[enh] Renew session until session_max_timeout value + bugfixes + logging informations

This commit is contained in:
Kload 2014-04-16 21:06:47 +02:00
parent 0ff95a99dc
commit 790119235d

View file

@ -37,6 +37,10 @@ if not conf["session_timeout"] then
conf["session_timeout"] = 60 * 60 * 24 -- one day conf["session_timeout"] = 60 * 60 * 24 -- one day
end end
if not conf["session_max_timeout"] then
conf["session_max_timeout"] = 60 * 60 * 24 * 7 -- one week
end
local portal_url = conf["portal_scheme"].."://".. local portal_url = conf["portal_scheme"].."://"..
conf["portal_domain"].. conf["portal_domain"]..
conf["portal_path"] conf["portal_path"]
@ -85,12 +89,12 @@ function flash (wat, message)
end end
function set_auth_cookie (user, domain) function set_auth_cookie (user, domain)
local maxAge = conf["session_timeout"] local maxAge = conf["session_max_timeout"]
local expire = ngx.req.start_time() + maxAge local expire = ngx.req.start_time() + maxAge
local session_key = cache:get("session_"..user) local session_key = cache:get("session_"..user)
if not session_key then if not session_key then
session_key = tostring(math.random(1111111, 9999999)) session_key = tostring(math.random(1111111, 9999999))
cache:add("session_"..user, session_key) cache:add("session_"..user, session_key, conf["session_max_timeout"])
end end
local hash = ngx.md5(srvkey.. local hash = ngx.md5(srvkey..
"|" ..ngx.var.remote_addr.. "|" ..ngx.var.remote_addr..
@ -105,14 +109,6 @@ function set_auth_cookie (user, domain)
cook("SSOwAuthExpire="..expire..cookie_str) cook("SSOwAuthExpire="..expire..cookie_str)
end end
function set_redirect_cookie (redirect_url)
cook(
"SSOwAuthRedirect="..redirect_url..
"; Path="..conf["portal_path"]..
"; Max-Age=3600;"
)
end
function delete_cookie () function delete_cookie ()
expired_time = "Thu, Jan 01 1970 00:00:00 UTC;" expired_time = "Thu, Jan 01 1970 00:00:00 UTC;"
for _, domain in ipairs(conf["domains"]) do for _, domain in ipairs(conf["domains"]) do
@ -144,6 +140,8 @@ function is_logged_in ()
-- Check hash -- Check hash
local session_key = cache:get("session_"..ngx.var.cookie_SSOwAuthUser) local session_key = cache:get("session_"..ngx.var.cookie_SSOwAuthUser)
if session_key and session_key ~= "" then if session_key and session_key ~= "" then
-- Check cache
if cache:get(ngx.var.cookie_SSOwAuthUser.."-password") then
local hash = ngx.md5(srvkey.. local hash = ngx.md5(srvkey..
"|"..ngx.var.remote_addr.. "|"..ngx.var.remote_addr..
"|"..ngx.var.cookie_SSOwAuthUser.. "|"..ngx.var.cookie_SSOwAuthUser..
@ -153,6 +151,7 @@ function is_logged_in ()
end end
end end
end end
end
return false return false
end end
@ -180,8 +179,10 @@ function authenticate (user, password)
attrs = {"uid"} attrs = {"uid"}
} do } do
if attribs["uid"] then if attribs["uid"] then
ngx.log(ngx.NOTICE, "Use email: "..user)
user = attribs["uid"] user = attribs["uid"]
else else
ngx.log(ngx.NOTICE, "Unknown email: "..user)
return false return false
end end
end end
@ -196,24 +197,27 @@ function authenticate (user, password)
cache:flush_expired() cache:flush_expired()
if connected then if connected then
cache:add(user.."-password", password, conf["session_timeout"]) cache:add(user.."-password", password, conf["session_timeout"])
ngx.log(ngx.NOTICE, "Connected as: "..user)
return user return user
else else
ngx.log(ngx.NOTICE, "Connection failed for: "..user)
return false return false
end end
end end
function set_headers (user) function set_headers (user)
if ngx.var.scheme ~= "https" then if ngx.var.scheme ~= "https" then
return redirect("https://"..ngx.var.http_host..ngx.var.uri) return redirect("https://"..ngx.var.host..ngx.var.uri)
end end
user = user or ngx.var.cookie_SSOwAuthUser user = user or ngx.var.cookie_SSOwAuthUser
