Software /
code /
prosody-modules
Comparison
mod_lib_ldap/ldap.lib.lua @ 809:1d51c5e38faa
Add LDAP plugin suite
author | rob@hoelz.ro |
---|---|
date | Sun, 02 Sep 2012 15:35:50 +0200 |
child | 864:16b007c7706c |
comparison
equal
deleted
inserted
replaced
808:ba2e207e1fb7 | 809:1d51c5e38faa |
---|---|
1 -- vim:sts=4 sw=4 | |
2 | |
3 -- Prosody IM | |
4 -- Copyright (C) 2008-2010 Matthew Wild | |
5 -- Copyright (C) 2008-2010 Waqas Hussain | |
6 -- Copyright (C) 2012 Rob Hoelz | |
7 -- | |
8 -- This project is MIT/X11 licensed. Please see the | |
9 -- COPYING file in the source package for more information. | |
10 -- | |
11 | |
12 local ldap; | |
13 local connection; | |
14 local params = module:get_option("ldap"); | |
15 local format = string.format; | |
16 local tconcat = table.concat; | |
17 | |
18 local _M = {}; | |
19 | |
20 local config_params = { | |
21 hostname = 'string', | |
22 user = { | |
23 basedn = 'string', | |
24 namefield = 'string', | |
25 filter = 'string', | |
26 usernamefield = 'string', | |
27 }, | |
28 groups = { | |
29 basedn = 'string', | |
30 namefield = 'string', | |
31 memberfield = 'string', | |
32 | |
33 _member = { | |
34 name = 'string', | |
35 admin = 'boolean?', | |
36 }, | |
37 }, | |
38 admin = { | |
39 _optional = true, | |
40 basedn = 'string', | |
41 namefield = 'string', | |
42 filter = 'string', | |
43 } | |
44 } | |
45 | |
46 local function run_validation(params, config, prefix) | |
47 prefix = prefix or ''; | |
48 | |
49 -- verify that every required member of config is present in params | |
50 for k, v in pairs(config) do | |
51 if type(k) == 'string' and k:sub(1, 1) ~= '_' then | |
52 local is_optional; | |
53 if type(v) == 'table' then | |
54 is_optional = v._optional; | |
55 else | |
56 is_optional = v:sub(-1) == '?'; | |
57 end | |
58 | |
59 if not is_optional and params[k] == nil then | |
60 return nil, prefix .. k .. ' is required'; | |
61 end | |
62 end | |
63 end | |
64 | |
65 for k, v in pairs(params) do | |
66 local expected_type = config[k]; | |
67 | |
68 local ok, err = true; | |
69 | |
70 if type(k) == 'string' then | |
71 -- verify that this key is present in config | |
72 if k:sub(1, 1) == '_' or expected_type == nil then | |
73 return nil, 'invalid parameter ' .. prefix .. k; | |
74 end | |
75 | |
76 -- type validation | |
77 if type(expected_type) == 'string' then | |
78 if expected_type:sub(-1) == '?' then | |
79 expected_type = expected_type:sub(1, -2); | |
80 end | |
81 | |
82 if type(v) ~= expected_type then | |
83 return nil, 'invalid type for parameter ' .. prefix .. k; | |
84 end | |
85 else -- it's a table (or had better be) | |
86 if type(v) ~= 'table' then | |
87 return nil, 'invalid type for parameter ' .. prefix .. k; | |
88 end | |
89 | |
90 -- recurse into child | |
91 ok, err = run_validation(v, expected_type, prefix .. k .. '.'); | |
92 end | |
93 else -- it's an integer (or had better be) | |
94 if not config._member then | |
95 return nil, 'invalid parameter ' .. prefix .. tostring(k); | |
96 end | |
97 ok, err = run_validation(v, config._member, prefix .. tostring(k) .. '.'); | |
98 end | |
99 | |
100 if not ok then | |
101 return ok, err; | |
102 end | |
103 end | |
104 | |
105 return true; | |
106 end | |
107 | |
108 local function validate_config() | |
109 if true then | |
110 return true; -- XXX for now | |
111 end | |
112 | |
113 -- this is almost too clever (I mean that in a bad | |
114 -- maintainability sort of way) | |
115 -- | |
116 -- basically this allows a free pass for a key in group members | |
117 -- equal to params.groups.namefield | |
118 setmetatable(config_params.groups._member, { | |
