From 8f7406e9b4025013e73cc63eb5c952a5cbc4c907 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 20 Apr 2012 18:16:26 +0200 Subject: [PATCH] MEDIUM: acl: remove the ACL_TEST_F_NULL_MATCH flag This flag was used to force a boolean match even if there was no pattern to match. It was used only by http_auth() and designed only for this one. It's easier and cleaner to make the fetch function perform the test and report the boolean result as a few other functions already do. It simplifies the acl_exec_cond() logic and will help merging ACLs and patterns.
---
 include/proto/auth.h | 1 + include/types/acl.h | 1 - src/acl.c | 4 ---- src/auth.c | 7 +------ src/proto_http.c | 11 +++++------ 5 files changed, 7 insertions(+), 17 deletions(-)
diff --git a/include/proto/auth.h b/include/proto/auth.h
index 8c060b517e..c7b2abce85 100644
--- a/include/proto/auth.h
+++ b/include/proto/auth.h
@@ -22,6 +22,7 @@ struct userlist *auth_find_userlist(char *name);
 unsigned int auth_resolve_groups(struct userlist *l, char *groups);
 void userlist_free(struct userlist *ul);
 int acl_match_auth(struct acl_test *test, struct acl_pattern *pattern);
+int check_user(struct userlist *ul, unsigned int group_mask, const char *user, const char *pass);
 #endif /* _PROTO_AUTH_H */
diff --git a/include/types/acl.h b/include/types/acl.h
index 748180c9e4..4d79ee7700 100644
--- a/include/types/acl.h
+++ b/include/types/acl.h
@@ -88,7 +88,6 @@ enum {
 ACL_TEST_F_RES_PASS = 1 << 10,/* with SET_RESULT, sets result to PASS (defaults to FAIL) */
 ACL_TEST_F_SET_RES_PASS = (ACL_TEST_F_RES_SET|ACL_TEST_F_RES_PASS), /* sets result to PASS */
 ACL_TEST_F_SET_RES_FAIL = (ACL_TEST_F_RES_SET), /* sets result to FAIL */
- ACL_TEST_F_NULL_MATCH = 1 << 11,/* call expr->kw->match with NULL pattern if expr->patterns is empty */
 };
 /* ACLs can be evaluated on requests and on responses, and on partial or complete data */
diff --git a/src/acl.c b/src/acl.c
index 025e4780a8..673ca03a42 100644
--- a/src/acl.c
+++ b/src/acl.c
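Review bot: The new `check_user()` prototype in include/proto/auth.h is exported without any statement of its return convention or of what a `group_mask` of 0 means, and both callers in this patch rely on those two facts for an authentication decision. From the call sites visible here, a non-zero return is treated as success and 0 is passed as the mask for the plain `http_auth` check, which suggests 0 means no group restriction; that should be confirmed against the definition in src/auth.c, which is not part of this diff. I would add above the prototype something like `/* returns non-zero if <user>/<pass> is valid in <ul> and matches <group_mask> (0 = any group), otherwise 0 */`.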
@@ -1885,10 +1885,6 @@ int acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, v
 break;
 acl_res |= expr->kw->match(&test, pattern);
 }
-
- if ((test.flags & ACL_TEST_F_NULL_MATCH) &&
- LIST_ISEMPTY(&expr->patterns) && eb_is_empty(&expr->pattern_tree))
- acl_res |= expr->kw->match(&test, NULL);
 }
 /*
 * OK now acl_res holds the result of this expression
diff --git a/src/auth.c b/src/auth.c
index fd4e063ec6..b650a45127 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -173,12 +173,7 @@ acl_match_auth(struct acl_test *test, struct acl_pattern *pattern)
 struct userlist *ul = test->ctx.a[0];
 char *user = test->ctx.a[1];
 char *pass = test->ctx.a[2];
- unsigned int group_mask;
-
- if (pattern)
- group_mask = pattern->val.group_mask;
- else
- group_mask = 0;
+ unsigned int group_mask = pattern->val.group_mask;
 if (check_user(ul, group_mask, user, pass))
 return ACL_PAT_PASS;
diff --git a/src/proto_http.c b/src/proto_http.c
index f099913ad9..82aa241727 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -8005,11 +8005,10 @@ acl_fetch_http_auth(struct proxy *px, struct session *l4, void *l7, int dir,
 if (!get_http_auth(l4))
 return 0;
- test->ctx.a[0] = expr->args->data.usr;
- test->ctx.a[1] = l4->txn.auth.user;
- test->ctx.a[2] = l4->txn.auth.pass;
-
- test->flags |= ACL_TEST_F_READ_ONLY | ACL_TEST_F_NULL_MATCH;
+ if (check_user(expr->args->data.usr, 0, l4->txn.auth.user, l4->txn.auth.pass))
+ test->flags |= ACL_TEST_F_SET_RES_PASS;
+ else
+ test->flags |= ACL_TEST_F_SET_RES_FAIL;
 return 1;
 }
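Review bot: In the src/auth.c hunk, `acl_match_auth()` now reads `pattern->val.group_mask` with no NULL check, so the function carries an unstated precondition that every caller passes a pattern. It is still exported through include/proto/auth.h and still listed as the match function for `http_auth_group` in the keyword table, so the precondition should at least be written down, e.g. `/* <pattern> must not be NULL */` above the function. If a guard is preferred, it should fail closed rather than restore the old mask-0 fallback: keep the bare declaration `unsigned int group_mask;` and add `if (!pattern) return ACL_PAT_FAIL;` before the read. The function's body starts and ends outside the hunk.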
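Review bot: `http_auth_group` still pairs `acl_fetch_http_auth` with `acl_match_auth` (see the keyword-table hunk that follows in src/proto_http.c), but after this hunk the fetch no longer fills `test->ctx.a[0..2]`, which `acl_match_auth` in the src/auth.c hunk still reads as userlist, user and password. The fetch also now sets `ACL_TEST_F_SET_RES_PASS` from a `check_user()` call with group mask 0; if `acl_exec_cond()` takes a result set by the fetch in place of running the match function (that part is not visible in this diff), `http_auth_group` would pass for any valid user of the userlist regardless of group. I would give `http_auth_group` its own fetch that keeps the old context hand-off and sets no result flag, and point its table entry at it. The parameter list of `acl_fetch_http_auth` is cut off in the hunk header, so the last two parameters below are taken from the body's use of `expr` and `test`, and the function body starts outside the hunk.

```c
/* fetch for http_auth_group: the group decision is left to acl_match_auth(),
 * which reads the userlist and the credentials from test->ctx.a[].
 */
static int
acl_fetch_http_auth_grp(struct proxy *px, struct session *l4, void *l7, int dir,
                        struct acl_expr *expr, struct acl_test *test)
{
	/* … unchanged: same checks as acl_fetch_http_auth before get_http_auth() … */
	if (!get_http_auth(l4))
		return 0;

	test->ctx.a[0] = expr->args->data.usr;
	test->ctx.a[1] = l4->txn.auth.user;
	test->ctx.a[2] = l4->txn.auth.pass;

	test->flags |= ACL_TEST_F_READ_ONLY;
	return 1;
}

/* … unchanged: other acl_kws entries … */
	{ "http_auth_group", acl_parse_strcat, acl_fetch_http_auth_grp, acl_match_auth, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
```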
@@ -8280,7 +8279,7 @@ static struct acl_kw_list acl_kws = {{ },{
 { "hdr_sub", acl_parse_str, acl_fetch_hdr, acl_match_sub, ACL_USE_L7REQ_VOLATILE, ARG1(0,STR) },
 { "hdr_val", acl_parse_int, acl_fetch_hdr_val, acl_match_int, ACL_USE_L7REQ_VOLATILE, ARG1(0,STR) },
- { "http_auth", acl_parse_nothing, acl_fetch_http_auth, acl_match_auth, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
+ { "http_auth", acl_parse_nothing, acl_fetch_http_auth, acl_match_nothing, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
 { "http_auth_group", acl_parse_strcat, acl_fetch_http_auth, acl_match_auth, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
 { "http_first_req", acl_parse_nothing, acl_fetch_http_first_req, acl_match_nothing, ACL_USE_L7REQ_PERMANENT, 0 },