SSOwat/access.lua

--
-- access.lua
--
-- This file is executed at every request on a protected domain or server.
-- You just have to read this file normally to understand how and when the
-- request is handled: redirected, forbidden, bypassed or served.
--

-- Get the `cache` persistent shared table
local cache = ngx.shared.cache

-- Generate a unique token if it has not been generated yet
srvkey = cache:get("srvkey")
if not srvkey then
    srvkey = random_string()
    cache:add("srvkey", srvkey)
end

-- Initialize and get configuration
local conf = config.get_config()

-- Import helpers
local hlp = require "helpers"

-- Just a note for the client to know that he passed through the SSO
ngx.header["X-SSO-WAT"] = "You've just been SSOed"


--
-- 1. LOGIN
--
-- example: https://mydomain.org/?sso_login=a6e5320f
--
-- If the `sso_login` URI argument is set, try a cross-domain authentication
-- with the token passed as argument
--
if ngx.var.host ~= conf["portal_domain"] and ngx.var.request_method == "GET" then
    uri_args = ngx.req.get_uri_args()
    if uri_args[conf.login_arg] then
        cda_key = uri_args[conf.login_arg]

        -- Use the `cache` shared table where a username is associated with
        -- a CDA key
        user = cache:get(cda_key)
        if user then
            hlp.set_auth_cookie(user, ngx.var.host)
            ngx.log(ngx.NOTICE, "Cross-domain authentication: "..user.." connected on "..ngx.var.host)
            cache:delete(cda_key)
        end

        uri_args[conf.login_arg] = nil
        return hlp.redirect(ngx.var.uri..hlp.uri_args_string(uri_args))
    end
end


--
-- 2. PORTAL
--
-- example: https://mydomain.org/ssowat*
--
-- If the URL matches the portal URL, serve a portal file or proceed to a
-- portal operation
--
if ngx.var.host == conf["portal_domain"]
   and hlp.string.starts(ngx.var.uri, string.sub(conf["portal_path"], 1, -2))
then

    -- `GET` method will serve a portal file
    if ngx.var.request_method == "GET" then

        -- Force portal scheme
        if ngx.var.scheme ~= conf["portal_scheme"] then
            return hlp.redirect(conf.portal_url)
        end

        -- Add a trailing `/` if not present
        if ngx.var.uri.."/" == conf["portal_path"] then
            return hlp.redirect(conf.portal_url)
        end

        uri_args = ngx.req.get_uri_args()

        -- Logout is also called via a `GET` method
        -- TODO: change this ?
        if uri_args.action and uri_args.action == 'logout' then
            return hlp.logout()

        -- If the `r` URI argument is set, it means that we want to
        -- be redirected (typically after a login phase)
        elseif hlp.is_logged_in() and uri_args.r then
            back_url = ngx.decode_base64(uri_args.r)

            -- In case the `back_url` is not on the same domain than the
            -- current one, create a redirection with a CDA key
            if  not string.match(back_url, "^http[s]?://"..ngx.var.host.."/")
            and not string.match(back_url, ".*"..conf.login_arg.."=%d+$") then
                local cda_key = hlp.set_cda_key()
                if string.match(back_url, ".*?.*") then
                    back_url = back_url.."&"
                else
                    back_url = back_url.."?"
                end
                back_url = back_url.."sso_login="..cda_key
            end

            return hlp.redirect(back_url)


        -- In case we want to serve portal login or assets for portal, just
        -- serve it
        elseif hlp.is_logged_in()
            or ngx.var.uri == conf["portal_path"]
            or (hlp.string.starts(ngx.var.uri, conf["portal_path"].."assets")
               and (not ngx.var.http_referer
                    or hlp.string.starts(ngx.var.http_referer, conf.portal_url)))
        then
            return hlp.serve(ngx.var.uri)


        -- If all the previous cases have failed, redirect to portal
        else
            hlp.flash("info", hlp.t("please_login"))
            return hlp.redirect(conf.portal_url)
        end


    -- `POST` method is basically use to achieve editing operations
    elseif ngx.var.request_method == "POST" then

