portal with the new config file

2024-09-03 20:06:27 +02:00 · 2020-03-31 02:20:40 +02:00 · 2020-03-31 02:20:40 +02:00 · d8c74604c0
commit d8c74604c0
parent 0e2bfacabc
2 changed files with 79 additions and 70 deletions
--- a/access.lua
+++ b/access.lua
@ -30,6 +30,8 @@ local logger = require("log")
 ngx.header["X-SSO-WAT"] = "You've just been SSOed"


+local is_logged_in = hlp.is_logged_in()
+
 --
 -- 1. LOGIN
 --
@ -66,7 +68,7 @@ end
 -- If the URL matches the portal URL, serve a portal file or proceed to a
 -- portal operation
 --
-if (ngx.var.host == conf["portal_domain"] or hlp.is_logged_in())
+if (ngx.var.host == conf["portal_domain"] or is_logged_in)
   and hlp.string.starts(ngx.var.uri, string.sub(conf["portal_path"], 1, -2))
 then

@ -95,7 +97,7 @@ then

        -- If the `r` URI argument is set, it means that we want to
        -- be redirected (typically after a login phase)
-        elseif hlp.is_logged_in() and uri_args.r then
+        elseif is_logged_in and uri_args.r then
            -- Decode back url
            back_url = ngx.decode_base64(uri_args.r)

@ -146,7 +148,7 @@ then

        -- In case we want to serve portal login or assets for portal, just
        -- serve it
-        elseif hlp.is_logged_in()
+        elseif is_logged_in
            or ngx.var.uri == conf["portal_path"]
            or (hlp.string.starts(ngx.var.uri, conf["portal_path"].."assets")
               and (not ngx.var.http_referer
@ -238,32 +240,8 @@ if conf["redirected_regex"] then
    end
 end

-
-local longest_protected_match = hlp.longest_url_path(hlp.get_matches("protected")) or ""
-local longest_skipped_match = hlp.longest_url_path(hlp.get_matches("skipped")) or ""
-local longest_unprotected_match = hlp.longest_url_path(hlp.get_matches("unprotected")) or ""
-
-logger.debug("longest skipped "..longest_skipped_match)
-logger.debug("longest unprotected "..longest_unprotected_match)
-logger.debug("longest protected "..longest_protected_match)
-
 --
-- 4. Skipped URLs
--
-- If the URL matches one of the `skipped_urls` in the configuration file,
-- it means that the URL should not be protected by the SSO and no header
-- has to be sent, even if the user is already authenticated.
--
-
-if longest_skipped_match ~= ""
-and string.len(longest_skipped_match) >= string.len(longest_protected_match) 
-and string.len(longest_skipped_match) > string.len(longest_unprotected_match) then
-    logger.debug("Skipping "..ngx.var.uri)
-    return hlp.pass()
-end
-
--
-- 5. Specific files (used in YunoHost)
+-- 4. Specific files (used in YunoHost)
 --
 -- We want to serve specific portal assets right at the root of the domain.
 --
@ -304,42 +282,65 @@ function serveYnhpanel()
    scandir("/usr/share/ssowat/portal/assets/themes/"..conf.theme, serveThemeFile)
 end

