2015-02-01 15:04:36 +01:00
|
|
|
--
|
|
|
|
-- helpers.lua
|
|
|
|
--
|
|
|
|
-- This is a file called at every request by the `access.lua` file. It contains
|
|
|
|
-- a set of useful functions related to HTTP and LDAP.
|
|
|
|
--
|
|
|
|
|
2015-02-15 13:03:01 +01:00
|
|
|
module('helpers', package.seeall)
|
2015-02-01 15:04:36 +01:00
|
|
|
|
2015-05-16 09:42:26 +02:00
|
|
|
local cache = ngx.shared.cache
|
|
|
|
local conf = config.get_config()
|
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
-- Read a FS stored file
|
|
|
|
function read_file(file)
|
|
|
|
local f = io.open(file, "rb")
|
|
|
|
if not f then return false end
|
|
|
|
local content = f:read("*all")
|
|
|
|
f:close()
|
|
|
|
return content
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Lua has no sugar :D
|
2016-04-30 12:40:59 +02:00
|
|
|
function is_in_table(t, v)
|
2015-02-01 15:04:36 +01:00
|
|
|
for key, value in ipairs(t) do
|
|
|
|
if value == v then return key end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2015-06-14 12:53:16 +02:00
|
|
|
-- Get the index of a value in a table
|
|
|
|
function index_of(t,val)
|
|
|
|
for k,v in ipairs(t) do
|
|
|
|
if v == val then return k end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
-- Test whether a string starts with another
|
2016-04-30 12:40:59 +02:00
|
|
|
function string.starts(String, Start)
|
2015-02-01 15:04:36 +01:00
|
|
|
return string.sub(String, 1, string.len(Start)) == Start
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Test whether a string ends with another
|
2016-04-30 12:40:59 +02:00
|
|
|
function string.ends(String, End)
|
2015-02-01 15:04:36 +01:00
|
|
|
return End=='' or string.sub(String, -string.len(End)) == End
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Find a string by its translate key in the right language
|
2016-04-30 12:40:59 +02:00
|
|
|
function t(key)
|
2015-02-12 12:08:52 +01:00
|
|
|
if conf.lang and i18n[conf.lang] then
|
|
|
|
return i18n[conf.lang][key] or ""
|
2015-02-01 15:04:36 +01:00
|
|
|
else
|
|
|
|
return i18n[conf["default_language"]][key] or ""
|
|
|
|
end
|
2015-02-12 12:08:52 +01:00
|
|
|
end
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
|
|
|
|
-- Store a message in the flash shared table in order to display it at the
|
|
|
|
-- next response
|
2016-04-30 12:40:59 +02:00
|
|
|
function flash(wat, message)
|
2015-02-01 15:04:36 +01:00
|
|
|
if wat == "fail"
|
|
|
|
or wat == "win"
|
|
|
|
or wat == "info"
|
|
|
|
then
|
|
|
|
flashs[wat] = message
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2017-05-18 08:34:36 +02:00
|
|
|
-- Hash a string using hmac_sha512, return a hexa string
|
|
|
|
function hmac_sha512(key, message)
|
2017-05-22 23:01:18 +02:00
|
|
|
local cache_key = key..":"..message
|
|
|
|
|
|
|
|
if not cache:get(cache_key) then
|
|
|
|
-- lua ecosystem is a disaster and it was not possible to find a good
|
|
|
|
-- easily multiplatform integrable code for this
|
|
|
|
-- Python has this buildin, so we call it directly
|
|
|
|
--
|
|
|
|
-- this is a bad and probably leak the key and the message in the process list
|
|
|
|
-- but if someone got there I guess we really have other problems
|
|
|
|
-- and also this is way better than the previous situation
|
|
|
|
local pipe = io.popen("echo -n '" ..message.. "' | openssl sha512 -hmac '" ..key.. "'")
|
|
|
|
|
|
|
|
-- openssl returns something like this:
|
|
|
|
-- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"
|
|
|
|
-- (stdin)= f1c2b1658fe64c5a3d16459f2f4eea213e4181905c190235b060ab2a4e7d6a41c15ea2c246828537a1e32ae524b7a7ed309e6d296089194c3e3e3efb98c1fbe3
|
|
|
|
--
|
|
|
|
-- so we need to remove the "(stdin)= " at the beginning
|
|
|
|
local hash = pipe:read():sub(string.len("(stdin)= ") + 1)
|
|
|
|
pipe:close()
|
|
|
|
|
|
|
|
cache:set(cache_key, hash, conf["session_timeout"])
|
|
|
|
return hash
|
|
|
|
else
|
|
|
|
return cache:get(cache_key)
|
|
|
|
end
|
2017-05-18 08:34:36 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
-- Convert a table of arguments to an URI string
|
2016-04-30 12:40:59 +02:00
|
|
|
function uri_args_string(args)
|
2015-02-01 15:04:36 +01:00
|
|
|
if not args then
|
|
|
|
args = ngx.req.get_uri_args()
|
|
|
|
end
|
|
|
|
String = "?"
