portalapi: propagate changes on the new API, decrypt the AES256-encrypted password found in user cookie to be able to construct the basic auth headers

2024-09-03 20:06:27 +02:00 · 2023-07-11 22:41:09 +02:00 · 2023-07-11 22:41:09 +02:00 · ea0bc8a89c
commit ea0bc8a89c
parent d0dba1fd2e
3 changed files with 21 additions and 12 deletions
--- a/access.lua
+++ b/access.lua
@ -126,7 +126,7 @@ if hlp.has_access(permission) then
        -- If Basic Authorization header are enable for this permission,
        -- add it to the response
        if permission["auth_header"] then
-            hlp.set_headers()
+            hlp.set_basic_auth_header()
        end
    end

--- a/config.lua
+++ b/config.lua
@ -20,7 +20,7 @@ function get_cookie_secret()
    local conf_ = json.decode(conf_file:read("*all"))
    conf_file:close()

-    local cookie_secret_path = conf_["cookie_secret_file"]
+    local cookie_secret_path = conf_["cookie_secret_file"] or "/etc/yunohost/.ssowat_cookie_secret"
    local cookie_secret_file = assert(io.open(cookie_secret_path, "r"), "Cookie secret file is missing")
    local cookie_secret = cookie_secret_file:read("*all")
    cookie_secret_file:close()
--- a/helpers.lua
+++ b/helpers.lua
@ -11,7 +11,8 @@ local cache = ngx.shared.cache
 local conf = config.get_config()
 local Logging = require("logging")
 local jwt = require("vendor.luajwtjitsi.luajwtjitsi")
-
+local cipher = require('openssl.cipher')
+local mime = require("mime")

 local appender = function(self, level, message)

@ -120,17 +121,32 @@ function check_authentication()
    if err ~= nil then
        -- FIXME : log an authentication error to be caught by fail2ban ? or should it happen somewhere else ? (check the old code)
        authUser = nil
+        authPasswordEnc = nil
        is_logged_in = false
        return is_logged_in
    end

+    -- cf. src/authenticators/ldap_ynhuser.py in YunoHost to see how the cookie is actually created
    authUser = decoded["user"]
+    authPasswordEnc = decoded["pwd"]
    is_logged_in = true

    -- Gotta update authUser and is_logged_in
    return is_logged_in
 end

+-- Extract the user password from cookie,
+-- needed to create the basic auth header
+function decrypt_user_password()
+    -- authPasswordEnc is actually a string formatted as <password_enc_b64>|<iv_b64>
+    -- For example: ctl8kk5GevYdaA5VZ2S88Q==|yTAzCx0Gd1+MCit4EQl9lA==
+    -- The password is encoded using AES-256-CBC with the IV being the right-side data
+    local password_enc_b64, iv_b64 = authPasswordEnc:match("([^|]+)|([^|]+)")
+    local password_enc = mime.unb64(password_enc_b64)
+    local iv = mime.unb64(iv_b64)
+    return cipher.new('aes-256-cbc'):decrypt(cookie_secret, iv):final(password_enc)
+end
+
 -- Check whether a user is allowed to access a URL using the `permissions` directive
 -- of the configuration file
 function has_access(permission, user)
@ -172,21 +188,14 @@ function element_is_in_table(element, table)
    return false
 end

-
 -- Set the authentication headers in order to pass credentials to the
 -- application underneath.
-function set_headers(user)
+function set_basic_auth_header(user)
    local user = user or authUser
    -- Set `Authorization` header to enable HTTP authentification
    ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
-      user..":"..cache:get(user.."-password")
+      user..":"..decrypt_user_password()
    ))
-
-    -- Set optionnal additional headers (typically to pass email address)
-    for k, v in pairs(conf["additional_headers"]) do
-        ngx.req.set_header(k, cache:get(user.."-"..v))
-    end
-
 end