Chapril/xmpp.chapril.org-ejabberd
25
1
Fork 0
mirror of https://github.com/processone/ejabberd.git synced 2024-11-10 15:47:30 +01:00
Code Releases Activity
0f25e59143
xmpp.chapril.org-ejabberd/src/ejabberd_oauth.erl

673 lines
26 KiB
Erlang
Raw Normal View History

Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
%%%-------------------------------------------------------------------
%%% File : ejabberd_oauth.erl
%%% Author : Alexey Shchepin <alexey@process-one.net>
%%% Purpose : OAUTH2 support
%%% Created : 20 Mar 2015 by Alexey Shchepin <alexey@process-one.net>
%%%
%%%
Update copyright dates
2018-01-05 21:18:58 +01:00
%%% ejabberd, Copyright (C) 2002-2018 ProcessOne
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
%%%
%%% This program is free software; you can redistribute it and/or
%%% modify it under the terms of the GNU General Public License as
%%% published by the Free Software Foundation; either version 2 of the
%%% License, or (at your option) any later version.
%%%
%%% This program is distributed in the hope that it will be useful,
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
%%% General Public License for more details.
%%%
%%% You should have received a copy of the GNU General Public License
%%% along with this program; if not, write to the Free Software
%%% Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
%%% 02111-1307 USA
%%%
%%%-------------------------------------------------------------------
-module(ejabberd_oauth).
-behaviour(gen_server).
Don't validate an option in ejabberd_config:get_option() functions The commit introduces the following changes: * Now there is no need to pass validating function in ejabberd_config:get_option() functions, because the configuration keeps already validated values. * New function ejabberd_config:get_option/1 is introduced * Function ejabberd_config:get_option/3 is deprecated. If the function is still called, the second argument (validating function) is simply ignored. * The second argument for ejabberd_config:get_option/2 is now a default value, not a validating function.
2017-04-29 10:39:40 +02:00
-behaviour(ejabberd_config).
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
%% gen_server callbacks
-export([init/1, handle_call/3, handle_cast/2,
handle_info/2, terminate/2, code_change/3]).
Improve startup procedure
2017-02-24 10:05:47 +01:00
-export([start_link/0,
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
get_client_identity/2,
verify_redirection_uri/3,
authenticate_user/2,
authenticate_client/2,
verify_resowner_scope/3,
associate_access_code/3,
associate_access_token/3,
associate_refresh_token/3,
New api permissions framework
2016-10-05 13:21:11 +02:00
check_token/1,
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
check_token/4,
check_token/2,
New api permissions framework
2016-10-05 13:21:11 +02:00
scope_in_scope_list/2,
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
process/2,
Use new cache API in ejabberd_oauth
2017-04-21 08:02:10 +02:00
config_reloaded/0,
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
opt_type/1]).
Remove old command calling interface
2017-07-06 13:29:43 +02:00
-export([oauth_issue_token/3, oauth_list_tokens/0, oauth_revoke_token/1]).
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
Get rid of "jlib.hrl" dependency in some files
2016-07-26 10:29:17 +02:00
-include("xmpp.hrl").
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
-include("ejabberd.hrl").
-include("logger.hrl").
-include("ejabberd_http.hrl").
-include("ejabberd_web_admin.hrl").
Add DB backend support for ejabberd_oauth
2016-07-20 15:55:45 +02:00
-include("ejabberd_oauth.hrl").
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
-include("ejabberd_commands.hrl").
Declare ejabberd_oauth behaviour
2017-05-21 10:31:30 +02:00
-callback init() -> any().
-callback store(#oauth_token{}) -> ok | {error, any()}.
-callback lookup(binary()) -> {ok, #oauth_token{}} | error.
-callback clean(non_neg_integer()) -> any().
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
%% There are two ways to obtain an oauth token:
%% * Using the web form/api results in the token being generated in behalf of the user providing the user/pass
%% * Using the command line and oauth_issue_token command, the token is generated in behalf of ejabberd' sysadmin
%% (as it has access to ejabberd command line).
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Erlang R17 has a Time limit in erlang:send_after (#1246)
2016-08-16 18:32:06 +02:00
-define(EXPIRE, 4294967).
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
get_commands_spec() ->
[
#ejabberd_commands{name = oauth_issue_token, tags = [oauth],
Add 'ejabberd:user' and 'ejabberd:admin' oauth scopes 'ejabberd:user' includes all commands defined with policy "user". 'ejabberd:admin' includes commands defined with policy "admin".
