2013-10-15 13:58:16 +02:00
|
|
|
--
|
2013-10-15 10:11:39 +02:00
|
|
|
-- Load configuration
|
2013-10-15 13:58:16 +02:00
|
|
|
--
|
2013-10-16 11:27:18 +02:00
|
|
|
cookies = {}
|
|
|
|
local conf_file = assert(io.open(conf_path, "r"), "Configuration file is missing")
|
2013-10-15 13:58:16 +02:00
|
|
|
local conf = json.decode(conf_file:read("*all"))
|
2013-10-15 10:11:39 +02:00
|
|
|
local portal_url = conf["portal_scheme"].."://"..
|
2013-10-16 15:54:58 +02:00
|
|
|
conf["portal_domain"]..
|
2013-10-15 10:11:39 +02:00
|
|
|
":"..conf["portal_port"]..
|
|
|
|
conf["portal_path"]
|
2013-10-16 15:54:58 +02:00
|
|
|
table.insert(conf["skipped_urls"], conf["portal_domain"]..conf["portal_path"])
|
2013-10-15 10:11:39 +02:00
|
|
|
|
|
|
|
-- Dummy intructions
|
2013-10-16 11:57:53 +02:00
|
|
|
ngx.header["X-SSO-WAT"] = "You've just been SSOed"
|
2013-10-15 10:11:39 +02:00
|
|
|
|
2013-10-15 13:58:16 +02:00
|
|
|
--
|
|
|
|
-- Useful functions
|
|
|
|
--
|
2013-10-16 11:27:18 +02:00
|
|
|
function is_in_table (t, v)
|
|
|
|
for key, value in ipairs(t) do
|
|
|
|
if value == v then return key end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-10-15 10:11:39 +02:00
|
|
|
function string.starts (String, Start)
|
|
|
|
return string.sub(String, 1, string.len(Start)) == Start
|
|
|
|
end
|
|
|
|
|
2013-10-15 13:58:16 +02:00
|
|
|
function string.ends (String, End)
|
|
|
|
return End=='' or string.sub(String, -string.len(End)) == End
|
|
|
|
end
|
|
|
|
|
2013-10-16 11:27:18 +02:00
|
|
|
function cook (cookie_str)
|
|
|
|
table.insert(cookies, cookie_str)
|
|
|
|
end
|
|
|
|
|
|
|
|
function set_auth_cookie (user, domain)
|
2013-10-15 10:11:39 +02:00
|
|
|
local maxAge = 60 * 60 * 24 * 7 -- 1 week
|
|
|
|
local expire = ngx.req.start_time() + maxAge
|
|
|
|
local hash = ngx.md5(auth_key..
|
|
|
|
"|" ..ngx.var.remote_addr..
|
|
|
|
"|"..user..
|
|
|
|
"|"..expire)
|
2013-10-16 11:27:18 +02:00
|
|
|
local cookie_str = "; Domain=."..domain..
|
2013-10-15 13:58:16 +02:00
|
|
|
"; Path=/"..
|
2013-10-15 10:11:39 +02:00
|
|
|
"; Max-Age="..maxAge
|
2013-10-16 16:20:51 +02:00
|
|
|
cook("SSOwAuthUser="..user..cookie_str)
|
|
|
|
cook("SSOwAuthHash="..hash..cookie_str)
|
|
|
|
cook("SSOwAuthExpire="..expire..cookie_str)
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
|
2013-10-15 13:58:16 +02:00
|
|
|
function set_token_cookie ()
|
|
|
|
local token = tostring(math.random(111111, 999999))
|
|
|
|
tokens[token] = token
|
2013-10-16 11:27:18 +02:00
|
|
|
cook(
|
2013-10-16 16:20:51 +02:00
|
|
|
"SSOwAuthToken="..token..
|
|
|
|
"; Domain=."..conf["portal_domain"]..
|
2013-10-15 13:58:16 +02:00
|
|
|
"; Path="..conf["portal_path"]..
|
|
|
|
"; Max-Age=3600"
|
2013-10-16 11:27:18 +02:00
|
|
|
)
|
2013-10-15 13:58:16 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
function set_redirect_cookie (redirect_url)
|
2013-10-16 11:27:18 +02:00
|
|
|
cook(
|
2013-10-16 16:20:51 +02:00
|
|
|
"SSOwAuthRedirect="..redirect_url..
|
2013-10-15 13:58:16 +02:00
|
|
|
"; Path="..conf["portal_path"]..
