191 lines
5.2 KiB
Go
191 lines
5.2 KiB
Go
package authorization
|
|
|
|
import (
|
|
"net"
|
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
|
"github.com/authelia/authelia/v4/internal/utils"
|
|
)
|
|
|
|
// NewAccessControlRules converts a schema.AccessControl into an AccessControlRule slice.
|
|
func NewAccessControlRules(config schema.AccessControl) (rules []*AccessControlRule) {
|
|
networksMap, networksCacheMap := parseSchemaNetworks(config.Networks)
|
|
|
|
for i, schemaRule := range config.Rules {
|
|
rules = append(rules, NewAccessControlRule(i+1, schemaRule, networksMap, networksCacheMap))
|
|
}
|
|
|
|
return rules
|
|
}
|
|
|
|
// NewAccessControlRule parses a schema ACL and generates an internal ACL.
|
|
func NewAccessControlRule(pos int, rule schema.AccessControlRule, networksMap map[string][]*net.IPNet, networksCacheMap map[string]*net.IPNet) *AccessControlRule {
|
|
r := &AccessControlRule{
|
|
Position: pos,
|
|
Query: NewAccessControlQuery(rule.Query),
|
|
Methods: schemaMethodsToACL(rule.Methods),
|
|
Networks: schemaNetworksToACL(rule.Networks, networksMap, networksCacheMap),
|
|
Subjects: schemaSubjectsToACL(rule.Subjects),
|
|
Policy: NewLevel(rule.Policy),
|
|
}
|
|
|
|
if len(r.Subjects) != 0 {
|
|
r.HasSubjects = true
|
|
}
|
|
|
|
ruleAddDomain(rule.Domains, r)
|
|
ruleAddDomainRegex(rule.DomainsRegex, r)
|
|
ruleAddResources(rule.Resources, r)
|
|
|
|
return r
|
|
}
|
|
|
|
// AccessControlRule controls and represents an ACL internally.
|
|
type AccessControlRule struct {
|
|
HasSubjects bool
|
|
|
|
Position int
|
|
Domains []AccessControlDomain
|
|
Resources []AccessControlResource
|
|
Query []AccessControlQuery
|
|
Methods []string
|
|
Networks []*net.IPNet
|
|
Subjects []AccessControlSubjects
|
|
Policy Level
|
|
}
|
|
|
|
// IsMatch returns true if all elements of an AccessControlRule match the object and subject.
|
|
func (acr *AccessControlRule) IsMatch(subject Subject, object Object) (match bool) {
|
|
if !acr.MatchesDomains(subject, object) {
|
|
return false
|
|
}
|
|
|
|
if !acr.MatchesResources(subject, object) {
|
|
return false
|
|
}
|
|
|
|
if !acr.MatchesQuery(object) {
|
|
return false
|
|
}
|
|
|
|
if !acr.MatchesMethods(object) {
|
|
return false
|
|
}
|
|
|
|
if !acr.MatchesNetworks(subject) {
|
|
return false
|
|
}
|
|
|
|
if !acr.MatchesSubjects(subject) {
|
|
return false
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// MatchesDomains returns true if the rule matches the domains.
|
|
func (acr *AccessControlRule) MatchesDomains(subject Subject, object Object) (matches bool) {
|
|
// If there are no domains in this rule then the domain condition is a match.
|
|
if len(acr.Domains) == 0 {
|
|
return true
|
|
}
|
|
|
|
// Iterate over the domains until we find a match (return true) or until we exit the loop (return false).
|
|
for _, domain := range acr.Domains {
|
|
if domain.IsMatch(subject, object) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// MatchesResources returns true if the rule matches the resources.
|
|
func (acr *AccessControlRule) MatchesResources(subject Subject, object Object) (matches bool) {
|
|
// If there are no resources in this rule then the resource condition is a match.
|
|
if len(acr.Resources) == 0 {
|
|
return true
|
|
}
|
|
|
|
// Iterate over the resources until we find a match (return true) or until we exit the loop (return false).
|
|
for _, resource := range acr.Resources {
|
|
if resource.IsMatch(subject, object) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// MatchesQuery returns true if the rule matches the query arguments.
|
|
func (acr *AccessControlRule) MatchesQuery(object Object) (match bool) {
|
|
// If there are no query rules in this rule then the query condition is a match.
|
|
if len(acr.Query) == 0 {
|
|
return true
|
|
}
|
|
|
|
// Iterate over the queries until we find a match (return true) or until we exit the loop (return false).
|
|
for _, query := range acr.Query {
|
|
if query.IsMatch(object) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// MatchesMethods returns true if the rule matches the method.
|
|
func (acr *AccessControlRule) MatchesMethods(object Object) (match bool) {
|
|
// If there are no methods in this rule then the method condition is a match.
|
|
if len(acr.Methods) == 0 {
|
|
return true
|
|
}
|
|
|
|
return utils.IsStringInSlice(object.Method, acr.Methods)
|
|
}
|
|
|
|
// MatchesNetworks returns true if the rule matches the networks.
|
|
func (acr *AccessControlRule) MatchesNetworks(subject Subject) (match bool) {
|
|
// If there are no networks in this rule then the network condition is a match.
|
|
if len(acr.Networks) == 0 {
|
|
return true
|
|
}
|
|
|
|
// Iterate over the networks until we find a match (return true) or until we exit the loop (return false).
|
|
for _, network := range acr.Networks {
|
|
if network.Contains(subject.IP) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// MatchesSubjects returns true if the rule matches the subjects.
|
|
func (acr *AccessControlRule) MatchesSubjects(subject Subject) (match bool) {
|
|
if subject.IsAnonymous() {
|
|
return true
|
|
}
|
|
|
|
return acr.MatchesSubjectExact(subject)
|
|
}
|
|
|
|
// MatchesSubjectExact returns true if the rule matches the subjects exactly.
|
|
func (acr *AccessControlRule) MatchesSubjectExact(subject Subject) (match bool) {
|
|
// If there are no subjects in this rule then the subject condition is a match.
|
|
if len(acr.Subjects) == 0 {
|
|
return true
|
|
} else if subject.IsAnonymous() {
|
|
return false
|
|
}
|
|
|
|
// Iterate over the subjects until we find a match (return true) or until we exit the loop (return false).
|
|
for _, subjectRule := range acr.Subjects {
|
|
if subjectRule.IsMatch(subject) {
|
|
return true
|
|
}
|
|
}
|
|
|
|
return false
|
|
}
|