SSOwat/access.lua

421 lines
11 KiB
Lua
Raw Normal View History

2013-10-15 13:58:16 +02:00
--
2013-10-15 10:11:39 +02:00
-- Load configuration
2013-10-15 13:58:16 +02:00
--
2013-10-16 11:27:18 +02:00
cookies = {}
local conf_file = assert(io.open(conf_path, "r"), "Configuration file is missing")
2013-10-15 13:58:16 +02:00
local conf = json.decode(conf_file:read("*all"))
2013-10-15 10:11:39 +02:00
local portal_url = conf["portal_scheme"].."://"..
2013-10-16 15:54:58 +02:00
conf["portal_domain"]..
2013-10-15 10:11:39 +02:00
conf["portal_path"]
2013-10-16 15:54:58 +02:00
table.insert(conf["skipped_urls"], conf["portal_domain"]..conf["portal_path"])
2013-10-15 10:11:39 +02:00
-- Dummy intructions
2013-10-16 11:57:53 +02:00
ngx.header["X-SSO-WAT"] = "You've just been SSOed"
2013-10-15 10:11:39 +02:00
2013-10-20 16:38:49 +02:00
2013-10-15 13:58:16 +02:00
--
-- Useful functions
--
2013-10-20 16:38:49 +02:00
function read_file(file)
local f = io.open(file, "rb")
2013-10-20 17:24:44 +02:00
if not f then return false end
2013-10-20 16:38:49 +02:00
local content = f:read("*all")
f:close()
return content
end
2013-10-16 11:27:18 +02:00
function is_in_table (t, v)
for key, value in ipairs(t) do
if value == v then return key end
end
end
2013-10-15 10:11:39 +02:00
function string.starts (String, Start)
return string.sub(String, 1, string.len(Start)) == Start
end
2013-10-15 13:58:16 +02:00
function string.ends (String, End)
return End=='' or string.sub(String, -string.len(End)) == End
end
2013-10-16 11:27:18 +02:00
function cook (cookie_str)
table.insert(cookies, cookie_str)
end
function set_auth_cookie (user, domain)
2013-10-15 10:11:39 +02:00
local maxAge = 60 * 60 * 24 * 7 -- 1 week
local expire = ngx.req.start_time() + maxAge
2013-10-16 20:37:12 +02:00
local hash = ngx.md5(srvkey..
2013-10-15 10:11:39 +02:00
"|" ..ngx.var.remote_addr..
"|"..user..
"|"..expire)
2013-10-16 11:27:18 +02:00
local cookie_str = "; Domain=."..domain..
2013-10-15 13:58:16 +02:00
"; Path=/"..
2013-10-15 10:11:39 +02:00
"; Max-Age="..maxAge
2013-10-16 16:20:51 +02:00
cook("SSOwAuthUser="..user..cookie_str)
cook("SSOwAuthHash="..hash..cookie_str)
cook("SSOwAuthExpire="..expire..cookie_str)
2013-10-15 10:11:39 +02:00
end
2013-10-15 13:58:16 +02:00
function set_redirect_cookie (redirect_url)
2013-10-16 11:27:18 +02:00
cook(
2013-10-16 16:20:51 +02:00
"SSOwAuthRedirect="..redirect_url..
2013-10-15 13:58:16 +02:00
"; Path="..conf["portal_path"]..
"; Max-Age=3600"
2013-10-16 11:27:18 +02:00
)
2013-10-15 13:58:16 +02:00
end
2013-10-15 10:11:39 +02:00
function delete_cookie ()
2013-10-16 16:20:51 +02:00
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
for _, domain in ipairs(conf["domains"]) do
local cookie_str = "; Domain=."..domain..
"; Path=/"..
"; Max-Age="..expired_time
cook("SSOwAuthUser=;" ..cookie_str)
cook("SSOwAuthHash=;" ..cookie_str)
cook("SSOwAuthExpire=;" ..cookie_str)
end
2013-10-15 13:58:16 +02:00
end
function delete_onetime_cookie ()
2013-10-16 16:20:51 +02:00
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
local cookie_str = "; Path="..conf["portal_path"]..
