Mercurial > prosody-modules
view mod_lib_ldap/ldap.lib.lua @ 5681:8cb3da7df521
mod_http_oauth2: Restrict introspection to clients own tokens
The introspection code was added before the client hash was added in
0860497152af which allows connecting tokens to clients.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 29 Oct 2023 11:20:15 +0100 |
parents | 66b3085ecc49 |
children |
line wrap: on
line source
-- vim:sts=4 sw=4 -- Prosody IM -- Copyright (C) 2008-2010 Matthew Wild -- Copyright (C) 2008-2010 Waqas Hussain -- Copyright (C) 2012 Rob Hoelz -- -- This project is MIT/X11 licensed. Please see the -- COPYING file in the source package for more information. -- local ldap; local connection; local params = module:get_option("ldap"); local format = string.format; local tconcat = table.concat; local _M = {}; local config_params = { hostname = 'string', user = { basedn = 'string', namefield = 'string', filter = 'string', usernamefield = 'string', }, groups = { basedn = 'string', namefield = 'string', memberfield = 'string', _member = { name = 'string', admin = 'boolean?', }, }, admin = { _optional = true, basedn = 'string', namefield = 'string', filter = 'string', } } local function run_validation(params, config, prefix) prefix = prefix or ''; -- verify that every required member of config is present in params for k, v in pairs(config) do if type(k) == 'string' and k:sub(1, 1) ~= '_' then local is_optional; if type(v) == 'table' then is_optional = v._optional; else is_optional = v:sub(-1) == '?'; end if not is_optional and params[k] == nil then return nil, prefix .. k .. ' is required'; end end end for k, v in pairs(params) do local expected_type = config[k]; local ok, err = true; if type(k) == 'string' then -- verify that this key is present in config if k:sub(1, 1) == '_' or expected_type == nil then return nil, 'invalid parameter ' .. prefix .. k; end -- type validation if type(expected_type) == 'string' then if expected_type:sub(-1) == '?' then expected_type = expected_type:sub(1, -2); end if type(v) ~= expected_type then return nil, 'invalid type for parameter ' .. prefix .. k; end else -- it's a table (or had better be) if type(v) ~= 'table' then return nil, 'invalid type for parameter ' .. prefix .. k; end -- recurse into child ok, err = run_validation(v, expected_type, prefix .. k .. '.'); end else -- it's an integer (or had better be) if not config._member then return nil, 'invalid parameter ' .. prefix .. tostring(k); end ok, err = run_validation(v, config._member, prefix .. tostring(k) .. '.'); end if not ok then return ok, err; end end return true; end local function validate_config() if true then return true; -- XXX for now end -- this is almost too clever (I mean that in a bad -- maintainability sort of way) -- -- basically this allows a free pass for a key in group members -- equal to params.groups.namefield setmetatable(config_params.groups._member, { __index = function(_, k) if k == params.groups.namefield then return 'string'; end end }); local ok, err = run_validation(params, config_params); setmetatable(config_params.groups._member, nil); if ok then -- a little extra validation that doesn't fit into -- my recursive checker local group_namefield = params.groups.namefield; for i, group in ipairs(params.groups) do if not group[group_namefield] then return nil, format('groups.%d.%s is required', i, group_namefield); end end -- fill in params.admin if you can if not params.admin and params.groups then local admingroup; for _, groupconfig in ipairs(params.groups) do if groupconfig.admin then admingroup = groupconfig; break; end end if admingroup then params.admin = { basedn = params.groups.basedn, namefield = params.groups.memberfield, filter = group_namefield .. '=' .. admingroup[group_namefield], }; end end end return ok, err; end -- what to do if connection isn't available? local function connect() return ldap.open_simple(params.hostname, params.bind_dn, params.bind_password, params.use_tls); end -- this is abstracted so we can maintain persistent connections at a later time function _M.getconnection() return assert(connect()); end function _M.getparams() return params; end -- XXX consider renaming this...it doesn't bind the current connection function _M.bind(username, password) local conn = _M.getconnection(); local filter = format('%s=%s', params.user.usernamefield, username); if filter then filter = _M.filter.combine_and(filter, params.user.filter); end local who = _M.singlematch { attrs = params.user.usernamefield, base = params.user.basedn, filter = filter, }; if who then who = who.dn; module:log('debug', '_M.bind - who: %s', who); else module:log('debug', '_M.bind - no DN found for username = %s', username); return nil, format('no DN found for username = %s', username); end local conn, err = ldap.open_simple(params.hostname, who, password, params.use_tls); if conn then conn:close(); return true; end return conn, err; end function _M.singlematch(query) local ld = _M.getconnection(); query.sizelimit = 1; query.scope = 'subtree'; for dn, attribs in ld:search(query) do attribs.dn = dn; return attribs; end end _M.filter = {}; function _M.filter.combine_and(...) local parts = { '(&' }; local arg = { ... }; for _, filter in ipairs(arg) do if filter:sub(1, 1) ~= '(' and filter:sub(-1) ~= ')' then filter = '(' .. filter .. ')' end parts[#parts + 1] = filter; end parts[#parts + 1] = ')'; return tconcat(parts, ''); end do local ok, err; prosody.unlock_globals(); ok, ldap = pcall(require, 'lualdap'); prosody.lock_globals(); if not ok then module:log("error", "Failed to load the LuaLDAP library for accessing LDAP: %s", ldap); module:log("error", "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap"); return; end if not params then module:log("error", "LDAP configuration required to use the LDAP storage module"); return; end ok, err = validate_config(); if not ok then module:log("error", "LDAP configuration is invalid: %s", tostring(err)); return; end end return _M;