SSOwat/access.lua

232 lines
6 KiB
Lua
Raw Normal View History

2013-10-15 13:58:16 +02:00
--
2013-10-15 10:11:39 +02:00
-- Load configuration
2013-10-15 13:58:16 +02:00
--
2013-10-15 10:11:39 +02:00
local conf_file = assert(io.open("cache.json", "r"), "Configuration file is missing")
2013-10-15 13:58:16 +02:00
local conf = json.decode(conf_file:read("*all"))
2013-10-15 10:11:39 +02:00
local portal_url = conf["portal_scheme"].."://"..
conf["main_domain"]..
":"..conf["portal_port"]..
conf["portal_path"]
table.insert(conf["skipped_urls"], conf["main_domain"]..conf["portal_path"])
-- Dummy intructions
ngx.header["X-YNH-SSO"] = "You've just been SSOed"
2013-10-15 13:58:16 +02:00
--
-- Useful functions
--
2013-10-15 10:11:39 +02:00
function string.starts (String, Start)
return string.sub(String, 1, string.len(Start)) == Start
end
2013-10-15 13:58:16 +02:00
function string.ends (String, End)
return End=='' or string.sub(String, -string.len(End)) == End
end
function set_auth_cookie (user)
2013-10-15 10:11:39 +02:00
local maxAge = 60 * 60 * 24 * 7 -- 1 week
local expire = ngx.req.start_time() + maxAge
local hash = ngx.md5(auth_key..
"|" ..ngx.var.remote_addr..
"|"..user..
"|"..expire)
2013-10-15 13:58:16 +02:00
local cookie_str = "; Domain=."..ngx.var.host..
"; Path=/"..
2013-10-15 10:11:39 +02:00
"; Max-Age="..maxAge
ngx.header["Set-Cookie"] = {
"YnhAuthUser="..user..cookie_str,
"YnhAuthHash="..hash..cookie_str,
"YnhAuthExpire="..expire..cookie_str
}
end
2013-10-15 13:58:16 +02:00
function set_token_cookie ()
local token = tostring(math.random(111111, 999999))
tokens[token] = token
ngx.header["Set-Cookie"] = {
"YnhAuthToken="..token..
"; Path="..conf["portal_path"]..
"; Max-Age=3600"
}
end
function set_redirect_cookie (redirect_url)
ngx.header["Set-Cookie"] = {
"YnhAuthRedirect="..redirect_url..
"; Path="..conf["portal_path"]..
"; Max-Age=3600"
}
end
2013-10-15 10:11:39 +02:00
function delete_cookie ()
2013-10-15 13:58:16 +02:00
expired_time = ngx.req.start_time() - 3600 -- expired yesterday
ngx.header["Set-Cookie"] = {
"YnhAuthUser=;" ..expired_time,
"YnhAuthHash=;" ..expired_time,
"YnhAuthExpire=;" ..expired_time
}
end
function delete_onetime_cookie ()
expired_time = ngx.req.start_time() - 3600 -- expired yesterday
2013-10-15 10:11:39 +02:00
ngx.header["Set-Cookie"] = {
2013-10-15 13:58:16 +02:00
"YnhAuthToken=;" ..expired_time,
"YnhAuthRedirect=;"..expired_time
2013-10-15 10:11:39 +02:00
}
end
2013-10-15 13:58:16 +02:00
2013-10-15 10:11:39 +02:00
function check_cookie ()
-- Check if cookie is set
2013-10-15 13:58:16 +02:00
if not ngx.var.cookie_YnhAuthExpire
or not ngx.var.cookie_YnhAuthUser
or not ngx.var.cookie_YnhAuthHash
2013-10-15 10:11:39 +02:00
then
return false
end
-- Check expire time
if (ngx.req.start_time() >= tonumber(ngx.var.cookie_YnhAuthExpire)) then
return false
end
-- Check hash
local hash = ngx.md5(auth_key..
"|"..ngx.var.remote_addr..
"|"..ngx.var.cookie_YnhAuthUser..
