2013-10-15 13:58:16 +02:00
|
|
|
--
|
2015-02-02 00:05:09 +01:00
|
|
|
-- access.lua
|
|
|
|
--
|
|
|
|
-- This file is executed at every request on a protected domain or server.
|
|
|
|
-- You just have to read this file normally to understand how and when the
|
|
|
|
-- request is handled: redirected, forbidden, bypassed or served.
|
2013-10-15 13:58:16 +02:00
|
|
|
--
|
2014-04-10 20:42:43 +02:00
|
|
|
|
2015-02-12 12:08:52 +01:00
|
|
|
-- Get the `cache` persistent shared table
|
|
|
|
cache = ngx.shared.cache
|
|
|
|
|
|
|
|
-- Generate a unique token if it has not been generated yet
|
|
|
|
srvkey = cache:get("srvkey")
|
|
|
|
if not srvkey then
|
2015-04-30 15:08:08 +02:00
|
|
|
srvkey = random_string()
|
2015-02-12 12:08:52 +01:00
|
|
|
cache:add("srvkey", srvkey)
|
|
|
|
end
|
2014-04-17 14:51:47 +02:00
|
|
|
|
2015-02-12 12:08:52 +01:00
|
|
|
-- Initialize and get configuration
|
|
|
|
config = require "config"
|
|
|
|
conf = config.get_config()
|
2014-04-17 14:40:52 +02:00
|
|
|
|
2015-02-02 00:05:09 +01:00
|
|
|
-- Initialize the non-persistent cookie table
|
|
|
|
cookies = {}
|
2014-09-13 23:21:21 +02:00
|
|
|
|
2015-02-02 00:05:09 +01:00
|
|
|
-- Import helpers
|
|
|
|
hlp = require "helpers"
|
2013-10-15 10:11:39 +02:00
|
|
|
|
2015-02-02 00:05:09 +01:00
|
|
|
-- Just a note for the client to know that he passed through the SSO
|
2013-10-16 11:57:53 +02:00
|
|
|
ngx.header["X-SSO-WAT"] = "You've just been SSOed"
|
2013-10-15 10:11:39 +02:00
|
|
|
|
2013-10-20 16:38:49 +02:00
|
|
|
|
2013-10-15 13:58:16 +02:00
|
|
|
--
|
2015-02-02 00:05:09 +01:00
|
|
|
-- 1. LOGIN
|
2013-10-15 13:58:16 +02:00
|
|
|
--
|
2015-02-02 00:05:09 +01:00
|
|
|
-- example: https://mydomain.org/?sso_login=a6e5320f
|
|
|
|
--
|
|
|
|
-- If the `sso_login` URI argument is set, try a cross-domain authentication
|
|
|
|
-- with the token passed as argument
|
2013-10-20 17:24:44 +02:00
|
|
|
--
|
2014-04-17 12:21:11 +02:00
|
|
|
if ngx.var.host ~= conf["portal_domain"] and ngx.var.request_method == "GET" then
|
|
|
|
uri_args = ngx.req.get_uri_args()
|
|
|
|
if uri_args[conf.login_arg] then
|
|
|
|
cda_key = uri_args[conf.login_arg]
|
2015-02-12 12:08:52 +01:00
|
|
|
|
|
|
|
-- Use the `login` shared table where a username is associated with
|
|
|
|
-- a CDA key
|
2014-04-17 12:21:11 +02:00
|
|
|
if login[cda_key] then
|
2015-02-12 12:08:52 +01:00
|
|
|
hlp.set_auth_cookie(login[cda_key], ngx.var.host)
|
2014-04-17 12:21:11 +02:00
|
|
|
ngx.log(ngx.NOTICE, "Cross-domain authentication: "..login[cda_key].." connected on "..ngx.var.host)
|
|
|
|
login[cda_key] = nil
|
|
|
|
end
|
2015-02-12 12:08:52 +01:00
|
|
|
|
|
|
|
uri_args[conf.login_arg] = nil
|
|
|
|