"; Max-Age="..expired_time
cook("SSOwAuthRedirect=;" ..cookie_str)
2013-10-15 10:11:39 +02:00
end
2013-10-15 13:58:16 +02:00
2013-10-15 10:11:39 +02:00
function check_cookie ()
2013-10-16 11:27:18 +02:00
2013-10-15 10:11:39 +02:00
-- Check if cookie is set
2013-10-16 16:20:51 +02:00
if ngx.var.cookie_SSOwAuthExpire and ngx.var.cookie_SSOwAuthExpire ~= ""
and ngx.var.cookie_SSOwAuthHash and ngx.var.cookie_SSOwAuthHash ~= ""
and ngx.var.cookie_SSOwAuthUser and ngx.var.cookie_SSOwAuthUser ~= ""
2013-10-15 10:11:39 +02:00
then
2013-10-16 16:20:51 +02:00
-- Check expire time
if (ngx.req.start_time() <= tonumber(ngx.var.cookie_SSOwAuthExpire)) then
-- Check hash
2013-10-16 20:37:12 +02:00
local hash = ngx.md5(srvkey..
2013-10-16 16:20:51 +02:00
"|"..ngx.var.remote_addr..
"|"..ngx.var.cookie_SSOwAuthUser..
"|"..ngx.var.cookie_SSOwAuthExpire)
return hash == ngx.var.cookie_SSOwAuthHash
end
2013-10-15 10:11:39 +02:00
end
2013-10-16 16:20:51 +02:00
return false
2013-10-15 10:11:39 +02:00
end
function authenticate (user, password)
2013-10-16 11:27:18 +02:00
connected = lualdap.open_simple (
2013-10-15 10:11:39 +02:00
"localhost",
2013-10-15 13:58:16 +02:00
"uid=".. user ..",ou=users,dc=yunohost,dc=org",
password
2013-10-15 10:11:39 +02:00
)
2013-10-16 11:27:18 +02:00
if connected and not cache[user] then
cache[user] = { password=password }
end
return connected
2013-10-15 10:11:39 +02:00
end
function set_headers (user)
2013-10-16 11:27:18 +02:00
if not cache[user]["uid"] then
ldap = lualdap.open_simple("localhost")
for dn, attribs in ldap:search {
base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",
scope = "base",
sizelimit = 1,
2013-10-16 16:47:48 +02:00
attrs = {"uid", "givenName", "sn", "cn", "homeDirectory", "mail"}
2013-10-16 11:27:18 +02:00
} do
for k,v in pairs(attribs) do cache[user][k] = v end
2013-10-15 10:11:39 +02:00
end
end
2013-10-16 11:27:18 +02:00
2013-10-16 18:16:41 +02:00
-- Set HTTP Auth header
2013-10-16 17:30:08 +02:00
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
cache[user]["uid"]..":"..cache[user]["password"]
))
2013-10-16 18:16:41 +02:00
-- Set Additional headers
for k, v in pairs(conf["additional_headers"]) do
ngx.req.set_header(k, cache[user][v])
end
2013-10-15 10:11:39 +02:00
end
2013-10-20 16:38:49 +02:00
-- Yo dawg
function serve(uri)
rel_path = string.gsub(uri, conf["portal_path"], "/")
2013-10-15 10:11:39 +02:00
2013-10-20 16:38:49 +02:00
-- Load login.html as index
if rel_path == "/" then
rel_path = "/login.html"
2013-10-15 10:11:39 +02:00
end
2013-10-16 23:53:14 +02:00
2013-10-20 18:45:10 +02:00
-- Access to directory root: forbidden
if string.ends(rel_path, "/") then
return ngx.exit(403)
end
-- Try to get file content
2013-10-20 18:25:24 +02:00
content = read_file(script_path.."portal"..rel_path)
2013-10-20 16:38:49 +02:00
if not content then
2013-10-20 18:25:24 +02:00
return ngx.exit(ngx.HTTP_NOT_FOUND)
2013-10-17 00:12:14 +02:00
end
2013-10-20 16:38:49 +02:00
-- Extract file extension
2013-10-20 17:24:44 +02:00
_, file, ext = string.match(rel_path, "(.-)([^\\/]-%.?([^%.\\/]*))$")
2013-10-20 16:38:49 +02:00
-- Associate to MIME type
mime_types = {