2016-07-19 04:27:49 +02:00
desc = "Issue an oauth token for the given jid",
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
module = ?MODULE, function = oauth_issue_token,
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
args = [{jid, string},{ttl, integer}, {scopes, string}],
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
policy = restricted,
Fix values put in args_examples
2017-05-19 16:56:37 +02:00
args_example = ["user@server.com", 3600, "connected_users_number;muc_online_rooms"],
Provide proper args_desc in oauth_issue_token command
2016-08-09 19:22:51 +02:00
args_desc = ["Jid for which issue token",
"Time to live of generated token in seconds",
"List of scopes to allow, separated by ';'"],
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
result = {result, {tuple, [{token, string}, {scopes, string}, {expires_in, string}]}}
},
#ejabberd_commands{name = oauth_list_tokens, tags = [oauth],
oauth_list_tokens and oauth_revoke_token work only in Mnesia (#1644)
2017-03-29 12:41:27 +02:00
desc = "List oauth tokens, user, scope, and seconds to expire (only Mnesia)",
longdesc = "List oauth tokens, their user and scope, and how many seconds remain until expirity",
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
module = ?MODULE, function = oauth_list_tokens,
args = [],
policy = restricted,
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
result = {tokens, {list, {token, {tuple, [{token, string}, {user, string}, {scope, string}, {expires_in, string}]}}}}
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
},
#ejabberd_commands{name = oauth_revoke_token, tags = [oauth],
oauth_list_tokens and oauth_revoke_token work only in Mnesia (#1644)
2017-03-29 12:41:27 +02:00
desc = "Revoke authorization for a token (only Mnesia)",
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
module = ?MODULE, function = oauth_revoke_token,
args = [{token, string}],
policy = restricted,
Fix command argument formatting
2016-07-19 05:51:04 +02:00
result = {tokens, {list, {token, {tuple, [{token, string}, {user, string}, {scope, string}, {expires_in, string}]}}}},
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
result_desc = "List of remaining tokens"
}
].
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
oauth_issue_token(Jid, TTLSeconds, ScopesString) ->
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
Scopes = [list_to_binary(Scope) || Scope <- string:tokens(ScopesString, ";")],
Get rid of jid:to_string/1 and jid:from_string/1
2017-02-26 08:07:12 +01:00
try jid:decode(list_to_binary(Jid)) of
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
#jid{luser =Username, lserver = Server} ->
case oauth2:authorize_password({Username, Server}, Scopes, admin_generated) of
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
{ok, {_Ctx,Authorization}} ->
Oauth callback must pass expires_in as ttl instead of epoch
2016-07-20 19:47:11 +02:00
{ok, {_AppCtx2, Response}} = oauth2:issue_token(Authorization, [{expiry_time, TTLSeconds}]),
Get rid of jid:to_string/1 and jid:from_string/1
2017-02-26 08:07:12 +01:00
{ok, AccessToken} = oauth2_response:access_token(Response),
{ok, VerifiedScope} = oauth2_response:scope(Response),
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
{AccessToken, VerifiedScope, integer_to_list(TTLSeconds) ++ " seconds"};
Get rid of jid:to_string/1 and jid:from_string/1
2017-02-26 08:07:12 +01:00
{error, Error} ->
{error, Error}
end
catch _:{bad_jid, _} ->
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
{error, "Invalid JID: " ++ Jid}
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
end.
oauth_list_tokens() ->
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
Tokens = mnesia:dirty_match_object(#oauth_token{_ = '_'}),
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
{MegaSecs, Secs, _MiniSecs} = os:timestamp(),
TS = 1000000 * MegaSecs + Secs,
Get rid of jid:to_string/1 and jid:from_string/1
2017-02-26 08:07:12 +01:00
[{Token, jid:encode(jid:make(U,S)), Scope, integer_to_list(Expires - TS) ++ " seconds"} ||
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
#oauth_token{token=Token, scope=Scope, us= {U,S},expire=Expires} <- Tokens].
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
oauth_revoke_token(Token) ->
ok = mnesia:dirty_delete(oauth_token, list_to_binary(Token)),
oauth_list_tokens().
Use new cache API in ejabberd_oauth
2017-04-21 08:02:10 +02:00
config_reloaded() ->
DBMod = get_db_backend(),
case init_cache(DBMod) of
true ->
ets_cache:setopts(oauth_cache, cache_opts());
false ->
ok
end.
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
start_link() ->
gen_server:start_link({local, ?MODULE}, ?MODULE, [], []).
init([]) ->
Improve startup procedure
2017-02-24 10:05:47 +01:00
DBMod = get_db_backend(),
DBMod:init(),
Use new cache API in ejabberd_oauth
2017-04-21 08:02:10 +02:00
init_cache(DBMod),
Improve startup procedure
2017-02-24 10:05:47 +01:00
Expire = expire(),
application:set_env(oauth2, backend, ejabberd_oauth),
application:set_env(oauth2, expiry_time, Expire),
application:start(oauth2),
ejabberd_commands:register_commands(get_commands_spec()),
Use new cache API in ejabberd_oauth
2017-04-21 08:02:10 +02:00
ejabberd_hooks:add(config_reloaded, ?MODULE, config_reloaded, 50),
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
erlang:send_after(expire() * 1000, self(), clean),
{ok, ok}.
handle_call(_Request, _From, State) ->
{reply, bad_request, State}.
