-- ==============================
-- Group Authentication
-- via X-Vouch-IdP-Groups
-- ==============================
-- Turn a sequence of values into a set: each value becomes a key mapped to true
--- Build a lookup set from a sequence of values.
-- Every element of `list` becomes a key whose value is `true`, so membership
-- is a constant-time index (`set[v]`) rather than a linear scan.
-- @tparam table list sequence of values; iteration stops at the first nil
-- @treturn table set with each value of `list` mapped to true
function Set (list)
  local members = {}
  local i = 1
  -- Walk the array part until the first hole, exactly as ipairs would.
  while list[i] ~= nil do
    members[list[i]] = true
    i = i + 1
  end
  return members
end
-- Function to find a key in a table
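--- Report whether `tbl` holds an entry under `key`.
-- A key mapped to `false` still counts as present; only `nil` means absent.
-- Lookup is an exact (case-sensitive, by-value for strings) table index.
-- @tparam table tbl table to probe
-- @param key key to look up (any non-nil value)
-- @treturn boolean true when tbl[key] is not nil
function tableHasKey(tbl, key)
  -- Parameter renamed from `table` so the standard `table` library is not
  -- shadowed inside this function; positional callers are unaffected.
  return tbl[key] ~= nil
end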
-- Validate that a user is in a group
--- Allow-list of IdP group DNs that grant access; membership in any one suffices.
-- Keys are compared by exact string match against the decoded claim values,
-- so spelling, case and attribute order of each DN must match the IdP exactly.
local authorized_groups = Set({
  "CN=Domain Users,CN=Users,DC=Contoso,DC=com",
  "CN=Website Users,CN=Users,DC=Contoso,DC=com",
})
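-- Verify the variable exists. It is presumably populated by an
-- auth_request_set from the X-Vouch-IdP-Claims-Groups response header —
-- confirm against the nginx config; absent means the IdP sent no groups claim.
if ngx.var.auth_resp_x_vouch_idp_claims_groups then
  local cjson = require("cjson")

  -- The code assumes the variable holds the claim's JSON string list without
  -- its surrounding brackets, so they are added back before decoding.
  -- cjson.decode raises on malformed input; catch that so a truncated or
  -- malformed header value yields 403 instead of an unhandled Lua error
  -- (HTTP 500) that would skip the group check entirely.
  local ok, groups = pcall(cjson.decode, "[" .. ngx.var.auth_resp_x_vouch_idp_claims_groups .. "]")
  if not ok or type(groups) ~= "table" then
    ngx.log(ngx.WARN, "group auth: could not decode IdP groups claim: ", tostring(groups))
    return ngx.exit(ngx.HTTP_FORBIDDEN)
  end

  -- Check whether any decoded group is in the authorized_groups allow-list.
  -- A non-array decode (JSON object) iterates nothing and is therefore denied;
  -- non-string entries (null, numbers) never match a string key.
  local found = false
  for _, group in ipairs(groups) do
    if tableHasKey(authorized_groups, group) then
      -- One authorized group is enough; stop scanning.
      found = true
      break
    end
  end

  -- No authorized group found: return forbidden.
  if not found then
    ngx.exit(ngx.HTTP_FORBIDDEN)
  end
else
  -- No groups claim at all: deny rather than fall through to the protected resource.
  ngx.exit(ngx.HTTP_FORBIDDEN)
end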