author | Matthew Wild <mwild1@gmail.com> |
Tue, 16 Apr 2024 15:01:40 +0100 | |
changeset 5892 | 432efc39572f |
parent 5299 | 98d5acb93439 |
permissions | -rw-r--r-- |
5292
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
1 |
local target_host = assert(module:get_option("authz_delegate_to")); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
2 |
local this_host = module:get_host(); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
3 |
|
5299
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
4 |
local array = require"util.array"; |
5292
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
5 |
local jid_split = import("prosody.util.jid", "split"); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
6 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
7 |
local hosts = prosody.hosts; |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
8 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
9 |
function get_jids_with_role(role) --luacheck: ignore 212/role |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
10 |
return nil |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
11 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
12 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
13 |
function get_user_role(user) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
14 |
-- this is called where the JID belongs to the host this module is loaded on |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
15 |
-- that means we have to delegate that to get_jid_role with an appropriately composed JID |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
16 |
return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
17 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
18 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
19 |
function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
20 |
-- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
21 |
return false, "cannot set user role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
22 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
23 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
24 |
function get_user_secondary_roles(user) --luacheck: ignore 212/user |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
25 |
-- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
26 |
return {} |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
27 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
28 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
29 |
function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
30 |
-- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
31 |
return nil, "cannot set user role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
32 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
33 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
34 |
function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
35 |
-- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
36 |
return nil, "cannot set user role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
37 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
38 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
39 |
function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
40 |
-- no roles for entities on this host. |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
41 |
return false |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
42 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
43 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
44 |
function get_jid_role(jid) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
45 |
local user, host = jid_split(jid); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
46 |
if host == target_host then |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
47 |
return hosts[target_host].authz.get_user_role(user); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
48 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
49 |
return hosts[target_host].authz.get_jid_role(jid); |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
50 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
51 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
52 |
function set_jid_role(jid) --luacheck: ignore 212/jid |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
53 |
-- TODO: figure out if there are actually legitimate uses for this... |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
54 |
return nil, "cannot set jid role on delegation target" |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
55 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
56 |
|
5299
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
57 |
local default_permission_queue = array{}; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
58 |
|
5292
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
59 |
function add_default_permission(role_name, action, policy) |
5299
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
60 |
-- NOTE: we always record default permissions, because the delegated-to |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
61 |
-- host may be re-activated. |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
62 |
default_permission_queue:push({ |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
63 |
role_name = role_name, |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
64 |
action = action, |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
65 |
policy = policy, |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
66 |
}); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
67 |
local target_host_object = hosts[target_host]; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
68 |
local authz = target_host_object and target_host_object.authz; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
69 |
if not authz then |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
70 |
module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
71 |
return; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
72 |
end |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
73 |
return authz.add_default_permission(role_name, action, policy) |
5292
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
74 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
75 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
76 |
function get_role_by_name(role_name) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
77 |
return hosts[target_host].authz.get_role_by_name(role_name) |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
78 |
end |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
79 |
|
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
80 |
function get_all_roles() |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
81 |
return hosts[target_host].authz.get_all_roles() |
f61564b522f7
mod_authz_delegate: introduce module to "link" authorization of hosts
Jonas Schäfer <jonas@wielicki.name>
parents:
diff
changeset
|
82 |
end |
5299
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
83 |
|
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
84 |
module:hook_global("host-activated", function(host) |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
85 |
if host == target_host then |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
86 |
local authz = hosts[target_host].authz; |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
87 |
module:log("debug", "replaying %d queued permission changes", #default_permission_queue); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
88 |
assert(authz); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
89 |
-- replay default permission changes, if any |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
90 |
for i, item in ipairs(default_permission_queue) do |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
91 |
authz.add_default_permission(item.role_name, item.action, item.policy); |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
92 |
end |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
93 |
-- NOTE: we do not clear that array here -- in case the target_host is |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
94 |
-- re-activated |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
95 |
end |
98d5acb93439
mod_authz_delegate: make resistant against startup order issues
Jonas Schäfer <jonas@wielicki.name>
parents:
5292
diff
changeset
|
96 |
end, -10000) |