2019-04-25 04:52:08 +07:00
|
|
|
package authorization
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net"
|
|
|
|
"net/url"
|
|
|
|
"testing"
|
|
|
|
|
2020-05-01 13:56:42 +07:00
|
|
|
"github.com/stretchr/testify/assert"
|
2021-06-18 08:38:01 +07:00
|
|
|
"github.com/stretchr/testify/require"
|
2019-04-25 04:52:08 +07:00
|
|
|
"github.com/stretchr/testify/suite"
|
|
|
|
|
2019-12-24 09:14:52 +07:00
|
|
|
"github.com/authelia/authelia/internal/configuration/schema"
|
2019-04-25 04:52:08 +07:00
|
|
|
)
|
|
|
|
|
|
|
|
type AuthorizerSuite struct {
|
|
|
|
suite.Suite
|
|
|
|
}
|
|
|
|
|
|
|
|
type AuthorizerTester struct {
|
|
|
|
*Authorizer
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewAuthorizerTester(config schema.AccessControlConfiguration) *AuthorizerTester {
|
2021-06-18 08:38:01 +07:00
|
|
|
fullConfig := &schema.Configuration{
|
|
|
|
AccessControl: config,
|
|
|
|
}
|
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
return &AuthorizerTester{
|
2021-06-18 08:38:01 +07:00
|
|
|
NewAuthorizer(fullConfig),
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
func (s *AuthorizerTester) CheckAuthorizations(t *testing.T, subject Subject, requestURI, method string, expectedLevel Level) {
|
2019-04-25 04:52:08 +07:00
|
|
|
url, _ := url.ParseRequestURI(requestURI)
|
2021-03-05 11:18:31 +07:00
|
|
|
|
|
|
|
object := Object{
|
|
|
|
Scheme: url.Scheme,
|
|
|
|
Domain: url.Hostname(),
|
|
|
|
Path: url.Path,
|
|
|
|
Method: method,
|
|
|
|
}
|
|
|
|
|
|
|
|
level := s.GetRequiredLevel(subject, object)
|
2019-04-25 04:52:08 +07:00
|
|
|
|
|
|
|
assert.Equal(t, expectedLevel, level)
|
|
|
|
}
|
|
|
|
|
|
|
|
type AuthorizerTesterBuilder struct {
|
|
|
|
config schema.AccessControlConfiguration
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewAuthorizerBuilder() *AuthorizerTesterBuilder {
|
|
|
|
return &AuthorizerTesterBuilder{}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *AuthorizerTesterBuilder) WithDefaultPolicy(policy string) *AuthorizerTesterBuilder {
|
|
|
|
b.config.DefaultPolicy = policy
|
|
|
|
return b
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *AuthorizerTesterBuilder) WithRule(rule schema.ACLRule) *AuthorizerTesterBuilder {
|
|
|
|
b.config.Rules = append(b.config.Rules, rule)
|
|
|
|
return b
|
|
|
|
}
|
|
|
|
|
|
|
|
func (b *AuthorizerTesterBuilder) Build() *AuthorizerTester {
|
|
|
|
return NewAuthorizerTester(b.config)
|
|
|
|
}
|
|
|
|
|
|
|
|
var AnonymousUser = Subject{
|
|
|
|
Username: "",
|
|
|
|
Groups: []string{},
|
|
|
|
IP: net.ParseIP("127.0.0.1"),
|
|
|
|
}
|
|
|
|
|
|
|
|
var UserWithGroups = Subject{
|
|
|
|
Username: "john",
|
|
|
|
Groups: []string{"dev", "admins"},
|
|
|
|
IP: net.ParseIP("10.0.0.8"),
|
|
|
|
}
|
|
|
|
|
|
|
|
var John = UserWithGroups
|
|
|
|
|
|
|
|
var UserWithoutGroups = Subject{
|
|
|
|
Username: "bob",
|
|
|
|
Groups: []string{},
|
|
|
|
IP: net.ParseIP("10.0.0.7"),
|
|
|
|
}
|
|
|
|
|
|
|
|
var Bob = UserWithoutGroups
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
var UserWithIPv6Address = Subject{
|
|
|
|
Username: "sam",
|
|
|
|
Groups: []string{},
|
|
|
|
IP: net.ParseIP("fec0::1"),
|
|
|
|
}
|
|
|
|
|
|
|
|
var Sam = UserWithIPv6Address
|
|
|
|
|
|
|
|
var UserWithIPv6AddressAndGroups = Subject{
|
|
|
|
Username: "sam",
|
|
|
|
Groups: []string{"dev", "admins"},
|
|
|
|
IP: net.ParseIP("fec0::2"),
|
|
|
|
}
|
|
|
|
|
|
|
|
var Sally = UserWithIPv6AddressAndGroups
|
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
func (s *AuthorizerSuite) TestShouldCheckDefaultBypassConfig() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(bypass).Build()
|
2019-04-25 04:52:08 +07:00
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithoutGroups, "https://public.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithoutGroups, "https://public.example.com/elsewhere", "GET", Bypass)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AuthorizerSuite) TestShouldCheckDefaultDeniedConfig() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).Build()
|
2019-04-25 04:52:08 +07:00
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example.com/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithoutGroups, "https://public.example.com/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithoutGroups, "https://public.example.com/elsewhere", "GET", Denied)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AuthorizerSuite) TestShouldCheckMultiDomainRule() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2019-04-25 04:52:08 +07:00
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"*.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2019-04-25 04:52:08 +07:00
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://private.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/elsewhere", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://example.com/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com.c/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.co/", "GET", Denied)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AuthorizerSuite) TestShouldCheckDynamicDomainRules() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2021-03-05 11:18:31 +07:00
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"{user}.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2021-03-05 11:18:31 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"{group}.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2021-03-05 11:18:31 +07:00
