authelia/internal/handlers/handler_authz.go

package handlers

import (
	"fmt"
	"net/url"

	"github.com/authelia/authelia/v4/internal/authentication"
	"github.com/authelia/authelia/v4/internal/authorization"
	"github.com/authelia/authelia/v4/internal/middlewares"
	"github.com/authelia/authelia/v4/internal/session"
	"github.com/authelia/authelia/v4/internal/utils"
)

// Handler is the middlewares.RequestHandler for Authz.
func (authz *Authz) Handler(ctx *middlewares.AutheliaCtx) {
	var (
		object      authorization.Object
		autheliaURL *url.URL
		provider    *session.Session
		err         error
	)

	if object, err = authz.handleGetObject(ctx); err != nil {
		ctx.Logger.Errorf("Error getting original request object: %v", err)

		ctx.ReplyUnauthorized()

		return
	}

	if !utils.IsURISecure(object.URL) {
		ctx.Logger.Errorf("Target URL '%s' has an insecure scheme '%s', only the 'https' and 'wss' schemes are supported so session cookies can be transmitted securely", object.URL.String(), object.URL.Scheme)

		ctx.ReplyUnauthorized()

		return
	}

	if provider, err = ctx.GetSessionProviderByTargetURL(object.URL); err != nil {
		ctx.Logger.WithError(err).Errorf("Target URL '%s' does not appear to be configured as a session domain", object.URL.String())

		ctx.ReplyUnauthorized()

		return
	}

	if autheliaURL, err = authz.getAutheliaURL(ctx, provider); err != nil {
		ctx.Logger.WithError(err).Error("Error occurred trying to determine the URL of the portal")

		ctx.ReplyUnauthorized()

		return
	}

	var (
		authn    Authn
		strategy AuthnStrategy
	)

	if authn, strategy, err = authz.authn(ctx, provider); err != nil {
		authn.Object = object

		ctx.Logger.WithError(err).Error("Error occurred while attempting to authenticate a request")

		switch strategy {
		case nil:
			ctx.ReplyUnauthorized()
		default:
			strategy.HandleUnauthorized(ctx, &authn, authz.getRedirectionURL(&object, autheliaURL))
		}

		return
	}

	authn.Object = object
	authn.Method = friendlyMethod(authn.Object.Method)

	ruleHasSubject, required := ctx.Providers.Authorizer.GetRequiredLevel(
		authorization.Subject{
			Username: authn.Details.Username,
			Groups:   authn.Details.Groups,
			IP:       ctx.RemoteIP(),
		},
		object,
	)

	switch isAuthzResult(authn.Level, required, ruleHasSubject) {
	case AuthzResultForbidden:
		ctx.Logger.Infof("Access to '%s' is forbidden to user '%s'", object.URL.String(), authn.Username)
		ctx.ReplyForbidden()
	case AuthzResultUnauthorized:
		var handler HandlerAuthzUnauthorized

		if strategy != nil {
			handler = strategy.HandleUnauthorized
		} else {
			handler = authz.handleUnauthorized
		}

		handler(ctx, &authn, authz.getRedirectionURL(&object, autheliaURL))
	case AuthzResultAuthorized:
		authz.handleAuthorized(ctx, &authn)
	}
}

func (authz *Authz) getAutheliaURL(ctx *middlewares.AutheliaCtx, provider *session.Session) (autheliaURL *url.URL, err error) {
	if authz.handleGetAutheliaURL == nil {
		return nil, nil
	}

	if autheliaURL, err = authz.handleGetAutheliaURL(ctx); err != nil {
		return nil, err
	}

	if autheliaURL != nil || authz.legacy {
		return autheliaURL, nil
	}

	if provider.Config.AutheliaURL != nil {
		if authz.legacy {
			return nil, nil
		}

		return provider.Config.AutheliaURL, nil
	}

	return nil, fmt.Errorf("authelia url lookup failed")
}

func (authz *Authz) getRedirectionURL(object *authorization.Object, autheliaURL *url.URL) (redirectionURL *url.URL) {
	if autheliaURL == nil {
		return nil
	}

	redirectionURL, _ = url.ParseRequestURI(autheliaURL.String())

	qry := redirectionURL.Query()

	qry.Set(queryArgRD, object.URL.String())

	if object.Method != "" {
		qry.Set(queryArgRM, object.Method)
	}

	redirectionURL.RawQuery = qry.Encode()

	return redirectionURL
}

func (authz *Authz) authn(ctx *middlewares.AutheliaCtx, provider *session.Session) (authn Authn, strategy AuthnStrategy, err error) {
	for _, strategy = range authz.strategies {
		if authn, err = strategy.Get(ctx, provider); err != nil {
			if strategy.CanHandleUnauthorized() {
				return Authn{Type: authn.Type, Level: authentication.NotAuthenticated}, strategy, err
			}

			return Authn{Type: authn.Type, Level: authentication.NotAuthenticated}, nil, err
		}

		if authn.Level != authentication.NotAuthenticated {
			break
		}
	}

	if strategy.CanHandleUnauthorized() {
		return authn, strategy, err
	}

	return authn, nil, nil
}
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`package handlers`

			`import (`
			`"fmt"`
			`"net/url"`

			`"github.com/authelia/authelia/v4/internal/authentication"`
			`"github.com/authelia/authelia/v4/internal/authorization"`
			`"github.com/authelia/authelia/v4/internal/middlewares"`
			`"github.com/authelia/authelia/v4/internal/session"`
			`"github.com/authelia/authelia/v4/internal/utils"`
			`)`

