feat(authorization): acl resource regex named groups (#3597)

This adds the named group functionality from domain_regex to the resource criteria.
2022-06-28 12:51:05 +10:00 · 2022-06-28 12:51:05 +10:00 · ab1d0c51d3
parent 19a543289b
commit ab1d0c51d3
9 changed files with 366 additions and 168 deletions
--- a/docs/content/en/configuration/security/access-control.md
+++ b/docs/content/en/configuration/security/access-control.md
@ -186,18 +186,7 @@ strings. When it's a list of strings the rule matches when __any__ of the domain
 When used in conjunction with [domain](#domain) the rule will match when either the [domain](#domain) or the
 [domain_regex](#domain_regex) criteria matches.

-This criteria takes any standard go regex pattern to match the requests. We additionally utilize two special named match
-groups which match attributes of the user:
-
-| Group Name |    Match Value    |
-|:----------:|:-----------------:|
-|    User    |     username      |
-|   Group    | groups (contains) |
-
-For the group match it matches if the user has any group name that matches, and both matches are case-insensitive due to
-the fact domain names should not be compared in a case-sensitive way as per the
-[RFC4343](https://www.rfc-editor.org/rfc/rfc4343.html) abstract and
-[RFC3986 Section 3.2.2](https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2).
+In addition to standard regex patterns this criteria can match some [Named Regex Groups](#named-regex-groups).

 #### Examples

@ -395,6 +384,8 @@ strings. If any one of the regular expressions in the list matches the request i
 for debugging these regular expressions is called [Regex 101](https://regex101.com/) (ensure you pick the `Golang`
 option).

+In addition to standard regex patterns this criteria can match some [Named Regex Groups](#named-regex-groups).
+
 *__Note:__ Prior to 4.27.0 the regular expressions only matched the path excluding the query parameters. After 4.27.0
 they match the entire path including the query parameters. When upgrading you may be required to alter some of your
 resource rules to get them to operate as they previously did.*
@ -456,6 +447,20 @@ performed 2FA then they will be allowed to access the resource.
 This policy requires the user to complete 2FA successfully. This is currently the highest level of authentication
 policy available.

+## Named Regex Groups
+
+Some criteria allow matching named regex groups. These are the groups we accept:
+
+| Group Name |    Match Value    |
+|:----------:|:-----------------:|
+|    User    |     username      |
+|   Group    | groups (contains) |
+
+For the group name `Group` the regex pattern matches if the user has the specific group name matching the pattern. Both
+regex groups are case-insensitive due to the fact that the regex groups are used in domain criteria and domain names
+should not be compared in a case-sensitive way as per the [RFC4343](https://www.rfc-editor.org/rfc/rfc4343.html)
+abstract and [RFC3986 Section 3.2.2](https://www.rfc-editor.org/rfc/rfc3986#section-3.2.2).
+
 ## Detailed example

 Here is a detailed example of an example access control section:
--- a/internal/authorization/access_control_domain.go
+++ b/internal/authorization/access_control_domain.go
@ -9,60 +9,30 @@ import (
 )

 // NewAccessControlDomain creates a new SubjectObjectMatcher that matches the domain as a basic string.
-func NewAccessControlDomain(domain string) SubjectObjectMatcher {
-	d := AccessControlDomain{}
-
+func NewAccessControlDomain(domain string) AccessControlDomain {
+	m := &AccessControlDomainMatcher{}
 	domain = strings.ToLower(domain)

 	switch {
 	case strings.HasPrefix(domain, "*."):
-		d.Wildcard = true
-		d.Name = domain[1:]
+		m.Wildcard = true
+		m.Name = domain[1:]
 	case strings.HasPrefix(domain, "{user}"):
-		d.UserWildcard = true
-		d.Name = domain[7:]
+		m.UserWildcard = true
+		m.Name = domain[7:]
 	case strings.HasPrefix(domain, "{group}"):
-		d.GroupWildcard = true
-		d.Name = domain[8:]
+		m.GroupWildcard = true
+		m.Name = domain[8:]
 	default:
-		d.Name = domain
+		m.Name = domain
 	}

