SSOwat/access.lua

839 lines
27 KiB
Lua
Raw Normal View History

2013-10-15 13:58:16 +02:00
--
2013-10-15 10:11:39 +02:00
-- Load configuration
2013-10-15 13:58:16 +02:00
--
2013-10-24 11:09:22 +02:00
cache = ngx.shared.cache
2013-11-29 16:29:57 +01:00
srvkey = cache:get("srvkey")
if not srvkey then
math.randomseed(os.time())
srvkey = tostring(math.random(1111111, 9999999))
cache:add("srvkey", srvkey)
end
2013-10-16 11:27:18 +02:00
cookies = {}
-- Load conf file
2013-10-16 11:27:18 +02:00
local conf_file = assert(io.open(conf_path, "r"), "Configuration file is missing")
2013-10-15 13:58:16 +02:00
local conf = json.decode(conf_file:read("*all"))
-- Load additional rules
local persistent_conf_file = io.open(conf_path..".persistent", "r")
if persistent_conf_file ~= nil then
for k, v in pairs(json.decode(persistent_conf_file:read("*all"))) do
2014-04-10 22:12:14 +02:00
-- If key already exists and is a table, merge it
if conf[k] and type(v) == "table" then
for subk, subv in pairs(v) do
if type(subk) == "number" then
table.insert(conf[k], subv)
else
conf[k][subk] = subv
end
end
else
conf[k] = v
end
end
end
-- Default configuration values
default_conf = {
portal_scheme = "https",
portal_path = "/ssowat",
2014-04-17 16:27:42 +02:00
domains = { conf["portal_domain"] },
session_timeout = 60 * 60 * 24, -- one day
session_max_timeout = 60 * 60 * 24 * 7, -- one week
login_arg = "sso_login",
ldap_host = "localhost",
ldap_group = "ou=users,dc=yunohost,dc=org",
ldap_identifier = "uid",
ldap_attributes = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"},
2014-04-17 16:27:42 +02:00
allow_mail_authentication = true,
additional_headers = { Remote-user = "uid" }
}
for param, default_value in pairs(default_conf) do
conf[param] = conf[param] or default_value
end
2013-10-15 10:11:39 +02:00
local portal_url = conf["portal_scheme"].."://"..
2013-10-16 15:54:58 +02:00
conf["portal_domain"]..
2013-10-15 10:11:39 +02:00
conf["portal_path"]
2013-10-16 15:54:58 +02:00
table.insert(conf["skipped_urls"], conf["portal_domain"]..conf["portal_path"])
2013-10-15 10:11:39 +02:00
-- Dummy intructions
2013-10-16 11:57:53 +02:00
ngx.header["X-SSO-WAT"] = "You've just been SSOed"
2013-10-15 10:11:39 +02:00
2013-10-20 16:38:49 +02:00
2013-10-15 13:58:16 +02:00
--
-- Useful functions
--
2013-10-20 16:38:49 +02:00
function read_file(file)
local f = io.open(file, "rb")
2013-10-20 17:24:44 +02:00
if not f then return false end
2013-10-20 16:38:49 +02:00
local content = f:read("*all")
f:close()
return content
end
2013-10-16 11:27:18 +02:00
function is_in_table (t, v)
for key, value in ipairs(t) do
if value == v then return key end
end
end
2013-10-15 10:11:39 +02:00
function string.starts (String, Start)
return string.sub(String, 1, string.len(Start)) == Start
end
2013-10-15 13:58:16 +02:00
function string.ends (String, End)
return End=='' or string.sub(String, -string.len(End)) == End
end
2013-10-16 11:27:18 +02:00
function cook (cookie_str)
table.insert(cookies, cookie_str)
end
2013-10-20 22:07:26 +02:00
function flash (wat, message)
if wat == "fail"
or wat == "win"
or wat == "info"
then
flashs[wat] = message
end
end
function uri_args_string (args)
if not args then
args = ngx.req.get_uri_args()
end
String = "?"
for k,v in pairs(args) do
String = String..k.."="..v.."&"
end
return string.sub(String, 1, string.len(String) - 1)
end
2013-10-16 11:27:18 +02:00
function set_auth_cookie (user, domain)
local maxAge = conf["session_max_timeout"]
2013-10-15 10:11:39 +02:00
local expire = ngx.req.start_time() + maxAge
2014-01-31 21:25:46 +01:00
local session_key = cache:get("session_"..user)
if not session_key then
session_key = tostring(math.random(1111111, 9999999))
cache:add("session_"..user, session_key, conf["session_max_timeout"])
2014-01-31 21:25:46 +01:00
end
2013-10-16 20:37:12 +02:00
local hash = ngx.md5(srvkey..
