RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
authelia/internal/authorization/authorizer_test.go

1107 lines
44 KiB
Go
Raw Normal View History

Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
package authorization
import (
"net"
"net/url"
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
"regexp"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
"testing"
[MISC] Fix goimports ordering for repo (#947)
2020-05-01 06:56:42 +00:00
"github.com/stretchr/testify/assert"
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
"github.com/stretchr/testify/require"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
"github.com/stretchr/testify/suite"
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
"github.com/valyala/fasthttp"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
fix: include major in go.mod module directive (#2278) * build: include major in go.mod module directive * fix: xflags * revert: cobra changes * fix: mock doc
2021-08-11 01:04:35 +00:00
"github.com/authelia/authelia/v4/internal/configuration/schema"
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
)
type AuthorizerSuite struct {
suite.Suite
}
type AuthorizerTester struct {
*Authorizer
}
func NewAuthorizerTester(config schema.AccessControlConfiguration) *AuthorizerTester {
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
fullConfig := &schema.Configuration{
AccessControl: config,
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
return &AuthorizerTester{
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
NewAuthorizer(fullConfig),
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
}
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
func (s *AuthorizerTester) CheckAuthorizations(t *testing.T, subject Subject, requestURI, method string, expectedLevel Level) {
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 03:15:01 +00:00
targetURL, _ := url.ParseRequestURI(requestURI)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 03:15:01 +00:00
object := NewObject(targetURL, method)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
fix(handlers): verify handler (#3956) When an anonymous user tries to access a forbidden resource with no subject, we should response with 403. Fixes #3084
2022-09-04 22:21:30 +00:00
_, level := s.GetRequiredLevel(subject, object)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
assert.Equal(t, expectedLevel, level)
}
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 03:15:01 +00:00
func (s *AuthorizerTester) GetRuleMatchResults(subject Subject, requestURI, method string) (results []RuleMatchResult) {
targetURL, _ := url.ParseRequestURI(requestURI)
object := NewObject(targetURL, method)
return s.Authorizer.GetRuleMatchResults(subject, object)
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
type AuthorizerTesterBuilder struct {
config schema.AccessControlConfiguration
}
func NewAuthorizerBuilder() *AuthorizerTesterBuilder {
return &AuthorizerTesterBuilder{}
}
func (b *AuthorizerTesterBuilder) WithDefaultPolicy(policy string) *AuthorizerTesterBuilder {
b.config.DefaultPolicy = policy
return b
}
func (b *AuthorizerTesterBuilder) WithRule(rule schema.ACLRule) *AuthorizerTesterBuilder {
b.config.Rules = append(b.config.Rules, rule)
return b
}
func (b *AuthorizerTesterBuilder) Build() *AuthorizerTester {
return NewAuthorizerTester(b.config)
}
var AnonymousUser = Subject{
Username: "",
Groups: []string{},
IP: net.ParseIP("127.0.0.1"),
}
var UserWithGroups = Subject{
Username: "john",
Groups: []string{"dev", "admins"},
IP: net.ParseIP("10.0.0.8"),
}
var John = UserWithGroups
var UserWithoutGroups = Subject{
Username: "bob",
Groups: []string{},
IP: net.ParseIP("10.0.0.7"),
}
var Bob = UserWithoutGroups
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
var UserWithIPv6Address = Subject{
Username: "sam",
Groups: []string{},
IP: net.ParseIP("fec0::1"),
}
var Sam = UserWithIPv6Address
var UserWithIPv6AddressAndGroups = Subject{
Username: "sam",
Groups: []string{"dev", "admins"},
IP: net.ParseIP("fec0::2"),
}
var Sally = UserWithIPv6AddressAndGroups
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
func (s *AuthorizerSuite) TestShouldCheckDefaultBypassConfig() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(bypass).Build()
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithoutGroups, "https://public.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithoutGroups, "https://public.example.com/elsewhere", fasthttp.MethodGet, Bypass)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
func (s *AuthorizerSuite) TestShouldCheckDefaultDeniedConfig() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).Build()
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example.com/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), UserWithoutGroups, "https://public.example.com/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), UserWithoutGroups, "https://public.example.com/elsewhere", fasthttp.MethodGet, Denied)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
func (s *AuthorizerSuite) TestShouldCheckMultiDomainRule() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"*.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://private.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/elsewhere", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://example.com/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com.c/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.co/", fasthttp.MethodGet, Denied)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}
func (s *AuthorizerSuite) TestShouldCheckDynamicDomainRules() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
WithRule(schema.ACLRule{
Domains: []string{"{user}.example.com"},
fix(authorization): subject wildcard domain rule not matching (#4187) This fixes an issue where the subject wildcard domain rules (those containing {user} and {group}) are not considered matches even though they may be once a user authenticates. Fixes #4186
2022-10-18 08:14:34 +00:00
Policy: oneFactor,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
Domains: []string{"{group}.example.com"},
fix(authorization): subject wildcard domain rule not matching (#4187) This fixes an issue where the subject wildcard domain rules (those containing {user} and {group}) are not considered matches even though they may be once a user authenticates. Fixes #4186
2022-10-18 08:14:34 +00:00
Policy: oneFactor,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://john.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://dev.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://admins.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://othergroup.example.com/", fasthttp.MethodGet, Denied)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
func (s *AuthorizerSuite) TestShouldCheckMultipleDomainRule() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
WithRule(schema.ACLRule{
Domains: []string{"*.example.com", "other.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://private.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/elsewhere", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://example.com/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com.c/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.co/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://other.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://other.com/elsewhere", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://private.other.com/", fasthttp.MethodGet, Denied)
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
func (s *AuthorizerSuite) TestShouldCheckFactorsPolicy() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"single.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: twoFactor,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"public.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://protected.example.com/", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://single.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://example.com/", fasthttp.MethodGet, Denied)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feat(authorization): query parameter filtering (#3990) This allows for advanced filtering of the query parameters in ACL's. Closes #2708
2022-10-19 03:09:22 +00:00
func (s *AuthorizerSuite) TestShouldCheckQueryPolicy() {
tester := NewAuthorizerBuilder().
