path: root/msb-core/openresty-ext/src/assembly/resources/openresty/nginx/luaext/plugins/auth.lua

--[[

    Copyright 2016 Huawei Technologies Co., Ltd.

    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
]]
auth_url = '/openoapi/auth/v1';
auth_token_url = auth_url..'/tokens';
auth_token_key = "X-Auth-Token";
redirect_url = "/openoui/auth/v1/login/html/login.html"

white_list= {
  auth_token_url,
  redirect_url,
  '/openoui/auth/v1/login/'
};

function verify_value(value)
  if (nil == value or 0 == #value)
  then
    return false;
  else
    return true;
  end
end

--[[checks str2 starts with str1]]--
function starts_with(str1, str2)
  return string.sub(str2, 1, string.len(str1)) == str1;
end

--  Check and ignore the request if it is from auth module.--
function is_white_list(url)
  for i, value in ipairs(white_list)
  do
    if (starts_with(value, url))
      then
        return true;
      end
  end
  return false;
end

-- Check and ignore the request if it is from auth module.
-- function is_auth_request(url)
  
--   return string.sub(url, 1, string.len(auth_url)) == auth_url;
-- end

function set_header(tokens)
  for key,value in pairs(tokens)
  do
    ngx.log (ngx.ERR, "Headers: ", key, value);
    ngx.req.set_header(key, value);
  end

end
--[[ validates the token with auth ]]--
function validate_token(tokens)
  -- auth expects the token in header.
  set_header(tokens);
  -- call auth token check url to validate.
  local res = ngx.location.capture(auth_token_url, { method = ngx.HTTP_HEAD});
  ngx.log (ngx.ERR, "Auth Result:", res.status);
  if (nil == res)
  then
    return false;
  end
  return (ngx.HTTP_OK == res.status);
end

--[[ get auth token from cookies ]]--
function get_cookies()
  local cookie_name = "cookie_"..auth_token_key;
  local auth_token = ngx.var[cookie_name];
  local tokens = {};
  -- verify whether its empty or null.
  if (verify_value(auth_token))
  then
  ngx.log(ngx.ERR, "token : ", auth_token );
    tokens[auth_token_key] = auth_token;
  end
  return tokens;
end

function get_service_url()
  -- get host.
  local host = ngx.var.host;
  --get port
  local port = ":"..ngx.var.server_port;
  local proto = "";
  --get protocol
  if (ngx.var.https == "on")
  then
    proto = "https://";
  else
    proto = "http://";
  end
  --get url
  local uri = ngx.var.rui;
  --form complete service url.
  --local complete_url = proto..host..port..url
  local complete_url = uri;
  local service = "?service="
  --add arguments if any.
  if ngx.var.args ~= nil
  then
    complete_url = complete_url.."?"..ngx.var.args;
  end
  ngx.log(ngx.ERR, "service url : ", complete_url);
  return service..ngx.escape_uri(complete_url);
end

function redirect(url)
  local service = get_service_url();
  ngx.log(ngx.ERR, "redirect: ", url..service);
  ngx.redirect(url..service);
end

ngx.log(ngx.ERR, "==============start check token===============: ");
local url = ngx.var.uri;
ngx.log(ngx.ERR, "Url : ", url);

-- ignore token validation if auth request.
if (is_white_list(url))
then
  return;
end



-- get auth token from cookies.
local auth_tokens = get_cookies();

-- check if auth token is empty,
-- redirect it to login page in that case.
if (nil == next(auth_tokens))
then
  ngx.log(ngx.ERR, "Token Invalidate, redirect to ", redirect_url);
  redirect(redirect_url);
  return;
end

-- validate the token with auth module.
-- continue if success, else redirect to login page.
if(validate_token(auth_tokens))
then
  ngx.log(ngx.ERR, "Token Validate.");
  return;
else
  redirect(redirect_url);
end