diff --git a/server/src/lib/authorization/Authorizer.spec.ts b/server/src/lib/authorization/Authorizer.spec.ts index 1027fb4b..58681404 100644 --- a/server/src/lib/authorization/Authorizer.spec.ts +++ b/server/src/lib/authorization/Authorizer.spec.ts @@ -14,10 +14,10 @@ describe("authorization/Authorizer", function () { configuration = undefined; authorizer = new Authorizer(configuration, winston); - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1", "group2"]), Level.BYPASS); - Assert.equal(authorizer.authorization("home.example.com", "/abc", "user1", ["group1", "group2"]), Level.BYPASS); - Assert.equal(authorizer.authorization("home.example.com", "/", "user2", ["group1", "group2"]), Level.BYPASS); - Assert.equal(authorizer.authorization("admin.example.com", "/", "user3", ["group3"]), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1", "group2"]}), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/abc"}, {user: "user1", groups: ["group1", "group2"]}), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user2", groups: ["group1", "group2"]}), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "admin.example.com", resource: "/"}, {user: "user3", groups: ["group3"]}), Level.BYPASS); }); }); @@ -36,7 +36,7 @@ describe("authorization/Authorizer", function () { }); it("should deny access when no rule is provided", function () { - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY); }); it("should control access when multiple domain matcher is provided", function () { 
@@ -46,10 +46,10 @@ describe("authorization/Authorizer", function () { subject: "user:user1", resources: [".*"] }]; - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.DENY); - Assert.equal(authorizer.authorization("mx1.mail.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("mx1.server.mail.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("mail.example.com", "/", "user1", ["group1"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "mx1.mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "mx1.server.mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY); }); it("should allow access to all resources when resources is not provided", function () { 
@@ -58,10 +58,10 @@ describe("authorization/Authorizer", function () { policy: "two_factor", subject: "user:user1" }]; - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.DENY); - Assert.equal(authorizer.authorization("mx1.mail.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("mx1.server.mail.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("mail.example.com", "/", "user1", ["group1"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "mx1.mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "mx1.server.mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY); }); describe("check user rules", function () { 
@@ -72,9 +72,9 @@ describe("authorization/Authorizer", function () { resources: [".*"], subject: "user:user1" }]; - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/another/resource", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("another.home.example.com", "/", "user1", ["group1"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/another/resource"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "another.home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY); }); it("should deny to other users", function () { @@ -84,9 +84,9 @@ describe("authorization/Authorizer", function () { resources: [".*"], subject: "user:user1" }]; - Assert.equal(authorizer.authorization("home.example.com", "/", "user2", ["group1"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/another/resource", "user2", ["group1"]), Level.DENY); - Assert.equal(authorizer.authorization("another.home.example.com", "/", "user2", ["group1"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user2", groups: ["group1"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/another/resource"}, {user: "user2", groups: ["group1"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "another.home.example.com", resource: "/"}, {user: "user2", groups: ["group1"]}), Level.DENY); }); it("should allow user access only to specific resources", function () { 
@@ -96,16 +96,16 @@ describe("authorization/Authorizer", function () { resources: ["/private/.*", "^/begin", "/end$"], subject: "user:user1" }]; - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/private", "user1", ["group1"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/private/class", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/middle/private/class", "user1", ["group1"]), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private"}, {user: "user1", groups: ["group1"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/class"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/middle/private/class"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/begin", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/not/begin", "user1", ["group1"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/begin"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/not/begin"}, {user: "user1", groups: ["group1"]}), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/abc/end", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/abc/end/x", "user1", ["group1"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", 
resource: "/abc/end"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/abc/end/x"}, {user: "user1", groups: ["group1"]}), Level.DENY); }); it("should allow access to multiple domains", function () { @@ -125,10 +125,10 @@ describe("authorization/Authorizer", function () { resources: [".*"], subject: "user:user1" }]; - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home1.example.com", "/", "user1", ["group1"]), Level.ONE_FACTOR); - Assert.equal(authorizer.authorization("home2.example.com", "/", "user1", ["group1"]), Level.DENY); - Assert.equal(authorizer.authorization("home3.example.com", "/", "user1", ["group1"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home1.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.ONE_FACTOR); + Assert.equal(authorizer.authorization({domain: "home2.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home3.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY); }); it("should apply rules in order", function () { 
@@ -149,9 +149,9 @@ describe("authorization/Authorizer", function () { subject: "user:user1" }]; - Assert.equal(authorizer.authorization("home.example.com", "/my/poney", "user1", ["group1"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/my/private/duck", "user1", ["group1"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/my/private/resource", "user1", ["group1"]), Level.ONE_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/my/poney"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/my/private/duck"}, {user: "user1", groups: ["group1"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/my/private/resource"}, {user: "user1", groups: ["group1"]}), Level.ONE_FACTOR); }); }); 
@@ -173,14 +173,14 @@ describe("authorization/Authorizer", function () { resources: ["^/private$"], subject: "group:group2" }]; - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", - ["group1", "group2", "group3"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/test", "user1", - ["group1", "group2", "group3"]), Level.ONE_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/private", "user1", - ["group1", "group2", "group3"]), Level.DENY); - Assert.equal(authorizer.authorization("another.home.example.com", "/", "user1", - ["group1", "group2", "group3"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, + {user: "user1", groups: ["group1", "group2", "group3"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/test"}, + {user: "user1", groups: ["group1", "group2", "group3"]}), Level.ONE_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private"}, + {user: "user1", groups: ["group1", "group2", "group3"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "another.home.example.com", resource: "/"}, + {user: "user1", groups: ["group1", "group2", "group3"]}), Level.DENY); }); }); }); 
@@ -196,14 +196,14 @@ describe("authorization/Authorizer", function () { policy: "deny", resources: ["^/private$"] }]; - Assert.equal(authorizer.authorization("home.example.com", "/public", "user1", - ["group1", "group2", "group3"]), Level.BYPASS); - Assert.equal(authorizer.authorization("home.example.com", "/private", "user1", - ["group1", "group2", "group3"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/public", "user4", - ["group5"]), Level.BYPASS); - Assert.equal(authorizer.authorization("home.example.com", "/private", "user4", - ["group5"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"}, + {user: "user1", groups: ["group1", "group2", "group3"]}), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private"}, + {user: "user1", groups: ["group1", "group2", "group3"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"}, + {user: "user4", groups: ["group5"]}), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private"}, + {user: "user4", groups: ["group5"]}), Level.DENY); }); }); 
@@ -213,9 +213,9 @@ describe("authorization/Authorizer", function () { }); it("should allow access to anything when no rule is provided", function () { - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.BYPASS); - Assert.equal(authorizer.authorization("home.example.com", "/test", "user1", ["group1"]), Level.BYPASS); - Assert.equal(authorizer.authorization("home.example.com", "/dev", "user1", ["group1"]), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/test"}, {user: "user1", groups: ["group1"]}), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "user1", groups: ["group1"]}), Level.BYPASS); }); it("should deny access to one resource when defined", function () { @@ -225,9 +225,9 @@ describe("authorization/Authorizer", function () { resources: ["/test"], subject: "user:user1" }]; - Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.BYPASS); - Assert.equal(authorizer.authorization("home.example.com", "/test", "user1", ["group1"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/dev", "user1", ["group1"]), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.BYPASS); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/test"}, {user: "user1", groups: ["group1"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "user1", groups: ["group1"]}), Level.BYPASS); }); }); 
@@ -267,32 +267,32 @@ describe("authorization/Authorizer", function () { subject: "user:harry" }]; - Assert.equal(authorizer.authorization("home.example.com", "/", "admin", ["admins"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/public", "admin", ["admins"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/dev", "admin", ["admins"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "admin", ["admins"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/admin", "admin", ["admins"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/private/josh", "admin", ["admins"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/private/john", "admin", ["admins"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/private/harry", "admin", ["admins"]), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/admin"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/josh"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/john"}, {user: 
"admin", groups: ["admins"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/harry"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/", "john", ["dev", "admin-private"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/public", "john", ["dev", "admin-private"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/dev", "john", ["dev", "admin-private"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev", "admin-private"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/admin", "john", ["dev", "admin-private"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/private/josh", "john", ["dev", "admin-private"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/private/john", "john", ["dev", "admin-private"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/private/harry", "john", ["dev", "admin-private"]), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "john", groups: ["dev", "admin-private"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev", "admin-private"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/admin"}, {user: "john", groups: ["dev", "admin-private"]}), Level.DENY); + 
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/josh"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/john"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/harry"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/", "harry", ["dev"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/public", "harry", ["dev"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/dev", "harry", ["dev"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "harry", ["dev"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/admin", "harry", ["dev"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/private/josh", "harry", ["dev"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/private/john", "harry", ["dev"]), Level.DENY); - Assert.equal(authorizer.authorization("home.example.com", "/private/harry", "harry", ["dev"]), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "harry", groups: ["dev"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"}, {user: "harry", groups: ["dev"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "harry", groups: ["dev"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "harry", groups: ["dev"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: 
"/admin"}, {user: "harry", groups: ["dev"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/josh"}, {user: "harry", groups: ["dev"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/john"}, {user: "harry", groups: ["dev"]}), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/harry"}, {user: "harry", groups: ["dev"]}), Level.TWO_FACTOR); }); it("should allow when allowed at group level and denied at user level", function () { @@ -308,8 +308,8 @@ describe("authorization/Authorizer", function () { subject: "group:dev" }]; - Assert.equal(authorizer.authorization("home.example.com", "/dev/john", "john", ["dev"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/john"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev"]}), Level.DENY); }); it("should allow access when allowed at 'any' level and denied at user level", function () { @@ -324,8 +324,8 @@ describe("authorization/Authorizer", function () { resources: ["^/dev/?.*$"] }]; - Assert.equal(authorizer.authorization("home.example.com", "/dev/john", "john", ["dev"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/john"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev"]}), Level.DENY); }); it("should allow access when allowed at 'any' level and denied at group level", function () { 
@@ -340,8 +340,8 @@ describe("authorization/Authorizer", function () { resources: ["^/dev/?.*$"] }]; - Assert.equal(authorizer.authorization("home.example.com", "/dev/john", "john", ["dev"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev"]), Level.DENY); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/john"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev"]}), Level.DENY); }); it("should respect rules precedence", function () { @@ -364,8 +364,8 @@ describe("authorization/Authorizer", function () { resources: ["^/dev/?.*$"] }]; - Assert.equal(authorizer.authorization("home.example.com", "/dev/john", "john", ["dev"]), Level.TWO_FACTOR); - Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev"]), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/john"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR); + Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR); }); }); }); diff --git a/server/src/lib/authorization/Authorizer.ts b/server/src/lib/authorization/Authorizer.ts index 3cb640d3..889b7ec2 100644 --- a/server/src/lib/authorization/Authorizer.ts +++ b/server/src/lib/authorization/Authorizer.ts @@ -4,6 +4,8 @@ import { IAuthorizer } from "./IAuthorizer"; import { Winston } from "../../../types/Dependencies"; import { MultipleDomainMatcher } from "./MultipleDomainMatcher"; import { Level } from "./Level"; +import { Object } from "./Object"; +import { Subject } from "./Subject"; function MatchDomain(actualDomain: string) { return function (rule: ACLRule): boolean { 
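Review bot: The added `import { Object } from "./Object";` gives the new interface the same name as the global `Object`, so inside Authorizer.ts that identifier now resolves to the type-only import and any later value use such as `Object.keys(...)` or `Object.assign(...)` would fail to compile rather than reach the global. The same import is added in IAuthorizer.ts and AuthorizerStub.spec.ts, and the declaration itself is the new file Object.ts, so the collision is repeated in every consumer of the interface. A domain-specific name sidesteps it without changing the shape, e.g. `export interface AccessObject { domain: string; resource: string; }` (or `Resource`/`Target`), imported as `import { AccessObject } from "./AccessObject";`. Both new interfaces would also benefit from a one-line TSDoc each, stating that `domain`/`resource` are the matched request target and `user`/`groups` the authenticated identity the ACL rules are evaluated against.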
@@ -24,19 +26,19 @@ function MatchResource(actualResource: string) { }; } -function MatchSubject(user: string, groups: string[]) { +function MatchSubject(subject: Subject) { return (rule: ACLRule) => { // If no subject, matches anybody if (!rule.subject) return true; if (rule.subject.startsWith("user:")) { const ruleUser = rule.subject.split(":")[1]; - if (user == ruleUser) return true; + if (subject.user == ruleUser) return true; } if (rule.subject.startsWith("group:")) { const ruleGroup = rule.subject.split(":")[1]; - if (groups.indexOf(ruleGroup) > -1) return true; + if (subject.groups.indexOf(ruleGroup) > -1) return true; } return false; }; @@ -51,13 +53,13 @@ export class Authorizer implements IAuthorizer { this.configuration = configuration; } - private getMatchingRules(domain: string, resource: string, user: string, groups: string[]): ACLRule[] { + private getMatchingRules(object: Object, subject: Subject): ACLRule[] { const rules = this.configuration.rules; if (!rules) return []; return rules - .filter(MatchDomain(domain)) - .filter(MatchResource(resource)) - .filter(MatchSubject(user, groups)); + .filter(MatchDomain(object.domain)) + .filter(MatchResource(object.resource)) + .filter(MatchSubject(subject)); } private ruleToLevel(policy: string): Level { @@ -71,10 +73,10 @@ export class Authorizer implements IAuthorizer { return Level.DENY; } - authorization(domain: string, resource: string, user: string, groups: string[]): Level { + authorization(object: Object, subject: Subject): Level { if (!this.configuration) return Level.BYPASS; - const rules = this.getMatchingRules(domain, resource, user, groups); + const rules = this.getMatchingRules(object, subject); return (rules.length > 0) ? this.ruleToLevel(rules[0].policy) // extract the policy of the first matching rule diff --git a/server/src/lib/authorization/AuthorizerStub.spec.ts b/server/src/lib/authorization/AuthorizerStub.spec.ts index 3b8ece28..9bd6f4a8 100644 
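Review bot: The rewritten comparison `if (subject.user == ruleUser) return true;` keeps loose equality on the line that decides whether a `user:` rule applies; strict equality is the idiomatic form and removes any coercion question if a caller ever passes something other than a string, `if (subject.user === ruleUser) return true;`. The surrounding `rule.subject.split(":")[1]` (unchanged context) takes only the segment after the first colon, so a subject written as `user:a:b` would match `a`; if that is not intended, `rule.subject.slice("user:".length)` (and the `group:` counterpart) keeps the whole remainder, otherwise a comment noting the truncation would help the next reader. The `.indexOf(ruleGroup) > -1` on the new group line is equivalent to `includes`, which reads more directly if the project's target lib allows it.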
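Review bot: The new public signature `authorization(object: Object, subject: Subject): Level` is the entry point for every access decision in this module and carries no TSDoc, so a caller cannot see from the declaration that the first matching rule wins or that a missing configuration yields `Level.BYPASS` (the `if (!this.configuration) return Level.BYPASS;` line just below it, which the spec in this commit pins). Suggest a short doc comment above it describing the two parameters, that rules are evaluated in configured order with the first match determining the level, that BYPASS is returned when no configuration is set, and what the fallback is when no rule matches; the fallback expression sits outside this hunk, so that last clause should be filled in from it. The same BYPASS-when-unconfigured note would be useful on the `IAuthorizer` method in IAuthorizer.ts, since that is what route code depends on.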
--- a/server/src/lib/authorization/AuthorizerStub.spec.ts +++ b/server/src/lib/authorization/AuthorizerStub.spec.ts @@ -1,6 +1,8 @@ import Sinon = require("sinon"); import { IAuthorizer } from "./IAuthorizer"; import { Level } from "./Level"; +import { Object } from "./Object"; +import { Subject } from "./Subject"; export class AuthorizerStub implements IAuthorizer { authorizationMock: Sinon.SinonStub; @@ -9,7 +11,7 @@ export class AuthorizerStub implements IAuthorizer { this.authorizationMock = Sinon.stub(); } - authorization(domain: string, resource: string, user: string, groups: string[]): Level { - return this.authorizationMock(domain, resource, user, groups); + authorization(object: Object, subject: Subject): Level { + return this.authorizationMock(object, subject); } } diff --git a/server/src/lib/authorization/IAuthorizer.ts b/server/src/lib/authorization/IAuthorizer.ts index 1b5caabc..fe7ba367 100644 --- a/server/src/lib/authorization/IAuthorizer.ts +++ b/server/src/lib/authorization/IAuthorizer.ts @@ -1,5 +1,7 @@ import { Level } from "./Level"; +import { Subject } from "./Subject"; +import { Object } from "./Object"; export interface IAuthorizer { - authorization(domain: string, resource: string, user: string, groups: string[]): Level; + authorization(object: Object, subject: Subject): Level; } \ No newline at end of file diff --git a/server/src/lib/authorization/Object.ts b/server/src/lib/authorization/Object.ts new file mode 100644 index 00000000..5411b0d2 --- /dev/null +++ b/server/src/lib/authorization/Object.ts @@ -0,0 +1,5 @@ + +export interface Object { + domain: string; + resource: string; +} \ No newline at end of file diff --git a/server/src/lib/authorization/Subject.ts b/server/src/lib/authorization/Subject.ts new file mode 100644 index 00000000..310d6b4c --- /dev/null +++ b/server/src/lib/authorization/Subject.ts @@ -0,0 +1,5 @@ + +export interface Subject { + user: string; + groups: string[]; +} \ No newline at end of file 
diff --git a/server/src/lib/routes/firstfactor/post.ts b/server/src/lib/routes/firstfactor/post.ts index ba45c3ec..565681d6 100644 --- a/server/src/lib/routes/firstfactor/post.ts +++ b/server/src/lib/routes/firstfactor/post.ts @@ -59,7 +59,8 @@ export default function (vars: ServerVariables) { const decomposition = URLDecomposer.fromUrl(redirectUrl); const authorizationLevel = (decomposition) ? vars.authorizer.authorization( - decomposition.domain, decomposition.path, username, groups) + {domain: decomposition.domain, resource: decomposition.path}, + {user: username, groups: groups}) : AuthorizationLevel.TWO_FACTOR; if (emails.length > 0) diff --git a/server/src/lib/routes/verify/access_control.ts b/server/src/lib/routes/verify/access_control.ts index 86e74029..136239ae 100644 --- a/server/src/lib/routes/verify/access_control.ts +++ b/server/src/lib/routes/verify/access_control.ts @@ -28,22 +28,22 @@ function isAuthorized( export default function ( req: Express.Request, vars: ServerVariables, - domain: string, path: string, - username: string, groups: string[], + domain: string, resource: string, + user: string, groups: string[], authenticationLevel: AuthenticationLevel) { return new BluebirdPromise(function (resolve, reject) { const authorizationLevel = vars.authorizer - .authorization(domain, path, username, groups); + .authorization({domain, resource}, {user, groups}); if (!isAuthorized(authorizationLevel, authenticationLevel)) { if (authorizationLevel == AuthorizationLevel.DENY) { reject(new Exceptions.NotAuthorizedError( - Util.format("User %s is unauthorized to access %s%s", username, domain, path))); + Util.format("User %s is not authorized to access %s%s", user, domain, resource))); return; } reject(new Exceptions.NotAuthenticatedError(Util.format( - "User '%s' is not sufficiently authenticated.", username, domain, path))); + "User '%s' is not sufficiently authorized to access %s%s.", user, domain, resource))); return; } resolve(); 
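Review bot: The new subject literal `{user: username, groups: groups}` mixes a renamed key with a redundant `groups: groups` pair; the shorthand `{user: username, groups}` is the idiomatic form and matches the style already used by the access_control.ts change in this same commit (`{domain, resource}, {user, groups}`). The enclosing handler starts before and ends after this hunk.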
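Review bot: The rewritten `NotAuthenticatedError` message `"User '%s' is not sufficiently authorized to access %s%s."` describes the wrong condition: that branch is reached when `isAuthorized(authorizationLevel, authenticationLevel)` is false and the level is not `DENY`, i.e. the user is under-authenticated for a resource they may access, while the `DENY` branch two lines above already emits the "not authorized" wording for an actual ACL refusal. Keeping the two messages distinct matters for anyone triaging logs, because a step-up prompt and a policy denial call for different responses. Suggest `"User '%s' is not sufficiently authenticated to access %s%s.", user, domain, resource` so the exception class and its text agree. `isAuthorized` and the rest of the handler lie outside this hunk.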
diff --git a/server/src/lib/routes/verify/get_basic_auth.ts b/server/src/lib/routes/verify/get_basic_auth.ts index c57a0125..af23c76c 100644 --- a/server/src/lib/routes/verify/get_basic_auth.ts +++ b/server/src/lib/routes/verify/get_basic_auth.ts @@ -4,11 +4,6 @@ import ObjectPath = require("object-path"); import { ServerVariables } from "../../ServerVariables"; import { AuthenticationSession } from "../../../../types/AuthenticationSession"; -<<<<<<< HEAD -import { DomainExtractor } from "../../../../../shared/DomainExtractor"; -import { MethodCalculator } from "../../authentication/MethodCalculator"; -======= ->>>>>>> Integrate more policy options in ACL rules. import AccessControl from "./access_control"; import { URLDecomposer } from "../../utils/URLDecomposer"; import { Level } from "../../authentication/Level"; diff --git a/server/src/lib/routes/verify/get_session_cookie.ts b/server/src/lib/routes/verify/get_session_cookie.ts index dc7453ad..07034481 100644 --- a/server/src/lib/routes/verify/get_session_cookie.ts +++ b/server/src/lib/routes/verify/get_session_cookie.ts @@ -14,9 +14,6 @@ import { AuthenticationSessionHandler } import AccessControl from "./access_control"; import { URLDecomposer } from "../../utils/URLDecomposer"; -const FIRST_FACTOR_NOT_VALIDATED_MESSAGE = "First factor not yet validated"; -const SECOND_FACTOR_NOT_VALIDATED_MESSAGE = "Second factor not yet validated"; - function verify_inactivity(req: Express.Request, authSession: AuthenticationSession, configuration: Configuration, logger: IRequestLogger) 
@@ -54,18 +51,19 @@ export default function (req: Express.Request, res: Express.Response, if (!authSession.userid) { return BluebirdPromise.reject(new Exceptions.AccessDeniedError( - Util.format("%s: %s.", FIRST_FACTOR_NOT_VALIDATED_MESSAGE, - "userid is missing"))); + "userid is missing")); } - const originalUrl = ObjectPath.get(req, "headers.x-original-url"); + const originalUrl = ObjectPath.get( + req, "headers.x-original-url"); const originalUri = ObjectPath.get(req, "headers.x-original-uri"); const d = URLDecomposer.fromUrl(originalUrl); vars.logger.debug(req, "domain=%s, path=%s, user=%s, groups=%s", d.domain, d.path, username, groups.join(",")); - return AccessControl(req, vars, d.domain, d.path, username, groups, authSession.authentication_level); + return AccessControl(req, vars, d.domain, d.path, username, groups, + authSession.authentication_level); }) .then(() => { return verify_inactivity(req, authSession, diff --git a/test/features/step_definitions/restrictions.ts b/test/features/step_definitions/restrictions.ts index 3ab37390..db218ab2 100644 --- a/test/features/step_definitions/restrictions.ts +++ b/test/features/step_definitions/restrictions.ts @@ -12,11 +12,6 @@ Then("I get an error {int}", function (code: number) { return this.getErrorPage(code); }); -When("I request {string} with method {string}", - function (url: string, method: string) { - const that = this; - }); - function requestAndExpectStatusCode(ctx: any, url: string, method: string, expectedStatusCode: number) { return Request(url, {
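Review bot: The rewritten rejection `new Exceptions.AccessDeniedError("userid is missing")` drops the "First factor not yet validated" prefix that the removed constant used to supply, so the resulting log line no longer says which stage of the flow refused the request; keeping that context in the literal, `"First factor not yet validated: userid is missing"`, costs nothing now that the constant is gone. Separately, the reformatted `AccessControl(req, vars, d.domain, d.path, username, groups, ...)` call (and the debug line above it) dereferences the result of `URLDecomposer.fromUrl(originalUrl)` unguarded, whereas firstfactor/post.ts in this same commit treats that result as possibly falsy; if that holds here as well, a request without a usable `x-original-url` header would surface as a TypeError instead of a clean rejection, which is worth confirming against the decomposer. The enclosing handler starts and ends outside this hunk.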