Move auth config spec to auth backend modules

This way it will be easier to introduce defaults and reuse code.
esl · Dec 8, 2021 · e0877c0 · e0877c0
1 parent c138fdc
commit e0877c0
Show file tree

Hide file tree

Showing 11 changed files with 199 additions and 167 deletions.
diff --git a/src/auth/ejabberd_auth.erl b/src/auth/ejabberd_auth.erl
@@ -46,7 +46,8 @@
          does_method_support/2,
          remove_user/1,
          supports_sasl_module/2,
-         entropy/1
+         entropy/1,
+         config_spec/1
         ]).
 
 -export([check_digest/4]).
@@ -389,6 +390,10 @@ entropy(IOList) ->
             length(InputList) * math:log(lists:sum(Set))/math:log(2)
     end.
 
+-spec config_spec(atom()) -> mongoose_config_spec:config_section().
+config_spec(Method) ->
+    mongoose_gen_auth:config_spec(auth_method_to_module(Method)).
+
 %%%----------------------------------------------------------------------
 %%% Internal functions
 %%%----------------------------------------------------------------------

diff --git a/src/auth/ejabberd_auth_anonymous.erl b/src/auth/ejabberd_auth_anonymous.erl
@@ -28,6 +28,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          register_connection/5,
          unregister_connection/5,
          session_cleanup/5
@@ -56,6 +57,8 @@
 -include("mongoose.hrl").
 -include("jlib.hrl").
 -include("session.hrl").
+-include("mongoose_config_spec.hrl").
+
 -record(anonymous, {us  :: jid:simple_bare_jid(),
                     sid :: ejabberd_sm:sid()
                    }).
@@ -82,6 +85,16 @@ stop(HostType) ->
     ejabberd_hooks:delete(session_cleanup, HostType, ?MODULE, session_cleanup, 50),
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"allow_multiple_connections">> => #option{type = boolean},
+                 <<"protocol">> => #option{type = atom,
+                                           validate = {enum, [sasl_anon, login_anon, both]}}
+                },
+       format_items = map
+      }.
+
 %% @doc Return true if multiple connections have been allowed in the config file
 %% defaults to false
 -spec allow_multiple_connections(mongooseim:host_type()) -> boolean().

diff --git a/src/auth/ejabberd_auth_dummy.erl b/src/auth/ejabberd_auth_dummy.erl
@@ -3,6 +3,7 @@
 %% API
 -export([start/1,
          stop/1,
+         config_spec/0,
          check_password/4,
          check_password/6,
          authorize/1,
@@ -24,6 +25,7 @@
 -ignore_xref([scram_passwords/0]).
 
 -include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 
 %%%----------------------------------------------------------------------
 %%% API
@@ -37,6 +39,16 @@ start(_HostType) ->
 stop(_HostType) ->
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"base_time">> => #option{type = integer,
+                                            validate = non_negative},
+                 <<"variance">> => #option{type = integer,
+                                           validate = positive}},
+       format_items = map
+      }.
+
 authorize(Creds) ->
     HostType = mongoose_credentials:host_type(Creds),
     Opts = mongoose_config:get_opt([{auth, HostType}, dummy], #{}),

diff --git a/src/auth/ejabberd_auth_external.erl b/src/auth/ejabberd_auth_external.erl
@@ -31,6 +31,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          set_password/4,
          authorize/1,
          try_register/4,
@@ -49,6 +50,7 @@
          check_password/6]).
 
 -include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 
 %%%----------------------------------------------------------------------
 %%% API
@@ -65,9 +67,21 @@ start(HostType) ->
             ok
     end.
 
+-spec stop(mongooseim:host_type()) -> ok.
 stop(HostType) ->
     extauth:stop(HostType).
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"instances">> => #option{type = integer,
+                                            validate = positive},
+                 <<"program">> => #option{type = string,
+                                          validate = non_empty}
+                },
+       required = [<<"program">>],
+       format_items = map
+      }.
 
