require 'apache2'

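-- Apache mod_lua auth_checker hook.
--
-- Maps the OpenID Connect identity of the request to a local account name and
-- denies the request when no mapping exists.  The identity key is
-- "<OIDC_CLAIM_sub>@<OIDC_CLAIM_iss>", read from the subprocess environment
-- (populated by mod_auth_openidc once the token has been validated; this hook
-- must therefore only run behind that authentication step).
--
-- Mapping file: one "remote_user,local_user" pair per line.  Leading/trailing
-- whitespace is stripped from both fields, so CRLF line endings do not leak a
-- trailing "\r" into the local user name.  The first ',' on a line separates
-- the fields, so a remote user containing ',' cannot be expressed in this
-- format and will never match.  If a remote user occurs more than once, the
-- last entry wins.  An empty local user, or one mapped to "nobody", is
-- treated as "not authorized".
--
-- Fail-closed behaviour: missing claims, an unreadable mapping file and an
-- unknown user all yield 403 (the original raised a Lua error on a missing
-- claim, which surfaced as a 500 rather than a clean deny).
--
-- @param r  mod_lua request_rec
-- @return apache2.DECLINED when a mapping was found (r.user and the
--         MAPPED_USER env variable are set to the local user), 403 otherwise.
function auth_check_hook(r)
	-- apache debugging msg
	r:debug("lua: auth_check_hook entered")

	local env = r.subprocess_env
	local sub, iss = env["OIDC_CLAIM_sub"], env["OIDC_CLAIM_iss"]
	-- Both claims are required to form the lookup key; without them there is
	-- no authenticated OIDC identity to map, so deny instead of crashing on
	-- a nil concatenation.
	if sub == nil or sub == "" or iss == nil or iss == "" then
		r:debug("lua: OIDC_CLAIM_sub and/or OIDC_CLAIM_iss missing, not authorized.")
		return 403
	end
	local newuser = sub .. "@" .. iss

	-- query local mapping file
	local userfile, err = io.open("LOCATION_2_ON_FILE_SYSTEM/userfile.csv", "r")
	if not userfile then
		-- An unreadable mapping file must never grant access.
		r:debug(string.format("lua: cannot open user mapping file (%s), not authorized.", tostring(err)))
		return 403
	end

	local luser = nil
	for line in userfile:lines() do
		-- first field up to the first ',', both fields trimmed of surrounding whitespace
		local remote_user, local_user = line:match("^%s*(.-)%s*,%s*(.-)%s*$")
		if remote_user ~= nil and remote_user == newuser then
			luser = local_user   -- last matching line wins
		end
	end
	userfile:close()

	if luser == nil or luser == "" or luser == "nobody" then
		r:debug(string.format("remote user %s unknown, not authorized.", newuser))
		return 403
	end

	-- put the authorized user into ENV variable MAPPED_USER
	env["MAPPED_USER"] = luser
	-- set REMOTE_USER with local username for the access.log
	r.user = luser
	r:debug(string.format("remote user %s mapped to local user %s.", newuser, luser))

	-- Here be dragons: on success this function MUST return DECLINED, otherwise
	-- this hook phase is finished and the following hook registered by mpm-itk
	-- that performs setuid() and setgid() will not be called!
	return apache2.DECLINED
end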