        -- CSRF protection, only proceed if we are editing from the same
        -- domain
        if hlp.string.starts(ngx.var.http_referer, conf.portal_url) then
            if hlp.string.ends(ngx.var.uri, conf["portal_path"].."password.html")
            or hlp.string.ends(ngx.var.uri, conf["portal_path"].."edit.html")
            then
               return hlp.edit_user()
            else
               return hlp.login()
            end
        else
            -- Redirect to portal
            hlp.flash("fail", hlp.t("please_login_from_portal"))
            return hlp.redirect(conf.portal_url)
        end
    end
end


--
-- 3. Redirected URLs
--
-- If the URL matches one of the `redirected_urls` in the configuration file,
-- just redirect to the target URL/URI
--

function detect_redirection(redirect_url)
    if hlp.string.starts(redirect_url, "http://")
    or hlp.string.starts(redirect_url, "https://") then
        return hlp.redirect(redirect_url)
    elseif hlp.string.starts(redirect_url, "/") then
        return hlp.redirect(ngx.var.scheme.."://"..ngx.var.host..redirect_url)
    else
        return hlp.redirect(ngx.var.scheme.."://"..redirect_url)
    end
end

if conf["redirected_urls"] then
    for url, redirect_url in pairs(conf["redirected_urls"]) do
        if url == ngx.var.host..ngx.var.uri..hlp.uri_args_string()
        or url == ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string()
        or url == ngx.var.uri..hlp.uri_args_string() then
            detect_redirection(redirect_url)
        end
    end
end

if conf["redirected_regex"] then
    for regex, redirect_url in pairs(conf["redirected_regex"]) do
        if string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
        or string.match(ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
        or string.match(ngx.var.uri..hlp.uri_args_string(), regex) then
            detect_redirection(redirect_url)
        end
    end
end


--
-- 4. Protected URLs
--
-- If the URL matches one of the `protected_urls` in the configuration file,
-- we have to protect it even if the URL is also set in the `unprotected_urls`.
-- It could be useful if you want to unprotect every URL except a few
-- particular ones.
--

function is_protected()
    if not conf["protected_urls"] then
        conf["protected_urls"] = {}
    end
    if not conf["protected_regex"] then
        conf["protected_regex"] = {}
    end

    for _, url in ipairs(conf["protected_urls"]) do
        if hlp.string.starts(ngx.var.host..ngx.var.uri, url)
        or hlp.string.starts(ngx.var.uri, url) then
            return true
        end
    end
    for _, regex in ipairs(conf["protected_regex"]) do
        if string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
        or string.match(ngx.var.uri..hlp.uri_args_string(), regex) then
            return true
        end
    end

    return false
end


--
-- 5. Skipped URLs
--
-- If the URL matches one of the `skipped_urls` in the configuration file,
-- it means that the URL should not be protected by the SSO and no header
-- has to be sent, even if the user is already authenticated.
--

if conf["skipped_urls"] then
    for _, url in ipairs(conf["skipped_urls"]) do
        if (hlp.string.starts(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), url)
        or  hlp.string.starts(ngx.var.uri..hlp.uri_args_string(), url))
        and not is_protected() then
            return hlp.pass()
        end
    end
end

if conf["skipped_regex"] then
    for _, regex in ipairs(conf["skipped_regex"]) do
        if (string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
        or  string.match(ngx.var.uri..hlp.uri_args_string(), regex))
        and not is_protected() then
            return hlp.pass()
        end
    end
end


--
-- 6. Unprotected URLs
--
-- If the URL matches one of the `unprotected_urls` in the configuration file,
-- it means that the URL should not be protected by the SSO *but* headers have
-- to be sent if the user is already authenticated.
--
-- It means that you can let anyone access to an app, but if a user has already
-- been authenticated on the portal, he can have its authentication headers
-- passed to the app.
--

if conf["unprotected_urls"] then
    for _, url in ipairs(conf["unprotected_urls"]) do
        if (hlp.string.starts(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), url)
        or  hlp.string.starts(ngx.var.uri..hlp.uri_args_string(), url))
        and not is_protected() then
            if hlp.is_logged_in() then
                hlp.set_headers()
            end
            return hlp.pass()
        end
    end
end

if conf["unprotected_regex"] then
    for _, regex in ipairs(conf["unprotected_regex"]) do
        if (string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
        or  string.match(ngx.var.uri..hlp.uri_args_string(), regex))
        and not is_protected() then
            if hlp.is_logged_in() then
                hlp.set_headers()
            end
            return hlp.pass()
        end
    end
end


