annotate mod_auth_ldap2/mod_auth_ldap2.lua @ 5416:2393dbae51ed

mod_http_oauth2: Add option for specifying TTL of registered clients Meant to simplify configuration, since TTL vs ignoring expiration is expected to be the main thing one would want to configure. Unsure what the implications of having unlimited lifetime of clients are, given no way to revoke them currently, short of rotating the signing secret. On one hand, it would be annoying to have the client expire. On the other hand, it is trivial to re-register it.
author Kim Alvefur <zash@zash.se>
date Thu, 04 May 2023 18:41:33 +0200
parents f2b29183ef08
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
1 -- vim:sts=4 sw=4
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
2
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
3 -- Prosody IM
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
4 -- Copyright (C) 2008-2010 Matthew Wild
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
5 -- Copyright (C) 2008-2010 Waqas Hussain
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
6 -- Copyright (C) 2012 Rob Hoelz
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
7 --
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
8 -- This project is MIT/X11 licensed. Please see the
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
9 -- COPYING file in the source package for more information.
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
10 --
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
11 -- http://code.google.com/p/prosody-modules/source/browse/mod_auth_ldap/mod_auth_ldap.lua
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
12 -- adapted to use common LDAP store
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
13
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
14 local ldap = module:require 'ldap';
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
15 local new_sasl = require 'util.sasl'.new;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
16 local jsplit = require 'util.jid'.split;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
17
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
18 if not ldap then
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
19 return;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
20 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
21
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 809
diff changeset
22 local provider = {}
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
23
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
24 function provider.test_password(username, password)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
25 return ldap.bind(username, password);
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
26 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
27
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
28 function provider.user_exists(username)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
29 local params = ldap.getparams()
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
30
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
31 local filter = ldap.filter.combine_and(params.user.filter, params.user.usernamefield .. '=' .. username);
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
32
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
33 return ldap.singlematch {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
34 base = params.user.basedn,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
35 filter = filter,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
36 };
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
37 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
38
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
39 function provider.get_password(username)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
40 return nil, "Passwords unavailable for LDAP.";
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
41 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
42
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
43 function provider.set_password(username, password)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
44 return nil, "Passwords unavailable for LDAP.";
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
45 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
46
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
47 function provider.create_user(username, password)
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
48 return nil, "Account creation/modification not available with LDAP.";
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
49 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
50
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
51 function provider.get_sasl_handler()
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
52 local testpass_authentication_profile = {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
53 plain_test = function(sasl, username, password, realm)
902
490cb9161c81 mod_auth_{external,internal_yubikey,ldap,ldap2,sql}: No need to nodeprep in SASL handler.
Waqas Hussain <waqas20@gmail.com>
parents: 862
diff changeset
54 return provider.test_password(username, password), true;
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
55 end,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
56 mechanisms = { PLAIN = true },
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
57 };
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
58 return new_sasl(module.host, testpass_authentication_profile);
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
59 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
60
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
61 function provider.is_admin(jid)
3869
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents: 902
diff changeset
62 local username, userhost = jsplit(jid);
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents: 902
diff changeset
63 if userhost ~= module.host then
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents: 902
diff changeset
64 return false;
f2b29183ef08 mod_auth_ldap, mod_auth_ldap2: Ensure is_admin() checks of remote JIDs never return positive
Matthew Wild <mwild1@gmail.com>
parents: 902
diff changeset
65 end
809
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
66 local admin_config = ldap.getparams().admin;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
67
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
68 if not admin_config then
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
69 return;
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
70 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
71
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
72 local ld = ldap:getconnection();
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
73 local filter = ldap.filter.combine_and(admin_config.filter, admin_config.namefield .. '=' .. username);
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
74
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
75 return ldap.singlematch {
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
76 base = admin_config.basedn,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
77 filter = filter,
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
78 };
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
79 end
1d51c5e38faa Add LDAP plugin suite
rob@hoelz.ro
parents:
diff changeset
80
814
881ec9919144 mod_auth_*: Use module:provides(), and don't explicitly specify provider.name.
Waqas Hussain <waqas20@gmail.com>
parents: 809
diff changeset
81 module:provides("auth", provider);