Mercurial > prosody-modules
comparison mod_http_admin_api/mod_http_admin_api.lua @ 5008:bd63feda3704
Merge role-auth
| author | Matthew Wild <mwild1@gmail.com> |
|---|---|
| date | Mon, 22 Aug 2022 15:39:02 +0100 |
| parents | d68348323406 |
| children | cc89c97befe7 |
comparison
equal
deleted
inserted
replaced
| 4994:cce12a660b98 | 5008:bd63feda3704 |
|---|---|
| 1 local usermanager = require "core.usermanager"; | 1 local usermanager = require "core.usermanager"; |
| 2 | 2 |
| 3 local it = require "util.iterators"; | |
| 3 local json = require "util.json"; | 4 local json = require "util.json"; |
| 4 local st = require "util.stanza"; | 5 local st = require "util.stanza"; |
| 5 local array = require "util.array"; | 6 local array = require "util.array"; |
| 6 local statsmanager = require "core.statsmanager"; | 7 local statsmanager = require "core.statsmanager"; |
| 7 | 8 |
| 31 if not (auth_type and auth_data) then | 32 if not (auth_type and auth_data) then |
| 32 return false; | 33 return false; |
| 33 end | 34 end |
| 34 | 35 |
| 35 if auth_type == "Bearer" then | 36 if auth_type == "Bearer" then |
| 36 local token_info = tokens.get_token_info(auth_data); | 37 return tokens.get_token_session(auth_data); |
| 37 if not token_info or not token_info.session then | |
| 38 return false; | |
| 39 end | |
| 40 return token_info.session; | |
| 41 end | 38 end |
| 42 return nil; | 39 return nil; |
| 43 end | 40 end |
| 41 | |
| 42 module:default_permission("prosody:admin", ":access-admin-api"); | |
| 44 | 43 |
| 45 function check_auth(routes) | 44 function check_auth(routes) |
| 46 local function check_request_auth(event) | 45 local function check_request_auth(event) |
| 47 local session = check_credentials(event.request); | 46 local session = check_credentials(event.request); |
| 48 if not session then | 47 if not session then |
| 49 event.response.headers.authorization = www_authenticate_header; | 48 event.response.headers.authorization = www_authenticate_header; |
| 50 return false, 401; | 49 return false, 401; |
| 51 elseif session.auth_scope ~= "prosody:scope:admin" then | 50 end |
| 51 event.session = session; | |
| 52 if not module:may(":access-admin-api", event) then | |
| 52 return false, 403; | 53 return false, 403; |
| 53 end | 54 end |
| 54 event.session = session; | |
| 55 return true; | 55 return true; |
| 56 end | 56 end |
| 57 | 57 |
| 58 for route, handler in pairs(routes) do | 58 for route, handler in pairs(routes) do |
| 59 routes[route] = function (event, ...) | 59 routes[route] = function (event, ...) |
| 177 if ok and nick_item then | 177 if ok and nick_item then |
| 178 display_name = nick_item:get_child_text("nick", xmlns_nick); | 178 display_name = nick_item:get_child_text("nick", xmlns_nick); |
| 179 end | 179 end |
| 180 end | 180 end |
| 181 | 181 |
| 182 local roles = nil; | 182 local primary_role, secondary_roles, legacy_roles; |
| 183 if usermanager.get_roles then | 183 if usermanager.get_user_role then |
| 184 local roles_map = usermanager.get_roles(username.."@"..module.host, module.host) | 184 primary_role = usermanager.get_user_role(username, module.host); |
| 185 roles = array() | 185 secondary_roles = array.collect(it.keys(usermanager.get_user_secondary_roles(username, module.host))); |
| 186 if roles_map then | 186 elseif usermanager.get_user_roles then -- COMPAT w/0.12 |
| 187 for role in pairs(roles_map) do | 187 legacy_roles = array(); |
| 188 roles:push(role) | 188 local roles_map = usermanager.get_user_roles(username, module.host); |
| 189 end | 189 for role_name in pairs(roles_map) do |
| 190 legacy_roles:push(role_name); | |
| 190 end | 191 end |
| 191 end | 192 end |
| 192 | 193 |
| 193 return { | 194 return { |
| 194 username = username; | 195 username = username; |
| 195 display_name = display_name; | 196 display_name = display_name; |
| 196 roles = roles; | 197 role = primary_role and primary_role.name or nil; |
| 198 secondary_roles = secondary_roles; | |
| 199 roles = legacy_roles; -- COMPAT w/0.12 | |
| 197 }; | 200 }; |
| 198 end | 201 end |
| 199 | 202 |
| 200 local function get_session_debug_info(session) | 203 local function get_session_debug_info(session) |
| 201 local info = { | 204 local info = { |
| 307 local debug_info = { | 310 local debug_info = { |
| 308 time = os.time(); | 311 time = os.time(); |
| 309 }; | 312 }; |
| 310 -- Online sessions | 313 -- Online sessions |
| 311 do | 314 do |
| 312 local user_sessions = hosts[module.host].sessions[username]; | 315 local user_sessions = prosody.hosts[module.host].sessions[username]; |
| 313 if user_sessions then | 316 if user_sessions then |
| 314 user_sessions = user_sessions.sessions | 317 user_sessions = user_sessions.sessions |
| 315 end | 318 end |
| 316 local sessions = {}; | 319 local sessions = {}; |
| 317 if user_sessions then | 320 if user_sessions then |
| 413 }) then | 416 }) then |
| 414 final_user.display_name = new_user.display_name; | 417 final_user.display_name = new_user.display_name; |
| 415 end | 418 end |
| 416 end | 419 end |
| 417 | 420 |
| 418 if new_user.roles then | 421 if new_user.role then |
| 419 if not usermanager.set_roles then | 422 if not usermanager.set_user_role then |
| 423 return 500, "feature-not-implemented"; | |
| 424 end | |
| 425 if not usermanager.set_user_role(username, module.host, new_user.role) then | |
| 426 module:log("error", "failed to set role %s for %s", new_user.role, username); | |
| 427 return 500; | |
| 428 end | |
| 429 end | |
| 430 | |
| 431 if new_user.roles then -- COMPAT w/0.12 | |
| 432 if not usermanager.set_user_roles then | |
| 420 return 500, "feature-not-implemented" | 433 return 500, "feature-not-implemented" |
| 421 end | 434 end |
| 422 | 435 |
| 423 local backend_roles = {}; | 436 local backend_roles = {}; |
| 424 for _, role in ipairs(new_user.roles) do | 437 for _, role in ipairs(new_user.roles) do |
| 425 backend_roles[role] = true; | 438 backend_roles[role] = true; |
| 426 end | 439 end |
| 427 local jid = username.."@"..module.host; | 440 local jid = username.."@"..module.host; |
| 428 if not usermanager.set_roles(jid, module.host, backend_roles) then | 441 if not usermanager.set_user_roles(username, module.host, backend_roles) then |
| 429 module:log("error", "failed to set roles %q for %s", backend_roles, jid) | 442 module:log("error", "failed to set roles %q for %s", backend_roles, jid) |
| 430 return 500 | 443 return 500 |
| 431 end | 444 end |
| 432 end | 445 end |
| 433 | 446 |