handle_cast(_Msg, State) -> {noreply, State}.
handle_info(clean, State) ->
{MegaSecs, Secs, MiniSecs} = os:timestamp(),
TS = 1000000 * MegaSecs + Secs,
Add DB backend support for ejabberd_oauth
2016-07-20 15:55:45 +02:00
DBMod = get_db_backend(),
DBMod:clean(TS),
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
erlang:send_after(trunc(expire() * 1000 * (1 + MiniSecs / 1000000)),
self(), clean),
{noreply, State};
handle_info(_Info, State) -> {noreply, State}.
terminate(_Reason, _State) -> ok.
code_change(_OldVsn, State, _Extra) -> {ok, State}.
get_client_identity(Client, Ctx) -> {ok, {Ctx, {client, Client}}}.
verify_redirection_uri(_, _, Ctx) -> {ok, Ctx}.
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
authenticate_user({User, Server}, Ctx) ->
Don't pass empty resource to jid:make()
2017-02-25 08:01:01 +01:00
case jid:make(User, Server) of
Add oauth_access option
2015-09-25 18:47:27 +02:00
#jid{} = JID ->
Access =
ejabberd_config:get_option(
{oauth_access, JID#jid.lserver},
none),
case acl:match_rule(JID#jid.lserver, Access, JID) of
allow ->
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
case Ctx of
{password, Password} ->
Merge commit 'refs/pull/524/head' of github.com:processone/ejabberd into sasl-api-change
2016-03-25 16:16:50 +01:00
case ejabberd_auth:check_password(User, <<"">>, Server, Password) of
Add oauth_access option
2015-09-25 18:47:27 +02:00
true ->
{ok, {Ctx, {user, User, Server}}};
false ->
{error, badpass}
end;
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
admin_generated ->
{ok, {Ctx, {user, User, Server}}}
Add oauth_access option
2015-09-25 18:47:27 +02:00
end;
deny ->
{error, badpass}
end;
error ->
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
{error, badpass}
end.
authenticate_client(Client, Ctx) -> {ok, {Ctx, {client, Client}}}.
Remove compile warnings
2016-02-08 10:50:28 +01:00
verify_resowner_scope({user, _User, _Server}, Scope, Ctx) ->
Clarify command module API
2016-07-26 12:15:03 +02:00
Cmds = ejabberd_commands:get_exposed_commands(),
Add 'ejabberd:user' and 'ejabberd:admin' oauth scopes 'ejabberd:user' includes all commands defined with policy "user". 'ejabberd:admin' includes commands defined with policy "admin".
2016-07-19 04:27:49 +02:00
Cmds1 = ['ejabberd:user', 'ejabberd:admin', sasl_auth | Cmds],
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
RegisteredScope = [atom_to_binary(C, utf8) || C <- Cmds1],
case oauth2_priv_set:is_subset(oauth2_priv_set:new(Scope),
oauth2_priv_set:new(RegisteredScope)) of
true ->
{ok, {Ctx, Scope}};
false ->
{error, badscope}
end;
verify_resowner_scope(_, _, _) ->
{error, badscope}.
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
%% This is callback for oauth tokens generated through the command line. Only open and admin commands are
%% made available.
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
%verify_client_scope({client, ejabberd_ctl}, Scope, Ctx) ->
% RegisteredScope = dict:fetch_keys(get_cmd_scopes()),
% case oauth2_priv_set:is_subset(oauth2_priv_set:new(Scope),
% oauth2_priv_set:new(RegisteredScope)) of
% true ->
% {ok, {Ctx, Scope}};
% false ->
% {error, badscope}
% end.
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
-spec seconds_since_epoch(integer()) -> non_neg_integer().
seconds_since_epoch(Diff) ->
{Mega, Secs, _} = os:timestamp(),
Mega * 1000000 + Secs + Diff.
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
Remove compile warnings
2016-02-08 10:50:28 +01:00
associate_access_code(_AccessCode, _Context, AppContext) ->
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
%put(?ACCESS_CODE_TABLE, AccessCode, Context),
{ok, AppContext}.
associate_access_token(AccessToken, Context, AppContext) ->
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
{user, User, Server} = proplists:get_value(<<"resource_owner">>, Context, <<"">>),
Expire = case proplists:get_value(expiry_time, AppContext, undefined) of
undefined ->
proplists:get_value(<<"expiry_time">>, Context, 0);
Oauth callback must pass expires_in as ttl instead of epoch
2016-07-20 19:47:11 +02:00
ExpiresIn ->
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
%% There is no clean way in oauth2 lib to actually override the TTL of the generated token.
%% It always pass the global configured value. Here we use the app context to pass the per-case
%% ttl if we want to override it.
