authorHuabingZhao <zhao.huabing@zte.com.cn>2017-08-07 08:12:49 +0000
committerHuabingZhao <zhao.huabing@zte.com.cn>2017-08-07 18:35:37 +0800
commite9a772d6c226c35f6bc34c507853d896c12f2b8f (patch)
tree34a60526cda6f654c021e04dd9c95920ee8b0c56
parent3479cea0ba0a8650273c730de28df7f995f493c8 (diff)
lua plugin initial commit
Change-Id: I45bdc7a56c5b2c46ef9240302804211e1863a381 Issue-Id: AAF-15 Signed-off-by: HuabingZhao <zhao.huabing@zte.com.cn>
-rw-r--r--.gitattributes3
-rw-r--r--.gitignore10
-rw-r--r--README.md8
-rw-r--r--pom.xml89
-rw-r--r--src/assembly/resources/openresty/nginx/luaext/plugins/auth/handler.lua171
5 files changed, 281 insertions, 0 deletions
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..bb0dee2
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,3 @@
+*.java text eol=lf
+*.xml text eol=lf
+*.sh text eol=lf
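Review bot: The line-ending rules cover `*.java`, `*.xml` and `*.sh`, but the only source file this commit actually adds is `handler.lua`, which none of the patterns match. OpenResty loads the Lua file as-is at runtime, so a CRLF checkout on Windows would ship CRLF into the nginx tree; add `*.lua text eol=lf` alongside the existing three rules.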
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c6355b1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,10 @@
+.project
+.classpath
+.settings/
+target/
+.vagrant
+/archives/
+*.jar
+*.zip
+*.tar
+*.gz
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..3719e24
--- /dev/null
+++ b/README.md
@@ -0,0 +1,8 @@
+aaf-luaplugin
+===============
+A lua plugin to integrate AAF with MSB, which provides centralized auth features at the API Gateway.
+
+## License
+The aaf-luaplugin is released under version 2.0 of the [Apache License][].
+
+[Apache License]: http://www.apache.org/licenses/LICENSE-2.0
diff --git a/pom.xml b/pom.xml
new file mode 100644
index 0000000..5821840
--- /dev/null
+++ b/pom.xml
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ Copyright (C) 2016 ZTE, Inc. and others. All rights reserved. (ZTE)
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+-->
+<project
+ xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <parent>
+ <groupId>org.onap.oparent</groupId>
+ <artifactId>oparent</artifactId>
+ <version>1.0.0-SNAPSHOT</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>org.onap.aaf.luaplugin</groupId>
+ <artifactId>auth-plugin</artifactId>
+ <version>1.0.0-SNAPSHOT</version>
+ <name>onap/onap/aaf/luaplugin/auth-plugin</name>
+ <packaging>pom</packaging>
+ <properties>
+ <outputdir>target/assembly</outputdir>
+ <packageid>auth-plugin</packageid>
+ </properties>
+ <build>
+ <plugins>
+ <plugin>
+ <artifactId>maven-resources-plugin</artifactId>
+ <configuration>
+ <includeEmptyDirs>true</includeEmptyDirs>
+ </configuration>
+ <executions>
+ <execution>
+ <id>copy-resources</id>
+ <phase>process-resources</phase>
+ <goals>
+ <goal>copy-resources</goal>
+ </goals>
+ <configuration>
+ <outputDirectory>${outputdir}</outputDirectory>
+ <resources>
+ <resource>
+ <directory>src/assembly/resources/</directory>
+ <filtering>false</filtering>
+ <includes>
+ <include>**/*</include>
+ </includes>
+ </resource>
+ </resources>
+ <overwrite>true</overwrite>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-antrun-plugin</artifactId>
+ <version>1.8</version>
+ <executions>
+ <execution>
+ <id>attach-artifact</id>
+ <phase>package</phase>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ <configuration>
+ <target name="distribution">
+ <zip destfile="target/${packageid}-${project.version}.zip" update="true" basedir="target/assembly/" includes="**" />
+ <attachartifact file="target/${packageid}-${project.version}.zip" type="zip"/>
+ </target>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+</project> \ No newline at end of file
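Review bot: The `maven-resources-plugin` declaration in the `<plugins>` list carries no `<version>`, while `maven-antrun-plugin` is pinned to 1.8; an unpinned plugin resolves to whatever the current Maven release or the parent supplies, so the packaged zip is not reproducible across build hosts and Maven warns about it at build time. Pin it explicitly (or confirm that `oparent` declares it in `pluginManagement` — that parent is not visible here). Note also that the parent is referenced as `1.0.0-SNAPSHOT`, so every build resolves a mutable artifact from the snapshot repository; that is presumably the ONAP convention at this stage, but it should move to a released parent version before this plugin is consumed by other components.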
diff --git a/src/assembly/resources/openresty/nginx/luaext/plugins/auth/handler.lua b/src/assembly/resources/openresty/nginx/luaext/plugins/auth/handler.lua
new file mode 100644
index 0000000..4a54ed6
--- /dev/null
+++ b/src/assembly/resources/openresty/nginx/luaext/plugins/auth/handler.lua
@@ -0,0 +1,171 @@
+--[[
+
+ Copyright 2016 ZTE, Inc. and others.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+
+]]
+local _M = {}
+_M._VERSION = '1.0.0'
+local auth_url = '/openoapi/auth/v1';
+local auth_token_url = auth_url..'/tokens';
+local auth_token_key = "X-Auth-Token";
+local redirect_url = "/openoui/common/login.html"
+
+local white_list= {
+ auth_token_url,
+ redirect_url,
+ '/openoui/common/css',
+ '/openoui/common/js',
+ '/openoui/common/thirdparty',
+ '/openoui/common/i18n',
+ '/openoui/common/image',
+ '/openoui/common/login.html',
+ '/openoui/common/json'
+};
+
+local function verify_value(value)
+ if (nil == value or 0 == #value)
+ then
+ return false;
+ else
+ return true;
+ end
+end
+
+--[[checks str2 starts with str1]]--
+local function starts_with(str1, str2)
+ return string.sub(str2, 1, string.len(str1)) == str1;
+end
+
+-- Check and ignore the request if it is from auth module.--
+local function is_white_list(url)
+ for i, value in ipairs(white_list)
+ do
+ if (starts_with(value, url))
+ then
+ return true;
+ end
+ end
+ return false;
+end
+
+local function set_header(tokens)
+ for key,value in pairs(tokens)
+ do
+ ngx.log (ngx.ERR, "Headers: ", key, value);
+ ngx.req.set_header(key, value);
+ end
+
+end
+--[[ validates the token with auth ]]--
+local function validate_token(tokens)
+ -- auth expects the token in header.
+ set_header(tokens);
+ -- call auth token check url to validate.
+ local res = ngx.location.capture(auth_token_url, { method = ngx.HTTP_HEAD});
+ ngx.log (ngx.ERR, "Auth Result:", res.status);
+ if (nil == res)
+ then
+ return false;
+ end
+ return (ngx.HTTP_OK == res.status);
+end
+
+--[[ get auth token from cookies ]]--
+local function get_cookies()
+ local cookie_name = "cookie_"..auth_token_key;
+ local auth_token = ngx.var[cookie_name];
+ local tokens = {};
+ -- verify whether its empty or null.
+ if (verify_value(auth_token))
+ then
+ ngx.log(ngx.ERR, "token : ", auth_token );
+ tokens[auth_token_key] = auth_token;
+ end
+ return tokens;
+end
+
+local function get_service_url()
+ -- get host.
+ local host = ngx.var.host;
+ --get port
+ local port = ":"..ngx.var.server_port;
+ local proto = "";
+ --get protocol
+ if (ngx.var.https == "on")
+ then
+ proto = "https://";
+ else
+ proto = "http://";
+ end
+ --get url
+ local uri = ngx.var.uri;
+ --form complete service url.
+ --local complete_url = proto..host..port..url
+ local complete_url = uri;
+ local service = "?service="
+ --add arguments if any.
+ if ngx.var.args ~= nil
+ then
+ complete_url = complete_url.."?"..ngx.var.args;
+ end
+ ngx.log(ngx.ERR, "service url : ", complete_url);
+ return service..ngx.escape_uri(complete_url);
+end
+
+local function redirect(url)
+ local service = get_service_url();
+ ngx.log(ngx.ERR, "redirect: ", url..service);
+ ngx.redirect(url..service);
+end
+
+function _M.access()
+
+ ngx.log(ngx.ERR, "==============start check token===============: ");
+ local url = ngx.var.uri;
+ ngx.log(ngx.ERR, "Url : ", url);
+
+ -- ignore token validation if auth request.
+ if (is_white_list(url))
+ then
+ return;
+ end
+
+
+
+ -- get auth token from cookies.
+ local auth_tokens = get_cookies();
+
+ -- check if auth token is empty,
+ -- redirect it to login page in that case.
+ if (nil == next(auth_tokens))
+ then
+ ngx.log(ngx.ERR, "Token Invalidate, redirect to ", redirect_url);
+ redirect(redirect_url);
+ return;
+ end
+
+ -- validate the token with auth module.
+ -- continue if success, else redirect to login page.
+ if(validate_token(auth_tokens))
+ then
+ ngx.log(ngx.ERR, "Token Validate.");
+ return;
+ else
+ redirect(redirect_url);
+ end
+ ngx.log(ngx.INFO, "running auth plugin")
+ end
+
+return _M \ No newline at end of file
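Review bot: `get_cookies` logs the raw auth token value (`ngx.log(ngx.ERR, "token : ", auth_token)`) and `set_header` logs every header value it sets, so each authenticated request copies the credential into nginx's error log at ERR level, where it is retained and often shipped to log aggregation; log only the header name, e.g. `ngx.log(ngx.DEBUG, "token present in header ", auth_token_key);`. In `validate_token`, `res.status` is read on the line before the `nil == res` guard, so a failed `ngx.location.capture` raises a Lua error (an HTTP 500) instead of returning false — move `if (nil == res) then return false; end` ahead of the log call. `is_white_list` is a bare prefix match, so `/openoui/common/image` also exempts `/openoui/common/imagesXYZ` and `auth_token_url` exempts everything under `/openoapi/auth/v1/tokens/`; unless that is intended, require the match to end at the string end or at a `/`, e.g. `if (url == value or starts_with(value .. "/", url))`. Finally, all routine tracing in this file (`"==============start check token"`, `"Url : "`, `"Auth Result:"`) is emitted at `ngx.ERR`; `ngx.DEBUG` or `ngx.INFO` is the conventional level for per-request tracing so that real failures are not buried.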