Allow testing user pattern directly in access rules
This commit is contained in:
parent
1dbdd58b1b
commit
127342449e
25
src/acl.erl
25
src/acl.erl
|
@ -31,7 +31,7 @@
|
|||
|
||||
-export([start/0, to_record/3, add/3, add_list/3,
|
||||
add_local/3, add_list_local/3, load_from_config/0,
|
||||
match_rule/3, match_acl/3, transform_options/1,
|
||||
match_rule/3, match_access/4, match_acl/3, transform_options/1,
|
||||
opt_type/1]).
|
||||
|
||||
-export([add_access/3, clear/0]).
|
||||
|
@ -255,6 +255,19 @@ normalize_spec(Spec) ->
|
|||
end
|
||||
end.
|
||||
|
||||
-spec match_access(global | binary(), access_name(),
|
||||
jid() | ljid() | inet:ip_address(),
|
||||
atom()) -> any().
|
||||
|
||||
match_access(_Host, all, _JID, _Default) ->
|
||||
allow;
|
||||
match_access(_Host, none, _JID, _Default) ->
|
||||
deny;
|
||||
match_access(_Host, {user, UserPattern}, JID, Default) ->
|
||||
match_user_spec({user, UserPattern}, JID, Default);
|
||||
match_access(Host, AccessRule, JID, _Default) ->
|
||||
match_rule(Host, AccessRule, JID).
|
||||
|
||||
-spec match_rule(global | binary(), access_name(),
|
||||
jid() | ljid() | inet:ip_address()) -> any().
|
||||
|
||||
|
@ -357,6 +370,16 @@ match_acl(ACL, JID, Host) ->
|
|||
get_aclspecs(ACL, Host) ->
|
||||
ets:lookup(acl, {ACL, Host}) ++ ets:lookup(acl, {ACL, global}).
|
||||
|
||||
|
||||
match_user_spec(Spec, JID, Default) ->
|
||||
case do_match_user_spec(Spec, jid:tolower(JID)) of
|
||||
true -> Default;
|
||||
false -> deny
|
||||
end.
|
||||
|
||||
do_match_user_spec({user, {U, S}}, {User, Server, _Resource}) ->
|
||||
U == User andalso S == Server.
|
||||
|
||||
is_regexp_match(String, RegExp) ->
|
||||
case ejabberd_regexp:run(String, RegExp) of
|
||||
nomatch -> false;
|
||||
|
|
|
@ -100,4 +100,29 @@ defmodule ACLTest do
|
|||
assert :acl.match_rule(:global, :mixed_rule_2, {127,0,0,1}) == :allow
|
||||
end
|
||||
|
||||
test "acl:match_access can match directly on user pattern" do
|
||||
pattern = {:user, {"test1", "domain1"}}
|
||||
assert :acl.match_access(:global, pattern, :jid.from_string("test1@domain1"), :allow) == :allow
|
||||
assert :acl.match_access(:global, pattern, :jid.from_string("test2@domain1"), :allow) == :deny
|
||||
end
|
||||
|
||||
## Checking ACL on both user pattern and IP
|
||||
## ========================================
|
||||
|
||||
# Typical example is mod_register
|
||||
|
||||
# Deprecated approach
|
||||
test "module can test both IP and user through two independent :acl.match_rule check (deprecated)" do
|
||||
:acl.add(:global, :user_acl, {:user, {"test1", "domain1"}})
|
||||
:acl.add(:global, :ip_acl, {:ip, "127.0.0.0/24"})
|
||||
:acl.add_access(:global, :user_rule, [{:user_acl, :allow}])
|
||||
:acl.add_access(:global, :ip_rule, [{:ip_acl, :allow}])
|
||||
|
||||
# acl module in 16.03 is not able to provide a function for compound result:
|
||||
assert :acl.match_rule(:global, :user_rule, :jid.from_string("test1@domain1")) == :allow
|
||||
assert :acl.match_rule(:global, :ip_rule, {127,0,0,1}) == :allow
|
||||
assert :acl.match_rule(:global, :user_rule, :jid.from_string("test2@domain1")) == :deny
|
||||
assert :acl.match_rule(:global, :ip_rule, {127,0,1,1}) == :deny
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue