Added access log, ignore IP, check acl for basic auth

This commit is contained in:
sidddy 2017-05-12 13:54:39 +02:00 committed by Laurent Peuch
parent 46b6d1048e
commit ad39e3ded5
3 changed files with 124 additions and 4 deletions


@ -372,6 +372,11 @@ if auth_header then
_, _, user, password = string.find(ngx.decode_base64(b64_cred), "^(.+):(.+)$")
user = hlp.authenticate(user, password)
if user then
-- If user has no access to this URL, redirect him to the portal
if not hlp.has_access(user) then
return hlp.redirect(conf.portal_url)
end
hlp.set_headers(user)
-- If user has no access to this URL, redirect him to the portal


@ -9,6 +9,12 @@ module('helpers', package.seeall)
local cache = ngx.shared.cache
local conf = config.get_config()
local logger = require("log")
logger.outfile = "/var/log/nginx/ssowat.log"
function log(...)
logger.info(...)
end
-- Read a FS stored file
function read_file(file)
@ -111,7 +117,7 @@ function set_auth_cookie(user, domain)
cache:add("session_"..user, session_key, conf["session_max_timeout"])
end
local hash = ngx.md5(srvkey..
"|" ..ngx.var.remote_addr..
-- "|" ..ngx.var.remote_addr..
"|"..user..
"|"..expire..
"|"..session_key)
@ -125,6 +131,7 @@ function set_auth_cookie(user, domain)
"SSOwAuthHash="..hash..cookie_str,
"SSOwAuthExpire="..expire..cookie_str
}
log("Hash "..hash.." generated for "..user.."@"..ngx.var.remote_addr)
end
@ -180,10 +187,13 @@ function is_logged_in()
if cache:get(user.."-password") then
authUser = user
local hash = ngx.md5(srvkey..
"|"..ngx.var.remote_addr..
-- "|"..ngx.var.remote_addr..
"|"..authUser..
"|"..expireTime..
"|"..session_key)
if hash ~= authHash then
log("Hash "..authHash.." rejected for "..user.."@"..ngx.var.remote_addr)
end
return hash == authHash
end
end
@ -193,6 +203,15 @@ function is_logged_in()
return false
end
function log_access(user, app)
local key = "ACC|"..user.."|"..app
local block = cache:get(key)
if block == nil then
logger.info("ACC "..app.." by "..user.."@"..ngx.var.remote_addr)
cache:set(key, "block", 60)
end
end
-- Check whether a user is allowed to access a URL using the `users` directive
-- of the configuration file
@ -211,7 +230,7 @@ function has_access(user, url)
end
-- Loop through user's ACLs and return if the URL is authorized.
for u, _ in pairs(conf["users"][user]) do
for u, app in pairs(conf["users"][user]) do
-- Replace the original domain by a local one if you are connected from
-- a non-global domain name.
@ -219,7 +238,10 @@ function has_access(user, url)
u = string.gsub(u, conf["original_portal_domain"], conf["local_portal_domain"])
end
if string.starts(url, string.sub(u, 1, -2)) then return true end
if string.starts(url, string.sub(u, 1, -2)) then
log_access(user, app)
return true
end
end
return false
end
@ -268,11 +290,13 @@ function authenticate(user, password)
if connected then
cache:add(user.."-password", password, conf["session_timeout"])
ngx.log(ngx.NOTICE, "Connected as: "..user)
logger.info("AUTHSUCC "..user.."@"..ngx.var.remote_addr)
return user
-- Else, the username/email or the password is wrong
else
ngx.log(ngx.ERR, "Connection failed for: "..user)
logger.info("AUTHFAIL "..user.."@"..ngx.var.remote_addr)
return false
end
end
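Review bot: The line `log("Hash "..hash.." generated for "..user.."@"..ngx.var.remote_addr)` in the set_auth_cookie hunk writes the freshly generated hash — the value that is then handed to the browser as the SSOwAuthHash cookie — into /var/log/nginx/ssowat.log, and the is_logged_in hunk logs the presented hash on rejection, so anyone able to read that file collects session-authenticating material alongside the user name it belongs to. Drop the value from both messages or keep only a short prefix, e.g. `log("Session hash generated for "..user.."@"..ngx.var.remote_addr)` and `log("Session hash rejected for "..user.."@"..ngx.var.remote_addr)`. The AUTHSUCC/AUTHFAIL lines in the authenticate hunk also write the request-supplied `user` verbatim, so a name containing newlines forges additional log entries. A `local safe_user = (user:gsub("%c", "?"))` before formatting keeps one entry per line without losing the information. set_auth_cookie, is_logged_in and authenticate all begin outside their hunks, so the surrounding error handling is not visible here.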

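--- /dev/null
+++ b/log.lua
@@ -0,0 +1,91 @@
+--
+-- log.lua
+--
+-- Copyright (c) 2016 rxi
+--
+-- This library is free software; you can redistribute it and/or modify it
+-- under the terms of the MIT license. See LICENSE for details.
+--
+local log = { _version = "0.1.0" }
+log.usecolor = true
+log.outfile = nil
+log.level = "trace"
+local modes = {
+{ name = "trace", color = "\27[34m", },
+{ name = "debug", color = "\27[36m", },
+{ name = "info", color = "\27[32m", },
+{ name = "warn", color = "\27[33m", },
+{ name = "error", color = "\27[31m", },
+{ name = "fatal", color = "\27[35m", },
+}
+local levels = {}
+for i, v in ipairs(modes) do
+levels[v.name] = i
+end
+local round = function(x, increment)
+increment = increment or 1
+x = x / increment
+return (x > 0 and math.floor(x + .5) or math.ceil(x - .5)) * increment
+end
+local _tostring = tostring
+local tostring = function(...)
+local t = {}
+for i = 1, select('#', ...) do
+local x = select(i, ...)
+if type(x) == "number" then
+x = round(x, .01)
+end
+t[#t + 1] = _tostring(x)
+end
+return table.concat(t, " ")
+end
+for i, x in ipairs(modes) do
+local nameupper = x.name:upper()
+log[x.name] = function(...)
+-- Return early if we're below the log level
+if i < levels[log.level] then
+return
+end
+local msg = tostring(...)
+local info = debug.getinfo(2, "Sl")
+-- local lineinfo = info.short_src .. ":" .. info.currentline
+local lineinfo = ""
+-- Output to console
+print(string.format("%s[%-6s%s]%s %s: %s",
+log.usecolor and x.color or "",
+nameupper,
+os.date("%H:%M:%S"),
+log.usecolor and "\27[0m" or "",
+lineinfo,
+msg))
+-- Output to log file
+if log.outfile then
+local fp = io.open(log.outfile, "a")
+local str = string.format("[%-6s%s] %s: %s\n",
+nameupper, os.date(), lineinfo, msg)
+fp:write(str)
+fp:close()
+end
+end
+end
+return log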