			`// Handler is the middlewares.RequestHandler for Authz.`
			`func (authz Authz) Handler(ctx middlewares.AutheliaCtx) {`
			`var (`
			`object authorization.Object`
			`autheliaURL *url.URL`
			`provider *session.Session`
			`err error`
			`)`

			`if object, err = authz.handleGetObject(ctx); err != nil {`
			`ctx.Logger.Errorf("Error getting original request object: %v", err)`

			`ctx.ReplyUnauthorized()`

			`return`
			`}`

			`if !utils.IsURISecure(object.URL) {`
			`ctx.Logger.Errorf("Target URL '%s' has an insecure scheme '%s', only the 'https' and 'wss' schemes are supported so session cookies can be transmitted securely", object.URL.String(), object.URL.Scheme)`

			`ctx.ReplyUnauthorized()`

			`return`
			`}`

			`if provider, err = ctx.GetSessionProviderByTargetURL(object.URL); err != nil {`
			`ctx.Logger.WithError(err).Errorf("Target URL '%s' does not appear to be configured as a session domain", object.URL.String())`

			`ctx.ReplyUnauthorized()`

			`return`
			`}`

			`if autheliaURL, err = authz.getAutheliaURL(ctx, provider); err != nil {`
			`ctx.Logger.WithError(err).Error("Error occurred trying to determine the URL of the portal")`

			`ctx.ReplyUnauthorized()`

			`return`
			`}`

			`var (`
			`authn Authn`
			`strategy AuthnStrategy`
			`)`

			`if authn, strategy, err = authz.authn(ctx, provider); err != nil {`
			`authn.Object = object`

			`ctx.Logger.WithError(err).Error("Error occurred while attempting to authenticate a request")`

			`switch strategy {`
			`case nil:`
			`ctx.ReplyUnauthorized()`
			`default:`
			`strategy.HandleUnauthorized(ctx, &authn, authz.getRedirectionURL(&object, autheliaURL))`
			`}`

			`return`
			`}`

			`authn.Object = object`
			`authn.Method = friendlyMethod(authn.Object.Method)`

			`ruleHasSubject, required := ctx.Providers.Authorizer.GetRequiredLevel(`
			`authorization.Subject{`
			`Username: authn.Details.Username,`
			`Groups: authn.Details.Groups,`
			`IP: ctx.RemoteIP(),`
			`},`
			`object,`
			`)`

			`switch isAuthzResult(authn.Level, required, ruleHasSubject) {`
			`case AuthzResultForbidden:`
			`ctx.Logger.Infof("Access to '%s' is forbidden to user '%s'", object.URL.String(), authn.Username)`
			`ctx.ReplyForbidden()`
			`case AuthzResultUnauthorized:`
			`var handler HandlerAuthzUnauthorized`

			`if strategy != nil {`
			`handler = strategy.HandleUnauthorized`
			`} else {`
			`handler = authz.handleUnauthorized`
			`}`

			`handler(ctx, &authn, authz.getRedirectionURL(&object, autheliaURL))`
			`case AuthzResultAuthorized:`
			`authz.handleAuthorized(ctx, &authn)`
			`}`
			`}`

			`func (authz Authz) getAutheliaURL(ctx middlewares.AutheliaCtx, provider session.Session) (autheliaURL url.URL, err error) {`
			`if authz.handleGetAutheliaURL == nil {`
			`return nil, nil`
			`}`

			`if autheliaURL, err = authz.handleGetAutheliaURL(ctx); err != nil {`
			`return nil, err`
			`}`

fix(handlers): legacy authz failure on nginx (#4956) Since nginx doesn't do portal URL detection we have to skip returning an error on the legacy authz implementation when the portal URL isn't detected. This issue only exists in unreleased versions. 2023-02-18 05:56:53 +00:00			`if autheliaURL != nil \|\| authz.legacy {`
feat(server): customizable authz endpoints (#4296) This allows users to customize the authz endpoints. Closes #2753, Fixes #3716 Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2023-01-25 09:36:40 +00:00			`return autheliaURL, nil`
			`}`

			`if provider.Config.AutheliaURL != nil {`
			`if authz.legacy {`
			`return nil, nil`
			`}`

			`return provider.Config.AutheliaURL, nil`
			`}`

			`return nil, fmt.Errorf("authelia url lookup failed")`
			`}`

			`func (authz Authz) getRedirectionURL(object authorization.Object, autheliaURL url.URL) (redirectionURL url.URL) {`
			`if autheliaURL == nil {`
			`return nil`
			`}`

			`redirectionURL, _ = url.ParseRequestURI(autheliaURL.String())`

			`qry := redirectionURL.Query()`

			`qry.Set(queryArgRD, object.URL.String())`

			`if object.Method != "" {`
			`qry.Set(queryArgRM, object.Method)`
			`}`

			`redirectionURL.RawQuery = qry.Encode()`

			`return redirectionURL`
			`}`

			`func (authz Authz) authn(ctx middlewares.AutheliaCtx, provider *session.Session) (authn Authn, strategy AuthnStrategy, err error) {`
			`for _, strategy = range authz.strategies {`
			`if authn, err = strategy.Get(ctx, provider); err != nil {`
			`if strategy.CanHandleUnauthorized() {`
			`return Authn{Type: authn.Type, Level: authentication.NotAuthenticated}, strategy, err`
			`}`

			`return Authn{Type: authn.Type, Level: authentication.NotAuthenticated}, nil, err`
			`}`

			`if authn.Level != authentication.NotAuthenticated {`
			`break`
			`}`
			`}`

			`if strategy.CanHandleUnauthorized() {`
			`return authn, strategy, err`
			`}`

			`return authn, nil, nil`
			`}`