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://john.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://dev.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://admins.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://othergroup.example.com/", "GET", Denied)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
2020-04-16 07:18:11 +07:00
|
|
|
func (s *AuthorizerSuite) TestShouldCheckMultipleDomainRule() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2020-04-16 07:18:11 +07:00
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"*.example.com", "other.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2020-04-16 07:18:11 +07:00
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://private.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/elsewhere", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://example.com/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com.c/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.co/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://other.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://other.com/elsewhere", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://private.other.com/", "GET", Denied)
|
2020-04-16 07:18:11 +07:00
|
|
|
}
|
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
func (s *AuthorizerSuite) TestShouldCheckFactorsPolicy() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2019-04-25 04:52:08 +07:00
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"single.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2019-04-25 04:52:08 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: twoFactor,
|
2019-04-25 04:52:08 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"public.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2019-04-25 04:52:08 +07:00
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://public.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://protected.example.com/", "GET", TwoFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://single.example.com/", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), UserWithGroups, "https://example.com/", "GET", Denied)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AuthorizerSuite) TestShouldCheckRulePrecedence() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2019-04-25 04:52:08 +07:00
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2020-06-25 15:22:42 +07:00
|
|
|
Subjects: [][]string{{"user:john"}},
|
2019-04-25 04:52:08 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2019-04-25 04:52:08 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"*.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: twoFactor,
|
2019-04-25 04:52:08 +07:00
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://public.example.com/", "GET", TwoFactor)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AuthorizerSuite) TestShouldCheckUserMatching() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2019-04-25 04:52:08 +07:00
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2020-06-25 15:22:42 +07:00
|
|
|
Subjects: [][]string{{"user:john"}},
|
2019-04-25 04:52:08 +07:00
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", "GET", Denied)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AuthorizerSuite) TestShouldCheckGroupMatching() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2019-04-25 04:52:08 +07:00
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2020-06-25 15:22:42 +07:00
|
|
|
Subjects: [][]string{{"group:admins"}},
|
2019-04-25 04:52:08 +07:00
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", "GET", Denied)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
2020-04-16 07:18:11 +07:00
|
|
|
func (s *AuthorizerSuite) TestShouldCheckSubjectsMatching() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2020-04-16 07:18:11 +07:00
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2020-06-25 15:22:42 +07:00
|
|
|
Subjects: [][]string{{"group:admins"}, {"user:bob"}},
|
2020-04-16 07:18:11 +07:00
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Sam, "https://protected.example.com/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", "GET", OneFactor)
|
2020-04-16 07:18:11 +07:00
|
|
|
}
|
|
|
|
|
2020-06-25 15:22:42 +07:00
|
|
|
func (s *AuthorizerSuite) TestShouldCheckMultipleSubjectsMatching() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2020-06-25 15:22:42 +07:00
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2020-06-25 15:22:42 +07:00
|
|
|
Subjects: [][]string{{"group:admins", "user:bob"}, {"group:admins", "group:dev"}},
|
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", "GET", OneFactor)
|
2020-06-25 15:22:42 +07:00
|
|
|
}
|
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
func (s *AuthorizerSuite) TestShouldCheckIPMatching() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2019-04-25 04:52:08 +07:00
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2019-04-25 04:52:08 +07:00
|
|
|
Networks: []string{"192.168.1.8", "10.0.0.8"},
|
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2019-04-25 04:52:08 +07:00
|
|
|
Networks: []string{"10.0.0.7"},
|
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"net.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: twoFactor,
|
2019-04-25 04:52:08 +07:00
|
|
|
Networks: []string{"10.0.0.0/8"},
|
|
|
|
}).
