Kim Alvefur <zash@zash.se> [Thu, 18 Aug 2022 15:42:07 +0200] rev 12671
core.usermanager: Update argument name in authz fallback method
It's not plural
Kim Alvefur <zash@zash.se> [Thu, 18 Aug 2022 15:38:18 +0200] rev 12670
core.usermanager: Remove obsolete authz fallback method
Kim Alvefur <zash@zash.se> [Thu, 18 Aug 2022 14:10:21 +0200] rev 12669
core.usermanager: Add missing methods to fallback authz provider
Kim Alvefur <zash@zash.se> [Thu, 18 Aug 2022 14:07:54 +0200] rev 12668
core.usermanager: Add scoped luacheck ignore rule to reduce clutter
Matthew Wild <mwild1@gmail.com> [Thu, 18 Aug 2022 10:37:59 +0100] rev 12667
mod_authz_internal: Expose convenience method to test if user can assume role
Matthew Wild <mwild1@gmail.com> [Wed, 17 Aug 2022 16:38:53 +0100] rev 12666
mod_authz_internal, and more: New iteration of role API
These changes to the API (hopefully the last) introduce a cleaner separation
between the user's primary (default) role, and their secondary (optional)
roles.
To keep the code sane and reduce complexity, a data migration is needed for
people using stored roles in 0.12. This can be performed with
prosodyctl mod_authz_internal migrate <host>
Kim Alvefur <zash@zash.se> [Fri, 12 Aug 2022 22:09:09 +0200] rev 12665
util.roles: Add Teal interface declaration
Kim Alvefur <zash@zash.se> [Mon, 15 Aug 2022 16:36:00 +0200] rev 12664
mod_admin_shell: Show session role in c2s:show
Matthew Wild <mwild1@gmail.com> [Mon, 15 Aug 2022 15:25:07 +0100] rev 12663
usermanager: Add back temporary is_admin to warn about deprecated API usage
Goal: Introduce role-auth with minimal disruption
is_admin() is unsafe in a system with per-session permissions, so it has been
deprecated.
Roll-out approach:
1) First, log a warning when is_admin() is used. It should continue to
function normally, backed by the new role API. Nothing is really using
per-session authz yet, so there is minimal security concern.
The 'strict_deprecate_is_admin' global setting can be set to 'true' to
force a hard failure of is_admin() attempts (it will log an error and
always return false).
2) In some time (at least 1 week), but possibly longer depending on the number
of affected deployments: switch 'strict_deprecate_is_admin' to 'true' by
default. It can still be disabled for systems that need it.
3) Further in the future, before the next release, the option will be removed
and is_admin() will be permanently disabled.
Matthew Wild <mwild1@gmail.com> [Fri, 12 Aug 2022 16:21:57 +0100] rev 12662
usermanager: Remove concept of global authz provider
Rationale:
- Removes a bunch of code!
- We don't have many cases where an actor is not bound to one of our hosts
- A notable exception is the admin shell, but if we ever attempt to lock those
sessions down, there is a load of other work that also has to be done. And
it's not clear if we would need a global authz provider for that anyway.
- Removes an extra edge case from the necessary mental model for operators
- Sessions that aren't bound to a host generally are anonymous or have an
alternative auth model (such as by IP address).
- With the encapsulation now provided by util.roles, ad-hoc "detached roles"
can still be created anyway by code that needs them.