diff options
Diffstat (limited to 'filters/gentoo-ldap-authentication.lua')
-rw-r--r-- | filters/gentoo-ldap-authentication.lua | 76 |
1 files changed, 58 insertions, 18 deletions
diff --git a/filters/gentoo-ldap-authentication.lua b/filters/gentoo-ldap-authentication.lua index 6d8eb3e..673c88d 100644 --- a/filters/gentoo-ldap-authentication.lua +++ b/filters/gentoo-ldap-authentication.lua @@ -1,12 +1,18 @@ -- This script may be used with the auth-filter. Be sure to configure it as you wish. -- -- Requirements: --- luacrypto >= 0.3 --- <http://mkottman.github.io/luacrypto/> +-- luaossl +-- <http://25thandclement.com/~william/projects/luaossl.html> -- lualdap >= 1.2 -- <https://git.zx2c4.com/lualdap/about/> +-- luaposix +-- <https://github.com/luaposix/luaposix> -- - +local sysstat = require("posix.sys.stat") +local unistd = require("posix.unistd") +local lualdap = require("lualdap") +local rand = require("openssl.rand") +local hmac = require("openssl.hmac") -- -- @@ -21,11 +27,9 @@ local protected_repos = { portage = "dev" } - --- All cookies will be authenticated based on this secret. Make it something --- totally random and impossible to guess. It should be large. -local secret = "BE SURE TO CUSTOMIZE THIS STRING TO SOMETHING BIG AND RANDOM" - +-- Set this to a path this script can write to for storing a persistent +-- cookie secret, which should be guarded. +local secret_filename = "/var/cache/cgit/auth-secret" -- @@ -102,11 +106,9 @@ end -- -- -local lualdap = require("lualdap") - function gentoo_ldap_user_groups(username, password) -- Ensure the user is alphanumeric - if username:match("%W") then + if username == nil or username:match("%W") then return nil end @@ -224,6 +226,13 @@ function get_cookie(cookies, name) return string.match(cookies, ";" .. name .. "=(.-);") end +function tohex(b) + local x = "" + for i = 1, #b do + x = x .. string.format("%.2x", string.byte(b, i)) + end + return x +end -- -- @@ -231,7 +240,38 @@ end -- -- -local crypto = require("crypto") +local secret = nil + +-- Loads a secret from a file, creates a secret, or returns one from memory. +function get_secret() + if secret ~= nil then + return secret + end + local secret_file = io.open(secret_filename, "r") + if secret_file == nil then + local old_umask = sysstat.umask(63) + local temporary_filename = secret_filename .. ".tmp." .. tohex(rand.bytes(16)) + local temporary_file = io.open(temporary_filename, "w") + if temporary_file == nil then + os.exit(177) + end + temporary_file:write(tohex(rand.bytes(32))) + temporary_file:close() + unistd.link(temporary_filename, secret_filename) -- Intentionally fails in the case that another process is doing the same. + unistd.unlink(temporary_filename) + sysstat.umask(old_umask) + secret_file = io.open(secret_filename, "r") + end + if secret_file == nil then + os.exit(177) + end + secret = secret_file:read() + secret_file:close() + if secret:len() ~= 64 then + os.exit(177) + end + return secret +end -- Returns value of cookie if cookie is valid. Otherwise returns nil. function validate_value(expected_field, cookie) @@ -240,7 +280,7 @@ function validate_value(expected_field, cookie) local field = "" local expiration = 0 local salt = "" - local hmac = "" + local chmac = "" if cookie == nil or cookie:len() < 3 or cookie:sub(1, 1) == "|" then return nil @@ -259,19 +299,19 @@ function validate_value(expected_field, cookie) elseif i == 3 then salt = component elseif i == 4 then - hmac = component + chmac = component else break end i = i + 1 end - if hmac == nil or hmac:len() == 0 then + if chmac == nil or chmac:len() == 0 then return nil end -- Lua hashes strings, so these comparisons are time invariant. - if hmac ~= crypto.hmac.digest("sha1", field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt, secret) then + if chmac ~= tohex(hmac.new(get_secret(), "sha256"):final(field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt)) then return nil end @@ -292,11 +332,11 @@ function secure_value(field, value, expiration) end local authstr = "" - local salt = crypto.hex(crypto.rand.bytes(16)) + local salt = tohex(rand.bytes(16)) value = url_encode(value) field = url_encode(field) authstr = field .. "|" .. value .. "|" .. tostring(expiration) .. "|" .. salt - authstr = authstr .. "|" .. crypto.hmac.digest("sha1", authstr, secret) + authstr = authstr .. "|" .. tohex(hmac.new(get_secret(), "sha256"):final(authstr)) return authstr end |