Use regex for permission pattern matching

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <[email protected]>
openfaas · May 14, 2024 · 19d7e56 · 19d7e56
1 parent 8805db3
commit 19d7e56
Showing 1 changed file with 29 additions and 12 deletions.
diff --git a/executor/jwt_authenticator.go b/executor/jwt_authenticator.go
@@ -8,6 +8,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"regexp"
 	"strings"
 	"time"
 
@@ -219,19 +220,9 @@ func isAuthorized(permissions []string, namespace, fn string) bool {
 			return true
 		}
 
-		parts := strings.Split(permission, ":")
-		allowedNamespace := parts[0]
-		allowedFunction := parts[1]
-
-		if namespace != allowedNamespace {
-			continue
-		}
-
-		if allowedFunction != "*" && fn != allowedFunction {
-			continue
+		if matchString(permission, fmt.Sprintf("%s:%s", namespace, fn)) {
+			return true
 		}
-
-		return true
 	}
 
 	return false
@@ -256,3 +247,29 @@ func getPermissions(mapClaims jwt.MapClaims) []string {
 	}
 	return values
 }
+
+func matchString(pattern string, value string) bool {
+	if len(pattern) > 0 {
+		result, _ := regexp.MatchString(wildCardToRegexp(pattern), value)
+		return result
+	}
+
+	return pattern == value
+}
+
+// wildCardToRegexp converts a wildcard pattern to a regular expression pattern.
+func wildCardToRegexp(pattern string) string {
+	var result strings.Builder
+	for i, literal := range strings.Split(pattern, "*") {
+
+		// Replace * with .*
+		if i > 0 {
+			result.WriteString(".*")
+		}
+
+		// Quote any regular expression meta characters in the
+		// literal text.
+		result.WriteString(regexp.QuoteMeta(literal))
+	}
+	return result.String()
+}