-	return d
-}
-
-// AccessControlDomain represents an ACL domain.
-type AccessControlDomain struct {
-	Name          string
-	Wildcard      bool
-	UserWildcard  bool
-	GroupWildcard bool
-}
-
-// IsMatch returns true if the ACL domain matches the object domain.
-func (acl AccessControlDomain) IsMatch(subject Subject, object Object) (match bool) {
-	switch {
-	case acl.Wildcard:
-		return strings.HasSuffix(object.Domain, acl.Name)
-	case acl.UserWildcard:
-		return object.Domain == fmt.Sprintf("%s.%s", subject.Username, acl.Name)
-	case acl.GroupWildcard:
-		prefix, suffix := domainToPrefixSuffix(object.Domain)
-
-		return suffix == acl.Name && utils.IsStringInSliceFold(prefix, subject.Groups)
-	default:
-		return object.Domain == acl.Name
-	}
-}
-
-// String returns a string representation of the SubjectObjectMatcher rule.
-func (acl AccessControlDomain) String() string {
-	return fmt.Sprintf("domain:%s", acl.Name)
+	return AccessControlDomain{m}
 }

 // NewAccessControlDomainRegex creates a new SubjectObjectMatcher that matches the domain either in a basic way or
 // dynamic User/Group subexpression group way.
-func NewAccessControlDomainRegex(pattern regexp.Regexp) SubjectObjectMatcher {
+func NewAccessControlDomainRegex(pattern regexp.Regexp) AccessControlDomain {
 	var iuser, igroup = -1, -1

 	for i, group := range pattern.SubexpNames() {
@ -75,53 +45,42 @@ func NewAccessControlDomainRegex(pattern regexp.Regexp) SubjectObjectMatcher {
 	}

 	if iuser != -1 || igroup != -1 {
-		return AccessControlDomainRegex{Pattern: pattern, SubexpNameUser: iuser, SubexpNameGroup: igroup}
+		return AccessControlDomain{RegexpGroupStringSubjectMatcher{pattern, iuser, igroup}}
 	}

-	return AccessControlDomainRegexBasic{Pattern: pattern}
+	return AccessControlDomain{RegexpStringSubjectMatcher{pattern}}
 }

-// AccessControlDomainRegexBasic represents a basic domain regex SubjectObjectMatcher.
-type AccessControlDomainRegexBasic struct {
-	Pattern regexp.Regexp
+// AccessControlDomainMatcher is the basic domain matcher.
+type AccessControlDomainMatcher struct {
+	Name          string
+	Wildcard      bool
+	UserWildcard  bool
+	GroupWildcard bool
 }

-// IsMatch returns true if the ACL regex matches the object domain.
-func (acl AccessControlDomainRegexBasic) IsMatch(_ Subject, object Object) (match bool) {
-	return acl.Pattern.MatchString(object.Domain)
-}
+// IsMatch returns true if this rule matches.
+func (m AccessControlDomainMatcher) IsMatch(domain string, subject Subject) (match bool) {
+	switch {
+	case m.Wildcard:
+		return strings.HasSuffix(domain, m.Name)
+	case m.UserWildcard:
+		return domain == fmt.Sprintf("%s.%s", subject.Username, m.Name)
+	case m.GroupWildcard:
+		prefix, suffix := domainToPrefixSuffix(domain)

-// String returns a text representation of a AccessControlDomainRegexBasic.
-func (acl AccessControlDomainRegexBasic) String() string {
-	return fmt.Sprintf("domain_regex:%s", acl.Pattern.String())
-}
-
-// AccessControlDomainRegex represents an ACL domain regex.
-type AccessControlDomainRegex struct {
-	Pattern         regexp.Regexp
-	SubexpNameUser  int
-	SubexpNameGroup int
-}
-
-// IsMatch returns true if the ACL regex matches the object domain.
-func (acl AccessControlDomainRegex) IsMatch(subject Subject, object Object) (match bool) {
-	matches := acl.Pattern.FindAllStringSubmatch(object.Domain, -1)
-	if matches == nil {
-		return false
+		return suffix == m.Name && utils.IsStringInSliceFold(prefix, subject.Groups)
+	default:
+		return strings.EqualFold(domain, m.Name)
 	}
-
-	if acl.SubexpNameUser != -1 && !strings.EqualFold(subject.Username, matches[0][acl.SubexpNameUser]) {
-		return false
-	}
-
-	if acl.SubexpNameGroup != -1 && !utils.IsStringInSliceFold(matches[0][acl.SubexpNameGroup], subject.Groups) {
-		return false
-	}
-
-	return true
 }

