]> git.cameronkatri.com Git - cgit.git/blob - filters/simple-authentication.lua
git.ckatri.com / cgit.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
auth: have cgit calculate login address
[cgit.git] / filters / simple-authentication.lua
1 -- This script may be used with the auth-filter. Be sure to configure it as you wish.
2 --
3 -- Requirements:
4 -- luacrypto >= 0.3
5 -- <http://mkottman.github.io/luacrypto/>
6 --
7
8
9 --
10 --
11 -- Configure these variables for your settings.
12 --
13 --
14
15 local protected_repos = {
16 glouglou = { laurent = true, jason = true },
17 qt = { jason = true, bob = true }
18 }
19
20 local users = {
21 jason = "secretpassword",
22 laurent = "s3cr3t",
23 bob = "ilikelua"
24 }
25
26 local secret = "BE SURE TO CUSTOMIZE THIS STRING TO SOMETHING BIG AND RANDOM"
27
28
29
30 --
31 --
32 -- Authentication functions follow below. Swap these out if you want different authentication semantics.
33 --
34 --
35
36 -- Sets HTTP cookie headers based on post and sets up redirection.
37 function authenticate_post()
38 local password = users[post["username"]]
39 local redirect = validate_value(post["redirect"])
40
41 if redirect == nil then
42 not_found()
43 return 0
44 end
45
46 redirect_to(redirect)
47
48 -- Lua hashes strings, so these comparisons are time invariant.
49 if password == nil or password ~= post["password"] then
50 set_cookie("cgitauth", "")
51 else
52 -- One week expiration time
53 local username = secure_value(post["username"], os.time() + 604800)
54 set_cookie("cgitauth", username)
55 end
56
57 html("\n")
58 return 0
59 end
60
61
62 -- Returns 1 if the cookie is valid and 0 if it is not.
63 function authenticate_cookie()
64 accepted_users = protected_repos[cgit["repo"]]
65 if accepted_users == nil then
66 -- We return as valid if the repo is not protected.
67 return 1
68 end
69
70 local username = validate_value(get_cookie(http["cookie"], "cgitauth"))
71 if username == nil or not accepted_users[username:lower()] then
72 return 0
73 else
74 return 1
75 end
76 end
77
78 -- Prints the html for the login form.
79 function body()
80 html("<h2>Authentication Required</h2>")
81 html("<form method='post' action='")
82 html_attr(cgit["login"])
83 html("'>")
84 html("<input type='hidden' name='redirect' value='")
85 html_attr(secure_value(cgit["url"], 0))
86 html("' />")
87 html("<table>")
88 html("<tr><td><label for='username'>Username:</label></td><td><input id='username' name='username' autofocus /></td></tr>")
89 html("<tr><td><label for='password'>Password:</label></td><td><input id='password' name='password' type='password' /></td></tr>")
90 html("<tr><td colspan='2'><input value='Login' type='submit' /></td></tr>")
91 html("</table></form>")
92
93 return 0
94 end
95
96
97
98 --
99 --
100 -- Wrapper around filter API, exposing the http table, the cgit table, and the post table to the above functions.
101 --
102 --
103
104 local actions = {}
105 actions["authenticate-post"] = authenticate_post
106 actions["authenticate-cookie"] = authenticate_cookie
107 actions["body"] = body
108
109 function filter_open(...)
110 action = actions[select(1, ...)]
111
112 http = {}
113 http["cookie"] = select(2, ...)
114 http["method"] = select(3, ...)
115 http["query"] = select(4, ...)
116 http["referer"] = select(5, ...)
117 http["path"] = select(6, ...)
118 http["host"] = select(7, ...)
119 http["https"] = select(8, ...)
120
121 cgit = {}
122 cgit["repo"] = select(9, ...)
123 cgit["page"] = select(10, ...)
124 cgit["url"] = select(11, ...)
125 cgit["login"] = select(12, ...)
126
127 end
128
129 function filter_close()
130 return action()
131 end
132
133 function filter_write(str)
134 post = parse_qs(str)
135 end
136
137
138 --
139 --
140 -- Utility functions based on keplerproject/wsapi.
141 --
142 --
143
144 function url_decode(str)
145 if not str then
146 return ""
147 end
148 str = string.gsub(str, "+", " ")
149 str = string.gsub(str, "%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end)
150 str = string.gsub(str, "\r\n", "\n")
151 return str
152 end
153
154 function url_encode(str)
155 if not str then
156 return ""
157 end
158 str = string.gsub(str, "\n", "\r\n")
159 str = string.gsub(str, "([^%w ])", function (c) return string.format("%%%02X", string.byte(c)) end)
160 str = string.gsub(str, " ", "+")
161 return str
162 end
163
164 function parse_qs(qs)
165 local tab = {}
166 for key, val in string.gmatch(qs, "([^&=]+)=([^&=]*)&?") do
167 tab[url_decode(key)] = url_decode(val)
168 end
169 return tab
170 end
171
172 function get_cookie(cookies, name)
173 cookies = string.gsub(";" .. cookies .. ";", "%s*;%s*", ";")
174 return url_decode(string.match(cookies, ";" .. name .. "=(.-);"))
175 end
176
177
178 --
179 --
180 -- Cookie construction and validation helpers.
181 --
182 --
183
184 local crypto = require("crypto")
185
186 -- Returns value of cookie if cookie is valid. Otherwise returns nil.
187 function validate_value(cookie)
188 local i = 0
189 local value = ""
190 local expiration = 0
191 local salt = ""
192 local hmac = ""
193
194 if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then
195 return nil
196 end
197
198 for component in string.gmatch(cookie, "[^|]+") do
199 if i == 0 then
200 value = component
201 elseif i == 1 then
202 expiration = tonumber(component)
203 if expiration == nil then
204 expiration = 0
205 end
206 elseif i == 2 then
207 salt = component
208 elseif i == 3 then
209 hmac = component
210 else
211 break
212 end
213 i = i + 1
214 end
215
216 if hmac == nil or hmac:len() == 0 then
217 return nil
218 end
219
220 -- Lua hashes strings, so these comparisons are time invariant.
221 if hmac ~= crypto.hmac.digest("sha1", value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then
222 return nil
223 end
224
225 if expiration ~= 0 and expiration <= os.time() then
226 return nil
227 end
228
229 return url_decode(value)
230 end
231
232 function secure_value(value, expiration)
233 if value == nil or value:len() <= 0 then
234 return ""
235 end
236
237 local authstr = ""
238 local salt = crypto.hex(crypto.rand.bytes(16))
239 value = url_encode(value)
240 authstr = value .. "|" .. tostring(expiration) .. "|" .. salt
241 authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret)
242 return authstr
243 end
244
245 function set_cookie(cookie, value)
246 html("Set-Cookie: " .. cookie .. "=" .. value .. "; HttpOnly")
247 if http["https"] == "yes" or http["https"] == "on" or http["https"] == "1" then
248 html("; secure")
249 end
250 html("\n")
251 end
252
253 function redirect_to(url)
254 html("Status: 302 Redirect\n")
255 html("Cache-Control: no-cache, no-store\n")
256 html("Location: " .. url .. "\n")
257 end
258
259 function not_found()
260 html("Status: 404 Not Found\n")
261 html("Cache-Control: no-cache, no-store\n\n")
262 end
A hyperfast web frontend for git repositories written in C.