WithDefaultPolicy(deny).
WithRule(schema.ACLRule{
Domains: []string{"one.example.com"},
Query: [][]schema.ACLQueryRule{
{
{
Operator: operatorEqual,
Key: "test",
Value: "two",
},
{
Operator: operatorAbsent,
Key: "admin",
},
},
{
{
Operator: operatorPresent,
Key: "public",
},
},
},
Policy: oneFactor,
}).
WithRule(schema.ACLRule{
Domains: []string{"two.example.com"},
Query: [][]schema.ACLQueryRule{
{
{
Operator: operatorEqual,
Key: "test",
Value: "one",
},
},
{
{
Operator: operatorEqual,
Key: "test",
Value: "two",
},
},
},
Policy: twoFactor,
}).
WithRule(schema.ACLRule{
Domains: []string{"three.example.com"},
Query: [][]schema.ACLQueryRule{
{
{
Operator: operatorNotEqual,
Key: "test",
Value: "one",
},
{
Operator: operatorNotEqual,
Key: "test",
Value: "two",
},
},
},
Policy: twoFactor,
}).
WithRule(schema.ACLRule{
Domains: []string{"four.example.com"},
Query: [][]schema.ACLQueryRule{
{
{
Operator: operatorPattern,
Key: "test",
Value: regexp.MustCompile(`^(one|two|three)$`),
},
},
},
Policy: twoFactor,
}).
WithRule(schema.ACLRule{
Domains: []string{"five.example.com"},
Query: [][]schema.ACLQueryRule{
{
{
Operator: operatorNotPattern,
Key: "test",
Value: regexp.MustCompile(`^(one|two|three)$`),
},
},
},
Policy: twoFactor,
}).
Build()
testCases := []struct {
name, requestURL string
expected Level
}{
{"ShouldDenyAbsentRule", "https://one.example.com/?admin=true", Denied},
{"ShouldAllow1FAPresentRule", "https://one.example.com/?public=true", OneFactor},
{"ShouldAllow1FAEqualRule", "https://one.example.com/?test=two", OneFactor},
{"ShouldDenyAbsentRuleWithMatchingPresentRule", "https://one.example.com/?test=two&admin=true", Denied},
{"ShouldAllow2FARuleWithOneMatchingEqual", "https://two.example.com/?test=one&admin=true", TwoFactor},
{"ShouldAllow2FARuleWithAnotherMatchingEqual", "https://two.example.com/?test=two&admin=true", TwoFactor},
{"ShouldDenyRuleWithNotMatchingEqual", "https://two.example.com/?test=three&admin=true", Denied},
{"ShouldDenyRuleWithNotMatchingNotEqualAND1", "https://three.example.com/?test=one", Denied},
{"ShouldDenyRuleWithNotMatchingNotEqualAND2", "https://three.example.com/?test=two", Denied},
{"ShouldAllowRuleWithMatchingNotEqualAND", "https://three.example.com/?test=three", TwoFactor},
{"ShouldAllowRuleWithMatchingPatternOne", "https://four.example.com/?test=one", TwoFactor},
{"ShouldAllowRuleWithMatchingPatternTwo", "https://four.example.com/?test=two", TwoFactor},
{"ShouldAllowRuleWithMatchingPatternThree", "https://four.example.com/?test=three", TwoFactor},
{"ShouldDenyRuleWithNotMatchingPattern", "https://four.example.com/?test=five", Denied},
{"ShouldAllowRuleWithMatchingNotPattern", "https://five.example.com/?test=five", TwoFactor},
{"ShouldDenyRuleWithNotMatchingNotPatternOne", "https://five.example.com/?test=one", Denied},
{"ShouldDenyRuleWithNotMatchingNotPatternTwo", "https://five.example.com/?test=two", Denied},
{"ShouldDenyRuleWithNotMatchingNotPatternThree", "https://five.example.com/?test=three", Denied},
}
for _, tc := range testCases {
s.T().Run(tc.name, func(t *testing.T) {
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(t, UserWithGroups, tc.requestURL, fasthttp.MethodGet, tc.expected)
feat(authorization): query parameter filtering (#3990) This allows for advanced filtering of the query parameters in ACL's. Closes #2708
2022-10-19 03:09:22 +00:00
})
}
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
func (s *AuthorizerSuite) TestShouldCheckRulePrecedence() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
[FEATURE] Support for subject combinations in ACLs (#1142)
2020-06-25 08:22:42 +00:00
Subjects: [][]string{{"user:john"}},
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"*.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: twoFactor,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), John, "https://public.example.com/", fasthttp.MethodGet, TwoFactor)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
func (s *AuthorizerSuite) TestShouldCheckDomainMatching() {
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
tester := NewAuthorizerBuilder().