 -spec check_cache_last_options(mongooseim:host_type()) -> 'cache' | 'no_cache'.
 check_cache_last_options(HostType) ->

diff --git a/src/auth/ejabberd_auth_http.erl b/src/auth/ejabberd_auth_http.erl
@@ -13,6 +13,7 @@
 %% External exports
 -export([start/1,
          stop/1,
+         config_spec/0,
          supports_sasl_module/2,
          set_password/4,
          authorize/1,
@@ -28,7 +29,7 @@
          check_password/6]).
 
 -include("mongoose.hrl").
--include("scram.hrl").
+-include("mongoose_config_spec.hrl").
 
 -type http_error_atom() :: conflict | not_found | not_authorized | not_allowed.
 -type params() :: #{luser := jid:luser(),
@@ -48,6 +49,13 @@ start(_HostType) ->
 stop(_HostType) ->
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"basic_auth">> => #option{type = string}},
+       format_items = map
+      }.
+
 -spec supports_sasl_module(mongooseim:host_type(), cyrsasl:sasl_module()) -> boolean().
 supports_sasl_module(_HostType, cyrsasl_plain) -> true;
 supports_sasl_module(HostType, cyrsasl_digest) ->  not mongoose_scram:enabled(HostType);

diff --git a/src/auth/ejabberd_auth_jwt.erl b/src/auth/ejabberd_auth_jwt.erl
@@ -31,6 +31,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          authorize/1,
          check_password/4,
          check_password/6,
@@ -39,8 +40,11 @@
          supported_features/0
         ]).
 
+%% Config spec callbacks
+-export([process_jwt_secret/1]).
 
 -include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 
 %%%----------------------------------------------------------------------
 %%% API
@@ -57,6 +61,31 @@ stop(_HostType) ->
     persistent_term:erase(jwt_secret),
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"secret">> => jwt_secret_config_spec(),
+                 <<"algorithm">> => #option{type = binary,
+                                            validate = {enum, algorithms()}},
+                 <<"username_key">> => #option{type = atom,
+                                               validate = non_empty}
+                },
+       required = all,
+       format_items = map
+      }.
+
+jwt_secret_config_spec() ->
+    #section{
+       items = #{<<"file">> => #option{type = string,
+                                       validate = non_empty},
+                 <<"env">> => #option{type = string,
+                                      validate = non_empty},
+                 <<"value">> => #option{type = string}},
+       process = fun ?MODULE:process_jwt_secret/1
+      }.
+
+process_jwt_secret([V]) -> V.
+
 -spec supports_sasl_module(binary(), cyrsasl:sasl_module()) -> boolean().
 supports_sasl_module(_, Module) -> Module =:= cyrsasl_plain.
 
@@ -143,3 +172,8 @@ get_jwt_secret(HostType) ->
             {ok, JWTSecret} = file:read_file(Path),
             JWTSecret
     end.
+
+algorithms() ->
+    [<<"HS256">>, <<"RS256">>, <<"ES256">>,
+     <<"HS386">>, <<"RS386">>, <<"ES386">>,
+     <<"HS512">>, <<"RS512">>, <<"ES512">>].
diff --git a/src/auth/ejabberd_auth_ldap.erl b/src/auth/ejabberd_auth_ldap.erl
@@ -36,6 +36,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          start_link/1,
          set_password/4,
          authorize/1,
@@ -48,13 +49,17 @@
          supported_features/0
         ]).
 
+%% Config spec callbacks
+-export([process_ldap_dn_filter/1,
+         process_ldap_local_filter/1]).
+
 %% Internal
 -export([check_password/4,
          check_password/6]).
 
 -ignore_xref([start_link/1]).
 
--include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 -include("eldap.hrl").
 
