Introduce Subject and Object in authorization module.

This commit is contained in:
Clement Michaud 2018-10-25 21:05:07 +02:00 committed by Clement Michaud
parent 97bfafb6eb
commit b53d16d8a1
11 changed files with 128 additions and 123 deletions


@ -14,10 +14,10 @@ describe("authorization/Authorizer", function () {
configuration = undefined;
authorizer = new Authorizer(configuration, winston);
Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1", "group2"]), Level.BYPASS);
Assert.equal(authorizer.authorization("home.example.com", "/abc", "user1", ["group1", "group2"]), Level.BYPASS);
Assert.equal(authorizer.authorization("home.example.com", "/", "user2", ["group1", "group2"]), Level.BYPASS);
Assert.equal(authorizer.authorization("admin.example.com", "/", "user3", ["group3"]), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1", "group2"]}), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/abc"}, {user: "user1", groups: ["group1", "group2"]}), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user2", groups: ["group1", "group2"]}), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "admin.example.com", resource: "/"}, {user: "user3", groups: ["group3"]}), Level.BYPASS);
});
});
@ -36,7 +36,7 @@ describe("authorization/Authorizer", function () {
});
it("should deny access when no rule is provided", function () {
Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY);
});
it("should control access when multiple domain matcher is provided", function () {
@ -46,10 +46,10 @@ describe("authorization/Authorizer", function () {
subject: "user:user1",
resources: [".*"]
}];
Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization("mx1.mail.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("mx1.server.mail.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("mail.example.com", "/", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "mx1.mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "mx1.server.mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY);
});
it("should allow access to all resources when resources is not provided", function () {
@ -58,10 +58,10 @@ describe("authorization/Authorizer", function () {
policy: "two_factor",
subject: "user:user1"
}];
Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization("mx1.mail.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("mx1.server.mail.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("mail.example.com", "/", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "mx1.mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "mx1.server.mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "mail.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY);
});
describe("check user rules", function () {
@ -72,9 +72,9 @@ describe("authorization/Authorizer", function () {
resources: [".*"],
subject: "user:user1"
}];
Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/another/resource", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("another.home.example.com", "/", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/another/resource"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "another.home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY);
});
it("should deny to other users", function () {
@ -84,9 +84,9 @@ describe("authorization/Authorizer", function () {
resources: [".*"],
subject: "user:user1"
}];
Assert.equal(authorizer.authorization("home.example.com", "/", "user2", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/another/resource", "user2", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization("another.home.example.com", "/", "user2", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user2", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/another/resource"}, {user: "user2", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "another.home.example.com", resource: "/"}, {user: "user2", groups: ["group1"]}), Level.DENY);
});
it("should allow user access only to specific resources", function () {
@ -96,16 +96,16 @@ describe("authorization/Authorizer", function () {
resources: ["/private/.*", "^/begin", "/end$"],
subject: "user:user1"
}];
Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/private", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/private/class", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/middle/private/class", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private"}, {user: "user1", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/class"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/middle/private/class"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/begin", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/not/begin", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/begin"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/not/begin"}, {user: "user1", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/abc/end", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/abc/end/x", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/abc/end"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/abc/end/x"}, {user: "user1", groups: ["group1"]}), Level.DENY);
});
it("should allow access to multiple domains", function () {
@ -125,10 +125,10 @@ describe("authorization/Authorizer", function () {
resources: [".*"],
subject: "user:user1"
}];
Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home1.example.com", "/", "user1", ["group1"]), Level.ONE_FACTOR);
Assert.equal(authorizer.authorization("home2.example.com", "/", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization("home3.example.com", "/", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home1.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.ONE_FACTOR);
Assert.equal(authorizer.authorization({domain: "home2.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home3.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.DENY);
});
it("should apply rules in order", function () {
@ -149,9 +149,9 @@ describe("authorization/Authorizer", function () {
subject: "user:user1"
}];
Assert.equal(authorizer.authorization("home.example.com", "/my/poney", "user1", ["group1"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/my/private/duck", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/my/private/resource", "user1", ["group1"]), Level.ONE_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/my/poney"}, {user: "user1", groups: ["group1"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/my/private/duck"}, {user: "user1", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/my/private/resource"}, {user: "user1", groups: ["group1"]}), Level.ONE_FACTOR);
});
});
@ -173,14 +173,14 @@ describe("authorization/Authorizer", function () {
resources: ["^/private$"],
subject: "group:group2"
}];
Assert.equal(authorizer.authorization("home.example.com", "/", "user1",
["group1", "group2", "group3"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/test", "user1",
["group1", "group2", "group3"]), Level.ONE_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/private", "user1",
["group1", "group2", "group3"]), Level.DENY);
Assert.equal(authorizer.authorization("another.home.example.com", "/", "user1",
["group1", "group2", "group3"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"},
{user: "user1", groups: ["group1", "group2", "group3"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/test"},
{user: "user1", groups: ["group1", "group2", "group3"]}), Level.ONE_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private"},
{user: "user1", groups: ["group1", "group2", "group3"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "another.home.example.com", resource: "/"},
{user: "user1", groups: ["group1", "group2", "group3"]}), Level.DENY);
});
});
});
@ -196,14 +196,14 @@ describe("authorization/Authorizer", function () {
policy: "deny",
resources: ["^/private$"]
}];
Assert.equal(authorizer.authorization("home.example.com", "/public", "user1",
["group1", "group2", "group3"]), Level.BYPASS);
Assert.equal(authorizer.authorization("home.example.com", "/private", "user1",
["group1", "group2", "group3"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/public", "user4",
["group5"]), Level.BYPASS);
Assert.equal(authorizer.authorization("home.example.com", "/private", "user4",
["group5"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"},
{user: "user1", groups: ["group1", "group2", "group3"]}), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private"},
{user: "user1", groups: ["group1", "group2", "group3"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"},
{user: "user4", groups: ["group5"]}), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private"},
{user: "user4", groups: ["group5"]}), Level.DENY);
});
});
@ -213,9 +213,9 @@ describe("authorization/Authorizer", function () {
});
it("should allow access to anything when no rule is provided", function () {
Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.BYPASS);
Assert.equal(authorizer.authorization("home.example.com", "/test", "user1", ["group1"]), Level.BYPASS);
Assert.equal(authorizer.authorization("home.example.com", "/dev", "user1", ["group1"]), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/test"}, {user: "user1", groups: ["group1"]}), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "user1", groups: ["group1"]}), Level.BYPASS);
});
it("should deny access to one resource when defined", function () {
@ -225,9 +225,9 @@ describe("authorization/Authorizer", function () {
resources: ["/test"],
subject: "user:user1"
}];
Assert.equal(authorizer.authorization("home.example.com", "/", "user1", ["group1"]), Level.BYPASS);
Assert.equal(authorizer.authorization("home.example.com", "/test", "user1", ["group1"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/dev", "user1", ["group1"]), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "user1", groups: ["group1"]}), Level.BYPASS);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/test"}, {user: "user1", groups: ["group1"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "user1", groups: ["group1"]}), Level.BYPASS);
});
});
@ -267,32 +267,32 @@ describe("authorization/Authorizer", function () {
subject: "user:harry"
}];
Assert.equal(authorizer.authorization("home.example.com", "/", "admin", ["admins"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/public", "admin", ["admins"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/dev", "admin", ["admins"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "admin", ["admins"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/admin", "admin", ["admins"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/private/josh", "admin", ["admins"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/private/john", "admin", ["admins"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/private/harry", "admin", ["admins"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/admin"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/josh"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/john"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/harry"}, {user: "admin", groups: ["admins"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/", "john", ["dev", "admin-private"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/public", "john", ["dev", "admin-private"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/dev", "john", ["dev", "admin-private"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev", "admin-private"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/admin", "john", ["dev", "admin-private"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/private/josh", "john", ["dev", "admin-private"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/private/john", "john", ["dev", "admin-private"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/private/harry", "john", ["dev", "admin-private"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "john", groups: ["dev", "admin-private"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev", "admin-private"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/admin"}, {user: "john", groups: ["dev", "admin-private"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/josh"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/john"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/harry"}, {user: "john", groups: ["dev", "admin-private"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/", "harry", ["dev"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/public", "harry", ["dev"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/dev", "harry", ["dev"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "harry", ["dev"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/admin", "harry", ["dev"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/private/josh", "harry", ["dev"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/private/john", "harry", ["dev"]), Level.DENY);
Assert.equal(authorizer.authorization("home.example.com", "/private/harry", "harry", ["dev"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/"}, {user: "harry", groups: ["dev"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/public"}, {user: "harry", groups: ["dev"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev"}, {user: "harry", groups: ["dev"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "harry", groups: ["dev"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/admin"}, {user: "harry", groups: ["dev"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/josh"}, {user: "harry", groups: ["dev"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/john"}, {user: "harry", groups: ["dev"]}), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/private/harry"}, {user: "harry", groups: ["dev"]}), Level.TWO_FACTOR);
});
it("should allow when allowed at group level and denied at user level", function () {
@ -308,8 +308,8 @@ describe("authorization/Authorizer", function () {
subject: "group:dev"
}];
Assert.equal(authorizer.authorization("home.example.com", "/dev/john", "john", ["dev"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/john"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev"]}), Level.DENY);
});
it("should allow access when allowed at 'any' level and denied at user level", function () {
@ -324,8 +324,8 @@ describe("authorization/Authorizer", function () {
resources: ["^/dev/?.*$"]
}];
Assert.equal(authorizer.authorization("home.example.com", "/dev/john", "john", ["dev"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/john"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev"]}), Level.DENY);
});
it("should allow access when allowed at 'any' level and denied at group level", function () {
@ -340,8 +340,8 @@ describe("authorization/Authorizer", function () {
resources: ["^/dev/?.*$"]
}];
Assert.equal(authorizer.authorization("home.example.com", "/dev/john", "john", ["dev"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev"]), Level.DENY);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/john"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev"]}), Level.DENY);
});
it("should respect rules precedence", function () {
@ -364,8 +364,8 @@ describe("authorization/Authorizer", function () {
resources: ["^/dev/?.*$"]
}];
Assert.equal(authorizer.authorization("home.example.com", "/dev/john", "john", ["dev"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization("home.example.com", "/dev/bob", "john", ["dev"]), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/john"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR);
Assert.equal(authorizer.authorization({domain: "home.example.com", resource: "/dev/bob"}, {user: "john", groups: ["dev"]}), Level.TWO_FACTOR);
});
});
});


@ -4,6 +4,8 @@ import { IAuthorizer } from "./IAuthorizer";
import { Winston } from "../../../types/Dependencies";
import { MultipleDomainMatcher } from "./MultipleDomainMatcher";
import { Level } from "./Level";
import { Object } from "./Object";
import { Subject } from "./Subject";
function MatchDomain(actualDomain: string) {
return function (rule: ACLRule): boolean {
@ -24,19 +26,19 @@ function MatchResource(actualResource: string) {
};
}
function MatchSubject(user: string, groups: string[]) {
function MatchSubject(subject: Subject) {
return (rule: ACLRule) => {
// If no subject, matches anybody
if (!rule.subject) return true;
if (rule.subject.startsWith("user:")) {
const ruleUser = rule.subject.split(":")[1];
if (user == ruleUser) return true;
if (subject.user == ruleUser) return true;
}
if (rule.subject.startsWith("group:")) {
const ruleGroup = rule.subject.split(":")[1];
if (groups.indexOf(ruleGroup) > -1) return true;
if (subject.groups.indexOf(ruleGroup) > -1) return true;
}
return false;
};
@ -51,13 +53,13 @@ export class Authorizer implements IAuthorizer {
this.configuration = configuration;
}
private getMatchingRules(domain: string, resource: string, user: string, groups: string[]): ACLRule[] {
private getMatchingRules(object: Object, subject: Subject): ACLRule[] {
const rules = this.configuration.rules;
if (!rules) return [];
return rules
.filter(MatchDomain(domain))
.filter(MatchResource(resource))
.filter(MatchSubject(user, groups));
.filter(MatchDomain(object.domain))
.filter(MatchResource(object.resource))
.filter(MatchSubject(subject));
}
private ruleToLevel(policy: string): Level {
@ -71,10 +73,10 @@ export class Authorizer implements IAuthorizer {
return Level.DENY;
}
authorization(domain: string, resource: string, user: string, groups: string[]): Level {
authorization(object: Object, subject: Subject): Level {
if (!this.configuration) return Level.BYPASS;
const rules = this.getMatchingRules(domain, resource, user, groups);
const rules = this.getMatchingRules(object, subject);
return (rules.length > 0)
? this.ruleToLevel(rules[0].policy) // extract the policy of the first matching rule
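Review bot: The new `import { Object } from "./Object";` shadows the JavaScript global `Object` for the whole module, so any later `Object.keys(...)` or `Object.assign(...)` in this file would resolve to the interface and fail to type-check; a domain-specific name such as `Resource` or `AuthorizedObject` avoids the collision. The same import is introduced in AuthorizerStub and IAuthorizer, and the declaration itself lives in the new Object.ts. In the rewritten MatchSubject the user comparison still uses loose equality; `if (subject.user === ruleUser) return true;` is the strict form, and `subject.groups.includes(ruleGroup)` reads more clearly than the indexOf test. The body of `authorization` continues past the end of the hunk.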


@ -1,6 +1,8 @@
import Sinon = require("sinon");
import { IAuthorizer } from "./IAuthorizer";
import { Level } from "./Level";
import { Object } from "./Object";
import { Subject } from "./Subject";
export class AuthorizerStub implements IAuthorizer {
authorizationMock: Sinon.SinonStub;
@ -9,7 +11,7 @@ export class AuthorizerStub implements IAuthorizer {
this.authorizationMock = Sinon.stub();
}
authorization(domain: string, resource: string, user: string, groups: string[]): Level {
return this.authorizationMock(domain, resource, user, groups);
authorization(object: Object, subject: Subject): Level {
return this.authorizationMock(object, subject);
}
}


@ -1,5 +1,7 @@
import { Level } from "./Level";
import { Subject } from "./Subject";
import { Object } from "./Object";
export interface IAuthorizer {
authorization(domain: string, resource: string, user: string, groups: string[]): Level;
authorization(object: Object, subject: Subject): Level;
}


@ -0,0 +1,5 @@
export interface Object {
domain: string;
resource: string;
}
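Review bot: The exported `Object` interface carries no documentation, and since its name coincides with the global `Object` a reader has to open the file to learn what it models; a header such as `/** The target of an authorization decision: the request's domain and the resource (path) being accessed. */` together with one-line comments on `domain` and `resource` would make the intent explicit at the import site. The sibling `Subject` interface would benefit from the same treatment, e.g. `/** The principal requesting access: the authenticated user name and the groups it belongs to. */`.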


@ -0,0 +1,5 @@
export interface Subject {
user: string;
groups: string[];
}


@ -59,7 +59,8 @@ export default function (vars: ServerVariables) {
const decomposition = URLDecomposer.fromUrl(redirectUrl);
const authorizationLevel = (decomposition)
? vars.authorizer.authorization(
decomposition.domain, decomposition.path, username, groups)
{domain: decomposition.domain, resource: decomposition.path},
{user: username, groups: groups})
: AuthorizationLevel.TWO_FACTOR;
if (emails.length > 0)


@ -28,22 +28,22 @@ function isAuthorized(
export default function (
req: Express.Request,
vars: ServerVariables,
domain: string, path: string,
username: string, groups: string[],
domain: string, resource: string,
user: string, groups: string[],
authenticationLevel: AuthenticationLevel) {
return new BluebirdPromise(function (resolve, reject) {
const authorizationLevel = vars.authorizer
.authorization(domain, path, username, groups);
.authorization({domain, resource}, {user, groups});
if (!isAuthorized(authorizationLevel, authenticationLevel)) {
if (authorizationLevel == AuthorizationLevel.DENY) {
reject(new Exceptions.NotAuthorizedError(
Util.format("User %s is unauthorized to access %s%s", username, domain, path)));
Util.format("User %s is not authorized to access %s%s", user, domain, resource)));
return;
}
reject(new Exceptions.NotAuthenticatedError(Util.format(
"User '%s' is not sufficiently authenticated.", username, domain, path)));
"User '%s' is not sufficiently authorized to access %s%s.", user, domain, resource)));
return;
}
resolve();
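Review bot: The rewritten message passed to `NotAuthenticatedError` now says the user `is not sufficiently authorized`, but this branch is only reached when the authorization level is not DENY and the check still fails, which presumably means the authentication level is too low, and the exception type says exactly that; an operator triaging logs would be sent looking at ACL rules instead of the session's authentication state. Suggest `"User '%s' is not sufficiently authenticated to access %s%s.", user, domain, resource)));` so the message and the exception agree. The enclosing function's signature begins above the hunk and the Promise body continues below it.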


@ -4,11 +4,6 @@ import ObjectPath = require("object-path");
import { ServerVariables } from "../../ServerVariables";
import { AuthenticationSession }
from "../../../../types/AuthenticationSession";
<<<<<<< HEAD
import { DomainExtractor } from "../../../../../shared/DomainExtractor";
import { MethodCalculator } from "../../authentication/MethodCalculator";
=======
>>>>>>> Integrate more policy options in ACL rules.
import AccessControl from "./access_control";
import { URLDecomposer } from "../../utils/URLDecomposer";
import { Level } from "../../authentication/Level";


@ -14,9 +14,6 @@ import { AuthenticationSessionHandler }
import AccessControl from "./access_control";
import { URLDecomposer } from "../../utils/URLDecomposer";
const FIRST_FACTOR_NOT_VALIDATED_MESSAGE = "First factor not yet validated";
const SECOND_FACTOR_NOT_VALIDATED_MESSAGE = "Second factor not yet validated";
function verify_inactivity(req: Express.Request,
authSession: AuthenticationSession,
configuration: Configuration, logger: IRequestLogger)
@ -54,18 +51,19 @@ export default function (req: Express.Request, res: Express.Response,
if (!authSession.userid) {
return BluebirdPromise.reject(new Exceptions.AccessDeniedError(
Util.format("%s: %s.", FIRST_FACTOR_NOT_VALIDATED_MESSAGE,
"userid is missing")));
"userid is missing"));
}
const originalUrl = ObjectPath.get<Express.Request, string>(req, "headers.x-original-url");
const originalUrl = ObjectPath.get<Express.Request, string>(
req, "headers.x-original-url");
const originalUri =
ObjectPath.get<Express.Request, string>(req, "headers.x-original-uri");
const d = URLDecomposer.fromUrl(originalUrl);
vars.logger.debug(req, "domain=%s, path=%s, user=%s, groups=%s", d.domain,
d.path, username, groups.join(","));
return AccessControl(req, vars, d.domain, d.path, username, groups, authSession.authentication_level);
return AccessControl(req, vars, d.domain, d.path, username, groups,
authSession.authentication_level);
})
.then(() => {
return verify_inactivity(req, authSession,
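Review bot: `d.domain` and `d.path` are read on the reflowed AccessControl call (and on the debug log just above it) without checking that `URLDecomposer.fromUrl(originalUrl)` returned a value, whereas the other call site touched by this commit guards the result with `(decomposition) ? ... :`; if fromUrl can yield undefined for a missing or malformed `x-original-url` header, this path fails with a TypeError rather than a deliberate rejection. A guard such as `if (!d) return BluebirdPromise.reject(new Exceptions.AccessDeniedError("Invalid or missing original URL"));` placed before the log line would make the failure explicit and keep the two call sites consistent. The `.then` callback this code sits in starts above the hunk.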


@ -12,11 +12,6 @@ Then("I get an error {int}", function (code: number) {
return this.getErrorPage(code);
});
When("I request {string} with method {string}",
function (url: string, method: string) {
const that = this;
});
function requestAndExpectStatusCode(ctx: any, url: string, method: string,
expectedStatusCode: number) {
return Request(url, {