WithRule(schema.ACLRule{
Domains: []string{"public.example.com"},
Policy: bypass,
}).
WithRule(schema.ACLRule{
Domains: []string{"one-factor.example.com"},
Policy: oneFactor,
}).
WithRule(schema.ACLRule{
Domains: []string{"two-factor.example.com"},
Policy: twoFactor,
}).
WithRule(schema.ACLRule{
Domains: []string{"*.example.com"},
Policy: oneFactor,
Subjects: [][]string{{"group:admins"}},
}).
WithRule(schema.ACLRule{
Domains: []string{"*.example.com"},
Policy: twoFactor,
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://public.example.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), John, "https://public.example.com:8080/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://public.example.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://public.example.com:8080", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example.com", fasthttp.MethodGet, Bypass)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://one-factor.example.com", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://one-factor.example.com", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one-factor.example.com", fasthttp.MethodGet, OneFactor)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://two-factor.example.com", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://two-factor.example.com", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://two-factor.example.com", fasthttp.MethodGet, TwoFactor)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://x.example.com", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://x.example.com", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://x.example.com", fasthttp.MethodGet, OneFactor)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
s.Require().Len(tester.rules, 5)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
s.Require().Len(tester.rules[0].Domains, 1)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("public.example.com", tester.config.AccessControl.Rules[0].Domains[0])
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher0, ok := tester.rules[0].Domains[0].Matcher.(*AccessControlDomainMatcher)
s.Require().True(ok)
s.Assert().Equal("public.example.com", ruleMatcher0.Name)
s.Assert().False(ruleMatcher0.Wildcard)
s.Assert().False(ruleMatcher0.UserWildcard)
s.Assert().False(ruleMatcher0.GroupWildcard)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
s.Require().Len(tester.rules[1].Domains, 1)
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("one-factor.example.com", tester.config.AccessControl.Rules[1].Domains[0])
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher1, ok := tester.rules[1].Domains[0].Matcher.(*AccessControlDomainMatcher)
s.Require().True(ok)
s.Assert().Equal("one-factor.example.com", ruleMatcher1.Name)
s.Assert().False(ruleMatcher1.Wildcard)
s.Assert().False(ruleMatcher1.UserWildcard)
s.Assert().False(ruleMatcher1.GroupWildcard)
s.Require().Len(tester.rules[2].Domains, 1)
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("two-factor.example.com", tester.config.AccessControl.Rules[2].Domains[0])
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher2, ok := tester.rules[2].Domains[0].Matcher.(*AccessControlDomainMatcher)
s.Require().True(ok)
s.Assert().Equal("two-factor.example.com", ruleMatcher2.Name)
s.Assert().False(ruleMatcher2.Wildcard)
s.Assert().False(ruleMatcher2.UserWildcard)
s.Assert().False(ruleMatcher2.GroupWildcard)
s.Require().Len(tester.rules[3].Domains, 1)
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("*.example.com", tester.config.AccessControl.Rules[3].Domains[0])
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher3, ok := tester.rules[3].Domains[0].Matcher.(*AccessControlDomainMatcher)
s.Require().True(ok)
s.Assert().Equal(".example.com", ruleMatcher3.Name)
s.Assert().True(ruleMatcher3.Wildcard)
s.Assert().False(ruleMatcher3.UserWildcard)
s.Assert().False(ruleMatcher3.GroupWildcard)
s.Require().Len(tester.rules[4].Domains, 1)
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("*.example.com", tester.config.AccessControl.Rules[4].Domains[0])
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher4, ok := tester.rules[4].Domains[0].Matcher.(*AccessControlDomainMatcher)
s.Require().True(ok)
s.Assert().Equal(".example.com", ruleMatcher4.Name)
s.Assert().True(ruleMatcher4.Wildcard)
s.Assert().False(ruleMatcher4.UserWildcard)
s.Assert().False(ruleMatcher4.GroupWildcard)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
}
func (s *AuthorizerSuite) TestShouldCheckDomainRegexMatching() {
createSliceRegexRule := func(t *testing.T, rules []string) []regexp.Regexp {
result, err := stringSliceToRegexpSlice(rules)
require.NoError(t, err)
return result
}
tester := NewAuthorizerBuilder().
WithRule(schema.ACLRule{
DomainsRegex: createSliceRegexRule(s.T(), []string{`^.*\.example.com$`}),
Policy: bypass,
}).
WithRule(schema.ACLRule{
DomainsRegex: createSliceRegexRule(s.T(), []string{`^.*\.example2.com$`}),
Policy: oneFactor,
}).
WithRule(schema.ACLRule{
DomainsRegex: createSliceRegexRule(s.T(), []string{`^(?P<User>[a-zA-Z0-9]+)\.regex.com$`}),
Policy: oneFactor,
}).
WithRule(schema.ACLRule{
DomainsRegex: createSliceRegexRule(s.T(), []string{`^group-(?P<Group>[a-zA-Z0-9]+)\.regex.com$`}),
Policy: twoFactor,
}).