2013-10-15 10:11:39 +02:00
"|" ..ngx.var.remote_addr..
"|"..user..
2014-01-31 21:25:46 +01:00
"|"..expire..
"|"..session_key)
2013-10-16 11:27:18 +02:00
local cookie_str = "; Domain=."..domain..
2013-10-15 13:58:16 +02:00
"; Path=/"..
2013-10-15 10:11:39 +02:00
"; Max-Age="..maxAge
2013-10-16 16:20:51 +02:00
cook("SSOwAuthUser="..user..cookie_str)
cook("SSOwAuthHash="..hash..cookie_str)
cook("SSOwAuthExpire="..expire..cookie_str)
2013-10-15 10:11:39 +02:00
end
function delete_cookie ()
2013-10-16 16:20:51 +02:00
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
for _, domain in ipairs(conf["domains"]) do
local cookie_str = "; Domain=."..domain..
"; Path=/"..
"; Max-Age="..expired_time
cook("SSOwAuthUser=;" ..cookie_str)
cook("SSOwAuthHash=;" ..cookie_str)
cook("SSOwAuthExpire=;" ..cookie_str)
end
2013-10-15 13:58:16 +02:00
end
2013-10-20 22:07:26 +02:00
function delete_redirect_cookie ()
2013-10-16 16:20:51 +02:00
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
local cookie_str = "; Path="..conf["portal_path"]..
"; Max-Age="..expired_time
cook("SSOwAuthRedirect=;" ..cookie_str)
2013-10-15 10:11:39 +02:00
end
2013-10-21 13:13:43 +02:00
function is_logged_in ()
2013-10-16 11:27:18 +02:00
2013-10-15 10:11:39 +02:00
-- Check if cookie is set
2013-10-16 16:20:51 +02:00
if ngx.var.cookie_SSOwAuthExpire and ngx.var.cookie_SSOwAuthExpire ~= ""
and ngx.var.cookie_SSOwAuthHash and ngx.var.cookie_SSOwAuthHash ~= ""
and ngx.var.cookie_SSOwAuthUser and ngx.var.cookie_SSOwAuthUser ~= ""
2013-10-15 10:11:39 +02:00
then
2013-10-16 16:20:51 +02:00
-- Check expire time
if (ngx.req.start_time() <= tonumber(ngx.var.cookie_SSOwAuthExpire)) then
-- Check hash
2014-01-31 21:25:46 +01:00
local session_key = cache:get("session_"..ngx.var.cookie_SSOwAuthUser)
if session_key and session_key ~= "" then
-- Check cache
if cache:get(ngx.var.cookie_SSOwAuthUser.."-password") then
local hash = ngx.md5(srvkey..
"|"..ngx.var.remote_addr..
"|"..ngx.var.cookie_SSOwAuthUser..
"|"..ngx.var.cookie_SSOwAuthExpire..
"|"..session_key)
return hash == ngx.var.cookie_SSOwAuthHash
end
2014-01-31 21:25:46 +01:00
end
2013-10-16 16:20:51 +02:00
end
2013-10-15 10:11:39 +02:00
end
2013-10-16 16:20:51 +02:00
return false
2013-10-15 10:11:39 +02:00
end
2013-10-29 11:48:56 +01:00
function has_access (user, url)
user = user or ngx.var.cookie_SSOwAuthUser
url = url or ngx.var.host..ngx.var.uri
2013-10-29 15:17:49 +01:00
if not conf["users"] or not conf["users"][user] then
2013-10-29 12:54:45 +01:00
return true
end
2013-10-29 11:48:56 +01:00
for u, _ in pairs(conf["users"][user]) do
2013-10-29 12:53:22 +01:00
if string.starts(url, string.sub(u, 1, -2)) then return true end
2013-10-29 11:48:56 +01:00
end
return false
end
2013-10-15 10:11:39 +02:00
function authenticate (user, password)
if conf["allow_mail_authentication"] and string.find(user, "@") then
ldap = lualdap.open_simple(conf["ldap_host"])
2014-02-19 12:57:57 +01:00
for dn, attribs in ldap:search {
base = conf["ldap_group"],
2014-02-19 12:57:57 +01:00
scope = "onelevel",
sizelimit = 1,
filter = "(mail="..user..")",
attrs = {conf["ldap_identifier"]}
2014-02-19 12:57:57 +01:00
} do
if attribs[conf["ldap_identifier"]] then
ngx.log(ngx.NOTICE, "Use email: "..user)
user = attribs[conf["ldap_identifier"]]
2014-02-19 12:57:57 +01:00
else
ngx.log(ngx.NOTICE, "Unknown email: "..user)
