summaryrefslogtreecommitdiff
path: root/internal/configuration/schema/access_control.go
diff options
context:
space:
mode:
Diffstat (limited to 'internal/configuration/schema/access_control.go')
-rw-r--r--internal/configuration/schema/access_control.go70
1 files changed, 70 insertions, 0 deletions
diff --git a/internal/configuration/schema/access_control.go b/internal/configuration/schema/access_control.go
new file mode 100644
index 000000000..d493208d2
--- /dev/null
+++ b/internal/configuration/schema/access_control.go
@@ -0,0 +1,70 @@
+package schema
+
+import (
+ "fmt"
+ "net"
+ "strings"
+)
+
+// ACLRule represent one ACL rule
+type ACLRule struct {
+ Domain string `yaml:"domain"`
+ Policy string `yaml:"policy"`
+ Subject string `yaml:"subject"`
+ Networks []string `yaml:"networks"`
+ Resources []string `yaml:"resources"`
+}
+
+// IsPolicyValid check if policy is valid
+func IsPolicyValid(policy string) bool {
+ return policy == "deny" || policy == "one_factor" || policy == "two_factor" || policy == "bypass"
+}
+
+// IsSubjectValid check if a subject is valid
+func IsSubjectValid(subject string) bool {
+ return subject == "" || strings.HasPrefix(subject, "user:") || strings.HasPrefix(subject, "group:")
+}
+
+// IsNetworkValid check if a network is valid
+func IsNetworkValid(network string) bool {
+ _, _, err := net.ParseCIDR(network)
+ return err == nil
+}
+
+// Validate validate an ACL Rule
+func (r *ACLRule) Validate(validator *StructValidator) {
+ if r.Domain == "" {
+ validator.Push(fmt.Errorf("Domain must be provided"))
+ }
+
+ if !IsPolicyValid(r.Policy) {
+ validator.Push(fmt.Errorf("A policy must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))
+ }
+
+ if !IsSubjectValid(r.Subject) {
+ validator.Push(fmt.Errorf("A subject must start with 'user:' or 'group:'"))
+ }
+
+ for i, network := range r.Networks {
+ if !IsNetworkValid(network) {
+ validator.Push(fmt.Errorf("Network %d must be a valid CIDR", i))
+ }
+ }
+}
+
+// AccessControlConfiguration represents the configuration related to ACLs.
+type AccessControlConfiguration struct {
+ DefaultPolicy string `yaml:"default_policy"`
+ Rules []ACLRule `yaml:"rules"`
+}
+
+// Validate validate the access control configuration
+func (acc *AccessControlConfiguration) Validate(validator *StructValidator) {
+ if acc.DefaultPolicy == "" {
+ acc.DefaultPolicy = "deny"
+ }
+
+ if !IsPolicyValid(acc.DefaultPolicy) {
+ validator.Push(fmt.Errorf("'default_policy' must either be 'deny', 'two_factor', 'one_factor' or 'bypass'"))
+ }
+}