--
-- 7. Specific files (used in YunoHost)
--
-- We want to serve specific portal assets right at the root of the domain.
--
-- For example: `https://mydomain.org/ynhpanel.js` will serve the
-- `/yunohost/sso/assets/js/ynhpanel.js` file.
--

if hlp.is_logged_in() then
    if string.match(ngx.var.uri, "^/ynhpanel.js$") then
        hlp.serve("/yunohost/sso/assets/js/ynhpanel.js")
    end
    if string.match(ngx.var.uri, "^/ynhpanel.css$") then
        hlp.serve("/yunohost/sso/assets/css/ynhpanel.css")
    end
    if string.match(ngx.var.uri, "^/ynhpanel.json$") then
        hlp.serve("/yunohost/sso/assets/js/ynhpanel.json")
    end

    -- If user has no access to this URL, redirect him to the portal
    if not hlp.has_access() then
        return hlp.redirect(conf.portal_url)
    end

    -- If the user is authenticated and has access to the URL, sen the headers
    -- and let it be
    hlp.set_headers()
    return hlp.pass()
end


--
-- 8. Basic HTTP Authentication
--
-- If the `Authorization` header is set before reaching the SSO, we want to
-- match user and password against the user database.
--
-- It allows you to bypass the cookie-based procedure with a per-request
-- authentication. Very usefull when you are trying to reach a specific URL
-- via cURL for example.
--

local auth_header = ngx.req.get_headers()["Authorization"]

if auth_header then
    _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
    _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
    user = hlp.authenticate(user, password)
    if user then
        hlp.set_headers(user)
        return hlp.pass()
    end
end


--
-- 9. Redirect to login
--
-- If no previous rule has matched, just redirect to the portal login.
-- The default is to protect every URL by default.
--

hlp.flash("info", hlp.t("please_login"))
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()
return hlp.redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url))
Bugfixes 2013-10-15 13:58:16 +02:00			`--`
[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`-- access.lua`
			`--`
			`-- This file is executed at every request on a protected domain or server.`
			`-- You just have to read this file normally to understand how and when the`
			`-- request is handled: redirected, forbidden, bypassed or served.`
Bugfixes 2013-10-15 13:58:16 +02:00			`--`
[enh] Add persistent rules (as conf.json.persistent) 2014-04-10 20:42:43 +02:00
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			-- Get the `cache` persistent shared table
[fix] Load libraries locally to avoid caching 2015-05-16 09:42:26 +02:00			`local cache = ngx.shared.cache`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00
			`-- Generate a unique token if it has not been generated yet`
			`srvkey = cache:get("srvkey")`
			`if not srvkey then`
[fix] Efficiently generate random strings 2015-04-30 15:08:08 +02:00			`srvkey = random_string()`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`cache:add("srvkey", srvkey)`
			`end`
[enh] Default configuration value table 2014-04-17 14:51:47 +02:00
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`-- Initialize and get configuration`
[fix] Load libraries locally to avoid caching 2015-05-16 09:42:26 +02:00			`local conf = config.get_config()`
[enh] Handle local domain (yunohost.local by default) as a main domain replacement 2014-09-13 23:21:21 +02:00
[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`-- Import helpers`
[fix] Load libraries locally to avoid caching 2015-05-16 09:42:26 +02:00			`local hlp = require "helpers"`
Init 2013-10-15 10:11:39 +02:00
[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`-- Just a note for the client to know that he passed through the SSO`
Update access.lua 2013-10-16 11:57:53 +02:00			`ngx.header["X-SSO-WAT"] = "You've just been SSOed"`
Init 2013-10-15 10:11:39 +02:00
Refactoring + serving file from lua 2013-10-20 16:38:49 +02:00
Bugfixes 2013-10-15 13:58:16 +02:00			`--`
[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`-- 1. LOGIN`
Bugfixes 2013-10-15 13:58:16 +02:00			`--`
[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`-- example: https://mydomain.org/?sso_login=a6e5320f`
			`--`
			-- If the `sso_login` URI argument is set, try a cross-domain authentication
			`-- with the token passed as argument`
Bugfixes 2013-10-20 17:24:44 +02:00			`--`
[enh] Keep URI arguments at every redirection 2014-04-17 12:21:11 +02:00			`if ngx.var.host ~= conf["portal_domain"] and ngx.var.request_method == "GET" then`
			`uri_args = ngx.req.get_uri_args()`
			`if uri_args[conf.login_arg] then`
			`cda_key = uri_args[conf.login_arg]`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00
[fix] Use 'cache' shared table to store CDA keys and avoid infinite redirections 2015-05-04 19:29:55 +02:00			-- Use the `cache` shared table where a username is associated with
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`-- a CDA key`
[fix] Use 'cache' shared table to store CDA keys and avoid infinite redirections 2015-05-04 19:29:55 +02:00			`user = cache:get(cda_key)`
			`if user then`
			`hlp.set_auth_cookie(user, ngx.var.host)`
			`ngx.log(ngx.NOTICE, "Cross-domain authentication: "..user.." connected on "..ngx.var.host)`
			`cache:delete(cda_key)`
[enh] Keep URI arguments at every redirection 2014-04-17 12:21:11 +02:00			`end`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00
			`uri_args[conf.login_arg] = nil`
			`return hlp.redirect(ngx.var.uri..hlp.uri_args_string(uri_args))`
Serve ynhpanel.js on every domains 2014-02-04 16:28:54 +01:00			`end`
			`end`


