From d8c74604c0a5918c57a00a94b0214fcc327d5611 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Tue, 31 Mar 2020 02:20:40 +0200 Subject: [PATCH] portal with the new config file --- access.lua | 129 ++++++++++++++++++++++++++-------------------------- helpers.lua | 20 +++++--- 2 files changed, 79 insertions(+), 70 deletions(-) diff --git a/access.lua b/access.lua index 2616c3a..4ca0f4a 100644 --- a/access.lua +++ b/access.lua @@ -30,6 +30,8 @@ local logger = require("log") ngx.header["X-SSO-WAT"] = "You've just been SSOed" +local is_logged_in = hlp.is_logged_in() + -- -- 1. LOGIN -- @@ -66,7 +68,7 @@ end -- If the URL matches the portal URL, serve a portal file or proceed to a -- portal operation -- -if (ngx.var.host == conf["portal_domain"] or hlp.is_logged_in()) +if (ngx.var.host == conf["portal_domain"] or is_logged_in) and hlp.string.starts(ngx.var.uri, string.sub(conf["portal_path"], 1, -2)) then @@ -95,7 +97,7 @@ then -- If the `r` URI argument is set, it means that we want to -- be redirected (typically after a login phase) - elseif hlp.is_logged_in() and uri_args.r then + elseif is_logged_in and uri_args.r then -- Decode back url back_url = ngx.decode_base64(uri_args.r) @@ -146,7 +148,7 @@ then -- In case we want to serve portal login or assets for portal, just -- serve it - elseif hlp.is_logged_in() + elseif is_logged_in or ngx.var.uri == conf["portal_path"] or (hlp.string.starts(ngx.var.uri, conf["portal_path"].."assets") and (not ngx.var.http_referer @@ -238,32 +240,8 @@ if conf["redirected_regex"] then end end - -local longest_protected_match = hlp.longest_url_path(hlp.get_matches("protected")) or "" -local longest_skipped_match = hlp.longest_url_path(hlp.get_matches("skipped")) or "" -local longest_unprotected_match = hlp.longest_url_path(hlp.get_matches("unprotected")) or "" - -logger.debug("longest skipped "..longest_skipped_match) -logger.debug("longest unprotected "..longest_unprotected_match) -logger.debug("longest protected "..longest_protected_match) - -- --- 4. Skipped URLs --- --- If the URL matches one of the `skipped_urls` in the configuration file, --- it means that the URL should not be protected by the SSO and no header --- has to be sent, even if the user is already authenticated. --- - -if longest_skipped_match ~= "" -and string.len(longest_skipped_match) >= string.len(longest_protected_match) -and string.len(longest_skipped_match) > string.len(longest_unprotected_match) then - logger.debug("Skipping "..ngx.var.uri) - return hlp.pass() -end - --- --- 5. Specific files (used in YunoHost) +-- 4. Specific files (used in YunoHost) -- -- We want to serve specific portal assets right at the root of the domain. -- @@ -304,42 +282,65 @@ function serveYnhpanel() scandir("/usr/share/ssowat/portal/assets/themes/"..conf.theme, serveThemeFile) end --- --- 6. Unprotected URLs --- --- If the URL matches one of the `unprotected_urls` in the configuration file, --- it means that the URL should not be protected by the SSO *but* headers have --- to be sent if the user is already authenticated. --- --- It means that you can let anyone access to an app, but if a user has already --- been authenticated on the portal, he can have his authentication headers --- passed to the app. --- - -if longest_unprotected_match ~= "" -and string.len(longest_unprotected_match) > string.len(longest_protected_match) then - if hlp.is_logged_in() then - serveYnhpanel() - - hlp.set_headers() - end - logger.debug(ngx.var.uri.." is in unprotected_urls") - return hlp.pass() -end - -if hlp.is_logged_in() then - serveYnhpanel() - - -- If user has no access to this URL, redirect him to the portal - if not hlp.has_access() then - return hlp.redirect(conf.portal_url) - end - - -- If the user is authenticated and has access to the URL, set the headers - -- and let it be - hlp.set_headers() - return hlp.pass() -end +-- local longest_protected_match = hlp.longest_url_path(hlp.get_matches("protected")) or "" +-- local longest_skipped_match = hlp.longest_url_path(hlp.get_matches("skipped")) or "" +-- local longest_unprotected_match = hlp.longest_url_path(hlp.get_matches("unprotected")) or "" +-- +-- logger.debug("longest skipped "..longest_skipped_match) +-- logger.debug("longest unprotected "..longest_unprotected_match) +-- logger.debug("longest protected "..longest_protected_match) +-- +-- -- +-- -- 4. Skipped URLs +-- -- +-- -- If the URL matches one of the `skipped_urls` in the configuration file, +-- -- it means that the URL should not be protected by the SSO and no header +-- -- has to be sent, even if the user is already authenticated. +-- -- +-- +-- if longest_skipped_match ~= "" +-- and string.len(longest_skipped_match) >= string.len(longest_protected_match) +-- and string.len(longest_skipped_match) > string.len(longest_unprotected_match) then +-- logger.debug("Skipping "..ngx.var.uri) +-- return hlp.pass() +-- end +-- +-- -- +-- -- 6. Unprotected URLs +-- -- +-- -- If the URL matches one of the `unprotected_urls` in the configuration file, +-- -- it means that the URL should not be protected by the SSO *but* headers have +-- -- to be sent if the user is already authenticated. +-- -- +-- -- It means that you can let anyone access to an app, but if a user has already +-- -- been authenticated on the portal, he can have his authentication headers +-- -- passed to the app. +-- -- +-- +-- if longest_unprotected_match ~= "" +-- and string.len(longest_unprotected_match) > string.len(longest_protected_match) then +-- if is_logged_in then +-- serveYnhpanel() +-- +-- hlp.set_headers() +-- end +-- logger.debug(ngx.var.uri.." is in unprotected_urls") +-- return hlp.pass() +-- end +-- +-- if is_logged_in then +-- serveYnhpanel() +-- +-- -- If user has no access to this URL, redirect him to the portal +-- if not hlp.has_access() then +-- return hlp.redirect(conf.portal_url) +-- end +-- +-- -- If the user is authenticated and has access to the URL, set the headers +-- -- and let it be +-- hlp.set_headers() +-- return hlp.pass() +-- end -- diff --git a/helpers.lua b/helpers.lua index 4ca3b1a..a32f81d 100644 --- a/helpers.lua +++ b/helpers.lua @@ -229,6 +229,8 @@ function is_logged_in() local user = ngx.var.cookie_SSOwAuthUser local authHash = ngx.var.cookie_SSOwAuthHash + authUser = nil + if expireTime and expireTime ~= "" and authHash and authHash ~= "" and user and user ~= "" @@ -682,14 +684,20 @@ function get_data_for(view) -- Add user's accessible URLs using the ACLs. -- It is typically used to build the app list. - for url, name in pairs(conf["users"][user]) do + for permission_name, permission in pairs(conf["permissions"]) do + -- We want to display a tile, and uris is not empty + if permission['show_tile'] and next(permission['uris']) ~= nil then + url = permission['uris'][1] + name = permission['label'] - if ngx.var.host == conf["local_portal_domain"] then - url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"]) + if ngx.var.host == conf["local_portal_domain"] then + url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"]) + end + + table.insert(sorted_apps, name) + table.sort(sorted_apps) + table.insert(data["app"], index_of(sorted_apps, name), { url = url, name = name }) end - table.insert(sorted_apps, name) - table.sort(sorted_apps) - table.insert(data["app"], index_of(sorted_apps, name), { url = url, name = name }) end end