mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2026-07-14 14:01:34 +00:00
fix: fix domain check in acl service
This commit is contained in:
@@ -1,6 +1,8 @@
|
||||
package service
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"github.com/tinyauthapp/tinyauth/internal/model"
|
||||
@@ -35,27 +37,35 @@ func NewAccessControlsService(i AccessControlServiceInput) *AccessControlsServic
|
||||
}
|
||||
}
|
||||
|
||||
func (service *AccessControlsService) lookupStaticACLs(domain string) *model.App {
|
||||
func (service *AccessControlsService) lookupStaticACLs(domain string) (*model.App, error) {
|
||||
var nameMatch *model.App
|
||||
|
||||
// First try to find a matching app by domain, then fallback to matching by app name (subdomain)
|
||||
for app, config := range service.config.Apps {
|
||||
if config.Config.Domain == domain {
|
||||
service.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
|
||||
return &config
|
||||
match, err := service.checkDomain(domain, config.Config.Domain)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if strings.SplitN(domain, ".", 2)[0] == app {
|
||||
if match {
|
||||
service.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
|
||||
return &config, nil
|
||||
}
|
||||
if strings.HasPrefix(domain, app+".") {
|
||||
service.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
|
||||
nameMatch = &config
|
||||
}
|
||||
}
|
||||
|
||||
return nameMatch
|
||||
return nameMatch, nil
|
||||
}
|
||||
|
||||
func (service *AccessControlsService) GetAccessControls(domain string) (*model.App, error) {
|
||||
// First check in the static config
|
||||
app := service.lookupStaticACLs(domain)
|
||||
app, err := service.lookupStaticACLs(domain)
|
||||
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if app != nil {
|
||||
service.log.App.Debug().Msg("Using static ACLs for app")
|
||||
@@ -70,3 +80,35 @@ func (service *AccessControlsService) GetAccessControls(domain string) (*model.A
|
||||
// no labels
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
func (service *AccessControlsService) checkDomain(check, target string) (bool, error) {
|
||||
// Domains don't have a scheme, so we use a mock one
|
||||
cu, err := url.Parse("tinyauth://" + check)
|
||||
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("failed to parse check domain: %w", err)
|
||||
}
|
||||
|
||||
if cu.Host == "" {
|
||||
return false, fmt.Errorf("check domain is empty")
|
||||
}
|
||||
|
||||
tu, err := url.Parse("tinyauth://" + target)
|
||||
|
||||
if err != nil {
|
||||
return false, fmt.Errorf("failed to parse target domain: %w", err)
|
||||
}
|
||||
|
||||
if tu.Host == "" {
|
||||
return false, fmt.Errorf("target domain is empty")
|
||||
}
|
||||
|
||||
// non-dns check url
|
||||
ndcu := strings.TrimSuffix(cu.Hostname(), ".")
|
||||
|
||||
// non-dns target url
|
||||
ndtu := strings.TrimSuffix(tu.Hostname(), ".")
|
||||
|
||||
// Strip out the port
|
||||
return strings.EqualFold(ndcu, ndtu), nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user