Mercurial > prosody-modules
comparison mod_authz_delegate/mod_authz_delegate.lua @ 5650:0eb2d5ea2428
merge
| author | Stephen Paul Weber <singpolyma@singpolyma.net> |
|---|---|
| date | Sat, 06 May 2023 19:40:23 -0500 |
| parents | 98d5acb93439 |
| children | 6ebda1e5b4f3 |
comparison
equal
deleted
inserted
replaced
| 5649:2c69577b28c2 | 5650:0eb2d5ea2428 |
|---|---|
| 1 local target_host = assert(module:get_option("authz_delegate_to")); | |
| 2 local this_host = module:get_host(); | |
| 3 | |
| 4 local array = require"util.array"; | |
| 5 local jid_split = import("prosody.util.jid", "split"); | |
| 6 | |
| 7 local hosts = prosody.hosts; | |
| 8 | |
| 9 function get_jids_with_role(role) --luacheck: ignore 212/role | |
| 10 return nil | |
| 11 end | |
| 12 | |
| 13 function get_user_role(user) | |
| 14 -- this is called where the JID belongs to the host this module is loaded on | |
| 15 -- that means we have to delegate that to get_jid_role with an appropriately composed JID | |
| 16 return hosts[target_host].authz.get_jid_role(user .. "@" .. this_host) | |
| 17 end | |
| 18 | |
| 19 function set_user_role(user, role_name) --luacheck: ignore 212/user 212/role_name | |
| 20 -- no roles for entities on this host. | |
| 21 return false, "cannot set user role on delegation target" | |
| 22 end | |
| 23 | |
| 24 function get_user_secondary_roles(user) --luacheck: ignore 212/user | |
| 25 -- no roles for entities on this host. | |
| 26 return {} | |
| 27 end | |
| 28 | |
| 29 function add_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name | |
| 30 -- no roles for entities on this host. | |
| 31 return nil, "cannot set user role on delegation target" | |
| 32 end | |
| 33 | |
| 34 function remove_user_secondary_role(user, role_name) --luacheck: ignore 212/user 212/role_name | |
| 35 -- no roles for entities on this host. | |
| 36 return nil, "cannot set user role on delegation target" | |
| 37 end | |
| 38 | |
| 39 function user_can_assume_role(user, role_name) --luacheck: ignore 212/user 212/role_name | |
| 40 -- no roles for entities on this host. | |
| 41 return false | |
| 42 end | |
| 43 | |
| 44 function get_jid_role(jid) | |
| 45 local user, host = jid_split(jid); | |
| 46 if host == target_host then | |
| 47 return hosts[target_host].authz.get_user_role(user); | |
| 48 end | |
| 49 return hosts[target_host].authz.get_jid_role(jid); | |
| 50 end | |
| 51 | |
| 52 function set_jid_role(jid) --luacheck: ignore 212/jid | |
| 53 -- TODO: figure out if there are actually legitimate uses for this... | |
| 54 return nil, "cannot set jid role on delegation target" | |
| 55 end | |
| 56 | |
| 57 local default_permission_queue = array{}; | |
| 58 | |
| 59 function add_default_permission(role_name, action, policy) | |
| 60 -- NOTE: we always record default permissions, because the delegated-to | |
| 61 -- host may be re-activated. | |
| 62 default_permission_queue:push({ | |
| 63 role_name = role_name, | |
| 64 action = action, | |
| 65 policy = policy, | |
| 66 }); | |
| 67 local target_host_object = hosts[target_host]; | |
| 68 local authz = target_host_object and target_host_object.authz; | |
| 69 if not authz then | |
| 70 module:log("debug", "queueing add_default_permission call for later, %s is not active yet", target_host); | |
| 71 return; | |
| 72 end | |
| 73 return authz.add_default_permission(role_name, action, policy) | |
| 74 end | |
| 75 | |
| 76 function get_role_by_name(role_name) | |
| 77 return hosts[target_host].authz.get_role_by_name(role_name) | |
| 78 end | |
| 79 | |
| 80 function get_all_roles() | |
| 81 return hosts[target_host].authz.get_all_roles() | |
| 82 end | |
| 83 | |
| 84 module:hook_global("host-activated", function(host) | |
| 85 if host == target_host then | |
| 86 local authz = hosts[target_host].authz; | |
| 87 module:log("debug", "replaying %d queued permission changes", #default_permission_queue); | |
| 88 assert(authz); | |
| 89 -- replay default permission changes, if any | |
| 90 for i, item in ipairs(default_permission_queue) do | |
| 91 authz.add_default_permission(item.role_name, item.action, item.policy); | |
| 92 end | |
| 93 -- NOTE: we do not clear that array here -- in case the target_host is | |
| 94 -- re-activated | |
| 95 end | |
| 96 end, -10000) |
