summaryrefslogtreecommitdiff
path: root/internal/handlers/handler_authz_types.go
blob: bc00d7842197a27dab8a760b941264b6dfee33cb (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181

package handlers

import (
	"context"
	"errors"
	"net/url"

	oauthelia2 "authelia.com/provider/oauth2"

	"github.com/authelia/authelia/v4/internal/authentication"
	"github.com/authelia/authelia/v4/internal/authorization"
	"github.com/authelia/authelia/v4/internal/configuration/schema"
	"github.com/authelia/authelia/v4/internal/middlewares"
	"github.com/authelia/authelia/v4/internal/model"
	"github.com/authelia/authelia/v4/internal/oidc"
	"github.com/authelia/authelia/v4/internal/session"
)

// Authz is a type which is a effectively is a middlewares.RequestHandler for authorization requests. This should NOT be
// manually used and developers should instead use NewAuthzBuilder.
type Authz struct {
	config AuthzConfig

	strategies []AuthnStrategy

	handleGetObject HandlerAuthzGetObject

	handleGetAutheliaURL HandlerAuthzGetAutheliaURL

	handleAuthorized   HandlerAuthzAuthorized
	handleUnauthorized HandlerAuthzUnauthorized

	implementation AuthzImplementation
}

// HandlerAuthzUnauthorized is a Authz handler func that handles unauthorized responses.
type HandlerAuthzUnauthorized func(ctx *middlewares.AutheliaCtx, authn *Authn, redirectionURL *url.URL)

// HandlerAuthzAuthorized is a Authz handler func that handles authorized responses.
type HandlerAuthzAuthorized func(ctx *middlewares.AutheliaCtx, authn *Authn)

// HandlerAuthzGetAutheliaURL is a Authz handler func that handles retrieval of the Portal URL.
type HandlerAuthzGetAutheliaURL func(ctx *middlewares.AutheliaCtx) (portalURL *url.URL, err error)

// HandlerAuthzGetRedirectionURL is a Authz handler func that handles retrieval of the Redirection URL.
type HandlerAuthzGetRedirectionURL func(ctx *middlewares.AutheliaCtx, object *authorization.Object) (redirectionURL *url.URL, err error)

// HandlerAuthzGetObject is a Authz handler func that handles retrieval of the authorization.Object to authorize.
type HandlerAuthzGetObject func(ctx *middlewares.AutheliaCtx) (object authorization.Object, err error)

// HandlerAuthzVerifyObject is a Authz handler func that handles authorization of the authorization.Object.
type HandlerAuthzVerifyObject func(ctx *middlewares.AutheliaCtx, object authorization.Object) (err error)

// AuthnType is an auth type.
type AuthnType int

const (
	// AuthnTypeNone is a nil Authentication AuthnType.
	AuthnTypeNone AuthnType = iota

	// AuthnTypeCookie is an Authentication AuthnType based on the Cookie header.
	AuthnTypeCookie

	// AuthnTypeProxyAuthorization is an Authentication AuthnType based on the Proxy-Authorization header.
	AuthnTypeProxyAuthorization

	// AuthnTypeAuthorization is an Authentication AuthnType based on the Authorization header.
	AuthnTypeAuthorization
)

// Authn is authentication.
type Authn struct {
	Username string
	Method   string
	ClientID string

	Details authentication.UserDetails
	Level   authentication.Level
	Object  authorization.Object
	Type    AuthnType

	Header HeaderAuthorization
}

type HeaderAuthorization struct {
	Authorization *model.Authorization
	Realm         string
	Scope         string
	Error         *oauthelia2.RFC6749Error
}

// AuthzConfig represents the configuration elements of the Authz type.
type AuthzConfig struct {
	RefreshInterval schema.RefreshIntervalDuration

	// StatusCodeBadRequest is sent for configuration issues prior to performing authorization checks. It's set by the
	// builder.
	StatusCodeBadRequest int
}

// AuthzBuilder is a builder pattern for the Authz type.
type AuthzBuilder struct {
	config         AuthzConfig
	implementation AuthzImplementation
	strategies     []AuthnStrategy
}

// AuthnStrategy is a strategy used for Authz authentication.
type AuthnStrategy interface {
	Get(ctx *middlewares.AutheliaCtx, provider *session.Session, object *authorization.Object) (authn *Authn, err error)
	CanHandleUnauthorized() (handle bool)
	HeaderStrategy() (is bool)
	HandleUnauthorized(ctx *middlewares.AutheliaCtx, authn *Authn, redirectionURL *url.URL)
}

// AuthzResult is a result for Authz response handling determination.
type AuthzResult int

const (
	// AuthzResultForbidden means the user is forbidden the access to a resource.
	AuthzResultForbidden AuthzResult = iota

	// AuthzResultUnauthorized means the user can access the resource with more permissions.
	AuthzResultUnauthorized

	// AuthzResultAuthorized means the user is authorized given her current permissions.
	AuthzResultAuthorized
)

// AuthzImplementation represents an Authz implementation.
type AuthzImplementation int

// AuthnStrategy names.
const (
	AuthnStrategyCookieSession                       = "CookieSession"
	AuthnStrategyHeaderAuthorization                 = "HeaderAuthorization"
	AuthnStrategyHeaderProxyAuthorization            = "HeaderProxyAuthorization"
	AuthnStrategyHeaderAuthRequestProxyAuthorization = "HeaderAuthRequestProxyAuthorization"
	AuthnStrategyHeaderLegacy                        = "HeaderLegacy"
)

const (
	// AuthzImplLegacy is the legacy Authz implementation (VerifyGET).
	AuthzImplLegacy AuthzImplementation = iota

	// AuthzImplForwardAuth is the modern Forward Auth Authz implementation which is used by Caddy and Traefik.
	AuthzImplForwardAuth

	// AuthzImplAuthRequest is the modern Auth Request Authz implementation which is used by NGINX and modelled after
	// the ingress-nginx k8s ingress.
	AuthzImplAuthRequest

	// AuthzImplExtAuthz is the modern ExtAuthz Authz implementation which is used by Envoy.
	AuthzImplExtAuthz
)

// String returns the text representation of this AuthzImplementation.
func (i AuthzImplementation) String() string {
	switch i {
	case AuthzImplLegacy:
		return "Legacy"
	case AuthzImplForwardAuth:
		return "ForwardAuth"
	case AuthzImplAuthRequest:
		return "AuthRequest"
	case AuthzImplExtAuthz:
		return "ExtAuthz"
	default:
		return ""
	}
}

type AuthzBearerIntrospectionProvider interface {
	GetRegisteredClient(ctx context.Context, id string) (client oidc.Client, err error)
	GetAudienceStrategy(ctx context.Context) (strategy oauthelia2.AudienceMatchingStrategy)
	IntrospectToken(ctx context.Context, token string, tokenUse oauthelia2.TokenUse, session oauthelia2.Session, scope ...string) (oauthelia2.TokenUse, oauthelia2.AccessRequester, error)
}

var (
	errTokenIntent = errors.New("the bearer token doesn't appear to be an authelia bearer token")
)