 -record(state,
@@ -99,6 +104,57 @@ stop(HostType) ->
     ejabberd_sup:stop_child(Proc),
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"pool_tag">> => #option{type = atom,
+                                           validate = non_empty},
+                 <<"bind_pool_tag">> => #option{type = atom,
+                                                validate = non_empty},
+                 <<"base">> => #option{type = binary},
+                 <<"uids">> => #list{items = mongoose_config_spec:ldap_uids()},
+                 <<"filter">> => #option{type = binary,
+                                         validate = ldap_filter},
+                 <<"dn_filter">> => ldap_dn_filter(),
+                 <<"local_filter">> => ldap_local_filter(),
+                 <<"deref">> => #option{type = atom,
+                                        validate = {enum, [never, always, finding, searching]}}
+                },
+       format_items = map
+      }.
+
+ldap_dn_filter() ->
+    #section{
+       items = #{<<"filter">> => #option{type = binary,
+                                         validate = ldap_filter},
+                 <<"attributes">> => #list{items = #option{type = binary}}
+                },
+       required = [<<"filter">>],
+       defaults = #{<<"attributes">> => []},
+       process = fun ?MODULE:process_ldap_dn_filter/1,
+       format_items = map
+      }.
+
+ldap_local_filter() ->
+    #section{
+       items = #{<<"operation">> => #option{type = atom,
+                                            validate = {enum, [equal, notequal]}},
+                 <<"attribute">> => #option{type = string,
+                                            validate = non_empty},
+                 <<"values">> => #list{items = #option{type = string},
+                                       validate = non_empty}
+                },
+       required = all,
+       process = fun ?MODULE:process_ldap_local_filter/1,
+       format_items = map
+      }.
+
+process_ldap_dn_filter(#{filter := Filter, attributes := Attrs}) ->
+    {Filter, Attrs}.
+
+process_ldap_local_filter(#{operation := Op, attribute := Attr, values := Values}) ->
+    {Op, {Attr, Values}}.
+
 -spec start_link(HostType :: mongooseim:host_type()) -> {ok, pid()} | {error, any()}.
 start_link(HostType) ->
     Proc = gen_mod:get_module_proc(HostType, ?MODULE),

diff --git a/src/auth/ejabberd_auth_rdbms.erl b/src/auth/ejabberd_auth_rdbms.erl
@@ -31,6 +31,7 @@
 
 -export([start/1,
          stop/1,
+         config_spec/0,
          authorize/1,
          set_password/4,
          try_register/4,
@@ -56,7 +57,7 @@
 -import(mongoose_rdbms, [prepare/4, execute_successfully/3]).
 
 -include("mongoose.hrl").
--include("scram.hrl").
+-include("mongoose_config_spec.hrl").
 
 -define(DEFAULT_SCRAMMIFY_COUNT, 10000).
 -define(DEFAULT_SCRAMMIFY_INTERVAL, 1000).
@@ -74,13 +75,22 @@
 %%% API
 %%%----------------------------------------------------------------------
 
+-spec start(moongooseim:host_type()) -> ok.
 start(HostType) ->
     prepare_queries(HostType),
     ok.
 
+-spec stop(moongooseim:host_type()) -> ok.
 stop(_HostType) ->
     ok.
 
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"users_number_estimate">> => #option{type = boolean}},
+       format_items = map
+      }.
+
 -spec supports_sasl_module(mongooseim:host_type(), cyrsasl:sasl_module()) -> boolean().
 supports_sasl_module(_HostType, cyrsasl_plain) -> true;
 supports_sasl_module(HostType, cyrsasl_digest) -> not mongoose_scram:enabled(HostType);

diff --git a/src/auth/ejabberd_auth_riak.erl b/src/auth/ejabberd_auth_riak.erl
@@ -18,11 +18,13 @@
 -behaviour(mongoose_gen_auth).
 
 -include("mongoose.hrl").
+-include("mongoose_config_spec.hrl").
 -include("scram.hrl").
 
 %% API
 -export([start/1,
          stop/1,
+         config_spec/0,
          supports_sasl_module/2,
          supported_features/0,
          set_password/4,
@@ -46,7 +48,15 @@ start(_HostType) ->
 
 -spec stop(mongooseim:host_type()) -> ok.
 stop(_HostType) ->
-ok.
+    ok.
+
+-spec config_spec() -> mongoose_config_spec:config_section().
+config_spec() ->
+    #section{
+       items = #{<<"bucket_type">> => #option{type = binary,
+                                              validate = non_empty}},
+       format_items = map
+      }.
 
 -spec supports_sasl_module(mongooseim:host_type(), cyrsasl:sasl_module()) -> boolean().
 supports_sasl_module(_HostType, cyrsasl_plain) -> true;