mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
218 lines
6.6 KiB
Lua
218 lines
6.6 KiB
Lua
--
|
|
-- helpers.lua
|
|
--
|
|
-- This is a file called at every request by the `access.lua` file. It contains
|
|
-- a set of useful functions related to HTTP and LDAP.
|
|
--
|
|
|
|
module('helpers', package.seeall)
|
|
|
|
local conf = config.get_config()
|
|
local Logging = require("logging")
|
|
local jwt = require("vendor.luajwtjitsi.luajwtjitsi")
|
|
local cipher = require('openssl.cipher')
|
|
local mime = require("mime")
|
|
local rex = require("rex_pcre")
|
|
|
|
local appender = function(self, level, message)
|
|
|
|
-- Output to log file
|
|
local fp = io.open(log_file, "a")
|
|
local str = string.format("[%-6s%s] %s\n", level:upper(), os.date(), message)
|
|
fp:write(str)
|
|
fp:close()
|
|
|
|
return true
|
|
end
|
|
|
|
local logger = Logging.new(appender)
|
|
--logger:setLevel(logger.DEBUG) -- FIXME
|
|
|
|
local is_logged_in = false
|
|
|
|
function refresh_config()
|
|
conf = config.get_config()
|
|
end
|
|
|
|
function get_config()
|
|
return conf
|
|
end
|
|
|
|
function element_is_in_table(element, table)
|
|
if table then
|
|
for _, el in pairs(table) do
|
|
if el == element then
|
|
return true
|
|
end
|
|
end
|
|
end
|
|
|
|
return false
|
|
end
|
|
|
|
-- The 'match' function uses PCRE regex as default
|
|
-- If '%.' is found in the regex, we assume it's a LUA regex (legacy code)
|
|
-- 'match' returns the matched text.
|
|
function match(s, regex)
|
|
if not string.find(regex, '%%%.') then
|
|
return rex.match(s, regex)
|
|
else
|
|
return string.match(s,regex)
|
|
end
|
|
end
|
|
|
|
-- Test whether a string starts with another
|
|
function string.starts(String, Start)
|
|
if not String then
|
|
return false
|
|
end
|
|
return string.sub(String, 1, string.len(Start)) == Start
|
|
end
|
|
|
|
|
|
-- Test whether a string ends with another
|
|
function string.ends(String, End)
|
|
return End=='' or string.sub(String, -string.len(End)) == End
|
|
end
|
|
|
|
|
|
-- Convert a table of arguments to an URI string
|
|
function uri_args_string(args)
|
|
if not args then
|
|
args = ngx.req.get_uri_args()
|
|
end
|
|
String = "?"
|
|
for k,v in pairs(args) do
|
|
String = String..tostring(k).."="..tostring(v).."&"
|
|
end
|
|
return string.sub(String, 1, string.len(String) - 1)
|
|
end
|
|
|
|
|
|
-- Validate authentification
|
|
--
|
|
-- Check if the session cookies are set, and rehash server + client information
|
|
-- to match the session hash.
|
|
--
|
|
function check_authentication()
|
|
|
|
local token = ngx.var["cookie_" .. conf["cookie_name"]]
|
|
|
|
decoded, err = jwt.verify(token, "HS256", cookie_secret)
|
|
|
|
if err ~= nil then
|
|
-- FIXME : log an authentication error to be caught by fail2ban ? or should it happen somewhere else ? (check the old code)
|
|
authUser = nil
|
|
authPasswordEnc = nil
|
|
is_logged_in = false
|
|
return is_logged_in
|
|
end
|
|
|
|
-- cf. src/authenticators/ldap_ynhuser.py in YunoHost to see how the cookie is actually created
|
|
authUser = decoded["user"]
|
|
authPasswordEnc = decoded["pwd"]
|
|
is_logged_in = true
|
|
|
|
-- Gotta update authUser and is_logged_in
|
|
return is_logged_in
|
|
end
|
|
|
|
-- Extract the user password from cookie,
|
|
-- needed to create the basic auth header
|
|
function decrypt_user_password()
|
|
-- authPasswordEnc is actually a string formatted as <password_enc_b64>|<iv_b64>
|
|
-- For example: ctl8kk5GevYdaA5VZ2S88Q==|yTAzCx0Gd1+MCit4EQl9lA==
|
|
-- The password is encoded using AES-256-CBC with the IV being the right-side data
|
|
local password_enc_b64, iv_b64 = authPasswordEnc:match("([^|]+)|([^|]+)")
|
|
local password_enc = mime.unb64(password_enc_b64)
|
|
local iv = mime.unb64(iv_b64)
|
|
return cipher.new('aes-256-cbc'):decrypt(cookie_secret, iv):final(password_enc)
|
|
end
|
|
|
|
-- Check whether a user is allowed to access a URL using the `permissions` directive
|
|
-- of the configuration file
|
|
function has_access(permission, user)
|
|
user = user or authUser
|
|
|
|
if permission == nil then
|
|
logger:debug("No permission matching request for "..ngx.var.uri)
|
|
return false
|
|
end
|
|
|
|
-- Public access
|
|
if user == nil or permission["public"] then
|
|
user = user or "A visitor"
|
|
logger:debug(user.." tries to access "..ngx.var.uri.." (corresponding perm: "..permission["id"]..")")
