From ad39e3ded5358dba421aeb6cba05659da7a2c328 Mon Sep 17 00:00:00 2001
From: sidddy
Date: Fri, 12 May 2017 13:54:39 +0200
Subject: [PATCH 1/2] Added access log, ignore IP, check acl for basic auth
---
 access.lua | 5 +++
 helpers.lua | 32 ++++++++++++++++---
 log.lua | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+), 4 deletions(-)
 create mode 100644 log.lua
diff --git a/access.lua b/access.lua
index 3964af0..3f58543 100644
--- a/access.lua
+++ b/access.lua
@@ -372,6 +372,11 @@ if auth_header then
 _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
 user = hlp.authenticate(user, password)
 if user then
+ -- If user has no access to this URL, redirect him to the portal
+ if not hlp.has_access(user) then
+ return hlp.redirect(conf.portal_url)
+ end
+
 hlp.set_headers(user)
 -- If user has no access to this URL, redirect him to the portal
diff --git a/helpers.lua b/helpers.lua
index e834f28..8486034 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -9,6 +9,12 @@ module('helpers', package.seeall)
 local cache = ngx.shared.cache
 local conf = config.get_config()
+local logger = require("log")
+logger.outfile = "/var/log/nginx/ssowat.log"
+
+function log(...)
+ logger.info(...)
+end
 -- Read a FS stored file
 function read_file(file)
@@ -111,7 +117,7 @@ function set_auth_cookie(user, domain)
 cache:add("session_"..user, session_key, conf["session_max_timeout"])
 end
 local hash = ngx.md5(srvkey..
- "|" ..ngx.var.remote_addr..
+-- "|" ..ngx.var.remote_addr..
 "|"..user..
 "|"..expire..
 "|"..session_key)
@@ -125,6 +131,7 @@ function set_auth_cookie(user, domain)
 "SSOwAuthHash="..hash..cookie_str,
 "SSOwAuthExpire="..expire..cookie_str
 }
+ log("Hash "..hash.." generated for "..user.."@"..ngx.var.remote_addr)
 end
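Review bot: The new `hlp.has_access(user)` call passes no `url`, while the helper is declared `function has_access(user, url)` in helpers.lua (visible in the @@ -211 hunk header); unless `has_access` defaults `url` to the current request somewhere outside this patch, the check compares against nil, so confirm that or pass `ngx.var.host..ngx.var.uri` explicitly. The context line right after `hlp.set_headers(user)` carries the very same comment, which suggests an equivalent check already existed below; if so, the addition only moves it ahead of `set_headers` and the later copy becomes unreachable and should be dropped. A client sending an Authorization header is usually not a browser, so a 302 to the portal is rarely actionable; `ngx.exit(ngx.HTTP_FORBIDDEN)` may be the better answer for an ACL miss on this path. The enclosing `if auth_header then` block starts and ends outside the hunk.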
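Review bot: `logger.outfile` is hard-coded to `/var/log/nginx/ssowat.log` at module load, so the path cannot change per deployment and the file is opened with whatever privileges the nginx worker happens to have; reading it from the configuration with the same fallback, `logger.outfile = conf["log_file"] or "/var/log/nginx/ssowat.log"`, keeps the default while making it configurable. The vendored logger ships with `usecolor = true`, so every message is additionally passed to `print` wrapped in ANSI escape sequences; setting `logger.usecolor = false` here keeps whatever `print` feeds under nginx free of terminal escapes. `function log(...)` under `module('helpers', package.seeall)` becomes `helpers.log`, which is easy to confuse with the `log` module being required one line above; a short comment such as `-- Thin wrapper around the file logger; used by the ACC/AUTH lines below` would help.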
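Review bot: The added `log("Hash "..hash.." generated for "..)` writes the freshly minted `SSOwAuthHash` cookie value in full to the log file, so anyone who can read ssowat.log (log shipping, backups, other admins) learns the session authenticator for that user; the other cookie inputs are the user name, on the same line, and an expiry timestamp that is a small search space around the log timestamp. A short prefix is enough for correlating lines: `log("Hash "..string.sub(hash, 1, 8).."... generated for "..user.."@"..ngx.var.remote_addr)`. The comment-out of `ngx.var.remote_addr` in the previous hunk is reverted by the second patch on this page, so it is not re-raised here.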
@@ -180,10 +187,13 @@ function is_logged_in()
 if cache:get(user.."-password") then
 authUser = user
 local hash = ngx.md5(srvkey..
- "|"..ngx.var.remote_addr..
+-- "|"..ngx.var.remote_addr..
 "|"..authUser..
 "|"..expireTime..
 "|"..session_key)
+ if hash ~= authHash then
+ log("Hash "..authHash.." rejected for "..user.."@"..ngx.var.remote_addr)
+ end
 return hash == authHash
 end
 end
@@ -193,6 +203,15 @@ function is_logged_in()
 return false
 end
+function log_access(user, app)
+ local key = "ACC|"..user.."|"..app
+ local block = cache:get(key)
+ if block == nil then
+ logger.info("ACC "..app.." by "..user.."@"..ngx.var.remote_addr)
+ cache:set(key, "block", 60)
+ end
+end
+
 -- Check whether a user is allowed to access a URL using the `users` directive
 -- of the configuration file
@@ -211,7 +230,7 @@ function has_access(user, url)
 end
 -- Loop through user's ACLs and return if the URL is authorized.
- for u, _ in pairs(conf["users"][user]) do
+ for u, app in pairs(conf["users"][user]) do
 -- Replace the original domain by a local one if you are connected from
 -- a non-global domain name.
@@ -219,7 +238,10 @@ function has_access(user, url)
 u = string.gsub(u, conf["original_portal_domain"], conf["local_portal_domain"])
 end
- if string.starts(url, string.sub(u, 1, -2)) then return true end
+ if string.starts(url, string.sub(u, 1, -2)) then
+ log_access(user, app)
+ return true
+ end
 end
 return false
 end
@@ -268,11 +290,13 @@ function authenticate(user, password)
 if connected then
 cache:add(user.."-password", password, conf["session_timeout"])
 ngx.log(ngx.NOTICE, "Connected as: "..user)
+ logger.info("AUTHSUCC "..user.."@"..ngx.var.remote_addr)
 return user
 -- Else, the username/email or the password is wrong
 else
 ngx.log(ngx.ERR, "Connection failed for: "..user)
+ logger.info("AUTHFAIL "..user.."@"..ngx.var.remote_addr)
 return false
 end
 end
diff --git a/log.lua b/log.lua
new file mode 100644
index 0000000..9b123d0
--- /dev/null
+++ b/log.lua
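Review bot: The new rejection log concatenates `authHash` straight from the request cookie: if `authHash` can be nil on this path (it is read outside the hunk), `"Hash "..authHash` raises instead of `is_logged_in` returning false, and when present it is attacker-chosen text being appended to ssowat.log, so any control character the cookie carries lands in the file as-is. `log("Hash "..tostring(authHash).." rejected for "..user.."@"..ngx.var.remote_addr)` covers the first point; passing the value through `(string.gsub(tostring(authHash), "%c", "?"))` (the parentheses drop gsub's second return value) covers the second. The `remote_addr` comment-out in this hunk is restored by the second patch below, so it is not re-raised here.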
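Review bot: `log_access` does a `cache:get` followed by a `cache:set` on the same shared dict that holds the `session_*` and `<user>-password` entries, and `ngx.shared.DICT:set` evicts older keys when the zone is full, so a burst of distinct user/app pairs can push live sessions out of the cache; `safe_add` never evicts and its return value already says whether the key was new, which also removes the get/set race between workers: `if cache:safe_add(key, true, 60) then logger.info("ACC "..app.." by "..user.."@"..ngx.var.remote_addr) end` (assuming the OpenResty in use provides `safe_add`). The 60-second suppression deserves a comment, since the file then records the first access per user/app per minute rather than each request, e.g. `-- Log at most one ACC line per user/app per minute; the shared-cache entry is the throttle`. `app` is whatever value sits in `conf["users"][user]`, whose shape this patch does not show; if it can be anything but a string the concatenation raises.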
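Review bot: `has_access` is now a predicate with a side effect: every true result, from any caller, emits an ACC line through `log_access`, including the new pre-check in access.lua and any caller that only asks whether a link should be shown, so an ACC line does not necessarily mean a visit happened. If the intent is a request log, calling `log_access` from the request path after the final decision keeps the predicate pure; if it stays here, the function comment shown in the previous hunk should say so, e.g. `-- Side effect: a matching ACL also records an ACC line via log_access (throttled per user/app)`. `has_access` starts outside this hunk.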
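Review bot: The AUTHSUCC/AUTHFAIL lines write `user` unsanitized, and on the Basic-auth path in access.lua the name is cut out of the decoded header with `"^(.+):(.+)$"`, where Lua's `.` matches any byte including newline and ESC, so a crafted Authorization header can inject fake lines or terminal escape sequences into ssowat.log — the existing `ngx.log` calls take the same input, but this new file is the kind that fail2ban-style tooling is pointed at. Strip control characters before logging, `local safe_user = (string.gsub(user, "%c", "?"))`, and use `safe_user` in both `logger.info` calls. The AUTHFAIL line is also the one an unauthenticated client can generate at will, so a one-line comment that it is intentionally unthrottled (unlike `log_access`) would save the next reader a question.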
@@ -0,0 +1,91 @@
+--
+-- log.lua
+--
+-- Copyright (c) 2016 rxi
+--
+-- This library is free software; you can redistribute it and/or modify it
+-- under the terms of the MIT license. See LICENSE for details.
+--
+
+local log = { _version = "0.1.0" }
+
+log.usecolor = true
+log.outfile = nil
+log.level = "trace"
+
+
+local modes = {
+ { name = "trace", color = "\27[34m", },
+ { name = "debug", color = "\27[36m", },
+ { name = "info", color = "\27[32m", },
+ { name = "warn", color = "\27[33m", },
+ { name = "error", color = "\27[31m", },
+ { name = "fatal", color = "\27[35m", },
+}
+
+
+local levels = {}
+for i, v in ipairs(modes) do
+ levels[v.name] = i
+end
+
+
+local round = function(x, increment)
+ increment = increment or 1
+ x = x / increment
+ return (x > 0 and math.floor(x + .5) or math.ceil(x - .5)) * increment
+end
+
+
+local _tostring = tostring
+
+local tostring = function(...)
+ local t = {}
+ for i = 1, select('#', ...) do
+ local x = select(i, ...)
+ if type(x) == "number" then
+ x = round(x, .01)
+ end
+ t[#t + 1] = _tostring(x)
+ end
+ return table.concat(t, " ")
+end
+
+
+for i, x in ipairs(modes) do
+ local nameupper = x.name:upper()
+ log[x.name] = function(...)
+
+ -- Return early if we're below the log level
+ if i < levels[log.level] then
+ return
+ end
+
+ local msg = tostring(...)
+ local info = debug.getinfo(2, "Sl")
+-- local lineinfo = info.short_src .. ":" .. info.currentline
+ local lineinfo = ""
+
+ -- Output to console
+ print(string.format("%s[%-6s%s]%s %s: %s",
+ log.usecolor and x.color or "",
+ nameupper,
+ os.date("%H:%M:%S"),
+ log.usecolor and "\27[0m" or "",
+ lineinfo,
+ msg))
+
+ -- Output to log file
+ if log.outfile then
+ local fp = io.open(log.outfile, "a")
+ local str = string.format("[%-6s%s] %s: %s\n",
+ nameupper, os.date(), lineinfo, msg)
+ fp:write(str)
+ fp:close()
+ end
+
+ end
+end
+
+
+return log
From 054b7d1752e4193258ffb6fae443afb1185382e5 Mon Sep 17 00:00:00 2001
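Review bot: `io.open(log.outfile, "a")` is used without checking its result, so whenever the worker cannot create or append to the file (a fresh install where `/var/log/nginx/` is not writable by the worker user, a rotated-away file, a full disk) `fp:write` raises "attempt to index a nil value" inside `logger.info`, and because helpers.lua calls the logger from `authenticate`, `has_access` and `set_auth_cookie`, a logging problem turns into a failed login. Treat the file as best-effort: open, write only on success, never raise from the logger. `debug.getinfo(2, "Sl")` is also still evaluated for every message although `lineinfo` was hard-wired to `""`, so either drop that line or restore the commented one. This is a locally modified copy of rxi's log.lua; marking each local change (e.g. a `-- SSOwat:` prefix) keeps a future upgrade of the library manageable.
```lua
    -- … unchanged: level check and console output …
    if log.outfile then
      local fp = io.open(log.outfile, "a")
      if fp then
        local str = string.format("[%-6s%s] %s: %s\n",
                                  nameupper, os.date(), lineinfo, msg)
        fp:write(str)
        fp:close()
      end
    end
```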
From: Laurent Peuch
Date: Sat, 13 May 2017 15:08:56 +0200
Subject: [PATCH 2/2] [mod] remove things not related to logging
---
 helpers.lua | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/helpers.lua b/helpers.lua
index 8486034..4fcca88 100644
--- a/helpers.lua
+++ b/helpers.lua
@@ -117,7 +117,7 @@ function set_auth_cookie(user, domain)
 cache:add("session_"..user, session_key, conf["session_max_timeout"])
 end
 local hash = ngx.md5(srvkey..
--- "|" ..ngx.var.remote_addr..
+ "|" ..ngx.var.remote_addr..
 "|"..user..
 "|"..expire..
 "|"..session_key)
@@ -187,11 +187,11 @@ function is_logged_in()
 if cache:get(user.."-password") then
 authUser = user
 local hash = ngx.md5(srvkey..
--- "|"..ngx.var.remote_addr..
+ "|"..ngx.var.remote_addr..
 "|"..authUser..
 "|"..expireTime..
 "|"..session_key)
- if hash ~= authHash then
+ if hash ~= authHash then
 log("Hash "..authHash.." rejected for "..user.."@"..ngx.var.remote_addr)
 end
 return hash == authHash
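Review bot: Re-enabling `ngx.var.remote_addr` in the hash is the right call, but nothing near the line says why it must stay, which is how it got commented out in the first patch; a comment above `local hash = ngx.md5(srvkey..` such as `-- Bind the cookie hash to the client address: is_logged_in() recomputes it with the current remote_addr, so a cookie replayed from another IP is rejected` would keep the next cleanup from removing it again. The caveat worth stating in the same comment is that behind a reverse proxy `remote_addr` is the proxy's address unless the real client IP is restored upstream, in which case all clients share one binding and a roaming client is logged out on every address change. The `log("Hash "..hash..` line that writes the full cookie hash to the log file sits a few lines below this hunk and is left in place by this patch. `set_auth_cookie` starts and ends outside the hunk.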