-- This script may be used with the auth-filter. Be sure to configure it as you wish.
--
-- Requirements:
-- luacrypto >= 0.3
--
-- lualdap >= 1.2
--
--
--
--
-- Configure these variables for your settings.
--
--
-- A list of password protected repositories, with which gentooAccess
-- group is allowed to access each one.
local protected_repos = {
glouglou = "infra",
portage = "dev"
}
-- All cookies will be authenticated based on this secret. Make it something
-- totally random and impossible to guess. It should be large.
local secret = "BE SURE TO CUSTOMIZE THIS STRING TO SOMETHING BIG AND RANDOM"
--
--
-- Authentication functions follow below. Swap these out if you want different authentication semantics.
--
--
-- Sets HTTP cookie headers based on post and sets up redirection.
function authenticate_post()
local redirect = validate_value("redirect", post["redirect"])
if redirect == nil then
not_found()
return 0
end
redirect_to(redirect)
local groups = gentoo_ldap_user_groups(post["username"], post["password"])
if groups == nil then
set_cookie("cgitauth", "")
else
-- One week expiration time
set_cookie("cgitauth", secure_value("gentoogroups", table.concat(groups, ","), os.time() + 604800))
end
html("\n")
return 0
end
-- Returns 1 if the cookie is valid and 0 if it is not.
function authenticate_cookie()
local required_group = protected_repos[cgit["repo"]]
if required_group == nil then
-- We return as valid if the repo is not protected.
return 1
end
local user_groups = validate_value("gentoogroups", get_cookie(http["cookie"], "cgitauth"))
if user_groups == nil or user_groups == "" then
return 0
end
for group in string.gmatch(user_groups, "[^,]+") do
if group == required_group then
return 1
end
end
return 0
end
-- Prints the html for the login form.
function body()
html("Gentoo LDAP Authentication Required
")
html("")
return 0
end
--
--
-- Gentoo LDAP support.
--
--
local lualdap = require("lualdap")
function gentoo_ldap_user_groups(username, password)
-- Ensure the user is alphanumeric
if username:match("%W") then
return nil
end
local who = "uid=" .. username .. ",ou=devs,dc=gentoo,dc=org"
local ldap, err = lualdap.open_simple {
uri = "ldap://ldap1.gentoo.org",
who = who,
password = password,
starttls = true,
certfile = "/var/www/uwsgi/cgit/gentoo-ldap/star.gentoo.org.crt",
keyfile = "/var/www/uwsgi/cgit/gentoo-ldap/star.gentoo.org.key",
cacertfile = "/var/www/uwsgi/cgit/gentoo-ldap/ca.pem"
}
if ldap == nil then
return nil
end
local group_suffix = ".group"
local group_suffix_len = group_suffix:len()
local groups = {}
for dn, attribs in ldap:search { base = who, scope = "subtree" } do
local access = attribs["gentooAccess"]
if dn == who and access ~= nil then
for i, v in ipairs(access) do
local vlen = v:len()
if vlen > group_suffix_len and v:sub(-group_suffix_len) == group_suffix then
table.insert(groups, v:sub(1, vlen - group_suffix_len))
end
end
end
end
ldap:close()
return groups
end
--
--
-- Wrapper around filter API, exposing the http table, the cgit table, and the post table to the above functions.
--
--
local actions = {}
actions["authenticate-post"] = authenticate_post
actions["authenticate-cookie"] = authenticate_cookie
actions["body"] = body
function filter_open(...)
action = actions[select(1, ...)]
http = {}
http["cookie"] = select(2, ...)
http["method"] = select(3, ...)
http["query"] = select(4, ...)
http["referer"] = select(5, ...)
http["path"] = select(6, ...)
http["host"] = select(7, ...)
http["https"] = select(8, ...)
cgit = {}
cgit["repo"] = select(9, ...)
cgit["page"] = select(10, ...)
cgit["url"] = select(11, ...)
cgit["login"] = select(12, ...)
end
function filter_close()
return action()
end
function filter_write(str)
post = parse_qs(str)
end
--
--
-- Utility functions based on keplerproject/wsapi.
--
--
function url_decode(str)
if not str then
return ""
end
str = string.gsub(str, "+", " ")
str = string.gsub(str, "%%(%x%x)", function(h) return string.char(tonumber(