authelia/internal/authorization/authorizer.go

package authorization

import (
	"github.com/sirupsen/logrus"

	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/logging"
)

// Authorizer the component in charge of checking whether a user can access a given resource.
type Authorizer struct {
	defaultPolicy Level
	rules         []*AccessControlRule
	mfa           bool
	config        *schema.Configuration
	log           *logrus.Logger
}

// NewAuthorizer create an instance of authorizer with a given access control config.
func NewAuthorizer(config *schema.Configuration) (authorizer *Authorizer) {
	authorizer = &Authorizer{
		defaultPolicy: StringToLevel(config.AccessControl.DefaultPolicy),
		rules:         NewAccessControlRules(config.AccessControl),
		config:        config,
		log:           logging.Logger(),
	}

	if authorizer.defaultPolicy == TwoFactor {
		authorizer.mfa = true

		return authorizer
	}

	for _, rule := range authorizer.rules {
		if rule.Policy == TwoFactor {
			authorizer.mfa = true

			return authorizer
		}
	}

	if authorizer.config.IdentityProviders.OIDC != nil {
		for _, client := range authorizer.config.IdentityProviders.OIDC.Clients {
			if client.Policy == twoFactor {
				authorizer.mfa = true

				return authorizer
			}
		}
	}

	return authorizer
}

// IsSecondFactorEnabled return true if at least one policy is set to second factor.
func (p Authorizer) IsSecondFactorEnabled() bool {
	return p.mfa
}

// GetRequiredLevel retrieve the required level of authorization to access the object.
func (p Authorizer) GetRequiredLevel(subject Subject, object Object) (hasSubjects bool, level Level) {
	p.log.Debugf("Check authorization of subject %s and object %s (method %s).",
		subject.String(), object.String(), object.Method)

	for _, rule := range p.rules {
		if rule.IsMatch(subject, object) {
			p.log.Tracef(traceFmtACLHitMiss, "HIT", rule.Position, subject, object, object.Method)

			return rule.HasSubjects, rule.Policy
		}

		p.log.Tracef(traceFmtACLHitMiss, "MISS", rule.Position, subject, object, object.Method)
	}

	p.log.Debugf("No matching rule for subject %s and url %s (method %s) applying default policy", subject, object, object.Method)

	return false, p.defaultPolicy
}

// GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.
func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult) {
	skipped := false

	results = make([]RuleMatchResult, len(p.rules))

	for i, rule := range p.rules {
		results[i] = RuleMatchResult{
			Rule:    rule,
			Skipped: skipped,

			MatchDomain:        rule.MatchesDomains(subject, object),
			MatchResources:     rule.MatchesResources(subject, object),
			MatchQuery:         rule.MatchesQuery(object),
			MatchMethods:       rule.MatchesMethods(object),
			MatchNetworks:      rule.MatchesNetworks(subject),
			MatchSubjects:      rule.MatchesSubjects(subject),
			MatchSubjectsExact: rule.MatchesSubjectExact(subject),
		}

		skipped = skipped || results[i].IsMatch()
	}

	return results
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package authorization`

			`import (`
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`"github.com/sirupsen/logrus"`

fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
			`"github.com/authelia/authelia/v4/internal/logging"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`)`

			`// Authorizer the component in charge of checking whether a user can access a given resource.`
			`type Authorizer struct {`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`defaultPolicy Level`
			`rules []*AccessControlRule`
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`mfa bool`
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`config *schema.Configuration`
			`log *logrus.Logger`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`// NewAuthorizer create an instance of authorizer with a given access control config.`
			`func NewAuthorizer(config schema.Configuration) (authorizer Authorizer) {`
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`authorizer = &Authorizer{`
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`defaultPolicy: StringToLevel(config.AccessControl.DefaultPolicy),`
			`rules: NewAccessControlRules(config.AccessControl),`
			`config: config,`
			`log: logging.Logger(),`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`if authorizer.defaultPolicy == TwoFactor {`
			`authorizer.mfa = true`

			`return authorizer`
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684) When no rule is set to two_factor in ACL configuration, 2FA is considered disabled. Therefore, when a user cannot be redirected correctly because no target URL is provided or the URL is unsafe, the user is either redirected to the default URL or to the 'already authenticated' view instead of the second factor view. Fixes #683 2020-03-06 00:31:09 +00:00			`}`

fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`for _, rule := range authorizer.rules {`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`if rule.Policy == TwoFactor {`
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`authorizer.mfa = true`

