// Copyright 2022 Paul Greenberg [email protected]
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package security
import (
"github.com/caddyserver/caddy/v2"
"github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
"github.com/greenpau/go-authcrunch/pkg/acl"
"github.com/greenpau/go-authcrunch/pkg/authz"
cfgutil "github.com/greenpau/go-authcrunch/pkg/util/cfg"
"strings"
)
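// parseCaddyfileAuthorizationACL parses one "acl" subdirective of an
// authorization policy and appends the resulting rule to p.AccessListRules.
//
// args[0] selects the form:
//
//	acl rule { ... }    a block whose lines are "comment ...", "allow ..."/"deny ..."
//	                    or anything else (recorded verbatim as a condition); each
//	                    line is encoded with cfgutil.EncodeArgs into an
//	                    acl.RuleConfiguration
//	acl default allow   a catch-all rule with the single condition "match any"
//	acl default deny
//
// Rules are appended in the order they appear; how that order is evaluated is
// decided by the ACL engine, not here. rootDirective is used only in error
// messages. repl is accepted for signature compatibility and is not consulted.
//
// Returns a dispenser error when the directive has no value or too many values,
// when a rule block sets allow/deny more than once, when a "default" rule names
// an action other than allow or deny, or when the form is unknown.
func parseCaddyfileAuthorizationACL(h *caddyfile.Dispenser, repl *caddy.Replacer, p *authz.PolicyConfig, rootDirective string, args []string) error {
	if len(args) == 0 {
		return h.Errf("%s directive has no value", rootDirective)
	}

	switch args[0] {
	case "rule":
		if len(args) > 1 {
			return h.Errf("%s directive %q is too long", rootDirective, strings.Join(args, " "))
		}
		rule := &acl.RuleConfiguration{}
		for subNesting := h.Nesting(); h.NextBlock(subNesting); {
			k := h.Val()
			rargs := h.RemainingArgs()
			if len(rargs) == 0 {
				return h.Errf("%s %s directive %v has no values", rootDirective, args[0], k)
			}
			// Keep the keyword as the first token so the encoded line carries it
			// ("comment ...", "allow ...", "match ...").
			rargs = append([]string{k}, rargs...)
			switch k {
			case "comment":
				rule.Comment = cfgutil.EncodeArgs(rargs)
			case "allow", "deny":
				// A second action line would silently replace the first and change
				// the effective policy; reject it so the misconfiguration is visible
				// at load time instead of at request time.
				if rule.Action != "" {
					return h.Errf("%s %s directive %v conflicts with an earlier action %q", rootDirective, args[0], k, rule.Action)
				}
				rule.Action = cfgutil.EncodeArgs(rargs)
			default:
				// Every other keyword is a condition line, stored as encoded.
				rule.Conditions = append(rule.Conditions, cfgutil.EncodeArgs(rargs))
			}
		}
		// NOTE(review): a block with no action or no conditions is accepted here;
		// presumably the acl package validates the rule later — confirm.
		p.AccessListRules = append(p.AccessListRules, rule)
	case "default":
		// Report the short and long cases separately so the message matches the
		// actual mistake (the old combined check called a missing value "too long").
		if len(args) < 2 {
			return h.Errf("%s directive %q has no value", rootDirective, strings.Join(args, " "))
		}
		if len(args) > 2 {
			return h.Errf("%s directive %q is too long", rootDirective, strings.Join(args, " "))
		}
		switch args[1] {
		case "allow", "deny":
		default:
			return h.Errf("%s directive %q must have either allow or deny", rootDirective, strings.Join(args, " "))
		}
		p.AccessListRules = append(p.AccessListRules, &acl.RuleConfiguration{
			Conditions: []string{"match any"},
			Action:     args[1],
		})
	default:
		return h.Errf("%s directive value of %q is unsupported", rootDirective, strings.Join(args, " "))
	}
	return nil
}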