return hlp.redirect(ngx.var.uri..hlp.uri_args_string(uri_args))
|
2014-02-04 16:28:54 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2015-02-02 00:05:09 +01:00
|
|
|
--
|
|
|
|
-- 2. PORTAL
|
|
|
|
--
|
|
|
|
-- example: https://mydomain.org/ssowat*
|
|
|
|
--
|
|
|
|
-- If the URL matches the portal URL, serve a portal file or proceed to a
|
2015-02-15 12:31:23 +01:00
|
|
|
-- portal operation
|
2015-02-02 00:05:09 +01:00
|
|
|
--
|
2013-10-20 17:24:44 +02:00
|
|
|
if ngx.var.host == conf["portal_domain"]
|
2015-02-12 12:08:52 +01:00
|
|
|
and hlp.string.starts(ngx.var.uri, string.sub(conf["portal_path"], 1, -2))
|
2013-10-20 17:24:44 +02:00
|
|
|
then
|
2015-02-12 12:08:52 +01:00
|
|
|
|
|
|
|
-- `GET` method will serve a portal file
|
2013-10-20 17:24:44 +02:00
|
|
|
if ngx.var.request_method == "GET" then
|
|
|
|
|
2014-11-13 20:27:01 +01:00
|
|
|
-- Force portal scheme
|
|
|
|
if ngx.var.scheme ~= conf["portal_scheme"] then
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.redirect(conf.portal_url)
|
2014-11-13 20:27:01 +01:00
|
|
|
end
|
|
|
|
|
2015-02-02 00:05:09 +01:00
|
|
|
-- Add a trailing `/` if not present
|
2013-10-21 20:43:12 +02:00
|
|
|
if ngx.var.uri.."/" == conf["portal_path"] then
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.redirect(conf.portal_url)
|
2013-10-21 20:43:12 +02:00
|
|
|
end
|
|
|
|
|
2013-10-20 17:24:44 +02:00
|
|
|
uri_args = ngx.req.get_uri_args()
|
2015-02-12 12:08:52 +01:00
|
|
|
|
|
|
|
-- Logout is also called via a `GET` method
|
|
|
|
-- TODO: change this ?
|
2013-10-20 17:24:44 +02:00
|
|
|
if uri_args.action and uri_args.action == 'logout' then
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.logout()
|
2013-10-20 17:24:44 +02:00
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
-- If the `r` URI argument is set, it means that we want to
|
|
|
|
-- be redirected (typically after a login phase)
|
2015-02-12 12:08:52 +01:00
|
|
|
elseif hlp.is_logged_in() and uri_args.r then
|
2014-04-17 12:21:11 +02:00
|
|
|
back_url = ngx.decode_base64(uri_args.r)
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
-- In case the `back_url` is not on the same domain than the
|
|
|
|
-- current one, create a redirection with a CDA key
|
2014-04-21 13:04:05 +02:00
|
|
|
if not string.match(back_url, "^http[s]?://"..ngx.var.host.."/")
|
2014-04-17 12:21:11 +02:00
|
|
|
and not string.match(back_url, ".*"..conf.login_arg.."=%d+$") then
|
2015-04-30 15:08:08 +02:00
|
|
|
cda_key = random_string()
|
2014-04-17 12:21:11 +02:00
|
|
|
login[cda_key] = ngx.var.cookie_SSOwAuthUser
|
|
|
|
if string.match(back_url, ".*?.*") then
|
|
|
|
back_url = back_url.."&"
|
|
|
|
else
|
|
|
|
back_url = back_url.."?"
