@@ -14,6 +14,9 @@ function action_logout()
luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s" %{
'', 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url()
})
+
+ luci.template.render("logout")
+ return
end
luci.http.redirect(dsp.build_url())
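Review bot: Every logout that takes this branch now ends on the static `logout` view instead of the redirect, whether or not a client certificate was involved; the added `luci.template.render("logout")` and `return` sit inside a block whose opening is outside the hunk. If the static page is only needed because a redirect would immediately sign a certificate user back in, consider keying it on the certificate, e.g. `if luci.http.getenv("HTTPS_CLIENT_CERT_SN") then luci.template.render("logout") return end`, so other sessions keep the redirect to the login page. A short comment such as `-- no redirect: a client certificate would re-authenticate at once` would record why the two paths differ.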
@@ -546,11 +546,12 @@ local function session_retrieve(sid, allowed_users)
return nil, nil, nil
end
-local function session_setup(user, pass)
+local function session_setup(user, pass, mode)
local login = util.ubus("session", "login", {
username = user,
password = pass,
- timeout = tonumber(luci.config.sauth.sessiontime)
+ timeout = tonumber(luci.config.sauth.sessiontime),
+ mode = mode
})
local rp = context.requestpath
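Review bot: The new `mode` argument is forwarded to the `session login` call undocumented, and nothing visible here confirms that the receiving rpcd understands it. If an rpcd build ignores the field, the certificate-derived values would presumably be evaluated as an ordinary username and password, so the dependency deserves a comment above the function, e.g. `-- mode: nil for password login, "cert" when user/pass carry TLS client certificate data (needs rpcd support for mode)`. Callers that still pass two arguments send `mode = nil`, which simply leaves the key out of the request table. The body of session_setup continues outside the hunk.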
@@ -866,6 +867,25 @@ function dispatch(request)
end
end
+ if not (sid and sdat and sacl) and auth.login then
+ local user = http.getenv("HTTPS_CLIENT_CERT_SN")
+ local pass = http.getenv("HTTPS_CLIENT_CERT_SHA256")
+
+ if user and pass then
+ sid, sdat, sacl = session_setup(user, pass, "cert")
+
+ if not sid then
+ http.status(401, "Unauthorized")
+ tpl.render("error401")
+ return
+ end
+
+ http.header("Set-Cookie", 'sysauth=%s; path=%s; SameSite=Strict; HttpOnly; secure' %{
+ sid, build_url()
+ })
+ end
+ end
+
if not (sid and sdat and sacl) and auth.login then
local user = http.getenv("HTTP_AUTH_USER")
local pass = http.getenv("HTTP_AUTH_PASS")
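Review bot: A request whose client certificate is rejected by `session_setup` is answered with 401 and never reaches the `HTTP_AUTH_USER` block below, so a browser that presents an unrelated certificate can no longer fall back to password login. If certificate login is meant as an additional method rather than the only one, drop the `http.status` / `tpl.render("error401")` / `return` branch and guard the cookie instead with `if sid then http.header("Set-Cookie", ...) end`; if the hard stop is intended, say so in a comment. The two `HTTPS_CLIENT_CERT_*` variables are used as credentials with no check in this code, which is sound only if the web server exports them solely for a certificate it has verified; a comment such as `-- set by the TLS front end only after successful client certificate verification` would state that precondition. dispatch() starts and ends outside the hunk.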
new file mode 100644
@@ -0,0 +1,6 @@
+<%#
+ Copyright 2021 Luka Logar <luka.logar@iname.com>
+ Licensed to the public under the Apache License 2.0.
+-%>
+
+<h2 name="content">401 <%:Unauthorized%></h2>
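Review bot: This view consists of a bare `<h2>` with no `<%+header%>` / `<%+footer%>` includes, so it is presumably sent without the document head, charset and theme markup that other LuCI views pull in; the same applies to the new `logout.htm`. If the minimal output is deliberate (for example to avoid rendering the menu without a session), a line in the template comment such as `Rendered without header/footer because no session exists at this point.` would make that clear; otherwise wrap the heading in `<%+header%>` and `<%+footer%>`.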
new file mode 100644
@@ -0,0 +1,6 @@
+<%#
+ Copyright 2021 Luka Logar <luka.logar@iname.com>
+ Licensed to the public under the Apache License 2.0.
+-%>
+
+<h2 name="content"><%:User logged out, please close the browser window%></h2>
When available, pass TLS client certificate data (subject name & cert hash) to the rpcd daemon for authentication (as username and password). Add an extra mode='cert' parameter, so that rpcd is aware they come from a certificate and treats them accordingly. Signed-off-by: Luka Logar <luka.logar@cifra.si> --- .../luasrc/controller/admin/index.lua | 3 +++ modules/luci-base/luasrc/dispatcher.lua | 24 +++++++++++++++++-- modules/luci-base/luasrc/view/error401.htm | 6 +++++ modules/luci-base/luasrc/view/logout.htm | 6 +++++ 4 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 modules/luci-base/luasrc/view/error401.htm create mode 100644 modules/luci-base/luasrc/view/logout.htm