|
|
|
|
for k,v in pairs(args) do
|
|
|
|
String = String..tostring(k).."="..tostring(v).."&"
|
|
|
|
end
|
|
|
|
return string.sub(String, 1, string.len(String) - 1)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2015-05-16 09:42:26 +02:00
|
|
|
-- Set the Cross-Domain-Authentication key for a specific user
|
2016-04-30 12:40:59 +02:00
|
|
|
function set_cda_key()
|
2015-05-16 09:42:26 +02:00
|
|
|
local cda_key = random_string()
|
2017-05-17 10:44:26 +02:00
|
|
|
cache:set("CDA|"..cda_key, authUser, 10)
|
2015-05-16 09:42:26 +02:00
|
|
|
return cda_key
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
-- Compute and set the authentication cookie
|
|
|
|
--
|
|
|
|
-- Sets 3 cookies containing:
|
|
|
|
-- * The username
|
|
|
|
-- * The expiration time
|
|
|
|
-- * A hash of those information along with the client IP address and a unique
|
|
|
|
-- session key
|
|
|
|
--
|
|
|
|
-- It enables the SSO to quickly retrieve the username and the session
|
|
|
|
-- expiration time, and to prove their authenticity to avoid session hijacking.
|
|
|
|
--
|
2016-04-30 12:40:59 +02:00
|
|
|
function set_auth_cookie(user, domain)
|
2015-02-01 15:04:36 +01:00
|
|
|
local maxAge = conf["session_max_timeout"]
|
|
|
|
local expire = ngx.req.start_time() + maxAge
|
|
|
|
local session_key = cache:get("session_"..user)
|
|
|
|
if not session_key then
|
2015-04-30 15:08:08 +02:00
|
|
|
session_key = random_string()
|
2015-02-01 15:04:36 +01:00
|
|
|
cache:add("session_"..user, session_key, conf["session_max_timeout"])
|
|
|
|
end
|
2017-05-18 08:34:36 +02:00
|
|
|
local hash = hmac_sha512(srvkey,
|
2017-05-17 21:48:19 +02:00
|
|
|
user..
|
2015-02-01 15:04:36 +01:00
|
|
|
"|"..expire..
|
|
|
|
"|"..session_key)
|
|
|
|
local cookie_str = "; Domain=."..domain..
|
|
|
|
"; Path=/"..
|
2017-02-28 15:36:04 +01:00
|
|
|
"; Expires="..os.date("%a, %d %b %Y %X UTC;", expire)..
|
|
|
|
"; Secure"
|
2015-05-21 16:11:33 +02:00
|
|
|
|
|
|
|
ngx.header["Set-Cookie"] = {
|
|
|
|
"SSOwAuthUser="..user..cookie_str,
|
|
|
|
"SSOwAuthHash="..hash..cookie_str,
|
|
|
|
"SSOwAuthExpire="..expire..cookie_str
|
|
|
|
}
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Expires the 3 session cookies
|
2016-04-30 12:40:59 +02:00
|
|
|
function delete_cookie()
|
2015-06-02 17:01:56 +02:00
|
|
|
conf = config.get_config()
|
|
|
|
|
2017-02-28 15:38:46 +01:00
|
|
|
local expired_time = "Thu, 01 Jan 1970 00:00:00 UTC;"
|
2015-02-01 15:04:36 +01:00
|
|
|
for _, domain in ipairs(conf["domains"]) do
|
|
|
|
local cookie_str = "; Domain=."..domain..
|
|
|
|
"; Path=/"..
|
2017-02-28 15:36:04 +01:00
|
|
|
"; Expires="..expired_time..
|
|
|
|
"; Secure"
|
2015-05-21 16:11:33 +02:00
|
|
|
ngx.header["Set-Cookie"] = {
|
|
|
|
"SSOwAuthUser="..cookie_str,
|
|
|
|
"SSOwAuthHash="..cookie_str,
|
|
|
|
"SSOwAuthExpire="..cookie_str
|
|
|
|
}
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Expires the redirection cookie
|
2016-04-30 12:40:59 +02:00
|
|
|
function delete_redirect_cookie()
|
2017-02-28 15:38:46 +01:00
|
|
|
local expired_time = "Thu, 01 Jan 1970 00:00:00 UTC;"
|
2015-02-01 15:04:36 +01:00
|
|
|
local cookie_str = "; Path="..conf["portal_path"]..
|
2017-02-28 15:36:04 +01:00
|
|
|
"; Expires="..expired_time..
|
|
|
|
"; Secure"
|
2015-05-21 16:11:33 +02:00
|
|
|
ngx.header["Set-Cookie"] = "SSOwAuthRedirect=;" ..cookie_str
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Validate authentification
|
|
|
|
--
|
|
|
|
-- Check if the session cookies are set, and rehash server + client information
|
|
|
|
-- to match the session hash.
|
|
|
|
--
|
2016-04-30 12:40:59 +02:00
|
|
|
function is_logged_in()
|
2015-05-16 21:03:06 +02:00
|
|
|
local expireTime = ngx.var.cookie_SSOwAuthExpire
|
|
|
|
local user = ngx.var.cookie_SSOwAuthUser
|
|
|
|
local authHash = ngx.var.cookie_SSOwAuthHash
|
|
|
|
|
|
|
|
if expireTime and expireTime ~= ""
|
|
|
|
and authHash and authHash ~= ""
|
|
|
|
and user and user ~= ""
|
2015-02-01 15:04:36 +01:00
|
|
|
then
|
|
|
|
-- Check expire time
|
2015-05-16 21:03:06 +02:00
|
|
|
if (ngx.req.start_time() <= tonumber(expireTime)) then
|
2015-02-01 15:04:36 +01:00
|
|
|
-- Check hash
|
2015-05-16 21:03:06 +02:00
|
|
|
local session_key = cache:get("session_"..user)
|
2015-02-01 15:04:36 +01:00
|
|
|
if session_key and session_key ~= "" then
|
|
|
|
-- Check cache
|
2015-05-16 21:03:06 +02:00
|
|
|
if cache:get(user.."-password") then
|
|
|
|
authUser = user
|
2017-05-18 08:34:36 +02:00
|
|
|
local hash = hmac_sha512(srvkey,
|
2017-05-17 21:48:19 +02:00
|
|
|
authUser..
