2021-12-23 14:09:54 +00:00
|
|
|
local _M = {}
|
|
|
|
|
2022-02-28 13:15:42 +00:00
|
|
|
-- constant tier ids
|
|
|
|
local tier_id_anonymous = 0
|
|
|
|
local tier_id_free = 1
|
2022-01-21 16:43:30 +00:00
|
|
|
|
2022-03-03 18:13:38 +00:00
|
|
|
-- fallback - remember to keep those updated
|
|
|
|
local anon_limits = {
|
|
|
|
["tierID"] = tier_id_anonymous,
|
|
|
|
["tierName"] = "anonymous",
|
|
|
|
["upload"] = 655360,
|
|
|
|
["download"] = 655360,
|
|
|
|
["maxUploadSize"] = 1073741824,
|
|
|
|
["registry"] = 250
|
|
|
|
}
|
|
|
|
|
2022-03-15 21:43:35 +00:00
|
|
|
-- get all non empty authentication headers from request, we want to return
|
|
|
|
-- all of them and let accounts service deal with validation and prioritisation
|
|
|
|
function _M.get_auth_headers()
|
2022-03-21 13:23:26 +00:00
|
|
|
local utils = require("utils")
|
2022-03-15 21:43:35 +00:00
|
|
|
local request_headers = ngx.req.get_headers()
|
|
|
|
local headers = {}
|
|
|
|
|
2022-03-21 13:23:26 +00:00
|
|
|
-- try to extract skynet-jwt cookie from cookie header
|
|
|
|
local skynet_jwt_cookie = utils.extract_cookie(request_headers["Cookie"], "skynet[-]jwt")
|
|
|
|
|
|
|
|
-- if skynet-jwt cookie is present, pass it as is
|
|
|
|
if skynet_jwt_cookie then
|
|
|
|
headers["Cookie"] = skynet_jwt_cookie
|
2022-03-15 21:43:35 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
-- if authorization header is set, pass it as is
|
|
|
|
if request_headers["Authorization"] then
|
|
|
|
headers["Authorization"] = request_headers["Authorization"]
|
|
|
|
end
|
|
|
|
|
|
|
|
-- if skynet api key header is set, pass it as is
|
|
|
|
if request_headers["Skynet-Api-Key"] then
|
|
|
|
headers["Skynet-Api-Key"] = request_headers["Skynet-Api-Key"]
|
|
|
|
end
|
|
|
|
|
|
|
|
return headers
|
|
|
|
end
|
|
|
|
|
2022-01-21 16:43:30 +00:00
|
|
|
-- handle request exit when access to portal should be restricted to authenticated users only
|
2021-12-23 14:09:54 +00:00
|
|
|
function _M.exit_access_unauthorized(message)
|
|
|
|
ngx.status = ngx.HTTP_UNAUTHORIZED
|
|
|
|
ngx.header["content-type"] = "text/plain"
|
|
|
|
ngx.say(message or "Portal operator restricted access to authenticated users only")
|
|
|
|
return ngx.exit(ngx.status)
|
|
|
|
end
|
|
|
|
|
2022-01-21 16:43:30 +00:00
|
|
|
-- handle request exit when access to portal should be restricted to subscription users only
|
|
|
|
function _M.exit_access_forbidden(message)
|
|
|
|
ngx.status = ngx.HTTP_FORBIDDEN
|
|
|
|
ngx.header["content-type"] = "text/plain"
|
|
|
|
ngx.say(message or "Portal operator restricted access to users with active subscription only")
|
|
|
|
return ngx.exit(ngx.status)
|
|
|
|
end
|
|
|
|
|
2021-12-23 14:09:54 +00:00
|
|
|
function _M.accounts_enabled()
|
|
|
|
return os.getenv("PORTAL_MODULES"):match("a") ~= nil
|
|
|
|
end
|
|
|
|
|
|
|
|
function _M.get_account_limits()
|
|
|
|
local cjson = require('cjson')
|
2022-03-15 21:53:31 +00:00
|
|
|
local utils = require('utils')
|
2022-03-15 21:43:35 +00:00
|
|
|
local auth_headers = _M.get_auth_headers()
|
2021-12-23 14:09:54 +00:00
|
|
|
|
2022-03-15 21:43:35 +00:00
|
|
|
-- simple case of anonymous request - none of available auth headers exist
|
2022-03-15 21:53:31 +00:00
|
|
|
if utils.is_table_empty(auth_headers) then
|
2021-12-23 14:09:54 +00:00
|
|
|
return anon_limits
|
|
|
|
end
|
|
|
|
|
|
|
|
if ngx.var.account_limits == "" then
|
|
|
|
local httpc = require("resty.http").new()
|
2022-03-10 17:11:37 +00:00