[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`--`
			`-- 2. PORTAL`
			`--`
			`-- example: https://mydomain.org/ssowat*`
			`--`
			`-- If the URL matches the portal URL, serve a portal file or proceed to a`
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00			`-- portal operation`
[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`--`
Bugfixes 2013-10-20 17:24:44 +02:00			`if ngx.var.host == conf["portal_domain"]`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`and hlp.string.starts(ngx.var.uri, string.sub(conf["portal_path"], 1, -2))`
Bugfixes 2013-10-20 17:24:44 +02:00			`then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00
			-- `GET` method will serve a portal file
Bugfixes 2013-10-20 17:24:44 +02:00			`if ngx.var.request_method == "GET" then`

[fix] Force portal scheme. Fix #25 2014-11-13 20:27:01 +01:00			`-- Force portal scheme`
			`if ngx.var.scheme ~= conf["portal_scheme"] then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.redirect(conf.portal_url)`
[fix] Force portal scheme. Fix #25 2014-11-13 20:27:01 +01:00			`end`

[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			-- Add a trailing `/` if not present
User edition 2013-10-21 20:43:12 +02:00			`if ngx.var.uri.."/" == conf["portal_path"] then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.redirect(conf.portal_url)`
User edition 2013-10-21 20:43:12 +02:00			`end`

