diff --git a/conf.json.example b/conf.json.example index 84e5118..4927a58 100644 --- a/conf.json.example +++ b/conf.json.example @@ -26,5 +26,15 @@ "example.org/myapp": "My other domain App", "example.com/myapp2": "My second App" } + }, + "groups": { + "group1": { + "example.com/myapp": "My App", + "example.com/myapp2": "My second App", + }, + "group2": { + "example.org/myapp": "My other domain App", + "example.com/myapp2": "My second App" + } } } diff --git a/config.lua b/config.lua index ab31ebd..914bd74 100644 --- a/config.lua +++ b/config.lua @@ -48,6 +48,7 @@ function get_config() session_max_timeout = 60 * 60 * 24 * 7, -- one week login_arg = "sso_login", ldap_host = "localhost", + ldap_base = "dc=yunohost,dc=org", ldap_group = "ou=users,dc=yunohost,dc=org", ldap_identifier = "uid", ldap_attributes = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"}, diff --git a/helpers.lua b/helpers.lua index 1f23411..422172e 100644 --- a/helpers.lua +++ b/helpers.lua @@ -91,6 +91,16 @@ function set_cda_key() end +-- Function to serialize a table to a delimited string +function listvalues(s) + local t = { } + for k,v in ipairs(s) do + t[#t+1] = tostring(v) + end + return table.concat(t, " ") +end + + -- Compute and set the authentication cookie -- -- Sets 3 cookies containing: @@ -321,6 +331,26 @@ function set_headers(user) end end end + local grouplist = {} + for dn, groups in ldap:search { + base = conf["ldap_base"], + scope = "subtree", + filter = "(&(objectClass=posixGroup)(member="..conf["ldap_identifier"].."=".. user ..","..conf["ldap_group"].."))", + attrs = {conf["ldap_identifier"]} + } do + for k, v in pairs(groups) do + if k == conf["ldap_identifier"] then + if type(v) == "table" then + for k2,v2 in ipairs(v) do + v2 = string.gsub(v2, " ", "_") + grouplist[k2] = v2 + end + end + end + end + end + local groupstring = listvalues(grouplist) + cache:set(user.."-groups", groupstring, conf["session_timeout"]) else -- Else, just revalidate session for another day by default password = cache:get(user.."-password") @@ -486,16 +516,34 @@ function get_data_for(view) maildrop = mails["maildrop"], app = {} } - + + local all_apps = {} local sorted_apps = {} -- Add user's accessible URLs using the ACLs. -- It is typically used to build the app list. for url, name in pairs(conf["users"][user]) do - if ngx.var.host == conf["local_portal_domain"] then url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"]) end + all_apps[url] = name + end + + -- Add accessible URLs from user's groups. + local getgroups = cache:get(user.."-groups") + for group in string.gmatch(getgroups, "%S+") do + if conf["groups"][group] then + for url, name in pairs(conf["groups"][group]) do + if ngx.var.host == conf["local_portal_domain"] then + url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"]) + end + all_apps[url] = name + end + end + end + + -- Sort list of URLs and add to app list. + for url, name in pairs(all_apps) do table.insert(sorted_apps, name) table.sort(sorted_apps) table.insert(data["app"], index_of(sorted_apps, name), { url = url, name = name })