-// String returns a text representation of a AccessControlDomainRegex.
-func (acl AccessControlDomainRegex) String() string {
-	return fmt.Sprintf("domain_regex(subexp):%s", acl.Pattern.String())
+// AccessControlDomain represents an ACL domain.
+type AccessControlDomain struct {
+	Matcher StringSubjectMatcher
+}
+
+// IsMatch returns true if the ACL domain matches the object domain.
+func (acl AccessControlDomain) IsMatch(subject Subject, object Object) (match bool) {
+	return acl.Matcher.IsMatch(object.Domain, subject)
 }
--- a/internal/authorization/access_control_resource.go
+++ b/internal/authorization/access_control_resource.go
@ -4,12 +4,32 @@ import (
 	"regexp"
 )

-// AccessControlResource represents an ACL resource.
+// NewAccessControlResource creates a AccessControlResource or AccessControlResourceGroup.
+func NewAccessControlResource(pattern regexp.Regexp) AccessControlResource {
+	var iuser, igroup = -1, -1
+
+	for i, group := range pattern.SubexpNames() {
+		switch group {
+		case subexpNameUser:
+			iuser = i
+		case subexpNameGroup:
+			igroup = i
+		}
+	}
+
+	if iuser != -1 || igroup != -1 {
+		return AccessControlResource{RegexpGroupStringSubjectMatcher{pattern, iuser, igroup}}
+	}
+
+	return AccessControlResource{RegexpStringSubjectMatcher{pattern}}
+}
+
+// AccessControlResource represents an ACL resource that matches without named groups.
 type AccessControlResource struct {
-	Pattern regexp.Regexp
+	Matcher StringSubjectMatcher
 }

 // IsMatch returns true if the ACL resource match the object path.
-func (acr AccessControlResource) IsMatch(object Object) (match bool) {
-	return acr.Pattern.MatchString(object.Path)
+func (acl AccessControlResource) IsMatch(subject Subject, object Object) (match bool) {
+	return acl.Matcher.IsMatch(object.Path, subject)
 }
--- a/internal/authorization/access_control_rule.go
+++ b/internal/authorization/access_control_rule.go
@ -34,7 +34,7 @@ func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][
 // AccessControlRule controls and represents an ACL internally.
 type AccessControlRule struct {
 	Position  int
-	Domains   []SubjectObjectMatcher
+	Domains   []AccessControlDomain
 	Resources []AccessControlResource
 	Methods   []string
 	Networks  []*net.IPNet
@ -48,7 +48,7 @@ func (acr *AccessControlRule) IsMatch(subject Subject, object Object) (match boo
 		return false
 	}

-	if !isMatchForResources(object, acr) {
+	if !isMatchForResources(subject, object, acr) {
 		return false
 	}

@ -83,7 +83,7 @@ func isMatchForDomains(subject Subject, object Object, acl *AccessControlRule) (
 	return false
 }

-func isMatchForResources(object Object, acl *AccessControlRule) (match bool) {
+func isMatchForResources(subject Subject, object Object, acl *AccessControlRule) (match bool) {
 	// If there are no resources in this rule then the resource condition is a match.
 	if len(acl.Resources) == 0 {
 		return true
@ -91,7 +91,7 @@ func isMatchForResources(object Object, acl *AccessControlRule) (match bool) {

 	// Iterate over the resources until we find a match (return true) or until we exit the loop (return false).
 	for _, resource := range acl.Resources {
-		if resource.IsMatch(object) {
+		if resource.IsMatch(subject, object) {
 			return true
 		}
 	}
--- a/internal/authorization/authorizer.go
+++ b/internal/authorization/authorizer.go
@ -79,7 +79,7 @@ func (p Authorizer) GetRuleMatchResults(subject Subject, object Object) (results
 			Skipped: skipped,

 			MatchDomain:        isMatchForDomains(subject, object, rule),
-			MatchResources:     isMatchForResources(object, rule),
+			MatchResources:     isMatchForResources(subject, object, rule),
 			MatchMethods:       isMatchForMethods(object, rule),
 			MatchNetworks:      isMatchForNetworks(subject, rule),
 			MatchSubjects:      isMatchForSubjects(subject, rule),
--- a/internal/authorization/authorizer_test.go
+++ b/internal/authorization/authorizer_test.go
@ -231,7 +231,7 @@ func (s *AuthorizerSuite) TestShouldCheckRulePrecedence() {
 	tester.CheckAuthorizations(s.T(), John, "https://public.example.com/", "GET", TwoFactor)
 }

