🔀 Merge branch 'mildis/lufi-auth_header' into development

2022-03-19 18:08:07 +01:00 · 2022-03-19 18:08:07 +01:00 · 3cb87757c9
parent 7f6acda42b 537764508d
commit 3cb87757c9
6 changed files with 51 additions and 15 deletions
--- a/5
+++ b/5
@ -7,7 +7,7 @@ requires 'Mojolicious::Plugin::GzipStatic';
 requires 'Mojolicious::Plugin::StaticCache';
 requires 'Mojolicious::Plugin::CSPHeader', '>= 0.06';
 requires 'Mojolicious::Plugin::FiatTux::Helpers', '== 0.12', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-helpers/-/archive/0.12/mojolicious-plugin-fiattux-helpers-0.12.tar.gz';
-requires 'Mojolicious::Plugin::FiatTux::GrantAccess', '== 0.07', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-grantaccess/-/archive/0.07/mojolicious-plugin-fiattux-grantaccess-0.07.tar.gz';
+requires 'Mojolicious::Plugin::FiatTux::GrantAccess', '== 0.08', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-grantaccess/-/archive/0.08/mojolicious-plugin-fiattux-grantaccess-0.08.tar.gz';
 requires 'Mojolicious::Plugin::FiatTux::Themes', '== 0.02', url => 'https://framagit.org/fiat-tux/mojolicious/fiat-tux/mojolicious-plugin-fiattux-themes/-/archive/0.02/mojolicious-plugin-fiattux-themes-0.02.tar.gz';
 requires 'Filesys::DiskUsage';
 requires 'Switch';
@ -43,6 +43,9 @@ feature 'htpasswd', 'Htpasswd authentication support' => sub {
    requires 'Apache::Htpasswd';
    requires 'Mojolicious::Plugin::Authentication';
 };
 feature 'auth_headers', 'Header authentication support' => sub {
    requires 'Mojolicious::Plugin::Authentication';
 };
 feature 'postgresql', 'PostgreSQL support' => sub {
    requires 'Mojo::Pg';
    requires 'Mojolicious::Plugin::PgURLHelper';
--- a/lib/Lufi.pm
+++ b/lib/Lufi.pm
@ -124,7 +124,7 @@ sub startup {
      ->to('Misc#change_lang')
      ->name('lang');
-    if (defined $self->config('ldap') || defined $self->config('htpasswd')) {
+    if (defined $self->config('ldap') || defined $self->config('htpasswd') || defined $self->config('auth_headers')) {
        # Login page
        $r->get('/login')
          ->to('Auth#login_page');
@ -138,7 +138,7 @@ sub startup {
          ->to('Auth#log_out')
          ->name('logout');
-        if (defined $self->config('ldap') && defined $self->config('invitations')) {
+        if ((defined $self->config('ldap') || defined $self->config('auth_headers')) && defined $self->config('invitations')) {
            # Invitation creation page
            $r->get('/invite')
              ->name('invite')
--- a/lib/Lufi/Controller/Auth.pm
+++ b/lib/Lufi/Controller/Auth.pm
@ -9,10 +9,21 @@ sub login_page {
    if ($c->is_user_authenticated) {
        $c->redirect_to('/');
    } else {
-        $c->render(
+        if ($c->config('auth_headers')) {
-            template => 'login',
+            if($c->authenticate('dummy', 'dummy')) {
-            redirect => $redirect
+                if ($redirect eq 'invite') {
-        );
+                    return $c->redirect_to('invite');
                } elsif ($redirect eq 'my_invitations') {
                    return $c->redirect_to('invite_list');
                }
                return $c->redirect_to('/');
            }
        } else {
            $c->render(
                template => 'login',
                redirect => $redirect
            );
        }
    }
 }
--- a/lib/Lufi/Controller/Misc.pm
+++ b/lib/Lufi/Controller/Misc.pm
@ -8,7 +8,7 @@ use Lufi::DB::File;
 sub index {
    my $c = shift;
-    if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd'))) || $c->is_user_authenticated) {
+    if ((!defined($c->config('ldap')) && !defined($c->config('htpasswd')) && !defined($c->config('auth_headers'))) || $c->is_user_authenticated) {
        $c->render(template => 'index');
    } else {
        $c->redirect_to('login');
@ -56,7 +56,7 @@ sub config_infos {
            force_burn_after_reading => $c->config('force_burn_after_reading'),
            keep_ip_during           => $c->config('keep_ip_during'),
            stop_upload              => (-f 'stop-upload' || -f 'stop-upload.manual') ? true : false,
-            need_authentication      => (defined($c->config('ldap')) || defined($c->config('htpasswd'))) ? true : false,
+            need_authentication      => (defined($c->config('ldap')) || defined($c->config('htpasswd')) || defined($c->config('auth_headers'))) ? true : false,
            version                  => $c->git_version
        }
    );