2014-02-19 12:57:57 +01:00
return false
end
end
ldap:close()
end
2013-10-16 11:27:18 +02:00
connected = lualdap.open_simple (
conf["ldap_host"],
conf["ldap_identifier"].."=".. user ..","..conf["ldap_group"],
2013-10-15 13:58:16 +02:00
password
2013-10-15 10:11:39 +02:00
)
2013-10-16 11:27:18 +02:00
2013-10-24 11:09:22 +02:00
cache:flush_expired()
if connected then
cache:add(user.."-password", password, conf["session_timeout"])
ngx.log(ngx.NOTICE, "Connected as: "..user)
2014-02-19 12:57:57 +01:00
return user
else
ngx.log(ngx.NOTICE, "Connection failed for: "..user)
2014-02-19 12:57:57 +01:00
return false
2013-10-16 11:27:18 +02:00
end
2013-10-15 10:11:39 +02:00
end
function set_headers (user)
if ngx.var.scheme ~= "https" then
return redirect("https://"..ngx.var.host..ngx.var.uri..uri_args_string())
end
2013-10-21 13:13:43 +02:00
user = user or ngx.var.cookie_SSOwAuthUser
2013-10-24 11:09:22 +02:00
if not cache:get(user.."-password") then
flash("info", "Please log in to access to this content")
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri .. uri_args_string()
2013-10-24 11:09:22 +02:00
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))
2013-10-23 13:01:14 +02:00
end
if not cache:get(user.."-"..conf["ldap_identifier"]) then
ldap = lualdap.open_simple(conf["ldap_host"])
ngx.log(ngx.NOTICE, "Reloading LDAP values for: "..user)
2013-10-16 11:27:18 +02:00
for dn, attribs in ldap:search {
base = conf["ldap_identifier"].."=".. user ..","..conf["ldap_group"],
2013-10-16 11:27:18 +02:00
scope = "base",
sizelimit = 1,
attrs = conf["ldap_attributes"]
2013-10-16 11:27:18 +02:00
} do
2013-10-21 13:13:43 +02:00
for k,v in pairs(attribs) do
2013-10-24 11:09:22 +02:00
if type(v) == "table" then
for k2,v2 in ipairs(v) do
if k2 == 1 then cache:set(user.."-"..k, v2, conf["session_timeout"]) end
cache:set(user.."-"..k.."|"..k2, v2, conf["session_max_timeout"])
2013-10-24 11:09:22 +02:00
end
else
cache:set(user.."-"..k, v, conf["session_timeout"])
2013-10-24 11:09:22 +02:00
end
2013-10-21 13:13:43 +02:00
end
2013-10-15 10:11:39 +02:00
end
else
-- Revalidate session for another day by default
password = cache:get(user.."-password")
cache:set(user.."-password", password, conf["session_timeout"])
2013-10-15 10:11:39 +02:00
end
2013-10-16 11:27:18 +02:00
2013-10-16 18:16:41 +02:00
-- Set HTTP Auth header
2013-10-16 17:30:08 +02:00
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
2013-10-24 11:09:22 +02:00
user..":"..cache:get(user.."-password")
2013-10-16 17:30:08 +02:00
))
2013-12-03 19:46:48 +01:00
2013-10-16 18:16:41 +02:00
-- Set Additional headers
for k, v in pairs(conf["additional_headers"]) do
2013-10-24 11:09:22 +02:00
ngx.req.set_header(k, cache:get(user.."-"..v))
2013-10-16 18:16:41 +02:00
end
2013-10-15 10:11:39 +02:00
end
2013-10-21 20:43:12 +02:00
function get_mails(user)
local mails = { mail = "", mailalias = {}, maildrop = {} }
2013-10-24 11:09:22 +02:00
if cache:get(user.."-mail|2") then
for _, v in ipairs({2, 3, 4, 5, 6, 7, 8, 9, 10}) do
table.insert(mails["mailalias"], cache:get(user.."-mail|"..v))
2013-10-21 20:43:12 +02:00
end
end
2013-10-24 11:09:22 +02:00
mails["mail"] = cache:get(user.."-mail")
if cache:get(user.."-maildrop|2") then
for _, v in ipairs({2, 3, 4, 5, 6, 7, 8, 9, 10}) do
table.insert(mails["maildrop"], cache:get(user.."-maildrop|"..v))
2013-10-21 20:43:12 +02:00
end