|
2021-03-05 11:18:31 +07:00
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"ipv6.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: twoFactor,
|
2021-03-05 11:18:31 +07:00
|
|
|
Networks: []string{"fec0::1/64"},
|
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"ipv6-alt.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: twoFactor,
|
2021-03-05 11:18:31 +07:00
|
|
|
Networks: []string{"fec0::1"},
|
|
|
|
}).
|
2019-04-25 04:52:08 +07:00
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", "GET", Denied)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://net.example.com/", "GET", TwoFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://net.example.com/", "GET", TwoFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://net.example.com/", "GET", Denied)
|
2019-04-25 04:52:08 +07:00
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), Sally, "https://ipv6-alt.example.com/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), Sam, "https://ipv6-alt.example.com/", "GET", TwoFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Sally, "https://ipv6.example.com/", "GET", TwoFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Sam, "https://ipv6.example.com/", "GET", TwoFactor)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AuthorizerSuite) TestShouldCheckMethodMatching() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2021-03-05 11:18:31 +07:00
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2021-03-05 11:18:31 +07:00
|
|
|
Methods: []string{"OPTIONS", "HEAD", "GET", "CONNECT", "TRACE"},
|
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2021-03-05 11:18:31 +07:00
|
|
|
Methods: []string{"PUT", "PATCH", "POST"},
|
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"protected.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: twoFactor,
|
2021-03-05 11:18:31 +07:00
|
|
|
Methods: []string{"DELETE"},
|
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", "OPTIONS", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", "HEAD", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", "CONNECT", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", "TRACE", Bypass)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://protected.example.com/", "PUT", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://protected.example.com/", "PATCH", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", "POST", OneFactor)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://protected.example.com/", "DELETE", TwoFactor)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AuthorizerSuite) TestShouldCheckResourceMatching() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2019-04-25 04:52:08 +07:00
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"resource.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2019-04-25 04:52:08 +07:00
|
|
|
Resources: []string{"^/bypass/[a-z]+$", "^/$", "embedded"},
|
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
2020-04-16 07:18:11 +07:00
|
|
|
Domains: []string{"resource.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2019-04-25 04:52:08 +07:00
|
|
|
Resources: []string{"^/one_factor/[a-z]+$"},
|
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
2021-03-05 11:18:31 +07:00
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/abc", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/bypass/ABC", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/one_factor/abc", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://resource.example.com/xyz/embedded/abc", "GET", Bypass)
|
|
|
|
}
|
|
|
|
|
|
|
|
// This test assures that rules without domains (not allowed by schema validator at this time) will pass validation correctly.
