mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-04 21:57:45 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

usermanager: Remove concept of global authz provider

Browse source 
Rationale:

- Removes a bunch of code!
- We don't have many cases where an actor is not bound to one of our hosts
- A notable exception is the admin shell, but if we ever attempt to lock those
  sessions down, there is a load of other work that also has to be done. And
  it's not clear if we would need a global authz provider for that anyway.
- Removes an extra edge case from the necessary mental model for operators
- Sessions that aren't bound to a host generally are anonymous or have an
  alternative auth model (such as by IP addres).
- With the encapsulation now provided by util.roles, ad-hoc "detached roles"
  can still be created anyway by code that needs them.
This commit is contained in:
Matthew Wild 2022-08-12 16:21:57 +01:00
parent bd2b2af7b7
commit 7ccf41ebb5
1 changed files with 12 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

58
core/usermanager.lua
View file

@ -9,12 +9,10 @@
local modulemanager = require "core.modulemanager";
local log = require "util.logger".init("usermanager");
local type = type;
local it = require "util.iterators";
local jid_prep, jid_split = require "util.jid".prep, require "util.jid".split;
local jid_split = require "util.jid".split;
local config = require "core.configmanager";
local sasl_new = require "util.sasl".new;
local storagemanager = require "core.storagemanager";
local set = require "util.set";
local prosody = _G.prosody;
local hosts = prosody.hosts;
@ -34,19 +32,9 @@ local function new_null_provider()
});
end
local global_admins_config = config.get("*", "admins");
if type(global_admins_config) ~= "table" then
global_admins_config = nil; -- TODO: factor out moduleapi magic config handling and use it here
end
local global_admins = set.new(global_admins_config) / jid_prep;
local admin_role = { ["prosody:admin"] = true };
local global_authz_provider = {
local fallback_authz_provider = {
get_user_roles = function (user) end; --luacheck: ignore 212/user
get_jids_with_role = function (role)
if role ~= "prosody:admin" then return {}; end
return it.to_array(global_admins);
end;
get_jids_with_role = function (role) end; --luacheck: ignore 212
set_user_roles = function (user, roles) end; -- luacheck: ignore 212
set_jid_roles = function (jid, roles) end; -- luacheck: ignore 212
@ -66,7 +54,7 @@ local function initialize_host(host)
local authz_provider_name = config.get(host, "authorization") or "internal";
local authz_mod = modulemanager.load(host, "authz_"..authz_provider_name);
host_session.authz = authz_mod or global_authz_provider;
host_session.authz = authz_mod or fallback_authz_provider;
if host_session.type ~= "local" then return; end
@ -155,20 +143,14 @@ local function get_user_roles(user, host)
if host and not hosts[host] then return false; end
if type(user) ~= "string" then return false; end
host = host or "*";
local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
return authz_provider.get_user_roles(user);
return hosts[host].authz.get_user_roles(user);
end
local function get_user_default_role(user, host)
if host and not hosts[host] then return false; end
if type(user) ~= "string" then return false; end
host = host or "*";
local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
return authz_provider.get_user_default_role(user);
return hosts[host].authz.get_user_default_role(user);
end
-- Accepts a set of role names which the user is allowed to assume
@ -176,10 +158,7 @@ local function set_user_roles(user, host, roles)
if host and not hosts[host] then return false; end
if type(user) ~= "string" then return false; end
host = host or "*";
local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
local ok, err = authz_provider.set_user_roles(user, roles);
local ok, err = hosts[host].authz.set_user_roles(user, roles);
if ok then
prosody.events.fire_event("user-roles-changed", {
username = user, host = host
@ -189,50 +168,37 @@ local function set_user_roles(user, host, roles)
end
local function get_jid_role(jid, host)
host = host or "*";
local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
local jid_node, jid_host = jid_split(jid);
if host == jid_host and jid_node then
return authz_provider.get_user_default_role(jid_node);
return hosts[host].authz.get_user_default_role(jid_node);
end
return authz_provider.get_jid_role(jid);
return hosts[host].authz.get_jid_role(jid);
end
local function set_jid_role(jid, host, role_name)
host = host or "*";
local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
local _, jid_host = jid_split(jid);
if host == jid_host then
return nil, "unexpected-local-jid";
end
return authz_provider.set_jid_role(jid, role_name)
return hosts[host].authz.set_jid_role(jid, role_name)
end
local function get_users_with_role(role, host)
if not hosts[host] then return false; end
if type(role) ~= "string" then return false; end
return hosts[host].authz.get_users_with_role(role);
end
local function get_jids_with_role(role, host)
if host and not hosts[host] then return false; end
if type(role) ~= "string" then return false; end
host = host or "*";
local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
return authz_provider.get_jids_with_role(role);
return hosts[host].authz.get_jids_with_role(role);
end
local function get_role_by_name(role_name, host)
if host and not hosts[host] then return false; end
if type(role_name) ~= "string" then return false; end
host = host or "*";
local authz_provider = (host ~= "*" and hosts[host].authz) or global_authz_provider;
return authz_provider.get_role_by_name(role_name);
return hosts[host].authz.get_role_by_name(role_name);
end
return {