-func (s *AuthorizerSuite) TestShouldcheckDomainMatching() {
+func (s *AuthorizerSuite) TestShouldCheckDomainMatching() {
 	tester := NewAuthorizerBuilder().
 		WithRule(schema.ACLRule{
 			Domains: []string{"public.example.com"},
@ -272,20 +272,62 @@ func (s *AuthorizerSuite) TestShouldcheckDomainMatching() {
 	tester.CheckAuthorizations(s.T(), Bob, "https://x.example.com", "GET", TwoFactor)
 	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://x.example.com", "GET", OneFactor)

-	assert.Equal(s.T(), "public.example.com", tester.configuration.AccessControl.Rules[0].Domains[0])
-	assert.Equal(s.T(), "domain:public.example.com", tester.rules[0].Domains[0].String())
+	s.Require().Len(tester.rules, 5)

-	assert.Equal(s.T(), "one-factor.example.com", tester.configuration.AccessControl.Rules[1].Domains[0])
-	assert.Equal(s.T(), "domain:one-factor.example.com", tester.rules[1].Domains[0].String())
+	s.Require().Len(tester.rules[0].Domains, 1)

-	assert.Equal(s.T(), "two-factor.example.com", tester.configuration.AccessControl.Rules[2].Domains[0])
-	assert.Equal(s.T(), "domain:two-factor.example.com", tester.rules[2].Domains[0].String())
+	s.Assert().Equal("public.example.com", tester.configuration.AccessControl.Rules[0].Domains[0])

-	assert.Equal(s.T(), "*.example.com", tester.configuration.AccessControl.Rules[3].Domains[0])
-	assert.Equal(s.T(), "domain:.example.com", tester.rules[3].Domains[0].String())
+	ruleMatcher0, ok := tester.rules[0].Domains[0].Matcher.(*AccessControlDomainMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("public.example.com", ruleMatcher0.Name)
+	s.Assert().False(ruleMatcher0.Wildcard)
+	s.Assert().False(ruleMatcher0.UserWildcard)
+	s.Assert().False(ruleMatcher0.GroupWildcard)

-	assert.Equal(s.T(), "*.example.com", tester.configuration.AccessControl.Rules[4].Domains[0])
-	assert.Equal(s.T(), "domain:.example.com", tester.rules[4].Domains[0].String())
+	s.Require().Len(tester.rules[1].Domains, 1)
+
+	s.Assert().Equal("one-factor.example.com", tester.configuration.AccessControl.Rules[1].Domains[0])
+
+	ruleMatcher1, ok := tester.rules[1].Domains[0].Matcher.(*AccessControlDomainMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("one-factor.example.com", ruleMatcher1.Name)
+	s.Assert().False(ruleMatcher1.Wildcard)
+	s.Assert().False(ruleMatcher1.UserWildcard)
+	s.Assert().False(ruleMatcher1.GroupWildcard)
+
+	s.Require().Len(tester.rules[2].Domains, 1)
+
+	s.Assert().Equal("two-factor.example.com", tester.configuration.AccessControl.Rules[2].Domains[0])
+
+	ruleMatcher2, ok := tester.rules[2].Domains[0].Matcher.(*AccessControlDomainMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("two-factor.example.com", ruleMatcher2.Name)
+	s.Assert().False(ruleMatcher2.Wildcard)
+	s.Assert().False(ruleMatcher2.UserWildcard)
+	s.Assert().False(ruleMatcher2.GroupWildcard)
+
+	s.Require().Len(tester.rules[3].Domains, 1)
+
+	s.Assert().Equal("*.example.com", tester.configuration.AccessControl.Rules[3].Domains[0])
+
+	ruleMatcher3, ok := tester.rules[3].Domains[0].Matcher.(*AccessControlDomainMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal(".example.com", ruleMatcher3.Name)
+	s.Assert().True(ruleMatcher3.Wildcard)
+	s.Assert().False(ruleMatcher3.UserWildcard)
+	s.Assert().False(ruleMatcher3.GroupWildcard)
+
+	s.Require().Len(tester.rules[4].Domains, 1)
+
+	s.Assert().Equal("*.example.com", tester.configuration.AccessControl.Rules[4].Domains[0])
+
+	ruleMatcher4, ok := tester.rules[4].Domains[0].Matcher.(*AccessControlDomainMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal(".example.com", ruleMatcher4.Name)
+	s.Assert().True(ruleMatcher4.Wildcard)
+	s.Assert().False(ruleMatcher4.UserWildcard)
+	s.Assert().False(ruleMatcher4.GroupWildcard)
 }

 func (s *AuthorizerSuite) TestShouldCheckDomainRegexMatching() {
@ -327,20 +369,135 @@ func (s *AuthorizerSuite) TestShouldCheckDomainRegexMatching() {
 	tester.CheckAuthorizations(s.T(), John, "https://group-dev.regex.com", "GET", TwoFactor)
 	tester.CheckAuthorizations(s.T(), Bob, "https://group-dev.regex.com", "GET", Denied)

