diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index 0f323d3..fa1291c 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix @@ -68,6 +68,16 @@ in { return false end + + function is_ip_whitelisted(ip, whitelist) + for _, x in ipairs(whitelist) do + if ip == x then + return true + end + end + + return false + end } ''; diff --git a/hosts/architect/openid.nix b/hosts/architect/openid.nix index 551dc07..6aaef44 100644 --- a/hosts/architect/openid.nix +++ b/hosts/architect/openid.nix @@ -2,7 +2,7 @@ { openresty_oidc_block = - { access_role ? "" }: '' + { access_role ? "", whitelisted_ips ? [] }: '' access_by_lua_block { local opts = { discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", 
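Review bot: `is_ip_whitelisted` carries no doc comment, and its contract — plain string equality of `ip` against each `whitelist` entry, so no CIDR ranges, no stray whitespace, and an IPv6 peer only matches if the entry is spelled the way nginx renders the address — is only discoverable by reading the loop. Suggest an LDoc header above it: `--- Returns true when ip equals one entry of whitelist (a sequence of address strings); exact textual match only, no CIDR or range support.` The function is a global, presumably like the `check_role` whose `return false end` opens the hunk, so that other `*_by_lua` phases can reach it; a one-line comment saying so would keep a later reader from adding `local` and silently breaking the access block that calls it. The enclosing Lua block and the Nix string it lives in both start before the hunk.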
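Review bot: The new `whitelisted_ips ? []` argument is undocumented, and nothing in the hunk says its elements are exact client address strings or that matching one skips OIDC authentication altogether. A comment on the argument set, e.g. `# whitelisted_ips: exact remote_addr strings that bypass the OIDC check entirely`, would make the bypass visible to whoever fills the list. The function body continues past the hunk.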
@@ -16,25 +16,33 @@ revoke_tokens_on_logout = true, -- access token valid for a day access_token_expires_in = 86400 - } + } - -- call introspect for OAuth 2.0 Bearer Access Token validation - local res, err = require("resty.openidc").authenticate(opts) + ${lib.optionalString (whitelisted_ips != []) '' + local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}} + + if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then + return + end + ''} + + -- call introspect for OAuth 2.0 Bearer Access Token validation + local res, err = require("resty.openidc").authenticate(opts) - if err then - ngx.status = 403 - ngx.say(err) - ngx.exit(ngx.HTTP_FORBIDDEN) - end - - ${lib.optionalString (access_role != "") '' - if not check_role(res, "${access_role}") then - ngx.status = 401 - ngx.header.content_type = 'text/html'; - ngx.say("You are not authorized to access this page. Please contact Er Pepotto.") - ngx.exit(ngx.HTTP_UNAUTHORIZED) + if err then + ngx.status = 403 + ngx.say(err) + ngx.exit(ngx.HTTP_FORBIDDEN) end - ''} + + ${lib.optionalString (access_role != "") '' + if not check_role(res, "${access_role}") then + ngx.status = 401 + ngx.header.content_type = 'text/html'; + ngx.say("You are not authorized to access this page. Please contact Er Pepotto.") + ngx.exit(ngx.HTTP_UNAUTHORIZED) + end + ''} } ''; }
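Review bot: The early `return` after `is_ip_whitelisted(ngx.var.remote_addr, whitelist)` skips both `authenticate(opts)` and the `check_role` gate, and `remote_addr` is only the TCP peer — if this server sits behind a proxy or has `real_ip` configured to trust a forwarded header, the matched value may not be the real client; nothing in the hunk records this assumption. Suggest a comment above the guard stating that `remote_addr` must be the genuine client address (no trusted forwarded headers beyond known proxies) and that whitelisted peers get no role check, plus an audit line before the `return`: `ngx.log(ngx.INFO, "OIDC bypassed for whitelisted address ", ngx.var.remote_addr)`. Separately, `(x: "\"${x}\"")` splices each entry into a Lua string literal unescaped, so an entry containing `"` or `\` would alter the generated code; `builtins.toJSON x` produces a properly quoted literal for plain address strings. The `access_by_lua_block` and the `opts` table both open before the hunk.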