2020-12-12 21:08:36 +02:00
|
|
|
package auth
|
2020-05-20 12:59:01 +02:00
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"sort"
|
|
|
|
"strings"
|
|
|
|
)
|
|
|
|
|
|
|
|
// Verify an account has access to a resource using the rules provided. If the account does not have
|
|
|
|
// access an error will be returned. If there are no rules provided which match the resource, an error
|
|
|
|
// will be returned
|
2020-12-12 21:08:36 +02:00
|
|
|
func Verify(rules []*Rule, acc *Account, res *Resource) error {
|
2020-05-20 12:59:01 +02:00
|
|
|
// the rule is only to be applied if the type matches the resource or is catch-all (*)
|
|
|
|
validTypes := []string{"*", res.Type}
|
|
|
|
|
|
|
|
// the rule is only to be applied if the name matches the resource or is catch-all (*)
|
|
|
|
validNames := []string{"*", res.Name}
|
|
|
|
|
|
|
|
// rules can have wildcard excludes on endpoints since this can also be a path for web services,
|
|
|
|
// e.g. /foo/* would include /foo/bar. We also want to check for wildcards and the exact endpoint
|
|
|
|
validEndpoints := []string{"*", res.Endpoint}
|
|
|
|
if comps := strings.Split(res.Endpoint, "/"); len(comps) > 1 {
|
2020-05-22 15:02:02 +02:00
|
|
|
for i := 1; i < len(comps)+1; i++ {
|
2020-05-20 12:59:01 +02:00
|
|
|
wildcard := fmt.Sprintf("%v/*", strings.Join(comps[0:i], "/"))
|
|
|
|
validEndpoints = append(validEndpoints, wildcard)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// filter the rules to the ones which match the criteria above
|
2020-12-12 21:08:36 +02:00
|
|
|
filteredRules := make([]*Rule, 0)
|
2020-05-20 12:59:01 +02:00
|
|
|
for _, rule := range rules {
|
|
|
|
if !include(validTypes, rule.Resource.Type) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if !include(validNames, rule.Resource.Name) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
if !include(validEndpoints, rule.Resource.Endpoint) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
filteredRules = append(filteredRules, rule)
|
|
|
|
}
|
|
|
|
|
|
|
|
// sort the filtered rules by priority, highest to lowest
|
|
|
|
sort.SliceStable(filteredRules, func(i, j int) bool {
|
|
|
|
return filteredRules[i].Priority > filteredRules[j].Priority
|
|
|
|
})
|
|
|
|
|
|
|
|
// loop through the rules and check for a rule which applies to this account
|
|
|
|
for _, rule := range filteredRules {
|
2020-05-21 15:56:17 +02:00
|
|
|
// a blank scope indicates the rule applies to everyone, even nil accounts
|
2020-12-12 21:08:36 +02:00
|
|
|
if rule.Scope == ScopePublic && rule.Access == AccessDenied {
|
|
|
|
return ErrForbidden
|
|
|
|
} else if rule.Scope == ScopePublic && rule.Access == AccessGranted {
|
2020-05-20 12:59:01 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-05-21 15:56:17 +02:00
|
|
|
// all further checks require an account
|
|
|
|
if acc == nil {
|
2020-05-20 12:59:01 +02:00
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
// this rule applies to any account
|
2020-12-12 21:08:36 +02:00
|
|
|
if rule.Scope == ScopeAccount && rule.Access == AccessDenied {
|
|
|
|
return ErrForbidden
|
|
|
|
} else if rule.Scope == ScopeAccount && rule.Access == AccessGranted {
|
2020-05-20 12:59:01 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2020-05-21 15:56:17 +02:00
|
|
|
// if the account has the necessary scope
|
2020-12-12 21:08:36 +02:00
|
|
|
if include(acc.Scopes, rule.Scope) && rule.Access == AccessDenied {
|
|
|
|
return ErrForbidden
|
|
|
|
} else if include(acc.Scopes, rule.Scope) && rule.Access == AccessGranted {
|
2020-05-20 12:59:01 +02:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// if no rules matched then return forbidden
|
2020-12-12 21:08:36 +02:00
|
|
|
return ErrForbidden
|
2020-05-20 12:59:01 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// include is a helper function which checks to see if the slice contains the value. includes is
|
|
|
|
// not case sensitive.
|
|
|
|
func include(slice []string, val string) bool {
|
|
|
|
for _, s := range slice {
|
|
|
|
if strings.ToLower(s) == strings.ToLower(val) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|