author | Matthew Wild <mwild1@gmail.com> |
Wed, 15 Jun 2022 12:15:01 +0100 | |
changeset 12646 | 9061f9621330 |
parent 11749 | 3a2d58a39872 |
child 12652 | f299e570a0fe |
permissions | -rw-r--r-- |
11749
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
1 |
local array = require "util.array"; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
2 |
local it = require "util.iterators"; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
3 |
local set = require "util.set"; |
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
4 |
local jid_split, jid_bare = require "util.jid".split, require "util.jid".bare; |
10663
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
5 |
local normalize = require "util.jid".prep; |
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
6 |
local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize; |
11749
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
7 |
local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize; |
10663
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
8 |
local host = module.host; |
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
9 |
local role_store = module:open_store("roles"); |
11749
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
10 |
local role_map_store = module:open_store("roles", "map"); |
10663
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
11 |
|
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
12 |
local role_methods = {}; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
13 |
local role_mt = { __index = role_methods }; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
14 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
15 |
local role_registry = { |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
16 |
["prosody:operator"] = { |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
17 |
default = true; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
18 |
priority = 75; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
19 |
includes = { "prosody:admin" }; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
20 |
}; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
21 |
["prosody:admin"] = { |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
22 |
default = true; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
23 |
priority = 50; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
24 |
includes = { "prosody:user" }; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
25 |
}; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
26 |
["prosody:user"] = { |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
27 |
default = true; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
28 |
priority = 25; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
29 |
includes = { "prosody:restricted" }; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
30 |
}; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
31 |
["prosody:restricted"] = { |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
32 |
default = true; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
33 |
priority = 15; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
34 |
}; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
35 |
}; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
36 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
37 |
-- Some processing on the role registry |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
38 |
for role_name, role_info in pairs(role_registry) do |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
39 |
role_info.name = role_name; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
40 |
role_info.includes = set.new(role_info.includes) / function (included_role_name) |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
41 |
return role_registry[included_role_name]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
42 |
end; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
43 |
if not role_info.permissions then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
44 |
role_info.permissions = {}; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
45 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
46 |
setmetatable(role_info, role_mt); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
47 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
48 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
49 |
function role_methods:may(action, context) |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
50 |
local policy = self.permissions[action]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
51 |
if policy ~= nil then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
52 |
return policy; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
53 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
54 |
for inherited_role in self.includes do |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
55 |
module:log("debug", "Checking included role '%s' for %s", inherited_role.name, action); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
56 |
policy = inherited_role:may(action, context); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
57 |
if policy ~= nil then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
58 |
return policy; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
59 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
60 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
61 |
return false; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
62 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
63 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
64 |
-- Public API |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
65 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
66 |
local config_operator_role_set = { |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
67 |
["prosody:operator"] = role_registry["prosody:operator"]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
68 |
}; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
69 |
local config_admin_role_set = { |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
70 |
["prosody:admin"] = role_registry["prosody:admin"]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
71 |
}; |
10663
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
72 |
|
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
73 |
function get_user_roles(user) |
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
74 |
local bare_jid = user.."@"..host; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
75 |
if config_global_admin_jids:contains(bare_jid) then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
76 |
return config_operator_role_set; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
77 |
elseif config_admin_jids:contains(bare_jid) then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
78 |
return config_admin_role_set; |
10663
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
79 |
end |
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
80 |
local role_names = role_store:get(user); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
81 |
if not role_names then return {}; end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
82 |
local roles = {}; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
83 |
for role_name in pairs(role_names) do |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
84 |
roles[role_name] = role_registry[role_name]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
85 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
86 |
return roles; |
10663
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
87 |
end |
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
88 |
|
11476
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10663
diff
changeset
|
89 |
function set_user_roles(user, roles) |
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10663
