--[[
Copyright 2016 ZTE, Inc. and others.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
]]
-- Module table; returned to the caller at the end of the file.
local _M = {}
_M._VERSION = '1.0.0'
-- Base path of the auth service and the token endpoint beneath it.
local auth_url = '/openoapi/auth/v1';
local auth_token_url = auth_url..'/tokens';
-- Name of the header that carries the token; prefixed with "cookie_" it is
-- also the nginx variable the token is read from.
local auth_token_key = "X-Auth-Token";
-- Login page that requests without a valid token are redirected to.
local redirect_url = "/openoui/common/login.html"
-- URI prefixes that bypass token validation completely.
-- NOTE(review): entries are matched as plain string prefixes, with no
-- path-segment boundary, so '/openoui/common/json' also exempts
-- '/openoui/common/jsonX'. Every entry is therefore an unauthenticated
-- surface; keep the list minimal and confirm nothing sensitive is served
-- under these prefixes. '/openoui/common/login.html' repeats redirect_url.
local white_list= {
auth_token_url,
redirect_url,
'/openoui/common/css',
'/openoui/common/js',
'/openoui/common/thirdparty',
'/openoui/common/i18n',
'/openoui/common/image',
'/openoui/common/login.html',
'/openoui/common/json'
};
--- Tell whether a value is present and non-empty.
-- @param value value to inspect (a string here); may be nil
-- @return boolean false when value is nil or has length 0, true otherwise
local function verify_value(value)
  local is_missing = (value == nil) or (#value == 0)
  return not is_missing
end
--- Check whether str2 begins with str1.
-- The comparison is a byte-wise prefix test; it knows nothing about URL
-- path segments.
-- @param str1 the prefix to look for
-- @param str2 the string being examined
-- @return boolean true when the first #str1 bytes of str2 equal str1
local function starts_with(str1, str2)
  local prefix_len = string.len(str1)
  local head = string.sub(str2, 1, prefix_len)
  return head == str1
end
--- Report whether a request URI is exempt from token validation.
-- A URI is exempt when it begins with any entry of white_list.
-- NOTE(review): the match is a raw prefix test, so an entry also exempts
-- sibling paths that merely share its leading characters.
-- @param url request URI to test
-- @return boolean true when the URI matches a white-list prefix
local function is_white_list(url)
  for idx = 1, #white_list do
    local allowed_prefix = white_list[idx]
    local exempt = starts_with(allowed_prefix, url)
    if exempt then
      return true
    end
  end
  return false
end
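--- Copy every key/value pair of `tokens` onto the current request as headers.
-- @param tokens table mapping header name to header value
local function set_header(tokens)
  for key, value in pairs(tokens) do
    -- Log the header name only. The value is the caller's auth token, and
    -- writing it to the nginx error log would hand a usable credential to
    -- anyone who can read the logs.
    ngx.log(ngx.INFO, "Setting request header: ", key);
    ngx.req.set_header(key, value);
  end
end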
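--- Validate the token against the auth service.
-- Sets the token header(s) on the current request, then issues an internal
-- HEAD subrequest to the token endpoint. Only HTTP 200 counts as valid;
-- a missing result or any other status is treated as a failed check, so
-- the function fails closed.
-- @param tokens table mapping header name to token value
-- @return boolean true when the auth service answered 200
local function validate_token(tokens)
  -- auth expects the token in a header.
  -- NOTE(review): the header is set on the main request, so it presumably
  -- also travels with that request to whatever handles it next; confirm
  -- this is intended.
  set_header(tokens);
  -- call the auth token check url to validate.
  local res = ngx.location.capture(auth_token_url, { method = ngx.HTTP_HEAD });
  -- Guard before dereferencing: the original logged res.status first, so a
  -- nil result raised an error and the nil check below it was unreachable.
  if (nil == res) then
    ngx.log(ngx.ERR, "Auth Result: no response");
    return false;
  end
  ngx.log(ngx.ERR, "Auth Result:", res.status);
  return (ngx.HTTP_OK == res.status);
end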
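--- Read the auth token from the request cookies.
-- @return table { [auth_token_key] = token } when the cookie is present
--   and non-empty, otherwise an empty table
local function get_cookies()
  -- nginx exposes each cookie as the variable "cookie_<name>".
  local cookie_name = "cookie_" .. auth_token_key;
  local auth_token = ngx.var[cookie_name];
  local tokens = {};
  -- Accept the cookie only when it is neither nil nor empty.
  if (verify_value(auth_token)) then
    -- Record only that a token was supplied. The original wrote the token
    -- itself to the error log, which exposes a live credential to anyone
    -- with access to the logs.
    ngx.log(ngx.INFO, "token cookie present: ", auth_token_key);
    tokens[auth_token_key] = auth_token;
  end
  return tokens;
end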
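--- Build the "?service=..." query suffix that lets the login page return
-- the user to the page originally requested.
-- Only the request path and query string are used, so the value is always
-- relative to this server. The unused host/port/protocol locals of the
-- original are removed; they made the function fail when
-- ngx.var.server_port was nil even though the result never used them.
-- NOTE(review): ngx.var.host is derived from client-supplied request data;
-- if an absolute URL is ever reintroduced here, validate the host first,
-- otherwise the login redirect can be pointed at another site.
-- @return string "?service=" followed by the URI-escaped path and query
local function get_service_url()
  local complete_url = ngx.var.uri;
  -- append the query string, if any.
  if ngx.var.args ~= nil then
    complete_url = complete_url .. "?" .. ngx.var.args;
  end
  ngx.log(ngx.ERR, "service url : ", complete_url);
  return "?service=" .. ngx.escape_uri(complete_url);
end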
--- Redirect the client to `url` with the originally requested location
-- appended as a "service" query parameter.
-- @param url path of the page to redirect to
local function redirect(url)
  local target = url .. get_service_url();
  ngx.log(ngx.ERR, "redirect: ", target);
  ngx.redirect(target);
end
--- Access-phase handler: let white-listed URIs through, otherwise require
-- a token cookie that the auth service accepts, and redirect to the login
-- page when the token is missing or rejected.
function _M.access()
  ngx.log(ngx.ERR, "==============start check token===============: ");
  local request_uri = ngx.var.uri;
  ngx.log(ngx.ERR, "Url : ", request_uri);

  -- White-listed URIs (auth endpoint, login page, static assets) are not
  -- checked at all.
  if is_white_list(request_uri) then
    return;
  end

  -- No token cookie at all: send the client to the login page.
  local auth_tokens = get_cookies();
  local has_token = next(auth_tokens) ~= nil;
  if not has_token then
    ngx.log(ngx.ERR, "Token Invalidate, redirect to ", redirect_url);
    redirect(redirect_url);
    return;
  end

  -- Token present but rejected by the auth module: redirect as well.
  if not validate_token(auth_tokens) then
    redirect(redirect_url);
    -- reached only if redirect() returns
    ngx.log(ngx.INFO, "running auth plugin")
    return;
  end

  -- Token accepted; the request continues.
  ngx.log(ngx.ERR, "Token Validate.");
  return;
end
-- Export the module table; access() and _VERSION are its only fields.
return _M