Oauth callback must pass expires_in as ttl instead of epoch
2016-07-20 19:47:11 +02:00
seconds_since_epoch(ExpiresIn)
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
end,
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
{user, User, Server} = proplists:get_value(<<"resource_owner">>, Context, <<"">>),
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Scope = proplists:get_value(<<"scope">>, Context, []),
R = #oauth_token{
token = AccessToken,
Fix ce0d1704c6cc167c8bc891587952f78c55f979ad Original request was to allow ejabberd sysadmin to generate tokens for specific users. JIDs must not be passed as argument when requesting the tokens.
2016-07-19 01:25:23 +02:00
us = {jid:nodeprep(User), jid:nodeprep(Server)},
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
scope = Scope,
expire = Expire
},
Add tokens cache to ejabberd_oauth
2016-08-04 00:58:56 +02:00
store(R),
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
{ok, AppContext}.
Remove compile warnings
2016-02-08 10:50:28 +01:00
associate_refresh_token(_RefreshToken, _Context, AppContext) ->
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
%put(?REFRESH_TOKEN_TABLE, RefreshToken, Context),
{ok, AppContext}.
New api permissions framework
2016-10-05 13:21:11 +02:00
scope_in_scope_list(Scope, ScopeList) ->
TokenScopeSet = oauth2_priv_set:new(Scope),
lists:any(fun(Scope2) ->
oauth2_priv_set:is_member(Scope2, TokenScopeSet) end,
ScopeList).
check_token(Token) ->
case lookup(Token) of
{ok, #oauth_token{us = US,
scope = TokenScope,
expire = Expire}} ->
{MegaSecs, Secs, _} = os:timestamp(),
TS = 1000000 * MegaSecs + Secs,
if
Expire > TS ->
{ok, US, TokenScope};
true ->
{false, expired}
end;
_ ->
{false, not_found}
end.
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Add 'ejabberd:user' and 'ejabberd:admin' oauth scopes 'ejabberd:user' includes all commands defined with policy "user". 'ejabberd:admin' includes commands defined with policy "admin".
2016-07-19 04:27:49 +02:00
check_token(User, Server, ScopeList, Token) ->
Move JID related functions to jid.erl (#847)
2015-11-24 16:44:13 +01:00
LUser = jid:nodeprep(User),
LServer = jid:nameprep(Server),
Add tokens cache to ejabberd_oauth
2016-08-04 00:58:56 +02:00
case lookup(Token) of
{ok, #oauth_token{us = {LUser, LServer},
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
scope = TokenScope,
Add tokens cache to ejabberd_oauth
2016-08-04 00:58:56 +02:00
expire = Expire}} ->
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
{MegaSecs, Secs, _} = os:timestamp(),
TS = 1000000 * MegaSecs + Secs,
Add support for sending back missing scope error to API ReST command calls
2016-07-30 18:51:54 +02:00
if
Expire > TS ->
TokenScopeSet = oauth2_priv_set:new(TokenScope),
lists:any(fun(Scope) ->
oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
ScopeList);
true ->
{false, expired}
end;
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
_ ->
Add support for sending back missing scope error to API ReST command calls
2016-07-30 18:51:54 +02:00
{false, not_found}
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
end.
Add 'ejabberd:user' and 'ejabberd:admin' oauth scopes 'ejabberd:user' includes all commands defined with policy "user". 'ejabberd:admin' includes commands defined with policy "admin".
2016-07-19 04:27:49 +02:00
check_token(ScopeList, Token) ->
Add tokens cache to ejabberd_oauth
2016-08-04 00:58:56 +02:00
case lookup(Token) of
{ok, #oauth_token{us = US,
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
scope = TokenScope,
Add tokens cache to ejabberd_oauth
2016-08-04 00:58:56 +02:00
expire = Expire}} ->
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
{MegaSecs, Secs, _} = os:timestamp(),
TS = 1000000 * MegaSecs + Secs,
Add support for sending back missing scope error to API ReST command calls
2016-07-30 18:51:54 +02:00
if
Expire > TS ->
TokenScopeSet = oauth2_priv_set:new(TokenScope),
case lists:any(fun(Scope) ->
oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
ScopeList) of
true -> {ok, user, US};
false -> {false, no_matching_scope}
Allow generation of oauth tokens from command line Oauth tokens can be generated for commands (scopes) having admin|user|open policy. Restricted commands are not available as those are only usable from ejabberdctl command line. Four new commands are available: $ejabberdctl oauth_issue_token "stats;get_roster" Generates a token authorized to call both stats and get_roster commands. Note scopes must be separated by semicolon. $ejabberdctl oauth_list_tokens List tokens generated from the command line, with their scope and expirity time. $ejabberdctl oauth_list_scopes List scopes available $ejabberdctl oauth_revoke_token "Lbs7qdJfdKXOWzVrArgyckY055tE1xnt" Revokes the given token
2016-06-29 05:22:28 +02:00
end;
Add support for sending back missing scope error to API ReST command calls
2016-07-30 18:51:54 +02:00
true ->
{false, expired}
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
end;
_ ->
Add support for sending back missing scope error to API ReST command calls
2016-07-30 18:51:54 +02:00
{false, not_found}
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
end.
