authelia/internal/authorization/authorizer.go

package authorization

import (
	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/logging"
)

// Authorizer the component in charge of checking whether a user can access a given resource.
type Authorizer struct {
	defaultPolicy Level
	rules         []*AccessControlRule
	mfa           bool
	configuration *schema.Configuration
}

// NewAuthorizer create an instance of authorizer with a given access control configuration.
func NewAuthorizer(configuration *schema.Configuration) (authorizer *Authorizer) {
	authorizer = &Authorizer{
		defaultPolicy: StringToLevel(configuration.AccessControl.DefaultPolicy),
		rules:         NewAccessControlRules(configuration.AccessControl),
		configuration: configuration,
	}

	if authorizer.defaultPolicy == TwoFactor {
		authorizer.mfa = true

		return authorizer
	}

	for _, rule := range authorizer.rules {
		if rule.Policy == TwoFactor {
			authorizer.mfa = true

			return authorizer
		}
	}

	if authorizer.configuration.IdentityProviders.OIDC != nil {
		for _, client := range authorizer.configuration.IdentityProviders.OIDC.Clients {
			if client.Policy == twoFactor {
				authorizer.mfa = true

				return authorizer
			}
		}
	}

	return authorizer
}

// IsSecondFactorEnabled return true if at least one policy is set to second factor.
func (p Authorizer) IsSecondFactorEnabled() bool {
	return p.mfa
}

// GetRequiredLevel retrieve the required level of authorization to access the object.
func (p Authorizer) GetRequiredLevel(subject Subject, object Object) (bool, Level) {
	logger := logging.Logger()

	logger.Debugf("Check authorization of subject %s and object %s (method %s).",
		subject.String(), object.String(), object.Method)

	for _, rule := range p.rules {
		if rule.IsMatch(subject, object) {
			logger.Tracef(traceFmtACLHitMiss, "HIT", rule.Position, subject.String(), object.String(), object.Method)

			return len(rule.Subjects) > 0, rule.Policy
		}

		logger.Tracef(traceFmtACLHitMiss, "MISS", rule.Position, subject.String(), object.String(), object.Method)
	}

	logger.Debugf("No matching rule for subject %s and url %s... Applying default policy.",
		subject.String(), object.String())

	return false, p.defaultPolicy
}

// GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.
func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult) {
	skipped := false

	results = make([]RuleMatchResult, len(p.rules))

	for i, rule := range p.rules {
		results[i] = RuleMatchResult{
			Rule:    rule,
			Skipped: skipped,

			MatchDomain:        isMatchForDomains(subject, object, rule),
			MatchResources:     isMatchForResources(subject, object, rule),
			MatchMethods:       isMatchForMethods(object, rule),
			MatchNetworks:      isMatchForNetworks(subject, rule),
			MatchSubjects:      isMatchForSubjects(subject, rule),
			MatchSubjectsExact: isExactMatchForSubjects(subject, rule),
		}

		skipped = skipped || results[i].IsMatch()
	}

	return results
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`package authorization`

			`import (`
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/configuration/schema"`
			`"github.com/authelia/authelia/v4/internal/logging"`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`)`

			`// Authorizer the component in charge of checking whether a user can access a given resource.`
			`type Authorizer struct {`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`defaultPolicy Level`
			`rules []*AccessControlRule`
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`mfa bool`
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled. 2021-06-18 01:38:01 +00:00			`configuration *schema.Configuration`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

			`// NewAuthorizer create an instance of authorizer with a given access control configuration.`
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`func NewAuthorizer(configuration schema.Configuration) (authorizer Authorizer) {`
			`authorizer = &Authorizer{`
			`defaultPolicy: StringToLevel(configuration.AccessControl.DefaultPolicy),`
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled. 2021-06-18 01:38:01 +00:00			`rules: NewAccessControlRules(configuration.AccessControl),`
			`configuration: configuration,`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`

fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`if authorizer.defaultPolicy == TwoFactor {`
			`authorizer.mfa = true`

			`return authorizer`
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684) When no rule is set to two_factor in ACL configuration, 2FA is considered disabled. Therefore, when a user cannot be redirected correctly because no target URL is provided or the URL is unsafe, the user is either redirected to the default URL or to the 'already authenticated' view instead of the second factor view. Fixes #683 2020-03-06 00:31:09 +00:00			`}`

fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`for _, rule := range authorizer.rules {`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`if rule.Policy == TwoFactor {`
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`authorizer.mfa = true`

			`return authorizer`
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684) When no rule is set to two_factor in ACL configuration, 2FA is considered disabled. Therefore, when a user cannot be redirected correctly because no target URL is provided or the URL is unsafe, the user is either redirected to the default URL or to the 'already authenticated' view instead of the second factor view. Fixes #683 2020-03-06 00:31:09 +00:00			`}`
			`}`

fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`if authorizer.configuration.IdentityProviders.OIDC != nil {`
			`for _, client := range authorizer.configuration.IdentityProviders.OIDC.Clients {`
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled. 2021-06-18 01:38:01 +00:00			`if client.Policy == twoFactor {`
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`authorizer.mfa = true`

			`return authorizer`
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled. 2021-06-18 01:38:01 +00:00			`}`
			`}`
			`}`

fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow. 2022-07-26 05:43:39 +00:00			`return authorizer`
			`}`

