authelia/internal/authorization/access_control_domain.go

package authorization

import (
	"fmt"
	"strings"

	"github.com/authelia/authelia/internal/utils"
)

// AccessControlDomain represents an ACL domain.
type AccessControlDomain struct {
	Name          string
	Wildcard      bool
	UserWildcard  bool
	GroupWildcard bool
}

// IsMatch returns true if the ACL domain matches the object domain.
func (acd AccessControlDomain) IsMatch(subject Subject, object Object) (match bool) {
	switch {
	case acd.Wildcard:
		return strings.HasSuffix(object.Domain, acd.Name)
	case acd.UserWildcard:
		return object.Domain == fmt.Sprintf("%s.%s", subject.Username, acd.Name)
	case acd.GroupWildcard:
		prefix, suffix := domainToPrefixSuffix(object.Domain)

		return suffix == acd.Name && utils.IsStringInSliceFold(prefix, subject.Groups)
	default:
		return object.Domain == acd.Name
	}
}
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`package authorization`

			`import (`
			`"fmt"`
			`"strings"`

			`"github.com/authelia/authelia/internal/utils"`
			`)`

			`// AccessControlDomain represents an ACL domain.`
			`type AccessControlDomain struct {`
			`Name string`
			`Wildcard bool`
			`UserWildcard bool`
			`GroupWildcard bool`
			`}`

			`// IsMatch returns true if the ACL domain matches the object domain.`
			`func (acd AccessControlDomain) IsMatch(subject Subject, object Object) (match bool) {`
			`switch {`
			`case acd.Wildcard:`
			`return strings.HasSuffix(object.Domain, acd.Name)`
			`case acd.UserWildcard:`
			`return object.Domain == fmt.Sprintf("%s.%s", subject.Username, acd.Name)`
			`case acd.GroupWildcard:`
			`prefix, suffix := domainToPrefixSuffix(object.Domain)`

			`return suffix == acd.Name && utils.IsStringInSliceFold(prefix, subject.Groups)`
			`default:`
			`return object.Domain == acd.Name`
			`}`
			`}`