|
|
|
|
func (s *AuthorizerSuite) TestShouldMatchAnyDomainIfBlank() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
|
|
|
WithRule(schema.ACLRule{
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2021-03-05 11:18:31 +07:00
|
|
|
Methods: []string{"OPTIONS", "HEAD", "GET", "CONNECT", "TRACE"},
|
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2021-03-05 11:18:31 +07:00
|
|
|
Methods: []string{"PUT", "PATCH"},
|
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: twoFactor,
|
2021-03-05 11:18:31 +07:00
|
|
|
Methods: []string{"DELETE"},
|
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://one.domain-four.com", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-three.com", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-two.com", "OPTIONS", Bypass)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://one.domain-four.com", "PUT", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-three.com", "PATCH", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-two.com", "PUT", OneFactor)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://one.domain-four.com", "DELETE", TwoFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-three.com", "DELETE", TwoFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-two.com", "DELETE", TwoFactor)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://one.domain-four.com", "POST", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-three.com", "POST", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://one.domain-two.com", "POST", Denied)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *AuthorizerSuite) TestShouldMatchResourceWithSubjectRules() {
|
|
|
|
tester := NewAuthorizerBuilder().
|
2021-06-18 08:38:01 +07:00
|
|
|
WithDefaultPolicy(deny).
|
2021-03-05 11:18:31 +07:00
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"public.example.com"},
|
|
|
|
Resources: []string{"^/admin/.*$"},
|
|
|
|
Subjects: [][]string{{"group:admins"}},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: oneFactor,
|
2021-03-05 11:18:31 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"public.example.com"},
|
|
|
|
Resources: []string{"^/admin/.*$"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: deny,
|
2021-03-05 11:18:31 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"public.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2021-03-05 11:18:31 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"public2.example.com"},
|
|
|
|
Resources: []string{"^/admin/.*$"},
|
|
|
|
Subjects: [][]string{{"group:admins"}},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2021-03-05 11:18:31 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"public2.example.com"},
|
|
|
|
Resources: []string{"^/admin/.*$"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: deny,
|
2021-03-05 11:18:31 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"public2.example.com"},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: bypass,
|
2021-03-05 11:18:31 +07:00
|
|
|
}).
|
|
|
|
WithRule(schema.ACLRule{
|
|
|
|
Domains: []string{"private.example.com"},
|
|
|
|
Subjects: [][]string{{"group:admins"}},
|
2021-06-18 08:38:01 +07:00
|
|
|
Policy: twoFactor,
|
2021-03-05 11:18:31 +07:00
|
|
|
}).
|
|
|
|
Build()
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://public.example.com", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://public.example.com", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example.com", "GET", Bypass)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://public.example.com/admin/index.html", "GET", OneFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://public.example.com/admin/index.html", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public.example.com/admin/index.html", "GET", OneFactor)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://public2.example.com", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://public2.example.com", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public2.example.com", "GET", Bypass)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://public2.example.com/admin/index.html", "GET", Bypass)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://public2.example.com/admin/index.html", "GET", Denied)
|
|
