xmpp.chapril.org-ejabberd/src/ejabberd_oauth.erl

%%%-------------------------------------------------------------------
%%% File : ejabberd_oauth.erl
%%% Author : Alexey Shchepin <alexey@process-one.net>
%%% Purpose : OAUTH2 support
%%% Created : 20 Mar 2015 by Alexey Shchepin <alexey@process-one.net>
%%%
%%%
%%% ejabberd, Copyright (C) 2002-2016 ProcessOne
%%%
%%% This program is free software; you can redistribute it and/or
%%% modify it under the terms of the GNU General Public License as
%%% published by the Free Software Foundation; either version 2 of the
%%% License, or (at your option) any later version.
%%%
%%% This program is distributed in the hope that it will be useful,
%%% but WITHOUT ANY WARRANTY; without even the implied warranty of
%%% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
%%% General Public License for more details.
%%%
%%% You should have received a copy of the GNU General Public License
%%% along with this program; if not, write to the Free Software
%%% Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
%%% 02111-1307 USA
%%%
%%%-------------------------------------------------------------------
-module(ejabberd_oauth).
-behaviour(gen_server).
%% gen_server callbacks
-export([init/1, handle_call/3, handle_cast/2,
handle_info/2, terminate/2, code_change/3]).
-export([start/0,
start_link/0,
get_client_identity/2,
verify_redirection_uri/3,
authenticate_user/2,
authenticate_client/2,
verify_resowner_scope/3,
associate_access_code/3,
associate_access_token/3,
associate_refresh_token/3,
check_token/4,
check_token/2,
process/2,
opt_type/1]).
-export([oauth_issue_token/3, oauth_list_tokens/0, oauth_revoke_token/1, oauth_list_scopes/0]).
-include("jlib.hrl").
-include("ejabberd.hrl").
-include("logger.hrl").
-include("ejabberd_http.hrl").
-include("ejabberd_web_admin.hrl").
-include("ejabberd_commands.hrl").
%% There are two ways to obtain an oauth token:
%% * Using the web form/api results in the token being generated on behalf of the user providing the user/pass
%% * Using the command line and the oauth_issue_token command, the token is generated on behalf of ejabberd's sysadmin
%% (as it has access to the ejabberd command line).
2015-09-25 14:53:25 +02:00
%% One row of the mnesia `oauth_token' table: one record per issued access token.
-record(oauth_token, {
    %% Table key. Declared as a pair here, but associate_access_token/3 stores
    %% the bare access-token binary in this field and check_token/2,4 and
    %% oauth_revoke_token/1 read/delete rows by that binary, so the declared
    %% type and default do not match the stored value (NOTE(review): Dialyzer
    %% candidate; left as-is to keep the record shape unchanged).
    token = {<<"">>, <<"">>} :: {binary(), binary()},
    %% {User, Server} the token was issued for, stringprepped in
    %% associate_access_token/3 and matched in check_token/4 against the
    %% prepped caller.
    us = {<<"">>, <<"">>} :: {binary(), binary()},
    %% Scope strings granted to the token, as handed over by the oauth2 library.
    scope = [] :: [binary()],
    %% Absolute expiry, seconds since the Unix epoch; a token is valid while
    %% `expire' is strictly greater than "now" (see check_token/2,4).
    expire :: integer()
}).
%% Default token lifetime in seconds when the `oauth_expire' option is unset.
-define(EXPIRE, 3600).
%% Initialise OAuth support: create the token table, configure and start the
%% `oauth2' application with this module as backend, attach the expiry-cleanup
%% worker to ejabberd_sup and register the `oauth_*' ejabberd commands.
%% The results of application:start/1 and supervisor:start_child/2 are not
%% inspected; the function always returns `ok'.
start() ->
    init_db(mnesia, ?MYNAME),
    configure_oauth2_app(expire()),
    supervisor:start_child(ejabberd_sup, cleanup_child_spec()),
    ejabberd_commands:register_commands(get_commands_spec()),
    ok.

%% Point the oauth2 library at this backend with the configured token lifetime
%% and start it.
configure_oauth2_app(ExpirySeconds) ->
    application:set_env(oauth2, backend, ejabberd_oauth),
    application:set_env(oauth2, expiry_time, ExpirySeconds),
    application:start(oauth2).

%% Child spec of the gen_server defined in this module (temporary worker).
cleanup_child_spec() ->
    {?MODULE, {?MODULE, start_link, []}, temporary, 1000, worker, [?MODULE]}.
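%% Specs of the `oauth_*' ejabberd_commands registered by start/0.
%% All of them are `restricted' (command-line/admin only).
%% Fix: oauth_issue_token takes three arguments (jid, ttl, scopes), so
%% args_example and args_desc now list three entries; the original listed two
%% examples and one description, which did not line up with `args'.
get_commands_spec() ->
    [
     #ejabberd_commands{name = oauth_issue_token, tags = [oauth],
                        desc = "Issue an oauth token for the given jid",
                        module = ?MODULE, function = oauth_issue_token,
                        args = [{jid, string}, {ttl, integer}, {scopes, string}],
                        policy = restricted,
                        args_example = ["user@server.com", 3600, "connected_users_number;muc_online_rooms"],
                        args_desc = ["Jid for which issue token",
                                     "Time to live of generated token in seconds",
                                     "List of scopes to allow, separated by ';'"],
                        result = {result, {tuple, [{token, string}, {scopes, string}, {expires_in, string}]}}
                       },
     #ejabberd_commands{name = oauth_list_tokens, tags = [oauth],
                        desc = "List oauth tokens, their user and scope, and how many seconds remain until expirity",
                        module = ?MODULE, function = oauth_list_tokens,
                        args = [],
                        policy = restricted,
                        result = {tokens, {list, {token, {tuple, [{token, string}, {user, string}, {scope, string}, {expires_in, string}]}}}}
                       },
     #ejabberd_commands{name = oauth_list_scopes, tags = [oauth],
                        desc = "List scopes that can be granted to tokens generated through the command line, together with the commands they allow",
                        module = ?MODULE, function = oauth_list_scopes,
                        args = [],
                        policy = restricted,
                        result = {scopes, {list, {scope, {tuple, [{scope, string}, {commands, string}]}}}}
                       },
     #ejabberd_commands{name = oauth_revoke_token, tags = [oauth],
                        desc = "Revoke authorization for a token",
                        module = ?MODULE, function = oauth_revoke_token,
                        args = [{token, string}],
                        policy = restricted,
                        result = {tokens, {list, {token, {tuple, [{token, string}, {user, string}, {scope, string}, {expires_in, string}]}}}},
                        result_desc = "List of remaining tokens"
                       }
    ].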
%% `oauth_issue_token' command: issue a token for Jid on behalf of the
%% sysadmin, valid for TTLSeconds, with the ';'-separated scopes in
%% ScopesString. Returns {Token, VerifiedScopes, "N seconds"} on success,
%% {error, Reason} when authorization fails or the JID does not parse.
oauth_issue_token(Jid, TTLSeconds, ScopesString) ->
    Scopes = split_scopes(ScopesString),
    case jid:from_string(list_to_binary(Jid)) of
        error ->
            {error, "Invalid JID: " ++ Jid};
        #jid{luser = User, lserver = Server} ->
            issue_admin_token({User, Server}, Scopes, TTLSeconds)
    end.

%% ';'-separated scope string -> list of scope binaries.
split_scopes(ScopesString) ->
    lists:map(fun list_to_binary/1, string:tokens(ScopesString, ";")).

%% Password-grant flow with the `admin_generated' pseudo credential (see
%% authenticate_user/2), forcing the token expiry to now + TTLSeconds through
%% the app context because the oauth2 library has no per-token TTL option.
issue_admin_token(US, Scopes, TTLSeconds) ->
    case oauth2:authorize_password(US, Scopes, admin_generated) of
        {ok, {_Ctx, Authorization}} ->
            Opts = [{expiry_time, seconds_since_epoch(TTLSeconds)}],
            {ok, {_AppCtx, Response}} = oauth2:issue_token(Authorization, Opts),
            {ok, AccessToken} = oauth2_response:access_token(Response),
            {ok, VerifiedScope} = oauth2_response:scope(Response),
            {AccessToken, VerifiedScope, integer_to_list(TTLSeconds) ++ " seconds"};
        {error, _Reason} = Error ->
            Error
    end.
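%% `oauth_list_tokens' command: every stored token with its owner JID, scope
%% and the seconds left until expiry (negative for rows that have expired but
%% not yet been swept by the periodic `clean' in handle_info/2).
%% "Now" comes from seconds_since_epoch(0) rather than a second hand-rolled
%% os:timestamp/0 conversion, so the module has one definition of it.
oauth_list_tokens() ->
    Now = seconds_since_epoch(0),
    %% Full table scan; acceptable for an admin-only command.
    Tokens = mnesia:dirty_match_object(#oauth_token{_ = '_'}),
    [{Token, jid:to_string(jid:make(U, S, <<>>)), Scope,
      integer_to_list(Expires - Now) ++ " seconds"}
     || #oauth_token{token = Token, scope = Scope, us = {U, S}, expire = Expires} <- Tokens].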
%% `oauth_revoke_token' command: delete the row keyed by Token (given as a
%% string) and return the remaining tokens in oauth_list_tokens/0 format.
oauth_revoke_token(Token) ->
    Key = list_to_binary(Token),
    ok = mnesia:dirty_delete(oauth_token, Key),
    oauth_list_tokens().
%% `oauth_list_scopes' command: each grantable scope paired with the
%% comma-separated names of the commands it covers (see get_cmd_scopes/0).
oauth_list_scopes() ->
    Describe = fun({Scope, Cmds}) ->
                       Names = [atom_to_list(Cmd) || Cmd <- Cmds],
                       {Scope, string:join(Names, ",")}
               end,
    lists:map(Describe, dict:to_list(get_cmd_scopes())).
%% Start the expiry-cleanup gen_server, registered locally under this module's name.
start_link() ->
    Name = {local, ?MODULE},
    gen_server:start_link(Name, ?MODULE, [], []).
%% gen_server init: arm the first `clean' sweep one token lifetime from now.
%% The server keeps no state (`ok').
init([]) ->
    DelayMs = expire() * 1000,
    erlang:send_after(DelayMs, self(), clean),
    {ok, ok}.
%% No synchronous API: every call is answered with `bad_request'.
handle_call(_Request, _From, State) ->
    Reply = bad_request,
    {reply, Reply, State}.
handle_cast(_Msg, State) -> {noreply, State}.
%% Periodic `clean' sweep: delete every oauth_token row whose expiry is
%% strictly in the past, then re-arm the timer. Other messages are dropped.
handle_info(clean, State) ->
    {MegaSecs, Secs, MicroSecs} = os:timestamp(),
    Now = 1000000 * MegaSecs + Secs,
    mnesia:async_dirty(fun() -> delete_expired_tokens(Now) end),
    schedule_clean(MicroSecs),
    {noreply, State};
handle_info(_Info, State) ->
    {noreply, State}.

%% Inside the caller's mnesia activity: select and delete rows with expire < Now.
delete_expired_tokens(Now) ->
    MatchSpec = [{#oauth_token{expire = '$1', _ = '_'}, [{'<', '$1', Now}], ['$_']}],
    Expired = mnesia:select(oauth_token, MatchSpec),
    lists:foreach(fun mnesia:delete_object/1, Expired).

%% Re-arm the sweep one token lifetime from now, stretched by up to 100%
%% depending on the sub-second part of the clock (same formula as before).
schedule_clean(MicroSecs) ->
    Factor = 1 + MicroSecs / 1000000,
    DelayMs = trunc(expire() * 1000 * Factor),
    erlang:send_after(DelayMs, self(), clean).
terminate(_Reason, _State) -> ok.
code_change(_OldVsn, State, _Extra) -> {ok, State}.
%% Create the disc-backed `oauth_token' table on this node (or add a local
%% copy when the table already exists in the cluster). Only the mnesia
%% backend is handled; any other backend name is a no-op.
init_db(mnesia, _Host) ->
    TabDef = [{disc_copies, [node()]},
              {attributes, record_info(fields, oauth_token)}],
    mnesia:create_table(oauth_token, TabDef),
    mnesia:add_table_copy(oauth_token, node(), disc_copies);
init_db(_Backend, _Host) ->
    ok.
get_client_identity(Client, Ctx) -> {ok, {Ctx, {client, Client}}}.
verify_redirection_uri(_, _, Ctx) -> {ok, Ctx}.
%% oauth2 backend callback: resource-owner authentication.
%% Ctx is {password, Password} (web form) or `admin_generated' (the
%% oauth_issue_token command; no password is checked). The JID must first be
%% valid and allowed by the per-host `oauth_access' access rule (default
%% `none'). Every failure, including an invalid JID or a denying ACL, yields
%% the same {error, badpass}.
authenticate_user({User, Server}, Ctx) ->
    case jid:make(User, Server, <<"">>) of
        error ->
            {error, badpass};
        #jid{lserver = LServer} = JID ->
            Access = ejabberd_config:get_option({oauth_access, LServer},
                                               fun(A) -> A end,
                                               none),
            case acl:match_rule(LServer, Access, JID) of
                allow -> check_credentials(Ctx, User, Server);
                deny -> {error, badpass}
            end
    end.

%% Second step of authenticate_user/2, reached only once the ACL allowed the JID.
check_credentials(Ctx, User, Server) ->
    Owner = {user, User, Server},
    case Ctx of
        {password, Password} ->
            case ejabberd_auth:check_password(User, <<"">>, Server, Password) of
                true -> {ok, {Ctx, Owner}};
                false -> {error, badpass}
            end;
        admin_generated ->
            {ok, {Ctx, Owner}}
    end.
authenticate_client(Client, Ctx) -> {ok, {Ctx, {client, Client}}}.
%% oauth2 backend callback. A resource owner may request any scope that is
%% the name of a registered ejabberd command, or one of the pseudo-scopes
%% `ejabberd:user', `ejabberd:admin' and `sasl_auth'; the whole requested
%% Scope must be a subset of that set, otherwise {error, badscope}.
%% NOTE(review): `ejabberd:admin' is grantable here to any owner the ACL
%% allowed; whether such a token can actually run admin commands is not
%% decided in this module — confirm the command executor enforces it.
%% Owners that are not {user, _, _} are always rejected.
verify_resowner_scope({user, _User, _Server}, Scope, Ctx) ->
    Requested = oauth2_priv_set:new(Scope),
    Registered = oauth2_priv_set:new(registered_scopes()),
    case oauth2_priv_set:is_subset(Requested, Registered) of
        true -> {ok, {Ctx, Scope}};
        false -> {error, badscope}
    end;
verify_resowner_scope(_Owner, _Scope, _Ctx) ->
    {error, badscope}.

%% Every grantable scope name, as a binary.
registered_scopes() ->
    Names = ['ejabberd:user', 'ejabberd:admin', sasl_auth | ejabberd_commands:get_commands()],
    [atom_to_binary(Name, utf8) || Name <- Names].
%% Build a dict Scope -> [Command] over all registered commands whose policy
%% is not `restricted'. Commands for which the policy/scope lookup does not
%% return {ok, Policy, Scopes} are left out.
get_cmd_scopes() ->
    lists:foldl(fun add_command_scopes/2, dict:new(), ejabberd_commands:get_commands()).

%% Append Cmd under each of its scopes, unless it is restricted or unknown.
add_command_scopes(Cmd, ScopeMap) ->
    case ejabberd_commands:get_command_policy_and_scope(Cmd) of
        {ok, restricted, _Scopes} ->
            ScopeMap;
        {ok, _Policy, Scopes} ->
            lists:foldl(fun(Scope, Acc) -> dict:append(Scope, Cmd, Acc) end,
                        ScopeMap, Scopes);
        _Other ->
            ScopeMap
    end.
%% This is the callback for oauth tokens generated through the command line. Only open and admin commands are
%% made available.
%verify_client_scope({client, ejabberd_ctl}, Scope, Ctx) ->
% RegisteredScope = dict:fetch_keys(get_cmd_scopes()),
% case oauth2_priv_set:is_subset(oauth2_priv_set:new(Scope),
% oauth2_priv_set:new(RegisteredScope)) of
% true ->
% {ok, {Ctx, Scope}};
% false ->
% {error, badscope}
% end.
%% Wall-clock seconds since the Unix epoch shifted by Diff: Diff = 0 is "now",
%% a TTL gives the absolute expiry time stored in #oauth_token.expire.
-spec seconds_since_epoch(integer()) -> non_neg_integer().
seconds_since_epoch(Diff) ->
    {Mega, Secs, _Micro} = os:timestamp(),
    Now = Mega * 1000000 + Secs,
    Now + Diff.
%% oauth2 backend callback. Access codes are not persisted by this module;
%% the app context is handed back unchanged.
associate_access_code(_AccessCode, _Context, AppContext) ->
    {ok, AppContext}.
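%% oauth2 backend callback: persist the issued AccessToken as an oauth_token row.
%% Context (built by the oauth2 library) carries the resource owner, the scope
%% and the library-wide `expiry_time'. AppContext may carry a per-request
%% `expiry_time' (set by oauth_issue_token/3 and the POST handler in
%% process/2), which takes precedence: the oauth2 library offers no clean way
%% to override the TTL of a single token and always passes the globally
%% configured value, so the app context is used to smuggle the override.
%% Changes from the original: the duplicated resource-owner extraction is
%% gone, and the server part of `us' is now prepped with jid:nameprep/1 so the
%% stored {User, Server} key matches what check_token/4 looks up (it uses
%% nodeprep for the user and nameprep for the server).
associate_access_token(AccessToken, Context, AppContext) ->
    {user, User, Server} = proplists:get_value(<<"resource_owner">>, Context, <<"">>),
    Expire = case proplists:get_value(expiry_time, AppContext, undefined) of
                 undefined ->
                     proplists:get_value(<<"expiry_time">>, Context, 0);
                 PerRequestExpiry ->
                     PerRequestExpiry
             end,
    Scope = proplists:get_value(<<"scope">>, Context, []),
    Row = #oauth_token{token = AccessToken,
                       us = {jid:nodeprep(User), jid:nameprep(Server)},
                       scope = Scope,
                       expire = Expire},
    mnesia:dirty_write(Row),
    {ok, AppContext}.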
%% oauth2 backend callback. Refresh tokens are not persisted by this module;
%% the app context is handed back unchanged.
associate_refresh_token(_RefreshToken, _Context, AppContext) ->
    {ok, AppContext}.
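%% check_token/4: true iff Token exists, belongs to {User, Server} after
%% stringprep, grants at least one scope in ScopeList and has not expired.
%% check_token/2: the same test without an owner; returns {ok, user, {LUser,
%% LServer}} for a valid token and `false' otherwise.
%% Both do a dirty read of the table. When mnesia aborts the read (table
%% missing or mnesia not running) it exits with {aborted, _}; that is treated
%% as "no such token" instead of crashing the caller. The original wrapped the
%% read in a bare `catch', which also hid unrelated errors.
%% The scope/expiry test and "now" are shared (token_grants/3,
%% seconds_since_epoch/1) instead of being duplicated in both arities.
check_token(User, Server, ScopeList, Token) ->
    LUser = jid:nodeprep(User),
    LServer = jid:nameprep(Server),
    case lookup_token(Token) of
        [#oauth_token{us = {LUser, LServer}, scope = TokenScope, expire = Expire}] ->
            token_grants(TokenScope, Expire, ScopeList);
        _ ->
            false
    end.

check_token(ScopeList, Token) ->
    case lookup_token(Token) of
        [#oauth_token{us = US, scope = TokenScope, expire = Expire}] ->
            case token_grants(TokenScope, Expire, ScopeList) of
                true -> {ok, user, US};
                false -> false
            end;
        _ ->
            false
    end.

%% Dirty read of Token's row; [] when absent or when mnesia aborts the read.
lookup_token(Token) ->
    try
        mnesia:dirty_read(oauth_token, Token)
    catch
        exit:{aborted, _Reason} -> []
    end.

%% Shared validity test: at least one requested scope must be a member of the
%% token's scope set, and the expiry must be strictly in the future.
token_grants(TokenScope, Expire, ScopeList) ->
    TokenScopeSet = oauth2_priv_set:new(TokenScope),
    HasScope = lists:any(fun(Scope) -> oauth2_priv_set:is_member(Scope, TokenScopeSet) end,
                         ScopeList),
    HasScope andalso Expire > seconds_since_epoch(0).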
%% Token lifetime in seconds from the `oauth_expire' option; ?EXPIRE when unset.
expire() ->
    Validate = fun(I) when is_integer(I) -> I end,
    ejabberd_config:get_option(oauth_expire, Validate, ?EXPIRE).
%% HTML helpers for the authorization page, built on the ?XA/?XAE macros from
%% the included web headers.
%% <div class="Class">Els</div>
-define(DIV(Class, Els),
	?XAE(<<"div">>, [{<<"class">>, Class}], Els)).
%% <input type="Type" name="Name" value="Value" id="Name"/> (id equals name so
%% ?LABEL can reference it).
-define(INPUTID(Type, Name, Value),
	?XA(<<"input">>,
	    [{<<"type">>, Type}, {<<"name">>, Name},
	     {<<"value">>, Value}, {<<"id">>, Name}])).
%% <label for="ID">Els</label>
-define(LABEL(ID, Els),
	?XAE(<<"label">>, [{<<"for">>, ID}], Els)).
%% HTTP handler for the OAuth authorization endpoint (.../authorization_token).
%% GET renders the login/consent form; POST runs the password grant through
%% the oauth2 library and answers with a 302 to the client's redirect_uri;
%% anything else is a 404.
process(_Handlers,
	#request{method = 'GET', q = Q, lang = Lang,
		 path = [_, <<"authorization_token">>]}) ->
    %% Query parameters from the client, all echoed back into hidden inputs
    %% so the POST carries them; missing ones default to the empty binary.
    ResponseType = proplists:get_value(<<"response_type">>, Q, <<"">>),
    ClientId = proplists:get_value(<<"client_id">>, Q, <<"">>),
    RedirectURI = proplists:get_value(<<"redirect_uri">>, Q, <<"">>),
    Scope = proplists:get_value(<<"scope">>, Q, <<"">>),
    State = proplists:get_value(<<"state">>, Q, <<"">>),
    Form =
	?XAE(<<"form">>,
	     [{<<"action">>, <<"authorization_token">>},
	      {<<"method">>, <<"post">>}],
	     [?LABEL(<<"username">>, [?CT(<<"User">>), ?C(<<": ">>)]),
	      ?INPUTID(<<"text">>, <<"username">>, <<"">>),
	      ?BR,
	      ?LABEL(<<"server">>, [?CT(<<"Server">>), ?C(<<": ">>)]),
	      ?INPUTID(<<"text">>, <<"server">>, <<"">>),
	      ?BR,
	      ?LABEL(<<"password">>, [?CT(<<"Password">>), ?C(<<": ">>)]),
	      ?INPUTID(<<"password">>, <<"password">>, <<"">>),
	      ?INPUT(<<"hidden">>, <<"response_type">>, ResponseType),
	      ?INPUT(<<"hidden">>, <<"client_id">>, ClientId),
	      ?INPUT(<<"hidden">>, <<"redirect_uri">>, RedirectURI),
	      ?INPUT(<<"hidden">>, <<"scope">>, Scope),
	      ?INPUT(<<"hidden">>, <<"state">>, State),
	      ?BR,
	      %% Token lifetime picker. The configured default is preselected;
	      %% the POST handler accepts any integer `ttl', not only these.
	      ?LABEL(<<"ttl">>, [?CT(<<"Token TTL">>), ?CT(<<": ">>)]),
	      ?XAE(<<"select">>, [{<<"name">>, <<"ttl">>}],
		   [
		    ?XAC(<<"option">>, [{<<"selected">>, <<"selected">>},
					{<<"value">>, jlib:integer_to_binary(expire())}],<<"Default (", (integer_to_binary(expire()))/binary, " seconds)">>),
		    ?XAC(<<"option">>, [{<<"value">>, <<"3600">>}],<<"1 Hour">>),
		    ?XAC(<<"option">>, [{<<"value">>, <<"86400">>}],<<"1 Day">>),
		    ?XAC(<<"option">>, [{<<"value">>, <<"2592000">>}],<<"1 Month">>),
		    ?XAC(<<"option">>, [{<<"value">>, <<"31536000">>}],<<"1 Year">>),
		    ?XAC(<<"option">>, [{<<"value">>, <<"315360000">>}],<<"10 Years">>)]),
	      ?BR,
	      ?INPUTT(<<"submit">>, <<"">>, <<"Accept">>)
	     ]),
    Top =
	?DIV(<<"section">>,
	     [?DIV(<<"block">>,
		   [?A(<<"https://www.ejabberd.im">>,
		       [?XA(<<"img">>,
			    [{<<"height">>, <<"32">>},
			     {<<"src">>, logo()}])]
		      )])]),
    %% The consent text shows the client-supplied client_id and scope verbatim.
    Middle =
	?DIV(<<"white section">>,
	     [?DIV(<<"block">>,
		   [?XC(<<"h1">>, <<"Authorization request">>),
		    ?XE(<<"p">>,
			[?C(<<"Application ">>),
			 ?XC(<<"em">>, ClientId),
			 ?C(<<" wants to access scope ">>),
			 ?XC(<<"em">>, Scope)]),
		    Form
		   ])]),
    Bottom =
	?DIV(<<"section">>,
	     [?DIV(<<"block">>,
		   [?XAC(<<"a">>,
			 [{<<"href">>, <<"https://www.ejabberd.im">>},
			  {<<"title">>, <<"ejabberd XMPP server">>}],
			 <<"ejabberd">>),
		    %% NOTE(review): a list here where every sibling passes a
		    %% binary to ?C — harmless if the serializer accepts chardata,
		    %% but inconsistent with the rest of the page.
		    ?C(" is maintained by "),
		    ?XAC(<<"a">>,
			 [{<<"href">>, <<"https://www.process-one.net">>},
			  {<<"title">>, <<"ProcessOne - Leader in Instant Messaging and Push Solutions">>}],
			 <<"ProcessOne">>)
		   ])]),
    Body = ?DIV(<<"container">>, [Top, Middle, Bottom]),
    ejabberd_web:make_xhtml(web_head(), [Body]);
process(_Handlers,
	#request{method = 'POST', q = Q, lang = _Lang,
		 path = [_, <<"authorization_token">>]}) ->
    %% Form fields; every one is untrusted input from the POST body.
    _ResponseType = proplists:get_value(<<"response_type">>, Q, <<"">>),
    ClientId = proplists:get_value(<<"client_id">>, Q, <<"">>),
    RedirectURI = proplists:get_value(<<"redirect_uri">>, Q, <<"">>),
    SScope = proplists:get_value(<<"scope">>, Q, <<"">>),
    Username = proplists:get_value(<<"username">>, Q, <<"">>),
    Server = proplists:get_value(<<"server">>, Q, <<"">>),
    Password = proplists:get_value(<<"password">>, Q, <<"">>),
    State = proplists:get_value(<<"state">>, Q, <<"">>),
    %% Space-separated scope string -> list of scope binaries.
    Scope = str:tokens(SScope, <<" ">>),
    %% Optional per-request lifetime. An empty value means "use the oauth2
    %% library default"; otherwise it is converted to an absolute expiry.
    %% No upper bound is applied here, and a non-numeric value makes
    %% jlib:binary_to_integer/1 raise — presumably surfacing as an HTTP
    %% error from ejabberd_http; confirm.
    TTL = proplists:get_value(<<"ttl">>, Q, <<"">>),
    ExpiresIn = case TTL of
		    <<>> -> undefined;
		    _ -> seconds_since_epoch(jlib:binary_to_integer(TTL))
		end,
    %% Password grant: ends up in authenticate_user/2 (ACL + password check)
    %% and verify_resowner_scope/3 (scope check) via the oauth2 backend
    %% callbacks of this module.
    case oauth2:authorize_password({Username, Server},
				   ClientId,
				   RedirectURI,
				   Scope,
				   {password, Password}) of
	{ok, {_AppContext, Authorization}} ->
	    %% The per-request expiry travels in the app context; see
	    %% associate_access_token/3 for why.
	    {ok, {_AppContext2, Response}} =
		oauth2:issue_token(Authorization, [{expiry_time, ExpiresIn} || ExpiresIn /= undefined ]),
	    {ok, AccessToken} = oauth2_response:access_token(Response),
	    {ok, Type} = oauth2_response:token_type(Response),
	    %% Ugly: workaround to return the correct expiry time, given that
	    %% the oauth2 lib doesn't really have a per-case expiry time.
	    Expires = case ExpiresIn of
			  undefined ->
			      {ok, Ex} = oauth2_response:expires_in(Response),
			      Ex;
			  _ ->
			      ExpiresIn
		      end,
	    {ok, VerifiedScope} = oauth2_response:scope(Response),
	    %% Redirect back to the client-supplied redirect_uri (accepted
	    %% unconditionally by verify_redirection_uri/3) with the token in
	    %% the query string. NOTE(review): none of the interpolated values
	    %% (RedirectURI, scope, State) are URL-encoded, and RFC 6749 §4.2.2
	    %% places implicit-grant parameters in the fragment, not the query;
	    %% both are left as-is here since clients may depend on the format.
	    {302, [{<<"Location">>,
		    <<RedirectURI/binary,
		      "?access_token=", AccessToken/binary,
		      "&token_type=", Type/binary,
		      "&expires_in=", (integer_to_binary(Expires))/binary,
		      "&scope=", (str:join(VerifiedScope, <<" ">>))/binary,
		      "&state=", State/binary>>
		   }],
	     ejabberd_web:make_xhtml([?XC(<<"h1">>, <<"302 Found">>)])};
	%% Backend errors are atoms (badpass, badscope, ...). A non-atom error
	%% term is not matched and would crash the request with case_clause.
	{error, Error} when is_atom(Error) ->
	    {302, [{<<"Location">>,
		    <<RedirectURI/binary,
		      "?error=", (atom_to_binary(Error, utf8))/binary,
		      "&state=", State/binary>>
		   }],
	     ejabberd_web:make_xhtml([?XC(<<"h1">>, <<"302 Found">>)])}
    end;
process(_Handlers, _Request) ->
    ejabberd_web:error(not_found).
%% <head> contents for the authorization page: IE compatibility and viewport
%% meta tags, the page title and the inline stylesheet from css/0.
web_head() ->
    Compat = ?XA(<<"meta">>, [{<<"http-equiv">>, <<"X-UA-Compatible">>},
                              {<<"content">>, <<"IE=edge">>}]),
    Viewport = ?XA(<<"meta">>, [{<<"name">>, <<"viewport">>},
                                {<<"content">>,
                                 <<"width=device-width, initial-scale=1">>}]),
    Title = ?XC(<<"title">>, <<"Authorization request">>),
    Style = ?XC(<<"style">>, css()),
    [Compat, Viewport, Title, Style].
%% Inline stylesheet for the authorization page, returned as one binary and
%% embedded by web_head/0. Static content: no request data is interpolated.
css() ->
<<"
body {
margin: 0;
padding: 0;
font-family: sans-serif;
color: #fff;
}
h1 {
font-size: 3em;
color: #444;
}
p {
line-height: 1.5em;
color: #888;
}
a {
color: #fff;
}
a:hover,
a:active {
text-decoration: underline;
}
em {
display: inline-block;
padding: 0 5px;
background: #f4f4f4;
border-radius: 5px;
font-style: normal;
font-weight: bold;
color: #444;
}
form {
color: #444;
}
label {
display: block;
font-weight: bold;
}
input[type=text],
input[type=password] {
margin-bottom: 1em;
padding: 0.4em;
max-width: 330px;
width: 100%;
border: 1px solid #c4c4c4;
border-radius: 5px;
outline: 0;
font-size: 1.2em;
}
input[type=text]:focus,
input[type=password]:focus,
input[type=text]:active,
input[type=password]:active {
border-color: #41AFCA;
}
input[type=submit] {
font-size: 1em;
}
.container {
position: absolute;
top: 0;
left: 0;
right: 0;
bottom: 0;
background: #424A55;
background-image: -webkit-linear-gradient(270deg, rgba(48,52,62,0) 24%, #30353e 100%);
background-image: linear-gradient(-180deg, rgba(48,52,62,0) 24%, #30353e 100%);
}
.section {
padding: 3em;
}
.white.section {
background: #fff;
border-bottom: 4px solid #41AFCA;
}
.white.section a {
text-decoration: none;
color: #41AFCA;
}
.white.section a:hover,
.white.section a:active {
text-decoration: underline;
}
.container > .section {
background: #424A55;
}
.block {
margin: 0 auto;
max-width: 900px;
width: 100%;
}
">>.
logo() ->
<<"
%% Config option validators for this module. opt_type(Name) returns the
%% validator fun for a known option (`oauth_expire' must be a non-negative
%% integer; `oauth_access' is an access rule); any other argument yields the
%% list of option names this module defines.
opt_type(oauth_expire) ->
    NonNegInt = fun(I) when is_integer(I), I >= 0 -> I end,
    NonNegInt;
opt_type(oauth_access) ->
    AccessRule = fun acl:access_rules_validator/1,
    AccessRule;
opt_type(_Other) ->
    [oauth_expire, oauth_access].