Merge branch 'logging' into logging-reloaded

This commit is contained in:
Alexandre Aubin 2019-09-24 17:27:44 +02:00
commit 7cb61f1619
3 changed files with 122 additions and 2 deletions


@ -416,6 +416,11 @@ if auth_header then
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$") _, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
user = hlp.authenticate(user, password) user = hlp.authenticate(user, password)
if user then if user then
-- If user has no access to this URL, redirect him to the portal
if not hlp.has_access(user) then
return hlp.redirect(conf.portal_url)
end
hlp.set_headers(user) hlp.set_headers(user)
-- If user has no access to this URL, redirect him to the portal -- If user has no access to this URL, redirect him to the portal
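Review bot: The new guard at L15 calls `hlp.has_access(user)` with a single argument, while the helper in the second file is declared `function has_access(user, url)` and ends up in `string.starts(url, string.sub(u, 1, -2))`; unless has_access defaults `url` from `ngx.var` somewhere above the visible hunk (it starts outside the shown lines — please confirm), this passes nil straight into the prefix check. Passing the URL explicitly, `if not hlp.has_access(user, ngx.var.host..ngx.var.uri) then`, would make the intent clear regardless. The context line at L19 shows the pre-existing "no access → portal" check still following `hlp.set_headers(user)`, so after this commit the ACL is evaluated twice per Basic-Auth request; the older copy below should be dropped now that the check precedes set_headers. The enclosing `if auth_header` block continues past the end of this hunk.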


@ -9,6 +9,12 @@ module('helpers', package.seeall)
local cache = ngx.shared.cache local cache = ngx.shared.cache
local conf = config.get_config() local conf = config.get_config()
local logger = require("log")
logger.outfile = "/var/log/nginx/ssowat.log"
function log(...)
logger.info(...)
end
-- Read a FS stored file -- Read a FS stored file
function read_file(file) function read_file(file)
@ -158,6 +164,7 @@ function set_auth_cookie(user, domain)
"SSOwAuthHash="..hash..cookie_str, "SSOwAuthHash="..hash..cookie_str,
"SSOwAuthExpire="..expire..cookie_str "SSOwAuthExpire="..expire..cookie_str
} }
log("Hash "..hash.." generated for "..user.."@"..ngx.var.remote_addr)
end end
@ -220,6 +227,9 @@ function is_logged_in()
authUser.. authUser..
"|"..expireTime.. "|"..expireTime..
"|"..session_key) "|"..session_key)
if hash ~= authHash then
log("Hash "..authHash.." rejected for "..user.."@"..ngx.var.remote_addr)
end
return hash == authHash return hash == authHash
end end
end end
@ -229,6 +239,15 @@ function is_logged_in()
return false return false
end end
function log_access(user, app)
local key = "ACC|"..user.."|"..app
local block = cache:get(key)
if block == nil then
logger.info("ACC "..app.." by "..user.."@"..ngx.var.remote_addr)
cache:set(key, "block", 60)
end
end
-- Check whether a user is allowed to access a URL using the `users` directive -- Check whether a user is allowed to access a URL using the `users` directive
-- of the configuration file -- of the configuration file
@ -247,7 +266,7 @@ function has_access(user, url)
end end
-- Loop through user's ACLs and return if the URL is authorized. -- Loop through user's ACLs and return if the URL is authorized.
for u, _ in pairs(conf["users"][user]) do for u, app in pairs(conf["users"][user]) do
-- Replace the original domain by a local one if you are connected from -- Replace the original domain by a local one if you are connected from
-- a non-global domain name. -- a non-global domain name.
@ -255,7 +274,10 @@ function has_access(user, url)
u = string.gsub(u, conf["original_portal_domain"], conf["local_portal_domain"]) u = string.gsub(u, conf["original_portal_domain"], conf["local_portal_domain"])
end end
if string.starts(url, string.sub(u, 1, -2)) then return true end if string.starts(url, string.sub(u, 1, -2)) then
log_access(user, app)
return true
end
end end
return false return false
end end
@ -307,11 +329,13 @@ function authenticate(user, password)
end end
cache:add(user.."-password", password, conf["session_timeout"]) cache:add(user.."-password", password, conf["session_timeout"])
ngx.log(ngx.NOTICE, "Connected as: "..user) ngx.log(ngx.NOTICE, "Connected as: "..user)
logger.info("AUTHSUCC "..user.."@"..ngx.var.remote_addr)
return user return user
-- Else, the username/email or the password is wrong -- Else, the username/email or the password is wrong
else else
ngx.log(ngx.ERR, "Connection failed for: "..user) ngx.log(ngx.ERR, "Connection failed for: "..user)
logger.info("AUTHFAIL "..user.."@"..ngx.var.remote_addr)
return false return false
end end
end end
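Review bot: The value written by `log("Hash "..authHash.." rejected for "..)` at L44 — and by the matching `log("Hash "..hash.." generated for "..)` at L37 — is the SSOwAuthHash cookie itself, the bearer credential that `return hash == authHash` at L46 accepts, so /var/log/nginx/ssowat.log becomes a store of replayable sessions for anyone who can read it (including any log shipper or fail2ban jail pointed at it). Log the event without the secret, e.g. `log("Session cookie generated for "..user.."@"..ngx.var.remote_addr)` at L37 and `log("Session cookie rejected for "..authUser.."@"..ngx.var.remote_addr)` at L44. On that L44 line `user` is also not a name this hunk defines — the cookie's username is `authUser` (L40) — so unless it is bound earlier in is_logged_in (which starts outside the hunk), a tampered cookie raises "attempt to concatenate a nil value" and the `return false` path becomes a 500 instead of a redirect. Separately, the usernames written at `AUTHSUCC`/`AUTHFAIL` (L82, L87) come straight from the Basic-Auth header, whose `^(.+):(.+)$` capture accepts newlines and control characters, so a crafted username can inject fabricated lines into a file whose format looks intended for fail2ban; strip them before logging, e.g. `user:gsub("[%c]", "?")`.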

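--- /dev/null
+++ b/log.lua
@@ -0,0 +1,91 @@
+--
+-- log.lua
+--
+-- Copyright (c) 2016 rxi
+--
+-- This library is free software; you can redistribute it and/or modify it
+-- under the terms of the MIT license. See LICENSE for details.
+--
+local log = { _version = "0.1.0" }
+log.usecolor = true
+log.outfile = nil
+log.level = "trace"
+local modes = {
+{ name = "trace", color = "\27[34m", },
+{ name = "debug", color = "\27[36m", },
+{ name = "info", color = "\27[32m", },
+{ name = "warn", color = "\27[33m", },
+{ name = "error", color = "\27[31m", },
+{ name = "fatal", color = "\27[35m", },
+}
+local levels = {}
+for i, v in ipairs(modes) do
+levels[v.name] = i
+end
+local round = function(x, increment)
+increment = increment or 1
+x = x / increment
+return (x > 0 and math.floor(x + .5) or math.ceil(x - .5)) * increment
+end
+local _tostring = tostring
+local tostring = function(...)
+local t = {}
+for i = 1, select('#', ...) do
+local x = select(i, ...)
+if type(x) == "number" then
+x = round(x, .01)
+end
+t[#t + 1] = _tostring(x)
+end
+return table.concat(t, " ")
+end
+for i, x in ipairs(modes) do
+local nameupper = x.name:upper()
+log[x.name] = function(...)
+-- Return early if we're below the log level
+if i < levels[log.level] then
+return
+end
+local msg = tostring(...)
+local info = debug.getinfo(2, "Sl")
+-- local lineinfo = info.short_src .. ":" .. info.currentline
+local lineinfo = ""
+-- Output to console
+print(string.format("%s[%-6s%s]%s %s: %s",
+log.usecolor and x.color or "",
+nameupper,
+os.date("%H:%M:%S"),
+log.usecolor and "\27[0m" or "",
+lineinfo,
+msg))
+-- Output to log file
+if log.outfile then
+local fp = io.open(log.outfile, "a")
+local str = string.format("[%-6s%s] %s: %s\n",
+nameupper, os.date(), lineinfo, msg)
+fp:write(str)
+fp:close()
+end
+end
+end
+return log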