Rework the configuration of the access control to allow default policy for certain domains

config.template.yml

@@ -43,17 +43,19 @@ ldap:
 # is allowed to everyone.
 # Otherwise, the default policy is denied for any user and any subdomain.
 access_control:
-  - group: admin
-    allowed_domains:
-    - secret.test.local
-    - secret1.test.local
-    - secret2.test.local
-  - group: dev
-    allowed_domains:
-    - secret2.test.local
-  - user: harry
-    allowed_domains:
-    - secret1.test.local
+  default:
+    - home.test.local
+  groups:
+    admin:
+      - '*.test.local'
+    dev:
+      - secret.test.local
+      - secret2.test.local
+  users: 
+    harry:
+      - secret1.test.local
+    bob:
+      - '*.mail.test.local'
 
 
 # Configuration of session cookies

example/nginx_conf/index.html

@@ -3,8 +3,81 @@
     <title>Home page</title>
   </head>
   <body>
-  You need to <a href="https://auth.test.local:8080/authentication/login?redirect=https://secret.test.local:8080/">log in</a> to access the <a href="/secret.html">secret</a>!<br/><br/>
-  But you can also access it from another <a href="https://secret1.test.local:8080/secret.html">domain</a> or still <a href="https://secret2.test.local:8080/secret.html">another one</a>.<br/><br/>
-  You can also log off by visiting the following <a href="https://auth.test.local:8080/authentication/logout?redirect=https://secret.test.local:8080/">link</a>.
+  <h1>Access the secret</h1>
+  You need to log in to access the secret!<br/><br/>
+  Try to access it via one of the following links.<br/>
+  <ul>
+    <li>
+      <a href="https://secret.test.local:8080/secret.html">secret.test.local</a>
+    </li>
+    <li>
+      <a href="https://secret1.test.local:8080/secret.html">secret1.test.local</a>
+    </li>
+    <li>
+      <a href="https://secret2.test.local:8080/secret.html">secret2.test.local</a>
+    </li>
+    <li>
+      <a href="https://home.test.local:8080/secret.html">home.test.local</a>
+    </li>
+    <li>
+      <a href="https://mx1.mail.test.local:8080/secret.html">mx1.mail.test.local</a>
+    </li>
+    <li>
+      <a href="https://mx2.mail.test.local:8080/secret.html">mx2.mail.test.local</a>
+    </li>
+  </ul>
+
+  You can also log off by visiting the following <a href="https://auth.test.local:8080/authentication/logout?redirect=https://home.test.local:8080/">link</a>.
+
+  <h1>List of users</h1>
+  Here is the list of credentials you can log in with to test access control.
+ 
+  <ul>
+    <li><strong>john / password</strong>: belongs to <em>admin</em> and <em>dev</em> groups.</li>
+    <li><strong>bob / password</strong>: belongs to <em>dev</em> group only.</li>
+    <li><strong>harry / password</strong>: does not belong to any group.</li>
+  </ul>
+
+  <h1>Access control rules</h1>
+
+  <ul>
+    <li><strong>Default policy</strong>
+      <ul>
+        <li>home.test.local</li>
+      </ul>
+    </li>
+
+    <li><strong>Groups policy</strong>
+      <ul>
+        <li>admin
+          <ul>
+            <li>*.test.local</li>
+          </ul>
+        </li>
+        <li>dev
+          <ul>
+            <li>secret.test.local</li>
+            <li>secret2.test.local</li>
+          </ul>
+        </li>
+      </ul>
+    </li>
+
+    <li><strong>Users policy</strong>
+      <ul>
+        <li>harry
+          <ul>
+            <li>secret1.test.local</li>
+          </ul>
+        </li>
+        <li>bob
+          <ul>
+            <li>*.mail.test.local</li>
+          </ul>
+        </li>
+      </ul>
+    </li>
+  </ul>
+
   </body>
 </html>

example/nginx_conf/nginx.conf

@@ -60,7 +60,9 @@ http {
         listen 443 ssl;
         root /usr/share/nginx/html;
  