Bugfixes 2013-10-20 17:24:44 +02:00			`uri_args = ngx.req.get_uri_args()`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00
			-- Logout is also called via a `GET` method
			`-- TODO: change this ?`
Bugfixes 2013-10-20 17:24:44 +02:00			`if uri_args.action and uri_args.action == 'logout' then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.logout()`
Bugfixes 2013-10-20 17:24:44 +02:00
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00			-- If the `r` URI argument is set, it means that we want to
			`-- be redirected (typically after a login phase)`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`elseif hlp.is_logged_in() and uri_args.r then`
[enh] Keep URI arguments at every redirection 2014-04-17 12:21:11 +02:00			`back_url = ngx.decode_base64(uri_args.r)`
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			-- In case the `back_url` is not on the same domain than the
			`-- current one, create a redirection with a CDA key`
[fix] Strange Raspi regex error + trailing spaces 2014-04-21 13:04:05 +02:00			`if not string.match(back_url, "^http[s]?://"..ngx.var.host.."/")`
[enh] Keep URI arguments at every redirection 2014-04-17 12:21:11 +02:00			`and not string.match(back_url, ".*"..conf.login_arg.."=%d+$") then`
[fix] Load libraries locally to avoid caching 2015-05-16 09:42:26 +02:00			`local cda_key = hlp.set_cda_key()`
[enh] Keep URI arguments at every redirection 2014-04-17 12:21:11 +02:00			`if string.match(back_url, ".?.") then`
			`back_url = back_url.."&"`
			`else`
			`back_url = back_url.."?"`
			`end`
			`back_url = back_url.."sso_login="..cda_key`
			`end`
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.redirect(back_url)`
Improve cross-domain authentication 2014-01-31 21:25:46 +01:00
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`-- In case we want to serve portal login or assets for portal, just`
			`-- serve it`
			`elseif hlp.is_logged_in()`
			`or ngx.var.uri == conf["portal_path"]`
			`or (hlp.string.starts(ngx.var.uri, conf["portal_path"].."assets")`
Fix condition on optional Referer header 2013-11-27 03:48:25 +01:00			`and (not ngx.var.http_referer`
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00			`or hlp.string.starts(ngx.var.http_referer, conf.portal_url)))`
Fixes + login style 2013-10-20 18:25:24 +02:00			`then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.serve(ngx.var.uri)`
Bugfixes 2013-10-20 17:24:44 +02:00
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`-- If all the previous cases have failed, redirect to portal`
Bugfixes 2013-10-20 17:24:44 +02:00			`else`
[fix] Load modules as proper modules + typo 2015-02-15 13:03:01 +01:00			`hlp.flash("info", hlp.t("please_login"))`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.redirect(conf.portal_url)`
Bugfixes 2013-10-20 17:24:44 +02:00			`end`

[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			-- `POST` method is basically use to achieve editing operations
Bugfixes 2013-10-20 17:24:44 +02:00			`elseif ngx.var.request_method == "POST" then`

[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00			`-- CSRF protection, only proceed if we are editing from the same`
			`-- domain`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if hlp.string.starts(ngx.var.http_referer, conf.portal_url) then`
			`if hlp.string.ends(ngx.var.uri, conf["portal_path"].."password.html")`
			`or hlp.string.ends(ngx.var.uri, conf["portal_path"].."edit.html")`
User info view + password edition 2013-10-21 13:13:43 +02:00			`then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.edit_user()`
User info view + password edition 2013-10-21 13:13:43 +02:00			`else`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.login()`
User info view + password edition 2013-10-21 13:13:43 +02:00			`end`
Bugfixes 2013-10-20 17:24:44 +02:00			`else`
			`-- Redirect to portal`
[fix] Load modules as proper modules + typo 2015-02-15 13:03:01 +01:00			`hlp.flash("fail", hlp.t("please_login_from_portal"))`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.redirect(conf.portal_url)`
Bugfixes 2013-10-20 17:24:44 +02:00			`end`
			`end`
			`end`

[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`--`
			`-- 3. Redirected URLs`
			`--`
			-- If the URL matches one of the `redirected_urls` in the configuration file,
			`-- just redirect to the target URL/URI`
			`--`
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00
			`function detect_redirection(redirect_url)`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if hlp.string.starts(redirect_url, "http://")`
			`or hlp.string.starts(redirect_url, "https://") then`
			`return hlp.redirect(redirect_url)`
			`elseif hlp.string.starts(redirect_url, "/") then`
			`return hlp.redirect(ngx.var.scheme.."://"..ngx.var.host..redirect_url)`
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00			`else`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.redirect(ngx.var.scheme.."://"..redirect_url)`
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00			`end`
			`end`

			`if conf["redirected_urls"] then`
			`for url, redirect_url in pairs(conf["redirected_urls"]) do`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if url == ngx.var.host..ngx.var.uri..hlp.uri_args_string()`
			`or url == ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string()`
			`or url == ngx.var.uri..hlp.uri_args_string() then`
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00			`detect_redirection(redirect_url)`
			`end`
			`end`
			`end`

