portal with the new config file

2024-09-03 20:06:27 +02:00 · 2020-03-31 02:20:40 +02:00 · 2020-03-31 02:20:40 +02:00 · d8c74604c0
commit d8c74604c0
parent 0e2bfacabc
2 changed files with 79 additions and 70 deletions
--- a/access.lua
+++ b/access.lua
@ -30,6 +30,8 @@ local logger = require("log")
 ngx.header["X-SSO-WAT"] = "You've just been SSOed"
 local is_logged_in = hlp.is_logged_in()
 --
 -- 1. LOGIN
 --
@ -66,7 +68,7 @@ end
 -- If the URL matches the portal URL, serve a portal file or proceed to a
 -- portal operation
 --
-if (ngx.var.host == conf["portal_domain"] or hlp.is_logged_in())
+if (ngx.var.host == conf["portal_domain"] or is_logged_in)
   and hlp.string.starts(ngx.var.uri, string.sub(conf["portal_path"], 1, -2))
 then
@ -95,7 +97,7 @@ then
        -- If the `r` URI argument is set, it means that we want to
        -- be redirected (typically after a login phase)
-        elseif hlp.is_logged_in() and uri_args.r then
+        elseif is_logged_in and uri_args.r then
            -- Decode back url
            back_url = ngx.decode_base64(uri_args.r)
@ -146,7 +148,7 @@ then
        -- In case we want to serve portal login or assets for portal, just
        -- serve it
-        elseif hlp.is_logged_in()
+        elseif is_logged_in
            or ngx.var.uri == conf["portal_path"]
            or (hlp.string.starts(ngx.var.uri, conf["portal_path"].."assets")
               and (not ngx.var.http_referer
@ -238,32 +240,8 @@ if conf["redirected_regex"] then
    end
 end
 local longest_protected_match = hlp.longest_url_path(hlp.get_matches("protected")) or ""
 local longest_skipped_match = hlp.longest_url_path(hlp.get_matches("skipped")) or ""
 local longest_unprotected_match = hlp.longest_url_path(hlp.get_matches("unprotected")) or ""
 logger.debug("longest skipped "..longest_skipped_match)
 logger.debug("longest unprotected "..longest_unprotected_match)
 logger.debug("longest protected "..longest_protected_match)
 --
-- 4. Skipped URLs
+-- 4. Specific files (used in YunoHost)
 --
 -- If the URL matches one of the `skipped_urls` in the configuration file,
 -- it means that the URL should not be protected by the SSO and no header
 -- has to be sent, even if the user is already authenticated.
 --
 if longest_skipped_match ~= ""
 and string.len(longest_skipped_match) >= string.len(longest_protected_match) 
 and string.len(longest_skipped_match) > string.len(longest_unprotected_match) then
    logger.debug("Skipping "..ngx.var.uri)
    return hlp.pass()
 end
 --
 -- 5. Specific files (used in YunoHost)
 --
 -- We want to serve specific portal assets right at the root of the domain.
 --
@ -304,42 +282,65 @@ function serveYnhpanel()
    scandir("/usr/share/ssowat/portal/assets/themes/"..conf.theme, serveThemeFile)
 end
--
+-- local longest_protected_match = hlp.longest_url_path(hlp.get_matches("protected")) or ""
-- 6. Unprotected URLs
+-- local longest_skipped_match = hlp.longest_url_path(hlp.get_matches("skipped")) or ""
--
+-- local longest_unprotected_match = hlp.longest_url_path(hlp.get_matches("unprotected")) or ""
-- If the URL matches one of the `unprotected_urls` in the configuration file,
+-- 
-- it means that the URL should not be protected by the SSO *but* headers have
+-- logger.debug("longest skipped "..longest_skipped_match)
-- to be sent if the user is already authenticated.
+-- logger.debug("longest unprotected "..longest_unprotected_match)
--
+-- logger.debug("longest protected "..longest_protected_match)
-- It means that you can let anyone access to an app, but if a user has already
+-- 
-- been authenticated on the portal, he can have his authentication headers
+-- --
-- passed to the app.
