diff mod_authz_delegate/mod_authz_delegate.lua @ 5650:0eb2d5ea2428

merge
author Stephen Paul Weber <singpolyma@singpolyma.net>
date Sat, 06 May 2023 19:40:23 -0500
parents 98d5acb93439
children
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mod_authz_delegate/mod_authz_delegate.lua	Sat May 06 19:40:23 2023 -0500
@@ -0,0 +1,96 @@
+local target_host = assert(module:get_option("authz_delegate_to"));
+local this_host = module:get_host();
+
+local array = require"util.array";
+local jid_split = import("prosody.util.jid", "split");
+
+local hosts = prosody.hosts;
+
+function get_jids_with_role(role)  --luacheck: ignore 212/role
+	return nil
+end
+
+function get_user_role(user)
+	-- this is called where the JID belongs to the host this module is loaded on
+	-- that means we have to delegate that to get_jid_role with an appropriately composed JID
+	return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host)
+end
+
+function set_user_role(user, role_name)  --luacheck: ignore 212/user 212/role_name
+	-- no roles for entities on this host.
+	return false, "cannot set user role on delegation target"
+end
+
+function get_user_secondary_roles(user)  --luacheck: ignore 212/user
+	-- no roles for entities on this host.
+	return {}
+end
+
+function add_user_secondary_role(user, role_name)  --luacheck: ignore 212/user 212/role_name
+	-- no roles for entities on this host.
+	return nil, "cannot set user role on delegation target"
+end
+
+function remove_user_secondary_role(user, role_name)  --luacheck: ignore 212/user 212/role_name
+	-- no roles for entities on this host.
+	return nil, "cannot set user role on delegation target"
+end
+
+function user_can_assume_role(user, role_name)  --luacheck: ignore 212/user 212/role_name
+	-- no roles for entities on this host.
+	return false
+end
+
+function get_jid_role(jid)
+	local user, host = jid_split(jid);
+	if host == target_host then
+		return hosts[target_host].authz.get_user_role(user);
+	end
+	return hosts[target_host].authz.get_jid_role(jid);
+end
+
+function set_jid_role(jid)  --luacheck: ignore 212/jid
+	-- TODO: figure out if there are actually legitimate uses for this...
+	return nil, "cannot set jid role on delegation target"
+end
+
+local default_permission_queue = array{};
+
+function add_default_permission(role_name, action, policy)
+	-- NOTE: we always record default permissions, because the delegated-to
+	-- host may be re-activated.
+	default_permission_queue:push({
+		role_name = role_name,
+		action = action,
+		policy = policy,
+	});
+	local target_host_object = hosts[target_host];
+	local authz = target_host_object and target_host_object.authz;
+	if not authz then
+		module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host);
+		return;
+	end
+	return authz.add_default_permission(role_name, action, policy)
+end
+
+function get_role_by_name(role_name)
+	return hosts[target_host].authz.get_role_by_name(role_name)
+end
+
+function get_all_roles()
+	return hosts[target_host].authz.get_all_roles()
+end
+
+module:hook_global("host-activated", function(host)
+	if host == target_host then
+		local authz = hosts[target_host].authz;
+		module:log("debug", "replaying %d queued permission changes", #default_permission_queue);
+		assert(authz);
+		-- replay default permission changes, if any
+		for i, item in ipairs(default_permission_queue) do
+			authz.add_default_permission(item.role_name, item.action, item.policy);
+		end
+		-- NOTE: we do not clear that array here -- in case the target_host is
+		-- re-activated
+	end
+end, -10000)