WithRule(schema.ACLRule{
DomainsRegex: createSliceRegexRule(s.T(), []string{`^.*\.(one|two).com$`}),
Policy: twoFactor,
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://john.regex.com", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://john.regex.com", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), Bob, "https://public.example.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example2.com", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), John, "https://group-dev.regex.com", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://group-dev.regex.com", fasthttp.MethodGet, Denied)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
s.Require().Len(tester.rules, 5)
s.Require().Len(tester.rules[0].Domains, 1)
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("^.*\\.example.com$", tester.config.AccessControl.Rules[0].DomainsRegex[0].String())
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher0, ok := tester.rules[0].Domains[0].Matcher.(RegexpStringSubjectMatcher)
s.Require().True(ok)
s.Assert().Equal("^.*\\.example.com$", ruleMatcher0.String())
s.Require().Len(tester.rules[1].Domains, 1)
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("^.*\\.example2.com$", tester.config.AccessControl.Rules[1].DomainsRegex[0].String())
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher1, ok := tester.rules[1].Domains[0].Matcher.(RegexpStringSubjectMatcher)
s.Require().True(ok)
s.Assert().Equal("^.*\\.example2.com$", ruleMatcher1.String())
s.Require().Len(tester.rules[2].Domains, 1)
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("^(?P<User>[a-zA-Z0-9]+)\\.regex.com$", tester.config.AccessControl.Rules[2].DomainsRegex[0].String())
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher2, ok := tester.rules[2].Domains[0].Matcher.(RegexpGroupStringSubjectMatcher)
s.Require().True(ok)
s.Assert().Equal("^(?P<User>[a-zA-Z0-9]+)\\.regex.com$", ruleMatcher2.String())
s.Require().Len(tester.rules[3].Domains, 1)
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("^group-(?P<Group>[a-zA-Z0-9]+)\\.regex.com$", tester.config.AccessControl.Rules[3].DomainsRegex[0].String())
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher3, ok := tester.rules[3].Domains[0].Matcher.(RegexpGroupStringSubjectMatcher)
s.Require().True(ok)
s.Assert().Equal("^group-(?P<Group>[a-zA-Z0-9]+)\\.regex.com$", ruleMatcher3.String())
s.Require().Len(tester.rules[4].Domains, 1)
fix(authorization): regex subj doesn't redirect anon user (#4037) This fixes an issue with the authorization policies where if the Domain Regex or Resources criteria would incorrectly return 403 Forbidden statuses instead of 302 Found statuses. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
2022-09-26 04:33:08 +00:00
s.Assert().Equal("^.*\\.(one|two).com$", tester.config.AccessControl.Rules[4].DomainsRegex[0].String())
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher4, ok := tester.rules[4].Domains[0].Matcher.(RegexpStringSubjectMatcher)
s.Require().True(ok)
s.Assert().Equal("^.*\\.(one|two).com$", ruleMatcher4.String())
}
func (s *AuthorizerSuite) TestShouldCheckResourceSubjectMatching() {
createSliceRegexRule := func(t *testing.T, rules []string) []regexp.Regexp {
result, err := stringSliceToRegexpSlice(rules)
require.NoError(t, err)
return result
}
tester := NewAuthorizerBuilder().
WithRule(schema.ACLRule{
Domains: []string{"id.example.com"},
Policy: oneFactor,
Resources: createSliceRegexRule(s.T(), []string{`^/(?P<User>[a-zA-Z0-9]+)/personal(/|/.*)?$`, `^/(?P<Group>[a-zA-Z0-9]+)/group(/|/.*)?$`}),
}).
WithRule(schema.ACLRule{
Domains: []string{"id.example.com"},
Policy: deny,
Resources: createSliceRegexRule(s.T(), []string{`^/([a-zA-Z0-9]+)/personal(/|/.*)?$`, `^/([a-zA-Z0-9]+)/group(/|/.*)?$`}),
}).
WithRule(schema.ACLRule{
Domains: []string{"id.example.com"},
Policy: bypass,
}).
Build()
// Accessing the unprotected root.
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://id.example.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com", fasthttp.MethodGet, Bypass)
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
// Accessing Personal page.
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://id.example.com/john/personal", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), John, "https://id.example.com/John/personal", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/bob/personal", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/Bob/personal", fasthttp.MethodGet, OneFactor)
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
// Accessing an invalid users Personal page.
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://id.example.com/invaliduser/personal", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/invaliduser/personal", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/invaliduser/personal", fasthttp.MethodGet, OneFactor)
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
// Accessing another users Personal page.
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://id.example.com/bob/personal", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/bob/personal", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), John, "https://id.example.com/Bob/personal", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/Bob/personal", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/john/personal", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/john/personal", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/John/personal", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/John/personal", fasthttp.MethodGet, OneFactor)
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
// Accessing a Group page.
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://id.example.com/dev/group", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), John, "https://id.example.com/admins/group", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/dev/group", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/admins/group", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/dev/group", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/admins/group", fasthttp.MethodGet, OneFactor)
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
// Accessing an invalid group's Group page.