end
return mails
end
2013-10-20 16:38:49 +02:00
-- Yo dawg
function serve(uri)
rel_path = string.gsub(uri, conf["portal_path"], "/")
2013-10-15 10:11:39 +02:00
2013-10-20 16:38:49 +02:00
-- Load login.html as index
if rel_path == "/" then
2013-10-21 13:13:43 +02:00
if is_logged_in() then
2013-10-29 10:25:44 +01:00
rel_path = "/info.html"
2013-10-21 13:13:43 +02:00
else
rel_path = "/login.html"
end
2013-10-15 10:11:39 +02:00
end
2013-10-16 23:53:14 +02:00
2013-10-20 18:45:10 +02:00
-- Access to directory root: forbidden
if string.ends(rel_path, "/") then
return ngx.exit(403)
end
-- Try to get file content
2013-10-20 22:07:26 +02:00
local content = read_file(script_path.."portal"..rel_path)
2013-10-20 16:38:49 +02:00
if not content then
2013-10-20 18:25:24 +02:00
return ngx.exit(ngx.HTTP_NOT_FOUND)
2013-10-17 00:12:14 +02:00
end
2013-10-20 16:38:49 +02:00
-- Extract file extension
2013-10-20 17:24:44 +02:00
_, file, ext = string.match(rel_path, "(.-)([^\\/]-%.?([^%.\\/]*))$")
2013-10-20 16:38:49 +02:00
-- Associate to MIME type
mime_types = {
html = "text/html",
2013-10-23 11:21:05 +02:00
ms = "text/html",
2013-10-20 16:38:49 +02:00
js = "text/javascript",
2013-10-21 20:43:12 +02:00
map = "text/javascript",
2013-10-20 16:38:49 +02:00
css = "text/css",
gif = "image/gif",
jpg = "image/jpeg",
png = "image/png",
svg = "image/svg+xml",
ico = "image/vnd.microsoft.icon",
woff = "application/x-font-woff",
json = "application/json"
2013-10-20 16:38:49 +02:00
}
-- Set Content-Type
if mime_types[ext] then
ngx.header["Content-Type"] = mime_types[ext]
else
ngx.header["Content-Type"] = "text/plain"
end
-- Render as mustache
if ext == "html" then
2013-10-20 22:07:26 +02:00
local data = get_data_for(file)
local rendered = hige.render(read_file(script_path.."portal/header.ms"), data)
rendered = rendered..hige.render(content, data)
content = rendered..hige.render(read_file(script_path.."portal/footer.ms"), data)
2013-10-23 11:21:05 +02:00
elseif ext == "ms" then
2013-10-29 10:16:30 +01:00
local data = get_data_for(file)
content = hige.render(content, data)
elseif ext == "json" then
local data = get_data_for(file)
content = json.encode(data)
2013-10-20 16:38:49 +02:00
end
2013-10-20 22:07:26 +02:00
-- Reset flash messages
flashs["fail"] = nil
flashs["win"] = nil
flashs["info"] = nil
-- Ain't nobody got time for cache
2013-10-16 23:53:14 +02:00
ngx.header["Cache-Control"] = "no-cache"
2013-10-20 16:38:49 +02:00
ngx.say(content)
2013-10-20 18:25:24 +02:00
return ngx.exit(ngx.HTTP_OK)
2013-10-20 16:38:49 +02:00
end
function get_data_for(view)
2013-10-21 13:13:43 +02:00
local user = ngx.var.cookie_SSOwAuthUser
2013-10-20 22:07:26 +02:00
local data = {}
2013-10-20 16:38:49 +02:00
if view == "login.html" then
2013-10-20 22:07:26 +02:00
data["title"] = "YunoHost Login"
2013-10-21 20:43:12 +02:00
2013-10-21 13:13:43 +02:00
elseif view == "info.html" then
2013-10-21 20:43:12 +02:00
set_headers(user)
local mails = get_mails(user)
data = {
2013-10-24 11:09:22 +02:00
title = user.." <small>"..cache:get(user.."-cn").."</small>",
2013-10-21 20:43:12 +02:00
connected = true,
2013-10-24 11:09:22 +02:00
uid = user,
cn = cache:get(user.."-cn"),
2013-10-21 20:43:12 +02:00
mail = mails["mail"],
mailalias = mails["mailalias"],
2013-10-29 11:48:56 +01:00
maildrop = mails["maildrop"],
app = {}
2013-10-21 20:43:12 +02:00
}
