Added access log, ignore IP, check acl for basic auth
This commit is contained in:
parent
46b6d1048e
commit
ad39e3ded5
3 changed files with 124 additions and 4 deletions
|
@ -372,6 +372,11 @@ if auth_header then
|
|||
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
|
||||
user = hlp.authenticate(user, password)
|
||||
if user then
|
||||
-- If user has no access to this URL, redirect him to the portal
|
||||
if not hlp.has_access(user) then
|
||||
return hlp.redirect(conf.portal_url)
|
||||
end
|
||||
|
||||
hlp.set_headers(user)
|
||||
|
||||
-- If user has no access to this URL, redirect him to the portal
|
||||
|
|
32
helpers.lua
32
helpers.lua
|
@ -9,6 +9,12 @@ module('helpers', package.seeall)
|
|||
|
||||
local cache = ngx.shared.cache
|
||||
local conf = config.get_config()
|
||||
local logger = require("log")
|
||||
logger.outfile = "/var/log/nginx/ssowat.log"
|
||||
|
||||
function log(...)
|
||||
logger.info(...)
|
||||
end
|
||||
|
||||
-- Read a FS stored file
|
||||
function read_file(file)
|
||||
|
@ -111,7 +117,7 @@ function set_auth_cookie(user, domain)
|
|||
cache:add("session_"..user, session_key, conf["session_max_timeout"])
|
||||
end
|
||||
local hash = ngx.md5(srvkey..
|
||||
"|" ..ngx.var.remote_addr..
|
||||
-- "|" ..ngx.var.remote_addr..
|
||||
"|"..user..
|
||||
"|"..expire..
|
||||
"|"..session_key)
|
||||
|
@ -125,6 +131,7 @@ function set_auth_cookie(user, domain)
|
|||
"SSOwAuthHash="..hash..cookie_str,
|
||||
"SSOwAuthExpire="..expire..cookie_str
|
||||
}
|
||||
log("Hash "..hash.." generated for "..user.."@"..ngx.var.remote_addr)
|
||||
end
|
||||
|
||||
|
||||
|
@ -180,10 +187,13 @@ function is_logged_in()
|
|||
if cache:get(user.."-password") then
|
||||
authUser = user
|
||||
local hash = ngx.md5(srvkey..
|
||||
"|"..ngx.var.remote_addr..
|
||||
-- "|"..ngx.var.remote_addr..
|
||||
"|"..authUser..
|
||||
"|"..expireTime..
|
||||
"|"..session_key)
|
||||
if hash ~= authHash then
|
||||
log("Hash "..authHash.." rejected for "..user.."@"..ngx.var.remote_addr)
|
||||
end
|
||||
return hash == authHash
|
||||
end
|
||||
end
|
||||
|
@ -193,6 +203,15 @@ function is_logged_in()
|
|||
return false
|
||||
end
|
||||
|
||||
function log_access(user, app)
|
||||
local key = "ACC|"..user.."|"..app
|
||||
local block = cache:get(key)
|
||||
if block == nil then
|
||||
logger.info("ACC "..app.." by "..user.."@"..ngx.var.remote_addr)
|
||||
cache:set(key, "block", 60)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
-- Check whether a user is allowed to access a URL using the `users` directive
|
||||
-- of the configuration file
|
||||
|
@ -211,7 +230,7 @@ function has_access(user, url)
|
|||
end
|
||||
|
||||
-- Loop through user's ACLs and return if the URL is authorized.
|
||||
for u, _ in pairs(conf["users"][user]) do
|
||||
for u, app in pairs(conf["users"][user]) do
|
||||
|
||||
-- Replace the original domain by a local one if you are connected from
|
||||
-- a non-global domain name.
|
||||
|
@ -219,7 +238,10 @@ function has_access(user, url)
|
|||
u = string.gsub(u, conf["original_portal_domain"], conf["local_portal_domain"])
|
||||
end
|
||||
|
||||
if string.starts(url, string.sub(u, 1, -2)) then return true end
|
||||
if string.starts(url, string.sub(u, 1, -2)) then
|
||||
log_access(user, app)
|
||||
return true
|
||||
end
|
||||
end
|
||||
return false
|
||||
end
|
||||
|
@ -268,11 +290,13 @@ function authenticate(user, password)
|
|||
if connected then
|
||||
cache:add(user.."-password", password, conf["session_timeout"])
|
||||
ngx.log(ngx.NOTICE, "Connected as: "..user)
|
||||
logger.info("AUTHSUCC "..user.."@"..ngx.var.remote_addr)
|
||||
return user
|
||||
|
||||
-- Else, the username/email or the password is wrong
|
||||
else
|
||||
ngx.log(ngx.ERR, "Connection failed for: "..user)
|
||||
logger.info("AUTHFAIL "..user.."@"..ngx.var.remote_addr)
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
|
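Review bot: The log line added at the end of set_auth_cookie, `log("Hash "..hash.." generated for "..user.."@"..ngx.var.remote_addr)`, writes the freshly minted session hash into /var/log/nginx/ssowat.log; that value is exactly what is sent to the client as the `SSOwAuthHash` cookie two lines above and what is_logged_in compares with `return hash == authHash`, so anyone who can read the log file obtains a replayable session credential next to the user name it belongs to (the `SSOwAuthExpire` cookie value is just a timestamp, and this commit also drops the client IP from the hash, so nothing else protects it). Log the event without the secret, e.g. `log("Auth cookie generated for "..user.."@"..ngx.var.remote_addr)`; the rejected-hash line in is_logged_in is less sensitive but could be trimmed the same way. Separately, the AUTHSUCC/AUTHFAIL and ACC lines interpolate the client-supplied user name verbatim, so a name containing a newline lets a client forge log records; consider stripping control characters first, e.g. `user:gsub("%c", "?")`. set_auth_cookie, is_logged_in, has_access and authenticate all begin outside their hunks.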
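--- /dev/null
+++ b/log.lua
@@ -0,0 +1,91 @@
+--
+-- log.lua
+--
+-- Copyright (c) 2016 rxi
+--
+-- This library is free software; you can redistribute it and/or modify it
+-- under the terms of the MIT license. See LICENSE for details.
+--
+
+local log = { _version = "0.1.0" }
+
+log.usecolor = true
+log.outfile = nil
+log.level = "trace"
+
+
+local modes = {
+{ name = "trace", color = "\27[34m", },
+{ name = "debug", color = "\27[36m", },
+{ name = "info", color = "\27[32m", },
+{ name = "warn", color = "\27[33m", },
+{ name = "error", color = "\27[31m", },
+{ name = "fatal", color = "\27[35m", },
+}
+
+
+local levels = {}
+for i, v in ipairs(modes) do
+levels[v.name] = i
+end
+
+
+local round = function(x, increment)
+increment = increment or 1
+x = x / increment
+return (x > 0 and math.floor(x + .5) or math.ceil(x - .5)) * increment
+end
+
+
+local _tostring = tostring
+
+local tostring = function(...)
+local t = {}
+for i = 1, select('#', ...) do
+local x = select(i, ...)
+if type(x) == "number" then
+x = round(x, .01)
+end
+t[#t + 1] = _tostring(x)
+end
+return table.concat(t, " ")
+end
+
+
+for i, x in ipairs(modes) do
+local nameupper = x.name:upper()
+log[x.name] = function(...)
+
+-- Return early if we're below the log level
+if i < levels[log.level] then
+return
+end
+
+local msg = tostring(...)
+local info = debug.getinfo(2, "Sl")
+-- local lineinfo = info.short_src .. ":" .. info.currentline
+local lineinfo = ""
+
+-- Output to console
+print(string.format("%s[%-6s%s]%s %s: %s",
+log.usecolor and x.color or "",
+nameupper,
+os.date("%H:%M:%S"),
+log.usecolor and "\27[0m" or "",
+lineinfo,
+msg))
+
+-- Output to log file
+if log.outfile then
+local fp = io.open(log.outfile, "a")
+local str = string.format("[%-6s%s] %s: %s\n",
+nameupper, os.date(), lineinfo, msg)
+fp:write(str)
+fp:close()
+end
+
+end
+end
+
+
+return log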
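Review bot: `local fp = io.open(log.outfile, "a")` in the per-level writer never checks for failure, so when the configured outfile cannot be opened (missing directory, or a file the nginx worker cannot append to) the next line `fp:write(str)` raises "attempt to index a nil value"; since this logger is now invoked from the cookie-issuing and authenticate paths, a permissions problem on the log file would abort the request instead of just losing a log line. Guard the handle: `local fp = io.open(log.outfile, "a")` / `if fp then fp:write(str) fp:close() end`, optionally falling back to ngx.log when it is nil. Two smaller points in the same function: `local info = debug.getinfo(2, "Sl")` is evaluated on every call but unused now that lineinfo is hard-coded to `""`, and the console branch keeps `log.usecolor = true`, which under ngx_lua (where print is routed to the error log) puts ANSI escape sequences into nginx's error log — the embedding code only sets outfile, so either flip that default here or have the caller set `logger.usecolor = false`.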