diff options
author | sterni <sternenseemann@systemli.org> | 2022-05-19T08·23+0200 |
---|---|---|
committer | sterni <sternenseemann@systemli.org> | 2022-05-19T08·23+0200 |
commit | 0c86e2ac3f20fa43fabd2f7ff2dc3d16fadd08e0 (patch) | |
tree | 01c4790c535bb816c544ae1b65e551a00d9a66d3 /filters/gentoo-ldap-authentication.lua | |
parent | 723dc8fbcb1a4609c264758eae420ee2811a2b55 (diff) |
Squashed 'third_party/cgit/' changes from 8fc0c81bb..26ac84466
26ac84466 Bump version to 1.4.1 cc167887f Fix bad free in cgit_diff_tree 4a30da89c Bump version to 1.4.0 695515801 Tolerate short writes in print_slot 069d15447 git: update to v2.36.1 3374b0e7a git: update to v2.36.0 400fd7abb Use release_commit_memory() 93ce8fe3b Reset font size for blame oid 28c0cb6f7 Add a link to the parent commit in blame c5809a429 Fix fmt() off-by-one error 129d8a158 Allow to give readme head from query 44a004809 Bump version to 1.3.0 76d9396e4 Update information for fork d993e4be6 Remove Lua support e4ce4fa74 Merge remote-tracking branch 'ch/git-2-35' 065ee253a Silence owner-info error f92ba7ea8 Remove default favicon 03519c7bc Show about path in page title 20f0352d9 Generate valid Atom feeds 516175469 Merge up to git v2.32.0 12d91b897 Fix crash trying to print "this commit" on 404s 957855ffd Use owner-filter for repo page headers f9c417f24 Fix tests for diff spans be6a526a7 Use <pre> and <span> to print diffs a8e11db65 Use buffered stdio b2511f295 Remove redundant title on repo anchors 2d4c893db Improve button spacing for browsers w/o CSS 1e9f26ffb Improve decoration display for browsers without CSS 2843093cb Use <pre> for commit-msg 122f7a9be Improve pageheader display on text-based browsers 298f7d15f Use git raw note format 6524fe671 Add "this commit" option to switch form 8f9034884 Show subject in commit page title 41a17adaf Show symlink targets in tree listing 437d0b416 Disallow blame in robots.txt e75fa957e Don't link to blame for binary blobs 8bf017ec5 Bail from blame if blob is binary fa86ef6a3 Remove dependency on memrchr bbbaa29a9 git: update to v2.35.1 73e98c16e git: update to v2.35.0 11be5b818 git: update to v2.34.1 b8f2b675d git: update to v2.34.0 45eff4065 git: update to v2.33.0 5258c297b git: update to v2.32.0 6dbbffe01 git: update to v2.31.1 62eb8db45 md2html: use proper formatting for hr d889cae81 git: update to v2.31.0 4ffadc1e0 git: update to v2.30.1 bd6f5683f tests: t0107: support older and/or non-GNU tar f69626c68 md2html: use sane_lists extension cef27b670 git: update to v2.30.0 b1739247b git: update to v2.29.2 fe99c76ee git: update to v2.29.1 adcc4f822 tests: try with commit-graph a1039ab17 tests: do not copy snapshots to /tmp/ a4de0e810 global: replace hard coded hash length 779631c6d global: replace references to 'sha1' with 'oid' 629659d2c git: update to v2.29.0 205837d46 git: update to v2.28.0 f780396c0 git: update to v2.27.0 0462f08d8 git: update to v2.26.0 55fa25adb Bump version 6a8d6d4b5 global: use proper accessors for maybe_tree 892ba8c3c ui-snapshot: add support for zstd compression cc230bf04 tests: add tests for xz compressed snapshots 06671f4b2 ui-snapshot: add support for lzip compression fde897b81 git: update to v2.25.1 5e49023b0 tests: allow to skip git version tests fa146ccab Bump version bd68c9887 git: update to v2.25.0 ca98c9e7b tests: skip tests if strace is not functional d8e5dd25a git: update to v2.24.1 583aa5d80 ui-repolist: do not return unsigned (negative) value bfabd4519 git: update to v2.24.0 git-subtree-dir: third_party/cgit git-subtree-split: 26ac844661e95ee1ff3ddf4f8691de9904dad783
Diffstat (limited to 'filters/gentoo-ldap-authentication.lua')
-rw-r--r-- | filters/gentoo-ldap-authentication.lua | 360 |
1 files changed, 0 insertions, 360 deletions
diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua deleted file mode 100644 index 673c88d1021c..000000000000 --- a/filters/gentoo-ldap-authentication.lua +++ /dev/null @@ -1,360 +0,0 @@ --- This script may be used with the auth-filter. Be sure to configure it as you wish. --- --- Requirements: --- luaossl --- <http://25thandclement.com/~william/projects/luaossl.html> --- lualdap >= 1.2 --- <https://git.zx2c4.com/lualdap/about/> --- luaposix --- <https://github.com/luaposix/luaposix> --- -local sysstat = require("posix.sys.stat") -local unistd = require("posix.unistd") -local lualdap = require("lualdap") -local rand = require("openssl.rand") -local hmac = require("openssl.hmac") - --- --- --- Configure these variables for your settings. --- --- - --- A list of password protected repositories, with which gentooAccess --- group is allowed to access each one. -local protected_repos = { - glouglou = "infra", - portage = "dev" -} - --- Set this to a path this script can write to for storing a persistent --- cookie secret, which should be guarded. -local secret_filename = "/var/cache/cgit/auth-secret" - - --- --- --- Authentication functions follow below. Swap these out if you want different authentication semantics. --- --- - --- Sets HTTP cookie headers based on post and sets up redirection. -function authenticate_post() - local redirect = validate_value("redirect", post["redirect"]) - - if redirect == nil then - not_found() - return 0 - end - - redirect_to(redirect) - - local groups = gentoo_ldap_user_groups(post["username"], post["password"]) - if groups == nil then - set_cookie("cgitauth", "") - else - -- One week expiration time - set_cookie("cgitauth", secure_value("gentoogroups", table.concat(groups, ","), os.time() + 604800)) - end - - html("\n") - return 0 -end - - --- Returns 1 if the cookie is valid and 0 if it is not. -function authenticate_cookie() - local required_group = protected_repos[cgit["repo"]] - if required_group == nil then - -- We return as valid if the repo is not protected. - return 1 - end - - local user_groups = validate_value("gentoogroups", get_cookie(http["cookie"], "cgitauth")) - if user_groups == nil or user_groups == "" then - return 0 - end - for group in string.gmatch(user_groups, "[^,]+") do - if group == required_group then - return 1 - end - end - return 0 -end - --- Prints the html for the login form. -function body() - html("<h2>Gentoo LDAP Authentication Required</h2>") - html("<form method='post' action='") - html_attr(cgit["login"]) - html("'>") - html("<input type='hidden' name='redirect' value='") - html_attr(secure_value("redirect", cgit["url"], 0)) - html("' />") - html("<table>") - html("<tr><td><label for='username'>Username:</label></td><td><input id='username' name='username' autofocus /></td></tr>") - html("<tr><td><label for='password'>Password:</label></td><td><input id='password' name='password' type='password' /></td></tr>") - html("<tr><td colspan='2'><input value='Login' type='submit' /></td></tr>") - html("</table></form>") - - return 0 -end - --- --- --- Gentoo LDAP support. --- --- - -function gentoo_ldap_user_groups(username, password) - -- Ensure the user is alphanumeric - if username == nil or username:match("%W") then - return nil - end - - local who = "uid=" .. username .. ",ou=devs,dc=gentoo,dc=org" - - local ldap, err = lualdap.open_simple { - uri = "ldap://ldap1.gentoo.org", - who = who, - password = password, - starttls = true, - certfile = "/var/www/uwsgi/cgit/gentoo-ldap/star.gentoo.org.crt", - keyfile = "/var/www/uwsgi/cgit/gentoo-ldap/star.gentoo.org.key", - cacertfile = "/var/www/uwsgi/cgit/gentoo-ldap/ca.pem" - } - if ldap == nil then - return nil - end - - local group_suffix = ".group" - local group_suffix_len = group_suffix:len() - local groups = {} - for dn, attribs in ldap:search { base = who, scope = "subtree" } do - local access = attribs["gentooAccess"] - if dn == who and access ~= nil then - for i, v in ipairs(access) do - local vlen = v:len() - if vlen > group_suffix_len and v:sub(-group_suffix_len) == group_suffix then - table.insert(groups, v:sub(1, vlen - group_suffix_len)) - end - end - end - end - - ldap:close() - - return groups -end - --- --- --- Wrapper around filter API, exposing the http table, the cgit table, and the post table to the above functions. --- --- - -local actions = {} -actions["authenticate-post"] = authenticate_post -actions["authenticate-cookie"] = authenticate_cookie -actions["body"] = body - -function filter_open(...) - action = actions[select(1, ...)] - - http = {} - http["cookie"] = select(2, ...) - http["method"] = select(3, ...) - http["query"] = select(4, ...) - http["referer"] = select(5, ...) - http["path"] = select(6, ...) - http["host"] = select(7, ...) - http["https"] = select(8, ...) - - cgit = {} - cgit["repo"] = select(9, ...) - cgit["page"] = select(10, ...) - cgit["url"] = select(11, ...) - cgit["login"] = select(12, ...) - -end - -function filter_close() - return action() -end - -function filter_write(str) - post = parse_qs(str) -end - - --- --- --- Utility functions based on keplerproject/wsapi. --- --- - -function url_decode(str) - if not str then - return "" - end - str = string.gsub(str, "+", " ") - str = string.gsub(str, "%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end) - str = string.gsub(str, "\r\n", "\n") - return str -end - -function url_encode(str) - if not str then - return "" - end - str = string.gsub(str, "\n", "\r\n") - str = string.gsub(str, "([^%w ])", function(c) return string.format("%%%02X", string.byte(c)) end) - str = string.gsub(str, " ", "+") - return str -end - -function parse_qs(qs) - local tab = {} - for key, val in string.gmatch(qs, "([^&=]+)=([^&=]*)&?") do - tab[url_decode(key)] = url_decode(val) - end - return tab -end - -function get_cookie(cookies, name) - cookies = string.gsub(";" .. cookies .. ";", "%s*;%s*", ";") - return string.match(cookies, ";" .. name .. "=(.-);") -end - -function tohex(b) - local x = "" - for i = 1, #b do - x = x .. string.format("%.2x", string.byte(b, i)) - end - return x -end - --- --- --- Cookie construction and validation helpers. --- --- - -local secret = nil - --- Loads a secret from a file, creates a secret, or returns one from memory. -function get_secret() - if secret ~= nil then - return secret - end - local secret_file = io.open(secret_filename, "r") - if secret_file == nil then - local old_umask = sysstat.umask(63) - local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16)) - local temporary_file = io.open(temporary_filename, "w") - if temporary_file == nil then - os.exit(177) - end - temporary_file:write(tohex(rand.bytes(32))) - temporary_file:close() - unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. - unistd.unlink(temporary_filename) - sysstat.umask(old_umask) - secret_file = io.open(secret_filename, "r") - end - if secret_file == nil then - os.exit(177) - end - secret = secret_file:read() - secret_file:close() - if secret:len() ~= 64 then - os.exit(177) - end - return secret -end - --- Returns value of cookie if cookie is valid. Otherwise returns nil. -function validate_value(expected_field, cookie) - local i = 0 - local value = "" - local field = "" - local expiration = 0 - local salt = "" - local chmac = "" - - if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then - return nil - end - - for component in string.gmatch(cookie, "[^|]+") do - if i == 0 then - field = component - elseif i == 1 then - value = component - elseif i == 2 then - expiration = tonumber(component) - if expiration == nil then - expiration = -1 - end - elseif i == 3 then - salt = component - elseif i == 4 then - chmac = component - else - break - end - i = i + 1 - end - - if chmac == nil or chmac:len() == 0 then - return nil - end - - -- Lua hashes strings, so these comparisons are time invariant. - if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then - return nil - end - - if expiration == -1 or (expiration ~= 0 and expiration <= os.time()) then - return nil - end - - if url_decode(field) ~= expected_field then - return nil - end - - return url_decode(value) -end - -function secure_value(field, value, expiration) - if value == nil or value:len() <= 0 then - return "" - end - - local authstr = "" - local salt = tohex(rand.bytes(16)) - value = url_encode(value) - field = url_encode(field) - authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt - authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr)) - return authstr -end - -function set_cookie(cookie, value) - html("Set-Cookie: " .. cookie .. "=" .. value .. "; HttpOnly") - if http["https"] == "yes" or http["https"] == "on" or http["https"] == "1" then - html("; secure") - end - html("\n") -end - -function redirect_to(url) - html("Status: 302 Redirect\n") - html("Cache-Control: no-cache, no-store\n") - html("Location: " .. url .. "\n") -end - -function not_found() - html("Status: 404 Not Found\n") - html("Cache-Control: no-cache, no-store\n\n") -end |