From 00e6b224cb3f3c3a8eba42430090539238c857bb Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Mon, 1 Mar 2021 17:42:03 +0100
Subject: [PATCH] POC: be able to access pages using an admin token

---
 helpers.lua | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 init.lua | 1 +
 2 files changed, 47 insertions(+)

diff --git a/helpers.lua b/helpers.lua
index de99177..1c3e7b8 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -299,6 +299,46 @@ function log_access(user, uri)
 end
 end
 
+-- Check if the request contains the admin token
+function is_admin()
+
+ local admin_token_header = ngx.req.get_headers()["SSOwat-Admin-Token"]
+
+ if admin_token_header == nil then
+ return false
+ end
+
+ -- FIXME : ideally we should also be checking that the permissions for this file are something like 600 + appropriate owner...
+ local admin_token_file = io.open(admin_token_path, "r")
+ if admin_token_file == nil then
+ -- N.B. these messages should use the same syntax as in authenticate()
+ ngx.log(ngx.ERR, "Connection failed for: admin")
+ logger.error("Authentication failure for user admin from "..ngx.var.remote_addr)
+ return false
+ end
+ local token = admin_token_file:read("*all")
+ if token == nil then
+ -- N.B. these messages should use the same syntax as in authenticate()
+ ngx.log(ngx.ERR, "Connection failed for: admin")
+ logger.error("Authentication failure for user admin from "..ngx.var.remote_addr)
+ return false
+ end
+ io.close(admin_token_file)
+
+ local token = token:gsub("\n","")
+
+ -- FIXME FIXME FIXME - this is a really stupid and time-attack-prone way to validate the token
+ if admin_token_header == token then
+ return true
+ else
+ ngx.log(ngx.ERR, "Connection failed for: admin")
+ logger.error("Authentication failure for user admin from "..ngx.var.remote_addr)
+ return false
+ end
+
+end
+
+
 -- Check whether a user is allowed to access a URL using the `permissions` directive
 -- of the configuration file
 function has_access(permission, user)
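Review bot: An empty admin_token file fails open in is_admin(): read("*all") returns "" rather than nil at EOF, so the `token == nil` branch never triggers, the gsub leaves "", and a request carrying `SSOwat-Admin-Token` with an empty value (which get_headers() appears to return as "") compares equal and is granted admin. That same `token == nil` branch also returns without closing the handle, unlike the branch below it. I would close the file immediately after the read and reject an empty token before comparing, which also covers a file that contains only a newline or a CRLF. On the timing FIXME, in LuaJIT string `==` is an interned-pointer comparison, so the comparison itself is not where time leaks; comparing `ngx.sha1_bin` digests of both values is the usual belt-and-braces if you want it.
```lua
    local token = admin_token_file:read("*all")
    io.close(admin_token_file)
    -- strip trailing CR/LF; an empty or unreadable token must never match anything
    token = (token or ""):gsub("[\r\n]", "")
    if token == "" then
        ngx.log(ngx.ERR, "Connection failed for: admin")
        logger.error("Authentication failure for user admin from "..ngx.var.remote_addr)
        return false
    end
    -- … unchanged: comparison against admin_token_header and failure logging …
```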
@@ -309,6 +349,12 @@ function has_access(permission, user)
 return false
 end
 
+ if user == nil and not permission["public"] and is_admin()
+ then
+ logger.debug("Admin accesses "..ngx.var.host..ngx.var.uri..uri_args_string())
+ return true
+ end
+
 -- Public access
 if user == nil or permission["public"] then
 user = user or "A visitor"
diff --git a/init.lua b/init.lua
index 6993e53..4de561f 100644
--- a/init.lua
+++ b/init.lua
@@ -11,6 +11,7 @@
 -- Path of the configuration
 conf_path = "/etc/ssowat/conf.json"
 log_file = "/var/log/nginx/ssowat.log"
+admin_token_path = "/etc/ssowat/admin_token"
 
 -- Remove prepending '@' & trailing 'init.lua'
 script_path = string.sub(debug.getinfo(1).source, 2, -9)
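Review bot: The admin branch grants access to every non-public permission on the host but records it only at debug level and without the client address, whereas the rejections inside is_admin() go out at error level with ngx.var.remote_addr; a successful use of a bearer token is the event an operator most needs to find in the log. I would raise it to info and include the address, e.g. `logger.info("Admin token accepted from "..ngx.var.remote_addr.." for "..ngx.var.host..ngx.var.uri..uri_args_string())`, or route it through the existing log_access(user, uri) helper if its user argument accepts a fixed "admin" label. If the token is meant only for the admin panel, the check should also be scoped to that permission rather than to every non-public one; I cannot tell the intended scope from the POC. The has_access body continues outside the hunk on both sides.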