2013-10-29 11:48:56 +01:00
for url, name in pairs(conf["users"][user]) do
table.insert(data["app"], { url = url, name = name })
end
2013-10-21 13:13:43 +02:00
elseif view == "password.html" then
2013-10-21 20:43:12 +02:00
data = {
title = "Change password",
connected = true
}
elseif view == "edit.html" then
set_headers(user)
local mails = get_mails(user)
data = {
title = "Edit "..user,
connected = true,
2013-10-24 11:09:22 +02:00
uid = user,
sn = cache:get(user.."-sn"),
givenName = cache:get(user.."-givenName"),
2013-10-21 20:43:12 +02:00
mail = mails["mail"],
mailalias = mails["mailalias"],
maildrop = mails["maildrop"]
}
2013-10-29 10:16:30 +01:00
elseif view == "panel.ms" then
data = { app = {} }
for url, name in pairs(conf["users"][user]) do
table.insert(data["app"], { url = url, name = name })
end
elseif view == "ynhpanel.json" then
2014-02-19 01:49:35 +01:00
local mails = get_mails(user)
data = {
app = {},
2014-02-19 01:49:35 +01:00
user = {
uid = user,
name = cache:get(user..'-cn'),
givenName = cache:get(user..'-givenName'),
surname = cache:get(user..'-sn'),
mail = mails['mail']
},
portal_url = portal_url
}
for url, name in pairs(conf["users"][user]) do
table.insert(data["app"], { url = url, name = name })
end
2013-10-20 16:38:49 +02:00
end
2013-10-21 20:43:12 +02:00
data['flash_fail'] = {flashs["fail"]}
data['flash_win'] = {flashs["win"] }
data['flash_info'] = {flashs["info"]}
2013-10-20 22:07:26 +02:00
return data
2013-10-15 10:11:39 +02:00
end
2013-10-21 13:13:43 +02:00
function do_edit ()
ngx.req.read_body()
local args = ngx.req.get_post_args()
if is_logged_in() and args
then
ngx.status = ngx.HTTP_CREATED
2013-10-21 20:43:12 +02:00
local user = ngx.var.cookie_SSOwAuthUser
-- Change password
2013-10-21 13:13:43 +02:00
if string.ends(ngx.var.uri, "password.html") then
2013-10-21 20:43:12 +02:00
if args.currentpassword
2013-10-24 11:09:22 +02:00
and args.currentpassword == cache:get(user.."-password")
2013-10-21 13:13:43 +02:00
then
if args.newpassword == args.confirm then
local dn = conf["ldap_identifier"].."="..user..","..conf["ldap_group"]
local ldap = lualdap.open_simple(conf["ldap_host"], dn, args.currentpassword)
2013-10-21 13:13:43 +02:00
local password = "{SHA}"..ngx.encode_base64(ngx.sha1_bin(args.newpassword))
if ldap:modify(dn, {'=', userPassword = password }) then
flash("win", "Password successfully changed")
cache:set(user.."-password", args.newpassword, conf["session_timeout"])
2013-10-21 13:13:43 +02:00
return redirect(portal_url.."info.html")
else
flash("fail", "An error occured on password changing")
2013-10-21 20:43:12 +02:00
end
2013-10-21 13:13:43 +02:00
else
flash("fail", "New passwords don't match")
end
else
flash("fail", "Actual password is wrong")
end
return redirect(portal_url.."password.html")
2013-10-21 20:43:12 +02:00
-- Edit user informations
2013-10-21 13:13:43 +02:00
elseif string.ends(ngx.var.uri, "edit.html") then
2013-10-21 20:43:12 +02:00
if args.givenName and args.sn and args.mail then
2013-12-03 19:46:48 +01:00
2013-10-21 20:43:12 +02:00
local mailalias = {}
if args["mailalias[]"] and type(args["mailalias[]"]) == "table" then
mailalias = args["mailalias[]"]
end
local maildrop = {}
if args["maildrop[]"] and type(args["maildrop[]"]) == "table" then
maildrop = args["maildrop[]"]
end
local mail_pattern = "[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?"