|
|
|
|
end
|
|
|
|
back_url = back_url.."sso_login="..cda_key
|
|
|
|
end
|
2015-02-15 12:31:23 +01:00
|
|
|
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.redirect(back_url)
|
2014-01-31 21:25:46 +01:00
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
-- In case we want to serve portal login or assets for portal, just
|
|
|
|
-- serve it
|
|
|
|
elseif hlp.is_logged_in()
|
|
|
|
or ngx.var.uri == conf["portal_path"]
|
|
|
|
or (hlp.string.starts(ngx.var.uri, conf["portal_path"].."assets")
|
2013-11-27 03:48:25 +01:00
|
|
|
and (not ngx.var.http_referer
|
2015-02-15 12:31:23 +01:00
|
|
|
or hlp.string.starts(ngx.var.http_referer, conf.portal_url)))
|
2013-10-20 18:25:24 +02:00
|
|
|
then
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.serve(ngx.var.uri)
|
2013-10-20 17:24:44 +02:00
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
-- If all the previous cases have failed, redirect to portal
|
2013-10-20 17:24:44 +02:00
|
|
|
else
|
2015-02-15 13:03:01 +01:00
|
|
|
hlp.flash("info", hlp.t("please_login"))
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.redirect(conf.portal_url)
|
2013-10-20 17:24:44 +02:00
|
|
|
end
|
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
-- `POST` method is basically use to achieve editing operations
|
2013-10-20 17:24:44 +02:00
|
|
|
elseif ngx.var.request_method == "POST" then
|
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
-- CSRF protection, only proceed if we are editing from the same
|
|
|
|
-- domain
|
2015-02-12 12:08:52 +01:00
|
|
|
if hlp.string.starts(ngx.var.http_referer, conf.portal_url) then
|
|
|
|
if hlp.string.ends(ngx.var.uri, conf["portal_path"].."password.html")
|
|
|
|
or hlp.string.ends(ngx.var.uri, conf["portal_path"].."edit.html")
|
2013-10-21 13:13:43 +02:00
|
|
|
then
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.edit_user()
|
2013-10-21 13:13:43 +02:00
|
|
|
else
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.login()
|
2013-10-21 13:13:43 +02:00
|
|
|
end
|
2013-10-20 17:24:44 +02:00
|
|
|
else
|
|
|
|
-- Redirect to portal
|
2015-02-15 13:03:01 +01:00
|
|
|
hlp.flash("fail", hlp.t("please_login_from_portal"))
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.redirect(conf.portal_url)
|
2013-10-20 17:24:44 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
--
|
|
|
|
-- 3. Redirected URLs
|
|
|
|
--
|
|
|
|
-- If the URL matches one of the `redirected_urls` in the configuration file,
|
|
|
|
-- just redirect to the target URL/URI
|
|
|
|
--
|
2014-04-10 17:35:28 +02:00
|
|
|
|
|
|
|
function detect_redirection(redirect_url)
|
2015-02-12 12:08:52 +01:00
|
|
|
if hlp.string.starts(redirect_url, "http://")
|
|
|
|
or hlp.string.starts(redirect_url, "https://") then
|
|
|
|
return hlp.redirect(redirect_url)
|
|
|
|
elseif hlp.string.starts(redirect_url, "/") then
|
|
|
|
return hlp.redirect(ngx.var.scheme.."://"..ngx.var.host..redirect_url)
|
2014-04-10 17:35:28 +02:00
|
|
|
else
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.redirect(ngx.var.scheme.."://"..redirect_url)
|
2014-04-10 17:35:28 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if conf["redirected_urls"] then
|
|
|
|
for url, redirect_url in pairs(conf["redirected_urls"]) do
|
2015-02-12 12:08:52 +01:00
|
|
|
if url == ngx.var.host..ngx.var.uri..hlp.uri_args_string()
|
|
|
|
or url == ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string()
|
|
|
|
or url == ngx.var.uri..hlp.uri_args_string() then
|
2014-04-10 17:35:28 +02:00
|
|
|
detect_redirection(redirect_url)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if conf["redirected_regex"] then
|
|
|
|
for regex, redirect_url in pairs(conf["redirected_regex"]) do
|
2015-02-12 12:08:52 +01:00
|
|
|
if string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
|
|
|
|
or string.match(ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
|
|
|
|
or string.match(ngx.var.uri..hlp.uri_args_string(), regex) then
|
2014-04-10 17:35:28 +02:00
|
|
|
detect_redirection(redirect_url)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2014-01-31 21:25:46 +01:00
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
--
|
|
|
|
-- 4. Protected URLs
|
|
|
|
--
|
|
|
|
-- If the URL matches one of the `protected_urls` in the configuration file,
|
|
|
|
-- we have to protect it even if the URL is also set in the `unprotected_urls`.
|
|
|
|
-- It could be useful if you want to unprotect every URL except a few
|
|
|
|
-- particular ones.
