oauth2-proxy/pkg/authorization/rules.go

package authorization

import (
	"net"
	"net/http"

	middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
)

type RuleSet interface {
	MatchesRequest(req *http.Request) middlewareapi.AuthorizationPolicy
}

type rule struct {
	conditions []condition
	policy     middlewareapi.AuthorizationPolicy
}

func (r rule) matches(req *http.Request) middlewareapi.AuthorizationPolicy {
	for _, condition := range r.conditions {
		if !condition.matches(req) {
			// One of the conditions didn't match so this rule does not apply
			return middlewareapi.OmittedPolicy
		}
	}
	// If all conditions match, return the configured rule policy
	return r.policy
}

func newRule(authRule options.AuthorizationRule, getClientIPFunc func(*http.Request) net.IP) (rule, error) {
	// This function should add the conditions in order of complexity, least complex first
	conditions := []condition{}

	if len(authRule.Methods) > 0 {
		conditions = append(conditions, newMethodCondition(authRule.Methods))
	}

	if len(authRule.Path) > 0 {
		condition, err := newPathCondition(authRule.Path)
		if err != nil {
			return rule{}, err
		}
		conditions = append(conditions, condition)
	}

	if len(authRule.IPs) > 0 {
		condition, err := newIPCondition(authRule.IPs, getClientIPFunc)
		if err != nil {
			return rule{}, err
		}
		conditions = append(conditions, condition)
	}

	var policy middlewareapi.AuthorizationPolicy
	switch authRule.Policy {
	case options.AllowPolicy:
		policy = middlewareapi.AllowPolicy
	case options.DelegatePolicy:
		policy = middlewareapi.DelegatePolicy
	case options.DenyPolicy:
		policy = middlewareapi.DenyPolicy
	default:
		// This shouldn't be the case and should be prevented by validation
		policy = middlewareapi.OmittedPolicy
	}

	return rule{
		conditions: conditions,
		policy:     policy,
	}, nil
}

type ruleSet struct {
	rules []rule
}

func (r ruleSet) MatchesRequest(req *http.Request) middlewareapi.AuthorizationPolicy {
	for _, rule := range r.rules {
		if policy := rule.matches(req); policy != middlewareapi.OmittedPolicy {
			// The rule applies to this request, return its policy
			return policy
		}
	}
	// No rules matched
	return middlewareapi.OmittedPolicy
}

func NewRuleSet(requestRules []options.AuthorizationRule, getClientIPFunc func(*http.Request) net.IP) (RuleSet, error) {
	rules := []rule{}
	for _, requestRule := range requestRules {
		r, err := newRule(requestRule, getClientIPFunc)
		if err != nil {
			return nil, err
		}
		rules = append(rules, r)
	}
	return ruleSet{
		rules: rules,
	}, nil
}
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`package authorization`

			`import (`
			`"net"`
			`"net/http"`

WIP 2022-06-03 12:41:30 +01:00			`middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"`
			`)`

			`type RuleSet interface {`
WIP 2022-06-03 12:41:30 +01:00			`MatchesRequest(req *http.Request) middlewareapi.AuthorizationPolicy`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`}`

			`type rule struct {`
			`conditions []condition`
WIP 2022-06-03 12:41:30 +01:00			`policy middlewareapi.AuthorizationPolicy`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`}`

WIP 2022-06-03 12:41:30 +01:00			`func (r rule) matches(req *http.Request) middlewareapi.AuthorizationPolicy {`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`for _, condition := range r.conditions {`
			`if !condition.matches(req) {`
			`// One of the conditions didn't match so this rule does not apply`
WIP 2022-06-03 12:41:30 +01:00			`return middlewareapi.OmittedPolicy`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`}`
			`}`
			`// If all conditions match, return the configured rule policy`
			`return r.policy`
			`}`

			`func newRule(authRule options.AuthorizationRule, getClientIPFunc func(*http.Request) net.IP) (rule, error) {`
			`// This function should add the conditions in order of complexity, least complex first`
			`conditions := []condition{}`

			`if len(authRule.Methods) > 0 {`
			`conditions = append(conditions, newMethodCondition(authRule.Methods))`
			`}`

			`if len(authRule.Path) > 0 {`
			`condition, err := newPathCondition(authRule.Path)`
			`if err != nil {`
			`return rule{}, err`
			`}`
			`conditions = append(conditions, condition)`
			`}`

			`if len(authRule.IPs) > 0 {`
			`condition, err := newIPCondition(authRule.IPs, getClientIPFunc)`
			`if err != nil {`
			`return rule{}, err`
			`}`
			`conditions = append(conditions, condition)`
			`}`

WIP 2022-06-03 12:41:30 +01:00			`var policy middlewareapi.AuthorizationPolicy`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`switch authRule.Policy {`
			`case options.AllowPolicy:`
WIP 2022-06-03 12:41:30 +01:00			`policy = middlewareapi.AllowPolicy`
Fixup Add request authorization ruleset 2022-04-19 10:04:52 +01:00			`case options.DelegatePolicy:`
WIP 2022-06-03 12:41:30 +01:00			`policy = middlewareapi.DelegatePolicy`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`case options.DenyPolicy:`
WIP 2022-06-03 12:41:30 +01:00			`policy = middlewareapi.DenyPolicy`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`default:`
			`// This shouldn't be the case and should be prevented by validation`
WIP 2022-06-03 12:41:30 +01:00			`policy = middlewareapi.OmittedPolicy`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`}`

			`return rule{`
			`conditions: conditions,`
			`policy: policy,`
			`}, nil`
			`}`

			`type ruleSet struct {`
			`rules []rule`
			`}`

WIP 2022-06-03 12:41:30 +01:00			`func (r ruleSet) MatchesRequest(req *http.Request) middlewareapi.AuthorizationPolicy {`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`for _, rule := range r.rules {`
WIP 2022-06-03 12:41:30 +01:00			`if policy := rule.matches(req); policy != middlewareapi.OmittedPolicy {`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`// The rule applies to this request, return its policy`
			`return policy`
			`}`
			`}`
			`// No rules matched`
WIP 2022-06-03 12:41:30 +01:00			`return middlewareapi.OmittedPolicy`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`}`

Fixup Add request authorization ruleset 2022-04-19 10:04:52 +01:00			`func NewRuleSet(requestRules []options.AuthorizationRule, getClientIPFunc func(*http.Request) net.IP) (RuleSet, error) {`
Add request authorization ruleset 2020-07-19 09:37:06 +01:00			`rules := []rule{}`
			`for _, requestRule := range requestRules {`
			`r, err := newRule(requestRule, getClientIPFunc)`
			`if err != nil {`
			`return nil, err`
			`}`
			`rules = append(rules, r)`
			`}`
			`return ruleSet{`
			`rules: rules,`
			`}, nil`
			`}`