SSOwat/access.lua

--
-- Load configuration
--
cookies = {}
local conf_file = assert(io.open(conf_path, "r"), "Configuration file is missing")
local conf = json.decode(conf_file:read("*all"))
local portal_url = conf["portal_scheme"].."://"..
                   conf["portal_domain"]..
                   ":"..conf["portal_port"]..
                   conf["portal_path"]
table.insert(conf["skipped_urls"], conf["portal_domain"]..conf["portal_path"])

-- Dummy intructions
ngx.header["X-SSO-WAT"] = "You've just been SSOed"

--
--  Useful functions
--
function is_in_table (t, v)
    for key, value in ipairs(t) do
        if value == v then return key end
    end
end

function string.starts (String, Start)
   return string.sub(String, 1, string.len(Start)) == Start
end

function string.ends (String, End)
   return End=='' or string.sub(String, -string.len(End)) == End
end

function cook (cookie_str)
    table.insert(cookies, cookie_str)
end

function set_auth_cookie (user, domain)
    local maxAge = 60 * 60 * 24 * 7 -- 1 week
    local expire = ngx.req.start_time() + maxAge
    local hash = ngx.md5(srvkey..
               "|" ..ngx.var.remote_addr..
               "|"..user..
               "|"..expire)
    local cookie_str = "; Domain=."..domain..
                       "; Path=/"..
                       "; Max-Age="..maxAge
    cook("SSOwAuthUser="..user..cookie_str)
    cook("SSOwAuthHash="..hash..cookie_str)
    cook("SSOwAuthExpire="..expire..cookie_str)
end

function set_token_cookie ()
    local token = tostring(math.random(111111, 999999))
    tokens[token] = token
    cook(
        "SSOwAuthToken="..token..
        "; Domain=."..conf["portal_domain"]..
        "; Path="..conf["portal_path"]..
        "; Max-Age=3600"
    )
end

function set_redirect_cookie (redirect_url)
    cook(
        "SSOwAuthRedirect="..redirect_url..
        "; Path="..conf["portal_path"]..
        "; Max-Age=3600"
    )
end

function delete_cookie ()
    expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
    for _, domain in ipairs(conf["domains"]) do
        local cookie_str = "; Domain=."..domain..
                           "; Path=/"..
                           "; Max-Age="..expired_time
        cook("SSOwAuthUser=;"    ..cookie_str)
        cook("SSOwAuthHash=;"    ..cookie_str)
        cook("SSOwAuthExpire=;"  ..cookie_str)
    end
end

function delete_onetime_cookie ()
    expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
    local cookie_str = "; Path="..conf["portal_path"]..
                       "; Max-Age="..expired_time
    cook("SSOwAuthToken=;"    ..cookie_str)
    cook("SSOwAuthRedirect=;" ..cookie_str)
end


function check_cookie ()

    -- Check if cookie is set
    if  ngx.var.cookie_SSOwAuthExpire and ngx.var.cookie_SSOwAuthExpire ~= ""
    and ngx.var.cookie_SSOwAuthHash   and ngx.var.cookie_SSOwAuthHash   ~= ""
    and ngx.var.cookie_SSOwAuthUser   and ngx.var.cookie_SSOwAuthUser   ~= ""
    then
        -- Check expire time
        if (ngx.req.start_time() <= tonumber(ngx.var.cookie_SSOwAuthExpire)) then
            -- Check hash
            local hash = ngx.md5(srvkey..
                    "|"..ngx.var.remote_addr..
                    "|"..ngx.var.cookie_SSOwAuthUser..
                    "|"..ngx.var.cookie_SSOwAuthExpire)
            return hash == ngx.var.cookie_SSOwAuthHash
        end
    end

    return false
end

function authenticate (user, password)
    connected = lualdap.open_simple (
        "localhost",
        "uid=".. user ..",ou=users,dc=yunohost,dc=org",
        password
    )

    if connected and not cache[user] then
        cache[user] = { password=password }
    end

    return connected
end

function set_headers (user)
    if not cache[user]["uid"] then
        ldap = lualdap.open_simple("localhost")
        for dn, attribs in ldap:search {
            base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",
            scope = "base",
            sizelimit = 1,
            attrs = {"uid", "givenName", "sn", "cn", "homeDirectory", "mail"}
        } do
            for k,v in pairs(attribs) do cache[user][k] = v end
        end
    end

    -- Set HTTP Auth header
    ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
      cache[user]["uid"]..":"..cache[user]["password"]
    ))

    -- Set Additional headers
    for k, v in pairs(conf["additional_headers"]) do
        ngx.req.set_header(k, cache[user][v])
    end

end

function display_login_form ()
    local args = ngx.req.get_uri_args()
    ngx.req.set_header("Cache-Control", "no-cache")

    if args.action and args.action == 'logout' then
        if check_cookie() then
            local user = ngx.var.cookie_SSOwAuthUser
            logout[user] = {}
            logout[user]["redirect_url"] = portal_url
            logout[user]["domains"] = {}
            for _, value in ipairs(conf["domains"]) do
                table.insert(logout[user]["domains"], value)
            end
            return redirect(ngx.var.scheme.."://"..ngx.var.http_host.."/?ssologout="..user)
        end
    end

