internal/authorization/access_control_domain.go


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

package authorization

import (
	"fmt"
	"regexp"
	"strings"

	"github.com/authelia/authelia/v4/internal/utils"
)

// NewAccessControlDomain creates a new SubjectObjectMatcher that matches the domain as a basic string.
func NewAccessControlDomain(domain string) (subjcets bool, rule AccessControlDomain) {
	m := &AccessControlDomainMatcher{}
	domain = strings.ToLower(domain)

	switch {
	case strings.HasPrefix(domain, "*."):
		m.Wildcard = true
		m.Name = domain[1:]
	case strings.HasPrefix(domain, "{user}"):
		m.UserWildcard = true
		m.Name = domain[6:]
	case strings.HasPrefix(domain, "{group}"):
		m.GroupWildcard = true
		m.Name = domain[7:]
	default:
		m.Name = domain
	}

	return m.UserWildcard || m.GroupWildcard, AccessControlDomain{m}
}

// NewAccessControlDomainRegex creates a new SubjectObjectMatcher that matches the domain either in a basic way or
// dynamic User/Group subexpression group way.
func NewAccessControlDomainRegex(pattern regexp.Regexp) (subjects bool, rule AccessControlDomain) {
	var iuser, igroup = -1, -1

	for i, group := range pattern.SubexpNames() {
		switch group {
		case subexpNameUser:
			iuser = i
		case subexpNameGroup:
			igroup = i
		}
	}

	if iuser != -1 || igroup != -1 {
		return true, AccessControlDomain{RegexpGroupStringSubjectMatcher{pattern, iuser, igroup}}
	}

	return false, AccessControlDomain{RegexpStringSubjectMatcher{pattern}}
}

// AccessControlDomainMatcher is the basic domain matcher.
type AccessControlDomainMatcher struct {
	Name          string
	Wildcard      bool
	UserWildcard  bool
	GroupWildcard bool
}

// IsMatch returns true if this rule matches.
func (m AccessControlDomainMatcher) IsMatch(domain string, subject Subject) (match bool) {
	switch {
	case m.Wildcard:
		return strings.HasSuffix(domain, m.Name)
	case m.UserWildcard:
		if subject.IsAnonymous() && strings.HasSuffix(domain, m.Name) {
			return len(domain) > len(m.Name)
		}

		return domain == fmt.Sprintf("%s%s", subject.Username, m.Name)
	case m.GroupWildcard:
		if subject.IsAnonymous() && strings.HasSuffix(domain, m.Name) {
			return len(domain) > len(m.Name)
		}

		i := strings.Index(domain, ".")

		return domain[i:] == m.Name && utils.IsStringInSliceFold(domain[:i], subject.Groups)
	default:
		return strings.EqualFold(domain, m.Name)
	}
}

// AccessControlDomain represents an ACL domain.
type AccessControlDomain struct {
	Matcher StringSubjectMatcher
}

// IsMatch returns true if the ACL domain matches the object domain.
func (acl AccessControlDomain) IsMatch(subject Subject, object Object) (match bool) {
	return acl.Matcher.IsMatch(object.Domain, subject)
}