html = "text/html",
js = "text/javascript",
css = "text/css",
gif = "image/gif",
jpg = "image/jpeg",
png = "image/png",
svg = "image/svg+xml",
ico = "image/vnd.microsoft.icon",
}
-- Set Content-Type
if mime_types[ext] then
ngx.header["Content-Type"] = mime_types[ext]
else
ngx.header["Content-Type"] = "text/plain"
end
-- Render as mustache
if ext == "html" then
data = get_data_for(file)
content = string.gsub(hige.render(content, data), "</html>(%d+)", "</html>")
end
2013-10-16 23:53:14 +02:00
ngx.header["Cache-Control"] = "no-cache"
2013-10-20 16:38:49 +02:00
ngx.say(content)
2013-10-20 18:25:24 +02:00
return ngx.exit(ngx.HTTP_OK)
2013-10-20 16:38:49 +02:00
end
function get_data_for(view)
if view == "login.html" then
2013-10-20 18:25:24 +02:00
return { title = "YunoHost Login" }
2013-10-20 16:38:49 +02:00
end
2013-10-15 10:11:39 +02:00
end
function do_login ()
ngx.req.read_body()
local args = ngx.req.get_post_args()
2013-10-16 19:01:17 +02:00
local uri_args = ngx.req.get_uri_args()
2013-10-15 10:11:39 +02:00
2013-10-20 16:38:49 +02:00
if authenticate(args.user, args.password) then
2013-10-16 11:27:18 +02:00
ngx.status = ngx.HTTP_CREATED
2013-10-20 16:38:49 +02:00
local redirect_url = ngx.var.cookie_SSOwAuthRedirect
if uri_args.r then
redirect_url = ngx.decode_base64(uri_args.r)
end
if not redirect_url then redirect_url = portal_url end
login[args.user] = {}
login[args.user]["redirect_url"] = redirect_url
login[args.user]["domains"] = {}
for _, value in ipairs(conf["domains"]) do
table.insert(login[args.user]["domains"], value)
2013-10-15 10:11:39 +02:00
end
2013-10-20 16:38:49 +02:00
-- Connect to the first domain (self)
return redirect(ngx.var.scheme.."://"..ngx.var.http_host.."/?ssologin="..args.user)
else
ngx.status = ngx.HTTP_UNAUTHORIZED
return redirect(portal_url)
2013-10-15 10:11:39 +02:00
end
2013-10-20 16:38:49 +02:00
end
function do_logout()
local args = ngx.req.get_uri_args()
ngx.req.set_header("Cache-Control", "no-cache")
if check_cookie() then
local redirect_url = portal_url
if args.r then
redirect_url = ngx.decode_base64(args.r)
end
local user = ngx.var.cookie_SSOwAuthUser
logout[user] = {}
logout[user]["redirect_url"] = redirect_url
logout[user]["domains"] = {}
for _, value in ipairs(conf["domains"]) do
table.insert(logout[user]["domains"], value)
end
return redirect(ngx.var.scheme.."://"..ngx.var.http_host.."/?ssologout="..user)
end
2013-10-16 11:27:18 +02:00
end
2013-10-16 23:53:14 +02:00
function login_walkthrough (user)
-- Set Authentication cookies
set_auth_cookie(user, ngx.var.host)
-- Remove domain from login table
domain_key = is_in_table(login[user]["domains"], ngx.var.host)
table.remove(login[user]["domains"], domain_key)
if table.getn(login[user]["domains"]) == 0 then
-- All the redirections has been made
local redirect_url = login[user]["redirect_url"]
login[user] = nil
2013-10-17 19:28:23 +02:00
return redirect(redirect_url)
2013-10-16 23:53:14 +02:00
else
-- Redirect to the next domain
for _, domain in ipairs(login[user]["domains"]) do
return redirect(ngx.var.scheme.."://"..domain.."/?ssologin="..user)
end
end
end
function logout_walkthrough (user)
