Add config file handling

This commit is contained in:
Mike Barnes 2025-01-22 10:42:40 +11:00
parent 413a6cad83
commit ce4891af79
4 changed files with 42 additions and 15 deletions

3
.gitignore vendored
View file

@ -1 +1,4 @@
.vscode/*
.venv
log/*
auth-mastodon.ini

View file

@ -8,11 +8,14 @@ It is used on [Chinwag Social](https://social.chinwag.org) to provide XMPP messa
Discussion, questions and/or just saying hi in the [Chinwag Social Beergarden](xmpp:beergarden@rooms.chinwag.org?join) MUC is welcomed!
## Setup
Edit the `auth-mastodon.py` file and add database connection credentials at the top. Moving this to a config file is next on the TODO list, as this makes updates an awful process. Sorry.
Edit the `auth-mastodon.ini.default` file and add database connection credentials, and a location for the log files if desired. Rename it and place it somewhere the ejabberd user can read it.
I recommend not using your main Mastodon database user account for this, and instead granting SELECT privileges on the Mastodon *accounts* and *users* tables to your ejabberd user instead.
I recommend not using your main Mastodon database user account for this, and instead granting SELECT privileges on the Mastodon *accounts* and *users* tables to your ejabberd user instead. The code here does not attempt any modification to the Mastodon tables at any point, so there's no reason to give it more than read-only rights.
The code here does not attempt any modification to the Mastodon tables at any point, so there's no reason to give it more than read-only rights.
The default locaction for the ini file is `/etc/ejabberd/auth-mastodon.ini` and can be changed with a command line option if desired:
```bash
$ auth-mastodon.py -c /usr/local/etc/auth-mastodon.ini
```
Then configure ejabberd to use `auth-mastodon.py` as an external authentication provider, as described in the [ejabberd docs](https://docs.ejabberd.im/admin/configuration/#external-script):
@ -20,9 +23,10 @@ Then configure ejabberd to use `auth-mastodon.py` as an external authentication
auth_method: external
extauth_program: "/path/to/auth-mastodon.py"
```
Startup and shutdown is handled by the ejabberd process, there's no need to handle this separately via systemd or similar. If the process is killed, ejabberd will restart it.
## To Do
1. Move all database and config elements to a simple file to be stored in /etc/ejabberd or similar
2. Verify domain part of request somehow. Maybe define a canonical domain to be used in config? Does this gain us anything at all?
3. Better error handling. Would be good to be more descriptive in the logs, perhaps.
4. Setup documentation is very brief, maybe include how to grant minimal permissions via pgsql.
1. Verify domain part of request somehow. Maybe define a canonical domain to be used in config? Does this gain us anything at all?
2. Better error handling. Would be good to be more descriptive in the logs, perhaps.
3. Setup documentation is very brief, maybe include how to grant minimal permissions via pgsql.
4. Reconnection handling, exiting if a query fails would be a simple way to reload if a DB upgrade occurs but we should check if we're in a restart loop or something.

View file

@ -0,0 +1,9 @@
[database]
db_host = localhost
db_port = 5432
db_user = ejabberd
db_pass =
db_name = mastodon
[log]
log_dir = /var/log/ejabberd/

View file

@ -6,20 +6,30 @@ import struct
import sys
import time
import argparse
import configparser
import bcrypt
import psycopg2
# Get config file location from command line, or default to /etc/ejabberd
config_args = argparse.ArgumentParser()
config_args.add_argument("-c", "--config_file", help="Config file location", type=str, default="/etc/ejabberd/auth-mastodon.ini")
args = config_args.parse_args()
# Load database config from file, this is currently the only configurable item
config_ini = configparser.ConfigParser()
config_ini.read(args.config_file)
# Database connection details. The credentials here need access to the
# Mastodon database, which "ejabberd" is unlikely to have on your system
# by default. You shoud grant SELECT privileges to ejabberd on the
# "accounts" and "users" tables, to play it safe, or include the
# Mastodon DB user credentials here (don't).
db_host = "localhost"
db_port = 5432
db_user = "ejabberd"
db_pass = ""
db_name = "mastodon"
db_host = config_ini.get('database', 'db_host', fallback='localhost')
db_port = config_ini.get('database', 'db_port', fallback=5432)
db_user = config_ini.get('database', 'db_user', fallback='ejabberd')
db_pass = config_ini.get('database', 'db_pass', fallback='')
db_name = config_ini.get('database', 'db_name', fallback='mastodon_production')
# This is the query that pulls the password hash for the given user.
# Mastodon doesn't store the domain for local accounts in the database,
@ -39,11 +49,12 @@ db_query_getpass = """
# Setup
########################################################################
sys.stderr = open('/var/log/ejabberd/extauth_err.log', 'a')
log_dir = config_ini.get('log', 'log_dir', fallback='/var/log/ejabberd')
sys.stderr = open('%s/extauth_err.log' % log_dir, 'a')
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s %(levelname)s %(message)s',
filename='/var/log/ejabberd/extauth.log',
filename='%s/extauth.log' % log_dir,
filemode='a',
)
@ -62,7 +73,7 @@ try:
database.set_session(readonly=True, autocommit=True)
logging.debug(database.get_dsn_parameters())
except Exception:
logging.error("Unable to initialize database, check settings!")
logging.error("Unable to connect to %s as %s, check configuration" % (db_name, db_user))
time.sleep(10)
sys.exit(1)