2021-03-05 11:18:31 +07:00
|
|
|
package authorization
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net"
|
|
|
|
|
2021-08-11 08:04:35 +07:00
|
|
|
"github.com/authelia/authelia/v4/internal/configuration/schema"
|
|
|
|
"github.com/authelia/authelia/v4/internal/utils"
|
2021-03-05 11:18:31 +07:00
|
|
|
)
|
|
|
|
|
|
|
|
// NewAccessControlRules converts a schema.AccessControlConfiguration into an AccessControlRule slice.
|
|
|
|
func NewAccessControlRules(config schema.AccessControlConfiguration) (rules []*AccessControlRule) {
|
|
|
|
networksMap, networksCacheMap := parseSchemaNetworks(config.Networks)
|
|
|
|
|
2021-04-14 17:53:23 +07:00
|
|
|
for i, schemaRule := range config.Rules {
|
|
|
|
rules = append(rules, NewAccessControlRule(i+1, schemaRule, networksMap, networksCacheMap))
|
2021-03-05 11:18:31 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
return rules
|
|
|
|
}
|
|
|
|
|
|
|
|
// NewAccessControlRule parses a schema ACL and generates an internal ACL.
|
2021-04-14 17:53:23 +07:00
|
|
|
func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][]*net.IPNet, networksCacheMap map[string]*net.IPNet) *AccessControlRule {
|
2021-03-05 11:18:31 +07:00
|
|
|
return &AccessControlRule{
|
2021-04-14 17:53:23 +07:00
|
|
|
Position: pos,
|
2022-04-01 18:38:49 +07:00
|
|
|
Domains: schemaDomainsToACL(rule.Domains, rule.DomainsRegex),
|
2021-03-05 11:18:31 +07:00
|
|
|
Resources: schemaResourcesToACL(rule.Resources),
|
|
|
|
Methods: schemaMethodsToACL(rule.Methods),
|
|
|
|
Networks: schemaNetworksToACL(rule.Networks, networksMap, networksCacheMap),
|
|
|
|
Subjects: schemaSubjectsToACL(rule.Subjects),
|
|
|
|
Policy: PolicyToLevel(rule.Policy),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AccessControlRule controls and represents an ACL internally.
|
|
|
|
type AccessControlRule struct {
|
2021-04-14 17:53:23 +07:00
|
|
|
Position int
|
2022-04-01 18:38:49 +07:00
|
|
|
Domains []SubjectObjectMatcher
|
2021-03-05 11:18:31 +07:00
|
|
|
Resources []AccessControlResource
|
|
|
|
Methods []string
|
|
|
|
Networks []*net.IPNet
|
|
|
|
Subjects []AccessControlSubjects
|
|
|
|
Policy Level
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsMatch returns true if all elements of an AccessControlRule match the object and subject.
|
|
|
|
func (acr *AccessControlRule) IsMatch(subject Subject, object Object) (match bool) {
|
|
|
|
if !isMatchForDomains(subject, object, acr) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
if !isMatchForResources(object, acr) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
if !isMatchForMethods(object, acr) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
if !isMatchForNetworks(subject, acr) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
if !isMatchForSubjects(subject, acr) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
func isMatchForDomains(subject Subject, object Object, acl *AccessControlRule) (match bool) {
|
|
|
|
// If there are no domains in this rule then the domain condition is a match.
|
|
|
|
if len(acl.Domains) == 0 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Iterate over the domains until we find a match (return true) or until we exit the loop (return false).
|
|
|
|
for _, domain := range acl.Domains {
|
|
|
|
if domain.IsMatch(subject, object) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func isMatchForResources(object Object, acl *AccessControlRule) (match bool) {
|
|
|
|
// If there are no resources in this rule then the resource condition is a match.
|
|
|
|
if len(acl.Resources) == 0 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Iterate over the resources until we find a match (return true) or until we exit the loop (return false).
|
|
|
|
for _, resource := range acl.Resources {
|
|
|
|
if resource.IsMatch(object) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
func isMatchForMethods(object Object, acl *AccessControlRule) (match bool) {
|
|
|
|
// If there are no methods in this rule then the method condition is a match.
|
|
|
|
if len(acl.Methods) == 0 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
return utils.IsStringInSlice(object.Method, acl.Methods)
|
|
|
|
}
|
|
|
|
|
|
|
|
func isMatchForNetworks(subject Subject, acl *AccessControlRule) (match bool) {
|
|
|
|
// If there are no networks in this rule then the network condition is a match.
|
|
|
|
if len(acl.Networks) == 0 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// Iterate over the networks until we find a match (return true) or until we exit the loop (return false).
|
|
|
|
for _, network := range acl.Networks {
|
|
|
|
if network.Contains(subject.IP) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2022-02-28 10:15:01 +07:00
|
|
|
// Same as isExactMatchForSubjects except it theoretically matches if subject is anonymous since they'd need to authenticate.
|
2021-03-05 11:18:31 +07:00
|
|
|
func isMatchForSubjects(subject Subject, acl *AccessControlRule) (match bool) {
|
2022-02-28 10:15:01 +07:00
|
|
|
if subject.IsAnonymous() {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
return isExactMatchForSubjects(subject, acl)
|
|
|
|
}
|
|
|
|
|
|
|
|
func isExactMatchForSubjects(subject Subject, acl *AccessControlRule) (match bool) {
|
2021-03-05 11:18:31 +07:00
|
|
|
// If there are no subjects in this rule then the subject condition is a match.
|
2022-02-28 10:15:01 +07:00
|
|
|
if len(acl.Subjects) == 0 {
|
2021-03-05 11:18:31 +07:00
|
|
|
return true
|
2022-02-28 10:15:01 +07:00
|
|
|
} else if subject.IsAnonymous() {
|
|
|
|
return false
|
2021-03-05 11:18:31 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
// Iterate over the subjects until we find a match (return true) or until we exit the loop (return false).
|
|
|
|
for _, subjectRule := range acl.Subjects {
|
|
|
|
if subjectRule.IsMatch(subject) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false
|
|
|
|
}
|