aboutsummaryrefslogtreecommitdiffstats
path: root/src/assembly/resources/openresty/nginx/luaext/plugins/auth/handler.lua
blob: 4a54ed6a2343f0d9a35c520085ba9f8d4ead6cbd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
--[[

    Copyright 2016 ZTE, Inc. and others.

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.

]]
local _M = {}
_M._VERSION = '1.0.0'
local auth_url = '/openoapi/auth/v1';
local auth_token_url = auth_url..'/tokens';
local auth_token_key = "X-Auth-Token";
local redirect_url = "/openoui/common/login.html"

local white_list= {
  auth_token_url,
  redirect_url,
  '/openoui/common/css',
  '/openoui/common/js',
  '/openoui/common/thirdparty',
  '/openoui/common/i18n',
  '/openoui/common/image',
  '/openoui/common/login.html',
  '/openoui/common/json'
};

local function verify_value(value)
  if (nil == value or 0 == #value)
  then
    return false;
  else
    return true;
  end
end

--[[checks str2 starts with str1]]--
local function starts_with(str1, str2)
  return string.sub(str2, 1, string.len(str1)) == str1;
end

--  Check and ignore the request if it is from auth module.--
local function is_white_list(url)
  for i, value in ipairs(white_list)
  do
    if (starts_with(value, url))
      then
        return true;
      end
  end
  return false;
end

local function set_header(tokens)
  for key,value in pairs(tokens)
  do
    ngx.log (ngx.ERR, "Headers: ", key, value);
    ngx.req.set_header(key, value);
  end

end
--[[ validates the token with auth ]]--
local function validate_token(tokens)
  -- auth expects the token in header.
  set_header(tokens);
  -- call auth token check url to validate.
  local res = ngx.location.capture(auth_token_url, { method = ngx.HTTP_HEAD});
  ngx.log (ngx.ERR, "Auth Result:", res.status);
  if (nil == res)
  then
    return false;
  end
  return (ngx.HTTP_OK == res.status);
end

--[[ get auth token from cookies ]]--
local function get_cookies()
  local cookie_name = "cookie_"..auth_token_key;
  local auth_token = ngx.var[cookie_name];
  local tokens = {};
  -- verify whether its empty or null.
  if (verify_value(auth_token))
  then
  ngx.log(ngx.ERR, "token : ", auth_token );
    tokens[auth_token_key] = auth_token;
  end
  return tokens;
end

local function get_service_url()
  -- get host.
  local host = ngx.var.host;
  --get port
  local port = ":"..ngx.var.server_port;
  local proto = "";
  --get protocol
  if (ngx.var.https == "on")
  then
    proto = "https://";
  else
    proto = "http://";
  end
  --get url
  local uri = ngx.var.uri;
  --form complete service url.
  --local complete_url = proto..host..port..url
  local complete_url = uri;
  local service = "?service="
  --add arguments if any.
  if ngx.var.args ~= nil
  then
    complete_url = complete_url.."?"..ngx.var.args;
  end
  ngx.log(ngx.ERR, "service url : ", complete_url);
  return service..ngx.escape_uri(complete_url);
end

local function redirect(url)
  local service = get_service_url();
  ngx.log(ngx.ERR, "redirect: ", url..service);
  ngx.redirect(url..service);
end

function _M.access()

    ngx.log(ngx.ERR, "==============start check token===============: ");
    local url = ngx.var.uri;
    ngx.log(ngx.ERR, "Url : ", url);

    -- ignore token validation if auth request.
    if (is_white_list(url))
    then
      return;
    end



    -- get auth token from cookies.
    local auth_tokens = get_cookies();

    -- check if auth token is empty,
    -- redirect it to login page in that case.
    if (nil == next(auth_tokens))
    then
      ngx.log(ngx.ERR, "Token Invalidate, redirect to ", redirect_url);
      redirect(redirect_url);
      return;
    end

    -- validate the token with auth module.
    -- continue if success, else redirect to login page.
    if(validate_token(auth_tokens))
    then
      ngx.log(ngx.ERR, "Token Validate.");
      return;
    else
      redirect(redirect_url);
    end
    	ngx.log(ngx.INFO, "running auth plugin")
    end

return _M