Fix permission mapping in the UI framework to better handle REs.

TekMonksGitHub · Jun 21, 2024 · 228328c · 228328c
1 parent a511785
commit 228328c
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 13 deletions.
diff --git a/frontend/framework/js/loadbalancer.mjs b/frontend/framework/js/loadbalancer.mjs
@@ -41,6 +41,18 @@ function createLoadbalancer(lbconf) {
                 const testURL = _getReplacedURL(hostThis, parsedURL);
                 if (testURL == urlToMatch) return urlThis;
             }
+        },
+
+        getAllBalancedCombinationURLs: function(urlIn) {
+            const balancedCombinations = [];
+            for (const hostThis of this.BACKENDCONF.endpoints) {
+                const urlHostMatchingRE = new RegExp("([A-Za-z0-9]+://)([A-Za-z0-9.]+)([:0-9]+)?(.*)");
+                const parsedURLPieces = urlIn.match(urlHostMatchingRE);
+                if (!parsedURLPieces) continue; // skip bad URLs
+                const replacedURL = [parsedURLPieces[1], hostThis, ...parsedURLPieces.slice(3)].join("");
+                balancedCombinations.push(replacedURL);
+            }
+            return balancedCombinations;
         }
     }
 }

diff --git a/frontend/framework/js/router.mjs b/frontend/framework/js/router.mjs
@@ -340,16 +340,17 @@ function getBalancedURL(url) {
 
 /**
  * Checks if the given URLs match, taking into account LB policies.
- * @param {string} url1 First URL
+ * @param {string} url1OrRE First URL
  * @param {string} url2 Second URL
+ * @param {boolean} url1IsARegularExpression The first URL is a regular expression
  * @returns true if they match, else not
  */
-function doURLsMatch(url1, url2) {
-	try {new URL(url1), new URL(url2)} catch (err) {return false;}	// bad URL/s
-
+function doURLsMatch(url1OrRE, url2, url1IsARegularExpression) {	
+	const _doesThisURLMatchURL1 = (url1RE, url2, useREs) => useREs ? url2.match(new RegExp(url1RE)) : url1RE == url2;
+	if (!loadbalancers.length) return _doesThisURLMatchURL1(url1OrRE, url2, url1IsARegularExpression);
 	for (const lb of loadbalancers) {
-		const matchingURL = lb.getMatchingURLFrom([url1], url2);
-		if (matchingURL) return true;
+		const allPossibleLBURLs = lb.getAllBalancedCombinationURLs(url1OrRE);
+		for (const possibleMatch of allPossibleLBURLs) if (_doesThisURLMatchURL1(possibleMatch, url2, url1IsARegularExpression)) return true;
 	}
 	return false;
 }

diff --git a/frontend/framework/js/securityguard.mjs b/frontend/framework/js/securityguard.mjs
@@ -41,14 +41,12 @@ function addPermission(resource, role) {
 }
 
 function _doesResourceMatchPermissionPath(resource, permissionpath) {
-    if (!permissionpath.includes("*")) {
-        if (resource == permissionpath) return true;    // definitely match else try router for LB URLs
-        else return router.doURLsMatch(permissionpath, resource);   
-    }
+    if (resource == permissionpath) return true;    // definitely match else try router for LB URLs
+    else if (router.doURLsMatch(permissionpath, resource)) return true;
 
-    const _shellToJSRegexp =  shellRegex => shellRegex.replace(/[.+^${}()/|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
-    const jsRegExp = _shellToJSRegexp(permissionpath), regExpObj = new RegExp(jsRegExp);  
-    return resource.match(regExpObj) ? true : false;
+    // now check via the RE route
+    const regExpObj = new RegExp(permissionpath);  
+    return resource.match(regExpObj) ? true : router.doURLsMatch(permissionpath, resource, true);
 }
 
 export const securityguard = {isAllowed, setAppInterceptor, getAppInterceptor, setPermissionsMap, getPermissionsMap,