table.insert(mailalias, 1, args.mail)
for k, mail in ipairs(mailalias) do
if mail == "" then
table.remove(mailalias, k)
elseif not mail:match(mail_pattern) then
flash("fail", "Invalid mail address: "..mail)
return redirect(portal_url.."edit.html")
else
2013-10-29 11:48:56 +01:00
local domains = conf["domains"]
2013-10-21 20:43:12 +02:00
local domain_valid = false
for _, domain in ipairs(domains) do
if string.ends(mail, "@"..domain) then
domain_valid = true
break
end
end
if not domain_valid then
flash("fail", "Invalid domain for mail "..mail)
return redirect(portal_url.."edit.html")
end
end
end
for k, mail in ipairs(maildrop) do
if mail == "" then
table.remove(maildrop, k)
elseif not mail:match(mail_pattern) then
flash("fail", "Invalid mail forward address: "..mail)
return redirect(portal_url.."edit.html")
end
end
table.insert(maildrop, 1, user)
2013-12-03 19:46:48 +01:00
local dn = conf["ldap_identifier"].."="..user..","..conf["ldap_group"]
local ldap = lualdap.open_simple(conf["ldap_host"], dn, cache:get(user.."-password"))
2013-10-21 20:43:12 +02:00
local cn = args.givenName.." "..args.sn
if ldap:modify(dn, {'=', cn = cn,
2013-10-21 20:43:12 +02:00
givenName = args.givenName,
sn = args.sn,
mail = mailalias,
maildrop = maildrop })
then
cache:delete(user.."-"..conf["ldap_identifier"])
2013-10-21 20:43:12 +02:00
set_headers(user) -- Ugly trick to reload cache
flash("win", "Informations updated")
return redirect(portal_url.."info.html")
else
flash("fail", "An error occured on user saving")
end
else
flash("fail", "Missing required fields")
end
2013-10-21 13:13:43 +02:00
return redirect(portal_url.."edit.html")
end
end
end
2013-10-15 10:11:39 +02:00
function do_login ()
ngx.req.read_body()
local args = ngx.req.get_post_args()
2013-10-16 19:01:17 +02:00
local uri_args = ngx.req.get_uri_args()
2013-10-15 10:11:39 +02:00
2014-02-19 12:57:57 +01:00
user = authenticate(args.user, args.password)
if user then
2013-10-16 11:27:18 +02:00
ngx.status = ngx.HTTP_CREATED
2014-02-19 12:57:57 +01:00
set_auth_cookie(user, ngx.var.host)
2013-10-20 16:38:49 +02:00
if uri_args.r then
2014-01-31 21:25:46 +01:00
return redirect(portal_url.."?r="..uri_args.r)
else
return redirect(portal_url)
2013-10-15 10:11:39 +02:00
end
2013-10-20 16:38:49 +02:00
else
ngx.status = ngx.HTTP_UNAUTHORIZED
2013-10-20 22:07:26 +02:00
flash("fail", "Wrong username/password combination")
2013-10-20 16:38:49 +02:00
return redirect(portal_url)
2013-10-15 10:11:39 +02:00
end
2013-10-20 16:38:49 +02:00
end
function do_logout()
local args = ngx.req.get_uri_args()
2013-10-21 13:13:43 +02:00
if is_logged_in() then
2014-01-31 21:25:46 +01:00
cache:delete("session_"..ngx.var.cookie_SSOwAuthUser)
cache:delete(ngx.var.cookie_SSOwAuthUser.."-"..conf["ldap_identifier"]) -- Ugly trick to reload cache
2013-10-21 13:13:43 +02:00
flash("info", "Logged out")
2013-10-20 22:07:26 +02:00
return redirect(portal_url)
end
2013-10-16 11:27:18 +02:00
end
function redirect (url)
ngx.header["Set-Cookie"] = cookies
ngx.log(ngx.INFO, "Redirect to: "..url)
2013-10-16 17:30:08 +02:00
return ngx.redirect(url)
2013-10-15 10:11:39 +02:00
end
2013-10-15 13:58:16 +02:00
function pass ()
2013-10-20 22:07:26 +02:00
delete_redirect_cookie()
2013-10-16 17:30:08 +02:00
ngx.req.set_header("Set-Cookie", cookies)
2013-10-15 13:58:16 +02:00
return
end
2013-10-20 17:24:44 +02:00
--------------------------------------------------
-- Routing
--
2014-02-04 16:28:54 +01:00
-- Logging in
-- i.e. http://mydomain.org/?sso_login=a6e5320f
