MEDIUM: acl: remove the ACL_TEST_F_NULL_MATCH flag

This flag was used to force a boolean match even if there was no pattern
to match. It was used only by http_auth() and designed only for this one.
It's easier and cleaner to make the fetch function perform the test and
report the boolean result as a few other functions already do. It simplifies
the acl_exec_cond() logic and will help merging ACLs and patterns.
Willy Tarreau 2012-04-20 18:16:26 +02:00
parent b27c0d35dd
commit 8f7406e9b4
5 changed files with 7 additions and 17 deletions


@ -22,6 +22,7 @@ struct userlist *auth_find_userlist(char *name);
unsigned int auth_resolve_groups(struct userlist *l, char *groups);
void userlist_free(struct userlist *ul);
int acl_match_auth(struct acl_test *test, struct acl_pattern *pattern);
int check_user(struct userlist *ul, unsigned int group_mask, const char *user, const char *pass);
#endif /* _PROTO_AUTH_H */


@ -88,7 +88,6 @@ enum {
ACL_TEST_F_RES_PASS = 1 << 10,/* with SET_RESULT, sets result to PASS (defaults to FAIL) */
ACL_TEST_F_SET_RES_PASS = (ACL_TEST_F_RES_SET|ACL_TEST_F_RES_PASS), /* sets result to PASS */
ACL_TEST_F_SET_RES_FAIL = (ACL_TEST_F_RES_SET), /* sets result to FAIL */
ACL_TEST_F_NULL_MATCH = 1 << 11,/* call expr->kw->match with NULL pattern if expr->patterns is empty */
};
/* ACLs can be evaluated on requests and on responses, and on partial or complete data */


@ -1885,10 +1885,6 @@ int acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, v
break;
acl_res |= expr->kw->match(&test, pattern);
}
if ((test.flags & ACL_TEST_F_NULL_MATCH) &&
LIST_ISEMPTY(&expr->patterns) && eb_is_empty(&expr->pattern_tree))
acl_res |= expr->kw->match(&test, NULL);
}
/*
* OK now acl_res holds the result of this expression


@ -173,12 +173,7 @@ acl_match_auth(struct acl_test *test, struct acl_pattern *pattern)
struct userlist *ul = test->ctx.a[0];
char *user = test->ctx.a[1];
char *pass = test->ctx.a[2];
unsigned int group_mask;
if (pattern)
group_mask = pattern->val.group_mask;
else
group_mask = 0;
unsigned int group_mask = pattern->val.group_mask;
if (check_user(ul, group_mask, user, pass))
return ACL_PAT_PASS;
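Review bot: `acl_match_auth()` now dereferences `pattern` unconditionally in `unsigned int group_mask = pattern->val.group_mask;`, so a non-NULL pattern has become a precondition that nothing on the function states. The matcher also still takes `ul`, `user` and `pass` from `test->ctx.a[0..2]`, while the `acl_fetch_http_auth()` hunk of this commit appears to drop the assignments that fill those slots (judging by that hunk's line counts; the +/- markers are lost in this rendering), and `http_auth_group` stays registered with this matcher. I would add `/* <pattern> must not be NULL; the fetch must have filled test->ctx.a[0..2] */` above the function and confirm the fetch still provides those values. The function begins and ends outside this hunk.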


@ -8005,11 +8005,10 @@ acl_fetch_http_auth(struct proxy *px, struct session *l4, void *l7, int dir,
if (!get_http_auth(l4))
return 0;
test->ctx.a[0] = expr->args->data.usr;
test->ctx.a[1] = l4->txn.auth.user;
test->ctx.a[2] = l4->txn.auth.pass;
test->flags |= ACL_TEST_F_READ_ONLY | ACL_TEST_F_NULL_MATCH;
if (check_user(expr->args->data.usr, 0, l4->txn.auth.user, l4->txn.auth.pass))
test->flags |= ACL_TEST_F_SET_RES_PASS;
else
test->flags |= ACL_TEST_F_SET_RES_FAIL;
return 1;
}
@ -8280,7 +8279,7 @@ static struct acl_kw_list acl_kws = {{ },{
{ "hdr_sub", acl_parse_str, acl_fetch_hdr, acl_match_sub, ACL_USE_L7REQ_VOLATILE, ARG1(0,STR) },
{ "hdr_val", acl_parse_int, acl_fetch_hdr_val, acl_match_int, ACL_USE_L7REQ_VOLATILE, ARG1(0,STR) },
{ "http_auth", acl_parse_nothing, acl_fetch_http_auth, acl_match_auth, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
{ "http_auth", acl_parse_nothing, acl_fetch_http_auth, acl_match_nothing, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
{ "http_auth_group", acl_parse_strcat, acl_fetch_http_auth, acl_match_auth, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
{ "http_first_req", acl_parse_nothing, acl_fetch_http_first_req, acl_match_nothing, ACL_USE_L7REQ_PERMANENT, 0 },
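Review bot: `acl_fetch_http_auth()` remains the fetch function of `http_auth_group` in the keyword table, yet it now decides the result itself for both keywords by calling `check_user()` with a group mask of 0 and setting `ACL_TEST_F_SET_RES_PASS` or `ACL_TEST_F_SET_RES_FAIL`. If `acl_exec_cond()` takes a result set by the fetch as final (that branch is not visible on this page), the group patterns are never matched and any user with valid credentials in the userlist satisfies `http_auth_group` whatever their groups, which is an authorization gap. The boolean shortcut should apply to `http_auth` only; `http_auth_group` needs a fetch that keeps exposing the credentials in `test->ctx.a[0..2]` and leaves the verdict to `acl_match_auth()`, as sketched below with a hypothetical function name. A regression test with a valid user outside the requested group would cover it.

```c
/* … unchanged: acl_fetch_http_auth(), kept for "http_auth" only … */

/* Fetch for "http_auth_group": exposes the userlist and the credentials and
 * sets no result flag, so that acl_match_auth() checks each group pattern.
 * Same return type and parameters as acl_fetch_http_auth().
 */
acl_fetch_http_auth_grp(/* … same parameter list … */)
{
	/* … unchanged: get_http_auth() check and early return … */
	test->ctx.a[0] = expr->args->data.usr;
	test->ctx.a[1] = l4->txn.auth.user;
	test->ctx.a[2] = l4->txn.auth.pass;
	test->flags |= ACL_TEST_F_READ_ONLY;
	return 1;
}

/* … in acl_kws … */
	{ "http_auth_group", acl_parse_strcat, acl_fetch_http_auth_grp, acl_match_auth, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
```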