Add tokens cache to ejabberd_oauth
2016-08-04 00:58:56 +02:00
store(R) ->
Use new cache API in ejabberd_oauth
2017-04-21 08:02:10 +02:00
DBMod = get_db_backend(),
case DBMod:store(R) of
ok ->
ets_cache:delete(oauth_cache, R#oauth_token.token,
ejabberd_cluster:get_nodes());
{error, _} = Err ->
Err
end.
Add tokens cache to ejabberd_oauth
2016-08-04 00:58:56 +02:00
lookup(Token) ->
Use new cache API in ejabberd_oauth
2017-04-21 08:02:10 +02:00
ets_cache:lookup(oauth_cache, Token,
fun() ->
DBMod = get_db_backend(),
DBMod:lookup(Token)
end).
-spec init_cache(module()) -> boolean().
init_cache(DBMod) ->
UseCache = use_cache(DBMod),
case UseCache of
true ->
ets_cache:new(oauth_cache, cache_opts());
false ->
ets_cache:delete(oauth_cache)
end,
UseCache.
use_cache(DBMod) ->
case erlang:function_exported(DBMod, use_cache, 0) of
true -> DBMod:use_cache();
false ->
ejabberd_config:get_option(
Don't validate an option in ejabberd_config:get_option() functions The commit introduces the following changes: * Now there is no need to pass validating function in ejabberd_config:get_option() functions, because the configuration keeps already validated values. * New function ejabberd_config:get_option/1 is introduced * Function ejabberd_config:get_option/3 is deprecated. If the function is still called, the second argument (validating function) is simply ignored. * The second argument for ejabberd_config:get_option/2 is now a default value, not a validating function.
2017-04-29 10:39:40 +02:00
oauth_use_cache,
Use new cache API in ejabberd_oauth
2017-04-21 08:02:10 +02:00
ejabberd_config:use_cache(global))
end.
Add tokens cache to ejabberd_oauth
2016-08-04 00:58:56 +02:00
Use new cache API in ejabberd_oauth
2017-04-21 08:02:10 +02:00
cache_opts() ->
MaxSize = ejabberd_config:get_option(
oauth_cache_size,
ejabberd_config:cache_size(global)),
CacheMissed = ejabberd_config:get_option(
oauth_cache_missed,
ejabberd_config:cache_missed(global)),
LifeTime = case ejabberd_config:get_option(
oauth_cache_life_time,
ejabberd_config:cache_life_time(global)) of
infinity -> infinity;
I -> timer:seconds(I)
end,
[{max_size, MaxSize}, {life_time, LifeTime}, {cache_missed, CacheMissed}].
Add tokens cache to ejabberd_oauth
2016-08-04 00:58:56 +02:00
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
expire() ->
Don't validate an option in ejabberd_config:get_option() functions The commit introduces the following changes: * Now there is no need to pass validating function in ejabberd_config:get_option() functions, because the configuration keeps already validated values. * New function ejabberd_config:get_option/1 is introduced * Function ejabberd_config:get_option/3 is deprecated. If the function is still called, the second argument (validating function) is simply ignored. * The second argument for ejabberd_config:get_option/2 is now a default value, not a validating function.
2017-04-29 10:39:40 +02:00
ejabberd_config:get_option(oauth_expire, ?EXPIRE).
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
-define(DIV(Class, Els),
?XAE(<<"div">>, [{<<"class">>, Class}], Els)).
-define(INPUTID(Type, Name, Value),
?XA(<<"input">>,
[{<<"type">>, Type}, {<<"name">>, Name},
{<<"value">>, Value}, {<<"id">>, Name}])).
-define(LABEL(ID, Els),
?XAE(<<"label">>, [{<<"for">>, ID}], Els)).