|
|
|
|
"; Max-Age=3600"
|
2013-10-16 11:27:18 +02:00
|
|
|
)
|
2013-10-15 13:58:16 +02:00
|
|
|
end
|
|
|
|
|
2013-10-15 10:11:39 +02:00
|
|
|
function delete_cookie ()
|
2013-10-16 16:20:51 +02:00
|
|
|
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
|
|
|
|
for _, domain in ipairs(conf["domains"]) do
|
|
|
|
local cookie_str = "; Domain=."..domain..
|
|
|
|
"; Path=/"..
|
|
|
|
"; Max-Age="..expired_time
|
|
|
|
cook("SSOwAuthUser=;" ..cookie_str)
|
|
|
|
cook("SSOwAuthHash=;" ..cookie_str)
|
|
|
|
cook("SSOwAuthExpire=;" ..cookie_str)
|
|
|
|
end
|
2013-10-15 13:58:16 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
function delete_onetime_cookie ()
|
2013-10-16 16:20:51 +02:00
|
|
|
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
|
|
|
|
local cookie_str = "; Path="..conf["portal_path"]..
|
|
|
|
"; Max-Age="..expired_time
|
|
|
|
cook("SSOwAuthToken=;" ..cookie_str)
|
|
|
|
cook("SSOwAuthRedirect=;" ..cookie_str)
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
|
2013-10-15 13:58:16 +02:00
|
|
|
|
2013-10-15 10:11:39 +02:00
|
|
|
function check_cookie ()
|
2013-10-16 11:27:18 +02:00
|
|
|
|
2013-10-15 10:11:39 +02:00
|
|
|
-- Check if cookie is set
|
2013-10-16 16:20:51 +02:00
|
|
|
if ngx.var.cookie_SSOwAuthExpire and ngx.var.cookie_SSOwAuthExpire ~= ""
|
|
|
|
and ngx.var.cookie_SSOwAuthHash and ngx.var.cookie_SSOwAuthHash ~= ""
|
|
|
|
and ngx.var.cookie_SSOwAuthUser and ngx.var.cookie_SSOwAuthUser ~= ""
|
2013-10-15 10:11:39 +02:00
|
|
|
then
|
2013-10-16 16:20:51 +02:00
|
|
|
-- Check expire time
|
|
|
|
if (ngx.req.start_time() <= tonumber(ngx.var.cookie_SSOwAuthExpire)) then
|
|
|
|
-- Check hash
|
|
|
|
local hash = ngx.md5(auth_key..
|
|
|
|
"|"..ngx.var.remote_addr..
|
|
|
|
"|"..ngx.var.cookie_SSOwAuthUser..
|
|
|
|
"|"..ngx.var.cookie_SSOwAuthExpire)
|
|
|
|
return hash == ngx.var.cookie_SSOwAuthHash
|
|
|
|
end
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
|
2013-10-16 16:20:51 +02:00
|
|
|
return false
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
function authenticate (user, password)
|
2013-10-16 11:27:18 +02:00
|
|
|
connected = lualdap.open_simple (
|
2013-10-15 10:11:39 +02:00
|
|
|
"localhost",
|
2013-10-15 13:58:16 +02:00
|
|
|
"uid=".. user ..",ou=users,dc=yunohost,dc=org",
|
|
|
|
password
|
2013-10-15 10:11:39 +02:00
|
|
|
)
|
2013-10-16 11:27:18 +02:00
|
|
|
|
|
|
|
if connected and not cache[user] then
|
|
|
|
cache[user] = { password=password }
|
|
|
|
end
|
|
|
|
|
|
|
|
return connected
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
function set_headers (user)
|
2013-10-16 11:27:18 +02:00
|
|
|
if not cache[user]["uid"] then
|
|
|
|
ldap = lualdap.open_simple("localhost")
|
|
|
|
for dn, attribs in ldap:search {
|
|
|
|
base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",
|
|
|
|
scope = "base",
|
|
|
|
sizelimit = 1,
|
2013-10-16 16:47:48 +02:00
|
|
|
attrs = {"uid", "givenName", "sn", "cn", "homeDirectory", "mail"}
|
2013-10-16 11:27:18 +02:00
|
|
|
} do
|
|
|
|
for k,v in pairs(attribs) do cache[user][k] = v end
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
end
|
2013-10-16 11:27:18 +02:00
|
|
|
|
2013-10-16 17:30:08 +02:00
|
|
|
ngx.req.set_header("Auth-User", user)
|
|
|
|
ngx.req.set_header("Remote-User", user)
|
|
|
|
ngx.req.set_header("Name", cache[user]["cn"])
|
|
|
|
ngx.req.set_header("Email", cache[user]["mail"])
