From e9a772d6c226c35f6bc34c507853d896c12f2b8f Mon Sep 17 00:00:00 2001 From: HuabingZhao Date: Mon, 7 Aug 2017 08:12:49 +0000 Subject: lua plugin initial commit Change-Id: I45bdc7a56c5b2c46ef9240302804211e1863a381 Issue-Id: AAF-15 Signed-off-by: HuabingZhao --- .gitattributes | 3 + .gitignore | 10 ++ README.md | 8 + pom.xml | 89 +++++++++++ .../nginx/luaext/plugins/auth/handler.lua | 171 +++++++++++++++++++++ 5 files changed, 281 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 README.md create mode 100644 pom.xml create mode 100644 src/assembly/resources/openresty/nginx/luaext/plugins/auth/handler.lua diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..bb0dee2 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,3 @@ +*.java text eol=lf +*.xml text eol=lf +*.sh text eol=lf diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..c6355b1 --- /dev/null +++ b/.gitignore @@ -0,0 +1,10 @@ +.project +.classpath +.settings/ +target/ +.vagrant +/archives/ +*.jar +*.zip +*.tar +*.gz diff --git a/README.md b/README.md new file mode 100644 index 0000000..3719e24 --- /dev/null +++ b/README.md @@ -0,0 +1,8 @@ +aaf-luaplugin +=============== +A lua plugin to integrate AAF with MSB, which provides centralized auth features at the API Gateway. + +## License +The aaf-luaplugin is released under version 2.0 of the [Apache License][]. + +[Apache License]: http://www.apache.org/licenses/LICENSE-2.0 diff --git a/pom.xml b/pom.xml new file mode 100644 index 0000000..5821840 --- /dev/null +++ b/pom.xml @@ -0,0 +1,89 @@ + + + + + org.onap.oparent + oparent + 1.0.0-SNAPSHOT + + 4.0.0 + org.onap.aaf.luaplugin + auth-plugin + 1.0.0-SNAPSHOT + onap/onap/aaf/luaplugin/auth-plugin + pom + + target/assembly + auth-plugin + + + + + maven-resources-plugin + + true + + + + copy-resources + process-resources + + copy-resources + + + ${outputdir} + + + src/assembly/resources/ + false + + **/* + + + + true + + + + + + org.apache.maven.plugins + maven-antrun-plugin + 1.8 + + + attach-artifact + package + + run + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/assembly/resources/openresty/nginx/luaext/plugins/auth/handler.lua b/src/assembly/resources/openresty/nginx/luaext/plugins/auth/handler.lua new file mode 100644 index 0000000..4a54ed6 --- /dev/null +++ b/src/assembly/resources/openresty/nginx/luaext/plugins/auth/handler.lua @@ -0,0 +1,171 @@ +--[[ + + Copyright 2016 ZTE, Inc. and others. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +]] +local _M = {} +_M._VERSION = '1.0.0' +local auth_url = '/openoapi/auth/v1'; +local auth_token_url = auth_url..'/tokens'; +local auth_token_key = "X-Auth-Token"; +local redirect_url = "/openoui/common/login.html" + +local white_list= { + auth_token_url, + redirect_url, + '/openoui/common/css', + '/openoui/common/js', + '/openoui/common/thirdparty', + '/openoui/common/i18n', + '/openoui/common/image', + '/openoui/common/login.html', + '/openoui/common/json' +}; + +local function verify_value(value) + if (nil == value or 0 == #value) + then + return false; + else + return true; + end +end + +--[[checks str2 starts with str1]]-- +local function starts_with(str1, str2) + return string.sub(str2, 1, string.len(str1)) == str1; +end + +-- Check and ignore the request if it is from auth module.-- +local function is_white_list(url) + for i, value in ipairs(white_list) + do + if (starts_with(value, url)) + then + return true; + end + end + return false; +end + +local function set_header(tokens) + for key,value in pairs(tokens) + do + ngx.log (ngx.ERR, "Headers: ", key, value); + ngx.req.set_header(key, value); + end + +end +--[[ validates the token with auth ]]-- +local function validate_token(tokens) + -- auth expects the token in header. + set_header(tokens); + -- call auth token check url to validate. + local res = ngx.location.capture(auth_token_url, { method = ngx.HTTP_HEAD}); + ngx.log (ngx.ERR, "Auth Result:", res.status); + if (nil == res) + then + return false; + end + return (ngx.HTTP_OK == res.status); +end + +--[[ get auth token from cookies ]]-- +local function get_cookies() + local cookie_name = "cookie_"..auth_token_key; + local auth_token = ngx.var[cookie_name]; + local tokens = {}; + -- verify whether its empty or null. + if (verify_value(auth_token)) + then + ngx.log(ngx.ERR, "token : ", auth_token ); + tokens[auth_token_key] = auth_token; + end + return tokens; +end + +local function get_service_url() + -- get host. + local host = ngx.var.host; + --get port + local port = ":"..ngx.var.server_port; + local proto = ""; + --get protocol + if (ngx.var.https == "on") + then + proto = "https://"; + else + proto = "http://"; + end + --get url + local uri = ngx.var.uri; + --form complete service url. + --local complete_url = proto..host..port..url + local complete_url = uri; + local service = "?service=" + --add arguments if any. + if ngx.var.args ~= nil + then + complete_url = complete_url.."?"..ngx.var.args; + end + ngx.log(ngx.ERR, "service url : ", complete_url); + return service..ngx.escape_uri(complete_url); +end + +local function redirect(url) + local service = get_service_url(); + ngx.log(ngx.ERR, "redirect: ", url..service); + ngx.redirect(url..service); +end + +function _M.access() + + ngx.log(ngx.ERR, "==============start check token===============: "); + local url = ngx.var.uri; + ngx.log(ngx.ERR, "Url : ", url); + + -- ignore token validation if auth request. + if (is_white_list(url)) + then + return; + end + + + + -- get auth token from cookies. + local auth_tokens = get_cookies(); + + -- check if auth token is empty, + -- redirect it to login page in that case. + if (nil == next(auth_tokens)) + then + ngx.log(ngx.ERR, "Token Invalidate, redirect to ", redirect_url); + redirect(redirect_url); + return; + end + + -- validate the token with auth module. + -- continue if success, else redirect to login page. + if(validate_token(auth_tokens)) + then + ngx.log(ngx.ERR, "Token Validate."); + return; + else + redirect(redirect_url); + end + ngx.log(ngx.INFO, "running auth plugin") + end + +return _M \ No newline at end of file -- cgit 1.2.3-korg