-        server_name     secret1.test.local secret2.test.local secret.test.local localhost;
+        server_name     secret1.test.local secret2.test.local secret.test.local 
+                        home.test.local mx1.mail.test.local mx2.mail.test.local 
+                        localhost;
 
         ssl on;
         ssl_certificate     /etc/ssl/server.crt;

example/nginx_conf/secret.html

@@ -3,6 +3,7 @@
     <title>Secret</title>
   </head>
   <body>
-  This is a very important secret!
+  This is a very important secret!<br/>
+  Go back to <a href="https://home.test.local:8080/">home page</a>.
   </body>
 </html>

src/lib/access_control.js

@@ -0,0 +1,84 @@
+
+module.exports = function(logger, acl_config) {
+  return {
+    builder: new AccessControlBuilder(logger, acl_config),
+    matcher: new AccessControlMatcher(logger)
+  };
+}
+
+var objectPath = require('object-path');
+
+// *************** PER DOMAIN MATCHER ***************
+function AccessControlMatcher(logger) {
+  this.logger = logger;
+}
+
+AccessControlMatcher.prototype.is_domain_allowed = function(domain, allowed_domains) {
+  // Allow all matcher
+  if(allowed_domains.length == 1 && allowed_domains[0] == '*') return true;
+
+  this.logger.debug('ACL: trying to match %s with %s', domain, 
+                    JSON.stringify(allowed_domains));
+  for(var i = 0; i < allowed_domains.length; ++i) {
+    var allowed_domain = allowed_domains[i];
+    if(allowed_domain.startsWith('*') && 
+       domain.endsWith(allowed_domain.substr(1))) {
+      return true;
+    }
+    else if(domain == allowed_domain) {
+      return true;
+    }
+  }
+  return false;
+}
+
+
+// *************** MATCHER BUILDER ***************
+function AccessControlBuilder(logger, acl_config) {
+  this.logger = logger;
+  this.config = acl_config;
+}
+
+AccessControlBuilder.prototype.extract_per_group = function(groups) {
+  var allowed_domains = [];
+  var groups_policy = objectPath.get(this.config, 'groups');
+  if(groups_policy) {
+    for(var i=0; i<groups.length; ++i) {
+      var group = groups[i];
+      if(group in groups_policy) {
+        allowed_domains = allowed_domains.concat(groups_policy[group]);
+      }
+    }
+  }
+  return allowed_domains;
+}
+
+AccessControlBuilder.prototype.extract_per_user = function(user) {
+  var allowed_domains = [];
+  var users_policy = objectPath.get(this.config, 'users');
+  if(users_policy) {
+    if(user in users_policy) {
+      allowed_domains = allowed_domains.concat(users_policy[user]);
+    }
+  }
+  return allowed_domains;
+}
+
+AccessControlBuilder.prototype.get_allowed_domains = function(user, groups) {
+  var allowed_domains = [];
+  var default_policy = objectPath.get(this.config, 'default');
+  if(default_policy) {
+    allowed_domains = allowed_domains.concat(default_policy);
+  }
+
+  allowed_domains = allowed_domains.concat(this.extract_per_group(groups));
+  allowed_domains = allowed_domains.concat(this.extract_per_user(user));
+
+  this.logger.debug('ACL: user \'%s\' is allowed access to %s', user, 
+                    JSON.stringify(allowed_domains));
+  return allowed_domains;
+}
+
+AccessControlBuilder.prototype.get_any_domain = function() {
+  return ['*'];
+}

src/lib/routes/first_factor.js

@@ -37,6 +37,7 @@ function first_factor(req, res) {
   var ldap = req.app.get('ldap');
   var config = req.app.get('config');
   var regulator = req.app.get('authentication regulator');
+  var acl_builder = req.app.get('access control').builder;
 
   logger.info('1st factor: Starting authentication of user "%s"', username);
   logger.debug('1st factor: Start bind operation against LDAP');
@@ -56,22 +57,21 @@ function first_factor(req, res) {
   .then(function(data) {
     var emails = data[0];
     var groups = data[1];
+    var allowed_domains;
 
     if(!emails && emails.length <= 0) throw new Error('No email found');
     logger.debug('1st factor: Retrieved email are %s', emails);
     objectPath.set(req, 'session.auth_session.email', emails[0]);
 
     if(config.access_control) {
-      var allowed_domains = get_allowed_domains(config.access_control, 
-        username, groups);
-      logger.debug('1st factor: allowed domains are %s', allowed_domains);
-      objectPath.set(req, 'session.auth_session.allowed_domains', 
-        allowed_domains);
+      allowed_domains = acl_builder.get_allowed_domains(username, groups);
     }
     else {
+      allowed_domains = acl_builder.get_any_domain();
       logger.debug('1st factor: no access control rules found.' +
         'Default policy to allow all.');
     }
+    objectPath.set(req, 'session.auth_session.allowed_domains', allowed_domains);
 
     regulator.mark(username, true);
     res.status(204);

src/lib/routes/verify.js

@@ -19,19 +19,17 @@ function verify_filter(req, res) {
   if(!objectPath.has(req, 'session.auth_session.userid'))
     return Promise.reject('No userid variable'); 
 