if ngx.var.host ~= conf["portal_domain"] and ngx.var.request_method == "GET" then
uri_args = ngx.req.get_uri_args()
if uri_args[conf.login_arg] then
cda_key = uri_args[conf.login_arg]
if login[cda_key] then
set_auth_cookie(login[cda_key], ngx.var.host)
ngx.log(ngx.NOTICE, "Cross-domain authentication: "..login[cda_key].." connected on "..ngx.var.host)
login[cda_key] = nil
uri_args[conf.login_arg] = nil
return redirect(ngx.var.uri..uri_args_string(uri_args))
end
2014-02-04 16:28:54 +01:00
end
end
2013-10-20 17:24:44 +02:00
-- Portal
-- i.e. http://mydomain.org/ssowat/*
if ngx.var.host == conf["portal_domain"]
2013-10-21 20:43:12 +02:00
and string.starts(ngx.var.uri, string.sub(conf["portal_path"], 1, -2))
2013-10-20 17:24:44 +02:00
then
if ngx.var.request_method == "GET" then
2013-10-21 20:43:12 +02:00
-- http://mydomain.org/ssowat
if ngx.var.uri.."/" == conf["portal_path"] then
return redirect(portal_url)
end
2013-10-20 17:24:44 +02:00
uri_args = ngx.req.get_uri_args()
if uri_args.action and uri_args.action == 'logout' then
-- Logout
return do_logout()
elseif is_logged_in() and uri_args.r then
back_url = ngx.decode_base64(uri_args.r)
if not string.match(back_url, "^http[s]?:\/\/"..ngx.var.host.."\/")
and not string.match(back_url, ".*"..conf.login_arg.."=%d+$") then
cda_key = tostring(math.random(1111111, 9999999))
login[cda_key] = ngx.var.cookie_SSOwAuthUser
if string.match(back_url, ".*?.*") then
back_url = back_url.."&"
else
back_url = back_url.."?"
end
back_url = back_url.."sso_login="..cda_key
end
return redirect(back_url)
2014-01-31 21:25:46 +01:00
2013-10-21 13:13:43 +02:00
elseif is_logged_in() -- Authenticated
2013-10-20 22:07:26 +02:00
or ngx.var.uri == conf["portal_path"] -- OR Want to serve portal login
or (string.starts(ngx.var.uri, conf["portal_path"].."assets")
and (not ngx.var.http_referer
or string.starts(ngx.var.http_referer, portal_url))) -- OR Want to serve assets for portal login
2013-10-20 18:25:24 +02:00
then
2013-10-20 17:24:44 +02:00
-- Serve normal portal
return serve(ngx.var.uri)
else
-- Redirect to portal
2013-10-20 22:07:26 +02:00
flash("info", "Please log in to access to this content")
2013-10-20 17:24:44 +02:00
return redirect(portal_url)
end
elseif ngx.var.request_method == "POST" then
2013-10-21 13:13:43 +02:00
-- CSRF protection
2013-10-20 17:24:44 +02:00
if string.starts(ngx.var.http_referer, portal_url) then
2013-10-21 13:13:43 +02:00
if string.ends(ngx.var.uri, conf["portal_path"].."password.html")
or string.ends(ngx.var.uri, conf["portal_path"].."edit.html")
then
return do_edit()
else
return do_login()
end
2013-10-20 17:24:44 +02:00
else
-- Redirect to portal
2013-10-20 22:07:26 +02:00
flash("fail", "Please log in from the portal")
2013-10-20 17:24:44 +02:00
return redirect(portal_url)
end
end
end
-- Redirected urls
function detect_redirection(redirect_url)
if string.starts(redirect_url, "http://")
or string.starts(redirect_url, "https://") then
return redirect(redirect_url)
elseif string.starts(redirect_url, "/") then
return redirect(ngx.var.scheme.."://"..ngx.var.host..redirect_url)
else
return redirect(ngx.var.scheme.."://"..redirect_url)
end
end
if conf["redirected_urls"] then
for url, redirect_url in pairs(conf["redirected_urls"]) do
if url == ngx.var.host..ngx.var.uri
or url == ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri
or url == ngx.var.uri then
detect_redirection(redirect_url)
end
end
end
if conf["redirected_regex"] then
for regex, redirect_url in pairs(conf["redirected_regex"]) do
if string.match(ngx.var.host..ngx.var.uri, regex)
