authorJames Elliott <james-d-elliott@users.noreply.github.com>2022-06-28 12:51:05 +1000
committerGitHub <noreply@github.com>2022-06-28 12:51:05 +1000
commitab1d0c51d31e423f3caf4da1e02f3cc863c2cbd9 (patch)
treed5ded5fd5bea1f5274f53efdda583572d881a4cf /internal/authorization/access_control_resource.go
parent19a543289bf4d6e6980aedbdc27d12bacb77efc6 (diff)
feat(authorization): acl resource regex named groups (#3597)
This adds the named group functionality from domain_regex to the resource criteria.
Diffstat (limited to 'internal/authorization/access_control_resource.go')
-rw-r--r--internal/authorization/access_control_resource.go28
1 files changed, 24 insertions, 4 deletions
diff --git a/internal/authorization/access_control_resource.go b/internal/authorization/access_control_resource.go
index 9bfca6d20..c9141f863 100644
--- a/internal/authorization/access_control_resource.go
+++ b/internal/authorization/access_control_resource.go
@@ -4,12 +4,32 @@ import (
"regexp"
)
-// AccessControlResource represents an ACL resource.
+// NewAccessControlResource creates a AccessControlResource or AccessControlResourceGroup.
+func NewAccessControlResource(pattern regexp.Regexp) AccessControlResource {
+ var iuser, igroup = -1, -1
+
+ for i, group := range pattern.SubexpNames() {
+ switch group {
+ case subexpNameUser:
+ iuser = i
+ case subexpNameGroup:
+ igroup = i
+ }
+ }
+
+ if iuser != -1 || igroup != -1 {
+ return AccessControlResource{RegexpGroupStringSubjectMatcher{pattern, iuser, igroup}}
+ }
+
+ return AccessControlResource{RegexpStringSubjectMatcher{pattern}}
+}
+
+// AccessControlResource represents an ACL resource that matches without named groups.
type AccessControlResource struct {
- Pattern regexp.Regexp
+ Matcher StringSubjectMatcher
}
// IsMatch returns true if the ACL resource match the object path.
-func (acr AccessControlResource) IsMatch(object Object) (match bool) {
- return acr.Pattern.MatchString(object.Path)
+func (acl AccessControlResource) IsMatch(subject Subject, object Object) (match bool) {
+ return acl.Matcher.IsMatch(object.Path, subject)
}
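Review bot: The doc comments on the new side no longer describe these types accurately, which is worth fixing on an authorization primitive. The constructor comment names an `AccessControlResourceGroup` that is not a return type here, and the struct comment says it "matches without named groups" although the constructor stores a `RegexpGroupStringSubjectMatcher` in the same struct. I would write `// NewAccessControlResource returns an AccessControlResource; when the pattern declares the user or group named groups, the matcher also compares them against the subject.` and `// AccessControlResource represents an ACL resource; Matcher decides whether a path matches for a given subject.` The `IsMatch` comment should likewise mention the subject, e.g. `// IsMatch returns true if the object path matches the resource for the given subject.` How an anonymous subject or an empty capture is treated is decided inside `RegexpGroupStringSubjectMatcher`, which is outside this hunk, so a test covering a named-group rule with an unauthenticated subject would confirm the rule cannot match unintentionally.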