comparison mod_authz_delegate/mod_authz_delegate.lua @ 5288:f61564b522f7

mod_authz_delegate: introduce module to "link" authorization of hosts See the readme :-). Motivation is allowing Snikket admins to change circle avatars via the web portal without bypassing Prosody access checks.
author Jonas Schäfer <jonas@wielicki.name>
date Wed, 29 Mar 2023 17:21:45 +0200
parents
children 98d5acb93439
5284:5178c13deb78 5288:f61564b522f7
1 local target_host = assert(module:get_option("authz_delegate_to"));
2 local this_host = module:get_host();
3
4 local jid_split = import("prosody.util.jid", "split");
5
6 local hosts = prosody.hosts;
7
8 function get_jids_with_role(role) --luacheck: ignore 212/role
9 return nil
10 end
11
12 function get_user_role(user)
13 -- this is called where the JID belongs to the host this module is loaded on
14 -- that means we have to delegate that to get_jid_role with an appropriately composed JID
15 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host)
16 end
17
18 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name
19 -- no roles for entities on this host.
20 return false, "cannot set user role on delegation target"
21 end
22
23 function get_user_secondary_roles(user) --luacheck: ignore 212/user
24 -- no roles for entities on this host.
25 return {}
26 end
27
28 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
29 -- no roles for entities on this host.
30 return nil, "cannot set user role on delegation target"
31 end
32
33 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name
34 -- no roles for entities on this host.
35 return nil, "cannot set user role on delegation target"
36 end
37
38 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name
39 -- no roles for entities on this host.
40 return false
41 end
42
43 function get_jid_role(jid)
44 local user, host = jid_split(jid);
45 if host == target_host then
46 return hosts[target_host].authz.get_user_role(user);
47 end
48 return hosts[target_host].authz.get_jid_role(jid);
49 end
50
51 function set_jid_role(jid) --luacheck: ignore 212/jid
52 -- TODO: figure out if there are actually legitimate uses for this...
53 return nil, "cannot set jid role on delegation target"
54 end
55
56 function add_default_permission(role_name, action, policy)
57 return hosts[target_host].authz.add_default_permission(role_name, action, policy)
58 end
59
60 function get_role_by_name(role_name)
61 return hosts[target_host].authz.get_role_by_name(role_name)
62 end
63
64 function get_all_roles()
65 return hosts[target_host].authz.get_all_roles()
66 end
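Review bot: The only load-time check on `authz_delegate_to` is the `assert` on line 1 that it is set, yet every forwarding function dereferences `hosts[target_host].authz` unguarded. If the option names this host, `get_user_role` and `get_jid_role` would presumably call each other without end (assuming this module is the host's authz provider), and if it names a host that is not loaded, each role lookup fails with a nil-index error rather than a clear configuration message. I would add `assert(target_host ~= this_host, "authz_delegate_to must name a different host")` after line 2 and have the forwarders return `nil, "delegation target not available"` when `hosts[target_host]` is nil, so a lookup that cannot be delegated yields no role. Separately, `add_default_permission` writes into the target host's policy, so any module loaded on this host can change what roles are allowed to do there; a comment stating that this is intended would make the trust boundary explicit.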