feat(configuration): allow rfc4918 http verbs in acl (#2988)
This allows the HTTP Method verbs from RFC4918 to be used. See https://datatracker.ietf.org/doc/html/rfc4918 for more information.
This commit is contained in:
parent
c3faa38d72
commit
b2d35d88ec
|
@ -637,7 +637,23 @@ components:
|
||||||
explode: true
|
explode: true
|
||||||
schema:
|
schema:
|
||||||
type: string
|
type: string
|
||||||
enum: ["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"]
|
enum:
|
||||||
|
- "GET"
|
||||||
|
- "HEAD"
|
||||||
|
- "POST"
|
||||||
|
- "PUT"
|
||||||
|
- "PATCH"
|
||||||
|
- "DELETE"
|
||||||
|
- "TRACE"
|
||||||
|
- "CONNECT"
|
||||||
|
- "OPTIONS"
|
||||||
|
- "COPY"
|
||||||
|
- "LOCK"
|
||||||
|
- "MKCOL"
|
||||||
|
- "MOVE"
|
||||||
|
- "PROPFIND"
|
||||||
|
- "PROPPATCH"
|
||||||
|
- "UNLOCK"
|
||||||
authParam:
|
authParam:
|
||||||
name: auth
|
name: auth
|
||||||
in: query
|
in: query
|
||||||
|
|
|
@ -271,8 +271,16 @@ access_control:
|
||||||
- OPTIONS
|
- OPTIONS
|
||||||
```
|
```
|
||||||
|
|
||||||
The valid request methods are: OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE, TRACE, CONNECT. Additional information
|
The accepted and valid methods for this configuration option are those specified in well known RFC's. The RFC's and the
|
||||||
about HTTP request methods can be found on the [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods).
|
relevant methods are listed in this table:
|
||||||
|
|
||||||
|
| RFC | Methods | Additional Documentation |
|
||||||
|
|:--------------------------------------------------------:|:-----------------------------------------------------:|:----------------------------------------------------------------:|
|
||||||
|
| [RFC7231](https://datatracker.ietf.org/doc/html/rfc7231) | GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE | [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) |
|
||||||
|
| [RFC5789](https://datatracker.ietf.org/doc/html/rfc5789) | PATCH | [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) |
|
||||||
|
| [RFC4918](https://datatracker.ietf.org/doc/html/rfc4918) | PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK | |
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
### networks
|
### networks
|
||||||
<div markdown="1">
|
<div markdown="1">
|
||||||
|
|
|
@ -147,8 +147,8 @@ func validateSubjects(rulePosition int, rule schema.ACLRule, validator *schema.S
|
||||||
|
|
||||||
func validateMethods(rulePosition int, rule schema.ACLRule, validator *schema.StructValidator) {
|
func validateMethods(rulePosition int, rule schema.ACLRule, validator *schema.StructValidator) {
|
||||||
for _, method := range rule.Methods {
|
for _, method := range rule.Methods {
|
||||||
if !utils.IsStringInSliceFold(method, validACLRuleMethods) {
|
if !utils.IsStringInSliceFold(method, validACLHTTPMethodVerbs) {
|
||||||
validator.Push(fmt.Errorf(errFmtAccessControlRuleMethodInvalid, ruleDescriptor(rulePosition, rule), method, strings.Join(validACLRuleMethods, "', '")))
|
validator.Push(fmt.Errorf(errFmtAccessControlRuleMethodInvalid, ruleDescriptor(rulePosition, rule), method, strings.Join(validACLHTTPMethodVerbs, "', '")))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
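Review bot: validateMethods has no doc comment, and the one behavioural fact worth recording is that membership is tested with the Fold variant of the helper, so a lowercase or mixed-case verb in the configuration passes validation even though the documentation table and the OpenAPI enum in this same commit list the verbs in uppercase only. Suggest `// validateMethods records an error for every entry of rule.Methods that is not one of validACLHTTPMethodVerbs; the comparison is case-insensitive.` above the signature. Whether the runtime ACL matcher normalises case the same way is not visible here; if it does not, a value such as `propfind` would be accepted by this validator and then never match a request. The whole function is contained in the hunk.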
@ -152,7 +152,7 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidMethod() {
|
||||||
suite.Assert().False(suite.validator.HasWarnings())
|
suite.Assert().False(suite.validator.HasWarnings())
|
||||||
suite.Require().Len(suite.validator.Errors(), 1)
|
suite.Require().Len(suite.validator.Errors(), 1)
|
||||||
|
|
||||||
suite.Assert().EqualError(suite.validator.Errors()[0], "access control: rule #1 (domain 'public.example.com'): 'methods' option 'HOP' is invalid: must be one of 'GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'TRACE', 'CONNECT', 'OPTIONS'")
|
suite.Assert().EqualError(suite.validator.Errors()[0], "access control: rule #1 (domain 'public.example.com'): 'methods' option 'HOP' is invalid: must be one of 'GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'TRACE', 'CONNECT', 'OPTIONS', 'COPY', 'LOCK', 'MKCOL', 'MOVE', 'PROPFIND', 'PROPPATCH', 'UNLOCK'")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (suite *AccessControl) TestShouldRaiseErrorInvalidResource() {
|
func (suite *AccessControl) TestShouldRaiseErrorInvalidResource() {
|
||||||
|
|
|
@ -256,7 +256,11 @@ var validLoLevels = []string{"trace", "debug", "info", "warn", "error"}
|
||||||
var validWebauthnConveyancePreferences = []string{string(protocol.PreferNoAttestation), string(protocol.PreferIndirectAttestation), string(protocol.PreferDirectAttestation)}
|
var validWebauthnConveyancePreferences = []string{string(protocol.PreferNoAttestation), string(protocol.PreferIndirectAttestation), string(protocol.PreferDirectAttestation)}
|
||||||
var validWebauthnUserVerificationRequirement = []string{string(protocol.VerificationDiscouraged), string(protocol.VerificationPreferred), string(protocol.VerificationRequired)}
|
var validWebauthnUserVerificationRequirement = []string{string(protocol.VerificationDiscouraged), string(protocol.VerificationPreferred), string(protocol.VerificationRequired)}
|
||||||
|
|
||||||
var validACLRuleMethods = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}
|
var validRFC7231HTTPMethodVerbs = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}
|
||||||
|
var validRFC4918HTTPMethodVerbs = []string{"COPY", "LOCK", "MKCOL", "MOVE", "PROPFIND", "PROPPATCH", "UNLOCK"}
|
||||||
|
|
||||||
|
var validACLHTTPMethodVerbs = append(validRFC7231HTTPMethodVerbs, validRFC4918HTTPMethodVerbs...)
|
||||||
|
|
||||||
var validACLRulePolicies = []string{policyBypass, policyOneFactor, policyTwoFactor, policyDeny}
|
var validACLRulePolicies = []string{policyBypass, policyOneFactor, policyTwoFactor, policyDeny}
|
||||||
|
|
||||||
var validOIDCScopes = []string{oidc.ScopeOpenID, oidc.ScopeEmail, oidc.ScopeProfile, oidc.ScopeGroups, "offline_access"}
|
var validOIDCScopes = []string{oidc.ScopeOpenID, oidc.ScopeEmail, oidc.ScopeProfile, oidc.ScopeGroups, "offline_access"}
|
||||||
|
|
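Review bot: PATCH is placed in validRFC7231HTTPMethodVerbs, but PATCH is defined by RFC 5789, as the documentation table added in this same commit states, so the variable name misattributes it. Either give the slice a neutral name or split it out as `var validRFC5789HTTPMethodVerbs = []string{"PATCH"}` and include it in the final `append`. Building validACLHTTPMethodVerbs with `append` on a package-level slice is only free of aliasing because a slice literal's capacity equals its length, which forces a fresh backing array; a comment such as `// append allocates a new array here because the literal above has cap == len; keep it that way so the slices do not alias` would protect that assumption. TestShouldRaiseErrorInvalidMethod asserts the joined order of this slice, so any reordering must update that expected string as well.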