| author | Clement Michaud <clement.michaud34@gmail.com> | 2019-11-17 11:47:07 +0100 |
|---|---|---|
| committer | Clément Michaud <clement.michaud34@gmail.com> | 2019-11-17 16:30:33 +0100 |
| commit | 3b2d733367c88621e4178301f2bcb4bc03613eee (patch) | |
| tree | 41ac41fc5b6cece04db85a08bfa7c32a022f7354 /internal/configuration/schema/access_control.go | |
| parent | a06b69dd458e756f1a3d6867eb5b9f54560e2ee1 (diff) | |
Move source code into internal directory to follow standard project layout.
https://github.com/golang-standards/project-layout
Diffstat (limited to 'internal/configuration/schema/access_control.go')
| -rw-r--r-- | internal/configuration/schema/access_control.go | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/internal/configuration/schema/access_control.go b/internal/configuration/schema/access_control.go
new file mode 100644
index 000000000..d493208d2
--- /dev/null
+++ b/internal/configuration/schema/access_control.go
@@ -0,0 +1,70 @@
+package schema
+
+import (
+ "fmt"
+ "net"
+ "strings"
+)
+
+// ACLRule represent one ACL rule
+type ACLRule struct {
+ Domain string `yaml:"domain"`
+ Policy string `yaml:"policy"`
+ Subject string `yaml:"subject"`
+ Networks []string `yaml:"networks"`
+ Resources []string `yaml:"resources"`
+}
+
+// IsPolicyValid check if policy is valid
+func IsPolicyValid(policy string) bool {
+ return policy == "deny" || policy == "one_factor" || policy == "two_factor" || policy == "bypass"
+}
+
+// IsSubjectValid check if a subject is valid
+func IsSubjectValid(subject string) bool {
+ return subject == "" || strings.HasPrefix(subject, "user:") || strings.HasPrefix(subject, "group:")
+}
+
+// IsNetworkValid check if a network is valid
+func IsNetworkValid(network string) bool {
+ _, _, err := net.ParseCIDR(network)
+ return err == nil
+}
+
+// Validate validate an ACL Rule
+func (r *ACLRule) Validate(validator *StructValidator) {
+ if r.Domain == "" {
+ validator.Push(fmt.Errorf("Domain must be provided"))
+ }
+
+ if !IsPolicyValid(r.Policy) {
+ validator.Push(fmt.Errorf("A policy must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))
+ }
+
+ if !IsSubjectValid(r.Subject) {
+ validator.Push(fmt.Errorf("A subject must start with 'user:' or 'group:'"))
+ }
+
+ for i, network := range r.Networks {
+ if !IsNetworkValid(network) {
+ validator.Push(fmt.Errorf("Network %d must be a valid CIDR", i))
+ }
+ }
+}
+
+// AccessControlConfiguration represents the configuration related to ACLs.
+type AccessControlConfiguration struct {
+ DefaultPolicy string `yaml:"default_policy"`
+ Rules []ACLRule `yaml:"rules"`
+}
+
+// Validate validate the access control configuration
+func (acc *AccessControlConfiguration) Validate(validator *StructValidator) {
+ if acc.DefaultPolicy == "" {
+ acc.DefaultPolicy = "deny"
+ }
+
+ if !IsPolicyValid(acc.DefaultPolicy) {
+ validator.Push(fmt.Errorf("'default_policy' must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))
+ }
+} |
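Review bot: `AccessControlConfiguration.Validate` never calls `Validate` on the entries of `acc.Rules`, so a rule with a misspelled policy, a subject lacking the `user:`/`group:` prefix, or a malformed CIDR is accepted silently unless the `StructValidator` (defined outside this file) walks nested values on its own, and for an access-control config that is the wrong direction to fail in. Adding `for i := range acc.Rules { acc.Rules[i].Validate(validator) }` after the default-policy check would route every rule through `ACLRule.Validate`. Two smaller gaps in `ACLRule.Validate`: `IsSubjectValid` accepts a bare `user:` or `group:` with nothing after the prefix, and `Resources` is not checked at all, so a malformed entry would only surface when the rule is evaluated. Since the rule errors carry no rule index, a message such as `Rule %d: Domain must be provided` would also help operators find the offending entry.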