-  var config = req.app.get('config');
-  var access_control = config.access_control;
+  if(!objectPath.has(req, 'session.auth_session.allowed_domains'))
+    return Promise.reject('No allowed_domains variable'); 
 
-  if(access_control) {
-    var allowed_domains = objectPath.get(req, 'session.auth_session.allowed_domains');
-    var host = objectPath.get(req, 'headers.host');
-    var domain = host.split(':')[0]; 
-    logger.debug('Trying to access domain: %s', domain);
-    logger.debug('User has access to %s', JSON.stringify(allowed_domains));
+  // Get the session ACL matcher
+  var allowed_domains = objectPath.get(req, 'session.auth_session.allowed_domains');
+  var host = objectPath.get(req, 'headers.host');
+  var domain = host.split(':')[0]; 
+  var acl_matcher = req.app.get('access control').matcher;
 
-    if(allowed_domains.indexOf(domain) < 0)
-      return Promise.reject('Access restricted by ACL rules');
-  }
+  if(!acl_matcher.is_domain_allowed(domain, allowed_domains))
+    return Promise.reject('Access restricted by ACL rules');
 
   if(!req.session.auth_session.first_factor || 
      !req.session.auth_session.second_factor)

src/lib/server.js

@@ -12,6 +12,7 @@ var AuthenticationRegulator = require('./authentication_regulator');
 var setup_endpoints = require('./setup_endpoints');
 var config_adapter = require('./config_adapter');
 var Ldap = require('./ldap');
+var AccessControl = require('./access_control');
 
 function run(yaml_config, deps, fn) {
   var config = config_adapter(yaml_config);
@@ -51,6 +52,7 @@ function run(yaml_config, deps, fn) {
   var regulator = new AuthenticationRegulator(data_store, five_minutes);
   var notifier = new Notifier(config.notifier, deps);
   var ldap = new Ldap(deps, config.ldap);
+  var access_control = AccessControl(deps.winston, config.access_control);
 
   app.set('logger', deps.winston);
   app.set('ldap', ldap);
@@ -60,6 +62,7 @@ function run(yaml_config, deps, fn) {
   app.set('notifier', notifier);
   app.set('authentication regulator', regulator);
   app.set('config', config);
+  app.set('access control', access_control);
 
   setup_endpoints(app);
   

test/unitary/routes/test_first_factor.js

@@ -6,6 +6,7 @@ var winston = require('winston');
 var first_factor = require('../../../src/lib/routes/first_factor');
 var exceptions = require('../../../src/lib/exceptions');
 var Ldap = require('../../../src/lib/ldap');
+var AccessControl = require('../../../src/lib/access_control');
 
 describe('test the first factor validation route', function() {
   var req, res;
@@ -13,6 +14,7 @@ describe('test the first factor validation route', function() {
   var emails;
   var search_res_ok;
   var regulator;
+  var access_control;
   var config;
 
   beforeEach(function() {
@@ -34,11 +36,22 @@ describe('test the first factor validation route', function() {
     regulator.mark.returns(Promise.resolve());
     regulator.regulate.returns(Promise.resolve());
 
+    access_control = { 
+      builder: {
+        get_allowed_domains: sinon.stub(),
+        get_any_domain: sinon.stub(),
+      },
+      matcher: {
+        is_domain_allowed: sinon.stub()
+      }
+    };
+
     var app_get = sinon.stub();
     app_get.withArgs('ldap').returns(ldap_interface_mock);
     app_get.withArgs('config').returns(config);
     app_get.withArgs('logger').returns(winston);
     app_get.withArgs('authentication regulator').returns(regulator);
+    app_get.withArgs('access control').returns(access_control);
 
     req = {
       app: {
@@ -74,16 +87,13 @@ describe('test the first factor validation route', function() {
     });
   });
 
-  describe('store the allowed domains in the auth session', function() {
-    it('should store the per group allowed domains', function() {
-      config.access_control = [];
-      config.access_control.push({ 
-        group: 'group1', 
-        allowed_domains: ['domain1.example.com', 'domain2.example.com']
-      });
+  describe('store the ACL matcher in the auth session', function() {
+    it('should store the allowed domains in the auth session', function() {
+      config.access_control = {};
+      access_control.builder.get_allowed_domains.returns(['example.com', 'test.example.com']);
       return new Promise(function(resolve, reject) {
         res.send = sinon.spy(function(data) {
-          assert.deepEqual(['domain1.example.com', 'domain2.example.com'], 
+          assert.deepEqual(['example.com', 'test.example.com'], 
             req.session.auth_session.allowed_domains);
           assert.equal(204, res.status.getCall(0).args[0]);
           resolve();
@@ -95,16 +105,11 @@ describe('test the first factor validation route', function() {
       });
     });
 
