acl: ACLName rule should match if any part of ACLName matches

2024-11-20 16:15:59 +01:00 · 2016-06-24 15:09:51 +02:00 · 2016-06-24 15:09:51 +02:00 · f56cff925c
commit f56cff925c
parent 94461948db
2 changed files with 15 additions and 1 deletions
--- a/src/acl.erl
+++ b/src/acl.erl
@ -371,6 +371,16 @@ all_acl_rules_matches2([Rule | Tail], Data, Host) ->
 all_acl_rules_matches2([], _Data, _Host) ->
    true.

+any_acl_rules_matches([], _Data, _Host) ->
+    false;
+any_acl_rules_matches([Rule|Tail], Data, Host) ->
+    case acl_rule_matches(Rule, Data, Host) of
+	true ->
+	    true;
+	false ->
+	    any_acl_rules_matches(Tail, Data, Host)
+    end.
+
 -spec acl_rule_matches(aclspec(), any(), global|binary()) -> boolean().

 acl_rule_matches(all, _Data, _Host) ->
@ -380,7 +390,7 @@ acl_rule_matches({acl, all}, _Data, _Host) ->
 acl_rule_matches({acl, Name}, Data, Host) ->
    ACLs = get_aclspecs(Name, Host),
    RawACLs = lists:map(fun(#acl{aclspec = R}) -> R end, ACLs),
-    all_acl_rules_matches(RawACLs, Data, Host);
+    any_acl_rules_matches(RawACLs, Data, Host);
 acl_rule_matches({ip, {Net, Mask}}, #{ip := {IP, _Port}}, _Host) ->
    is_ip_match(IP, Net, Mask);
 acl_rule_matches({ip, {Net, Mask}}, #{ip := IP}, _Host) ->
--- a/test/acl_test.exs
+++ b/test/acl_test.exs
@ -36,13 +36,17 @@ defmodule ACLTest do

  test "access rule match with user part ACL" do
    :acl.add(:global, :basic_acl_1, {:user, "test1"})
+    :acl.add(:global, :basic_acl_1, {:user, "test2"})
    :acl.add_access(:global, :basic_rule_1, [{:allow, [{:acl, :basic_acl_1}]}])
    # JID can only be passes as jid record.
    # => TODO: Support passing JID as binary.
    assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain1")) == :allow
    assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@domain2")) == :allow
+    assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test2@domain1")) == :allow
+    assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test2@domain2")) == :allow
    # We match on user part only for local domain. As an implicit rule remote domain are not matched
    assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test1@otherdomain")) == :deny
+    assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test2@otherdomain")) == :deny
    assert :acl.match_rule(:global, :basic_rule_1, :jid.from_string("test11@domain1")) == :deny

    :acl.add(:global, :basic_acl_2, {:user, {"test2", "domain1"}})