119 __index = function(_, k) | |
120 if k == params.groups.namefield then | |
121 return 'string'; | |
122 end | |
123 end | |
124 }); | |
125 | |
126 local ok, err = run_validation(params, config_params); | |
127 | |
128 setmetatable(config_params.groups._member, nil); | |
129 | |
130 if ok then | |
131 -- a little extra validation that doesn't fit into | |
132 -- my recursive checker | |
133 local group_namefield = params.groups.namefield; | |
134 for i, group in ipairs(params.groups) do | |
135 if not group[group_namefield] then | |
136 return nil, format('groups.%d.%s is required', i, group_namefield); | |
137 end | |
138 end | |
139 | |
140 -- fill in params.admin if you can | |
141 if not params.admin and params.groups then | |
142 local admingroup; | |
143 | |
144 for _, groupconfig in ipairs(params.groups) do | |
145 if groupconfig.admin then | |
146 admingroup = groupconfig; | |
147 break; | |
148 end | |
149 end | |
150 | |
151 if admingroup then | |
152 params.admin = { | |
153 basedn = params.groups.basedn, | |
154 namefield = params.groups.memberfield, | |
155 filter = group_namefield .. '=' .. admingroup[group_namefield], | |
156 }; | |
157 end | |
158 end | |
159 end | |
160 | |
161 return ok, err; | |
162 end | |
163 | |
164 -- what to do if connection isn't available? | |
165 local function connect() | |
166 return ldap.open_simple(params.hostname, params.bind_dn, params.bind_password, params.use_tls); | |
167 end | |
168 | |
169 -- this is abstracted so we can maintain persistent connections at a later time | |
170 function _M.getconnection() | |
171 return connect(); | |
172 end | |
173 | |
174 function _M.getparams() | |
175 return params; | |
176 end | |
177 | |
178 -- XXX consider renaming this...it doesn't bind the current connection | |
179 function _M.bind(username, password) | |
180 local who = format('%s=%s,%s', params.user.usernamefield, username, params.user.basedn); | |
181 local conn, err = ldap.open_simple(params.hostname, who, password, params.use_tls); | |
182 | |
183 if conn then | |
184 conn:close(); | |
185 return true; | |
186 end | |
187 | |
188 return conn, err; | |
189 end | |
190 | |
191 function _M.singlematch(query) | |
192 local ld = _M.getconnection(); | |
193 | |
194 query.sizelimit = 1; | |
195 query.scope = 'onelevel'; | |
196 | |
197 for dn, attribs in ld:search(query) do | |
198 return attribs; | |
199 end | |
200 end | |
201 | |
202 _M.filter = {}; | |
203 | |
204 function _M.filter.combine_and(...) | |
205 local parts = { '(&' }; | |
206 | |
207 local arg = { ... }; | |
208 | |
209 for _, filter in ipairs(arg) do | |
210 if filter:sub(1, 1) ~= '(' and filter:sub(-1) ~= ')' then | |
211 filter = '(' .. filter .. ')' | |
212 end | |
213 parts[#parts + 1] = filter; | |
214 end | |
215 | |
216 parts[#parts + 1] = ')'; | |
217 | |
218 return tconcat(parts, ''); | |
219 end | |
220 | |
221 do | |
222 local ok, err; | |
223 | |
224 prosody.unlock_globals(); | |
225 ok, ldap = pcall(require, 'lualdap'); | |
226 prosody.lock_globals(); | |
227 if not ok then | |
228 module:log("error", "Failed to load the LuaLDAP library for accessing LDAP: %s", ldap); | |
229 module:log("error", "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap"); | |
230 return; | |
231 end | |
232 | |
233 if not params then | |
234 module:log("error", "LDAP configuration required to use the LDAP storage module"); | |
235 return; | |
236 end | |
237 | |
238 ok, err = validate_config(); | |
239 | |
240 if not ok then | |
241 module:log("error", "LDAP configuration is invalid: %s", tostring(err)); | |
242 return; | |
243 end | |
244 end | |
245 | |
246 return _M; |