-	assert.Equal(s.T(), "^.*\\.example.com$", tester.configuration.AccessControl.Rules[0].DomainsRegex[0].String())
-	assert.Equal(s.T(), "domain_regex:^.*\\.example.com$", tester.rules[0].Domains[0].String())
+	s.Require().Len(tester.rules, 5)

-	assert.Equal(s.T(), "^.*\\.example2.com$", tester.configuration.AccessControl.Rules[1].DomainsRegex[0].String())
-	assert.Equal(s.T(), "domain_regex:^.*\\.example2.com$", tester.rules[1].Domains[0].String())
+	s.Require().Len(tester.rules[0].Domains, 1)

-	assert.Equal(s.T(), "^(?P<User>[a-zA-Z0-9]+)\\.regex.com$", tester.configuration.AccessControl.Rules[2].DomainsRegex[0].String())
-	assert.Equal(s.T(), "domain_regex(subexp):^(?P<User>[a-zA-Z0-9]+)\\.regex.com$", tester.rules[2].Domains[0].String())
+	s.Assert().Equal("^.*\\.example.com$", tester.configuration.AccessControl.Rules[0].DomainsRegex[0].String())

-	assert.Equal(s.T(), "^group-(?P<Group>[a-zA-Z0-9]+)\\.regex.com$", tester.configuration.AccessControl.Rules[3].DomainsRegex[0].String())
-	assert.Equal(s.T(), "domain_regex(subexp):^group-(?P<Group>[a-zA-Z0-9]+)\\.regex.com$", tester.rules[3].Domains[0].String())
+	ruleMatcher0, ok := tester.rules[0].Domains[0].Matcher.(RegexpStringSubjectMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("^.*\\.example.com$", ruleMatcher0.String())