|
|
|
|
--
|
|
|
|
|
2014-03-03 15:44:17 +01:00
|
|
|
function is_protected()
|
|
|
|
if not conf["protected_urls"] then
|
|
|
|
conf["protected_urls"] = {}
|
|
|
|
end
|
|
|
|
if not conf["protected_regex"] then
|
|
|
|
conf["protected_regex"] = {}
|
|
|
|
end
|
|
|
|
|
|
|
|
for _, url in ipairs(conf["protected_urls"]) do
|
2015-02-12 12:08:52 +01:00
|
|
|
if hlp.string.starts(ngx.var.host..ngx.var.uri, url)
|
|
|
|
or hlp.string.starts(ngx.var.uri, url) then
|
2014-03-03 15:44:17 +01:00
|
|
|
return true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
for _, regex in ipairs(conf["protected_regex"]) do
|
|
|
|
if string.match(ngx.var.host..ngx.var.uri, regex)
|
|
|
|
or string.match(ngx.var.uri, regex) then
|
|
|
|
return true
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
return false
|
|
|
|
end
|
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
--
|
|
|
|
-- 5. Skipped URLs
|
|
|
|
--
|
|
|
|
-- If the URL matches one of the `skipped_urls` in the configuration file,
|
|
|
|
-- it means that the URL should not be protected by the SSO and no header
|
|
|
|
-- has to be sent, even if the user is already authenticated.
|
|
|
|
--
|
2013-10-20 17:24:44 +02:00
|
|
|
|
2014-03-03 15:04:08 +01:00
|
|
|
if conf["skipped_urls"] then
|
|
|
|
for _, url in ipairs(conf["skipped_urls"]) do
|
2015-02-12 12:08:52 +01:00
|
|
|
if (hlp.string.starts(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), url)
|
|
|
|
or hlp.string.starts(ngx.var.uri..hlp.uri_args_string(), url))
|
2014-03-03 15:44:17 +01:00
|
|
|
and not is_protected() then
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.pass()
|
2014-03-03 15:04:08 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
if conf["skipped_regex"] then
|
|
|
|
for _, regex in ipairs(conf["skipped_regex"]) do
|
2015-02-12 12:08:52 +01:00
|
|
|
if (string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
|
|
|
|
or string.match(ngx.var.uri..hlp.uri_args_string(), regex))
|
2014-03-03 15:44:17 +01:00
|
|
|
and not is_protected() then
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.pass()
|
2014-03-03 15:04:08 +01:00
|
|
|
end
|
2013-10-20 17:24:44 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
|
2014-03-03 15:04:08 +01:00
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
--
|
|
|
|
-- 6. Unprotected URLs
|
|
|
|
--
|
|
|
|
-- If the URL matches one of the `unprotected_urls` in the configuration file,
|
|
|
|
-- it means that the URL should not be protected by the SSO *but* headers have
|
|
|
|
-- to be sent if the user is already authenticated.
|
|
|
|
--
|
|
|
|
-- It means that you can let anyone access to an app, but if a user has already
|
|
|
|
-- been authenticated on the portal, he can have its authentication headers
|
|
|
|
-- passed to the app.
|
|
|
|
--
|
2013-10-20 17:24:44 +02:00
|
|
|
|
2014-03-03 15:04:08 +01:00
|
|
|
if conf["unprotected_urls"] then
|
|
|
|
for _, url in ipairs(conf["unprotected_urls"]) do
|
2015-02-12 12:08:52 +01:00
|
|
|
if (hlp.string.starts(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), url)
|
|
|
|
or hlp.string.starts(ngx.var.uri..hlp.uri_args_string(), url))
|
2014-03-03 15:44:17 +01:00
|
|
|
and not is_protected() then
|
2015-02-12 12:08:52 +01:00
|
|
|
if hlp.is_logged_in() then
|
|
|
|
hlp.set_headers()
|
2014-03-03 15:04:08 +01:00
|
|
|
end
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.pass()
|
2013-10-20 17:24:44 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-03-03 15:04:08 +01:00
|
|
|
if conf["unprotected_regex"] then
|
|
|
|
for _, regex in ipairs(conf["unprotected_regex"]) do
|
2015-02-12 12:08:52 +01:00
|
|
|
if (string.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
|
|
|
|
or string.match(ngx.var.uri..hlp.uri_args_string(), regex))
|
2014-03-03 15:44:17 +01:00
|
|
|
and not is_protected() then
|
2015-02-12 12:08:52 +01:00
|
|
|
if hlp.is_logged_in() then
|
|
|
|
hlp.set_headers()
|
2014-03-03 15:04:08 +01:00
|
|
|
end
|
2015-02-12 12:08:52 +01:00
|
|
|
return hlp.pass()
|
2014-03-03 15:04:08 +01:00
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
2013-10-20 17:24:44 +02:00
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
--
|
|
|
|
-- 7. Specific files (used in YunoHost)
|
|
|
|
--
|
|
|
|
-- We want to serve specific portal assets right at the root of the domain.