-    it('should store the per group allowed domains', function() {
-      config.access_control = [];
-      config.access_control.push({ 
-        user: 'username', 
-        allowed_domains: ['domain1.example.com', 'domain2.example.com']
-      });
+    it('should store the allow all ACL matcher in the auth session', function() {
+      access_control.builder.get_any_domain.returns(['*']);
       return new Promise(function(resolve, reject) {
         res.send = sinon.spy(function(data) {
-          assert.deepEqual(['domain1.example.com', 'domain2.example.com'], 
-            req.session.auth_session.allowed_domains);
+          assert(req.session.auth_session.allowed_domains);
           assert.equal(204, res.status.getCall(0).args[0]);
           resolve();
         });

test/unitary/routes/test_verify.js

@@ -7,8 +7,15 @@ var winston = require('winston');
 describe('test authentication token verification', function() {
   var req, res;
   var config_mock;
+  var acl_matcher;
 
   beforeEach(function() {
+    acl_matcher = {
+      is_domain_allowed: sinon.stub().returns(true)
+    };
+    var access_control = {
+      matcher: acl_matcher
+    }
     config_mock = {};
     req = {};
     res = {};
@@ -18,6 +25,7 @@ describe('test authentication token verification', function() {
     req.app.get = sinon.stub();
     req.app.get.withArgs('config').returns(config_mock);
     req.app.get.withArgs('logger').returns(winston);
+    req.app.get.withArgs('access control').returns(access_control);
     res.status = sinon.spy();
   });
 
@@ -27,7 +35,7 @@ describe('test authentication token verification', function() {
       first_factor: true, 
       second_factor: true,
       userid: 'myuser',
-      group: 'mygroup'
+      allowed_domains: ['*']
     };
  
     res.send = sinon.spy(function() {
@@ -86,25 +94,16 @@ describe('test authentication token verification', function() {
     });
 
     it('should reply unauthorized when the domain is restricted', function() {
-      config_mock.access_control = [];
-      config_mock.access_control.push({
-        group: 'abc',
-        allowed_domains: ['secret.example.com']
-      });
+      acl_matcher.is_domain_allowed.returns(false);
       return test_unauthorized({
         first_factor: true,
         second_factor: true,
         userid: 'user',
-        allowed_domains: ['restricted.example.com']
+        allowed_domains: []
       });
     });
 
     it('should reply authorized when the domain is allowed', function() {
-      config_mock.access_control = [];
-      config_mock.access_control.push({
-        group: 'abc',
-        allowed_domains: ['secret.example.com']
-      });
       return test_authorized({
         first_factor: true,
         second_factor: true,