    -- Set redirect
    if args.r then set_redirect_cookie(ngx.decode_base64(args.r)) end
    -- Set token
    set_token_cookie()
    ngx.header["Cache-Control"] = "no-cache"
    ngx.header["Set-Cookie"] = cookies
    return
end

function do_login ()
    ngx.req.read_body()
    local args = ngx.req.get_post_args()
    local uri_args = ngx.req.get_uri_args()

    -- CSRF check
    local token = ngx.var.cookie_SSOwAuthToken

    if token and tokens[token] then
        tokens[token] = nil
        ngx.status = ngx.HTTP_CREATED

        if authenticate(args.user, args.password) then
            local redirect_url = ngx.var.cookie_SSOwAuthRedirect
            if uri_args.r then
                redirect_url = ngx.decode_base64(uri_args.r)
            end
            if not redirect_url then redirect_url = portal_url end
            login[args.user] = {}
            login[args.user]["redirect_url"] = redirect_url
            login[args.user]["domains"] = {}
            for _, value in ipairs(conf["domains"]) do
                table.insert(login[args.user]["domains"], value)
            end

            -- Connect to the first domain (self)
            return redirect(ngx.var.scheme.."://"..ngx.var.http_host.."/?ssologin="..args.user)
        end
    end
    return redirect(portal_url)
end

function login_walkthrough (user)
    -- Set Authentication cookies
    set_auth_cookie(user, ngx.var.host)
    -- Remove domain from login table
    domain_key = is_in_table(login[user]["domains"], ngx.var.host)
    table.remove(login[user]["domains"], domain_key)

    if table.getn(login[user]["domains"]) == 0 then
        -- All the redirections has been made
        local redirect_url = login[user]["redirect_url"]
        login[user] = nil
        return redirect(ngx.unescape_uri(redirect_url))
    else
        -- Redirect to the next domain
        for _, domain in ipairs(login[user]["domains"]) do
            return redirect(ngx.var.scheme.."://"..domain.."/?ssologin="..user)
        end
    end
end

function logout_walkthrough (user)
    -- Expire Authentication cookies
    delete_cookie()
    -- Remove domain from logout table
    domain_key = is_in_table(logout[user]["domains"], ngx.var.host)
    table.remove(logout[user]["domains"], domain_key)

    if table.getn(logout[user]["domains"]) == 0 then
        -- All the redirections has been made
        local redirect_url = logout[user]["redirect_url"]
        logout[user] = nil
        return redirect(ngx.unescape_uri(redirect_url))
    else
        -- Redirect to the next domain
        for _, domain in ipairs(logout[user]["domains"]) do
            return redirect(ngx.var.scheme.."://"..domain.."/?ssologout="..user)
        end
    end
end

function redirect (url)
    ngx.header["Set-Cookie"] = cookies
    return ngx.redirect(url)
end

function pass ()
    delete_onetime_cookie()
    ngx.req.set_header("Set-Cookie", cookies)
    return
end

--
-- Routing
--

-- Logging in/out
if ngx.var.request_method == "GET" then
    local args = ngx.req.get_uri_args()

    local user = args.ssologin
    if user and login[user] then
        return login_walkthrough(user)
    end

    user = args.ssologout
    if user and logout[user] then
        return logout_walkthrough(user)
    end
end

-- Portal
if ngx.var.host == conf["portal_domain"]
   and string.starts(ngx.var.uri, conf["portal_path"])
then
    if ngx.var.request_method == "GET" then
        return display_login_form()
    elseif ngx.var.request_method == "POST" then
        return do_login()
    end
end

-- Skipped urls
for _, url in ipairs(conf["skipped_urls"]) do
    if string.starts(ngx.var.host..ngx.var.uri, url) then
        return pass
    end
end

-- Unprotected urls
for _, url in ipairs(conf["unprotected_urls"]) do
    if string.starts(ngx.var.host..ngx.var.uri, url) then
        if check_cookie() then
            set_headers(ngx.var.cookie_SSOwAuthUser)
        end
        return pass
    end
end

-- Cookie validation
if check_cookie() then
    set_headers(ngx.var.cookie_SSOwAuthUser)
    return pass
else
    delete_cookie()
end


-- Login with HTTP Auth if credentials are brought
local auth_header = ngx.req.get_headers()["Authorization"]
if auth_header then
    _, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
    _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
    if authenticate(user, password) then
        set_headers(user)
        return pass
    end
end

-- Else redirect to portal
local back_url = ngx.escape_uri(ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri)
-- From another domain
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))