|
|
|
|
2021-12-23 14:09:54 +00:00
|
|
|
-- 10.10.10.70 points to accounts service (alias not available when using resty-http)
|
2022-03-10 13:52:45 +00:00
|
|
|
local res, err = httpc:request_uri("http://10.10.10.70:3000/user/limits?unit=byte", {
|
2022-03-15 21:43:35 +00:00
|
|
|
headers = auth_headers,
|
2021-12-23 14:09:54 +00:00
|
|
|
})
|
2022-03-10 17:11:37 +00:00
|
|
|
|
2021-12-23 14:09:54 +00:00
|
|
|
-- fail gracefully in case /user/limits failed
|
|
|
|
if err or (res and res.status ~= ngx.HTTP_OK) then
|
2022-03-10 13:52:45 +00:00
|
|
|
ngx.log(ngx.ERR, "Failed accounts service request /user/limits?unit=byte: ", err or ("[HTTP " .. res.status .. "] " .. res.body))
|
2021-12-23 14:09:54 +00:00
|
|
|
ngx.var.account_limits = cjson.encode(anon_limits)
|
|
|
|
elseif res and res.status == ngx.HTTP_OK then
|
|
|
|
ngx.var.account_limits = res.body
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
return cjson.decode(ngx.var.account_limits)
|
|
|
|
end
|
|
|
|
|
|
|
|
-- detect whether current user is authenticated
|
|
|
|
function _M.is_authenticated()
|
2022-02-28 13:15:42 +00:00
|
|
|
if not _M.accounts_enabled() then return false end
|
|
|
|
|
2021-12-23 14:09:54 +00:00
|
|
|
local limits = _M.get_account_limits()
|
|
|
|
|
2022-02-28 13:15:42 +00:00
|
|
|
return limits.tierID > tier_id_anonymous
|
2021-12-23 14:09:54 +00:00
|
|
|
end
|
|
|
|
|
2022-01-21 16:43:30 +00:00
|
|
|
-- detect whether current user has active subscription
|
2022-02-28 13:15:42 +00:00
|
|
|
function _M.has_subscription()
|
2022-01-21 16:43:30 +00:00
|
|
|
local limits = _M.get_account_limits()
|
|
|
|
|
2022-02-28 13:15:42 +00:00
|
|
|
return limits.tierID > tier_id_free
|
2022-01-21 16:43:30 +00:00
|
|
|
end
|
|
|
|
|
2021-12-23 14:09:54 +00:00
|
|
|
function _M.is_auth_required()
|
2022-01-12 13:05:25 +00:00
|
|
|
return os.getenv("ACCOUNTS_LIMIT_ACCESS") == "authenticated"
|
2021-12-23 14:09:54 +00:00
|
|
|
end
|
|
|
|
|
2022-01-21 16:43:30 +00:00
|
|
|
function _M.is_subscription_required()
|
|
|
|
return os.getenv("ACCOUNTS_LIMIT_ACCESS") == "subscription"
|
|
|
|
end
|
|
|
|
|
2022-01-26 22:46:52 +00:00
|
|
|
function is_access_always_allowed()
|
|
|
|
-- options requests do not attach cookies - should always be available
|
|
|
|
-- requests should not be limited based on accounts if accounts are not enabled
|
|
|
|
return ngx.req.get_method() == "OPTIONS" or not _M.accounts_enabled()
|
|
|
|
end
|
|
|
|
|
|
|
|
-- check whether access is restricted if portal requires authorization
|
2021-12-23 14:09:54 +00:00
|
|
|
function _M.is_access_unauthorized()
|
2022-01-26 22:46:52 +00:00
|
|
|
if is_access_always_allowed() then return false end
|
|
|
|
|
|
|
|
-- check if authentication is required and request is not authenticated
|
|
|
|
return _M.is_auth_required() and not _M.is_authenticated()
|
2021-12-23 14:09:54 +00:00
|
|
|
end
|
|
|
|
|
2022-01-26 22:46:52 +00:00
|
|
|
-- check whether user is authenticated but does not have access to given resources
|
2022-01-21 16:43:30 +00:00
|
|
|
function _M.is_access_forbidden()
|
2022-01-26 22:46:52 +00:00
|
|
|
if is_access_always_allowed() then return false end
|
|
|
|
|
|
|
|
-- check if active subscription is required and request is from user without it
|
2022-02-28 13:15:42 +00:00
|
|
|
return _M.is_subscription_required() and not _M.has_subscription()
|
2022-01-21 16:43:30 +00:00
|
|
|
end
|
|
|
|
|
2021-12-23 14:09:54 +00:00
|
|
|
return _M
|