-	assert.Equal(s.T(), "^.*\\.(one|two).com$", tester.configuration.AccessControl.Rules[4].DomainsRegex[0].String())
-	assert.Equal(s.T(), "domain_regex:^.*\\.(one|two).com$", tester.rules[4].Domains[0].String())
+	s.Require().Len(tester.rules[1].Domains, 1)
+
+	s.Assert().Equal("^.*\\.example2.com$", tester.configuration.AccessControl.Rules[1].DomainsRegex[0].String())
+
+	ruleMatcher1, ok := tester.rules[1].Domains[0].Matcher.(RegexpStringSubjectMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("^.*\\.example2.com$", ruleMatcher1.String())
+
+	s.Require().Len(tester.rules[2].Domains, 1)
+
+	s.Assert().Equal("^(?P<User>[a-zA-Z0-9]+)\\.regex.com$", tester.configuration.AccessControl.Rules[2].DomainsRegex[0].String())
+
+	ruleMatcher2, ok := tester.rules[2].Domains[0].Matcher.(RegexpGroupStringSubjectMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("^(?P<User>[a-zA-Z0-9]+)\\.regex.com$", ruleMatcher2.String())
+
+	s.Require().Len(tester.rules[3].Domains, 1)
+
+	s.Assert().Equal("^group-(?P<Group>[a-zA-Z0-9]+)\\.regex.com$", tester.configuration.AccessControl.Rules[3].DomainsRegex[0].String())
+
+	ruleMatcher3, ok := tester.rules[3].Domains[0].Matcher.(RegexpGroupStringSubjectMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("^group-(?P<Group>[a-zA-Z0-9]+)\\.regex.com$", ruleMatcher3.String())
+
+	s.Require().Len(tester.rules[4].Domains, 1)
+
+	s.Assert().Equal("^.*\\.(one|two).com$", tester.configuration.AccessControl.Rules[4].DomainsRegex[0].String())
+
+	ruleMatcher4, ok := tester.rules[4].Domains[0].Matcher.(RegexpStringSubjectMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("^.*\\.(one|two).com$", ruleMatcher4.String())
+}
+
+func (s *AuthorizerSuite) TestShouldCheckResourceSubjectMatching() {
+	createSliceRegexRule := func(t *testing.T, rules []string) []regexp.Regexp {
+		result, err := stringSliceToRegexpSlice(rules)
+
+		require.NoError(t, err)
+
+		return result
+	}
+
+	tester := NewAuthorizerBuilder().
+		WithRule(schema.ACLRule{
+			Domains:   []string{"id.example.com"},
+			Policy:    oneFactor,
+			Resources: createSliceRegexRule(s.T(), []string{`^/(?P<User>[a-zA-Z0-9]+)/personal(/|/.*)?$`, `^/(?P<Group>[a-zA-Z0-9]+)/group(/|/.*)?$`}),
+		}).
+		WithRule(schema.ACLRule{
+			Domains:   []string{"id.example.com"},
+			Policy:    deny,
+			Resources: createSliceRegexRule(s.T(), []string{`^/([a-zA-Z0-9]+)/personal(/|/.*)?$`, `^/([a-zA-Z0-9]+)/group(/|/.*)?$`}),
+		}).
+		WithRule(schema.ACLRule{
+			Domains: []string{"id.example.com"},
+			Policy:  bypass,
+		}).
+		Build()
+
+	// Accessing the unprotected root.
+	tester.CheckAuthorizations(s.T(), John, "https://id.example.com", "GET", Bypass)
+	tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com", "GET", Bypass)
+	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com", "GET", Bypass)
+
+	// Accessing Personal page.
+	tester.CheckAuthorizations(s.T(), John, "https://id.example.com/john/personal", "GET", OneFactor)
+	tester.CheckAuthorizations(s.T(), John, "https://id.example.com/John/personal", "GET", OneFactor)
+	tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/bob/personal", "GET", OneFactor)
+	tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/Bob/personal", "GET", OneFactor)
+
+	// Accessing an invalid users Personal page.
+	tester.CheckAuthorizations(s.T(), John, "https://id.example.com/invaliduser/personal", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/invaliduser/personal", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/invaliduser/personal", "GET", Denied)
+
+	// Accessing another users Personal page.
+	tester.CheckAuthorizations(s.T(), John, "https://id.example.com/bob/personal", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/bob/personal", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), John, "https://id.example.com/Bob/personal", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/Bob/personal", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/john/personal", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/john/personal", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/John/personal", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/John/personal", "GET", Denied)
+
+	// Accessing a Group page.
+	tester.CheckAuthorizations(s.T(), John, "https://id.example.com/dev/group", "GET", OneFactor)
+	tester.CheckAuthorizations(s.T(), John, "https://id.example.com/admins/group", "GET", OneFactor)
+	tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/dev/group", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/admins/group", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/dev/group", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/admins/group", "GET", Denied)
+
+	// Accessing an invalid group's Group page.
+	tester.CheckAuthorizations(s.T(), John, "https://id.example.com/invalidgroup/group", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), Bob, "https://id.example.com/invalidgroup/group", "GET", Denied)
+	tester.CheckAuthorizations(s.T(), AnonymousUser, "https://id.example.com/invalidgroup/group", "GET", Denied)
+
+	s.Require().Len(tester.rules, 3)
+
+	s.Require().Len(tester.rules[0].Resources, 2)
+
+	ruleMatcher00, ok := tester.rules[0].Resources[0].Matcher.(RegexpGroupStringSubjectMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("^/(?P<User>[a-zA-Z0-9]+)/personal(/|/.*)?$", ruleMatcher00.String())
+
+	ruleMatcher01, ok := tester.rules[0].Resources[1].Matcher.(RegexpGroupStringSubjectMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("^/(?P<Group>[a-zA-Z0-9]+)/group(/|/.*)?$", ruleMatcher01.String())
+
+	s.Require().Len(tester.rules[1].Resources, 2)
+
+	ruleMatcher10, ok := tester.rules[1].Resources[0].Matcher.(RegexpStringSubjectMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("^/([a-zA-Z0-9]+)/personal(/|/.*)?$", ruleMatcher10.String())
+
+	ruleMatcher11, ok := tester.rules[1].Resources[1].Matcher.(RegexpStringSubjectMatcher)
+	s.Require().True(ok)
+	s.Assert().Equal("^/([a-zA-Z0-9]+)/group(/|/.*)?$", ruleMatcher11.String())
 }

 func (s *AuthorizerSuite) TestShouldCheckUserMatching() {
@ -616,56 +773,56 @@ func (s *AuthorizerSuite) TestShouldMatchResourceWithSubjectRules() {

 	results := tester.GetRuleMatchResults(John, "https://private.example.com", "GET")

