SSOwat/access.lua

--
-- access.lua
--
-- This file is executed at every request on a protected domain or server.
-- You just have to read this file normally to understand how and when the
-- request is handled: redirected, forbidden, bypassed or served.
--

-- Get the `cache` persistent shared table
local cache = ngx.shared.cache

-- Import helpers
local hlp = require "helpers"

-- Initialize and get configuration
hlp.refresh_config()
local conf = hlp.get_config()

-- Just a note for the client to know that he passed through the SSO
ngx.header["X-SSO-WAT"] = "You've just been SSOed"

local is_logged_in = hlp.check_authentication()

--
-- 3. REDIRECTED URLS
--
-- If the URL matches one of the `redirected_urls` in the configuration file,
-- just redirect to the target URL/URI
--

function detect_redirection(redirect_url)
    if hlp.string.starts(redirect_url, "http://")
    or hlp.string.starts(redirect_url, "https://") then
        return hlp.redirect(redirect_url)
    elseif hlp.string.starts(redirect_url, "/") then
        return hlp.redirect(ngx.var.scheme.."://"..ngx.var.host..redirect_url)
    else
        return hlp.redirect(ngx.var.scheme.."://"..redirect_url)
    end
end

if conf["redirected_urls"] then
    for url, redirect_url in pairs(conf["redirected_urls"]) do
        if url == ngx.var.host..ngx.var.uri..hlp.uri_args_string()
        or url == ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string()
        or url == ngx.var.uri..hlp.uri_args_string() then
            hlp.logger:debug("Requested URI is in redirected_urls")
            detect_redirection(redirect_url)
        end
    end
end

if conf["redirected_regex"] then
    for regex, redirect_url in pairs(conf["redirected_regex"]) do
        if hlp.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
        or hlp.match(ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)
        or hlp.match(ngx.var.uri..hlp.uri_args_string(), regex) then
            hlp.logger:debug("Requested URI is in redirected_regex")
            detect_redirection(redirect_url)
        end
    end
end

--
-- 4. IDENTIFY THE RELEVANT PERMISSION
--
-- In particular, the conf is filled with permissions such as:
--
--        "foobar": {
--            "auth_header": false,
--            "label": "Foobar permission",
--            "public": false,
--            "show_tile": true,
--            "uris": [
--                "yolo.test/foobar",
--                "re:^[^/]*/%.well%-known/foobar/.*$",
--            ],
--            "users": ["alice", "bob"]
--        }
--
--
-- And we find the best matching permission by trying to match the request uri
-- against all the uris rules/regexes from the conf and keep the longest matching one.
--

permission = nil
longest_url_match = ""

ngx_full_url = ngx.var.host..ngx.var.uri

for permission_name, permission_infos in pairs(conf["permissions"]) do
    if next(permission_infos['uris']) ~= nil then
        for _, url in pairs(permission_infos['uris']) do
            if string.starts(url, "re:") then
                url = string.sub(url, 4, string.len(url))
            end
            -- We want to match the beginning of the url
            if not string.starts(url, "^") then
                url = "^"..url
            end

            local m = hlp.match(ngx_full_url, url)
            if m ~= nil and string.len(m) > string.len(longest_url_match) then
                longest_url_match = m
                permission = permission_infos
                permission["id"] = permission_name
            end
        end
    end
end

--
--
-- 5. APPLY PERMISSION
--
--

-- 1st case : client has access

if hlp.has_access(permission) then

    if is_logged_in then
        -- If the user is logged in, refresh_cache
        --hlp.refresh_user_cache()

        -- If Basic Authorization header are enable for this permission,
        -- add it to the response
        if permission["auth_header"] then
            hlp.set_headers()
        end
    end

    return hlp.pass()

-- 2nd case : no access ... redirect to portal / login form
else

    if is_logged_in then
        return hlp.redirect(conf.portal_url)
    else
        local back_url = "https://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()
        return hlp.redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url))
    end
end
Bugfixes 2013-10-15 13:58:16 +02:00			`--`
[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`-- access.lua`
			`--`
			`-- This file is executed at every request on a protected domain or server.`
			`-- You just have to read this file normally to understand how and when the`
			`-- request is handled: redirected, forbidden, bypassed or served.`
Bugfixes 2013-10-15 13:58:16 +02:00			`--`
[enh] Add persistent rules (as conf.json.persistent) 2014-04-10 20:42:43 +02:00
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			-- Get the `cache` persistent shared table
[fix] Load libraries locally to avoid caching 2015-05-16 09:42:26 +02:00			`local cache = ngx.shared.cache`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00
[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`-- Import helpers`
[fix] Load libraries locally to avoid caching 2015-05-16 09:42:26 +02:00			`local hlp = require "helpers"`
Init 2013-10-15 10:11:39 +02:00
Avoid unnecessarily reloading the config file 2020-03-29 18:02:49 +02:00			`-- Initialize and get configuration`
			`hlp.refresh_config()`
			`local conf = hlp.get_config()`