			`if conf["redirected_regex"] then`
			`for regex, redirect_url in pairs(conf["redirected_regex"]) do`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)`
			`or string.match(ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)`
			`or string.match(ngx.var.uri..hlp.uri_args_string(), regex) then`
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00			`detect_redirection(redirect_url)`
			`end`
			`end`
			`end`
Improve cross-domain authentication 2014-01-31 21:25:46 +01:00
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`--`
			`-- 4. Protected URLs`
			`--`
			-- If the URL matches one of the `protected_urls` in the configuration file,
			-- we have to protect it even if the URL is also set in the `unprotected_urls`.
			`-- It could be useful if you want to unprotect every URL except a few`
			`-- particular ones.`
			`--`

Implement must_be_protected URL 2014-03-03 15:44:17 +01:00			`function is_protected()`
			`if not conf["protected_urls"] then`
			`conf["protected_urls"] = {}`
			`end`
			`if not conf["protected_regex"] then`
			`conf["protected_regex"] = {}`
			`end`

			`for _, url in ipairs(conf["protected_urls"]) do`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if hlp.string.starts(ngx.var.host..ngx.var.uri, url)`
			`or hlp.string.starts(ngx.var.uri, url) then`
Implement must_be_protected URL 2014-03-03 15:44:17 +01:00			`return true`
			`end`
			`end`
			`for _, regex in ipairs(conf["protected_regex"]) do`
Regex non reconnues sur protected_regex Les patterns sont interprétés correctement sur unprotected_regex, mais pas sur protected_regex. L'ajout de ..hlp.uri_args_string() corrige ça et permet d'interpréter correctement les patterns 2016-04-21 23:27:30 +02:00			`if string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)`
			`or string.match(ngx.var.uri..hlp.uri_args_string(), regex) then`
Implement must_be_protected URL 2014-03-03 15:44:17 +01:00			`return true`
			`end`
			`end`

			`return false`
			`end`

[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`--`
			`-- 5. Skipped URLs`
			`--`
			-- If the URL matches one of the `skipped_urls` in the configuration file,
			`-- it means that the URL should not be protected by the SSO and no header`
			`-- has to be sent, even if the user is already authenticated.`
			`--`
Bugfixes 2013-10-20 17:24:44 +02:00
Implement regex check in urls/uris 2014-03-03 15:04:08 +01:00			`if conf["skipped_urls"] then`
			`for _, url in ipairs(conf["skipped_urls"]) do`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if (hlp.string.starts(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), url)`
			`or hlp.string.starts(ngx.var.uri..hlp.uri_args_string(), url))`
Implement must_be_protected URL 2014-03-03 15:44:17 +01:00			`and not is_protected() then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.pass()`
Implement regex check in urls/uris 2014-03-03 15:04:08 +01:00			`end`
			`end`
			`end`

			`if conf["skipped_regex"] then`
			`for _, regex in ipairs(conf["skipped_regex"]) do`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if (string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)`
			`or string.match(ngx.var.uri..hlp.uri_args_string(), regex))`
Implement must_be_protected URL 2014-03-03 15:44:17 +01:00			`and not is_protected() then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.pass()`
Implement regex check in urls/uris 2014-03-03 15:04:08 +01:00			`end`
Bugfixes 2013-10-20 17:24:44 +02:00			`end`
			`end`


Implement regex check in urls/uris 2014-03-03 15:04:08 +01:00
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00			`--`
			`-- 6. Unprotected URLs`
			`--`
			-- If the URL matches one of the `unprotected_urls` in the configuration file,
			`-- it means that the URL should not be protected by the SSO but headers have`
			`-- to be sent if the user is already authenticated.`
			`--`
			`-- It means that you can let anyone access to an app, but if a user has already`
			`-- been authenticated on the portal, he can have its authentication headers`
			`-- passed to the app.`
			`--`
Bugfixes 2013-10-20 17:24:44 +02:00
Implement regex check in urls/uris 2014-03-03 15:04:08 +01:00			`if conf["unprotected_urls"] then`
			`for _, url in ipairs(conf["unprotected_urls"]) do`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if (hlp.string.starts(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), url)`
			`or hlp.string.starts(ngx.var.uri..hlp.uri_args_string(), url))`
Implement must_be_protected URL 2014-03-03 15:44:17 +01:00			`and not is_protected() then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if hlp.is_logged_in() then`
			`hlp.set_headers()`
Implement regex check in urls/uris 2014-03-03 15:04:08 +01:00			`end`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.pass()`
Bugfixes 2013-10-20 17:24:44 +02:00			`end`
			`end`
			`end`