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://id.example.com/invalidgroup/group", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/invalidgroup/group", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/invalidgroup/group", fasthttp.MethodGet, OneFactor)
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
s.Require().Len(tester.rules, 3)
s.Require().Len(tester.rules[0].Resources, 2)
ruleMatcher00, ok := tester.rules[0].Resources[0].Matcher.(RegexpGroupStringSubjectMatcher)
s.Require().True(ok)
s.Assert().Equal("^/(?P<User>[a-zA-Z0-9]+)/personal(/|/.*)?$", ruleMatcher00.String())
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher01, ok := tester.rules[0].Resources[1].Matcher.(RegexpGroupStringSubjectMatcher)
s.Require().True(ok)
s.Assert().Equal("^/(?P<Group>[a-zA-Z0-9]+)/group(/|/.*)?$", ruleMatcher01.String())
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
s.Require().Len(tester.rules[1].Resources, 2)
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher10, ok := tester.rules[1].Resources[0].Matcher.(RegexpStringSubjectMatcher)
s.Require().True(ok)
s.Assert().Equal("^/([a-zA-Z0-9]+)/personal(/|/.*)?$", ruleMatcher10.String())
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
ruleMatcher11, ok := tester.rules[1].Resources[1].Matcher.(RegexpStringSubjectMatcher)
s.Require().True(ok)
s.Assert().Equal("^/([a-zA-Z0-9]+)/group(/|/.*)?$", ruleMatcher11.String())
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
func (s *AuthorizerSuite) TestShouldCheckUserMatching() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
[FEATURE] Support for subject combinations in ACLs (#1142)
2020-06-25 08:22:42 +00:00
Subjects: [][]string{{"user:john"}},
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", fasthttp.MethodGet, Denied)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
func (s *AuthorizerSuite) TestShouldCheckGroupMatching() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
[FEATURE] Support for subject combinations in ACLs (#1142)
2020-06-25 08:22:42 +00:00
Subjects: [][]string{{"group:admins"}},
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", fasthttp.MethodGet, Denied)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
func (s *AuthorizerSuite) TestShouldCheckSubjectsMatching() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
WithRule(schema.ACLRule{
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
[FEATURE] Support for subject combinations in ACLs (#1142)
2020-06-25 08:22:42 +00:00
Subjects: [][]string{{"group:admins"}, {"user:bob"}},
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Sam, "https://protected.example.com/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", fasthttp.MethodGet, OneFactor)
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
}
[FEATURE] Support for subject combinations in ACLs (#1142)
2020-06-25 08:22:42 +00:00
func (s *AuthorizerSuite) TestShouldCheckMultipleSubjectsMatching() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
[FEATURE] Support for subject combinations in ACLs (#1142)
2020-06-25 08:22:42 +00:00
WithRule(schema.ACLRule{
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
[FEATURE] Support for subject combinations in ACLs (#1142)
2020-06-25 08:22:42 +00:00
Subjects: [][]string{{"group:admins", "user:bob"}, {"group:admins", "group:dev"}},
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", fasthttp.MethodGet, OneFactor)
[FEATURE] Support for subject combinations in ACLs (#1142)
2020-06-25 08:22:42 +00:00
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
func (s *AuthorizerSuite) TestShouldCheckIPMatching() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
Networks: []string{"192.168.1.8", "10.0.0.8"},
}).
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
Networks: []string{"10.0.0.7"},
}).
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"net.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: twoFactor,
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
Networks: []string{"10.0.0.0/8"},
}).
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
WithRule(schema.ACLRule{
Domains: []string{"ipv6.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: twoFactor,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
Networks: []string{"fec0::1/64"},
}).
WithRule(schema.ACLRule{
Domains: []string{"ipv6-alt.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: twoFactor,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
Networks: []string{"fec0::1"},
}).
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", fasthttp.MethodGet, Denied)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://net.example.com/", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://net.example.com/", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://net.example.com/", fasthttp.MethodGet, Denied)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), Sally, "https://ipv6-alt.example.com/", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), Sam, "https://ipv6-alt.example.com/", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), Sally, "https://ipv6.example.com/", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), Sam, "https://ipv6.example.com/", fasthttp.MethodGet, TwoFactor)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}
func (s *AuthorizerSuite) TestShouldCheckMethodMatching() {
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
WithRule(schema.ACLRule{
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
Methods: []string{fasthttp.MethodOptions, fasthttp.MethodHead, fasthttp.MethodGet, fasthttp.MethodConnect, fasthttp.MethodTrace},
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
Methods: []string{fasthttp.MethodPut, fasthttp.MethodPatch, fasthttp.MethodPost},
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
Domains: []string{"protected.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: twoFactor,
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
Methods: []string{fasthttp.MethodDelete},
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", fasthttp.MethodOptions, Bypass)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", fasthttp.MethodHead, Bypass)
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", fasthttp.MethodConnect, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", fasthttp.MethodTrace, Bypass)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", fasthttp.MethodPut, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", fasthttp.MethodPatch, OneFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", fasthttp.MethodPost, OneFactor)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", fasthttp.MethodDelete, TwoFactor)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
func (s *AuthorizerSuite) TestShouldCheckResourceMatching() {
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
createSliceRegexRule := func(t *testing.T, rules []string) []regexp.Regexp {
result, err := stringSliceToRegexpSlice(rules)
require.NoError(t, err)
return result
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"resource.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
fix(authorization): object path not normalized (#3661) This fixes an issue where the object path is not normalized.
