authelia/internal/configuration/schema/access_control.go

package schema

import (
	"fmt"
	"net"
	"strings"
)

// ACLRule represent one ACL rule "weak" coerces a single value into string slice.
type ACLRule struct {
	Domains   []string `mapstructure:"domain,weak"`
	Policy    string   `mapstructure:"policy"`
	Subjects  []string `mapstructure:"subject,weak"`
	Networks  []string `mapstructure:"networks"`
	Resources []string `mapstructure:"resources"`
}

// IsPolicyValid check if policy is valid.
func IsPolicyValid(policy string) bool {
	return policy == "deny" || policy == "one_factor" || policy == "two_factor" || policy == "bypass"
}

// IsSubjectValid check if a subject is valid.
func IsSubjectValid(subject string) bool {
	return subject == "" || strings.HasPrefix(subject, "user:") || strings.HasPrefix(subject, "group:")
}

// IsNetworkValid check if a network is valid.
func IsNetworkValid(network string) bool {
	_, _, err := net.ParseCIDR(network)
	return err == nil
}

// Validate validate an ACL Rule.
func (r *ACLRule) Validate(validator *StructValidator) {
	if len(r.Domains) == 0 {
		validator.Push(fmt.Errorf("Domain must be provided"))
	}

	if !IsPolicyValid(r.Policy) {
		validator.Push(fmt.Errorf("A policy must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))
	}

	for i, subject := range r.Subjects {
		if !IsSubjectValid(subject) {
			validator.Push(fmt.Errorf("Subject %d must start with 'user:' or 'group:'", i))
		}
	}

	for i, network := range r.Networks {
		if !IsNetworkValid(network) {
			validator.Push(fmt.Errorf("Network %d must be a valid CIDR", i))
		}
	}
}

// AccessControlConfiguration represents the configuration related to ACLs.
type AccessControlConfiguration struct {
	DefaultPolicy string    `mapstructure:"default_policy"`
	Rules         []ACLRule `mapstructure:"rules"`
}

// Validate validate the access control configuration.
func (acc *AccessControlConfiguration) Validate(validator *StructValidator) {
	if acc.DefaultPolicy == "" {
		acc.DefaultPolicy = "deny"
	}

	if !IsPolicyValid(acc.DefaultPolicy) {
		validator.Push(fmt.Errorf("'default_policy' must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))
	}
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package schema`

			`import (`
			`"fmt"`
			`"net"`
			`"strings"`
			`)`

[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// ACLRule represent one ACL rule "weak" coerces a single value into string slice.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`type ACLRule struct {`
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak` 2020-04-16 00:18:11 +00:00			Domains []string `mapstructure:"domain,weak"`
Introduce viper in order to read secrets from env variables. 2020-01-21 20:56:44 +00:00			Policy string `mapstructure:"policy"`
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak` 2020-04-16 00:18:11 +00:00			Subjects []string `mapstructure:"subject,weak"`
Introduce viper in order to read secrets from env variables. 2020-01-21 20:56:44 +00:00			Networks []string `mapstructure:"networks"`
			Resources []string `mapstructure:"resources"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// IsPolicyValid check if policy is valid.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`func IsPolicyValid(policy string) bool {`
			`return policy == "deny" \|\| policy == "one_factor" \|\| policy == "two_factor" \|\| policy == "bypass"`
			`}`

[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// IsSubjectValid check if a subject is valid.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`func IsSubjectValid(subject string) bool {`
			`return subject == "" \|\| strings.HasPrefix(subject, "user:") \|\| strings.HasPrefix(subject, "group:")`
			`}`

[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// IsNetworkValid check if a network is valid.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`func IsNetworkValid(network string) bool {`
			`_, _, err := net.ParseCIDR(network)`
			`return err == nil`
			`}`

[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// Validate validate an ACL Rule.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`func (r ACLRule) Validate(validator StructValidator) {`
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak` 2020-04-16 00:18:11 +00:00			`if len(r.Domains) == 0 {`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`validator.Push(fmt.Errorf("Domain must be provided"))`
			`}`

			`if !IsPolicyValid(r.Policy) {`
			`validator.Push(fmt.Errorf("A policy must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))`
			`}`

[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak` 2020-04-16 00:18:11 +00:00			`for i, subject := range r.Subjects {`
			`if !IsSubjectValid(subject) {`
			`validator.Push(fmt.Errorf("Subject %d must start with 'user:' or 'group:'", i))`
			`}`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

			`for i, network := range r.Networks {`
			`if !IsNetworkValid(network) {`
			`validator.Push(fmt.Errorf("Network %d must be a valid CIDR", i))`
			`}`
			`}`
			`}`

			`// AccessControlConfiguration represents the configuration related to ACLs.`
			`type AccessControlConfiguration struct {`
Introduce viper in order to read secrets from env variables. 2020-01-21 20:56:44 +00:00			DefaultPolicy string `mapstructure:"default_policy"`
			Rules []ACLRule `mapstructure:"rules"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

[MISC] Implement golint recommendations (#885) Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-04-20 21:03:38 +00:00			`// Validate validate the access control configuration.`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`func (acc AccessControlConfiguration) Validate(validator StructValidator) {`
			`if acc.DefaultPolicy == "" {`
			`acc.DefaultPolicy = "deny"`
			`}`

			`if !IsPolicyValid(acc.DefaultPolicy) {`
			`validator.Push(fmt.Errorf("'default_policy' must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))`
			`}`
			`}`