+-- -- 4. Skipped URLs
--
+-- --
-
+-- -- If the URL matches one of the `skipped_urls` in the configuration file,
-if longest_unprotected_match ~= ""
+-- -- it means that the URL should not be protected by the SSO and no header
-and string.len(longest_unprotected_match) > string.len(longest_protected_match) then
+-- -- has to be sent, even if the user is already authenticated.
-    if hlp.is_logged_in() then
+-- --
-        serveYnhpanel()
+-- 
-
+-- if longest_skipped_match ~= ""
-        hlp.set_headers()
+-- and string.len(longest_skipped_match) >= string.len(longest_protected_match) 
-    end
+-- and string.len(longest_skipped_match) > string.len(longest_unprotected_match) then
-    logger.debug(ngx.var.uri.." is in unprotected_urls")
+--     logger.debug("Skipping "..ngx.var.uri)
-    return hlp.pass()
+--     return hlp.pass()
-end
+-- end
-
+-- 
-if hlp.is_logged_in() then
+-- --
-    serveYnhpanel()
+-- -- 6. Unprotected URLs
-
+-- --
-    -- If user has no access to this URL, redirect him to the portal
+-- -- If the URL matches one of the `unprotected_urls` in the configuration file,
-    if not hlp.has_access() then
+-- -- it means that the URL should not be protected by the SSO *but* headers have
-        return hlp.redirect(conf.portal_url)
+-- -- to be sent if the user is already authenticated.
-    end
+-- --
-
+-- -- It means that you can let anyone access to an app, but if a user has already
-    -- If the user is authenticated and has access to the URL, set the headers
+-- -- been authenticated on the portal, he can have his authentication headers
-    -- and let it be
+-- -- passed to the app.
-    hlp.set_headers()
+-- --
-    return hlp.pass()
+-- 
-end
+-- if longest_unprotected_match ~= ""
 -- and string.len(longest_unprotected_match) > string.len(longest_protected_match) then
 --     if is_logged_in then
 --         serveYnhpanel()
 -- 
 --         hlp.set_headers()
 --     end
 --     logger.debug(ngx.var.uri.." is in unprotected_urls")
 --     return hlp.pass()
 -- end
 -- 
 -- if is_logged_in then
 --     serveYnhpanel()
 -- 
 --     -- If user has no access to this URL, redirect him to the portal
 --     if not hlp.has_access() then
 --         return hlp.redirect(conf.portal_url)
 --     end
 -- 
 --     -- If the user is authenticated and has access to the URL, set the headers
 --     -- and let it be
 --     hlp.set_headers()
 --     return hlp.pass()
 -- end
 --
--- a/helpers.lua
+++ b/helpers.lua
@ -229,6 +229,8 @@ function is_logged_in()
    local user = ngx.var.cookie_SSOwAuthUser
    local authHash = ngx.var.cookie_SSOwAuthHash
    authUser = nil
    if expireTime and expireTime ~= ""
    and authHash and authHash ~= ""
    and user and user ~= ""
@ -682,14 +684,20 @@ function get_data_for(view)
        -- Add user's accessible URLs using the ACLs.
        -- It is typically used to build the app list.
-        for url, name in pairs(conf["users"][user]) do
+        for permission_name, permission in pairs(conf["permissions"]) do
            -- We want to display a tile, and uris is not empty
            if permission['show_tile'] and next(permission['uris']) ~= nil then
                url = permission['uris'][1]
                name = permission['label']
-            if ngx.var.host == conf["local_portal_domain"] then
+                if ngx.var.host == conf["local_portal_domain"] then
-                url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"])
+                    url = string.gsub(url, conf["original_portal_domain"], conf["local_portal_domain"])
                end
                table.insert(sorted_apps, name)
                table.sort(sorted_apps)
                table.insert(data["app"], index_of(sorted_apps, name), { url = url, name = name })
            end
            table.insert(sorted_apps, name)
            table.sort(sorted_apps)
            table.insert(data["app"], index_of(sorted_apps, name), { url = url, name = name })
        end
    end