nginx, openid: Allow IP whitelist to bypass OpenID auth

2022-11-29 14:53:17 +01:00 · 2022-11-29 14:53:17 +01:00 · 30fd214734
commit 30fd214734
parent ae4c55fdee
2 changed files with 35 additions and 17 deletions
--- a/hosts/architect/nginx.nix
+++ b/hosts/architect/nginx.nix
@ -68,6 +68,16 @@ in {

            return false
          end
+        
+          function is_ip_whitelisted(ip, whitelist)
+            for _, x in ipairs(whitelist) do
+              if ip == x then
+                return true
+              end
+            end
+            
+            return false
+          end
        }
      '';

--- a/hosts/architect/openid.nix
+++ b/hosts/architect/openid.nix
@ -2,7 +2,7 @@

 {
  openresty_oidc_block =
-    { access_role ? "" }: ''
+    { access_role ? "", whitelisted_ips ? [] }: ''
      access_by_lua_block {
        local opts = {
          discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
@ -16,25 +16,33 @@
          revoke_tokens_on_logout = true,
          -- access token valid for a day
          access_token_expires_in = 86400
-      }
+        }

-      -- call introspect for OAuth 2.0 Bearer Access Token validation
-      local res, err = require("resty.openidc").authenticate(opts)
+        ${lib.optionalString (whitelisted_ips != []) ''
+          local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}          
+                      
+          if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
+            return
+          end
+        ''}
+       
+        -- call introspect for OAuth 2.0 Bearer Access Token validation
+        local res, err = require("resty.openidc").authenticate(opts)

-      if err then
-        ngx.status = 403
-        ngx.say(err)
-        ngx.exit(ngx.HTTP_FORBIDDEN)
-      end
-
-      ${lib.optionalString (access_role != "") ''
-        if not check_role(res, "${access_role}") then
-          ngx.status = 401
-          ngx.header.content_type = 'text/html';
-          ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
-          ngx.exit(ngx.HTTP_UNAUTHORIZED)
+        if err then
+          ngx.status = 403
+          ngx.say(err)
+          ngx.exit(ngx.HTTP_FORBIDDEN)
        end
-      ''}
+
+        ${lib.optionalString (access_role != "") ''
+          if not check_role(res, "${access_role}") then
+            ngx.status = 401
+            ngx.header.content_type = 'text/html';
+            ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
+            ngx.exit(ngx.HTTP_UNAUTHORIZED)
+          end
+        ''}
      }
    '';
 }