From b403cfe2f8539681cb2cdb1cc2bf7f893c81ac70 Mon Sep 17 00:00:00 2001 From: Clement Michaud Date: Sat, 25 Mar 2017 18:38:14 +0100 Subject: [PATCH] Rework the configuration of the access control to allow default policy for certain domains --- config.template.yml | 24 ++-- example/nginx_conf/index.html | 79 ++++++++++- example/nginx_conf/nginx.conf | 4 +- example/nginx_conf/secret.html | 3 +- src/lib/access_control.js | 84 ++++++++++++ src/lib/routes/first_factor.js | 10 +- src/lib/routes/verify.js | 20 ++- src/lib/server.js | 3 + test/unitary/routes/test_first_factor.js | 37 +++--- test/unitary/routes/test_verify.js | 23 ++-- test/unitary/test_access_control.js | 160 +++++++++++++++++++++++ 11 files changed, 387 insertions(+), 60 deletions(-) create mode 100644 src/lib/access_control.js create mode 100644 test/unitary/test_access_control.js diff --git a/config.template.yml b/config.template.yml index d258a2a9..789e6108 100644 --- a/config.template.yml +++ b/config.template.yml @@ -43,17 +43,19 @@ ldap: # is allowed to everyone. # Otherwise, the default policy is denied for any user and any subdomain. access_control: - - group: admin - allowed_domains: - - secret.test.local - - secret1.test.local - - secret2.test.local - - group: dev - allowed_domains: - - secret2.test.local - - user: harry - allowed_domains: - - secret1.test.local + default: + - home.test.local + groups: + admin: + - '*.test.local' + dev: + - secret.test.local + - secret2.test.local + users: + harry: + - secret1.test.local + bob: + - '*.mail.test.local' # Configuration of session cookies diff --git a/example/nginx_conf/index.html b/example/nginx_conf/index.html index c59b1e20..6eb9a534 100644 --- a/example/nginx_conf/index.html +++ b/example/nginx_conf/index.html @@ -3,8 +3,81 @@ Home page - You need to log in to access the secret!

- But you can also access it from another domain or still another one.

- You can also log off by visiting the following link. +

Access the secret

+ You need to log in to access the secret!

+ Try to access it via one of the following links.
+ + + You can also log off by visiting the following link. + +

List of users

+ Here is the list of credentials you can log in with to test access control. + + + +

Access control rules

+ + + diff --git a/example/nginx_conf/nginx.conf b/example/nginx_conf/nginx.conf index cfb8c62e..4cce9207 100644 --- a/example/nginx_conf/nginx.conf +++ b/example/nginx_conf/nginx.conf @@ -60,7 +60,9 @@ http { listen 443 ssl; root /usr/share/nginx/html; - server_name secret1.test.local secret2.test.local secret.test.local localhost; + server_name secret1.test.local secret2.test.local secret.test.local + home.test.local mx1.mail.test.local mx2.mail.test.local + localhost; ssl on; ssl_certificate /etc/ssl/server.crt; diff --git a/example/nginx_conf/secret.html b/example/nginx_conf/secret.html index b0f43b63..8b44155a 100644 --- a/example/nginx_conf/secret.html +++ b/example/nginx_conf/secret.html @@ -3,6 +3,7 @@ Secret - This is a very important secret! + This is a very important secret!
+ Go back to home page. diff --git a/src/lib/access_control.js b/src/lib/access_control.js new file mode 100644 index 00000000..e185eb7a --- /dev/null +++ b/src/lib/access_control.js @@ -0,0 +1,84 @@ + +module.exports = function(logger, acl_config) { + return { + builder: new AccessControlBuilder(logger, acl_config), + matcher: new AccessControlMatcher(logger) + }; +} + +var objectPath = require('object-path'); + +// *************** PER DOMAIN MATCHER *************** +function AccessControlMatcher(logger) { + this.logger = logger; +} + +AccessControlMatcher.prototype.is_domain_allowed = function(domain, allowed_domains) { + // Allow all matcher + if(allowed_domains.length == 1 && allowed_domains[0] == '*') return true; + + this.logger.debug('ACL: trying to match %s with %s', domain, + JSON.stringify(allowed_domains)); + for(var i = 0; i < allowed_domains.length; ++i) { + var allowed_domain = allowed_domains[i]; + if(allowed_domain.startsWith('*') && + domain.endsWith(allowed_domain.substr(1))) { + return true; + } + else if(domain == allowed_domain) { + return true; + } + } + return false; +} + + +// *************** MATCHER BUILDER *************** +function AccessControlBuilder(logger, acl_config) { + this.logger = logger; + this.config = acl_config; +} + +AccessControlBuilder.prototype.extract_per_group = function(groups) { + var allowed_domains = []; + var groups_policy = objectPath.get(this.config, 'groups'); + if(groups_policy) { + for(var i=0; i