diff
changeset
|
90 |
role_store:set(user, roles) |
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10663
diff
changeset
|
91 |
return true; |
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10663
diff
changeset
|
92 |
end |
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10663
diff
changeset
|
93 |
|
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
94 |
function get_user_default_role(user) |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
95 |
local roles = get_user_roles(user); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
96 |
if not roles then return nil; end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
97 |
local default_role; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
98 |
for role_name, role_info in pairs(roles) do --luacheck: ignore 213/role_name |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
99 |
if role_info.default and (not default_role or role_info.priority > default_role.priority) then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
100 |
default_role = role_info; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
101 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
102 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
103 |
if not default_role then return nil; end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
104 |
return default_role; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
105 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
106 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
107 |
function get_users_with_role(role_name) |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
108 |
local storage_role_users = it.to_array(it.keys(role_map_store:get_all(role_name) or {})); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
109 |
local config_set; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
110 |
if role_name == "prosody:admin" then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
111 |
config_set = config_admin_jids; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
112 |
elseif role_name == "prosody:operator" then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
113 |
config_set = config_global_admin_jids; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
114 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
115 |
if config_set then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
116 |
local config_admin_users = config_set / function (admin_jid) |
11749
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
117 |
local j_node, j_host = jid_split(admin_jid); |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
118 |
if j_host == host then |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
119 |
return j_node; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
120 |
end |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
121 |
end; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
122 |
return it.to_array(config_admin_users + set.new(storage_role_users)); |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
123 |
end |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
124 |
return storage_role_users; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
125 |
end |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
126 |
|
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
127 |
function get_jid_role(jid) |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
128 |
local bare_jid = jid_bare(jid); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
129 |
if config_global_admin_jids:contains(bare_jid) then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
130 |
return role_registry["prosody:operator"]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
131 |
elseif config_admin_jids:contains(bare_jid) then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
132 |
return role_registry["prosody:admin"]; |
10663
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
133 |
end |
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
134 |
return nil; |
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
135 |
end |
8f95308c3c45
usermanager, mod_authz_*: Merge mod_authz_config and mod_authz_internal into the latter
Matthew Wild <mwild1@gmail.com>
parents:
diff
changeset
|
136 |
|
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
137 |
function set_jid_role(jid) -- luacheck: ignore 212 |
11476
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10663
diff
changeset
|
138 |
return false; |
c32753ceb0f0
mod_authz_internal: add support for setting roles of a local user
Jonas Schäfer <jonas@wielicki.name>
parents:
10663
diff
changeset
|
139 |
end |
11749
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
140 |
|
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
141 |
function get_jids_with_role(role_name) |
11749
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
142 |
-- Fetch role users from storage |
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
143 |
local storage_role_jids = array.map(get_users_with_role(role_name), function (username) |
11749
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
144 |
return username.."@"..host; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
145 |
end); |
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
146 |
if role_name == "prosody:admin" then |
11749
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
147 |
return it.to_array(config_admin_jids + set.new(storage_role_jids)); |
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
148 |
elseif role_name == "prosody:operator" then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
149 |
return it.to_array(config_global_admin_jids + set.new(storage_role_jids)); |
11749
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
150 |
end |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
151 |
return storage_role_jids; |
3a2d58a39872
usermanager, mod_authz_internal: Add methods to fetch users/JIDs of given role
Matthew Wild <mwild1@gmail.com>
parents:
11478
diff
changeset
|
152 |
end |
12646
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
153 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
154 |
function add_default_permission(role_name, action, policy) |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
155 |
local role = role_registry[role_name]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
156 |
if not role then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
157 |
module:log("warn", "Attempt to add default permission for unknown role: %s", role_name); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
158 |
return nil, "no-such-role"; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
159 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
160 |
if role.permissions[action] == nil then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
161 |
if policy == nil then |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
162 |
policy = true; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
163 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
164 |
module:log("debug", "Adding permission, role '%s' may '%s': %s", role_name, action, policy and "allow" or "deny"); |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
165 |
role.permissions[action] = policy; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
166 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
167 |
return true; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
168 |
end |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
169 |
|
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
170 |
function get_role_info(role_name) |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
171 |
return role_registry[role_name]; |
9061f9621330
Switch to a new role-based authorization framework, removing is_admin()
Matthew Wild <mwild1@gmail.com>
parents:
11749
diff
changeset
|
172 |
end |