| author | Amir Zarrinkafsh <nightah@me.com> | 2021-01-04 21:55:23 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2021-01-04 21:55:23 +1100 |
| commit | 9ca0e940da2e0eaa6f90290b344eeccc24c7806f (patch) | |
| tree | ddfe80b033ff3290db2c95c5d1c625222d8b01d1 /internal/configuration/schema/access_control.go | |
| parent | 29a900226d8ac85fa04e11af022a9561dae9e652 (diff) | |
[FEATURE] Validate ACLs and add network groups (#1568)
* adds validation to ACLs
* adds a new networks section that can be used as aliases in other sections (currently access_control)
Diffstat (limited to 'internal/configuration/schema/access_control.go')
| -rw-r--r-- | internal/configuration/schema/access_control.go | 75 |
1 files changed, 12 insertions, 63 deletions
diff --git a/internal/configuration/schema/access_control.go b/internal/configuration/schema/access_control.go
index 09c91cc2e..68010ec33 100644
--- a/internal/configuration/schema/access_control.go
+++ b/internal/configuration/schema/access_control.go
@@ -1,10 +1,17 @@
 package schema
-import (
- "fmt"
- "net"
- "strings"
-)
+// AccessControlConfiguration represents the configuration related to ACLs.
+type AccessControlConfiguration struct {
+ DefaultPolicy string `mapstructure:"default_policy"`
+ Networks []ACLNetwork `mapstructure:"networks"`
+ Rules []ACLRule `mapstructure:"rules"`
+}
+
+// ACLNetwork represents one ACL network group entry; "weak" coerces a single value into slice.
+type ACLNetwork struct {
+ Name []string `mapstructure:"name,weak"`
+ Networks []string `mapstructure:"networks"`
+}
 // ACLRule represents one ACL rule entry; "weak" coerces a single value into slice.
 type ACLRule struct {
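Review bot: The new `AccessControlConfiguration` and `ACLNetwork` fields in this hunk carry no per-field documentation, and with both `Validate` methods removed from this file nothing here records that an empty `DefaultPolicy` is still expected to fall back to deny, which the removed `AccessControlConfiguration.Validate` did by assigning `denyPolicy`. Suggested field comments: `// DefaultPolicy is the policy applied when no rule matches; an empty value is expected to resolve to "deny" during validation.` and `// Networks lists the CIDR ranges grouped under Name; ACLRule.Networks can presumably reference a group by name as well as a literal CIDR.` The group-alias behaviour is inferred from the commit description rather than from this hunk, so confirm it against the validator this commit adds elsewhere, and a one-line type comment stating that these structs are checked by the configuration validator rather than on decode would keep the fail-closed default visible to readers. The `type ACLRule struct {` declaration at the end of this hunk continues in the next hunk.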
@@ -14,61 +21,3 @@ type ACLRule struct {
 Networks []string `mapstructure:"networks"`
 Resources []string `mapstructure:"resources"`
 }
-
-// IsPolicyValid check if policy is valid.
-func IsPolicyValid(policy string) bool {
- return policy == denyPolicy || policy == "one_factor" || policy == "two_factor" || policy == "bypass"
-}
-
-// IsSubjectValid check if a subject is valid.
-func IsSubjectValid(subject string) bool {
- return subject == "" || strings.HasPrefix(subject, "user:") || strings.HasPrefix(subject, "group:")
-}
-
-// IsNetworkValid check if a network is valid.
-func IsNetworkValid(network string) bool {
- _, _, err := net.ParseCIDR(network)
- return err == nil
-}
-
-// Validate validate an ACL Rule.
-func (r *ACLRule) Validate(validator *StructValidator) {
- if len(r.Domains) == 0 {
- validator.Push(fmt.Errorf("Domain must be provided"))
- }
-
- if !IsPolicyValid(r.Policy) {
- validator.Push(fmt.Errorf("A policy must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))
- }
-
- for i, subjectRule := range r.Subjects {
- for j, subject := range subjectRule {
- if !IsSubjectValid(subject) {
- validator.Push(fmt.Errorf("Subject %d-%d must start with 'user:' or 'group:'", i, j))
- }
- }
- }
-
- for i, network := range r.Networks {
- if !IsNetworkValid(network) {
- validator.Push(fmt.Errorf("Network %d must be a valid CIDR", i))
- }
- }
-}
-
-// AccessControlConfiguration represents the configuration related to ACLs.
-type AccessControlConfiguration struct {
- DefaultPolicy string `mapstructure:"default_policy"`
- Rules []ACLRule `mapstructure:"rules"`
-}
-
-// Validate validate the access control configuration.
-func (acc *AccessControlConfiguration) Validate(validator *StructValidator) {
- if acc.DefaultPolicy == "" {
- acc.DefaultPolicy = denyPolicy
- }
-
- if !IsPolicyValid(acc.DefaultPolicy) {
- validator.Push(fmt.Errorf("'default_policy' must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))
- }
-}
