authelia/internal/authorization/access_control_domain.go

package authorization

import (
	"fmt"
	"regexp"
	"strings"

	"github.com/authelia/authelia/v4/internal/utils"
)

// NewAccessControlDomain creates a new SubjectObjectMatcher that matches the domain as a basic string.
func NewAccessControlDomain(domain string) AccessControlDomain {
	m := &AccessControlDomainMatcher{}
	domain = strings.ToLower(domain)

	switch {
	case strings.HasPrefix(domain, "*."):
		m.Wildcard = true
		m.Name = domain[1:]
	case strings.HasPrefix(domain, "{user}"):
		m.UserWildcard = true
		m.Name = domain[7:]
	case strings.HasPrefix(domain, "{group}"):
		m.GroupWildcard = true
		m.Name = domain[8:]
	default:
		m.Name = domain
	}

	return AccessControlDomain{m}
}

// NewAccessControlDomainRegex creates a new SubjectObjectMatcher that matches the domain either in a basic way or
// dynamic User/Group subexpression group way.
func NewAccessControlDomainRegex(pattern regexp.Regexp) (subjects bool, rule AccessControlDomain) {
	var iuser, igroup = -1, -1

	for i, group := range pattern.SubexpNames() {
		switch group {
		case subexpNameUser:
			iuser = i
		case subexpNameGroup:
			igroup = i
		}
	}

	if iuser != -1 || igroup != -1 {
		return true, AccessControlDomain{RegexpGroupStringSubjectMatcher{pattern, iuser, igroup}}
	}

	return false, AccessControlDomain{RegexpStringSubjectMatcher{pattern}}
}

// AccessControlDomainMatcher is the basic domain matcher.
type AccessControlDomainMatcher struct {
	Name          string
	Wildcard      bool
	UserWildcard  bool
	GroupWildcard bool
}

// IsMatch returns true if this rule matches.
func (m AccessControlDomainMatcher) IsMatch(domain string, subject Subject) (match bool) {
	switch {
	case m.Wildcard:
		return strings.HasSuffix(domain, m.Name)
	case m.UserWildcard:
		return domain == fmt.Sprintf("%s.%s", subject.Username, m.Name)
	case m.GroupWildcard:
		prefix, suffix := domainToPrefixSuffix(domain)

		return suffix == m.Name && utils.IsStringInSliceFold(prefix, subject.Groups)
	default:
		return strings.EqualFold(domain, m.Name)
	}
}

// AccessControlDomain represents an ACL domain.
type AccessControlDomain struct {
	Matcher StringSubjectMatcher
}

// IsMatch returns true if the ACL domain matches the object domain.
func (acl AccessControlDomain) IsMatch(subject Subject, object Object) (match bool) {
	return acl.Matcher.IsMatch(object.Domain, subject)
}
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`package authorization`

			`import (`
			`"fmt"`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`"regexp"`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`"strings"`

fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc 2021-08-11 01:04:35 +00:00			`"github.com/authelia/authelia/v4/internal/utils"`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`)`

feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`// NewAccessControlDomain creates a new SubjectObjectMatcher that matches the domain as a basic string.`
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`func NewAccessControlDomain(domain string) AccessControlDomain {`
			`m := &AccessControlDomainMatcher{}`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`domain = strings.ToLower(domain)`

			`switch {`
			`case strings.HasPrefix(domain, "*."):`
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`m.Wildcard = true`
			`m.Name = domain[1:]`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`case strings.HasPrefix(domain, "{user}"):`
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`m.UserWildcard = true`
			`m.Name = domain[7:]`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`case strings.HasPrefix(domain, "{group}"):`
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`m.GroupWildcard = true`
			`m.Name = domain[8:]`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`default:`
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`m.Name = domain`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`}`

feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`return AccessControlDomain{m}`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`}`

			`// NewAccessControlDomainRegex creates a new SubjectObjectMatcher that matches the domain either in a basic way or`
			`// dynamic User/Group subexpression group way.`
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`func NewAccessControlDomainRegex(pattern regexp.Regexp) (subjects bool, rule AccessControlDomain) {`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`var iuser, igroup = -1, -1`

			`for i, group := range pattern.SubexpNames() {`
			`switch group {`
			`case subexpNameUser:`
			`iuser = i`
			`case subexpNameGroup:`
			`igroup = i`
			`}`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`}`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00
			`if iuser != -1 \|\| igroup != -1 {`
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`return true, AccessControlDomain{RegexpGroupStringSubjectMatcher{pattern, iuser, igroup}}`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`}`

fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com> 2022-09-26 04:33:08 +00:00			`return false, AccessControlDomain{RegexpStringSubjectMatcher{pattern}}`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`}`

feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`// AccessControlDomainMatcher is the basic domain matcher.`
			`type AccessControlDomainMatcher struct {`
			`Name string`
			`Wildcard bool`
			`UserWildcard bool`
			`GroupWildcard bool`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`}`

feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`// IsMatch returns true if this rule matches.`
			`func (m AccessControlDomainMatcher) IsMatch(domain string, subject Subject) (match bool) {`
			`switch {`
			`case m.Wildcard:`
			`return strings.HasSuffix(domain, m.Name)`
			`case m.UserWildcard:`
			`return domain == fmt.Sprintf("%s.%s", subject.Username, m.Name)`
			`case m.GroupWildcard:`
			`prefix, suffix := domainToPrefixSuffix(domain)`

			`return suffix == m.Name && utils.IsStringInSliceFold(prefix, subject.Groups)`
			`default:`
			`return strings.EqualFold(domain, m.Name)`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`}`
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`}`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`// AccessControlDomain represents an ACL domain.`
			`type AccessControlDomain struct {`
			`Matcher StringSubjectMatcher`
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs. 2022-04-01 11:38:49 +00:00			`}`

feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria. 2022-06-28 02:51:05 +00:00			`// IsMatch returns true if the ACL domain matches the object domain.`
			`func (acl AccessControlDomain) IsMatch(subject Subject, object Object) (match bool) {`
			`return acl.Matcher.IsMatch(object.Domain, subject)`
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description 2021-03-05 04:18:31 +00:00			`}`