Implement regex check in urls/uris 2014-03-03 15:04:08 +01:00			`if conf["unprotected_regex"] then`
			`for _, regex in ipairs(conf["unprotected_regex"]) do`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if (string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)`
			`or string.match(ngx.var.uri..hlp.uri_args_string(), regex))`
Implement must_be_protected URL 2014-03-03 15:44:17 +01:00			`and not is_protected() then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if hlp.is_logged_in() then`
			`hlp.set_headers()`
Implement regex check in urls/uris 2014-03-03 15:04:08 +01:00			`end`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.pass()`
Implement regex check in urls/uris 2014-03-03 15:04:08 +01:00			`end`
			`end`
			`end`
Bugfixes 2013-10-20 17:24:44 +02:00
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`--`
			`-- 7. Specific files (used in YunoHost)`
			`--`
			`-- We want to serve specific portal assets right at the root of the domain.`
			`--`
			-- For example: `https://mydomain.org/ynhpanel.js` will serve the
			-- `/yunohost/sso/assets/js/ynhpanel.js` file.
Bugfixes 2013-10-20 17:24:44 +02:00			`--`

[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if hlp.is_logged_in() then`
Serve JSON with revelant informations for the panel 2014-02-04 21:41:53 +01:00			`if string.match(ngx.var.uri, "^/ynhpanel.js$") then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`hlp.serve("/yunohost/sso/assets/js/ynhpanel.js")`
Serve JSON with revelant informations for the panel 2014-02-04 21:41:53 +01:00			`end`
YNH Panel. 1st draft. 2014-02-17 13:07:28 +01:00			`if string.match(ngx.var.uri, "^/ynhpanel.css$") then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`hlp.serve("/yunohost/sso/assets/css/ynhpanel.css")`
YNH Panel. 1st draft. 2014-02-17 13:07:28 +01:00			`end`
Serve JSON with revelant informations for the panel 2014-02-04 21:41:53 +01:00			`if string.match(ngx.var.uri, "^/ynhpanel.json$") then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`hlp.serve("/yunohost/sso/assets/js/ynhpanel.json")`
Serve JSON with revelant informations for the panel 2014-02-04 21:41:53 +01:00			`end`
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`-- If user has no access to this URL, redirect him to the portal`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if not hlp.has_access() then`
			`return hlp.redirect(conf.portal_url)`
User access 2013-10-29 11:48:56 +01:00			`end`
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`-- If the user is authenticated and has access to the URL, sen the headers`
			`-- and let it be`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`hlp.set_headers()`
			`return hlp.pass()`
Bugfixes 2013-10-20 17:24:44 +02:00			`end`


[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00			`--`
			`-- 8. Basic HTTP Authentication`
			`--`
			-- If the `Authorization` header is set before reaching the SSO, we want to
			`-- match user and password against the user database.`
			`--`
			`-- It allows you to bypass the cookie-based procedure with a per-request`
			`-- authentication. Very usefull when you are trying to reach a specific URL`
			`-- via cURL for example.`
Bugfixes 2013-10-20 17:24:44 +02:00			`--`

			`local auth_header = ngx.req.get_headers()["Authorization"]`
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
Bugfixes 2013-10-20 17:24:44 +02:00			`if auth_header then`
			`_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")`
			`_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`user = hlp.authenticate(user, password)`
Add mail authentication ability 2014-02-19 12:57:57 +01:00			`if user then`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`hlp.set_headers(user)`
			`return hlp.pass()`
Bugfixes 2013-10-20 17:24:44 +02:00			`end`
			`end`

[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`--`
			`-- 9. Redirect to login`
			`--`
			`-- If no previous rule has matched, just redirect to the portal login.`
			`-- The default is to protect every URL by default.`
Bugfixes 2013-10-20 17:24:44 +02:00			`--`

[fix] Load modules as proper modules + typo 2015-02-15 13:03:01 +01:00			`hlp.flash("info", hlp.t("please_login"))`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()`
			`return hlp.redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url))`