From 228328c43a6fbdfb2263a6dfccc688c3c416a5dc Mon Sep 17 00:00:00 2001
From: TekmonksGitHub
Date: Fri, 21 Jun 2024 11:17:02 +0900
Subject: [PATCH] Fix permission mapping in the UI framework to better handle REs.
---
 frontend/framework/js/loadbalancer.mjs | 12 ++++++++++++
 frontend/framework/js/router.mjs | 13 +++++++------
 frontend/framework/js/securityguard.mjs | 12 +++++-------
 3 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/frontend/framework/js/loadbalancer.mjs b/frontend/framework/js/loadbalancer.mjs
index 3d33c22..70e37c6 100644
--- a/frontend/framework/js/loadbalancer.mjs
+++ b/frontend/framework/js/loadbalancer.mjs
@@ -41,6 +41,18 @@ function createLoadbalancer(lbconf) {
 const testURL = _getReplacedURL(hostThis, parsedURL);
 if (testURL == urlToMatch) return urlThis;
 }
+ },
+
+ getAllBalancedCombinationURLs: function(urlIn) {
+ const balancedCombinations = [];
+ for (const hostThis of this.BACKENDCONF.endpoints) {
+ const urlHostMatchingRE = new RegExp("([A-Za-z0-9]+://)([A-Za-z0-9.]+)([:0-9]+)?(.*)");
+ const parsedURLPieces = urlIn.match(urlHostMatchingRE);
+ if (!parsedURLPieces) continue; // skip bad URLs
+ const replacedURL = [parsedURLPieces[1], hostThis, ...parsedURLPieces.slice(3)].join("");
+ balancedCombinations.push(replacedURL);
+ }
+ return balancedCombinations;
 }
 }
 }
diff --git a/frontend/framework/js/router.mjs b/frontend/framework/js/router.mjs
index 98dcde2..3a54f6d 100644
--- a/frontend/framework/js/router.mjs
+++ b/frontend/framework/js/router.mjs
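Review bot: In `getAllBalancedCombinationURLs` (loadbalancer.mjs hunk) the host group `([A-Za-z0-9.]+)` does not allow a hyphen, so for a constructed example like `https://my-app.example.com/x` the match stops after `my` and the remainder of the hostname is glued behind the substituted endpoint, yielding a URL for a different host. These strings are then used by `router.doURLsMatch` for permission matching, so the class should cover valid hostnames, and the pattern can be declared once above the loop since it does not depend on `hostThis`: `const urlHostMatchingRE = /([A-Za-z0-9]+:\/\/)([A-Za-z0-9.-]+)(:[0-9]+)?(.*)/;`. The original port (group 3) is also re-appended after `hostThis`, which would double the port if the configured endpoints carry their own; this cannot be confirmed from the hunk and should be checked against `BACKENDCONF.endpoints`. The enclosing `createLoadbalancer` starts outside the hunk.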
@@ -340,16 +340,17 @@ function getBalancedURL(url) {
 /**
 * Checks if the given URLs match, taking into account LB policies.
- * @param {string} url1 First URL
+ * @param {string} url1OrRE First URL
 * @param {string} url2 Second URL
+ * @param {boolean} url1IsARegularExpression The first URL is a regular expression
 * @returns true if they match, else not
 */
-function doURLsMatch(url1, url2) {
- try {new URL(url1), new URL(url2)} catch (err) {return false;} // bad URL/s
-
+function doURLsMatch(url1OrRE, url2, url1IsARegularExpression) {
+ const _doesThisURLMatchURL1 = (url1RE, url2, useREs) => useREs ? url2.match(new RegExp(url1RE)) : url1RE == url2;
+ if (!loadbalancers.length) return _doesThisURLMatchURL1(url1OrRE, url2, url1IsARegularExpression);
 for (const lb of loadbalancers) {
- const matchingURL = lb.getMatchingURLFrom([url1], url2);
- if (matchingURL) return true;
+ const allPossibleLBURLs = lb.getAllBalancedCombinationURLs(url1OrRE);
+ for (const possibleMatch of allPossibleLBURLs) if (_doesThisURLMatchURL1(possibleMatch, url2, url1IsARegularExpression)) return true;
 }
 return false;
 }
diff --git a/frontend/framework/js/securityguard.mjs b/frontend/framework/js/securityguard.mjs
index fdc66b1..18f161a 100644
--- a/frontend/framework/js/securityguard.mjs
+++ b/frontend/framework/js/securityguard.mjs
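Review bot: `_doesThisURLMatchURL1` in `doURLsMatch` compiles the pattern unanchored (`url2.match(new RegExp(url1RE))`), so in RE mode a URL passes as soon as any part of it matches, which is broader than a permission check should be; the same unanchored `resource.match(regExpObj)` appears in the securityguard.mjs hunk. Anchoring the whole pattern closes this in both places: `useREs ? new RegExp("^(?:" + url1RE + ")$").test(url2) : url1RE == url2`. With the `new URL()` validation removed, a malformed pattern now makes `new RegExp` throw out of `doURLsMatch` instead of returning false, so the construction should be wrapped in a try/catch that returns false. The endpoint that `getAllBalancedCombinationURLs` splices into `url1OrRE` is also not regex-escaped, so its dots match any character in RE mode. The JSDoc for `url1OrRE` still reads "First URL" and should say it may be a regular-expression source.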
@@ -41,14 +41,12 @@ function addPermission(resource, role) {
 }
 function _doesResourceMatchPermissionPath(resource, permissionpath) {
- if (!permissionpath.includes("*")) {
- if (resource == permissionpath) return true; // definitely match else try router for LB URLs
- else return router.doURLsMatch(permissionpath, resource);
- }
+ if (resource == permissionpath) return true; // definitely match else try router for LB URLs
+ else if (router.doURLsMatch(permissionpath, resource)) return true;
- const _shellToJSRegexp = shellRegex => shellRegex.replace(/[.+^${}()/|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
- const jsRegExp = _shellToJSRegexp(permissionpath), regExpObj = new RegExp(jsRegExp);
- return resource.match(regExpObj) ? true : false;
+ // now check via the RE route
+ const regExpObj = new RegExp(permissionpath);
+ return resource.match(regExpObj) ? true : router.doURLsMatch(permissionpath, resource, true);
 }
 export const securityguard = {isAllowed, setAppInterceptor, getAppInterceptor, setPermissionsMap, getPermissionsMap,
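Review bot: `new RegExp(permissionpath)` in `_doesResourceMatchPermissionPath` now runs on every permission entry without the escaping and `*`/`?` translation this commit removes, so existing glob-style entries silently change meaning and an entry that begins with `*` throws a SyntaxError out of the permission check. Literal URL entries are affected as well, because `.` and `?` in them are now metacharacters rather than plain text. If regular expressions are the intended format, the check should fail closed on an invalid pattern, e.g. `let regExpObj; try {regExpObj = new RegExp(permissionpath);} catch (err) {return false;}`. A comment on the function should state that permission paths are JavaScript regular-expression sources and no longer shell globs, so existing permission maps get migrated.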