|
2015-05-16 21:03:06 +02:00
|
|
|
"|"..expireTime..
|
2015-02-01 15:04:36 +01:00
|
|
|
"|"..session_key)
|
2015-05-16 21:03:06 +02:00
|
|
|
return hash == authHash
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Check whether a user is allowed to access a URL using the `users` directive
|
|
|
|
-- of the configuration file
|
2016-04-30 12:40:59 +02:00
|
|
|
function has_access(user, url)
|
2015-05-16 21:03:06 +02:00
|
|
|
user = user or authUser
|
2015-02-01 15:04:36 +01:00
|
|
|
url = url or ngx.var.host..ngx.var.uri
|
|
|
|
|
2015-06-02 17:01:56 +02:00
|
|
|
if not conf["users"][user] then
|
|
|
|
conf = config.get_config()
|
|
|
|
end
|
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
-- If there are no `users` directive, or if the user has no ACL set, he can
|
|
|
|
-- access the URL by default
|
|
|
|
if not conf["users"] or not conf["users"][user] then
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Loop through user's ACLs and return if the URL is authorized.
|
|
|
|
for u, _ in pairs(conf["users"][user]) do
|
|
|
|
|
|
|
|
-- Replace the original domain by a local one if you are connected from
|
|
|
|
-- a non-global domain name.
|
|
|
|
if ngx.var.host == conf["local_portal_domain"] then
|
|
|
|
u = string.gsub(u, conf["original_portal_domain"], conf["local_portal_domain"])
|
|
|
|
end
|
|
|
|
|
|
|
|
if string.starts(url, string.sub(u, 1, -2)) then return true end
|
|
|
|
end
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Authenticate a user against the LDAP database using a username or an email
|
|
|
|
-- address.
|
|
|
|
-- Reminder: conf["ldap_identifier"] is "uid" by default
|
2016-04-30 12:40:59 +02:00
|
|
|
function authenticate(user, password)
|
2015-06-02 17:01:56 +02:00
|
|
|
conf = config.get_config()
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
-- Try to find the username from an email address by openning an anonymous
|
|
|
|
-- LDAP connection and check if the email address exists
|
|
|
|
if conf["allow_mail_authentication"] and string.find(user, "@") then
|
|
|
|
ldap = lualdap.open_simple(conf["ldap_host"])
|
|
|
|
for dn, attribs in ldap:search {
|
|
|
|
base = conf["ldap_group"],
|
|
|
|
scope = "onelevel",
|
|
|
|
sizelimit = 1,
|
|
|
|
filter = "(mail="..user..")",
|
|
|
|
attrs = {conf["ldap_identifier"]}
|
|
|
|
} do
|
|
|
|
if attribs[conf["ldap_identifier"]] then
|
|
|
|
ngx.log(ngx.NOTICE, "Use email: "..user)
|
|
|
|
user = attribs[conf["ldap_identifier"]]
|
|
|
|
else
|
|
|
|
ngx.log(ngx.ERR, "Unknown email: "..user)
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
ldap:close()
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Now that we have a username, we can try connecting to the LDAP base.
|
|
|
|
connected = lualdap.open_simple (
|
|
|
|
conf["ldap_host"],
|
|
|
|
conf["ldap_identifier"].."=".. user ..","..conf["ldap_group"],
|
|
|
|
password
|
|
|
|
)
|
|
|
|
|
|
|
|
cache:flush_expired()
|
|
|
|
|
|
|
|
-- If we are connected, we can retrieve the password and put it in the
|
|
|
|
-- cache shared table in order to eventually reuse it later when updating
|
|
|
|
-- profile information or just passing credentials to an application.
|
|
|
|
if connected then
|
|
|
|
cache:add(user.."-password", password, conf["session_timeout"])
|
|
|
|
ngx.log(ngx.NOTICE, "Connected as: "..user)
|
|
|
|
return user
|
|
|
|
|
|
|
|
-- Else, the username/email or the password is wrong
|
|
|
|
else
|
|
|
|
ngx.log(ngx.ERR, "Connection failed for: "..user)
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-11-15 15:49:53 +01:00
|
|
|
function delete_user_info_cache(user)
|
|
|
|
cache:delete(user.."-"..conf["ldap_identifier"])
|
|
|
|
local i = 2
|
|
|
|
while cache:get(user.."-mail|"..i) do
|
|
|
|
cache:delete(user.."-mail|"..i)
|
|
|
|
i = i + 1
|
|
|
|
end
|
|
|
|
local i = 2
|
|
|
|
while cache:get(user.."-maildrop|"..i) do
|
|
|
|
cache:delete(user.."-maildrop|"..i)
|
|
|
|
i = i + 1
|
|
|
|
end
|
|
|
|
end
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
-- Set the authentication headers in order to pass credentials to the
|
|
|
|
-- application underneath.