--- a/lufi.conf.template
+++ b/lufi.conf.template
@ -299,6 +299,28 @@
    # See 'man htpasswd' to know how to create such file
    #htpasswd => 'lufi.passwd',
    ############################
    # HTTP header authentication
    ############################
    # Set `auth_headers` if you want to use HTTP header auth.
    # Typically, these headers are set by a reverse-proxy
    # acting as an authentication server. Useful for SSO.
    # `auth_headers` should contains the user's username.
    #
    # /!\ LUFI BLINDLY TRUSTS THESE HEADERS
    # /!\ IT'S UP TO YOU TO SANITIZE INCOMING HEADERS TO SECURE YOUR INSTANCE
    #
    #auth_headers => 'X-AUTH-PREFERRED-USERNAME',
    #auth_headers_map_value => {
    #    # Like ldap_map_attr but for headers
    #    displayname => 'X-AUTH-DISPLAYNAME',
    #    firstname   => 'X-AUTH-GIVENNAME',
    #    lastname    => 'X-AUTH-LASTNAME',
    #    mail        => 'X-AUTH-EMAIL'
    #},
    #######################
    # HTTP Headers settings
    #######################
--- a/themes/default/templates/layouts/default.html.ep
+++ b/themes/default/templates/layouts/default.html.ep
@ -29,10 +29,10 @@
                <a href="#" data-activates="mobile" class="button-collapse"><i class="mdi-navigation-menu"></i></a>
                <ul id="nav-mobile" class="right hide-on-med-and-down">
                    <li><a href="<%= $self->config('report') %>"><%= l('Report file') %></a></li>
-                % if ((!defined(config('ldap')) && !defined(config('htpasswd'))) || is_user_authenticated()) {
+                % if ((!defined(config('ldap')) && !defined(config('htpasswd')) && !defined(config('auth_headers'))) || is_user_authenticated()) {
                    <li<%== ' class="active"' if (current_route eq 'index') %>><a href="<%= url_for('/') %>"><%= l('Upload files') %></a></li>
                    <li<%== ' class="active"' if (current_route eq 'files') %>><a href="<%= url_for('/files') %>"><%= l('My files') %></a></li>
-                    % if (defined config('ldap') && defined config('invitations')) {
+                    % if ((defined config('ldap') || defined config('auth_headers')) && defined config('invitations')) {
                        <li<%== ' class="active"' if (current_route eq 'invite') %>><a href="<%= url_for('/invite') %>"><%= l('Invite a guest') %></a></li>
                        <li<%== ' class="active"' if (current_route eq 'invite/list') %>><a href="<%= url_for('/invite/list') %>"><%= l('My invitations') %></a></li>
                    % }
@ -51,7 +51,7 @@
                        </div>
                    </li>
                    <li<%== ' class="active"' if (current_route eq 'about') %>><a href="<%= url_for('/about') %>"><%= l('About') %></a></li>
-                % if ((defined(config('ldap')) || defined(config('htpasswd'))) && is_user_authenticated()) {
+                % if ((defined(config('ldap')) || defined(config('htpasswd')) || defined(config('auth_headers'))) && is_user_authenticated()) {
                    <li>
                        <form action="<%= url_for('/logout') %>" method="POST">
                            %= csrf_field
@ -62,10 +62,10 @@
                </ul>
                <ul id="mobile" class="side-nav">
                    <li><a href="<%= $self->config('report') %>"><%= l('Report file') %></a></li>
-                % if ((!defined(config('ldap')) && !defined(config('htpasswd'))) || is_user_authenticated()) {
+                % if ((!defined(config('ldap')) && !defined(config('htpasswd')) && !defined(config('auth_headers'))) || is_user_authenticated()) {
                    <li<%== ' class="active"' if (current_route eq 'index') %>><a href="<%= url_for('/') %>"><%= l('Upload files') %></a></li>
                    <li<%== ' class="active"' if (current_route eq 'files') %>><a href="<%= url_for('/files') %>"><%= l('My files') %></a></li>
-                    % if (defined config('ldap') && defined config('invitations')) {
+                    % if ((defined config('ldap') || defined config('auth_headers')) && defined config('invitations')) {
                        <li<%== ' class="active"' if (current_route eq 'invite') %>><a href="<%= url_for('/invite') %>"><%= l('Invite a guest') %></a></li>
                        <li<%== ' class="active"' if (current_route eq 'invite/list') %>><a href="<%= url_for('/invite/list') %>"><%= l('My invitations') %></a></li>
                    % }
@ -84,7 +84,7 @@
                        </div>
                    </li>
                    <li<%== ' class="active"' if (current_route eq 'about') %>><a href="<%= url_for('/about') %>"><%= l('About') %></a></li>
-                % if ((defined(config('ldap')) || defined(config('htpasswd'))) && is_user_authenticated()) {
+                % if ((defined(config('ldap')) || defined(config('htpasswd')) || defined(config('auth_headers'))) && is_user_authenticated()) {
                    <li>
                        <form action="<%= url_for('/logout') %>" method="POST">
                            %= csrf_field