Software /
code /
prosody-modules
File
mod_lib_ldap/ldap.lib.lua @ 3503:882180b459a0
mod_pubsub_post: Restructure authentication and authorization (BC)
This deprecates the default "superuser" actor model and makes the
default equivalent to the previous "request.id".
A single actor and secret per node is supported because HTTP and
WebHooks don't normally include any authorization identity.
Allowing authentication bypass when no secret is given should be
relatively safe when the actor is unprivileged, as will be unless
explicitly configured otherwise.
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sat, 30 Mar 2019 21:16:13 +0100 |
parent | 3195:66b3085ecc49 |
line wrap: on
line source
-- vim:sts=4 sw=4 -- Prosody IM -- Copyright (C) 2008-2010 Matthew Wild -- Copyright (C) 2008-2010 Waqas Hussain -- Copyright (C) 2012 Rob Hoelz -- -- This project is MIT/X11 licensed. Please see the -- COPYING file in the source package for more information. -- local ldap; local connection; local params = module:get_option("ldap"); local format = string.format; local tconcat = table.concat; local _M = {}; local config_params = { hostname = 'string', user = { basedn = 'string', namefield = 'string', filter = 'string', usernamefield = 'string', }, groups = { basedn = 'string', namefield = 'string', memberfield = 'string', _member = { name = 'string', admin = 'boolean?', }, }, admin = { _optional = true, basedn = 'string', namefield = 'string', filter = 'string', } } local function run_validation(params, config, prefix) prefix = prefix or ''; -- verify that every required member of config is present in params for k, v in pairs(config) do if type(k) == 'string' and k:sub(1, 1) ~= '_' then local is_optional; if type(v) == 'table' then is_optional = v._optional; else is_optional = v:sub(-1) == '?'; end if not is_optional and params[k] == nil then return nil, prefix .. k .. ' is required'; end end end for k, v in pairs(params) do local expected_type = config[k]; local ok, err = true; if type(k) == 'string' then -- verify that this key is present in config if k:sub(1, 1) == '_' or expected_type == nil then return nil, 'invalid parameter ' .. prefix .. k; end -- type validation if type(expected_type) == 'string' then if expected_type:sub(-1) == '?' then expected_type = expected_type:sub(1, -2); end if type(v) ~= expected_type then return nil, 'invalid type for parameter ' .. prefix .. k; end else -- it's a table (or had better be) if type(v) ~= 'table' then return nil, 'invalid type for parameter ' .. prefix .. k; end -- recurse into child ok, err = run_validation(v, expected_type, prefix .. k .. '.'); end else -- it's an integer (or had better be) if not config._member then return nil, 'invalid parameter ' .. prefix .. tostring(k); end ok, err = run_validation(v, config._member, prefix .. tostring(k) .. '.'); end if not ok then return ok, err; end end return true; end local function validate_config() if true then return true; -- XXX for now end -- this is almost too clever (I mean that in a bad -- maintainability sort of way) -- -- basically this allows a free pass for a key in group members -- equal to params.groups.namefield setmetatable(config_params.groups._member, { __index = function(_, k) if k == params.groups.namefield then return 'string'; end end }); local ok, err = run_validation(params, config_params); setmetatable(config_params.groups._member, nil); if ok then -- a little extra validation that doesn't fit into -- my recursive checker local group_namefield = params.groups.namefield; for i, group in ipairs(params.groups) do if not group[group_namefield] then return nil, format('groups.%d.%s is required', i, group_namefield); end end -- fill in params.admin if you can if not params.admin and params.groups then local admingroup; for _, groupconfig in ipairs(params.groups) do if groupconfig.admin then admingroup = groupconfig; break; end end if admingroup then params.admin = { basedn = params.groups.basedn, namefield = params.groups.memberfield, filter = group_namefield .. '=' .. admingroup[group_namefield], }; end end end return ok, err; end -- what to do if connection isn't available? local function connect() return ldap.open_simple(params.hostname, params.bind_dn, params.bind_password, params.use_tls); end -- this is abstracted so we can maintain persistent connections at a later time function _M.getconnection() return assert(connect()); end function _M.getparams() return params; end -- XXX consider renaming this...it doesn't bind the current connection function _M.bind(username, password) local conn = _M.getconnection(); local filter = format('%s=%s', params.user.usernamefield, username); if filter then filter = _M.filter.combine_and(filter, params.user.filter); end local who = _M.singlematch { attrs = params.user.usernamefield, base = params.user.basedn, filter = filter, }; if who then who = who.dn; module:log('debug', '_M.bind - who: %s', who); else module:log('debug', '_M.bind - no DN found for username = %s', username); return nil, format('no DN found for username = %s', username); end local conn, err = ldap.open_simple(params.hostname, who, password, params.use_tls); if conn then conn:close(); return true; end return conn, err; end function _M.singlematch(query) local ld = _M.getconnection(); query.sizelimit = 1; query.scope = 'subtree'; for dn, attribs in ld:search(query) do attribs.dn = dn; return attribs; end end _M.filter = {}; function _M.filter.combine_and(...) local parts = { '(&' }; local arg = { ... }; for _, filter in ipairs(arg) do if filter:sub(1, 1) ~= '(' and filter:sub(-1) ~= ')' then filter = '(' .. filter .. ')' end parts[#parts + 1] = filter; end parts[#parts + 1] = ')'; return tconcat(parts, ''); end do local ok, err; prosody.unlock_globals(); ok, ldap = pcall(require, 'lualdap'); prosody.lock_globals(); if not ok then module:log("error", "Failed to load the LuaLDAP library for accessing LDAP: %s", ldap); module:log("error", "More information on install LuaLDAP can be found at http://www.keplerproject.org/lualdap"); return; end if not params then module:log("error", "LDAP configuration required to use the LDAP storage module"); return; end ok, err = validate_config(); if not ok then module:log("error", "LDAP configuration is invalid: %s", tostring(err)); return; end end return _M;