|
2016-04-30 12:40:59 +02:00
|
|
|
function set_headers(user)
|
2015-02-01 15:04:36 +01:00
|
|
|
|
2016-11-15 15:49:53 +01:00
|
|
|
-- We definitely don't want to pass credentials on a non-encrypted
|
2015-02-01 15:04:36 +01:00
|
|
|
-- connection.
|
|
|
|
if ngx.var.scheme ~= "https" then
|
|
|
|
return redirect("https://"..ngx.var.host..ngx.var.uri..uri_args_string())
|
|
|
|
end
|
|
|
|
|
2015-05-16 21:03:06 +02:00
|
|
|
local user = user or authUser
|
2015-02-01 15:04:36 +01:00
|
|
|
|
2016-11-15 15:49:53 +01:00
|
|
|
-- If the password is not in cache or if the cache has expired, ask for
|
2015-02-01 15:04:36 +01:00
|
|
|
-- logging.
|
|
|
|
if not cache:get(user.."-password") then
|
|
|
|
flash("info", t("please_login"))
|
|
|
|
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri .. uri_args_string()
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url))
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
|
|
|
|
-- If the user information is not in cache, open an LDAP connection and
|
|
|
|
-- fetch it.
|
|
|
|
if not cache:get(user.."-"..conf["ldap_identifier"]) then
|
2016-01-12 11:48:07 +01:00
|
|
|
ldap = lualdap.open_simple(
|
|
|
|
conf["ldap_host"],
|
|
|
|
conf["ldap_identifier"].."=".. user ..","..conf["ldap_group"],
|
|
|
|
cache:get(user.."-password")
|
|
|
|
)
|
2015-02-01 15:04:36 +01:00
|
|
|
ngx.log(ngx.NOTICE, "Reloading LDAP values for: "..user)
|
|
|
|
for dn, attribs in ldap:search {
|
|
|
|
base = conf["ldap_identifier"].."=".. user ..","..conf["ldap_group"],
|
|
|
|
scope = "base",
|
|
|
|
sizelimit = 1,
|
|
|
|
attrs = conf["ldap_attributes"]
|
|
|
|
} do
|
|
|
|
for k,v in pairs(attribs) do
|
|
|
|
if type(v) == "table" then
|
|
|
|
for k2,v2 in ipairs(v) do
|
|
|
|
if k2 == 1 then cache:set(user.."-"..k, v2, conf["session_timeout"]) end
|
|
|
|
cache:set(user.."-"..k.."|"..k2, v2, conf["session_max_timeout"])
|
|
|
|
end
|
|
|
|
else
|
|
|
|
cache:set(user.."-"..k, v, conf["session_timeout"])
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
else
|
|
|
|
-- Else, just revalidate session for another day by default
|
|
|
|
password = cache:get(user.."-password")
|
|
|
|
cache:set(user.."-password", password, conf["session_timeout"])
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Set `authorization` header to enable HTTP authentification
|
|
|
|
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
|
|
|
|
user..":"..cache:get(user.."-password")
|
|
|
|
))
|
|
|
|
|
|
|
|
-- Set optionnal additional headers (typically to pass email address)
|
|
|
|
for k, v in pairs(conf["additional_headers"]) do
|
|
|
|
ngx.req.set_header(k, cache:get(user.."-"..v))
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Summarize email, aliases and forwards in a table for a specific user
|
|
|
|
function get_mails(user)
|
|
|
|
local mails = { mail = "", mailalias = {}, maildrop = {} }
|
|
|
|
|
|
|
|
-- default mail
|
|
|
|
mails["mail"] = cache:get(user.."-mail")
|
|
|
|
|
|
|
|
-- mail aliases
|
|
|
|
if cache:get(user.."-mail|2") then
|
|
|
|
local i = 2
|
|
|
|
while cache:get(user.."-mail|"..i) do
|
|
|
|
table.insert(mails["mailalias"], cache:get(user.."-mail|"..i))
|
|
|
|
i = i + 1
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
-- mail forward
|
|
|
|
if cache:get(user.."-maildrop|2") then
|
|
|
|
local i = 2
|
|
|
|
while cache:get(user.."-maildrop|"..i) do
|
|
|
|
table.insert(mails["maildrop"], cache:get(user.."-maildrop|"..i))
|
|
|
|
i = i + 1
|
|
|
|
end
|
|
|
|
end
|
|
|
|
return mails
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Yo dawg, this enables SSOwat to serve files in HTTP in an HTTP server
|
|
|
|
-- Much reliable, very solid.
|
|
|
|
--
|
|
|
|
-- Takes an URI, and returns file content with the proper HTTP headers.
|
|
|
|
-- It is used to render the SSOwat portal *only*.
