1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
package handlers
import (
"github.com/authelia/authelia/v4/internal/authentication"
"github.com/authelia/authelia/v4/internal/authorization"
"github.com/authelia/authelia/v4/internal/middlewares"
"github.com/authelia/authelia/v4/internal/session"
"github.com/authelia/authelia/v4/internal/utils"
)
func friendlyMethod(m string) (fm string) {
switch m {
case "":
return "unknown"
default:
return m
}
}
func friendlyUsername(username string) (fusername string) {
switch username {
case "":
return anonymous
default:
return username
}
}
func isAuthzResult(level authentication.Level, required authorization.Level, ruleHasSubject bool) AuthzResult {
switch {
case required == authorization.Bypass:
return AuthzResultAuthorized
case required == authorization.Denied && (level != authentication.NotAuthenticated || !ruleHasSubject):
// If the user is not anonymous, it means that we went through all the rules related to that user identity and
// can safely conclude their access is actually forbidden. If a user is anonymous however this is not actually
// possible without some more advanced logic.
return AuthzResultForbidden
case required == authorization.OneFactor && level >= authentication.OneFactor,
required == authorization.TwoFactor && level >= authentication.TwoFactor:
return AuthzResultAuthorized
default:
return AuthzResultUnauthorized
}
}
// generateVerifySessionHasUpToDateProfileTraceLogs is used to generate trace logs only when trace logging is enabled.
// The information calculated in this function is completely useless other than trace for now.
func generateVerifySessionHasUpToDateProfileTraceLogs(ctx *middlewares.AutheliaCtx, userSession *session.UserSession,
details *authentication.UserDetails) {
groupsAdded, groupsRemoved := utils.StringSlicesDelta(userSession.Groups, details.Groups)
emailsAdded, emailsRemoved := utils.StringSlicesDelta(userSession.Emails, details.Emails)
nameDelta := userSession.DisplayName != details.DisplayName
fields := map[string]any{"username": userSession.Username}
msg := "User session groups are current"
if len(groupsAdded) != 0 || len(groupsRemoved) != 0 {
if len(groupsAdded) != 0 {
fields["added"] = groupsAdded
}
if len(groupsRemoved) != 0 {
fields["removed"] = groupsRemoved
}
msg = "User session groups were updated"
}
ctx.Logger.WithFields(fields).Trace(msg)
if len(emailsAdded) != 0 || len(emailsRemoved) != 0 {
if len(emailsAdded) != 0 {
fields["added"] = emailsAdded
} else {
delete(fields, "added")
}
if len(emailsRemoved) != 0 {
fields["removed"] = emailsRemoved
} else {
delete(fields, "removed")
}
msg = "User session emails were updated"
} else {
msg = "User session emails are current"
delete(fields, "added")
delete(fields, "removed")
}
ctx.Logger.WithFields(fields).Trace(msg)
if nameDelta {
ctx.Logger.
WithFields(map[string]any{
"username": userSession.Username,
"before": userSession.DisplayName,
"after": details.DisplayName,
}).
Trace("User session display name updated")
} else {
ctx.Logger.Trace("User session display name is current")
}
}
|