[enh] Separate configuration file loading to a new file and document it 2015-02-02 00:05:09 +01:00			`-- Just a note for the client to know that he passed through the SSO`
Update access.lua 2013-10-16 11:57:53 +02:00			`ngx.header["X-SSO-WAT"] = "You've just been SSOed"`
Init 2013-10-15 10:11:39 +02:00
Epic refactoring for new portal API etc 2021-12-26 17:01:56 +01:00			`local is_logged_in = hlp.check_authentication()`
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00
			`--`
Misc cosmetics / debug tweaks 2020-09-20 18:00:49 +02:00			`-- 3. REDIRECTED URLS`
[enh] Finish documenting the code 2015-02-15 12:31:23 +01:00			`--`
			-- If the URL matches one of the `redirected_urls` in the configuration file,
			`-- just redirect to the target URL/URI`
			`--`
Misc cosmetics / debug tweaks 2020-09-20 18:00:49 +02:00
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00			`function detect_redirection(redirect_url)`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if hlp.string.starts(redirect_url, "http://")`
			`or hlp.string.starts(redirect_url, "https://") then`
			`return hlp.redirect(redirect_url)`
			`elseif hlp.string.starts(redirect_url, "/") then`
			`return hlp.redirect(ngx.var.scheme.."://"..ngx.var.host..redirect_url)`
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00			`else`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`return hlp.redirect(ngx.var.scheme.."://"..redirect_url)`
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00			`end`
			`end`

			`if conf["redirected_urls"] then`
			`for url, redirect_url in pairs(conf["redirected_urls"]) do`
[fix] Separate files properly 2015-02-12 12:08:52 +01:00			`if url == ngx.var.host..ngx.var.uri..hlp.uri_args_string()`
			`or url == ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string()`
			`or url == ngx.var.uri..hlp.uri_args_string() then`
Epic refactoring for new portal API etc 2021-12-26 17:01:56 +01:00			`hlp.logger:debug("Requested URI is in redirected_urls")`
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00			`detect_redirection(redirect_url)`
			`end`
			`end`
			`end`

			`if conf["redirected_regex"] then`
			`for regex, redirect_url in pairs(conf["redirected_regex"]) do`
fix string.match 2020-01-17 08:01:24 +01:00			`if hlp.match(ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)`
			`or hlp.match(ngx.var.scheme.."://"..ngx.var.host..ngx.var.uri..hlp.uri_args_string(), regex)`
			`or hlp.match(ngx.var.uri..hlp.uri_args_string(), regex) then`
Epic refactoring for new portal API etc 2021-12-26 17:01:56 +01:00			`hlp.logger:debug("Requested URI is in redirected_regex")`
[enh] Add custom redirections (url & regex) 2014-04-10 17:35:28 +02:00			`detect_redirection(redirect_url)`
			`end`
			`end`
			`end`
Improve cross-domain authentication 2014-01-31 21:25:46 +01:00
[fix] Fix tile not displayed when app is installed on root (bug #285) (#71) * Fix proposal for bug #285 (YunoHost tile is not displayed when the app is installed on root path) * Fix access to administration page 2017-04-02 23:47:54 +02:00			`--`
Move identification of relevant permission from helpers.lua to access.lua 2020-09-20 17:57:23 +02:00			`-- 4. IDENTIFY THE RELEVANT PERMISSION`
HTTP Auth before permissions managment 2020-05-21 21:53:04 +02:00			`--`
Move identification of relevant permission from helpers.lua to access.lua 2020-09-20 17:57:23 +02:00			`-- In particular, the conf is filled with permissions such as:`
HTTP Auth before permissions managment 2020-05-21 21:53:04 +02:00			`--`
Move identification of relevant permission from helpers.lua to access.lua 2020-09-20 17:57:23 +02:00			`-- "foobar": {`
			`-- "auth_header": false,`
			`-- "label": "Foobar permission",`
			`-- "public": false,`
			`-- "show_tile": true,`
			`-- "uris": [`
			`-- "yolo.test/foobar",`
			`-- "re:^[^/]/%.well%-known/foobar/.$",`
			`-- ],`
			`-- "users": ["alice", "bob"]`
			`-- }`
			`--`
			`--`
			`-- And we find the best matching permission by trying to match the request uri`
			`-- against all the uris rules/regexes from the conf and keep the longest matching one.`
HTTP Auth before permissions managment 2020-05-21 21:53:04 +02:00			`--`