|
|
|
|
function serve(uri)
|
|
|
|
rel_path = string.gsub(uri, conf["portal_path"], "/")
|
|
|
|
|
|
|
|
-- Load login.html as index
|
|
|
|
if rel_path == "/" then
|
|
|
|
if is_logged_in() then
|
|
|
|
rel_path = "/info.html"
|
|
|
|
else
|
|
|
|
rel_path = "/login.html"
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Access to directory root: forbidden
|
|
|
|
if string.ends(rel_path, "/") then
|
|
|
|
return ngx.exit(ngx.HTTP_FORBIDDEN)
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Try to get file content
|
|
|
|
local content = read_file(script_path.."portal"..rel_path)
|
|
|
|
if not content then
|
|
|
|
return ngx.exit(ngx.HTTP_NOT_FOUND)
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Extract file extension
|
|
|
|
_, file, ext = string.match(rel_path, "(.-)([^\\/]-%.?([^%.\\/]*))$")
|
|
|
|
|
|
|
|
-- Associate to MIME type
|
|
|
|
mime_types = {
|
|
|
|
html = "text/html",
|
|
|
|
ms = "text/html",
|
|
|
|
js = "text/javascript",
|
|
|
|
map = "text/javascript",
|
|
|
|
css = "text/css",
|
|
|
|
gif = "image/gif",
|
|
|
|
jpg = "image/jpeg",
|
|
|
|
png = "image/png",
|
|
|
|
svg = "image/svg+xml",
|
|
|
|
ico = "image/vnd.microsoft.icon",
|
|
|
|
woff = "application/x-font-woff",
|
|
|
|
json = "application/json"
|
|
|
|
}
|
|
|
|
|
|
|
|
-- Set Content-Type
|
|
|
|
if mime_types[ext] then
|
|
|
|
ngx.header["Content-Type"] = mime_types[ext]
|
|
|
|
else
|
|
|
|
ngx.header["Content-Type"] = "text/plain"
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Render as mustache
|
|
|
|
if ext == "html" then
|
|
|
|
local data = get_data_for(file)
|
|
|
|
local rendered = hige.render(read_file(script_path.."portal/header.ms"), data)
|
|
|
|
rendered = rendered..hige.render(content, data)
|
|
|
|
content = rendered..hige.render(read_file(script_path.."portal/footer.ms"), data)
|
|
|
|
elseif ext == "ms" then
|
|
|
|
local data = get_data_for(file)
|
|
|
|
content = hige.render(content, data)
|
|
|
|
elseif ext == "json" then
|
|
|
|
local data = get_data_for(file)
|
|
|
|
content = json.encode(data)
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Reset flash messages
|
|
|
|
flashs["fail"] = nil
|
|
|
|
flashs["win"] = nil
|
|
|
|
flashs["info"] = nil
|
|
|
|
|
|
|
|
-- Ain't nobody got time for cache
|
|
|
|
ngx.header["Cache-Control"] = "no-cache"
|
|
|
|
|
|
|
|
-- Print file content
|
|
|
|
ngx.say(content)
|
|
|
|
|
|
|
|
-- Return 200 :-)
|
|
|
|
return ngx.exit(ngx.HTTP_OK)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Simple controller that computes a data table to populate a specific view.
|
|
|
|
-- The resulting data table typically contains the user information, the page
|
|
|
|
-- title, the flash notifications' content and the translated strings.
|
|
|
|
function get_data_for(view)
|
2015-05-16 21:03:06 +02:00
|
|
|
local user = authUser
|
2015-06-02 17:01:56 +02:00
|
|
|
conf = config.get_config()
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
-- For the login page we only need the page title
|
|
|
|
if view == "login.html" then
|
|
|
|
data = {
|
|
|
|
title = t("login"),
|
|
|
|
connected = false
|
|
|
|
}
|
|
|
|
|
|
|
|
-- For those views, we may need user information
|
|
|
|
elseif view == "info.html"
|
|
|
|
or view == "edit.html"
|
|
|
|
or view == "password.html"
|
|
|
|
or view == "ynhpanel.json" then
|
2016-11-15 15:49:53 +01:00
|
|
|
|
|
|
|
-- Invalidate cache before loading these views.
|
|
|
|
-- Needed if the LDAP db is changed outside ssowat (from the cli for example).
|
|
|
|
-- Not doing it for ynhpanel.json only for performance reasons,
|
|
|
|
-- so the panel could show wrong first name, last name or main email address
|
|
|
|
if view ~= "ynhpanel.json" then
|
|
|
|
delete_user_info_cache(user)
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Be sure cache is loaded
|
2015-02-01 15:04:36 +01:00
|
|
|
set_headers(user)
|
|
|
|
|
|
|
|
local mails = get_mails(user)
|
|
|
|
data = {
|
|
|
|
connected = true,
|
2015-02-12 12:08:52 +01:00
|
|
|
portal_url = conf.portal_url,
|
2015-02-01 15:04:36 +01:00
|
|
|
uid = user,
|
|
|
|
cn = cache:get(user.."-cn"),
|
|
|
|
sn = cache:get(user.."-sn"),
|
|
|
|
givenName = cache:get(user.."-givenName"),
|
|
|
|
mail = mails["mail"],
|
|
|
|
mailalias = mails["mailalias"],
|
|
|
|
maildrop = mails["maildrop"],
|
|
|
|
app = {}
|
|
|
|
}
|
|
|
|
|
2015-06-14 12:53:16 +02:00
|
|
|
local sorted_apps = {}
|
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
-- Add user's accessible URLs using the ACLs.
|
|
|
|
-- It is typically used to build the app list.
