Mercurial > prosody-modules
view mod_lib_ldap/ldap.lib.lua @ 5256:44f7edd4f845
mod_http_oauth2: Reject non-local hosts in more code paths
We're not issuing tokens for users on remote hosts, we can't even
authenticate them since they're remote. Thus the host is always the
local module.host so no need to pass around the host in most cases or
use it for anything but enforcing the same host.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Thu, 16 Mar 2023 17:52:10 +0100 |
parents | 66b3085ecc49 |
children |
line wrap: on
line source
-- vim:sts=4 sw=4 -- Prosody IM -- Copyright (C) 2008-2010 Matthew Wild -- Copyright (C) 2008-2010 Waqas Hussain -- Copyright (C) 2012 Rob Hoelz -- -- This project is MIT/X11 licensed. Please see the -- COPYING file in the source package for more information. -- local ldap; local connection; local params = module:get_option("ldap"); local format = string.format; local tconcat = table.concat; local _M = {}; local config_params = { hostname = 'string', user = { basedn = 'string', namefield = 'string', filter = 'string', usernamefield = 'string', }, groups = { basedn = 'string', namefield = 'string', memberfield = 'string', _member = { name = 'string', admin = 'boolean?', }, }, admin = { _optional = true, basedn = 'string', namefield = 'string', filter = 'string', } } local function run_validation(params, config, prefix) prefix = prefix or ''; -- verify that every required member of config is present in params for k, v in pairs(config) do if type(k) == 'string' and k:sub(1, 1) ~= '_' then local is_optional; if type(v) == 'table' then is_optional = v._optional; else is_optional = v:sub(-1) == '?'; end if not is_optional and params[k] == nil then return nil, prefix .. k .. ' is required'; end end end for k, v in pairs(params) do local expected_type = config[k]; local ok, err = true; if type(k) == 'string' then -- verify that this key is present in config if k:sub(1, 1) == '_' or expected_type == nil then return nil, 'invalid parameter ' .. prefix .. k; end -- type validation if type(expected_type) == 'string' then if expected_type:sub(-1) == '?' then expected_type = expected_type:sub(1, -2); end if type(v) ~= expected_type then return nil, 'invalid type for parameter ' .. prefix .. k; end else -- it's a table (or had better be) if type(v) ~= 'table' then return nil, 'invalid type for parameter ' .. prefix .. k; end -- recurse into child ok, err = run_validation(v, expected_type, prefix .. k .. '.'); end else -- it's an integer (or had better be) if not config._member then return nil, 'invalid parameter ' .. prefix .. tostring(k); end ok, err = run_validation(v, config._member, prefix .. tostring(k) .. '.'); end if not ok then return ok, err; end end return true; end local function validate_config() if true then return true; -- XXX for now end -- this is almost too clever (I mean that in a bad -- maintainability sort of way) -- -- basically this allows a free pass for a key in group members -- equal to params.groups.namefield setmetatable(config_params.groups._member, { __index = function(_, k) if k == params.groups.namefield then return 'string'; end end }); local ok, err = run_validation(params, config_params); setmetatable(config_params.groups._member, nil); if ok then -- a little extra validation that doesn't fit into -- my recursive checker local group_namefield = params.groups.namefield; for i, group in ipairs(params.groups) do if not group[group_namefield] then return nil, format('groups.%d.%s is required', i, group_namefield); end end -- fill in params.admin if you can if not params.admin and params.groups then local admingroup; for _, groupconfig in ipairs(params.groups) do if groupconfig.admin then admingroup = groupconfig; break; end end if admingroup then params.admin = { basedn = params.groups.basedn, namefield = params.groups.memberfield, filter = group_namefield .. '=' .. admingroup[group_namefield], }; end end end return ok, err; end -- what to do if connection isn't available? local function connect() return ldap.open_simple(params.hostname, params.bind_dn, params.bind_password, params.use_tls); end -- this is abstracted so we can maintain persistent connections at a later time function _M.getconnection() return assert(connect()); end function _M.getparams() return params; end -- XXX consider renaming this...it doesn't bind the current connection function _M.bind(username, password) local conn = _M.getconnection(); local filter = format('%s=%s', params.user.usernamefield, username); if filter then filter = _M.filter.combine_and(filter, params.user.filter); end local who = _M.singlematch { attrs = params.user.usernamefield, base = params.user.basedn, filter = filter, }; if who then who = who.dn; module:log('debug', '_M.bind - who: %s', who); else module:log('debug', '_M.bind - no DN found for username = %s', username); return nil, format('no DN found for username = %s', username); end local conn, err = ldap.open_simple(params.hostname, who, password, params.use_tls); if conn then conn:close(); return true; end return conn, err; end function _M.singlematch(query) local ld = _M.getconnection(); query.sizelimit = 1; query.scope = 'subtree'; for dn, attribs in ld:search(query) do attribs.dn = dn; return attribs; end end _M.filter = {}; function _M.filter.combine_and(...) local parts = { '(&' }; local arg = { ... }; for _, filter in ipairs(arg) do if filter:sub(1, 1) ~= '(' and filter:sub(-1) ~= ')' then filter = '(' .. filter .. ')' end parts[#parts + 1] = filter; end parts[#parts + 1] = ')'; return tconcat(parts, ''); end do local ok, err; prosody.unlock_globals(); ok, ldap = pcall(require, 'lualdap'); prosody.lock_globals(); if not ok then module:log("error", "Failed to load the LuaLDAP library for accessing LDAP: %s", ldap); module:log("error", "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap"); return; end if not params then module:log("error", "LDAP configuration required to use the LDAP storage module"); return; end ok, err = validate_config(); if not ok then module:log("error", "LDAP configuration is invalid: %s", tostring(err)); return; end end return _M;