Diffstat (limited to 'msb-core/openresty-ext/src/assembly/resources/openresty/nginx/luaext/plugins/auth.lua')
-rw-r--r-- | msb-core/openresty-ext/src/assembly/resources/openresty/nginx/luaext/plugins/auth.lua | 170 |
1 files changed, 150 insertions, 20 deletions
diff --git a/msb-core/openresty-ext/src/assembly/resources/openresty/nginx/luaext/plugins/auth.lua b/msb-core/openresty-ext/src/assembly/resources/openresty/nginx/luaext/plugins/auth.lua
index a1fecf2..101679d 100644
--- a/msb-core/openresty-ext/src/assembly/resources/openresty/nginx/luaext/plugins/auth.lua
+++ b/msb-core/openresty-ext/src/assembly/resources/openresty/nginx/luaext/plugins/auth.lua
@@ -1,29 +1,159 @@ ---[[ +-- Copyright 2016 Huawei Technologies Co., Ltd. - Copyright 2016 2015-2016 ZTE, Inc. and others. All rights reserved. +-- Licensed under the Apache License, Version 2.0 (the "License"); +-- you may not use this file except in compliance with the License. +-- You may obtain a copy of the License at - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at +-- http://www.apache.org/licenses/LICENSE-2.0 - http://www.apache.org/licenses/LICENSE-2.0 +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. +auth_url = '/openoapi/auth/v1'; +auth_token_url = auth_url..'/tokens'; +auth_token_key = "X-Auth-Token"; +redirect_url = "/openoui/auth/v1/login/html/login.html" - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. 
+white_list= { + auth_token_url, + redirect_url, + '/openoui/auth/v1/login/' +}; - Author: Zhaoxing Meng - email: meng.zhaoxing1@zte.com.cn +function verify_value(value) + if (nil == value or 0 == #value) + then + return false; + else + return true; + end +end + +--[[checks str2 starts with str1]]-- +function starts_with(str1, str2) + return string.sub(str2, 1, string.len(str1)) == str1; +end + +-- Check and ignore the request if it is from auth module.-- +function is_white_list(url) + for i, value in ipairs(white_list) + do + if (starts_with(value, url)) + then + return true; + end + end + return false; +end + +-- Check and ignore the request if it is from auth module. +-- function is_auth_request(url) + +-- return string.sub(url, 1, string.len(auth_url)) == auth_url; +-- end + +function set_header(tokens) + for key,value in pairs(tokens) + do + ngx.log (ngx.ERR, "Headers: ", key, value); + ngx.req.set_header(key, value); + end + +end +--[[ validates the token with auth ]]-- +function validate_token(tokens) + -- auth expects the token in header. + set_header(tokens); + -- call auth token check url to validate. + local res = ngx.location.capture(auth_token_url, { method = ngx.HTTP_HEAD}); + ngx.log (ngx.ERR, "Auth Result:", res.status); + if (nil == res) + then + return false; + end + return (ngx.HTTP_OK == res.status); +end + +--[[ get auth token from cookies ]]-- +function get_cookies() + local cookie_name = "cookie_"..auth_token_key; + local auth_token = ngx.var[cookie_name]; + local tokens = {}; + -- verify whether its empty or null. + if (verify_value(auth_token)) + then + ngx.log(ngx.ERR, "token : ", auth_token ); + tokens[auth_token_key] = auth_token; + end + return tokens; +end + +function get_service_url() + -- get host. 
+ local host = ngx.var.host; + --get port + local port = ":"..ngx.var.server_port; + local proto = ""; + --get protocol + if (ngx.var.https == "on") + then + proto = "https://"; + else + proto = "http://"; + end + --get url + local uri = ngx.var.rui; + --form complete service url. + --local complete_url = proto..host..port..url + local complete_url = uri; + local service = "?service=" + --add arguments if any. + if ngx.var.args ~= nil + then + complete_url = complete_url.."?"..ngx.var.args; + end + ngx.log(ngx.ERR, "service url : ", complete_url); + return service..ngx.escape_uri(complete_url); +end -]] -local _M = {} -_M._VERSION = '1.0.0' +function redirect(url) + local service = get_service_url(); + ngx.log(ngx.ERR, "redirect: ", url..service); + ngx.redirect(url..service); +end + +ngx.log(ngx.ERR, "==============start check token===============: "); +local url = ngx.var.uri; +ngx.log(ngx.ERR, "Url : ", url); -function _M.access() - --add your own code here - ngx.log(ngx.INFO, "running auth plugin") +-- ignore token validation if auth request. +if (is_white_list(url)) +then + return; end -return _M
\ No newline at end of file + + +-- get auth token from cookies. +local auth_tokens = get_cookies(); + +-- check if auth token is empty, +-- redirect it to login page in that case. +if (nil == next(auth_tokens)) +then + ngx.log(ngx.ERR, "Token Invalidate, redirect to ", redirect_url); + redirect(redirect_url); + return; +end + +-- validate the token with auth module. +-- continue if success, else redirect to login page. +if(validate_token(auth_tokens)) +then + ngx.log(ngx.ERR, "Token Validate."); + return; +else + redirect(redirect_url); +end |
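Review bot: The new access handler writes the bearer credential to the nginx error log: `set_header` logs every forwarded header value (`ngx.log (ngx.ERR, "Headers: ", key, value);`) and `get_cookies` logs the cookie itself (`ngx.log(ngx.ERR, "token : ", auth_token );`), so each X-Auth-Token that reaches this plugin is persisted at ERR severity where it outlives the session and is readable by anyone with log access. Log only the presence of the token, e.g. `ngx.log(ngx.DEBUG, "Headers: ", key);` and `ngx.log(ngx.DEBUG, "auth token cookie present");`, and drop the remaining per-request ERR-level tracing (`start check token`, `Url : `, `service url : `, `redirect: `) to DEBUG or INFO. Separately, `get_service_url` reads `ngx.var.rui`, which is not a variable nginx defines, so `complete_url` is nil and the `complete_url.."?"..ngx.var.args` concatenation raises on any request carrying a query string, turning the login redirect into a 500; `local uri = ngx.var.rui;` should be `local uri = ngx.var.uri;`. In `validate_token` the `nil == res` guard comes after `res.status` has already been dereferenced, so the log line should move below the check or the check should be dropped. Note also that `is_white_list` is a plain prefix match on `ngx.var.uri`, so every path under `/openoui/auth/v1/login/` and every path beginning with `/openoapi/auth/v1/tokens` bypasses validation — worth confirming that scope is intended and documenting it on the `white_list` table.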