|
|
|
|
for url, name in pairs(conf["users"][user]) do
|
|
|
|
|
|
|
|
if ngx.var.host == conf["local_portal_domain"] then
|
|
|
|
url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"])
|
|
|
|
end
|
2015-06-14 12:53:16 +02:00
|
|
|
table.insert(sorted_apps, name)
|
|
|
|
table.sort(sorted_apps)
|
|
|
|
table.insert(data["app"], index_of(sorted_apps, name), { url = url, name = name })
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-02-15 13:03:01 +01:00
|
|
|
-- Pass all the translated strings to the view (to use with t_<key>)
|
|
|
|
if conf.lang and i18n[conf.lang] then
|
|
|
|
translate_table = i18n[conf.lang]
|
|
|
|
else
|
|
|
|
translate_table = i18n[conf["default_language"]]
|
|
|
|
end
|
|
|
|
for k, v in pairs(translate_table) do
|
|
|
|
data["t_"..k] = v
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Pass flash notification content
|
|
|
|
data['flash_fail'] = {flashs["fail"]}
|
|
|
|
data['flash_win'] = {flashs["win"] }
|
|
|
|
data['flash_info'] = {flashs["info"]}
|
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
return data
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Compute the user modification POST request
|
|
|
|
-- It has to update cached information and edit the LDAP user entry
|
|
|
|
-- according to the changes detected.
|
2016-04-30 12:40:59 +02:00
|
|
|
function edit_user()
|
2015-06-02 17:01:56 +02:00
|
|
|
conf = config.get_config()
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
-- We need these calls since we are in a POST request
|
|
|
|
ngx.req.read_body()
|
|
|
|
local args = ngx.req.get_post_args()
|
|
|
|
|
|
|
|
-- Ensure that user is logged in and has passed information
|
|
|
|
-- before continuing.
|
|
|
|
if is_logged_in() and args
|
|
|
|
then
|
|
|
|
|
|
|
|
-- Set HTTP status to 201
|
|
|
|
ngx.status = ngx.HTTP_CREATED
|
2015-05-16 21:03:06 +02:00
|
|
|
local user = authUser
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
-- In case of a password modification
|
|
|
|
-- TODO: split this into a new function
|
|
|
|
if string.ends(ngx.var.uri, "password.html") then
|
|
|
|
|
|
|
|
-- Check current password against the cached one
|
|
|
|
if args.currentpassword
|
|
|
|
and args.currentpassword == cache:get(user.."-password")
|
|
|
|
then
|
|
|
|
-- and the new password against the confirmation field's content
|
|
|
|
if args.newpassword == args.confirm then
|
|
|
|
local dn = conf["ldap_identifier"].."="..user..","..conf["ldap_group"]
|
|
|
|
|
|
|
|
-- Open the LDAP connection
|
|
|
|
local ldap = lualdap.open_simple(conf["ldap_host"], dn, args.currentpassword)
|
|
|
|
local password = "{SHA}"..ngx.encode_base64(ngx.sha1_bin(args.newpassword))
|
|
|
|
|
|
|
|
-- Modify the LDAP information
|
|
|
|
if ldap:modify(dn, {'=', userPassword = password }) then
|
|
|
|
flash("win", t("password_changed"))
|
|
|
|
|
|
|
|
-- Reset the password cache
|
|
|
|
cache:set(user.."-password", args.newpassword, conf["session_timeout"])
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."info.html")
|
2015-02-01 15:04:36 +01:00
|
|
|
else
|
|
|
|
flash("fail", t("password_changed_error"))
|
|
|
|
end
|
|
|
|
else
|
|
|
|
flash("fail", t("password_not_match"))
|
|
|
|
end
|
|
|
|
else
|
|
|
|
flash("fail", t("wrong_current_password"))
|
|
|
|
end
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."password.html")
|
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
-- In case of profile modification
|
|
|
|
-- TODO: split this into a new function
|
|
|
|
elseif string.ends(ngx.var.uri, "edit.html") then
|
|
|
|
|
|
|
|
-- Check that needed arguments exist
|
|
|
|
if args.givenName and args.sn and args.mail then
|
|
|
|
|
|
|
|
-- Unstack mailaliases
|
|
|
|
local mailalias = {}
|
|
|
|
if args["mailalias[]"] then
|
|
|
|
if type(args["mailalias[]"]) == "string" then
|
|
|
|
args["mailalias[]"] = {args["mailalias[]"]}
|
|
|
|
end
|
|
|
|
mailalias = args["mailalias[]"]
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Unstack mail forwards
|
|
|
|
local maildrop = {}
|
|
|
|
if args["maildrop[]"] then
|
|
|
|
if type(args["maildrop[]"]) == "string" then
|
|
|
|
args["maildrop[]"] = {args["maildrop[]"]}
|
|
|
|
end
|
|
|
|
maildrop = args["maildrop[]"]
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Limit domains per user:
|
|
|
|
-- This ensures that a user already has an email address or an
|
|
|
|
-- aliases that ends with a specific domain to claim new aliases
|
|
|
|
-- on this domain.
|
|
|
|
--
|
|
|
|
-- I.E. You need to have xxx@domain.org to claim a
|
|
|
|
-- yyy@domain.org alias.
