2019-04-24 21:52:08 +00:00
|
|
|
package authorization
|
|
|
|
|
|
|
|
import (
|
2021-08-11 01:04:35 +00:00
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
|
|
|
"github.com/authelia/authelia/v4/internal/logging"
|
2019-04-24 21:52:08 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// Authorizer the component in charge of checking whether a user can access a given resource.
|
|
|
|
type Authorizer struct {
|
2021-03-05 04:18:31 +00:00
|
|
|
defaultPolicy Level
|
|
|
|
rules []*AccessControlRule
|
2022-07-26 05:43:39 +00:00
|
|
|
mfa bool
|
2021-06-18 01:38:01 +00:00
|
|
|
configuration *schema.Configuration
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewAuthorizer create an instance of authorizer with a given access control configuration.
|
2022-07-26 05:43:39 +00:00
|
|
|
func NewAuthorizer(configuration *schema.Configuration) (authorizer *Authorizer) {
|
|
|
|
authorizer = &Authorizer{
|
|
|
|
defaultPolicy: StringToLevel(configuration.AccessControl.DefaultPolicy),
|
2021-06-18 01:38:01 +00:00
|
|
|
rules: NewAccessControlRules(configuration.AccessControl),
|
|
|
|
configuration: configuration,
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
|
|
|
|
2022-07-26 05:43:39 +00:00
|
|
|
if authorizer.defaultPolicy == TwoFactor {
|
|
|
|
authorizer.mfa = true
|
|
|
|
|
|
|
|
return authorizer
|
2020-03-06 00:31:09 +00:00
|
|
|
}
|
|
|
|
|
2022-07-26 05:43:39 +00:00
|
|
|
for _, rule := range authorizer.rules {
|
2021-03-05 04:18:31 +00:00
|
|
|
if rule.Policy == TwoFactor {
|
2022-07-26 05:43:39 +00:00
|
|
|
authorizer.mfa = true
|
|
|
|
|
|
|
|
return authorizer
|
2020-03-06 00:31:09 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-07-26 05:43:39 +00:00
|
|
|
if authorizer.configuration.IdentityProviders.OIDC != nil {
|
|
|
|
for _, client := range authorizer.configuration.IdentityProviders.OIDC.Clients {
|
2021-06-18 01:38:01 +00:00
|
|
|
if client.Policy == twoFactor {
|
2022-07-26 05:43:39 +00:00
|
|
|
authorizer.mfa = true
|
|
|
|
|
|
|
|
return authorizer
|
2021-06-18 01:38:01 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-07-26 05:43:39 +00:00
|
|
|
return authorizer
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsSecondFactorEnabled return true if at least one policy is set to second factor.
|
|
|
|
func (p Authorizer) IsSecondFactorEnabled() bool {
|
|
|
|
return p.mfa
|
2020-03-06 00:31:09 +00:00
|
|
|
}
|
|
|
|
|
2019-04-24 21:52:08 +00:00
|
|
|
// GetRequiredLevel retrieve the required level of authorization to access the object.
|
2021-04-14 10:53:23 +00:00
|
|
|
func (p Authorizer) GetRequiredLevel(subject Subject, object Object) Level {
|
2021-01-16 23:23:35 +00:00
|
|
|
logger := logging.Logger()
|
2021-04-14 10:53:23 +00:00
|
|
|
|
|
|
|
logger.Debugf("Check authorization of subject %s and object %s (method %s).",
|
|
|
|
subject.String(), object.String(), object.Method)
|
2019-04-24 21:52:08 +00:00
|
|
|
|
2021-03-05 04:18:31 +00:00
|
|
|
for _, rule := range p.rules {
|
|
|
|
if rule.IsMatch(subject, object) {
|
2021-04-14 10:53:23 +00:00
|
|
|
logger.Tracef(traceFmtACLHitMiss, "HIT", rule.Position, subject.String(), object.String(), object.Method)
|
|
|
|
|
2021-03-05 04:18:31 +00:00
|
|
|
return rule.Policy
|
|
|
|
}
|
2021-04-14 10:53:23 +00:00
|
|
|
|
|
|
|
logger.Tracef(traceFmtACLHitMiss, "MISS", rule.Position, subject.String(), object.String(), object.Method)
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
2020-05-05 19:35:32 +00:00
|
|
|
|
2021-04-14 10:53:23 +00:00
|
|
|
logger.Debugf("No matching rule for subject %s and url %s... Applying default policy.",
|
|
|
|
subject.String(), object.String())
|
2020-02-18 22:15:09 +00:00
|
|
|
|
2021-03-05 04:18:31 +00:00
|
|
|
return p.defaultPolicy
|
2019-04-24 21:52:08 +00:00
|
|
|
}
|
2022-02-28 03:15:01 +00:00
|
|
|
|
|
|
|
// GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.
|
|
|
|
func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results []RuleMatchResult) {
|
|
|
|
skipped := false
|
|
|
|
|
|
|
|
results = make([]RuleMatchResult, len(p.rules))
|
|
|
|
|
|
|
|
for i, rule := range p.rules {
|
|
|
|
results[i] = RuleMatchResult{
|
|
|
|
Rule: rule,
|
|
|
|
Skipped: skipped,
|
|
|
|
|
|
|
|
MatchDomain: isMatchForDomains(subject, object, rule),
|
2022-06-28 02:51:05 +00:00
|
|
|
MatchResources: isMatchForResources(subject, object, rule),
|
2022-02-28 03:15:01 +00:00
|
|
|
MatchMethods: isMatchForMethods(object, rule),
|
|
|
|
MatchNetworks: isMatchForNetworks(subject, rule),
|
|
|
|
MatchSubjects: isMatchForSubjects(subject, rule),
|
|
|
|
MatchSubjectsExact: isExactMatchForSubjects(subject, rule),
|
|
|
|
}
|
|
|
|
|
|
|
|
skipped = skipped || results[i].IsMatch()
|
|
|
|
}
|
|
|
|
|
|
|
|
return results
|
|
|
|
}
|