			`return authorizer`
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684) When no rule is set to two_factor in ACL configuration, 2FA is considered disabled. Therefore, when a user cannot be redirected correctly because no target URL is provided or the URL is unsafe, the user is either redirected to the default URL or to the 'already authenticated' view instead of the second factor view. Fixes #683 2020-03-06 00:31:09 +00:00			`}`
			`}`

fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`if authorizer.config.IdentityProviders.OIDC != nil {`
			`for _, client := range authorizer.config.IdentityProviders.OIDC.Clients {`
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled. 2021-06-18 01:38:01 +00:00			`if client.Policy == twoFactor {`
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`authorizer.mfa = true`

			`return authorizer`
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled. 2021-06-18 01:38:01 +00:00			`}`
			`}`
			`}`

fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`return authorizer`
			`}`

			`// IsSecondFactorEnabled return true if at least one policy is set to second factor.`
			`func (p Authorizer) IsSecondFactorEnabled() bool {`
			`return p.mfa`
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684) When no rule is set to two_factor in ACL configuration, 2FA is considered disabled. Therefore, when a user cannot be redirected correctly because no target URL is provided or the URL is unsafe, the user is either redirected to the default URL or to the 'already authenticated' view instead of the second factor view. Fixes #683 2020-03-06 00:31:09 +00:00			`}`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// GetRequiredLevel retrieve the required level of authorization to access the object.`
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`func (p Authorizer) GetRequiredLevel(subject Subject, object Object) (hasSubjects bool, level Level) {`
			`p.log.Debugf("Check authorization of subject %s and object %s (method %s).",`
fix(validator): misleading warning for empty acl domains (#1898) This fixes misleading errors for ACL rules with an empty list of domains. This also enables admins to have a default policy with zero ACL rules as long as the default policy is not deny or bypass. It also adds a rule number to all ACL rule related log messages which is the position in the YAML list plus 1. Lastly it adds comprehensive per rule HIT/MISS logging when Authelia trace logging is enabled. This trace logging includes the rule number. 2021-04-14 10:53:23 +00:00			`subject.String(), object.String(), object.Method)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`for _, rule := range p.rules {`
			`if rule.IsMatch(subject, object) {`
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`p.log.Tracef(traceFmtACLHitMiss, "HIT", rule.Position, subject, object, object.Method)`
fix(validator): misleading warning for empty acl domains (#1898) This fixes misleading errors for ACL rules with an empty list of domains. This also enables admins to have a default policy with zero ACL rules as long as the default policy is not deny or bypass. It also adds a rule number to all ACL rule related log messages which is the position in the YAML list plus 1. Lastly it adds comprehensive per rule HIT/MISS logging when Authelia trace logging is enabled. This trace logging includes the rule number. 2021-04-14 10:53:23 +00:00
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`return rule.HasSubjects, rule.Policy`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`}`
fix(validator): misleading warning for empty acl domains (#1898) This fixes misleading errors for ACL rules with an empty list of domains. This also enables admins to have a default policy with zero ACL rules as long as the default policy is not deny or bypass. It also adds a rule number to all ACL rule related log messages which is the position in the YAML list plus 1. Lastly it adds comprehensive per rule HIT/MISS logging when Authelia trace logging is enabled. This trace logging includes the rule number. 2021-04-14 10:53:23 +00:00
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`p.log.Tracef(traceFmtACLHitMiss, "MISS", rule.Position, subject, object, object.Method)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`p.log.Debugf("No matching rule for subject %s and url %s (method %s) applying default policy", subject, object, object.Method)`
[MISC] Add unit tests to authorization module and trace logs. (#638) This aims to help debug #637. 2020-02-18 22:15:09 +00:00
fix(handlers): verify handler (#3956) When an anonymous user tries to access a forbidden resource with no subject, we should response with 403. Fixes #3084 2022-09-04 22:21:30 +00:00			`return false, p.defaultPolicy`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00
			`// GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.`
			`func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult) {`
			`skipped := false`

			`results = make([]RuleMatchResult, len(p.rules))`

			`for i, rule := range p.rules {`
			`results[i] = RuleMatchResult{`
			`Rule: rule,`
			`Skipped: skipped,`

feat(authorization): query parameter filtering (#3990) This allows for advanced filtering of the query parameters in ACL's. Closes #2708 2022-10-19 03:09:22 +00:00			`MatchDomain: rule.MatchesDomains(subject, object),`
			`MatchResources: rule.MatchesResources(subject, object),`
			`MatchQuery: rule.MatchesQuery(object),`
			`MatchMethods: rule.MatchesMethods(object),`
			`MatchNetworks: rule.MatchesNetworks(subject),`
			`MatchSubjects: rule.MatchesSubjects(subject),`
			`MatchSubjectsExact: rule.MatchesSubjectExact(subject),`
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`}`

			`skipped = skipped \|\| results[i].IsMatch()`
			`}`

			`return results`
			`}`