Move identification of relevant permission from helpers.lua to access.lua 2020-09-20 17:57:23 +02:00			`permission = nil`
			`longest_url_match = ""`
do not reauth if we are already logged in 2020-05-21 22:56:52 +02:00
match the beginning of url permissions 2021-01-20 01:28:08 +01:00			`ngx_full_url = ngx.var.host..ngx.var.uri`

Move identification of relevant permission from helpers.lua to access.lua 2020-09-20 17:57:23 +02:00			`for permission_name, permission_infos in pairs(conf["permissions"]) do`
			`if next(permission_infos['uris']) ~= nil then`
			`for _, url in pairs(permission_infos['uris']) do`
			`if string.starts(url, "re:") then`
			`url = string.sub(url, 4, string.len(url))`
			`end`
match the beginning of url permissions 2021-01-20 01:28:08 +01:00			`-- We want to match the beginning of the url`
			`if not string.starts(url, "^") then`
			`url = "^"..url`
			`end`
do not reauth if we are already logged in 2020-05-21 22:56:52 +02:00
match the beginning of url permissions 2021-01-20 01:28:08 +01:00			`local m = hlp.match(ngx_full_url, url)`
Move identification of relevant permission from helpers.lua to access.lua 2020-09-20 17:57:23 +02:00			`if m ~= nil and string.len(m) > string.len(longest_url_match) then`
			`longest_url_match = m`
			`permission = permission_infos`
			`permission["id"] = permission_name`
			`end`
			`end`
			`end`
			`end`
HTTP Auth before permissions managment 2020-05-21 21:53:04 +02:00
			`--`
[fix] Fix tile not displayed when app is installed on root (bug #285) (#71) * Fix proposal for bug #285 (YunoHost tile is not displayed when the app is installed on root path) * Fix access to administration page 2017-04-02 23:47:54 +02:00			`--`
Rework/simplify code that effectively apply the permission 2020-09-20 18:00:37 +02:00			`-- 5. APPLY PERMISSION`
[fix] Fix tile not displayed when app is installed on root (bug #285) (#71) * Fix proposal for bug #285 (YunoHost tile is not displayed when the app is installed on root path) * Fix access to administration page 2017-04-02 23:47:54 +02:00			`--`
			`--`

Rework/simplify code that effectively apply the permission 2020-09-20 18:00:37 +02:00			`-- 1st case : client has access`
[fix] Fix tile not displayed when app is installed on root (bug #285) (#71) * Fix proposal for bug #285 (YunoHost tile is not displayed when the app is installed on root path) * Fix access to administration page 2017-04-02 23:47:54 +02:00
Rework/simplify code that effectively apply the permission 2020-09-20 18:00:37 +02:00			`if hlp.has_access(permission) then`
check permission after unprotected 2020-01-29 12:24:51 +01:00
Rework access 2020-04-01 00:43:59 +02:00			`if is_logged_in then`
Update access.lua 2020-12-17 17:06:19 +01:00			`-- If the user is logged in, refresh_cache`
Epic refactoring for new portal API etc 2021-12-26 17:01:56 +01:00			`--hlp.refresh_user_cache()`
Rework access 2020-04-01 00:43:59 +02:00
Update access.lua 2020-12-17 17:06:19 +01:00			`-- If Basic Authorization header are enable for this permission,`
			`-- add it to the response`
			`if permission["auth_header"] then`
			`hlp.set_headers()`
Rework access 2020-04-01 00:43:59 +02:00			`end`
			`end`

			`return hlp.pass()`
Bugfixes 2013-10-20 17:24:44 +02:00
Rework/simplify code that effectively apply the permission 2020-09-20 18:00:37 +02:00			`-- 2nd case : no access ... redirect to portal / login form`
fix the redirect loop \o/ 2020-05-21 21:51:55 +02:00			`else`

Rework/simplify code that effectively apply the permission 2020-09-20 18:00:37 +02:00			`if is_logged_in then`
			`return hlp.redirect(conf.portal_url)`
			`else`
			`local back_url = "https://" .. ngx.var.host .. ngx.var.uri .. hlp.uri_args_string()`
			`return hlp.redirect(conf.portal_url.."?r="..ngx.encode_base64(back_url))`
			`end`
fix the redirect loop \o/ 2020-05-21 21:51:55 +02:00			`end`