if not cache:get(user.."-password") then if not cache:get(user.."-password") then
flash("info", "Please log in to access to this content") flash("info", "Please log in to access to this content")
local back_url = ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri
return redirect(portal_url.."?r="..ngx.encode_base64(back_url)) return redirect(portal_url.."?r="..ngx.encode_base64(back_url))
end end
if not cache:get(user.."-uid") then if not cache:get(user.."-uid") then
ldap = lualdap.open_simple("localhost") ldap = lualdap.open_simple("localhost")
ngx.log(ngx.NOTICE, "Reloading LDAP values for: "..user)
for dn, attribs in ldap:search { for dn, attribs in ldap:search {
base = "uid=".. user ..",ou=users,dc=yunohost,dc=org", base = "uid=".. user ..",ou=users,dc=yunohost,dc=org",
scope = "base", scope = "base",
@ -224,13 +228,17 @@ function set_headers (user)
if type(v) == "table" then if type(v) == "table" then
for k2,v2 in ipairs(v) do for k2,v2 in ipairs(v) do
if k2 == 1 then cache:set(user.."-"..k, v2, conf["session_timeout"]) end if k2 == 1 then cache:set(user.."-"..k, v2, conf["session_timeout"]) end
cache:set(user.."-"..k.."|"..k2, v2, conf["session_timeout"]) cache:set(user.."-"..k.."|"..k2, v2, conf["session_max_timeout"])
end end
else else
cache:set(user.."-"..k, v, conf["session_timeout"]) cache:set(user.."-"..k, v, conf["session_timeout"])
end end
end end
end end
else
-- Revalidate session for another day by default
password = cache:get(user.."-password")
cache:set(user.."-password", password, conf["session_timeout"])
end end
-- Set HTTP Auth header -- Set HTTP Auth header
@ -545,6 +553,7 @@ function do_logout()
local args = ngx.req.get_uri_args() local args = ngx.req.get_uri_args()
if is_logged_in() then if is_logged_in() then
cache:delete("session_"..ngx.var.cookie_SSOwAuthUser) cache:delete("session_"..ngx.var.cookie_SSOwAuthUser)
cache:delete(user.."-uid") -- Ugly trick to reload cache
flash("info", "Logged out") flash("info", "Logged out")
return redirect(portal_url) return redirect(portal_url)
end end
@ -552,6 +561,7 @@ end
function redirect (url) function redirect (url)
ngx.header["Set-Cookie"] = cookies ngx.header["Set-Cookie"] = cookies
ngx.log(ngx.INFO, "Redirect to: "..url)
return ngx.redirect(url) return ngx.redirect(url)
end end
@ -573,6 +583,7 @@ if string.match(ngx.var.uri, "~sso~%d+$") then
cda_key = string.sub(ngx.var.uri, -7) cda_key = string.sub(ngx.var.uri, -7)
if login[cda_key] then if login[cda_key] then
set_auth_cookie(login[cda_key], ngx.var.host) set_auth_cookie(login[cda_key], ngx.var.host)
ngx.log(ngx.NOTICE, "Cross-domain authentication: "..login[cda_key].." connected on "..ngx.var.host)
login[cda_key] = nil login[cda_key] = nil
return redirect(string.gsub(ngx.var.uri, "~sso~%d+$", "")) return redirect(string.gsub(ngx.var.uri, "~sso~%d+$", ""))
end end
@ -597,7 +608,7 @@ then
-- Logout -- Logout
return do_logout() return do_logout()
elseif is_logged_in() and uri_args.r then elseif is_logged_in() and uri_args.r and ngx.decode_base64(uri_args.r) ~= portal_url then
cda_key = tostring(math.random(1111111, 9999999)) cda_key = tostring(math.random(1111111, 9999999))
login[cda_key] = ngx.var.cookie_SSOwAuthUser login[cda_key] = ngx.var.cookie_SSOwAuthUser
return redirect(ngx.decode_base64(uri_args.r).."~sso~"..cda_key) return redirect(ngx.decode_base64(uri_args.r).."~sso~"..cda_key)
@ -787,6 +798,6 @@ end
-- --
flash("info", "Please log in to access to this content") flash("info", "Please log in to access to this content")
local back_url = ngx.var.scheme .. "://" .. ngx.var.http_host .. ngx.var.uri local back_url = ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri
return redirect(portal_url.."?r="..ngx.encode_base64(back_url)) return redirect(portal_url.."?r="..ngx.encode_base64(back_url))