public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fixup Add request authorization ruleset

This commit is contained in:
Joel Speed 2022-04-19 10:04:52 +01:00
parent d31b135cc6
commit 5b31cde578
No known key found for this signature in database
GPG Key ID: 6E80578D6751DEFB
3 changed files with 54 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/apis/options/alpha_options.go
View File

@ -9,6 +9,11 @@ package options
// They may change between releases without notice. // They may change between releases without notice.
// ::: // :::
type AlphaOptions struct { type AlphaOptions struct {
// Authorization is used to configure authorization checks.
// Rules can be configured for HTTP requests to allow or deny requests,
// or to delegate the authorization to session based authorization.
Authorization Authorization `json:"authorization,omitempty"`
// UpstreamConfig is used to configure upstream servers. // UpstreamConfig is used to configure upstream servers.
// Once a user is authenticated, requests to the server will be proxied to // Once a user is authenticated, requests to the server will be proxied to
// these upstream servers based on the path mappings defined in this list. // these upstream servers based on the path mappings defined in this list.

48
pkg/apis/options/authorization.go
View File

@ -1,17 +1,53 @@
package options package options
// AuthorizationPolicy is an enumeration of different authorization rule
// policies. Each policy determines a different action for a matching rule.
type AuthorizationPolicy string type AuthorizationPolicy string
const ( const (
// AllowPolicy when used, with a matching authorization rule, allows the
// request without further authorization.
AllowPolicy AuthorizationPolicy = "Allow" AllowPolicy AuthorizationPolicy = "Allow"
// DelegatePolicy when used, with a matching authorization rule, delegates
// the authorization to the session based authorization.
// This can only be used with request based authorization rules.
DelegatePolicy AuthorizationPolicy = "Delegate"
// DenyPolicy when used, with a matching authorization rule, denies the
// request without further authorization.
DenyPolicy AuthorizationPolicy = "Deny" DenyPolicy AuthorizationPolicy = "Deny"
) )
type AuthorizationRule struct { // Authorization contains fields to allow configuration of request authorization.
Policy AuthorizationPolicy type Authorization struct {
Path string // RequestRules determines a set of rules for which each request to the proxy
Methods []string // should be matched against.
IPs []string // If any rule matches the request, the policy for the rule is applied to the
// request.
RequestRules []AuthorizationRule `json:"requestRules,omitempty"`
} }
type RequestRules []AuthorizationRule // AuthorizationRule determines the configuration for a particular authorization
// rule.
type AuthorizationRule struct {
// Policy is the authorization policy to apply should the rule match the given
// request.
// All conditions specified within the rule must match the request for the
// policy to be applied.
// Valid values are Allow, Deny and Delegate.
Policy AuthorizationPolicy
// Path is a regex string that expects to match the HTTP request path.
Path string
// Methods is a list of HTTP methods to match against the HTTP request method.
// If any method in the list matches the request method, this rule is
// considered to match.
Methods []string
// IPs is a list of IP or network addresses (in CIDR notation) with which to
// match the request client IP address.
IPs []string
}

9
pkg/authorization/rules.go
View File

@ -12,11 +12,12 @@ type AuthorizationPolicy int
const ( const (
NonePolicy AuthorizationPolicy = iota NonePolicy AuthorizationPolicy = iota
AllowPolicy AllowPolicy
DelegatePolicy
DenyPolicy DenyPolicy
) )
type RuleSet interface { type RuleSet interface {
Matches(req *http.Request) AuthorizationPolicy MatchesRequest(req *http.Request) AuthorizationPolicy
} }
type rule struct { type rule struct {
@ -63,6 +64,8 @@ func newRule(authRule options.AuthorizationRule, getClientIPFunc func(*http.Requ
switch authRule.Policy { switch authRule.Policy {
case options.AllowPolicy: case options.AllowPolicy:
policy = AllowPolicy policy = AllowPolicy
case options.DelegatePolicy:
policy = DelegatePolicy
case options.DenyPolicy: case options.DenyPolicy:
policy = DenyPolicy policy = DenyPolicy
default: default:
@ -80,7 +83,7 @@ type ruleSet struct {
rules []rule rules []rule
} }
func (r ruleSet) Matches(req *http.Request) AuthorizationPolicy { func (r ruleSet) MatchesRequest(req *http.Request) AuthorizationPolicy {
for _, rule := range r.rules { for _, rule := range r.rules {
if policy := rule.matches(req); policy != NonePolicy { if policy := rule.matches(req); policy != NonePolicy {
// The rule applies to this request, return its policy // The rule applies to this request, return its policy
@ -91,7 +94,7 @@ func (r ruleSet) Matches(req *http.Request) AuthorizationPolicy {
return NonePolicy return NonePolicy
} }
func NewRuleSet(requestRules options.RequestRules, getClientIPFunc func(*http.Request) net.IP) (RuleSet, error) { func NewRuleSet(requestRules []options.AuthorizationRule, getClientIPFunc func(*http.Request) net.IP) (RuleSet, error) {
rules := []rule{} rules := []rule{}
for _, requestRule := range requestRules { for _, requestRule := range requestRules {
r, err := newRule(requestRule, getClientIPFunc) r, err := newRule(requestRule, getClientIPFunc)