|
|
return permission["public"]
|
|
end
|
|
|
|
logger:debug("User "..user.." tries to access "..ngx.var.uri.." (corresponding perm: "..permission["id"]..")")
|
|
|
|
-- The user has permission to access the content if he is in the list of allowed users
|
|
if element_is_in_table(user, permission["users"]) then
|
|
logger:debug("User "..user.." can access "..ngx.var.host..ngx.var.uri..uri_args_string())
|
|
return true
|
|
else
|
|
logger:debug("User "..user.." cannot access "..ngx.var.uri)
|
|
return false
|
|
end
|
|
end
|
|
|
|
-- Set the authentication headers in order to pass credentials to the
|
|
-- application underneath.
|
|
function set_basic_auth_header(user)
|
|
local user = user or authUser
|
|
-- Set `Authorization` header to enable HTTP authentification
|
|
ngx.req.set_header("Authorization", "Basic "..ngx.encode_base64(
|
|
user..":"..decrypt_user_password()
|
|
))
|
|
end
|
|
|
|
|
|
-- Set cookie and redirect (needed to properly set cookie)
|
|
function redirect(url)
|
|
logger:debug("Redirecting to "..url)
|
|
-- For security reason we don't allow to redirect onto unknown domain
|
|
-- And if `uri_args.r` contains line break, someone is probably trying to
|
|
-- pass some additional headers
|
|
|
|
-- This should cover the following cases:
|
|
-- https://malicious.domain.tld/foo/bar
|
|
-- http://malicious.domain.tld/foo/bar
|
|
-- https://malicious.domain.tld:1234/foo
|
|
-- malicious.domain.tld/foo/bar
|
|
-- (/foo/bar, in which case no need to make sure it's prefixed with https://)
|
|
if not string.starts(url, "/") and not string.starts(url, "http://") and not string.starts(url, "https://") then
|
|
url = "https://"..url
|
|
end
|
|
local is_known_domain = string.starts(url, "/")
|
|
for _, domain in ipairs(conf["domains"]) do
|
|
if is_known_domain then
|
|
break
|
|
end
|
|
-- Replace - character to %- because - is a special char for regex in lua
|
|
domain = string.gsub(domain, "%-","%%-")
|
|
is_known_domain = is_known_domain or url:match("^https?://"..domain.."/?") ~= nil
|
|
end
|
|
if string.match(url, "(.*)\n") or not is_known_domain then
|
|
logger:debug("Unauthorized redirection to "..url)
|
|
url = conf.portal_url
|
|
end
|
|
return ngx.redirect(url)
|
|
end
|
|
|
|
|
|
-- Set cookie and go on with the response (needed to properly set cookie)
|
|
function pass()
|
|
logger:debug("Allowing to pass through "..ngx.var.uri)
|
|
|
|
-- When we are in the SSOwat portal, we need a default `content-type`
|
|
if string.ends(ngx.var.uri, "/")
|
|
or string.ends(ngx.var.uri, ".html")
|
|
or string.ends(ngx.var.uri, ".htm")
|
|
then
|
|
ngx.header["Content-Type"] = "text/html"
|
|
end
|
|
|
|
return
|
|
end
|