2013-10-15 13:58:16 +02:00
"|"..ngx.var.cookie_YnhAuthExpire)
if hash ~= ngx.var.cookie_YnhAuthHash then
2013-10-15 10:11:39 +02:00
return false
end
return true
end
function authenticate (user, password)
return lualdap.open_simple (
"localhost",
2013-10-15 13:58:16 +02:00
"uid=".. user ..",ou=users,dc=yunohost,dc=org",
password
2013-10-15 10:11:39 +02:00
)
end
function set_headers (user)
ldap = lualdap.open_simple("localhost")
for dn, attribs in ldap:search {
base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",
scope = "base",
sizelimit = 1,
attrs = {"uid", "givenName", "sn", "homeDirectory", "mail"}
} do
for name, value in pairs (attribs) do
ngx.header["X-YNH-".. name:upper()] = value
end
end
end
function display_login_form ()
local args = ngx.req.get_uri_args()
if args.action and args.action == 'logout' then
-- Logout
delete_cookie()
return ngx.redirect(portal_url)
else
-- Display normal form
2013-10-15 13:58:16 +02:00
set_token_cookie()
2013-10-15 10:11:39 +02:00
return
end
end
function do_login ()
ngx.req.read_body()
local args = ngx.req.get_post_args()
-- CSRF check
2013-10-15 13:58:16 +02:00
local token = ngx.var.cookie_YnhAuthToken
if token and tokens[token] then
tokens[token] = nil
2013-10-15 10:11:39 +02:00
if authenticate(args.user, args.password) then
2013-10-15 13:58:16 +02:00
set_auth_cookie(args.user)
--ngx.status = ngx.HTTP_CREATED
--ngx.exit(ngx.HTTP_OK)
2013-10-15 10:11:39 +02:00
-- Redirect to precedent page
2013-10-15 13:58:16 +02:00
local redirect_url = ngx.var.cookie_YnhAuthRedirect
if redirect_url then
return ngx.redirect(ngx.unescape_uri(redirect_url))
2013-10-15 10:11:39 +02:00
end
end
return ngx.redirect(portal_url)
end
end
2013-10-15 13:58:16 +02:00
function pass ()
if not ngx.header["Content-Type"] then
ngx.header["Content-Type"] = "text/html"
end
delete_onetime_cookie()
return
end
--
-- Routing
--
-- Portal
2013-10-15 10:11:39 +02:00
if ngx.var.host == conf["main_domain"]
and string.starts(ngx.var.uri, conf["portal_path"])
then
2013-10-15 13:58:16 +02:00
if ngx.var.request_method == "GET" then
2013-10-15 10:11:39 +02:00
return display_login_form()
2013-10-15 13:58:16 +02:00
elseif ngx.var.request_method == "POST" then
2013-10-15 10:11:39 +02:00
return do_login()
end
end
-- Skipped urls
for _, url in ipairs(conf["skipped_urls"]) do
2013-10-15 13:58:16 +02:00
if string.starts(ngx.var.host..ngx.var.uri, url) then
return pass
2013-10-15 10:11:39 +02:00
end
end
-- Unprotected urls
for _, url in ipairs(conf["unprotected_urls"]) do
2013-10-15 13:58:16 +02:00
if string.starts(ngx.var.host..ngx.var.uri, url) then
2013-10-15 10:11:39 +02:00
if check_cookie() then
set_headers(ngx.var.cookie_YnhAuthUser)
end
2013-10-15 13:58:16 +02:00
return pass
2013-10-15 10:11:39 +02:00
end
end
-- Cookie validation
if check_cookie() then
set_headers(ngx.var.cookie_YnhAuthUser)
2013-10-15 13:58:16 +02:00
return pass
2013-10-15 10:11:39 +02:00
end
-- Connect with HTTP Auth if credentials are brought
local auth_header = ngx.req.get_headers()["Authorization"]
if auth_header then
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
if authenticate(user, password) then
set_headers(user)
2013-10-15 13:58:16 +02:00
return pass
2013-10-15 10:11:39 +02:00
end
end
2013-10-15 13:58:16 +02:00
if not ngx.var.cookie_YnhAuthRedirect and not string.ends(ngx.var.uri, "favicon.ico") then
-- Else redirect to portal
local back_url = ngx.escape_uri(ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri)
set_redirect_cookie(back_url)
return ngx.redirect(portal_url)
else
ngx.status = ngx.HTTP_UNAUTHORIZED
return ngx.exit(ngx.HTTP_OK)
end