Merge branch 'logging' into logging-reloaded

access.lua

@@ -416,6 +416,11 @@ if auth_header then
     _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
     user = hlp.authenticate(user, password)
     if user then
+        -- If user has no access to this URL, redirect him to the portal
+        if not hlp.has_access(user) then
+           return hlp.redirect(conf.portal_url)
+        end
+
         hlp.set_headers(user)
 
         -- If user has no access to this URL, redirect him to the portal

helpers.lua

@@ -9,6 +9,12 @@ module('helpers', package.seeall)
 
 local cache = ngx.shared.cache
 local conf = config.get_config()
+local logger = require("log")
+logger.outfile = "/var/log/nginx/ssowat.log"
+
+function log(...)
+    logger.info(...)
+end
 
 -- Read a FS stored file
 function read_file(file)
@@ -158,6 +164,7 @@ function set_auth_cookie(user, domain)
         "SSOwAuthHash="..hash..cookie_str,
         "SSOwAuthExpire="..expire..cookie_str
     }
+    log("Hash "..hash.." generated for "..user.."@"..ngx.var.remote_addr)
 end
 
 
@@ -220,6 +227,9 @@ function is_logged_in()
                             authUser..
                             "|"..expireTime..
                             "|"..session_key)
+                    if hash ~= authHash then
+                        log("Hash "..authHash.." rejected for "..user.."@"..ngx.var.remote_addr)
+                    end
                     return hash == authHash
                 end
             end
@@ -229,6 +239,15 @@ function is_logged_in()
     return false
 end
 
+function log_access(user, app)
+  local key = "ACC|"..user.."|"..app
+  local block = cache:get(key)
+  if block == nil then
+    logger.info("ACC "..app.." by "..user.."@"..ngx.var.remote_addr)
+    cache:set(key, "block", 60)
+  end
+end
+
 
 -- Check whether a user is allowed to access a URL using the `users` directive
 -- of the configuration file
@@ -247,7 +266,7 @@ function has_access(user, url)
     end
 
     -- Loop through user's ACLs and return if the URL is authorized.
-    for u, _ in pairs(conf["users"][user]) do
+    for u, app in pairs(conf["users"][user]) do
 
         -- Replace the original domain by a local one if you are connected from
         -- a non-global domain name.
@@ -255,7 +274,10 @@ function has_access(user, url)
             u = string.gsub(u, conf["original_portal_domain"], conf["local_portal_domain"])
         end
 
-        if string.starts(url, string.sub(u, 1, -2)) then return true end
+        if string.starts(url, string.sub(u, 1, -2)) then
+            log_access(user, app)
+            return true
+        end
     end
     return false
 end
@@ -307,11 +329,13 @@ function authenticate(user, password)
         end
         cache:add(user.."-password", password, conf["session_timeout"])
         ngx.log(ngx.NOTICE, "Connected as: "..user)
+        logger.info("AUTHSUCC "..user.."@"..ngx.var.remote_addr)
         return user
 
     -- Else, the username/email or the password is wrong
     else
         ngx.log(ngx.ERR, "Connection failed for: "..user)
+        logger.info("AUTHFAIL "..user.."@"..ngx.var.remote_addr)
         return false
     end
 end

log.lua

@@ -0,0 +1,91 @@
+--
+-- log.lua
+--
+-- Copyright (c) 2016 rxi
+--
+-- This library is free software; you can redistribute it and/or modify it
+-- under the terms of the MIT license. See LICENSE for details.
+--
+
+local log = { _version = "0.1.0" }
+
+log.usecolor = true
+log.outfile = nil
+log.level = "trace"
+
+
+local modes = {
+  { name = "trace", color = "\27[34m", },
+  { name = "debug", color = "\27[36m", },
+  { name = "info",  color = "\27[32m", },
+  { name = "warn",  color = "\27[33m", },
+  { name = "error", color = "\27[31m", },
+  { name = "fatal", color = "\27[35m", },
+}
+
+
+local levels = {}
+for i, v in ipairs(modes) do
+  levels[v.name] = i
+end
+
+
+local round = function(x, increment)
+  increment = increment or 1
+  x = x / increment
+  return (x > 0 and math.floor(x + .5) or math.ceil(x - .5)) * increment
+end
+
+
+local _tostring = tostring
+
+local tostring = function(...)
+  local t = {}
+  for i = 1, select('#', ...) do
+    local x = select(i, ...)
+    if type(x) == "number" then
+      x = round(x, .01)
+    end
+    t[#t + 1] = _tostring(x)
+  end
+  return table.concat(t, " ")
+end
+
+
+for i, x in ipairs(modes) do
+  local nameupper = x.name:upper()
+  log[x.name] = function(...)
+    
+    -- Return early if we're below the log level
+    if i < levels[log.level] then
+      return
+    end
+
+    local msg = tostring(...)
+    local info = debug.getinfo(2, "Sl")
+--    local lineinfo = info.short_src .. ":" .. info.currentline
+    local lineinfo = ""
+
+    -- Output to console
+    print(string.format("%s[%-6s%s]%s %s: %s",
+                        log.usecolor and x.color or "",
+                        nameupper,
+                        os.date("%H:%M:%S"),
+                        log.usecolor and "\27[0m" or "",
+                        lineinfo,
+                        msg))
+
+    -- Output to log file
+    if log.outfile then
+      local fp = io.open(log.outfile, "a")
+      local str = string.format("[%-6s%s] %s: %s\n",
+                                nameupper, os.date(), lineinfo, msg)
+      fp:write(str)
+      fp:close()
+    end
+
+  end
+end
+
+
+return log