authorJames Elliott <james-d-elliott@users.noreply.github.com>2021-03-05 15:18:31 +1100
committerGitHub <noreply@github.com>2021-03-05 15:18:31 +1100
commit4dce8f94962d3bd0099bbb202f76696a551d099b (patch)
treefdc3bba51d8f23b6866ddbbbd9e9feb50e9fb293 /internal/configuration/validator/access_control_test.go
parent455b8590477f0ec7841e6766294937cecb94640f (diff)
perf(authorizer): preload access control lists (#1640)
* adjust session refresh to always occur (for disabled users) * feat: adds filtering option for Request Method in ACL's * simplify flow of internal/authorization/authorizer.go's methods * implement query string checking * utilize authorizer.Object fully * make matchers uniform * add tests * add missing request methods * add frontend enhancements to handle request method * add request method to 1FA Handler Suite * add internal ACL representations (preparsing) * expand on access_control next * add docs * remove unnecessary slice for network names and instead just use a plain string * add warning for ineffectual bypass policy (due to subjects) * add user/group wildcard support * fix(authorization): allow subject rules to match anonymous users * feat(api): add new params * docs(api): wording adjustments * test: add request method into testing and proxy docs * test: add several checks and refactor schema validation for ACL * test: add integration test for methods acl * refactor: apply suggestions from code review * docs(authorization): update description
Diffstat (limited to 'internal/configuration/validator/access_control_test.go')
-rw-r--r--internal/configuration/validator/access_control_test.go35
1 files changed, 28 insertions, 7 deletions
diff --git a/internal/configuration/validator/access_control_test.go b/internal/configuration/validator/access_control_test.go
index c57e46a19..7105680bd 100644
--- a/internal/configuration/validator/access_control_test.go
+++ b/internal/configuration/validator/access_control_test.go
@@ -1,6 +1,7 @@
package validator
import (
+ "fmt"
"testing"
"github.com/stretchr/testify/suite"
@@ -42,7 +43,7 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidDefaultPolicy() {
func (suite *AccessControl) TestShouldRaiseErrorInvalidNetworkGroupNetwork() {
suite.configuration.Networks = []schema.ACLNetwork{
{
- Name: []string{"internal"},
+ Name: "internal",
Networks: []string{"abc.def.ghi.jkl"},
},
}
@@ -52,7 +53,7 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidNetworkGroupNetwork() {
suite.Assert().False(suite.validator.HasWarnings())
suite.Require().Len(suite.validator.Errors(), 1)
- suite.Assert().EqualError(suite.validator.Errors()[0], "Network [abc.def.ghi.jkl] from network group: [internal] must be a valid IP or CIDR")
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Network [abc.def.ghi.jkl] from network group: internal must be a valid IP or CIDR")
}
func (suite *AccessControl) TestShouldRaiseErrorNoRulesDefined() {
@@ -100,6 +101,23 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidNetwork() {
suite.Assert().EqualError(suite.validator.Errors()[0], "Network [abc.def.ghi.jkl/32] for domain: [public.example.com] is not a valid network or network group")
}
+func (suite *AccessControl) TestShouldRaiseErrorInvalidMethod() {
+ suite.configuration.Rules = []schema.ACLRule{
+ {
+ Domains: []string{"public.example.com"},
+ Policy: "bypass",
+ Methods: []string{"GET", "HOP"},
+ },
+ }
+
+ ValidateRules(suite.configuration, suite.validator)
+
+ suite.Assert().False(suite.validator.HasWarnings())
+ suite.Require().Len(suite.validator.Errors(), 1)
+
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Method HOP for domain: [public.example.com] is invalid, must be one of the following methods: GET, HEAD, POST, PUT, PATCH, DELETE, TRACE, CONNECT, OPTIONS")
+}
+
func (suite *AccessControl) TestShouldRaiseErrorInvalidResource() {
suite.configuration.Rules = []schema.ACLRule{
{
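Review bot: The expected message in the new `suite.Assert().EqualError(...)` is a hand-written literal, whereas TestShouldRaiseErrorInvalidSubject later in this diff builds its second expectation from a shared format constant (`errAccessControlInvalidPolicyWithSubjects`); if a matching constant exists for the invalid-method error, the assertion would track message changes better as `fmt.Sprintf(<invalid-method-constant>, "HOP", domains)` (placeholder name, the constant is not visible here). The new case only exercises an upper-case unknown verb; whether a lower-case spelling of a valid method such as `"get"` is accepted or rejected is exactly what a rule author is likely to trip on, so a second case pinning that outcome would make the validator's contract explicit. The function that starts at the end of this hunk, TestShouldRaiseErrorInvalidResource, continues outside it.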
@@ -118,20 +136,23 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidResource() {
}
func (suite *AccessControl) TestShouldRaiseErrorInvalidSubject() {
+ domains := []string{"public.example.com"}
+ subjects := [][]string{{"invalid"}}
suite.configuration.Rules = []schema.ACLRule{
{
- Domains: []string{"public.example.com"},
+ Domains: domains,
Policy: "bypass",
- Subjects: [][]string{{"invalid"}},
+ Subjects: subjects,
},
}
ValidateRules(suite.configuration, suite.validator)
- suite.Assert().False(suite.validator.HasWarnings())
- suite.Require().Len(suite.validator.Errors(), 1)
+ suite.Require().Len(suite.validator.Warnings(), 0)
+ suite.Require().Len(suite.validator.Errors(), 2)
- suite.Assert().EqualError(suite.validator.Errors()[0], "Subject [invalid] for domain: [public.example.com] must start with 'user:' or 'group:'")
+ suite.Assert().EqualError(suite.validator.Errors()[0], "Subject [invalid] for domain: [public.example.com] is invalid, must start with 'user:' or 'group:'")
+ suite.Assert().EqualError(suite.validator.Errors()[1], fmt.Sprintf(errAccessControlInvalidPolicyWithSubjects, domains, subjects))
}
func TestAccessControl(t *testing.T) {
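Review bot: The added `suite.Assert().EqualError(suite.validator.Errors()[1], fmt.Sprintf(errAccessControlInvalidPolicyWithSubjects, domains, subjects))` folds a second, separate rule — a bypass policy combined with subjects — into a test named for invalid subject syntax, so that check is only ever verified alongside an already malformed subject and the test name no longer says what it pins. A dedicated test with a well-formed subject, e.g. `Subjects: [][]string{{"user:john"}}` and `Policy: "bypass"`, expecting exactly one error would document that rule on its own; the diff does not show whether such a test exists elsewhere in the file. The commit description calls this an ineffectual-bypass warning while the test asserts it through `Errors()`, so one of the two should be brought in line. The expectation also depends on the `%v` rendering of the nested `subjects` slice, which couples the test to the verbs used in the constant.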