|
|
|
|
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
|
|
|
|
cache[user]["uid"]..":"..cache[user]["password"]
|
|
|
|
))
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
|
|
|
|
function display_login_form ()
|
|
|
|
local args = ngx.req.get_uri_args()
|
2013-10-16 18:00:51 +02:00
|
|
|
ngx.req.set_header("Cache-Control", "no-cache")
|
2013-10-15 10:11:39 +02:00
|
|
|
|
2013-10-16 11:27:18 +02:00
|
|
|
-- Redirected from another domain
|
|
|
|
if args.r then
|
|
|
|
local redirect_url = ngx.decode_base64(args.r)
|
|
|
|
set_redirect_cookie(redirect_url)
|
2013-10-16 18:00:51 +02:00
|
|
|
ngx.header["Cache-Control"] = "no-cache"
|
2013-10-16 11:27:18 +02:00
|
|
|
return redirect(portal_url)
|
|
|
|
end
|
|
|
|
|
2013-10-15 10:11:39 +02:00
|
|
|
if args.action and args.action == 'logout' then
|
|
|
|
-- Logout
|
|
|
|
delete_cookie()
|
2013-10-16 11:27:18 +02:00
|
|
|
return redirect(portal_url)
|
2013-10-16 16:20:51 +02:00
|
|
|
elseif ngx.var.cookie_SSOwAuthToken
|
|
|
|
and tokens[ngx.var.cookie_SSOwAuthToken]
|
|
|
|
then
|
2013-10-15 10:11:39 +02:00
|
|
|
-- Display normal form
|
2013-10-16 17:30:08 +02:00
|
|
|
return
|
2013-10-16 11:27:18 +02:00
|
|
|
else
|
|
|
|
-- Set token
|
2013-10-15 13:58:16 +02:00
|
|
|
set_token_cookie()
|
2013-10-16 11:27:18 +02:00
|
|
|
return redirect(portal_url)
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
function do_login ()
|
|
|
|
ngx.req.read_body()
|
|
|
|
local args = ngx.req.get_post_args()
|
|
|
|
|
|
|
|
-- CSRF check
|
2013-10-16 16:20:51 +02:00
|
|
|
local token = ngx.var.cookie_SSOwAuthToken
|
2013-10-15 13:58:16 +02:00
|
|
|
|
|
|
|
if token and tokens[token] then
|
|
|
|
tokens[token] = nil
|
2013-10-16 11:27:18 +02:00
|
|
|
ngx.status = ngx.HTTP_CREATED
|
2013-10-15 10:11:39 +02:00
|
|
|
|
|
|
|
if authenticate(args.user, args.password) then
|
2013-10-16 16:20:51 +02:00
|
|
|
local redirect_url = ngx.var.cookie_SSOwAuthRedirect
|
2013-10-16 11:27:18 +02:00
|
|
|
if not redirect_url then redirect_url = portal_url end
|
|
|
|
connections[args.user] = {}
|
|
|
|
connections[args.user]["redirect_url"] = redirect_url
|
|
|
|
connections[args.user]["domains"] = {}
|
|
|
|
for _, value in ipairs(conf["domains"]) do
|
|
|
|
table.insert(connections[args.user]["domains"], value)
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
2013-10-16 11:27:18 +02:00
|
|
|
|
|
|
|
-- Connect to the first domain (self)
|
|
|
|
return redirect(ngx.var.scheme.."://"..ngx.var.http_host.."/?ssoconnect="..args.user)
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
end
|
2013-10-16 11:27:18 +02:00
|
|
|
return redirect(portal_url)
|
|
|
|
end
|
|
|
|
|
|
|
|
function redirect (url)
|
|
|
|
ngx.header["Set-Cookie"] = cookies
|
2013-10-16 17:30:08 +02:00
|
|
|
return ngx.redirect(url)
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
|
2013-10-15 13:58:16 +02:00
|
|
|
function pass ()
|
|
|
|
delete_onetime_cookie()
|
2013-10-16 17:30:08 +02:00
|
|
|
ngx.req.set_header("Set-Cookie", cookies)
|
2013-10-15 13:58:16 +02:00
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
--
|
|
|
|
-- Routing
|
|
|
|
--
|
|
|
|
|
2013-10-16 11:27:18 +02:00
|
|
|
-- Connection
|
|
|
|
if ngx.var.request_method == "GET" then
|
|
|
|
local args = ngx.req.get_uri_args()
|
|
|
|
|
|
|
|
-- /?ssoconnect=user
|
|
|
|
local user = args.ssoconnect
