mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
4dce8f9496
* adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
185 lines
4.4 KiB
Go
185 lines
4.4 KiB
Go
package authorization
|
|
|
|
import (
|
|
"net"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/authelia/authelia/internal/configuration/schema"
|
|
)
|
|
|
|
func TestShouldNotParseInvalidSubjects(t *testing.T) {
|
|
subjectsSchema := [][]string{{"groups:z"}, {"group:z", "users:b"}}
|
|
subjectsACL := schemaSubjectsToACL(subjectsSchema)
|
|
|
|
require.Len(t, subjectsACL, 1)
|
|
|
|
require.Len(t, subjectsACL[0].Subjects, 1)
|
|
|
|
assert.True(t, subjectsACL[0].IsMatch(Subject{Username: "a", Groups: []string{"z"}}))
|
|
}
|
|
|
|
func TestShouldSplitDomainCorrectly(t *testing.T) {
|
|
prefix, suffix := domainToPrefixSuffix("apple.example.com")
|
|
|
|
assert.Equal(t, "apple", prefix)
|
|
assert.Equal(t, "example.com", suffix)
|
|
|
|
prefix, suffix = domainToPrefixSuffix("example")
|
|
|
|
assert.Equal(t, "", prefix)
|
|
assert.Equal(t, "example", suffix)
|
|
|
|
prefix, suffix = domainToPrefixSuffix("example.com")
|
|
|
|
assert.Equal(t, "example", prefix)
|
|
assert.Equal(t, "com", suffix)
|
|
}
|
|
|
|
func TestShouldParseRuleNetworks(t *testing.T) {
|
|
schemaNetworks := []schema.ACLNetwork{
|
|
{
|
|
Name: "desktop",
|
|
Networks: []string{
|
|
"10.0.0.1",
|
|
},
|
|
},
|
|
{
|
|
Name: "lan",
|
|
Networks: []string{
|
|
"10.0.0.0/8",
|
|
"172.16.0.0/12",
|
|
"192.168.0.0/16",
|
|
},
|
|
},
|
|
}
|
|
|
|
_, firstNetwork, err := net.ParseCIDR("192.168.1.20/32")
|
|
require.NoError(t, err)
|
|
|
|
networksMap, networksCacheMap := parseSchemaNetworks(schemaNetworks)
|
|
|
|
assert.Len(t, networksCacheMap, 5)
|
|
|
|
networks := []string{"192.168.1.20", "lan"}
|
|
|
|
acl := schemaNetworksToACL(networks, networksMap, networksCacheMap)
|
|
|
|
assert.Len(t, networksCacheMap, 7)
|
|
|
|
require.Len(t, acl, 4)
|
|
assert.Equal(t, firstNetwork, acl[0])
|
|
assert.Equal(t, networksMap["lan"][0], acl[1])
|
|
assert.Equal(t, networksMap["lan"][1], acl[2])
|
|
assert.Equal(t, networksMap["lan"][2], acl[3])
|
|
|
|
// Check they are the same memory address.
|
|
assert.True(t, networksMap["lan"][0] == acl[1])
|
|
assert.True(t, networksMap["lan"][1] == acl[2])
|
|
assert.True(t, networksMap["lan"][2] == acl[3])
|
|
|
|
assert.False(t, firstNetwork == acl[0])
|
|
}
|
|
|
|
func TestShouldParseACLNetworks(t *testing.T) {
|
|
schemaNetworks := []schema.ACLNetwork{
|
|
{
|
|
Name: "test",
|
|
Networks: []string{
|
|
"10.0.0.1",
|
|
},
|
|
},
|
|
{
|
|
Name: "second",
|
|
Networks: []string{
|
|
"10.0.0.1",
|
|
},
|
|
},
|
|
{
|
|
Name: "duplicate",
|
|
Networks: []string{
|
|
"10.0.0.1",
|
|
},
|
|
},
|
|
{
|
|
Name: "duplicate",
|
|
Networks: []string{
|
|
"10.0.0.1",
|
|
},
|
|
},
|
|
{
|
|
Name: "ipv6",
|
|
Networks: []string{
|
|
"fec0::1",
|
|
},
|
|
},
|
|
{
|
|
Name: "ipv6net",
|
|
Networks: []string{
|
|
"fec0::1/64",
|
|
},
|
|
},
|
|
{
|
|
Name: "net",
|
|
Networks: []string{
|
|
"10.0.0.0/8",
|
|
},
|
|
},
|
|
{
|
|
Name: "badnet",
|
|
Networks: []string{
|
|
"bad/8",
|
|
},
|
|
},
|
|
}
|
|
|
|
_, firstNetwork, err := net.ParseCIDR("10.0.0.1/32")
|
|
require.NoError(t, err)
|
|
|
|
_, secondNetwork, err := net.ParseCIDR("10.0.0.0/8")
|
|
require.NoError(t, err)
|
|
|
|
_, thirdNetwork, err := net.ParseCIDR("fec0::1/64")
|
|
require.NoError(t, err)
|
|
|
|
_, fourthNetwork, err := net.ParseCIDR("fec0::1/128")
|
|
require.NoError(t, err)
|
|
|
|
networksMap, networksCacheMap := parseSchemaNetworks(schemaNetworks)
|
|
|
|
require.Len(t, networksMap, 6)
|
|
require.Contains(t, networksMap, "test")
|
|
require.Contains(t, networksMap, "second")
|
|
require.Contains(t, networksMap, "duplicate")
|
|
require.Contains(t, networksMap, "ipv6")
|
|
require.Contains(t, networksMap, "ipv6net")
|
|
require.Contains(t, networksMap, "net")
|
|
require.Len(t, networksMap["test"], 1)
|
|
|
|
require.Len(t, networksCacheMap, 7)
|
|
require.Contains(t, networksCacheMap, "10.0.0.1")
|
|
require.Contains(t, networksCacheMap, "10.0.0.1/32")
|
|
require.Contains(t, networksCacheMap, "10.0.0.1/32")
|
|
require.Contains(t, networksCacheMap, "10.0.0.0/8")
|
|
require.Contains(t, networksCacheMap, "fec0::1")
|
|
require.Contains(t, networksCacheMap, "fec0::1/128")
|
|
require.Contains(t, networksCacheMap, "fec0::1/64")
|
|
|
|
assert.Equal(t, firstNetwork, networksMap["test"][0])
|
|
assert.Equal(t, secondNetwork, networksMap["net"][0])
|
|
assert.Equal(t, thirdNetwork, networksMap["ipv6net"][0])
|
|
assert.Equal(t, fourthNetwork, networksMap["ipv6"][0])
|
|
|
|
assert.Equal(t, firstNetwork, networksCacheMap["10.0.0.1"])
|
|
assert.Equal(t, firstNetwork, networksCacheMap["10.0.0.1/32"])
|
|
|
|
assert.Equal(t, secondNetwork, networksCacheMap["10.0.0.0/8"])
|
|
|
|
assert.Equal(t, thirdNetwork, networksCacheMap["fec0::1/64"])
|
|
|
|
assert.Equal(t, fourthNetwork, networksCacheMap["fec0::1"])
|
|
assert.Equal(t, fourthNetwork, networksCacheMap["fec0::1/128"])
|
|
}
|