mirror of https://github.com/processone/ejabberd.git synced 2024-11-24 16:23:40 +01:00

acl: ACLName rule should match if any part of ACLName matches

Paweł Chmielowski 2016-06-24 15:09:51 +02:00
parent 94461948db
commit f56cff925c
2 changed files with 15 additions and 1 deletions


@ -371,6 +371,16 @@ all_acl_rules_matches2([Rule | Tail], Data, Host) ->
all_acl_rules_matches2([], _Data, _Host) -> all_acl_rules_matches2([], _Data, _Host) ->
true. true.
any_acl_rules_matches([], _Data, _Host) ->
false;
any_acl_rules_matches([Rule|Tail], Data, Host) ->
case acl_rule_matches(Rule, Data, Host) of
true ->
true;
false ->
any_acl_rules_matches(Tail, Data, Host)
end.
-spec acl_rule_matches(aclspec(), any(), global|binary()) -> boolean(). -spec acl_rule_matches(aclspec(), any(), global|binary()) -> boolean().
acl_rule_matches(all, _Data, _Host) -> acl_rule_matches(all, _Data, _Host) ->
@ -380,7 +390,7 @@ acl_rule_matches({acl, all}, _Data, _Host) ->
acl_rule_matches({acl, Name}, Data, Host) -> acl_rule_matches({acl, Name}, Data, Host) ->
ACLs = get_aclspecs(Name, Host), ACLs = get_aclspecs(Name, Host),
RawACLs = lists:map(fun(#acl{aclspec = R}) -> R end, ACLs), RawACLs = lists:map(fun(#acl{aclspec = R}) -> R end, ACLs),
all_acl_rules_matches(RawACLs, Data, Host); any_acl_rules_matches(RawACLs, Data, Host);
acl_rule_matches({ip, {Net, Mask}}, #{ip := {IP, _Port}}, _Host) -> acl_rule_matches({ip, {Net, Mask}}, #{ip := {IP, _Port}}, _Host) ->
is_ip_match(IP, Net, Mask); is_ip_match(IP, Net, Mask);
acl_rule_matches({ip, {Net, Mask}}, #{ip := IP}, _Host) -> acl_rule_matches({ip, {Net, Mask}}, #{ip := IP}, _Host) ->
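Review bot: The new `any_acl_rules_matches/3` changes what `{acl, Name}` authorizes, from every spec under the name matching to any one of them matching, yet it is added without a `-spec` or a comment, unlike `acl_rule_matches/3` directly below it. I would put `-spec any_acl_rules_matches([aclspec()], any(), global|binary()) -> boolean().` above it, together with `%% An ACL name matches when at least one of its specs matches; a name with no specs matches nothing.` The `[] -> false` base clause is what keeps a name without entries from matching, so the comment should state it. Configurations that listed several specs under one name expecting all of them to be required will now match more broadly, which probably deserves an upgrade note. The `{acl, Name}` clause belongs to `acl_rule_matches/3`, whose other clauses lie outside the hunk.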


@ -36,13 +36,17 @@ defmodule ACLTest do
test "access rule match with user part ACL" do test "access rule match with user part ACL" do
:acl.add(:global, :basic_acl_1, {:user, "test1"}) :acl.add(:global, :basic_acl_1, {:user, "test1"})
:acl.add(:global, :basic_acl_1, {:user, "test2"})
:acl.add_access(:global, :basic_rule_1, [{:allow, [{:acl, :basic_acl_1}]}]) :acl.add_access(:global, :basic_rule_1, [{:allow, [{:acl, :basic_acl_1}]}])
# JID can only be passes as jid record. # JID can only be passes as jid record.
# => TODO: Support passing JID as binary. # => TODO: Support passing JID as binary.
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain1")) == :allow assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain1")) == :allow
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain2")) == :allow assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain2")) == :allow
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test2@domain1")) == :allow
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test2@domain2")) == :allow
# We match on user part only for local domain. As an implicit rule remote domain are not matched # We match on user part only for local domain. As an implicit rule remote domain are not matched
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@otherdomain")) == :deny assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@otherdomain")) == :deny
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test2@otherdomain")) == :deny
assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test11@domain1")) == :deny assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test11@domain1")) == :deny
:acl.add(:global, :basic_acl_2, {:user, {"test2", "domain1"}}) :acl.add(:global, :basic_acl_2, {:user, {"test2", "domain1"}})
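Review bot: The added assertions cover two `{:user, ...}` entries under `:basic_acl_1`, but nothing pins the deny side of the new any-match behaviour for an ACL name that has no entries. I would add a case with constructed names, for example `:acl.add_access(:global, :empty_acl_rule, [{:allow, [{:acl, :no_such_acl}]}])` followed by `assert :acl.match_rule(:global, :empty_acl_rule, :jid.from_string("test1@domain1")) == :deny`. This assumes an unknown name yields an empty spec list and the rule then falls through to deny, which should be confirmed against `acl.erl`. The `test ... do` block starts inside the hunk and continues past its end.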