2022-07-05 01:32:10 +00:00
Resources: createSliceRegexRule(s.T(), []string{"^/case/[a-z]+$", "^/$"}),
}).
WithRule(schema.ACLRule{
Domains: []string{"resource.example.com"},
Policy: bypass,
Resources: createSliceRegexRule(s.T(), []string{"^/bypass/.*$", "^/$", "embedded"}),
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
WithRule(schema.ACLRule{
[FEATURE] Support multiple domains and multiple subjects in ACLs (#869) * added support for listing multiple domains and multiple subjects * updated documentation to show use of multiple domains and subjects * updated config.template.yml to display multiple domains as a list * updated config.template.yml to display multiple subjects as a list * updated docs/configuration/access-control.md to display multiple domains as a list * updated docs/configuration/access-control.md to display multiple subjects as a list * removed redundant check that always returned true * Commentary definition for `weak`
2020-04-16 00:18:11 +00:00
Domains: []string{"resource.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
fix(authorization): object path not normalized (#3661) This fixes an issue where the object path is not normalized.
2022-07-05 01:32:10 +00:00
Resources: createSliceRegexRule(s.T(), []string{"^/one_factor/.*$"}),
}).
WithRule(schema.ACLRule{
Domains: []string{"resource.example.com"},
Policy: twoFactor,
Resources: createSliceRegexRule(s.T(), []string{"^/a/longer/rule/.*$"}),
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}).
fix(authorization): final slash in url matches ignored (#3717) This fixes an issue with the URL matching machinery which ignores the final slash of a URL. Introduced in 664d65d7fb4cd77f66629dc42c0a2c4a3ccc36a4. Fixes #3692
2022-07-18 04:59:13 +00:00
WithRule(schema.ACLRule{
Domains: []string{"resource.example.com"},
Policy: twoFactor,
Resources: createSliceRegexRule(s.T(), []string{"^/an/exact/path/$"}),
}).
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/abc", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/one_factor/abc", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/xyz/embedded/abc", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/case/abc", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/case/ABC", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/an/exact/path/", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/../a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/..//a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/..%2f/a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/..%2fa/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/..%2F/a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/..%2Fa/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2e%2e/a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2e%2e//a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2e%2e%2f/a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2e%2e%2fa/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2e%2e%2F/a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2e%2e%2Fa/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2E%2E/a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2E%2E//a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2E%2E%2f/a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2E%2E%2fa/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2E%2E%2F/a/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2E%2E%2Fa/longer/rule/abc", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/%2E%2E%2Fan/exact/path/", fasthttp.MethodGet, TwoFactor)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}
// This test assures that rules without domains (not allowed by schema validator at this time) will pass validation correctly.
func (s *AuthorizerSuite) TestShouldMatchAnyDomainIfBlank() {
tester := NewAuthorizerBuilder().
WithRule(schema.ACLRule{
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
Methods: []string{fasthttp.MethodOptions, fasthttp.MethodHead, fasthttp.MethodGet, fasthttp.MethodConnect, fasthttp.MethodTrace},
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
Methods: []string{fasthttp.MethodPut, fasthttp.MethodPatch},
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: twoFactor,
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
Methods: []string{fasthttp.MethodDelete},
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://one.domain-four.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-three.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-two.com", fasthttp.MethodOptions, Bypass)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://one.domain-four.com", fasthttp.MethodPut, OneFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-three.com", fasthttp.MethodPatch, OneFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-two.com", fasthttp.MethodPut, OneFactor)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://one.domain-four.com", fasthttp.MethodDelete, TwoFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-three.com", fasthttp.MethodDelete, TwoFactor)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-two.com", fasthttp.MethodDelete, TwoFactor)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://one.domain-four.com", fasthttp.MethodPost, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-three.com", fasthttp.MethodPost, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-two.com", fasthttp.MethodPost, Denied)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}
func (s *AuthorizerSuite) TestShouldMatchResourceWithSubjectRules() {
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
createSliceRegexRule := func(t *testing.T, rules []string) []regexp.Regexp {
result, err := stringSliceToRegexpSlice(rules)
require.NoError(t, err)
return result
}
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
tester := NewAuthorizerBuilder().
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
WithDefaultPolicy(deny).
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
WithRule(schema.ACLRule{
Domains: []string{"public.example.com"},
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
Resources: createSliceRegexRule(s.T(), []string{"^/admin/.*$"}),
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
Subjects: [][]string{{"group:admins"}},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: oneFactor,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
Domains: []string{"public.example.com"},
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
Resources: createSliceRegexRule(s.T(), []string{"^/admin/.*$"}),
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: deny,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
Domains: []string{"public.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
Domains: []string{"public2.example.com"},
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
Resources: createSliceRegexRule(s.T(), []string{"^/admin/.*$"}),
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
Subjects: [][]string{{"group:admins"}},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
Domains: []string{"public2.example.com"},
feat(authorization): domain regex match with named groups (#2789) This adds an option to match domains by regex including two special named matching groups. User matches the username of the user, and Group matches the groups a user is a member of. These are both case-insensitive and you can see examples in the docs.
2022-04-01 11:38:49 +00:00
Resources: createSliceRegexRule(s.T(), []string{"^/admin/.*$"}),
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: deny,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
Domains: []string{"public2.example.com"},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: bypass,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
WithRule(schema.ACLRule{
Domains: []string{"private.example.com"},
Subjects: [][]string{{"group:admins"}},
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
Policy: twoFactor,
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
}).
Build()
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://public.example.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://public.example.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example.com", fasthttp.MethodGet, Bypass)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://public.example.com/admin/index.html", fasthttp.MethodGet, OneFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://public.example.com/admin/index.html", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example.com/admin/index.html", fasthttp.MethodGet, OneFactor)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://public2.example.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://public2.example.com", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public2.example.com", fasthttp.MethodGet, Bypass)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://public2.example.com/admin/index.html", fasthttp.MethodGet, Bypass)
tester.CheckAuthorizations(s.T(), Bob, "https://public2.example.com/admin/index.html", fasthttp.MethodGet, Denied)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
// This test returns this result since we validate the schema instead of validating it in code.
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public2.example.com/admin/index.html", fasthttp.MethodGet, Bypass)
perf(authorizer): preload access control lists (#1640) * adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
2021-03-05 04:18:31 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
tester.CheckAuthorizations(s.T(), John, "https://private.example.com", fasthttp.MethodGet, TwoFactor)
tester.CheckAuthorizations(s.T(), Bob, "https://private.example.com", fasthttp.MethodGet, Denied)
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://private.example.com", fasthttp.MethodGet, TwoFactor)
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 03:15:01 +00:00
refactor: http verbs etc (#5248) Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-04-15 05:03:14 +00:00
results := tester.GetRuleMatchResults(John, "https://private.example.com", fasthttp.MethodGet)
feat(commands): add access-control check-policy command (#2871) This adds an access-control command that checks the policy enforcement for a given criteria using a configuration file and refactors the configuration validation command to include all configuration sources.
2022-02-28 03:15:01 +00:00
feat(authorization): acl resource regex named groups (#3597) This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 02:51:05 +00:00
s.Require().Len(results, 7)
s.Assert().False(results[0].IsMatch())
s.Assert().False(results[0].MatchDomain)
s.Assert().False(results[0].MatchResources)
s.Assert().True(results[0].MatchSubjects)
s.Assert().True(results[0].MatchNetworks)
s.Assert().True(results[0].MatchMethods)
s.Assert().False(results[1].IsMatch())
s.Assert().False(results[1].MatchDomain)
s.Assert().False(results[1].MatchResources)
s.Assert().True(results[1].MatchSubjects)
s.Assert().True(results[1].MatchNetworks)
s.Assert().True(results[1].MatchMethods)
s.Assert().False(results[2].IsMatch())
s.Assert().False(results[2].MatchDomain)
s.Assert().True(results[2].MatchResources)
s.Assert().True(results[2].MatchSubjects)
s.Assert().True(results[2].MatchNetworks)
s.Assert().True(results[2].MatchMethods)
s.Assert().False(results[3].IsMatch())
s.Assert().False(results[3].MatchDomain)
s.Assert().False(results[3].MatchResources)
s.Assert().True(results[3].MatchSubjects)
s.Assert().True(results[3].MatchNetworks)
s.Assert().True(results[3].MatchMethods)
s.Assert().False(results[4].IsMatch())
s.Assert().False(results[4].MatchDomain)
s.Assert().False(results[4].MatchResources)
s.Assert().True(results[4].MatchSubjects)
s.Assert().True(results[4].MatchNetworks)
s.Assert().True(results[4].MatchMethods)
s.Assert().False(results[5].IsMatch())
s.Assert().False(results[5].MatchDomain)
s.Assert().True(results[5].MatchResources)
s.Assert().True(results[5].MatchSubjects)
s.Assert().True(results[5].MatchNetworks)
s.Assert().True(results[5].MatchMethods)
s.Assert().True(results[6].IsMatch())
s.Assert().True(results[6].MatchDomain)
s.Assert().True(results[6].MatchResources)
s.Assert().True(results[6].MatchSubjects)
s.Assert().True(results[6].MatchNetworks)
s.Assert().True(results[6].MatchMethods)
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
}
[FIX] Redirect to default URL after 1FA when default policy is one_factor. (#611) * Redirect to default URL after 1FA when default policy is one_factor. User is now redirected to the default redirection URL after 1FA if the default policy is set to one_factor and there is no target URL or if the target URL is unsafe. Also, if the default policy is set to one_factor and the user is already authenticated, if she visits the login portal, the 'already authenticated' view is displayed with a logout button. This fixes #581. * Update users.yml * Fix permissions issue causing suite test failure
2020-02-04 21:18:02 +00:00
func (s *AuthorizerSuite) TestPolicyToLevel() {
refactor: const int type stringers (#4588)
2022-12-17 12:39:24 +00:00
s.Assert().Equal(Bypass, NewLevel(bypass))
s.Assert().Equal(OneFactor, NewLevel(oneFactor))
s.Assert().Equal(TwoFactor, NewLevel(twoFactor))
s.Assert().Equal(Denied, NewLevel(deny))
[FIX] Redirect to default URL after 1FA when default policy is one_factor. (#611) * Redirect to default URL after 1FA when default policy is one_factor. User is now redirected to the default redirection URL after 1FA if the default policy is set to one_factor and there is no target URL or if the target URL is unsafe. Also, if the default policy is set to one_factor and the user is already authenticated, if she visits the login portal, the 'already authenticated' view is displayed with a logout button. This fixes #581. * Update users.yml * Fix permissions issue causing suite test failure
2020-02-04 21:18:02 +00:00
refactor: const int type stringers (#4588)
2022-12-17 12:39:24 +00:00
s.Assert().Equal(Denied, NewLevel("whatever"))
[FIX] Redirect to default URL after 1FA when default policy is one_factor. (#611) * Redirect to default URL after 1FA when default policy is one_factor. User is now redirected to the default redirection URL after 1FA if the default policy is set to one_factor and there is no target URL or if the target URL is unsafe. Also, if the default policy is set to one_factor and the user is already authenticated, if she visits the login portal, the 'already authenticated' view is displayed with a logout button. This fixes #581. * Update users.yml * Fix permissions issue causing suite test failure
2020-02-04 21:18:02 +00:00
}
Bootstrap Go implementation of Authelia. This is going to be the v4. Expected improvements: - More reliable due to static typing. - Bump of performance. - Improvement of logging. - Authelia can be shipped as a single binary. - Will likely work on ARM architecture.