|
|
|
|
|
|
// This test returns this result since we validate the schema instead of validating it in code.
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://public2.example.com/admin/index.html", "GET", Bypass)
|
|
|
|
|
|
|
|
tester.CheckAuthorizations(s.T(), John, "https://private.example.com", "GET", TwoFactor)
|
|
|
|
tester.CheckAuthorizations(s.T(), Bob, "https://private.example.com", "GET", Denied)
|
|
|
|
tester.CheckAuthorizations(s.T(), AnonymousUser, "https://private.example.com", "GET", TwoFactor)
|
2019-04-25 04:52:08 +07:00
|
|
|
}
|
|
|
|
|
2020-02-05 04:18:02 +07:00
|
|
|
func (s *AuthorizerSuite) TestPolicyToLevel() {
|
2021-06-18 08:38:01 +07:00
|
|
|
s.Assert().Equal(Bypass, PolicyToLevel(bypass))
|
|
|
|
s.Assert().Equal(OneFactor, PolicyToLevel(oneFactor))
|
|
|
|
s.Assert().Equal(TwoFactor, PolicyToLevel(twoFactor))
|
|
|
|
s.Assert().Equal(Denied, PolicyToLevel(deny))
|
2020-02-05 04:18:02 +07:00
|
|
|
|
|
|
|
s.Assert().Equal(Denied, PolicyToLevel("whatever"))
|
|
|
|
}
|
|
|
|
|
2019-04-25 04:52:08 +07:00
|
|
|
func TestRunSuite(t *testing.T) {
|
|
|
|
s := AuthorizerSuite{}
|
|
|
|
suite.Run(t, &s)
|
|
|
|
}
|
2021-06-18 08:38:01 +07:00
|
|
|
|
|
|
|
func TestNewAuthorizer(t *testing.T) {
|
|
|
|
config := &schema.Configuration{
|
|
|
|
AccessControl: schema.AccessControlConfiguration{
|
|
|
|
DefaultPolicy: deny,
|
|
|
|
Rules: []schema.ACLRule{
|
|
|
|
{
|
|
|
|
Domains: []string{"example.com"},
|
|
|
|
Policy: twoFactor,
|
|
|
|
Subjects: [][]string{
|
|
|
|
{
|
|
|
|
"user:admin",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
"group:admins",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
authorizer := NewAuthorizer(config)
|
|
|
|
|
|
|
|
assert.Equal(t, Denied, authorizer.defaultPolicy)
|
|
|
|
assert.Equal(t, TwoFactor, authorizer.rules[0].Policy)
|
|
|
|
|
|
|
|
user, ok := authorizer.rules[0].Subjects[0].Subjects[0].(AccessControlUser)
|
|
|
|
require.True(t, ok)
|
|
|
|
assert.Equal(t, "admin", user.Name)
|
|
|
|
|
|
|
|
group, ok := authorizer.rules[0].Subjects[1].Subjects[0].(AccessControlGroup)
|
|
|
|
require.True(t, ok)
|
|
|
|
assert.Equal(t, "admins", group.Name)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthorizerIsSecondFactorEnabledRuleWithNoOIDC(t *testing.T) {
|
|
|
|
config := &schema.Configuration{
|
|
|
|
AccessControl: schema.AccessControlConfiguration{
|
|
|
|
DefaultPolicy: deny,
|
|
|
|
Rules: []schema.ACLRule{
|
|
|
|
{
|
|
|
|
Domains: []string{"example.com"},
|
|
|
|
Policy: oneFactor,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
authorizer := NewAuthorizer(config)
|
|
|
|
assert.False(t, authorizer.IsSecondFactorEnabled())
|
|
|
|
|
|
|
|
authorizer.rules[0].Policy = TwoFactor
|
|
|
|
assert.True(t, authorizer.IsSecondFactorEnabled())
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthorizerIsSecondFactorEnabledRuleWithOIDC(t *testing.T) {
|
|
|
|
config := &schema.Configuration{
|
|
|
|
AccessControl: schema.AccessControlConfiguration{
|
|
|
|
DefaultPolicy: deny,
|
|
|
|
Rules: []schema.ACLRule{
|
|
|
|
{
|
|
|
|
Domains: []string{"example.com"},
|
|
|
|
Policy: oneFactor,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
IdentityProviders: schema.IdentityProvidersConfiguration{
|
|
|
|
OIDC: &schema.OpenIDConnectConfiguration{
|
|
|
|
Clients: []schema.OpenIDConnectClientConfiguration{
|
|
|
|
{
|
|
|
|
Policy: oneFactor,
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
authorizer := NewAuthorizer(config)
|
|
|
|
assert.False(t, authorizer.IsSecondFactorEnabled())
|
|
|
|
|
|
|
|
authorizer.rules[0].Policy = TwoFactor
|
|
|
|
assert.True(t, authorizer.IsSecondFactorEnabled())
|
|
|
|
|
|
|
|
authorizer.rules[0].Policy = OneFactor
|
|
|
|
assert.False(t, authorizer.IsSecondFactorEnabled())
|
|
|
|
|
|
|
|
config.IdentityProviders.OIDC.Clients[0].Policy = twoFactor
|
|
|
|
|
|
|
|
assert.True(t, authorizer.IsSecondFactorEnabled())
|
|
|
|
|
|
|
|
authorizer.rules[0].Policy = OneFactor
|
|
|
|
config.IdentityProviders.OIDC.Clients[0].Policy = oneFactor
|
|
|
|
|
|
|
|
assert.False(t, authorizer.IsSecondFactorEnabled())
|
|
|
|
|
|
|
|
authorizer.defaultPolicy = TwoFactor
|
|
|
|
|
|
|
|
assert.True(t, authorizer.IsSecondFactorEnabled())
|
|
|
|
}
|