-	require.Len(s.T(), results, 7)
+	s.Require().Len(results, 7)

-	assert.False(s.T(), results[0].IsMatch())
-	assert.False(s.T(), results[0].MatchDomain)
-	assert.False(s.T(), results[0].MatchResources)
-	assert.True(s.T(), results[0].MatchSubjects)
-	assert.True(s.T(), results[0].MatchNetworks)
-	assert.True(s.T(), results[0].MatchMethods)
+	s.Assert().False(results[0].IsMatch())
+	s.Assert().False(results[0].MatchDomain)
+	s.Assert().False(results[0].MatchResources)
+	s.Assert().True(results[0].MatchSubjects)
+	s.Assert().True(results[0].MatchNetworks)
+	s.Assert().True(results[0].MatchMethods)

-	assert.False(s.T(), results[1].IsMatch())
-	assert.False(s.T(), results[1].MatchDomain)
-	assert.False(s.T(), results[1].MatchResources)
-	assert.True(s.T(), results[1].MatchSubjects)
-	assert.True(s.T(), results[1].MatchNetworks)
-	assert.True(s.T(), results[1].MatchMethods)
+	s.Assert().False(results[1].IsMatch())
+	s.Assert().False(results[1].MatchDomain)
+	s.Assert().False(results[1].MatchResources)
+	s.Assert().True(results[1].MatchSubjects)
+	s.Assert().True(results[1].MatchNetworks)
+	s.Assert().True(results[1].MatchMethods)

-	assert.False(s.T(), results[2].IsMatch())
-	assert.False(s.T(), results[2].MatchDomain)
-	assert.True(s.T(), results[2].MatchResources)
-	assert.True(s.T(), results[2].MatchSubjects)
-	assert.True(s.T(), results[2].MatchNetworks)
-	assert.True(s.T(), results[2].MatchMethods)
+	s.Assert().False(results[2].IsMatch())
+	s.Assert().False(results[2].MatchDomain)
+	s.Assert().True(results[2].MatchResources)
+	s.Assert().True(results[2].MatchSubjects)
+	s.Assert().True(results[2].MatchNetworks)
+	s.Assert().True(results[2].MatchMethods)

-	assert.False(s.T(), results[3].IsMatch())
-	assert.False(s.T(), results[3].MatchDomain)
-	assert.False(s.T(), results[3].MatchResources)
-	assert.True(s.T(), results[3].MatchSubjects)
-	assert.True(s.T(), results[3].MatchNetworks)
-	assert.True(s.T(), results[3].MatchMethods)
+	s.Assert().False(results[3].IsMatch())
+	s.Assert().False(results[3].MatchDomain)
+	s.Assert().False(results[3].MatchResources)
+	s.Assert().True(results[3].MatchSubjects)
+	s.Assert().True(results[3].MatchNetworks)
+	s.Assert().True(results[3].MatchMethods)

-	assert.False(s.T(), results[4].IsMatch())
-	assert.False(s.T(), results[4].MatchDomain)
-	assert.False(s.T(), results[4].MatchResources)
-	assert.True(s.T(), results[4].MatchSubjects)
-	assert.True(s.T(), results[4].MatchNetworks)
-	assert.True(s.T(), results[4].MatchMethods)
+	s.Assert().False(results[4].IsMatch())
+	s.Assert().False(results[4].MatchDomain)
+	s.Assert().False(results[4].MatchResources)
+	s.Assert().True(results[4].MatchSubjects)
+	s.Assert().True(results[4].MatchNetworks)
+	s.Assert().True(results[4].MatchMethods)

-	assert.False(s.T(), results[5].IsMatch())
-	assert.False(s.T(), results[5].MatchDomain)
-	assert.True(s.T(), results[5].MatchResources)
-	assert.True(s.T(), results[5].MatchSubjects)
-	assert.True(s.T(), results[5].MatchNetworks)
-	assert.True(s.T(), results[5].MatchMethods)
+	s.Assert().False(results[5].IsMatch())
+	s.Assert().False(results[5].MatchDomain)
+	s.Assert().True(results[5].MatchResources)
+	s.Assert().True(results[5].MatchSubjects)
+	s.Assert().True(results[5].MatchNetworks)
+	s.Assert().True(results[5].MatchMethods)

