Adjust rule processing

2025-08-16 23:41:11 +02:00 · 2025-02-09 10:50:43 -05:00 · 2025-02-09 10:50:43 -05:00 · 874c67345e
commit 874c67345e
parent 42434ca832
1 changed files with 34 additions and 20 deletions
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@ -151,12 +151,22 @@ export async function verifyResourceSession(
        }

        // check the rules
-        if (
-            resource.applyRules &&
-            (await checkRules(resource.resourceId, clientIp, path))
-        ) {
-            logger.debug("Resource allowed because rules are satisfied");
+        if (resource.applyRules) {
+            const action = await checkRules(
+                resource.resourceId,
+                clientIp,
+                path
+            );
+
+            if (action == "ACCEPT") {
+                logger.debug("Resource allowed by rule");
                return allowed(res);
+            } else if (action == "DROP") {
+                logger.debug("Resource denied by rule");
+                return notAllowed(res);
+            }
+
+            // otherwise its undefined and we pass
        }

        const redirectUrl = `${config.getRawConfig().app.dashboard_url}/auth/resource/${encodeURIComponent(resource.resourceId)}?redirect=${encodeURIComponent(originalRequestURL)}`;
@ -456,7 +466,7 @@ async function checkRules(
    resourceId: number,
    clientIp: string | undefined,
    path: string | undefined
-): Promise<boolean> {
+): Promise<"ACCEPT" | "DROP" | undefined> {
    const ruleCacheKey = `rules:${resourceId}`;

    let rules: ResourceRule[] | undefined = cache.get(ruleCacheKey);
@ -472,33 +482,37 @@ async function checkRules(

    if (rules.length === 0) {
        logger.debug("No rules found for resource", resourceId);
-        return false;
+        return;
    }

    for (const rule of rules) {
-        if (clientIp && rule.match == "IP" && isIpInCidr(clientIp, rule.value)) {
-            return rule.action == "ACCEPT"; 
+        if (
+            clientIp &&
+            rule.match == "IP" &&
+            isIpInCidr(clientIp, rule.value)
+        ) {
+            return rule.action as "ACCEPT" | "DROP";
        } else if (path && rule.match == "PATH") {
            // rule.value is a regex, match on the path and see if it matches
            const re = urlGlobToRegex(rule.value);
            if (re.test(path)) {
-                return rule.action == "ACCEPT";
+                return rule.action as "ACCEPT" | "DROP";
            }
        }
    }

-    return false;
+    return;
 }

 function urlGlobToRegex(pattern: string): RegExp {
    // Remove leading slash if present (we'll add it to the regex pattern)
-    pattern = pattern.startsWith('/') ? pattern.slice(1) : pattern;
+    pattern = pattern.startsWith("/") ? pattern.slice(1) : pattern;

    // Escape special regex characters except *
-    const escapedPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
+    const escapedPattern = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");

    // Replace * with regex pattern for any valid URL segment characters
-    const regexPattern = escapedPattern.replace(/\*/g, '[a-zA-Z0-9_-]+');
+    const regexPattern = escapedPattern.replace(/\*/g, "[a-zA-Z0-9_-]+");

    // Create the final pattern that:
    // 1. Optionally matches leading slash