process(_Handlers,
#request{method = 'GET', q = Q, lang = Lang,
path = [_, <<"authorization_token">>]}) ->
ResponseType = proplists:get_value(<<"response_type">>, Q, <<"">>),
ClientId = proplists:get_value(<<"client_id">>, Q, <<"">>),
RedirectURI = proplists:get_value(<<"redirect_uri">>, Q, <<"">>),
Scope = proplists:get_value(<<"scope">>, Q, <<"">>),
State = proplists:get_value(<<"state">>, Q, <<"">>),
Form =
?XAE(<<"form">>,
[{<<"action">>, <<"authorization_token">>},
{<<"method">>, <<"post">>}],
oauth: single jid field instead of username/password fields
2016-07-22 20:37:48 +02:00
[?LABEL(<<"username">>, [?CT(<<"User (jid)">>), ?C(<<": ">>)]),
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
?INPUTID(<<"text">>, <<"username">>, <<"">>),
?BR,
?LABEL(<<"password">>, [?CT(<<"Password">>), ?C(<<": ">>)]),
?INPUTID(<<"password">>, <<"password">>, <<"">>),
?INPUT(<<"hidden">>, <<"response_type">>, ResponseType),
?INPUT(<<"hidden">>, <<"client_id">>, ClientId),
?INPUT(<<"hidden">>, <<"redirect_uri">>, RedirectURI),
?INPUT(<<"hidden">>, <<"scope">>, Scope),
?INPUT(<<"hidden">>, <<"state">>, State),
?BR,
Add script to extract translation strings
2017-09-23 23:08:01 +02:00
?LABEL(<<"ttl">>, [?CT(<<"Token TTL">>), ?C(<<": ">>)]),
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
?XAE(<<"select">>, [{<<"name">>, <<"ttl">>}],
[
?XAC(<<"option">>, [{<<"value">>, <<"3600">>}],<<"1 Hour">>),
?XAC(<<"option">>, [{<<"value">>, <<"86400">>}],<<"1 Day">>),
?XAC(<<"option">>, [{<<"value">>, <<"2592000">>}],<<"1 Month">>),
Make default OAuth token TTL values more user friendly
2016-07-23 18:57:57 +02:00
?XAC(<<"option">>, [{<<"selected">>, <<"selected">>},{<<"value">>, <<"31536000">>}],<<"1 Year">>),
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
?XAC(<<"option">>, [{<<"value">>, <<"315360000">>}],<<"10 Years">>)]),
?BR,
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
?INPUTT(<<"submit">>, <<"">>, <<"Accept">>)
]),
Top =
?DIV(<<"section">>,
[?DIV(<<"block">>,
[?A(<<"https://www.ejabberd.im">>,
[?XA(<<"img">>,
[{<<"height">>, <<"32">>},
{<<"src">>, logo()}])]
)])]),
Middle =
?DIV(<<"white section">>,
[?DIV(<<"block">>,
[?XC(<<"h1">>, <<"Authorization request">>),
?XE(<<"p">>,
[?C(<<"Application ">>),
?XC(<<"em">>, ClientId),
?C(<<" wants to access scope ">>),
?XC(<<"em">>, Scope)]),
Form
])]),
Bottom =
?DIV(<<"section">>,
[?DIV(<<"block">>,
[?XAC(<<"a">>,
[{<<"href">>, <<"https://www.ejabberd.im">>},
{<<"title">>, <<"ejabberd XMPP server">>}],
<<"ejabberd">>),
Fix typo
2016-11-16 18:24:12 +01:00
?C(<<" is maintained by ">>),
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
?XAC(<<"a">>,
[{<<"href">>, <<"https://www.process-one.net">>},
{<<"title">>, <<"ProcessOne - Leader in Instant Messaging and Push Solutions">>}],
<<"ProcessOne">>)
])]),
Body = ?DIV(<<"container">>, [Top, Middle, Bottom]),
ejabberd_web:make_xhtml(web_head(), [Body]);
process(_Handlers,
#request{method = 'POST', q = Q, lang = _Lang,
path = [_, <<"authorization_token">>]}) ->
Remove compile warnings
2016-02-08 10:50:28 +01:00
_ResponseType = proplists:get_value(<<"response_type">>, Q, <<"">>),
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
ClientId = proplists:get_value(<<"client_id">>, Q, <<"">>),
RedirectURI = proplists:get_value(<<"redirect_uri">>, Q, <<"">>),
SScope = proplists:get_value(<<"scope">>, Q, <<"">>),
oauth: single jid field instead of username/password fields
2016-07-22 20:37:48 +02:00
StringJID = proplists:get_value(<<"username">>, Q, <<"">>),
Get rid of jid:to_string/1 and jid:from_string/1
2017-02-26 08:07:12 +01:00
#jid{user = Username, server = Server} = jid:decode(StringJID),
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Password = proplists:get_value(<<"password">>, Q, <<"">>),
State = proplists:get_value(<<"state">>, Q, <<"">>),
Scope = str:tokens(SScope, <<" ">>),
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
TTL = proplists:get_value(<<"ttl">>, Q, <<"">>),
ExpiresIn = case TTL of
<<>> -> undefined;
Deprecate most of the functions from jlib.erl
2016-11-13 08:44:53 +01:00
_ -> binary_to_integer(TTL)
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
end,
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
case oauth2:authorize_password({Username, Server},
ClientId,
RedirectURI,
Scope,
{password, Password}) of
{ok, {_AppContext, Authorization}} ->
{ok, {_AppContext2, Response}} =
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
oauth2:issue_token(Authorization, [{expiry_time, ExpiresIn} || ExpiresIn /= undefined ]),
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
{ok, AccessToken} = oauth2_response:access_token(Response),
{ok, Type} = oauth2_response:token_type(Response),
Let user choose the desired oauth token TTL
2016-07-20 01:18:07 +02:00
%%Ugly: workardound to return the correct expirity time, given than oauth2 lib doesn't really have
%%per-case expirity time.