2019-04-24 21:52:08 +00:00
func TestRunSuite(t *testing.T) {
s := AuthorizerSuite{}
suite.Run(t, &s)
}
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
func TestNewAuthorizer(t *testing.T) {
config := &schema.Configuration{
AccessControl: schema.AccessControlConfiguration{
DefaultPolicy: deny,
Rules: []schema.ACLRule{
{
Domains: []string{"example.com"},
Policy: twoFactor,
Subjects: [][]string{
{
"user:admin",
},
{
"group:admins",
},
},
},
},
},
}
authorizer := NewAuthorizer(config)
assert.Equal(t, Denied, authorizer.defaultPolicy)
assert.Equal(t, TwoFactor, authorizer.rules[0].Policy)
user, ok := authorizer.rules[0].Subjects[0].Subjects[0].(AccessControlUser)
require.True(t, ok)
assert.Equal(t, "admin", user.Name)
group, ok := authorizer.rules[0].Subjects[1].Subjects[0].(AccessControlGroup)
require.True(t, ok)
assert.Equal(t, "admins", group.Name)
}
func TestAuthorizerIsSecondFactorEnabledRuleWithNoOIDC(t *testing.T) {
config := &schema.Configuration{
AccessControl: schema.AccessControlConfiguration{
DefaultPolicy: deny,
Rules: []schema.ACLRule{
{
Domains: []string{"example.com"},
Policy: oneFactor,
},
},
},
}
authorizer := NewAuthorizer(config)
assert.False(t, authorizer.IsSecondFactorEnabled())
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
config.AccessControl.Rules[0].Policy = twoFactor
authorizer = NewAuthorizer(config)
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
assert.True(t, authorizer.IsSecondFactorEnabled())
}
func TestAuthorizerIsSecondFactorEnabledRuleWithOIDC(t *testing.T) {
config := &schema.Configuration{
AccessControl: schema.AccessControlConfiguration{
DefaultPolicy: deny,
Rules: []schema.ACLRule{
{
Domains: []string{"example.com"},
Policy: oneFactor,
},
},
},
feat(oidc): jwk selection by id (#5464) This adds support for JWK selection by ID on a per-client basis, and allows multiple JWK's for the same algorithm. Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-22 11:14:32 +00:00
IdentityProviders: schema.IdentityProviders{
OIDC: &schema.OpenIDConnect{
Clients: []schema.OpenIDConnectClient{
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
{
Policy: oneFactor,
},
},
},
},
}
authorizer := NewAuthorizer(config)
assert.False(t, authorizer.IsSecondFactorEnabled())
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
config.AccessControl.Rules[0].Policy = twoFactor
authorizer = NewAuthorizer(config)
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
assert.True(t, authorizer.IsSecondFactorEnabled())
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
config.AccessControl.Rules[0].Policy = oneFactor
authorizer = NewAuthorizer(config)
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
assert.False(t, authorizer.IsSecondFactorEnabled())
config.IdentityProviders.OIDC.Clients[0].Policy = twoFactor
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
authorizer = NewAuthorizer(config)
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
assert.True(t, authorizer.IsSecondFactorEnabled())
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
config.AccessControl.Rules[0].Policy = oneFactor
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
config.IdentityProviders.OIDC.Clients[0].Policy = oneFactor
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
authorizer = NewAuthorizer(config)
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
assert.False(t, authorizer.IsSecondFactorEnabled())
fix(handlers): consent session prevents standard flow (#3668) This fixes an issue where consent sessions prevent the standard workflow.
2022-07-26 05:43:39 +00:00
config.AccessControl.DefaultPolicy = twoFactor
authorizer = NewAuthorizer(config)
fix(authorization): configuration reports 2fa disabled with 2fa oidc clients (#2089) This resolves an issue where if you have zero two_factor ACL rules but enabled two_factor OIDC clients, 2FA is reported as disabled.
2021-06-18 01:38:01 +00:00
assert.True(t, authorizer.IsSecondFactorEnabled())
}