POC: be able to access pages using an admin token
This commit is contained in:
parent
81abda2f4e
commit
00e6b224cb
2 changed files with 47 additions and 0 deletions
46
helpers.lua
46
helpers.lua
|
@ -299,6 +299,46 @@ function log_access(user, uri)
|
|||
end
|
||||
end
|
||||
|
||||
-- Check if the request contains the admin token
|
||||
function is_admin()
|
||||
|
||||
local admin_token_header = ngx.req.get_headers()["SSOwat-Admin-Token"]
|
||||
|
||||
if admin_token_header == nil then
|
||||
return false
|
||||
end
|
||||
|
||||
-- FIXME : ideally we should also be checking that the permissions for this file are something like 600 + appropriate owner...
|
||||
local admin_token_file = io.open(admin_token_path, "r")
|
||||
if admin_token_file == nil then
|
||||
-- N.B. these messages should use the same syntax as in authenticate()
|
||||
ngx.log(ngx.ERR, "Connection failed for: admin")
|
||||
logger.error("Authentication failure for user admin from "..ngx.var.remote_addr)
|
||||
return false
|
||||
end
|
||||
local token = admin_token_file:read("*all")
|
||||
if token == nil then
|
||||
-- N.B. these messages should use the same syntax as in authenticate()
|
||||
ngx.log(ngx.ERR, "Connection failed for: admin")
|
||||
logger.error("Authentication failure for user admin from "..ngx.var.remote_addr)
|
||||
return false
|
||||
end
|
||||
io.close(admin_token_file)
|
||||
|
||||
local token = token:gsub("\n","")
|
||||
|
||||
-- FIXME FIXME FIXME - this is a really stupid and time-attack-prone way to validate the token
|
||||
if admin_token_header == token then
|
||||
return true
|
||||
else
|
||||
ngx.log(ngx.ERR, "Connection failed for: admin")
|
||||
logger.error("Authentication failure for user admin from "..ngx.var.remote_addr)
|
||||
return false
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
|
||||
-- Check whether a user is allowed to access a URL using the `permissions` directive
|
||||
-- of the configuration file
|
||||
function has_access(permission, user)
|
||||
|
@ -309,6 +349,12 @@ function has_access(permission, user)
|
|||
return false
|
||||
end
|
||||
|
||||
if user == nil and not permission["public"] and is_admin()
|
||||
then
|
||||
logger.debug("Admin accesses "..ngx.var.host..ngx.var.uri..uri_args_string())
|
||||
return true
|
||||
end
|
||||
|
||||
-- Public access
|
||||
if user == nil or permission["public"] then
|
||||
user = user or "A visitor"
|
||||
|
|
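Review bot: In the first hunk the `token == nil` check after `admin_token_file:read("*all")` cannot fire — `read("*all")` yields an empty string at end of file, never nil — so an empty token file leaves `token == ""`, and a present-but-empty `SSOwat-Admin-Token` header may then compare equal and be granted admin; change it to `if token == nil or token == "" then` and move `io.close(admin_token_file)` above that check so the early return does not leak the handle. `token:gsub("\n","")` strips only newlines, so a file saved with a trailing `\r` or spaces would never match; `local token = token:match("^%s*(.-)%s*$")` trims both ends instead. The FIXME already flags the timing issue in `admin_token_header == token`; the helper below visits every byte regardless of where the first mismatch is, and `is_admin()` can call it in place of `==`. In the second hunk a successful admin bypass is logged only at debug level while failures go to ERR, which hides the privileged path from the normal log; consider `logger.info` there so token-based accesses are always auditable.
```lua
-- Compare two strings without stopping at the first differing byte.
local function tokens_equal(a, b)
    if #a ~= #b then return false end
    local mismatches = 0
    for i = 1, #a do
        if a:byte(i) ~= b:byte(i) then mismatches = mismatches + 1 end
    end
    return mismatches == 0
end
-- … unchanged: header lookup, token file read and trim …
if token ~= "" and tokens_equal(admin_token_header, token) then
```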
1
init.lua
1
init.lua
|
@ -11,6 +11,7 @@
|
|||
-- Path of the configuration
|
||||
conf_path = "/etc/ssowat/conf.json"
|
||||
log_file = "/var/log/nginx/ssowat.log"
|
||||
admin_token_path = "/etc/ssowat/admin_token"
|
||||
|
||||
-- Remove prepending '@' & trailing 'init.lua'
|
||||
script_path = string.sub(debug.getinfo(1).source, 2, -9)
|
||||
|
|