plugins/mod_authz_internal.lua
author Matthew Wild <mwild1@gmail.com>
Wed, 15 Jun 2022 12:15:01 +0100
changeset 12646 9061f9621330
parent 11749 3a2d58a39872
child 12652 f299e570a0fe
permissions -rw-r--r--
Switch to a new role-based authorization framework, removing is_admin()

We began moving away from simple "is this user an admin?" permission checks before 0.12, with the introduction of mod_authz_internal and the ability to dynamically change the roles of individual users.

The approach in 0.12 still had various limitations however, and apart from the introduction of roles other than "admin" and the ability to pull that info from storage, not much actually changed.

This new framework shakes things up a lot, though aims to maintain the same functionality and behaviour on the surface for a default Prosody configuration. That is, if you don't take advantage of any of the new features, you shouldn't notice any change.

The biggest change visible to developers is that usermanager.is_admin() (and the auth provider is_admin() method) have been removed. Gone. Completely.

Permission checks should now be performed using a new module API method:

  module:may(action_name, context)

This method accepts an action name, followed by either a JID (string) or (preferably) a table containing 'origin'/'session' and 'stanza' fields (e.g. the standard object passed to most events). It will return true if the action should be permitted, or false/nil otherwise.

Modules should no longer perform permission checks based on the role name. E.g. a lot of code previously checked if the user's role was prosody:admin before permitting some action. Since many roles might now exist with similar permissions, and the permissions of prosody:admin may be redefined dynamically, it is no longer suitable to use this method for permission checks. Use module:may().

If you start an action name with ':' (recommended) then the current module's name will automatically be used as a prefix.

To define a new permission, use the new module API:

  module:default_permission(role_name, action_name)
  module:default_permissions(role_name, { action_name[, action_name...] })

This grants the specified role permission to execute the named action(s) by default. This may be overridden via other mechanisms external to your module.

The built-in roles that developers should use are:

  - prosody:user (normal user)
  - prosody:admin (host admin)
  - prosody:operator (global admin)

The new prosody:operator role is intended for server-wide actions (such as shutting down Prosody).

Finally, all usage of is_admin() in modules has been fixed by this commit. Some of these changes were trickier than others, but no change is expected to break existing deployments. EXCEPT: mod_auth_ldap no longer supports the ldap_admin_filter option. It's very possible nobody is using this, but if someone is then we can later update it to pull roles from LDAP somehow.
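The developer-facing API the commit message describes, as an added example of a module written against it. This is illustration code for this page, not code from Prosody or from this changeset; the module name mod_example_broadcast, its XML namespace and the action names are assumptions made for the example. It declares two actions with role defaults and gates every use of them with module:may(), never with a role-name comparison.

```lua
-- mod_example_broadcast.lua (hypothetical module; added example, not Prosody code)
--
-- Shows the authorization API this changeset introduces: a module declares the
-- actions it gates and which built-in roles get them by default, then checks
-- module:may() at the point of use. Nothing here compares role names.
local st = require "util.stanza";
local jid_bare = require "util.jid".bare;

-- Namespace and action names are made up for this example.
local xmlns_broadcast = "urn:example:broadcast:0";

-- Action names starting with ':' are prefixed with this module's name, so
-- ":send" is registered as "example_broadcast:send". These are *defaults*:
-- a deployment can grant or revoke them per role without touching this file.
module:default_permission("prosody:admin", ":send");
module:default_permissions("prosody:user", { ":read-log"; ":list-recipients" });

local broadcast_log = {};

-- <iq type='set' to='example.com'><broadcast xmlns='urn:example:broadcast:0'>..</broadcast></iq>
module:hook("iq-set/host/"..xmlns_broadcast..":broadcast", function (event)
	local origin, stanza = event.origin, event.stanza;

	-- The event table (origin + stanza) is the preferred context. module:may()
	-- resolves the actor's role and walks the role's include chain, so a
	-- prosody:operator is permitted here because that role includes
	-- prosody:admin, and a custom role granted "example_broadcast:send" by
	-- the deployment is permitted too. A name check against "prosody:admin"
	-- would wrongly reject both.
	if not module:may(":send", event) then
		origin.send(st.error_reply(stanza, "auth", "forbidden"));
		return true;
	end

	local text = stanza.tags[1]:get_text();
	table.insert(broadcast_log, { from = jid_bare(stanza.attr.from), text = text });
	module:log("info", "Broadcast from %s: %s", stanza.attr.from, text);
	origin.send(st.reply(stanza));
	return true;
end);

-- <iq type='get' to='example.com'><log xmlns='urn:example:broadcast:0'/></iq>
-- Granted to prosody:user, hence (via inclusion) to admins and operators, but
-- not to prosody:restricted, which includes nothing and so gets the implicit
-- deny that a role returns for an action no role in its chain mentions.
module:hook("iq-get/host/"..xmlns_broadcast..":log", function (event)
	local origin, stanza = event.origin, event.stanza;
	if not module:may(":read-log", event) then
		origin.send(st.error_reply(stanza, "auth", "forbidden"));
		return true;
	end

	-- The context may also be a bare JID string; useful where there is no
	-- session or stanza at hand. Here the client is told up front whether it
	-- would be allowed to broadcast.
	local can_send = module:may(":send", jid_bare(stanza.attr.from)) and "true" or "false";

	local reply = st.reply(stanza):tag("log", { xmlns = xmlns_broadcast, ["can-send"] = can_send });
	for _, entry in ipairs(broadcast_log) do
		reply:tag("entry", { from = entry.from }):text(entry.text):up();
	end
	origin.send(reply);
	return true;
end);

module:add_feature(xmlns_broadcast);
```

Dropped into a Prosody modules directory and enabled like any other module, the two hooks exercise both context forms accepted by module:may(). The point to check when reviewing a module migrated to this API is that no code path still consults role.name or the old is_admin(): with the include chain in mod_authz_internal, an operator is not named "prosody:admin" yet must pass every check an admin passes.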
local array = require "util.array";
local it = require "util.iterators";
local set = require "util.set";
local jid_split, jid_bare = require "util.jid".split, require "util.jid".bare;
local normalize = require "util.jid".prep;
local config_global_admin_jids = module:context("*"):get_option_set("admins", {}) / normalize;
local config_admin_jids = module:get_option_inherited_set("admins", {}) / normalize;
local host = module.host;
local role_store = module:open_store("roles");
local role_map_store = module:open_store("roles", "map");

local role_methods = {};
local role_mt = { __index = role_methods };

local role_registry = {
	["prosody:operator"] = {
		default = true;
		priority = 75;
		includes = { "prosody:admin" };
	};
	["prosody:admin"] = {
		default = true;
		priority = 50;
		includes = { "prosody:user" };
	};
	["prosody:user"] = {
		default = true;
		priority = 25;
		includes = { "prosody:restricted" };
	};
	["prosody:restricted"] = {
		default = true;
		priority = 15;
	};
};

-- Some processing on the role registry
for role_name, role_info in pairs(role_registry) do
	role_info.name = role_name;
	role_info.includes = set.new(role_info.includes) / function (included_role_name)
		return role_registry[included_role_name];
	end;
	if not role_info.permissions then
		role_info.permissions = {};
	end
	setmetatable(role_info, role_mt);
end

function role_methods:may(action, context)
	local policy = self.permissions[action];
	if policy ~= nil then
		return policy;
	end
	for inherited_role in self.includes do
		module:log("debug", "Checking included role '%s' for %s", inherited_role.name, action);
		policy = inherited_role:may(action, context);
		if policy ~= nil then
			return policy;
		end
	end
	return false;
end

-- Public API

local config_operator_role_set = {
	["prosody:operator"] = role_registry["prosody:operator"];
};
local config_admin_role_set = {
	["prosody:admin"] = role_registry["prosody:admin"];
};

function get_user_roles(user)
	local bare_jid = user.."@"..host;
	if config_global_admin_jids:contains(bare_jid) then
		return config_operator_role_set;
	elseif config_admin_jids:contains(bare_jid) then
		return config_admin_role_set;
	end
	local role_names = role_store:get(user);
	if not role_names then return {}; end
	local roles = {};
	for role_name in pairs(role_names) do
		roles[role_name] = role_registry[role_name];
	end
	return roles;
end

function set_user_roles(user, roles)
	role_store:set(user, roles)
	return true;
end

function get_user_default_role(user)
	local roles = get_user_roles(user);
	if not roles then return nil; end
	local default_role;
	for role_name, role_info in pairs(roles) do --luacheck: ignore 213/role_name
		if role_info.default and (not default_role or role_info.priority > default_role.priority) then
			default_role = role_info;
		end
	end
	if not default_role then return nil; end
	return default_role;
end

function get_users_with_role(role_name)
	local storage_role_users = it.to_array(it.keys(role_map_store:get_all(role_name) or {}));
	local config_set;
	if role_name == "prosody:admin" then
		config_set = config_admin_jids;
	elseif role_name == "prosody:operator" then
		config_set = config_global_admin_jids;
	end
	if config_set then
		local config_admin_users = config_set / function (admin_jid)
			local j_node, j_host = jid_split(admin_jid);
			if j_host == host then
				return j_node;
			end
		end;
		return it.to_array(config_admin_users + set.new(storage_role_users));
	end
	return storage_role_users;
end

function get_jid_role(jid)
	local bare_jid = jid_bare(jid);
	if config_global_admin_jids:contains(bare_jid) then
		return role_registry["prosody:operator"];
	elseif config_admin_jids:contains(bare_jid) then
		return role_registry["prosody:admin"];
	end
	return nil;
end

function set_jid_role(jid) -- luacheck: ignore 212
	return false;
end

function get_jids_with_role(role_name)
	-- Fetch role users from storage
	local storage_role_jids = array.map(get_users_with_role(role_name), function (username)
		return username.."@"..host;
	end);
	if role_name == "prosody:admin" then
		return it.to_array(config_admin_jids + set.new(storage_role_jids));
	elseif role_name == "prosody:operator" then
		return it.to_array(config_global_admin_jids + set.new(storage_role_jids));
	end
	return storage_role_jids;
end

function add_default_permission(role_name, action, policy)
	local role = role_registry[role_name];
	if not role then
		module:log("warn", "Attempt to add default permission for unknown role: %s", role_name);
		return nil, "no-such-role";
	end
	if role.permissions[action] == nil then
		if policy == nil then
			policy = true;
		end
		module:log("debug", "Adding permission, role '%s' may '%s': %s", role_name, action, policy and "allow" or "deny");
		role.permissions[action] = policy;
	end
	return true;
end

function get_role_info(role_name)
	return role_registry[role_name];
end