peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

nginx, openid: Allow IP whitelist to bypass OpenID auth

Browse Source
This commit is contained in:
Giulio De Pasquale 2022-11-29 14:53:17 +01:00
parent ae4c55fdee
commit 30fd214734
2 changed files with 35 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
hosts/architect/nginx.nix
View File

@ -68,6 +68,16 @@ in {
return false return false
end end
function is_ip_whitelisted(ip, whitelist)
for _, x in ipairs(whitelist) do
if ip == x then
return true
end
end
return false
end
} }
''; '';

42
hosts/architect/openid.nix
View File

@ -2,7 +2,7 @@
{ {
openresty_oidc_block = openresty_oidc_block =
{ access_role ? "" }: '' { access_role ? "", whitelisted_ips ? [] }: ''
access_by_lua_block { access_by_lua_block {
local opts = { local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
@ -16,25 +16,33 @@
revoke_tokens_on_logout = true, revoke_tokens_on_logout = true,
-- access token valid for a day -- access token valid for a day
access_token_expires_in = 86400 access_token_expires_in = 86400
} }
-- call introspect for OAuth 2.0 Bearer Access Token validation ${lib.optionalString (whitelisted_ips != []) ''
local res, err = require("resty.openidc").authenticate(opts) local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
return
end
''}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then if err then
ngx.status = 403 ngx.status = 403
ngx.say(err) ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN) ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end end
''}
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
} }
''; '';
} }