Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(configuration): allow rfc4918 http verbs in acl #2988

Merged
merged 7 commits into from Apr 1, 2022
Merged

feat(configuration): allow rfc4918 http verbs in acl #2988

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
45e9ba4
feat(configuration): allow rfc4918 http verbs in acl
james-d-elliott Mar 9, 2022
a8850f9
Merge remote-tracking branch 'origin/master' into feat-rfc2518-verbs
james-d-elliott Mar 16, 2022
f7531b1
docs: update docs
james-d-elliott Mar 16, 2022
50b6700
test: fix test case
james-d-elliott Mar 16, 2022
0238338
fix: yamllint
james-d-elliott Mar 17, 2022
8a5b4b1
Merge remote-tracking branch 'origin/master' into feat-rfc2518-verbs
james-d-elliott Mar 17, 2022
0ed35cf
Merge branch 'master' into feat-rfc2518-verbs
james-d-elliott Apr 1, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
18 changes: 17 additions & 1 deletion api/openapi.yml
View file
Open in desktop
Expand Up @@ -637,7 +637,23 @@ components:
explode: true
schema:
type: string
enum: ["GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"]
enum:
- "GET"
- "HEAD"
- "POST"
- "PUT"
- "PATCH"
- "DELETE"
- "TRACE"
- "CONNECT"
- "OPTIONS"
- "COPY"
- "LOCK"
- "MKCOL"
- "MOVE"
- "PROPFIND"
- "PROPPATCH"
- "UNLOCK"
authParam:
name: auth
in: query
Expand Down
12 changes: 10 additions & 2 deletions docs/configuration/access-control.md
View file
Open in desktop
Expand Up @@ -271,8 +271,16 @@ access_control:
- OPTIONS
```

The valid request methods are: OPTIONS, HEAD, GET, POST, PUT, PATCH, DELETE, TRACE, CONNECT. Additional information
about HTTP request methods can be found on the [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods).
The accepted and valid methods for this configuration option are those specified in well known RFC's. The RFC's and the
relevant methods are listed in this table:

| RFC | Methods | Additional Documentation |
|:--------------------------------------------------------:|:-----------------------------------------------------:|:----------------------------------------------------------------:|
| [RFC7231](https://datatracker.ietf.org/doc/html/rfc7231) | GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE | [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) |
| [RFC5789](https://datatracker.ietf.org/doc/html/rfc5789) | PATCH | [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) |
| [RFC4918](https://datatracker.ietf.org/doc/html/rfc4918) | PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK | |



### networks
<div markdown="1">
Expand Down
4 changes: 2 additions & 2 deletions internal/configuration/validator/access_control.go
View file
Open in desktop
Expand Up @@ -147,8 +147,8 @@ func validateSubjects(rulePosition int, rule schema.ACLRule, validator *schema.S

func validateMethods(rulePosition int, rule schema.ACLRule, validator *schema.StructValidator) {
for _, method := range rule.Methods {
if !utils.IsStringInSliceFold(method, validACLRuleMethods) {
validator.Push(fmt.Errorf(errFmtAccessControlRuleMethodInvalid, ruleDescriptor(rulePosition, rule), method, strings.Join(validACLRuleMethods, "', '")))
if !utils.IsStringInSliceFold(method, validACLHTTPMethodVerbs) {
validator.Push(fmt.Errorf(errFmtAccessControlRuleMethodInvalid, ruleDescriptor(rulePosition, rule), method, strings.Join(validACLHTTPMethodVerbs, "', '")))
}
}
}
2 changes: 1 addition & 1 deletion internal/configuration/validator/access_control_test.go
View file
Open in desktop
Expand Up @@ -152,7 +152,7 @@ func (suite *AccessControl) TestShouldRaiseErrorInvalidMethod() {
suite.Assert().False(suite.validator.HasWarnings())
suite.Require().Len(suite.validator.Errors(), 1)

suite.Assert().EqualError(suite.validator.Errors()[0], "access control: rule #1 (domain 'public.example.com'): 'methods' option 'HOP' is invalid: must be one of 'GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'TRACE', 'CONNECT', 'OPTIONS'")
suite.Assert().EqualError(suite.validator.Errors()[0], "access control: rule #1 (domain 'public.example.com'): 'methods' option 'HOP' is invalid: must be one of 'GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'TRACE', 'CONNECT', 'OPTIONS', 'COPY', 'LOCK', 'MKCOL', 'MOVE', 'PROPFIND', 'PROPPATCH', 'UNLOCK'")
}

func (suite *AccessControl) TestShouldRaiseErrorInvalidResource() {
Expand Down
6 changes: 5 additions & 1 deletion internal/configuration/validator/const.go
View file
Open in desktop
Expand Up @@ -256,7 +256,11 @@ var validLoLevels = []string{"trace", "debug", "info", "warn", "error"}
var validWebauthnConveyancePreferences = []string{string(protocol.PreferNoAttestation), string(protocol.PreferIndirectAttestation), string(protocol.PreferDirectAttestation)}
var validWebauthnUserVerificationRequirement = []string{string(protocol.VerificationDiscouraged), string(protocol.VerificationPreferred), string(protocol.VerificationRequired)}

var validACLRuleMethods = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}
var validRFC7231HTTPMethodVerbs = []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "TRACE", "CONNECT", "OPTIONS"}
var validRFC4918HTTPMethodVerbs = []string{"COPY", "LOCK", "MKCOL", "MOVE", "PROPFIND", "PROPPATCH", "UNLOCK"}

var validACLHTTPMethodVerbs = append(validRFC7231HTTPMethodVerbs, validRFC4918HTTPMethodVerbs...)

var validACLRulePolicies = []string{policyBypass, policyOneFactor, policyTwoFactor, policyDeny}

var validOIDCScopes = []string{oidc.ScopeOpenID, oidc.ScopeEmail, oidc.ScopeProfile, oidc.ScopeGroups, "offline_access"}
Expand Down