portalapi: propagate changes on the new API, decrypt the AES256-encrypted password found in user cookie to be able to construct the basic auth headers
This commit is contained in:
parent
d0dba1fd2e
commit
ea0bc8a89c
3 changed files with 21 additions and 12 deletions
|
@ -126,7 +126,7 @@ if hlp.has_access(permission) then
|
||||||
-- If Basic Authorization header are enable for this permission,
|
-- If Basic Authorization header are enable for this permission,
|
||||||
-- add it to the response
|
-- add it to the response
|
||||||
if permission["auth_header"] then
|
if permission["auth_header"] then
|
||||||
hlp.set_headers()
|
hlp.set_basic_auth_header()
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,7 @@ function get_cookie_secret()
|
||||||
local conf_ = json.decode(conf_file:read("*all"))
|
local conf_ = json.decode(conf_file:read("*all"))
|
||||||
conf_file:close()
|
conf_file:close()
|
||||||
|
|
||||||
local cookie_secret_path = conf_["cookie_secret_file"]
|
local cookie_secret_path = conf_["cookie_secret_file"] or "/etc/yunohost/.ssowat_cookie_secret"
|
||||||
local cookie_secret_file = assert(io.open(cookie_secret_path, "r"), "Cookie secret file is missing")
|
local cookie_secret_file = assert(io.open(cookie_secret_path, "r"), "Cookie secret file is missing")
|
||||||
local cookie_secret = cookie_secret_file:read("*all")
|
local cookie_secret = cookie_secret_file:read("*all")
|
||||||
cookie_secret_file:close()
|
cookie_secret_file:close()
|
||||||
|
|
29
helpers.lua
29
helpers.lua
|
@ -11,7 +11,8 @@ local cache = ngx.shared.cache
|
||||||
local conf = config.get_config()
|
local conf = config.get_config()
|
||||||
local Logging = require("logging")
|
local Logging = require("logging")
|
||||||
local jwt = require("vendor.luajwtjitsi.luajwtjitsi")
|
local jwt = require("vendor.luajwtjitsi.luajwtjitsi")
|
||||||
|
local cipher = require('openssl.cipher')
|
||||||
|
local mime = require("mime")
|
||||||
|
|
||||||
local appender = function(self, level, message)
|
local appender = function(self, level, message)
|
||||||
|
|
||||||
|
@ -120,17 +121,32 @@ function check_authentication()
|
||||||
if err ~= nil then
|
if err ~= nil then
|
||||||
-- FIXME : log an authentication error to be caught by fail2ban ? or should it happen somewhere else ? (check the old code)
|
-- FIXME : log an authentication error to be caught by fail2ban ? or should it happen somewhere else ? (check the old code)
|
||||||
authUser = nil
|
authUser = nil
|
||||||
|
authPasswordEnc = nil
|
||||||
is_logged_in = false
|
is_logged_in = false
|
||||||
return is_logged_in
|
return is_logged_in
|
||||||
end
|
end
|
||||||
|
|
||||||
|
-- cf. src/authenticators/ldap_ynhuser.py in YunoHost to see how the cookie is actually created
|
||||||
authUser = decoded["user"]
|
authUser = decoded["user"]
|
||||||
|
authPasswordEnc = decoded["pwd"]
|
||||||
is_logged_in = true
|
is_logged_in = true
|
||||||
|
|
||||||
-- Gotta update authUser and is_logged_in
|
-- Gotta update authUser and is_logged_in
|
||||||
return is_logged_in
|
return is_logged_in
|
||||||
end
|
end
|
||||||
|
|
||||||
|
-- Extract the user password from cookie,
|
||||||
|
-- needed to create the basic auth header
|
||||||
|
function decrypt_user_password()
|
||||||
|
-- authPasswordEnc is actually a string formatted as <password_enc_b64>|<iv_b64>
|
||||||
|
-- For example: ctl8kk5GevYdaA5VZ2S88Q==|yTAzCx0Gd1+MCit4EQl9lA==
|
||||||
|
-- The password is encoded using AES-256-CBC with the IV being the right-side data
|
||||||
|
local password_enc_b64, iv_b64 = authPasswordEnc:match("([^|]+)|([^|]+)")
|
||||||
|
local password_enc = mime.unb64(password_enc_b64)
|
||||||
|
local iv = mime.unb64(iv_b64)
|
||||||
|
return cipher.new('aes-256-cbc'):decrypt(cookie_secret, iv):final(password_enc)
|
||||||
|
end
|
||||||
|
|
||||||
-- Check whether a user is allowed to access a URL using the `permissions` directive
|
-- Check whether a user is allowed to access a URL using the `permissions` directive
|
||||||
-- of the configuration file
|
-- of the configuration file
|
||||||
function has_access(permission, user)
|
function has_access(permission, user)
|
||||||
|
@ -172,21 +188,14 @@ function element_is_in_table(element, table)
|
||||||
return false
|
return false
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
-- Set the authentication headers in order to pass credentials to the
|
-- Set the authentication headers in order to pass credentials to the
|
||||||
-- application underneath.
|
-- application underneath.
|
||||||
function set_headers(user)
|
function set_basic_auth_header(user)
|
||||||
local user = user or authUser
|
local user = user or authUser
|
||||||
-- Set `Authorization` header to enable HTTP authentification
|
-- Set `Authorization` header to enable HTTP authentification
|
||||||
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
|
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
|
||||||
user..":"..cache:get(user.."-password")
|
user..":"..decrypt_user_password()
|
||||||
))
|
))
|
||||||
|
|
||||||
-- Set optionnal additional headers (typically to pass email address)
|
|
||||||
for k, v in pairs(conf["additional_headers"]) do
|
|
||||||
ngx.req.set_header(k, cache:get(user.."-"..v))
|
|
||||||
end
|
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
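Review bot: decrypt_user_password (the hunk starting at `@ -120,17 +121,32 @@`) raises a Lua error instead of failing closed when the cookie payload is malformed: `authPasswordEnc:match("([^|]+)|([^|]+)")` on a decoded token without a `pwd` claim, or on a `pwd` value lacking the `|` separator, yields nil, and the following `mime.unb64`/`:final` calls then throw, so a bad or tampered cookie becomes an unhandled error inside the request path of set_basic_auth_header rather than a denied request. The same presumably happens when `cookie_secret` (not declared in this hunk; it looks like the value read by get_cookie_secret) is not a valid AES-256 key, e.g. because of a trailing newline, if the openssl binding raises on a bad key or padding as luaossl does. Anchor the pattern, check the match, and wrap the decryption in pcall so the function returns nil on any failure, and make the caller at `user..":"..decrypt_user_password()` skip setting the Authorization header when it receives nil instead of concatenating it. The function definition is fully within the hunk; the caller's surrounding function is in the last hunk of this file.
```lua
function decrypt_user_password()
    -- authPasswordEnc is actually a string formatted as <password_enc_b64>|<iv_b64>
    -- A missing or malformed value must yield nil, never a Lua error
    if type(authPasswordEnc) ~= "string" then
        return nil
    end
    local password_enc_b64, iv_b64 = authPasswordEnc:match("^([^|]+)|([^|]+)$")
    if not password_enc_b64 then
        return nil
    end
    local password_enc = mime.unb64(password_enc_b64)
    local iv = mime.unb64(iv_b64)
    -- Wrong key, IV or padding makes the cipher call raise; fail closed instead
    local ok, password = pcall(function()
        return cipher.new('aes-256-cbc'):decrypt(cookie_secret, iv):final(password_enc)
    end)
    if not ok then
        return nil
    end
    return password
end
```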