|
|
|
|
--
|
|
|
|
-- For example: `https://mydomain.org/ynhpanel.js` will serve the
|
|
|
|
-- `/yunohost/sso/assets/js/ynhpanel.js` file.
|
2013-10-20 17:24:44 +02:00
|
|
|
--
|
|
|
|
|
2015-02-12 12:08:52 +01:00
|
|
|
if hlp.is_logged_in() then
|
2014-02-04 21:41:53 +01:00
|
|
|
if string.match(ngx.var.uri, "^/ynhpanel.js$") then
|
2015-02-12 12:08:52 +01:00
|
|
|
hlp.serve("/yunohost/sso/assets/js/ynhpanel.js")
|
2014-02-04 21:41:53 +01:00
|
|
|
end
|
2014-02-17 13:07:28 +01:00
|
|
|
if string.match(ngx.var.uri, "^/ynhpanel.css$") then
|
2015-02-12 12:08:52 +01:00
|
|
|
hlp.serve("/yunohost/sso/assets/css/ynhpanel.css")
|
2014-02-17 13:07:28 +01:00
|
|
|
end
|
2014-02-04 21:41:53 +01:00
|
|
|
if string.match(ngx.var.uri, "^/ynhpanel.json$") then
|
2015-02-12 12:08:52 +01:00
|
|
|
hlp.serve("/yunohost/sso/assets/js/ynhpanel.json")
|
2014-02-04 21:41:53 +01:00
|
|
|
end
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
-- If user has no access to this URL, redirect him to the portal
|
2015-02-12 12:08:52 +01:00
|
|
|
if not hlp.has_access() then
|
|
|
|
return hlp.redirect(conf.portal_url)
|
2013-10-29 11:48:56 +01:00
|
|
|
end
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
-- If the user is authenticated and has access to the URL, sen the headers
|
|
|
|
-- and let it be
|
2015-02-12 12:08:52 +01:00
|
|
|
hlp.set_headers()
|
|
|
|
return hlp.pass()
|
2013-10-20 17:24:44 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
--
|
|
|
|
-- 8. Basic HTTP Authentication
|
|
|
|
--
|
|
|
|
-- If the `Authorization` header is set before reaching the SSO, we want to
|
|
|
|
-- match user and password against the user database.
|
|
|
|
--
|
|
|
|
-- It allows you to bypass the cookie-based procedure with a per-request
|
|
|
|
-- authentication. Very usefull when you are trying to reach a specific URL
|
|
|
|
-- via cURL for example.
|
2013-10-20 17:24:44 +02:00
|
|
|
--
|
|
|
|
|
|
|
|
local auth_header = ngx.req.get_headers()["Authorization"]
|
2015-02-15 12:31:23 +01:00
|
|
|
|
2013-10-20 17:24:44 +02:00
|
|
|
if auth_header then
|
|
|
|
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
|
|
|
|
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
|
2015-02-12 12:08:52 +01:00
|
|
|
user = hlp.authenticate(user, password)
|
2014-02-19 12:57:57 +01:00
|
|
|
if user then
|
2015-02-12 12:08:52 +01:00
|
|
|
hlp.set_headers(user)
|
|
|
|
return hlp.pass()
|
2013-10-20 17:24:44 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2015-02-15 12:31:23 +01:00
|
|
|
|
|
|
|
--
|
|
|
|
-- 9. Redirect to login
|
|
|
|
--
|
|
|
|
-- If no previous rule has matched, just redirect to the portal login.
|
|
|
|
-- The default is to protect every URL by default.
|
2013-10-20 17:24:44 +02:00
|
|
|
--
|
|
|
|
|
2015-02-15 13:03:01 +01:00
|
|
|
hlp.flash("info", hlp.t("please_login"))
|
2015-02-12 12:08:52 +01:00
|
|
|
local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()
|
|
|
|
return hlp.redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url))
|