Expires = case ExpiresIn of
undefined ->
{ok, Ex} = oauth2_response:expires_in(Response),
Ex;
_ ->
ExpiresIn
end,
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
{ok, VerifiedScope} = oauth2_response:scope(Response),
%oauth2_wrq:redirected_access_token_response(ReqData,
% RedirectURI,
% AccessToken,
% Type,
% Expires,
% VerifiedScope,
% State,
% Context);
{302, [{<<"Location">>,
<<RedirectURI/binary,
"?access_token=", AccessToken/binary,
"&token_type=", Type/binary,
"&expires_in=", (integer_to_binary(Expires))/binary,
"&scope=", (str:join(VerifiedScope, <<" ">>))/binary,
"&state=", State/binary>>
}],
ejabberd_web:make_xhtml([?XC(<<"h1">>, <<"302 Found">>)])};
{error, Error} when is_atom(Error) ->
%oauth2_wrq:redirected_error_response(
% ReqData, RedirectURI, Error, State, Context)
{302, [{<<"Location">>,
<<RedirectURI/binary,
"?error=", (atom_to_binary(Error, utf8))/binary,
"&state=", State/binary>>
}],
ejabberd_web:make_xhtml([?XC(<<"h1">>, <<"302 Found">>)])}
end;
Support oauth password grant type As in https://tools.ietf.org/html/rfc6749#section-4.3
2016-07-23 00:17:12 +02:00
process(_Handlers,
#request{method = 'POST', q = Q, lang = _Lang,
path = [_, <<"token">>]}) ->
Make default OAuth token TTL values more user friendly
2016-07-23 18:57:57 +02:00
case proplists:get_value(<<"grant_type">>, Q, <<"">>) of
Support oauth password grant type As in https://tools.ietf.org/html/rfc6749#section-4.3
2016-07-23 00:17:12 +02:00
<<"password">> ->
SScope = proplists:get_value(<<"scope">>, Q, <<"">>),
StringJID = proplists:get_value(<<"username">>, Q, <<"">>),
Get rid of jid:to_string/1 and jid:from_string/1
2017-02-26 08:07:12 +01:00
#jid{user = Username, server = Server} = jid:decode(StringJID),
Support oauth password grant type As in https://tools.ietf.org/html/rfc6749#section-4.3
2016-07-23 00:17:12 +02:00
Password = proplists:get_value(<<"password">>, Q, <<"">>),
Scope = str:tokens(SScope, <<" ">>),
TTL = proplists:get_value(<<"ttl">>, Q, <<"">>),
ExpiresIn = case TTL of
<<>> -> undefined;
Deprecate most of the functions from jlib.erl
2016-11-13 08:44:53 +01:00
_ -> binary_to_integer(TTL)
Support oauth password grant type As in https://tools.ietf.org/html/rfc6749#section-4.3
2016-07-23 00:17:12 +02:00
end,
case oauth2:authorize_password({Username, Server},
Scope,
{password, Password}) of
{ok, {_AppContext, Authorization}} ->
{ok, {_AppContext2, Response}} =
oauth2:issue_token(Authorization, [{expiry_time, ExpiresIn} || ExpiresIn /= undefined ]),
{ok, AccessToken} = oauth2_response:access_token(Response),
{ok, Type} = oauth2_response:token_type(Response),
%%Ugly: workardound to return the correct expirity time, given than oauth2 lib doesn't really have
%%per-case expirity time.
Expires = case ExpiresIn of
undefined ->
{ok, Ex} = oauth2_response:expires_in(Response),
Ex;
_ ->
ExpiresIn
end,
{ok, VerifiedScope} = oauth2_response:scope(Response),
json_response(200, {[
{<<"access_token">>, AccessToken},
{<<"token_type">>, Type},
{<<"scope">>, str:join(VerifiedScope, <<" ">>)},
{<<"expires_in">>, Expires}]});
{error, Error} when is_atom(Error) ->
Return more user friendly, human readable error description
2016-07-24 14:10:12 +02:00
json_error(400, <<"invalid_grant">>, Error)
Support oauth password grant type As in https://tools.ietf.org/html/rfc6749#section-4.3
2016-07-23 00:17:12 +02:00
end;
Return more user friendly, human readable error description
2016-07-24 14:10:12 +02:00
_OtherGrantType ->
json_error(400, <<"unsupported_grant_type">>, unsupported_grant_type)
Support oauth password grant type As in https://tools.ietf.org/html/rfc6749#section-4.3
2016-07-23 00:17:12 +02:00
end;
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
process(_Handlers, _Request) ->
ejabberd_web:error(not_found).
Add DB backend support for ejabberd_oauth
2016-07-20 15:55:45 +02:00
-spec get_db_backend() -> module().
get_db_backend() ->
DBType = ejabberd_config:get_option(
Don't validate an option in ejabberd_config:get_option() functions The commit introduces the following changes: * Now there is no need to pass validating function in ejabberd_config:get_option() functions, because the configuration keeps already validated values. * New function ejabberd_config:get_option/1 is introduced * Function ejabberd_config:get_option/3 is deprecated. If the function is still called, the second argument (validating function) is simply ignored. * The second argument for ejabberd_config:get_option/2 is now a default value, not a validating function.
