nginx, openid: Allow IP whitelist to bypass OpenID auth

2022-11-29 14:53:17 +01:00 · 2022-11-29 14:53:17 +01:00 · 30fd214734
commit 30fd214734
parent ae4c55fdee
2 changed files with 35 additions and 17 deletions
--- a/hosts/architect/nginx.nix
+++ b/hosts/architect/nginx.nix
@ -68,6 +68,16 @@ in {

            return false
          end
+        
+          function is_ip_whitelisted(ip, whitelist)
+            for _, x in ipairs(whitelist) do
+              if ip == x then
+                return true
+              end
+            end
+            
+            return false
+          end
        }
      '';

--- a/hosts/architect/openid.nix
+++ b/hosts/architect/openid.nix
@ -2,7 +2,7 @@

 {
  openresty_oidc_block =
-    { access_role ? "" }: ''
+    { access_role ? "", whitelisted_ips ? [] }: ''
      access_by_lua_block {
        local opts = {
          discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
@ -18,6 +18,14 @@
          access_token_expires_in = 86400
        }

+        ${lib.optionalString (whitelisted_ips != []) ''
+          local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}          
+                      
+          if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
+            return
+          end
+        ''}
+       
        -- call introspect for OAuth 2.0 Bearer Access Token validation
        local res, err = require("resty.openidc").authenticate(opts)