--
-- 6. Unprotected URLs
--
-- If the URL matches one of the `unprotected_urls` in the configuration file,
-- it means that the URL should not be protected by the SSO *but* headers have
-- to be sent if the user is already authenticated.
--
-- It means that you can let anyone access to an app, but if a user has already
-- been authenticated on the portal, he can have his authentication headers
-- passed to the app.
--
-
-if longest_unprotected_match ~= ""
-and string.len(longest_unprotected_match) > string.len(longest_protected_match) then
-    if hlp.is_logged_in() then
-        serveYnhpanel()
-
-        hlp.set_headers()
-    end
-    logger.debug(ngx.var.uri.." is in unprotected_urls")
-    return hlp.pass()
-end
-
-if hlp.is_logged_in() then
-    serveYnhpanel()
-
-    -- If user has no access to this URL, redirect him to the portal
-    if not hlp.has_access() then
-        return hlp.redirect(conf.portal_url)
-    end
-
-    -- If the user is authenticated and has access to the URL, set the headers
-    -- and let it be
-    hlp.set_headers()
-    return hlp.pass()
-end
+-- local longest_protected_match = hlp.longest_url_path(hlp.get_matches("protected")) or ""
+-- local longest_skipped_match = hlp.longest_url_path(hlp.get_matches("skipped")) or ""
+-- local longest_unprotected_match = hlp.longest_url_path(hlp.get_matches("unprotected")) or ""
+-- 
+-- logger.debug("longest skipped "..longest_skipped_match)
+-- logger.debug("longest unprotected "..longest_unprotected_match)
+-- logger.debug("longest protected "..longest_protected_match)
+-- 
+-- --
+-- -- 4. Skipped URLs
+-- --
+-- -- If the URL matches one of the `skipped_urls` in the configuration file,
+-- -- it means that the URL should not be protected by the SSO and no header
+-- -- has to be sent, even if the user is already authenticated.
+-- --
+-- 
+-- if longest_skipped_match ~= ""
+-- and string.len(longest_skipped_match) >= string.len(longest_protected_match) 
+-- and string.len(longest_skipped_match) > string.len(longest_unprotected_match) then
+--     logger.debug("Skipping "..ngx.var.uri)
+--     return hlp.pass()
+-- end
+-- 
+-- --
+-- -- 6. Unprotected URLs
+-- --
+-- -- If the URL matches one of the `unprotected_urls` in the configuration file,
+-- -- it means that the URL should not be protected by the SSO *but* headers have
+-- -- to be sent if the user is already authenticated.
+-- --
+-- -- It means that you can let anyone access to an app, but if a user has already
+-- -- been authenticated on the portal, he can have his authentication headers
+-- -- passed to the app.
+-- --
+-- 
+-- if longest_unprotected_match ~= ""
+-- and string.len(longest_unprotected_match) > string.len(longest_protected_match) then
+--     if is_logged_in then
+--         serveYnhpanel()
+-- 
+--         hlp.set_headers()
+--     end
+--     logger.debug(ngx.var.uri.." is in unprotected_urls")
+--     return hlp.pass()
+-- end
+-- 
+-- if is_logged_in then
+--     serveYnhpanel()
+-- 
+--     -- If user has no access to this URL, redirect him to the portal
+--     if not hlp.has_access() then
+--         return hlp.redirect(conf.portal_url)
+--     end
+-- 
+--     -- If the user is authenticated and has access to the URL, set the headers
+--     -- and let it be
+--     hlp.set_headers()
+--     return hlp.pass()
+-- end


 --
--- a/helpers.lua
+++ b/helpers.lua
@ -229,6 +229,8 @@ function is_logged_in()
    local user = ngx.var.cookie_SSOwAuthUser
    local authHash = ngx.var.cookie_SSOwAuthHash

+    authUser = nil
+    
    if expireTime and expireTime ~= ""
    and authHash and authHash ~= ""
    and user and user ~= ""
@ -682,14 +684,20 @@ function get_data_for(view)

        -- Add user's accessible URLs using the ACLs.
        -- It is typically used to build the app list.
-        for url, name in pairs(conf["users"][user]) do
+        for permission_name, permission in pairs(conf["permissions"]) do
+            -- We want to display a tile, and uris is not empty
+            if permission['show_tile'] and next(permission['uris']) ~= nil then
+                url = permission['uris'][1]
+                name = permission['label']

-            if ngx.var.host == conf["local_portal_domain"] then
-                url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"])
+                if ngx.var.host == conf["local_portal_domain"] then
+                    url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"])
+                end
+
+                table.insert(sorted_apps, name)
+                table.sort(sorted_apps)
+                table.insert(data["app"], index_of(sorted_apps, name), { url = url, name = name })
            end
-            table.insert(sorted_apps, name)
-            table.sort(sorted_apps)
-            table.insert(data["app"], index_of(sorted_apps, name), { url = url, name = name })
        end
    end