2017-04-29 10:39:40 +02:00
oauth_db_type,
ejabberd_config:default_db(?MODULE)),
Add DB backend support for ejabberd_oauth
2016-07-20 15:55:45 +02:00
list_to_atom("ejabberd_oauth_" ++ atom_to_list(DBType)).
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Make default OAuth token TTL values more user friendly
2016-07-23 18:57:57 +02:00
%% Headers as per RFC 6749
Support oauth password grant type As in https://tools.ietf.org/html/rfc6749#section-4.3
2016-07-23 00:17:12 +02:00
json_response(Code, Body) ->
{Code, [{<<"Content-Type">>, <<"application/json;charset=UTF-8">>},
Make default OAuth token TTL values more user friendly
2016-07-23 18:57:57 +02:00
{<<"Cache-Control">>, <<"no-store">>},
{<<"Pragma">>, <<"no-cache">>}],
Support oauth password grant type As in https://tools.ietf.org/html/rfc6749#section-4.3
2016-07-23 00:17:12 +02:00
jiffy:encode(Body)}.
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Return more user friendly, human readable error description
2016-07-24 14:10:12 +02:00
%% OAauth error are defined in:
%% https://tools.ietf.org/html/draft-ietf-oauth-v2-25#section-5.2
json_error(Code, Error, Reason) ->
Desc = json_error_desc(Reason),
Body = {[{<<"error">>, Error},
{<<"error_description">>, Desc}]},
json_response(Code, Body).
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Return more user friendly, human readable error description
2016-07-24 14:10:12 +02:00
json_error_desc(access_denied) -> <<"Access denied">>;
json_error_desc(unsupported_grant_type) -> <<"Unsupported grant type">>;
json_error_desc(invalid_scope) -> <<"Invalid scope">>.
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
web_head() ->
[?XA(<<"meta">>, [{<<"http-equiv">>, <<"X-UA-Compatible">>},
{<<"content">>, <<"IE=edge">>}]),
?XA(<<"meta">>, [{<<"name">>, <<"viewport">>},
{<<"content">>,
<<"width=device-width, initial-scale=1">>}]),
?XC(<<"title">>, <<"Authorization request">>),
?XC(<<"style">>, css())
].
css() ->
Don't include CSS, javascript and image data directly in the code
2017-10-09 22:35:42 +02:00
case misc:read_css("oauth.css") of
{ok, Data} -> Data;
{error, _} -> <<>>
end.
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
logo() ->
Don't include CSS, javascript and image data directly in the code
2017-10-09 22:35:42 +02:00
case misc:read_img("oauth-logo.png") of
{ok, Img} ->
B64Img = base64:encode(Img),
<<"data:image/png;base64,", B64Img/binary>>;
{error, _} ->
<<>>
end.
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
Add type specs for Module:opt_type/1
2017-05-08 11:59:28 +02:00
-spec opt_type(oauth_expire) -> fun((non_neg_integer()) -> non_neg_integer());
(oauth_access) -> fun((any()) -> any());
(oauth_db_type) -> fun((atom()) -> atom());
(oauth_cache_life_time) -> fun((timeout()) -> timeout());
(oauth_cache_size) -> fun((timeout()) -> timeout());
(oauth_use_cache) -> fun((boolean()) -> boolean());
(oauth_cache_misse) -> fun((boolean()) -> boolean());
(atom()) -> [atom()].
Add OAuth support (thanks to Aleksey)
2015-09-25 14:53:25 +02:00
opt_type(oauth_expire) ->
fun(I) when is_integer(I), I >= 0 -> I end;
Add oauth_access option
2015-09-25 18:47:27 +02:00
opt_type(oauth_access) ->
Use {access,shaper}_rules_validator in other places where access rules are used
2016-06-21 13:18:24 +02:00
fun acl:access_rules_validator/1;
Add DB backend support for ejabberd_oauth
2016-07-20 15:55:45 +02:00
opt_type(oauth_db_type) ->
fun(T) -> ejabberd_config:v_db(?MODULE, T) end;
Use new cache API in ejabberd_oauth
2017-04-21 08:02:10 +02:00
opt_type(O) when O == oauth_cache_life_time; O == oauth_cache_size ->
fun (I) when is_integer(I), I > 0 -> I;
(infinity) -> infinity
end;
opt_type(O) when O == oauth_use_cache; O == oauth_cache_missed ->
fun (B) when is_boolean(B) -> B end;
opt_type(_) ->
[oauth_expire, oauth_access, oauth_db_type,
oauth_cache_life_time, oauth_cache_size, oauth_use_cache,
oauth_cache_missed].
Copy Permalink