_scopes(username, requested_scope_string) | 140 local function filter_scopes(username, requested_scope_string) |
| 130 local requested_scopes, requested_roles = split_scopes(parse_scopes(requested_scope_string or "")); | 141 local requested_scopes, requested_roles = split_scopes(parse_scopes(requested_scope_string or "")); |
| 131 | 142 |
| 132 local granted_roles = user_assumable_roles(username, requested_roles); | 143 local granted_roles = user_assumable_roles(username, requested_roles); |
| 133 local granted_scopes = requested_scopes + granted_roles; | 144 local granted_scopes = requested_scopes + granted_roles; |