or string.match(ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri, regex)
or string.match(ngx.var.uri, regex) then
detect_redirection(redirect_url)
end
end
end
2014-01-31 21:25:46 +01:00
2014-03-03 15:44:17 +01:00
-- URL that must be protected
function is_protected()
if not conf["protected_urls"] then
conf["protected_urls"] = {}
end
if not conf["protected_regex"] then
conf["protected_regex"] = {}
end
for _, url in ipairs(conf["protected_urls"]) do
if string.starts(ngx.var.host..ngx.var.uri, url)
or string.starts(ngx.var.uri, url) then
return true
end
end
for _, regex in ipairs(conf["protected_regex"]) do
if string.match(ngx.var.host..ngx.var.uri, regex)
or string.match(ngx.var.uri, regex) then
return true
end
end
return false
end
2013-10-20 17:24:44 +02:00
-- Skipped urls
-- i.e. http://mydomain.org/no_protection/
2014-03-03 15:04:08 +01:00
if conf["skipped_urls"] then
for _, url in ipairs(conf["skipped_urls"]) do
2014-03-03 15:44:17 +01:00
if (string.starts(ngx.var.host..ngx.var.uri, url)
or string.starts(ngx.var.uri, url))
and not is_protected() then
2014-03-03 15:04:08 +01:00
return pass()
end
end
end
if conf["skipped_regex"] then
for _, regex in ipairs(conf["skipped_regex"]) do
2014-03-03 15:44:17 +01:00
if (string.match(ngx.var.host..ngx.var.uri, regex)
or string.match(ngx.var.uri, regex))
and not is_protected() then
2014-03-03 15:04:08 +01:00
return pass()
end
2013-10-20 17:24:44 +02:00
end
end
2014-03-03 15:04:08 +01:00
2013-10-20 17:24:44 +02:00
-- Unprotected urls
-- i.e. http://mydomain.org/no_protection+headers/
2014-03-03 15:04:08 +01:00
if conf["unprotected_urls"] then
for _, url in ipairs(conf["unprotected_urls"]) do
2014-03-03 15:44:17 +01:00
if (string.starts(ngx.var.host..ngx.var.uri, url)
or string.starts(ngx.var.uri, url))
and not is_protected() then
2014-03-03 15:04:08 +01:00
if is_logged_in() then
set_headers()
end
return pass()
2013-10-20 17:24:44 +02:00
end
end
end
2014-03-03 15:04:08 +01:00
if conf["unprotected_regex"] then
for _, regex in ipairs(conf["unprotected_regex"]) do
2014-03-03 15:44:17 +01:00
if (string.match(ngx.var.host..ngx.var.uri, regex)
or string.match(ngx.var.uri, regex))
and not is_protected() then
2014-03-03 15:04:08 +01:00
if is_logged_in() then
set_headers()
end
return pass()
end
end
end
2013-10-20 17:24:44 +02:00
-- Cookie validation
--
2013-10-21 13:13:43 +02:00
if is_logged_in() then
if string.match(ngx.var.uri, "^/ynhpanel.js$") then
serve("/ynhsso/assets/js/ynhpanel.js")
end
2014-02-17 13:07:28 +01:00
if string.match(ngx.var.uri, "^/ynhpanel.css$") then
serve("/ynhsso/assets/css/ynhpanel.css")
end
if string.match(ngx.var.uri, "^/ynhpanel.json$") then
serve("/ynhsso/assets/js/ynhpanel.json")
end
2013-10-29 11:48:56 +01:00
if not has_access() then
2013-11-23 13:15:13 +01:00
return redirect(portal_url)
2013-10-29 11:48:56 +01:00
end
2013-10-21 13:13:43 +02:00
set_headers()
2013-10-20 22:07:26 +02:00
return pass()
2013-10-20 17:24:44 +02:00
end
-- Login with HTTP Auth if credentials are brought
--
local auth_header = ngx.req.get_headers()["Authorization"]
if auth_header then
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
2014-02-19 12:57:57 +01:00
user = authenticate(user, password)
if user then
2013-10-20 17:24:44 +02:00
set_headers(user)
return pass()
end
end
-- Else redirect to portal
--
2013-10-20 22:07:26 +02:00
flash("info", "Please log in to access to this content")
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri .. uri_args_string()
2013-10-20 17:24:44 +02:00
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))