MEDIUM: acl: remove the ACL_TEST_F_NULL_MATCH flag
This flag was used to force a boolean match even if there was no pattern
to match. It was used only by http_auth() and was designed specifically for it.
It's easier and cleaner to make the fetch function perform the test and
report the boolean result as a few other functions already do. It simplifies
the acl_exec_cond() logic and will help merging ACLs and patterns.
diff --git a/include/proto/auth.h b/include/proto/auth.h
index 8c060b5..c7b2abc 100644
--- a/include/proto/auth.h
+++ b/include/proto/auth.h
@@ -22,6 +22,7 @@
unsigned int auth_resolve_groups(struct userlist *l, char *groups);
void userlist_free(struct userlist *ul);
int acl_match_auth(struct acl_test *test, struct acl_pattern *pattern);
+int check_user(struct userlist *ul, unsigned int group_mask, const char *user, const char *pass);
#endif /* _PROTO_AUTH_H */
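Review bot: `check_user()` becomes part of the exported proto/auth.h interface with this prototype, but nothing documents its contract, and the new caller in src/proto_http.c passes `0` as `group_mask` — presumably meaning "no group restriction", which cannot be confirmed from this diff since the definition in src/auth.c is outside it. A one-line comment above the prototype, along the lines of `/* returns non-zero if <user>/<pass> is valid in <ul> and belongs to <group_mask> (0 = no group check) */`, would pin the semantics that callers now depend on; adjust the wording to whatever the implementation actually does.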
diff --git a/include/types/acl.h b/include/types/acl.h
index 748180c..4d79ee7 100644
--- a/include/types/acl.h
+++ b/include/types/acl.h
@@ -88,7 +88,6 @@
ACL_TEST_F_RES_PASS = 1 << 10,/* with SET_RESULT, sets result to PASS (defaults to FAIL) */
ACL_TEST_F_SET_RES_PASS = (ACL_TEST_F_RES_SET|ACL_TEST_F_RES_PASS), /* sets result to PASS */
ACL_TEST_F_SET_RES_FAIL = (ACL_TEST_F_RES_SET), /* sets result to FAIL */
- ACL_TEST_F_NULL_MATCH = 1 << 11,/* call expr->kw->match with NULL pattern if expr->patterns is empty */
};
/* ACLs can be evaluated on requests and on responses, and on partial or complete data */
diff --git a/src/acl.c b/src/acl.c
index 025e478..673ca03 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -1885,10 +1885,6 @@
break;
acl_res |= expr->kw->match(&test, pattern);
}
-
- if ((test.flags & ACL_TEST_F_NULL_MATCH) &&
- LIST_ISEMPTY(&expr->patterns) && eb_is_empty(&expr->pattern_tree))
- acl_res |= expr->kw->match(&test, NULL);
}
/*
* OK now acl_res holds the result of this expression
diff --git a/src/auth.c b/src/auth.c
index fd4e063..b650a45 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -173,12 +173,7 @@
struct userlist *ul = test->ctx.a[0];
char *user = test->ctx.a[1];
char *pass = test->ctx.a[2];
- unsigned int group_mask;
-
- if (pattern)
- group_mask = pattern->val.group_mask;
- else
- group_mask = 0;
+ unsigned int group_mask = pattern->val.group_mask;
if (check_user(ul, group_mask, user, pass))
return ACL_PAT_PASS;
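Review bot: `acl_match_auth()` now dereferences `pattern` unconditionally in its first lines, which is only safe because the same commit removes the `expr->kw->match(&test, NULL)` fallback from acl_exec_cond() in src/acl.c; nothing in this function records that precondition. Suggest annotating the initializer, e.g. `unsigned int group_mask = pattern->val.group_mask; /* never NULL: acl_exec_cond() only calls match() with a real pattern */`, so a later change does not silently reintroduce a NULL caller. The function's header and tail lie outside the hunk.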
diff --git a/src/proto_http.c b/src/proto_http.c
index f099913..82aa241 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -8005,11 +8005,10 @@
if (!get_http_auth(l4))
return 0;
- test->ctx.a[0] = expr->args->data.usr;
- test->ctx.a[1] = l4->txn.auth.user;
- test->ctx.a[2] = l4->txn.auth.pass;
-
- test->flags |= ACL_TEST_F_READ_ONLY | ACL_TEST_F_NULL_MATCH;
+ if (check_user(expr->args->data.usr, 0, l4->txn.auth.user, l4->txn.auth.pass))
+ test->flags |= ACL_TEST_F_SET_RES_PASS;
+ else
+ test->flags |= ACL_TEST_F_SET_RES_FAIL;
return 1;
}
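Review bot: Dropping the `test->ctx.a[0..2]` assignments from acl_fetch_http_auth() appears to break `http_auth_group`: the keyword table in the second hunk of this file still pairs this same fetch with `acl_match_auth`, and acl_match_auth still reads `test->ctx.a[0]`, `[1]` and `[2]` (src/auth.c hunk), which would now carry stale or uninitialised pointers unless something outside the hunk still fills them — an invalid dereference or a group decision made on the wrong data. Unless that is the case, the fetch should keep publishing the three ctx pointers and `ACL_TEST_F_READ_ONLY` for the pattern-based keyword, and only force the result via `ACL_TEST_F_SET_RES_*` when the expression carries no patterns; a separate fetch for `http_auth_group` would be the cleaner alternative but needs the function signature, which is outside the hunk. The function's head is outside the hunk.

```c
	if (!get_http_auth(l4))
		return 0;

	/* http_auth_group matches the group in acl_match_auth() from these */
	test->ctx.a[0] = expr->args->data.usr;
	test->ctx.a[1] = l4->txn.auth.user;
	test->ctx.a[2] = l4->txn.auth.pass;
	test->flags |= ACL_TEST_F_READ_ONLY;

	/* http_auth has no patterns: decide the boolean result here */
	if (LIST_ISEMPTY(&expr->patterns) && eb_is_empty(&expr->pattern_tree)) {
		if (check_user(expr->args->data.usr, 0, l4->txn.auth.user, l4->txn.auth.pass))
			test->flags |= ACL_TEST_F_SET_RES_PASS;
		else
			test->flags |= ACL_TEST_F_SET_RES_FAIL;
	}
	return 1;
```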
@@ -8280,7 +8279,7 @@
{ "hdr_sub", acl_parse_str, acl_fetch_hdr, acl_match_sub, ACL_USE_L7REQ_VOLATILE, ARG1(0,STR) },
{ "hdr_val", acl_parse_int, acl_fetch_hdr_val, acl_match_int, ACL_USE_L7REQ_VOLATILE, ARG1(0,STR) },
- { "http_auth", acl_parse_nothing, acl_fetch_http_auth, acl_match_auth, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
+ { "http_auth", acl_parse_nothing, acl_fetch_http_auth, acl_match_nothing, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
{ "http_auth_group", acl_parse_strcat, acl_fetch_http_auth, acl_match_auth, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
{ "http_first_req", acl_parse_nothing, acl_fetch_http_first_req, acl_match_nothing, ACL_USE_L7REQ_PERMANENT, 0 },