-- Expire Authentication cookies
delete_cookie()
-- Remove domain from logout table
domain_key = is_in_table(logout[user]["domains"], ngx.var.host)
table.remove(logout[user]["domains"], domain_key)
if table.getn(logout[user]["domains"]) == 0 then
-- All the redirections has been made
local redirect_url = logout[user]["redirect_url"]
logout[user] = nil
2013-10-17 19:28:23 +02:00
return redirect(redirect_url)
2013-10-16 23:53:14 +02:00
else
-- Redirect to the next domain
for _, domain in ipairs(logout[user]["domains"]) do
return redirect(ngx.var.scheme.."://"..domain.."/?ssologout="..user)
end
end
end
2013-10-16 11:27:18 +02:00
function redirect (url)
ngx.header["Set-Cookie"] = cookies
2013-10-16 17:30:08 +02:00
return ngx.redirect(url)
2013-10-15 10:11:39 +02:00
end
2013-10-15 13:58:16 +02:00
function pass ()
delete_onetime_cookie()
2013-10-16 17:30:08 +02:00
ngx.req.set_header("Set-Cookie", cookies)
2013-10-15 13:58:16 +02:00
return
end
2013-10-20 17:24:44 +02:00
--------------------------------------------------
-- Routing
--
-- Logging in/out
-- i.e. http://mydomain.org/?ssologin=myuser
if ngx.var.request_method == "GET" then
local args = ngx.req.get_uri_args()
-- In login loop
local user = args.ssologin
if user and login[user] then
return login_walkthrough(user)
end
-- In logout loop
user = args.ssologout
if user and logout[user] then
return logout_walkthrough(user)
end
end
-- Portal
-- i.e. http://mydomain.org/ssowat/*
if ngx.var.host == conf["portal_domain"]
and string.starts(ngx.var.uri, conf["portal_path"])
then
if ngx.var.request_method == "GET" then
uri_args = ngx.req.get_uri_args()
if uri_args.action and uri_args.action == 'logout' then
-- Logout
return do_logout()
2013-10-20 18:25:24 +02:00
elseif check_cookie()
or ngx.var.uri == conf["portal_path"]
or string.starts(ngx.var.uri, conf["portal_path"].."assets")
then
2013-10-20 17:24:44 +02:00
-- Serve normal portal
return serve(ngx.var.uri)
else
-- Redirect to portal
return redirect(portal_url)
end
elseif ngx.var.request_method == "POST" then
if string.starts(ngx.var.http_referer, portal_url) then
-- CSRF protection
return do_login()
else
-- Redirect to portal
return redirect(portal_url)
end
end
end
-- Skipped urls
-- i.e. http://mydomain.org/no_protection/
for _, url in ipairs(conf["skipped_urls"]) do
if string.starts(ngx.var.host..ngx.var.uri, url) then
return pass()
end
end
-- Unprotected urls
-- i.e. http://mydomain.org/no_protection+headers/
for _, url in ipairs(conf["unprotected_urls"]) do
if string.starts(ngx.var.host..ngx.var.uri, url) then
if check_cookie() then
set_headers(ngx.var.cookie_SSOwAuthUser)
end
return pass()
end
end
-- Cookie validation
--
if check_cookie() then
set_headers(ngx.var.cookie_SSOwAuthUser)
return pass
else
delete_cookie()
end
-- Login with HTTP Auth if credentials are brought
--
local auth_header = ngx.req.get_headers()["Authorization"]
if auth_header then
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
if authenticate(user, password) then
set_headers(user)
return pass()
end
end
-- Else redirect to portal
--
local back_url = ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))