-	assert.True(s.T(), results[6].IsMatch())
-	assert.True(s.T(), results[6].MatchDomain)
-	assert.True(s.T(), results[6].MatchResources)
-	assert.True(s.T(), results[6].MatchSubjects)
-	assert.True(s.T(), results[6].MatchNetworks)
-	assert.True(s.T(), results[6].MatchMethods)
+	s.Assert().True(results[6].IsMatch())
+	s.Assert().True(results[6].MatchDomain)
+	s.Assert().True(results[6].MatchResources)
+	s.Assert().True(results[6].MatchSubjects)
+	s.Assert().True(results[6].MatchNetworks)
+	s.Assert().True(results[6].MatchMethods)
 }

 func (s *AuthorizerSuite) TestPolicyToLevel() {
--- a/internal/authorization/regexp.go
+++ b/internal/authorization/regexp.go
@ -0,0 +1,53 @@
+package authorization
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/authelia/authelia/v4/internal/utils"
+)
+
+// RegexpGroupStringSubjectMatcher matches the input string against the pattern taking into account Subexp groups.
+type RegexpGroupStringSubjectMatcher struct {
+	Pattern         regexp.Regexp
+	SubexpNameUser  int
+	SubexpNameGroup int
+}
+
+// IsMatch returns true if the underlying pattern matches the input given the subject.
+func (r RegexpGroupStringSubjectMatcher) IsMatch(input string, subject Subject) (match bool) {
+	matches := r.Pattern.FindAllStringSubmatch(input, -1)
+	if matches == nil {
+		return false
+	}
+
+	if r.SubexpNameUser != -1 && !strings.EqualFold(subject.Username, matches[0][r.SubexpNameUser]) {
+		return false
+	}
+
+	if r.SubexpNameGroup != -1 && !utils.IsStringInSliceFold(matches[0][r.SubexpNameGroup], subject.Groups) {
+		return false
+	}
+
+	return true
+}
+
+// String returns the pattern string.
+func (r RegexpGroupStringSubjectMatcher) String() string {
+	return r.Pattern.String()
+}
+
+// RegexpStringSubjectMatcher just matches the input string against the pattern.
+type RegexpStringSubjectMatcher struct {
+	Pattern regexp.Regexp
+}
+
+// IsMatch returns true if the underlying pattern matches the input.
+func (r RegexpStringSubjectMatcher) IsMatch(input string, _ Subject) (match bool) {
+	return r.Pattern.MatchString(input)
+}
+
+// String returns the pattern string.
+func (r RegexpStringSubjectMatcher) String() string {
+	return r.Pattern.String()
+}
--- a/internal/authorization/types.go
+++ b/internal/authorization/types.go
@ -12,10 +12,14 @@ type SubjectMatcher interface {
 	IsMatch(subject Subject) (match bool)
 }

+// StringSubjectMatcher is a matcher that takes an input string and subject.
+type StringSubjectMatcher interface {
+	IsMatch(input string, subject Subject) (match bool)
+}
+
 // SubjectObjectMatcher is a matcher that takes both a subject and an object.
 type SubjectObjectMatcher interface {
 	IsMatch(subject Subject, object Object) (match bool)
-	String() string
 }

 // Subject represents the identity of a user for the purposes of ACL matching.
--- a/internal/authorization/util.go
+++ b/internal/authorization/util.go
@ -70,7 +70,7 @@ func schemaSubjectToACLSubject(subjectRule string) (subject SubjectMatcher) {
 	return nil
 }

-func schemaDomainsToACL(domainRules []string, domainRegexRules []regexp.Regexp) (domains []SubjectObjectMatcher) {
+func schemaDomainsToACL(domainRules []string, domainRegexRules []regexp.Regexp) (domains []AccessControlDomain) {
 	for _, domainRule := range domainRules {
 		domains = append(domains, NewAccessControlDomain(domainRule))
 	}
@ -84,7 +84,7 @@ func schemaDomainsToACL(domainRules []string, domainRegexRules []regexp.Regexp)

 func schemaResourcesToACL(resourceRules []regexp.Regexp) (resources []AccessControlResource) {
 	for _, resourceRule := range resourceRules {
-		resources = append(resources, AccessControlResource{Pattern: resourceRule})
+		resources = append(resources, NewAccessControlResource(resourceRule))
 	}

 	return resources