portal with the new config file

2024-09-03 20:06:27 +02:00 · 2020-03-31 02:20:40 +02:00 · 2020-03-31 02:20:40 +02:00 · d8c74604c0
commit d8c74604c0
parent 0e2bfacabc
2 changed files with 79 additions and 70 deletions
--- a/access.lua
+++ b/access.lua
@ -30,6 +30,8 @@ local logger = require("log")
 ngx.header["X-SSO-WAT"] = "You've just been SSOed"
 local is_logged_in = hlp.is_logged_in()
 --
 -- 1. LOGIN
 --
@ -66,7 +68,7 @@ end
 -- If the URL matches the portal URL, serve a portal file or proceed to a
 -- portal operation
 --
-if (ngx.var.host == conf["portal_domain"] or hlp.is_logged_in())
+if (ngx.var.host == conf["portal_domain"] or is_logged_in)
   and hlp.string.starts(ngx.var.uri, string.sub(conf["portal_path"], 1, -2))
 then
@ -95,7 +97,7 @@ then
        -- If the `r` URI argument is set, it means that we want to
        -- be redirected (typically after a login phase)
-        elseif hlp.is_logged_in() and uri_args.r then
+        elseif is_logged_in and uri_args.r then
            -- Decode back url
            back_url = ngx.decode_base64(uri_args.r)
@ -146,7 +148,7 @@ then
        -- In case we want to serve portal login or assets for portal, just
        -- serve it
-        elseif hlp.is_logged_in()
+        elseif is_logged_in
            or ngx.var.uri == conf["portal_path"]
            or (hlp.string.starts(ngx.var.uri, conf["portal_path"].."assets")
               and (not ngx.var.http_referer
@ -238,32 +240,8 @@ if conf["redirected_regex"] then
    end
 end
 local longest_protected_match = hlp.longest_url_path(hlp.get_matches("protected")) or ""
 local longest_skipped_match = hlp.longest_url_path(hlp.get_matches("skipped")) or ""
 local longest_unprotected_match = hlp.longest_url_path(hlp.get_matches("unprotected")) or ""
 logger.debug("longest skipped "..longest_skipped_match)
 logger.debug("longest unprotected "..longest_unprotected_match)
 logger.debug("longest protected "..longest_protected_match)
 --
-- 4. Skipped URLs
+-- 4. Specific files (used in YunoHost)
 --
 -- If the URL matches one of the `skipped_urls` in the configuration file,
 -- it means that the URL should not be protected by the SSO and no header
 -- has to be sent, even if the user is already authenticated.
 --
 if longest_skipped_match ~= ""
 and string.len(longest_skipped_match) >= string.len(longest_protected_match) 
 and string.len(longest_skipped_match) > string.len(longest_unprotected_match) then
    logger.debug("Skipping "..ngx.var.uri)
    return hlp.pass()
 end
 --
 -- 5. Specific files (used in YunoHost)
 --
 -- We want to serve specific portal assets right at the root of the domain.
 --
@ -304,42 +282,65 @@ function serveYnhpanel()
    scandir("/usr/share/ssowat/portal/assets/themes/"..conf.theme, serveThemeFile)
 end
 -- local longest_protected_match = hlp.longest_url_path(hlp.get_matches("protected")) or ""
 -- local longest_skipped_match = hlp.longest_url_path(hlp.get_matches("skipped")) or ""
 -- local longest_unprotected_match = hlp.longest_url_path(hlp.get_matches("unprotected")) or ""
 -- 
-- 6. Unprotected URLs
+-- logger.debug("longest skipped "..longest_skipped_match)
 -- logger.debug("longest unprotected "..longest_unprotected_match)
 -- logger.debug("longest protected "..longest_protected_match)
 -- 
-- If the URL matches one of the `unprotected_urls` in the configuration file,
+-- --
-- it means that the URL should not be protected by the SSO *but* headers have
+-- -- 4. Skipped URLs
-- to be sent if the user is already authenticated.