			`// IsSecondFactorEnabled return true if at least one policy is set to second factor.`
			`func (p Authorizer) IsSecondFactorEnabled() bool {`
			`return p.mfa`
[BUGFIX] Skip 2FA step if no ACL rule is two_factor (#684) When no rule is set to two_factor in ACL configuration, 2FA is considered disabled. Therefore, when a user cannot be redirected correctly because no target URL is provided or the URL is unsafe, the user is either redirected to the default URL or to the 'already authenticated' view instead of the second factor view. Fixes #683 2020-03-06 00:31:09 +00:00			`}`

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`// GetRequiredLevel retrieve the required level of authorization to access the object.`
fix(handlers): verify handler (#3956) When an anonymous user tries to access a forbidden resource with no subject, we should response with 403. Fixes #3084 2022-09-04 22:21:30 +00:00			`func (p Authorizer) GetRequiredLevel(subject Subject, object Object) (bool, Level) {`
[MISC] Add missing CLI suite test (#1607) * [MISC] Add missing CLI suite test * Add missing test for `authelia version` command in CLI suite. * Standardise logger calls and swap CSP switch order 2021-01-16 23:23:35 +00:00			`logger := logging.Logger()`
fix(validator): misleading warning for empty acl domains (#1898) This fixes misleading errors for ACL rules with an empty list of domains. This also enables admins to have a default policy with zero ACL rules as long as the default policy is not deny or bypass. It also adds a rule number to all ACL rule related log messages which is the position in the YAML list plus 1. Lastly it adds comprehensive per rule HIT/MISS logging when Authelia trace logging is enabled. This trace logging includes the rule number. 2021-04-14 10:53:23 +00:00
			`logger.Debugf("Check authorization of subject %s and object %s (method %s).",`
			`subject.String(), object.String(), object.Method)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`for _, rule := range p.rules {`
			`if rule.IsMatch(subject, object) {`
fix(validator): misleading warning for empty acl domains (#1898) This fixes misleading errors for ACL rules with an empty list of domains. This also enables admins to have a default policy with zero ACL rules as long as the default policy is not deny or bypass. It also adds a rule number to all ACL rule related log messages which is the position in the YAML list plus 1. Lastly it adds comprehensive per rule HIT/MISS logging when Authelia trace logging is enabled. This trace logging includes the rule number. 2021-04-14 10:53:23 +00:00			`logger.Tracef(traceFmtACLHitMiss, "HIT", rule.Position, subject.String(), object.String(), object.Method)`

fix(handlers): verify handler (#3956) When an anonymous user tries to access a forbidden resource with no subject, we should response with 403. Fixes #3084 2022-09-04 22:21:30 +00:00			`return len(rule.Subjects) > 0, rule.Policy`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`}`
fix(validator): misleading warning for empty acl domains (#1898) This fixes misleading errors for ACL rules with an empty list of domains. This also enables admins to have a default policy with zero ACL rules as long as the default policy is not deny or bypass. It also adds a rule number to all ACL rule related log messages which is the position in the YAML list plus 1. Lastly it adds comprehensive per rule HIT/MISS logging when Authelia trace logging is enabled. This trace logging includes the rule number. 2021-04-14 10:53:23 +00:00
			`logger.Tracef(traceFmtACLHitMiss, "MISS", rule.Position, subject.String(), object.String(), object.Method)`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`
[CI] Add wsl linter (#980) * [CI] Add wsl linter * Implement wsl recommendations Co-authored-by: Clément Michaud <clement.michaud34@gmail.com> 2020-05-05 19:35:32 +00:00
fix(validator): misleading warning for empty acl domains (#1898) This fixes misleading errors for ACL rules with an empty list of domains. This also enables admins to have a default policy with zero ACL rules as long as the default policy is not deny or bypass. It also adds a rule number to all ACL rule related log messages which is the position in the YAML list plus 1. Lastly it adds comprehensive per rule HIT/MISS logging when Authelia trace logging is enabled. This trace logging includes the rule number. 2021-04-14 10:53:23 +00:00			`logger.Debugf("No matching rule for subject %s and url %s... Applying default policy.",`
			`subject.String(), object.String())`
[MISC] Add unit tests to authorization module and trace logs. (#638) This aims to help debug #637. 2020-02-18 22:15:09 +00:00
fix(handlers): verify handler (#3956) When an anonymous user tries to access a forbidden resource with no subject, we should response with 403. Fixes #3084 2022-09-04 22:21:30 +00:00			`return false, p.defaultPolicy`
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture. 2019-04-24 21:52:08 +00:00			`}`
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00
			`// GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.`
			`func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult) {`
			`skipped := false`

			`results = make([]RuleMatchResult, len(p.rules))`

			`for i, rule := range p.rules {`
			`results[i] = RuleMatchResult{`
			`Rule: rule,`
			`Skipped: skipped,`

			`MatchDomain: isMatchForDomains(subject, object, rule),`
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`MatchResources: isMatchForResources(subject, object, rule),`
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources. 2022-02-28 03:15:01 +00:00			`MatchMethods: isMatchForMethods(object, rule),`
			`MatchNetworks: isMatchForNetworks(subject, rule),`
			`MatchSubjects: isMatchForSubjects(subject, rule),`
			`MatchSubjectsExact: isExactMatchForSubjects(subject, rule),`
			`}`

			`skipped = skipped \|\| results[i].IsMatch()`
			`}`

			`return results`
			`}`