|
|
|
|
if user and connections[user] then
|
|
|
|
-- Set Authentication cookie
|
|
|
|
set_auth_cookie(user, ngx.var.host)
|
|
|
|
-- Remove domain from connection table
|
|
|
|
domain_key = is_in_table(connections[user]["domains"], ngx.var.host)
|
|
|
|
table.remove(connections[user]["domains"], domain_key)
|
|
|
|
|
|
|
|
if table.getn(connections[user]["domains"]) == 0 then
|
|
|
|
-- All the redirections has been made
|
|
|
|
local redirect_url = connections[user]["redirect_url"]
|
|
|
|
connections[user] = nil
|
|
|
|
return redirect(ngx.unescape_uri(redirect_url))
|
|
|
|
else
|
|
|
|
-- Redirect to the next domain
|
|
|
|
for _, domain in ipairs(connections[user]["domains"]) do
|
|
|
|
return redirect(ngx.var.scheme.."://"..domain.."/?ssoconnect="..user)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-10-15 13:58:16 +02:00
|
|
|
-- Portal
|
2013-10-16 15:54:58 +02:00
|
|
|
if ngx.var.host == conf["portal_domain"]
|
2013-10-15 10:11:39 +02:00
|
|
|
and string.starts(ngx.var.uri, conf["portal_path"])
|
|
|
|
then
|
2013-10-15 13:58:16 +02:00
|
|
|
if ngx.var.request_method == "GET" then
|
2013-10-15 10:11:39 +02:00
|
|
|
return display_login_form()
|
2013-10-15 13:58:16 +02:00
|
|
|
elseif ngx.var.request_method == "POST" then
|
2013-10-15 10:11:39 +02:00
|
|
|
return do_login()
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Skipped urls
|
|
|
|
for _, url in ipairs(conf["skipped_urls"]) do
|
2013-10-15 13:58:16 +02:00
|
|
|
if string.starts(ngx.var.host..ngx.var.uri, url) then
|
|
|
|
return pass
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Unprotected urls
|
|
|
|
for _, url in ipairs(conf["unprotected_urls"]) do
|
2013-10-15 13:58:16 +02:00
|
|
|
if string.starts(ngx.var.host..ngx.var.uri, url) then
|
2013-10-15 10:11:39 +02:00
|
|
|
if check_cookie() then
|
2013-10-16 16:20:51 +02:00
|
|
|
set_headers(ngx.var.cookie_SSOwAuthUser)
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
2013-10-15 13:58:16 +02:00
|
|
|
return pass
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
-- Cookie validation
|
|
|
|
if check_cookie() then
|
2013-10-16 16:20:51 +02:00
|
|
|
set_headers(ngx.var.cookie_SSOwAuthUser)
|
2013-10-15 13:58:16 +02:00
|
|
|
return pass
|
2013-10-16 16:20:51 +02:00
|
|
|
else
|
|
|
|
delete_cookie()
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
|
2013-10-16 11:27:18 +02:00
|
|
|
|
2013-10-15 10:11:39 +02:00
|
|
|
-- Connect with HTTP Auth if credentials are brought
|
|
|
|
local auth_header = ngx.req.get_headers()["Authorization"]
|
|
|
|
if auth_header then
|
|
|
|
_, _, b64_cred = string.find(auth_header, "^Basic%s+(.+)$")
|
|
|
|
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
|
|
|
|
if authenticate(user, password) then
|
|
|
|
set_headers(user)
|
2013-10-15 13:58:16 +02:00
|
|
|
return pass
|
2013-10-15 10:11:39 +02:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-10-16 11:27:18 +02:00
|
|
|
-- Else redirect to portal
|
|
|
|
local back_url = ngx.escape_uri(ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri)
|
|
|
|
if set_redirect_cookie(back_url) then
|
|
|
|
-- From same domain
|
|
|
|
return redirect(portal_url)
|
2013-10-15 13:58:16 +02:00
|
|
|
else
|
2013-10-16 11:27:18 +02:00
|
|
|
-- From another domain
|
|
|
|
return redirect(portal_url.."?r="..ngx.encode_base64(back_url))
|
2013-10-15 13:58:16 +02:00
|
|
|
end
|