+-- --
 -- -- If the URL matches one of the `skipped_urls` in the configuration file,
 -- -- it means that the URL should not be protected by the SSO and no header
 -- -- has to be sent, even if the user is already authenticated.
 -- --
 -- 
-- It means that you can let anyone access to an app, but if a user has already
+-- if longest_skipped_match ~= ""
-- been authenticated on the portal, he can have his authentication headers
+-- and string.len(longest_skipped_match) >= string.len(longest_protected_match) 
-- passed to the app.
+-- and string.len(longest_skipped_match) > string.len(longest_unprotected_match) then
 --     logger.debug("Skipping "..ngx.var.uri)
 --     return hlp.pass()
 -- end
 -- 
-
+-- --
-if longest_unprotected_match ~= ""
+-- -- 6. Unprotected URLs
-and string.len(longest_unprotected_match) > string.len(longest_protected_match) then
+-- --
-    if hlp.is_logged_in() then
+-- -- If the URL matches one of the `unprotected_urls` in the configuration file,
-        serveYnhpanel()
+-- -- it means that the URL should not be protected by the SSO *but* headers have
-
+-- -- to be sent if the user is already authenticated.
-        hlp.set_headers()
+-- --
-    end
+-- -- It means that you can let anyone access to an app, but if a user has already
-    logger.debug(ngx.var.uri.." is in unprotected_urls")
+-- -- been authenticated on the portal, he can have his authentication headers
-    return hlp.pass()
+-- -- passed to the app.
-end
+-- --
-
+-- 
-if hlp.is_logged_in() then
+-- if longest_unprotected_match ~= ""
-    serveYnhpanel()
+-- and string.len(longest_unprotected_match) > string.len(longest_protected_match) then
-
+--     if is_logged_in then
-    -- If user has no access to this URL, redirect him to the portal
+--         serveYnhpanel()
-    if not hlp.has_access() then
+-- 
-        return hlp.redirect(conf.portal_url)
+--         hlp.set_headers()
-    end
+--     end
-
+--     logger.debug(ngx.var.uri.." is in unprotected_urls")
-    -- If the user is authenticated and has access to the URL, set the headers
+--     return hlp.pass()
-    -- and let it be
+-- end
-    hlp.set_headers()
+-- 
-    return hlp.pass()
+-- if is_logged_in then
-end
+--     serveYnhpanel()
 -- 
 --     -- If user has no access to this URL, redirect him to the portal
 --     if not hlp.has_access() then
 --         return hlp.redirect(conf.portal_url)
 --     end
 -- 
 --     -- If the user is authenticated and has access to the URL, set the headers
 --     -- and let it be
 --     hlp.set_headers()
 --     return hlp.pass()
 -- end
 --
--- a/helpers.lua
+++ b/helpers.lua
@ -229,6 +229,8 @@ function is_logged_in()
    local user = ngx.var.cookie_SSOwAuthUser
    local authHash = ngx.var.cookie_SSOwAuthHash
    authUser = nil
    if expireTime and expireTime ~= ""
    and authHash and authHash ~= ""
    and user and user ~= ""
@ -682,16 +684,22 @@ function get_data_for(view)
        -- Add user's accessible URLs using the ACLs.
        -- It is typically used to build the app list.
-        for url, name in pairs(conf["users"][user]) do
+        for permission_name, permission in pairs(conf["permissions"]) do
            -- We want to display a tile, and uris is not empty
            if permission['show_tile'] and next(permission['uris']) ~= nil then
                url = permission['uris'][1]
                name = permission['label']
                if ngx.var.host == conf["local_portal_domain"] then
                    url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"])
                end
                table.insert(sorted_apps, name)
                table.sort(sorted_apps)
                table.insert(data["app"], index_of(sorted_apps, name), { url = url, name = name })
            end
        end
    end
    -- Pass all the translated strings to the view (to use with t_<key>)
    for k, v in pairs(i18n[conf["default_language"]]) do