test/unitary/test_access_control.js

@@ -0,0 +1,160 @@
+
+var assert = require('assert');
+var winston = require('winston');
+var AccessControl = require('../../src/lib/access_control');
+
+describe('test access control manager', function() {
+  var access_control;
+  var acl_config;
+  var acl_builder;
+  var acl_matcher;
+
+  beforeEach(function() {
+    acl_config = {};
+    access_control = AccessControl(winston, acl_config);
+    acl_builder = access_control.builder;
+    acl_matcher = access_control.matcher;
+  });
+
+  describe('building user group access control matcher', function() {
+    it('should deny all if nothing is defined in the config', function() {
+      var allowed_domains = acl_builder.get_allowed_domains('user', ['group1', 'group2']); 
+      assert.deepEqual(allowed_domains, []);
+    });
+
+    it('should allow domain test.example.com to all users if defined in' + 
+       ' default policy', function() {
+      acl_config.default = ['test.example.com'];
+      
+      var allowed_domains = acl_builder.get_allowed_domains('user', ['group1', 'group2']); 
+      assert.deepEqual(allowed_domains, ['test.example.com']);
+    });
+
+    it('should allow domain test.example.com to all users in group mygroup', function() {
+      var allowed_domains0 = acl_builder.get_allowed_domains('user', ['group1', 'group1']); 
+      assert.deepEqual(allowed_domains0, []);
+
+      acl_config.groups = {
+        mygroup: ['test.example.com']
+      };
+
+      var allowed_domains1 = acl_builder.get_allowed_domains('user', ['group1', 'group2']); 
+      assert.deepEqual(allowed_domains1, []);
+
+      var allowed_domains2 = acl_builder.get_allowed_domains('user', ['group1', 'mygroup']); 
+      assert.deepEqual(allowed_domains2, ['test.example.com']);
+    });
+
+    it('should allow domain test.example.com based on per user config', function() {
+      var allowed_domains0 = acl_builder.get_allowed_domains('user', ['group1']); 
+      assert.deepEqual(allowed_domains0, []);
+
+      acl_config.users = {
+        user1: ['test.example.com']
+      };
+
+      var allowed_domains1 = acl_builder.get_allowed_domains('user', ['group1', 'mygroup']); 
+      assert.deepEqual(allowed_domains1, []);
+
+      var allowed_domains2 = acl_builder.get_allowed_domains('user1', ['group1', 'mygroup']); 
+      assert.deepEqual(allowed_domains2, ['test.example.com']);
+    });
+
+    it('should allow domains from user and groups', function() {
+      acl_config.groups = {
+        group2: ['secret.example.com', 'secret1.example.com']
+      };
+      acl_config.users = {
+        user: ['test.example.com']
+      };
+
+      var allowed_domains0 = acl_builder.get_allowed_domains('user', ['group1', 'group2']); 
+      assert.deepEqual(allowed_domains0, [
+        'secret.example.com',
+        'secret1.example.com',
+        'test.example.com', 
+      ]);
+    });
+
+    it('should allow domains from several groups', function() {
+      acl_config.groups = {
+        group1: ['secret2.example.com'],
+        group2: ['secret.example.com', 'secret1.example.com']
+      };
+
+      var allowed_domains0 = acl_builder.get_allowed_domains('user', ['group1', 'group2']); 
+      assert.deepEqual(allowed_domains0, [
+        'secret2.example.com',
+        'secret.example.com',
+        'secret1.example.com',
+      ]);
+    });
+
+    it('should allow domains from several groups and default policy', function() {
+      acl_config.default = ['home.example.com'];
+      acl_config.groups = {
+        group1: ['secret2.example.com'],
+        group2: ['secret.example.com', 'secret1.example.com']
+      };
+
+      var allowed_domains0 = acl_builder.get_allowed_domains('user', ['group1', 'group2']); 
+      assert.deepEqual(allowed_domains0, [
+        'home.example.com',
+        'secret2.example.com',
+        'secret.example.com',
+        'secret1.example.com',
+      ]);
+    });
+  });
+
+  describe('building user group access control matcher', function() {
+    it('should allow access to any subdomain', function() {
+      var allowed_domains = acl_builder.get_any_domain(); 
+      assert(acl_matcher.is_domain_allowed('example.com', allowed_domains));
+      assert(acl_matcher.is_domain_allowed('mail.example.com', allowed_domains));
+      assert(acl_matcher.is_domain_allowed('test.example.com', allowed_domains));
+      assert(acl_matcher.is_domain_allowed('user.mail.example.com', allowed_domains));
+      assert(acl_matcher.is_domain_allowed('public.example.com', allowed_domains));
+      assert(acl_matcher.is_domain_allowed('example2.com', allowed_domains));
+    });
+  });
+
+  describe('check access control matching', function() {
+    beforeEach(function() {
+      acl_config.default = ['home.example.com', '*.public.example.com'];
+      acl_config.users = {
+        user1: ['user1.example.com', 'user1.mail.example.com']
+      };
+      acl_config.groups = {
+        group1: ['secret2.example.com'],
+        group2: ['secret.example.com', 'secret1.example.com']
+      };
+    });
+
+    it('should allow access to secret.example.com', function() {
+      var allowed_domains = acl_builder.get_allowed_domains('user', ['group1', 'group2']); 
+      assert(acl_matcher.is_domain_allowed('secret.example.com', allowed_domains));
+    });
+
+    it('should deny access to secret3.example.com', function() {
+      var allowed_domains = acl_builder.get_allowed_domains('user', ['group1', 'group2']); 
+      assert(!acl_matcher.is_domain_allowed('secret3.example.com', allowed_domains));
+    });
+
+    it('should allow access to home.example.com', function() {
+      var allowed_domains = acl_builder.get_allowed_domains('user', ['group1', 'group2']); 
+      assert(acl_matcher.is_domain_allowed('home.example.com', allowed_domains));
+    });
+
+    it('should allow access to user1.example.com', function() {
+      var allowed_domains = acl_builder.get_allowed_domains('user1', ['group1', 'group2']); 
+      assert(acl_matcher.is_domain_allowed('user1.example.com', allowed_domains));
+    });
+
+    it('should allow access *.public.example.com', function() {
+      var allowed_domains = acl_builder.get_allowed_domains('nouser', []); 
+      assert(acl_matcher.is_domain_allowed('user.public.example.com', allowed_domains));
+      assert(acl_matcher.is_domain_allowed('test.public.example.com', allowed_domains));
+    });
+  });
+});