|
|
|
|
--
|
|
|
|
local domains = {}
|
|
|
|
local ldap = lualdap.open_simple(conf["ldap_host"])
|
|
|
|
for dn, attribs in ldap:search {
|
|
|
|
base = conf["ldap_group"],
|
|
|
|
scope = "onelevel",
|
|
|
|
sizelimit = 1,
|
|
|
|
filter = "(uid="..user..")",
|
|
|
|
attrs = {"mail"}
|
|
|
|
} do
|
2015-06-30 21:02:58 +02:00
|
|
|
-- Construct proper emails array
|
|
|
|
local mail_list = {}
|
|
|
|
local mail_attr = attribs["mail"]
|
|
|
|
if type(mail_attr) == "string" then
|
|
|
|
mail_list = { mail_attr }
|
|
|
|
elseif type(mail_attr) == "table" then
|
|
|
|
mail_list = mail_attr
|
|
|
|
end
|
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
-- Filter configuration's domain list to keep only
|
|
|
|
-- "allowed" domains
|
|
|
|
for _, domain in ipairs(conf["domains"]) do
|
2015-06-02 17:01:56 +02:00
|
|
|
for k, mail in ipairs(mail_list) do
|
2015-02-01 15:04:36 +01:00
|
|
|
if string.ends(mail, "@"..domain) then
|
|
|
|
if not is_in_table(domains, domain) then
|
|
|
|
table.insert(domains, domain)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
ldap:close()
|
|
|
|
|
2015-02-15 22:31:20 +01:00
|
|
|
local rex = require "rex_pcre"
|
2015-02-16 16:31:21 +01:00
|
|
|
local rex_flags = rex.flags()
|
2015-03-31 11:29:45 +02:00
|
|
|
local mail_re = rex.new([[^[\w\.\-+%]+@([^\W_A-Z]+([\-]*[^\W_A-Z]+)*\.)+([^\W\d_]{2,})$]], rex_flags.UTF8 + rex_flags.UCP)
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
local mails = {}
|
|
|
|
|
|
|
|
-- Build an LDAP filter so that we can ensure that email
|
|
|
|
-- addresses are used only once.
|
|
|
|
local filter = "(|"
|
|
|
|
table.insert(mailalias, 1, args.mail)
|
|
|
|
|
|
|
|
-- Loop through all the aliases
|
|
|
|
for k, mail in ipairs(mailalias) do
|
|
|
|
if mail ~= "" then
|
|
|
|
-- Check the mail pattern
|
2015-02-15 22:31:20 +01:00
|
|
|
if not mail_re:match(mail) then
|
2015-02-01 15:04:36 +01:00
|
|
|
flash("fail", t("invalid_mail")..": "..mail)
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."edit.html")
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
-- Check that the domain is known and allowed
|
|
|
|
else
|
|
|
|
local domain_valid = false
|
|
|
|
for _, domain in ipairs(domains) do
|
|
|
|
if string.ends(mail, "@"..domain) then
|
|
|
|
domain_valid = true
|
|
|
|
break
|
|
|
|
end
|
|
|
|
end
|
|
|
|
if domain_valid then
|
|
|
|
table.insert(mails, mail)
|
|
|
|
filter = filter.."(mail="..mail..")"
|
|
|
|
else
|
|
|
|
flash("fail", t("invalid_domain").." "..mail)
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."edit.html")
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
-- filter should look like "(|(mail=my@mail.tld)(mail=my@mail2.tld))"
|
|
|
|
filter = filter..")"
|
|
|
|
|
2015-02-12 12:08:52 +01:00
|
|
|
|
2015-02-01 15:04:36 +01:00
|
|
|
-- For email forwards, we only need to check that they look
|
|
|
|
-- like actual emails
|
|
|
|
local drops = {}
|
|
|
|
for k, mail in ipairs(maildrop) do
|
|
|
|
if mail ~= "" then
|
2015-02-15 22:31:20 +01:00
|
|
|
if not mail_re:match(mail) then
|
2015-02-01 15:04:36 +01:00
|
|
|
flash("fail", t("invalid_mailforward")..": "..mail)
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."edit.html")
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
table.insert(drops, mail)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
table.insert(drops, 1, user)
|
|
|
|
|
|
|
|
|
|
|
|
-- We now have a list of validated emails and forwards.
|
|
|
|
-- We need to check if there is a user with a claimed email
|
|
|
|
-- already before writing modifications to the LDAP.
|
|
|
|
local dn = conf["ldap_identifier"].."="..user..","..conf["ldap_group"]
|
|
|
|
local ldap = lualdap.open_simple(conf["ldap_host"], dn, cache:get(user.."-password"))
|
|
|
|
local cn = args.givenName.." "..args.sn
|
|
|
|
|
|
|
|
for dn, attribs in ldap:search {
|
|
|
|
base = conf["ldap_group"],
|
|
|
|
scope = "onelevel",
|
|
|
|
filter = filter,
|
|
|
|
attrs = {conf["ldap_identifier"], "mail"}
|
|
|
|
} do
|
|
|
|
-- Another user with one of these emails has been found.
|
|
|
|
if attribs[conf["ldap_identifier"]] and attribs[conf["ldap_identifier"]] ~= user then
|
2015-06-30 21:02:58 +02:00
|
|
|
-- Construct proper emails array
|
|
|
|
local mail_list = {}
|
|
|
|
local mail_attr = attribs["mail"]
|
|
|
|
if type(mail_attr) == "string" then
|
|
|
|
mail_list = { mail_attr }
|
|
|
|
elseif type(mail_attr) == "table" then
|
|
|
|
mail_list = mail_attr
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
2015-06-30 21:02:58 +02:00
|
|
|
|
|
|
|
for _, mail in ipairs(mail_list) do
|
2015-02-01 15:04:36 +01:00
|
|
|
if is_in_table(mails, mail) then
|
|
|
|
flash("fail", t("mail_already_used").." "..mail)
|
|
|
|
end
|
|
|
|
end
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."edit.html")
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
-- No problem so far, we can write modifications to the LDAP
|
|
|
|
if ldap:modify(dn, {'=', cn = cn,
|
|
|
|
givenName = args.givenName,
|
|
|
|
sn = args.sn,
|
|
|
|
mail = mails,
|
|
|
|
maildrop = drops })
|
|
|
|
then
|
2016-11-15 15:49:53 +01:00
|
|
|
delete_user_info_cache(user)
|
2015-02-01 15:04:36 +01:00
|
|
|
-- Ugly trick to force cache reloading
|
|
|
|
set_headers(user)
|
|
|
|
flash("win", t("information_updated"))
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."info.html")
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
else
|
|
|
|
flash("fail", t("user_saving_fail"))
|
|
|
|
end
|
|
|
|
else
|
|
|
|
flash("fail", t("missing_required_fields"))
|
|
|
|
end
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."edit.html")
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Compute the user login POST request
|
|
|
|
-- It authenticates the user against the LDAP base then redirects to the portal
|
2016-04-30 12:40:59 +02:00
|
|
|
function login()
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
-- We need these calls since we are in a POST request
|
|
|
|
ngx.req.read_body()
|
|
|
|
local args = ngx.req.get_post_args()
|
|
|
|
local uri_args = ngx.req.get_uri_args()
|
|
|
|
|
2015-06-02 17:01:56 +02:00
|
|
|
args.user = string.lower(args.user)
|
|
|
|
|
2015-05-16 21:03:06 +02:00
|
|
|
local user = authenticate(args.user, args.password)
|
2015-02-01 15:04:36 +01:00
|
|
|
if user then
|
|
|
|
ngx.status = ngx.HTTP_CREATED
|
|
|
|
set_auth_cookie(user, ngx.var.host)
|
|
|
|
else
|
|
|
|
ngx.status = ngx.HTTP_UNAUTHORIZED
|
|
|
|
flash("fail", t("wrong_username_password"))
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Forward the `r` URI argument if it exists to redirect
|
|
|
|
-- the user properly after a successful login.
|
|
|
|
if uri_args.r then
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url.."?r="..uri_args.r)
|
2015-02-01 15:04:36 +01:00
|
|
|
else
|
2015-02-12 12:08:52 +01:00
|
|
|
return redirect(conf.portal_url)
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2015-02-12 12:08:52 +01:00
|
|
|
-- Compute the user logout request
|
2015-02-01 15:04:36 +01:00
|
|
|
-- It deletes session cached information to invalidate client side cookie
|
|
|
|
-- information.
|
2015-02-12 12:08:52 +01:00
|
|
|
function logout()
|
2015-02-01 15:04:36 +01:00
|
|
|
|
|
|
|
-- We need this call since we are in a POST request
|
|
|
|
local args = ngx.req.get_uri_args()
|
|
|
|
|
2017-02-23 17:53:17 +01:00
|
|
|
-- Delete user cookie if logged in (that should always be the case)
|
2015-02-01 15:04:36 +01:00
|
|
|
if is_logged_in() then
|
2017-02-28 15:36:45 +01:00
|
|
|
delete_cookie()
|
2015-05-16 21:03:06 +02:00
|
|
|
cache:delete("session_"..authUser)
|
|
|
|
cache:delete(authUser.."-"..conf["ldap_identifier"]) -- Ugly trick to reload cache
|
2015-02-01 15:04:36 +01:00
|
|
|
flash("info", t("logged_out"))
|
|
|
|
end
|
2017-02-23 17:53:17 +01:00
|
|
|
|
|
|
|
-- Redirect to portal anyway
|
|
|
|
return redirect(conf.portal_url)
|
2015-02-01 15:04:36 +01:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Set cookie and redirect (needed to properly set cookie)
|
2016-04-30 12:40:59 +02:00
|
|
|
function redirect(url)
|
2015-05-16 21:03:06 +02:00
|
|
|
ngx.log(ngx.NOTICE, "Redirect to: "..url)
|
2015-02-01 15:04:36 +01:00
|
|
|
return ngx.redirect(url)
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
-- Set cookie and go on with the response (needed to properly set cookie)
|
2016-04-30 12:40:59 +02:00
|
|
|
function pass()
|
2015-02-01 15:04:36 +01:00
|
|
|
delete_redirect_cookie()
|
|
|
|
|
|
|
|
-- When we are in the SSOwat portal, we need a default `content-type`
|
|
|
|
if string.ends(ngx.var.uri, "/")
|
|
|
|
or string.ends(ngx.var.uri, ".html")
|
|
|
|
or string.ends(ngx.var.uri, ".htm")
|
|
|
|
then
|
|
|
|
ngx.header["Content-Type"] = "text/html"
|
|
|
|
end
|
|
|
|
|
|
|
|
return
|
|
|
|
end
|