Commit 41d6352f authored by Daniel Salzman's avatar Daniel Salzman

acl: add explicit conf parameter to acl_allowed

parent e13f680c
......@@ -97,7 +97,7 @@ bool netrange_match(const struct sockaddr_storage *ss,
return true;
}
bool acl_allowed(conf_val_t *acl, acl_action_t action,
bool acl_allowed(conf_t *conf, conf_val_t *acl, acl_action_t action,
const struct sockaddr_storage *addr,
knot_tsig_key_t *tsig)
{
......@@ -109,7 +109,7 @@ bool acl_allowed(conf_val_t *acl, acl_action_t action,
conf_val_t val;
/* Check if the address matches the current acl address list. */
val = conf_id_get(conf(), C_ACL, C_ADDR, acl);
val = conf_id_get(conf, C_ACL, C_ADDR, acl);
while (val.code == KNOT_EOK) {
struct sockaddr_storage ss, ss_max;
int prefix;
......@@ -135,7 +135,7 @@ bool acl_allowed(conf_val_t *acl, acl_action_t action,
}
/* Check if the key matches the current acl key list. */
conf_val_t key_val = conf_id_get(conf(), C_ACL, C_KEY, acl);
conf_val_t key_val = conf_id_get(conf, C_ACL, C_KEY, acl);
while (key_val.code == KNOT_EOK) {
/* No key provided, but required. */
if (tsig->name == NULL) {
......@@ -151,7 +151,7 @@ bool acl_allowed(conf_val_t *acl, acl_action_t action,
}
/* Compare key algorithms. */
conf_val_t alg_val = conf_id_get(conf(), C_KEY, C_ALG,
conf_val_t alg_val = conf_id_get(conf, C_KEY, C_ALG,
&key_val);
if (conf_opt(&alg_val) != tsig->algorithm) {
conf_val_next(&key_val);
......@@ -168,7 +168,7 @@ bool acl_allowed(conf_val_t *acl, acl_action_t action,
/* Check if the action is allowed. */
if (action != ACL_ACTION_NONE) {
val = conf_id_get(conf(), C_ACL, C_ACTION, acl);
val = conf_id_get(conf, C_ACL, C_ACTION, acl);
while (val.code == KNOT_EOK) {
if (conf_opt(&val) != action) {
conf_val_next(&val);
......@@ -188,14 +188,14 @@ bool acl_allowed(conf_val_t *acl, acl_action_t action,
}
/* Check if denied. */
val = conf_id_get(conf(), C_ACL, C_DENY, acl);
val = conf_id_get(conf, C_ACL, C_DENY, acl);
if (conf_bool(&val)) {
return false;
}
/* Fill the output with tsig secret if provided. */
if (tsig->name != NULL) {
val = conf_id_get(conf(), C_KEY, C_SECRET, &key_val);
val = conf_id_get(conf, C_KEY, C_SECRET, &key_val);
tsig->secret.data = (uint8_t *)conf_bin(&val, &tsig->secret.size);
}
......
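Review bot: The last hunk stores the result of `conf_bin()` into `tsig->secret.data` through a `(uint8_t *)` cast, and with `conf` now supplied by the caller, the lifetime of that TSIG secret pointer depends on whichever configuration was passed in. Presumably `conf_bin()` returns a pointer into the configuration's own storage rather than a copy; if so, a caller that releases or replaces that configuration before it finishes verifying the signature is left holding a dangling pointer to key material. I would add a comment above the assignment, `/* Secret is borrowed from conf; it stays valid only as long as conf does. */`, and confirm that every caller keeps the same `conf` alive for as long as it uses `tsig`. The body of `acl_allowed` begins and ends outside the visible hunks, so any argument validation at the top of the function is not shown here.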
......@@ -71,6 +71,7 @@ bool netrange_match(const struct sockaddr_storage *ss,
* If a proper ACL rule is found and tsig.name is not empty,
* tsig.secret is filled.
*
* \param conf Configuration.
* \param acl Pointer to ACL config multivalued identifier.
* \param action ACL action.
* \param addr IP address.
......@@ -78,7 +79,7 @@ bool netrange_match(const struct sockaddr_storage *ss,
*
* \retval bool if authenticated.
*/
bool acl_allowed(conf_val_t *acl, acl_action_t action,
bool acl_allowed(conf_t *conf, conf_val_t *acl, acl_action_t action,
const struct sockaddr_storage *addr,
knot_tsig_key_t *tsig);
......
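Review bot: The added `\param conf Configuration.` line does not state the one constraint the new parameter introduces: `acl` is an identifier value that was read from some configuration, and the lookups behind this prototype now use whatever `conf` the caller passes. If the two can come from different snapshots (for example across a reload), the access decision would be evaluated against rules that do not belong to `acl`; whether that can happen depends on callers not visible here. I would word it as `\param conf Configuration that \a acl was read from.` so the pairing is part of the documented contract.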
......@@ -261,85 +261,85 @@ static void test_acl_allowed(void)
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
ret = acl_allowed(&acl, ACL_ACTION_NONE, &addr, &key1);
ret = acl_allowed(conf(), &acl, ACL_ACTION_NONE, &addr, &key1);
ok(ret == true, "Address, key, empty action");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
ret = acl_allowed(&acl, ACL_ACTION_TRANSFER, &addr, &key1);
ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key1);
ok(ret == true, "Address, key, action match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET6, "2001::2", 0);
ret = acl_allowed(&acl, ACL_ACTION_TRANSFER, &addr, &key1);
ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key1);
ok(ret == false, "Address not match, key, action match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
ret = acl_allowed(&acl, ACL_ACTION_TRANSFER, &addr, &key0);
ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key0);
ok(ret == false, "Address match, no key, action match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
ret = acl_allowed(&acl, ACL_ACTION_TRANSFER, &addr, &key2);
ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key2);
ok(ret == false, "Address match, key not match, action match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET6, "2001::1", 0);
ret = acl_allowed(&acl, ACL_ACTION_NOTIFY, &addr, &key1);
ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key1);
ok(ret == false, "Address, key match, action not match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET, "240.0.0.1", 0);
ret = acl_allowed(&acl, ACL_ACTION_NOTIFY, &addr, &key0);
ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key0);
ok(ret == true, "Second address match, no key, action match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET, "240.0.0.1", 0);
ret = acl_allowed(&acl, ACL_ACTION_NOTIFY, &addr, &key1);
ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key1);
ok(ret == false, "Second address match, extra key, action match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET, "240.0.0.2", 0);
ret = acl_allowed(&acl, ACL_ACTION_NOTIFY, &addr, &key0);
ret = acl_allowed(conf(), &acl, ACL_ACTION_NOTIFY, &addr, &key0);
ok(ret == false, "Denied address match, no key, action match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET, "240.0.0.2", 0);
ret = acl_allowed(&acl, ACL_ACTION_UPDATE, &addr, &key0);
ret = acl_allowed(conf(), &acl, ACL_ACTION_UPDATE, &addr, &key0);
ok(ret == true, "Denied address match, no key, action not match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET, "240.0.0.3", 0);
ret = acl_allowed(&acl, ACL_ACTION_UPDATE, &addr, &key0);
ret = acl_allowed(conf(), &acl, ACL_ACTION_UPDATE, &addr, &key0);
ok(ret == false, "Denied address match, no key, no action");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET, "1.1.1.1", 0);
ret = acl_allowed(&acl, ACL_ACTION_UPDATE, &addr, &key3);
ret = acl_allowed(conf(), &acl, ACL_ACTION_UPDATE, &addr, &key3);
ok(ret == true, "Arbitrary address, second key, action match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET, "100.0.0.1", 0);
ret = acl_allowed(&acl, ACL_ACTION_TRANSFER, &addr, &key0);
ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key0);
ok(ret == true, "IPv4 address from range, no key, action match");
acl = conf_zone_get(conf(), C_ACL, zone_name);
ok(acl.code == KNOT_EOK, "Get zone ACL");
check_sockaddr_set(&addr, AF_INET6, "::1", 0);
ret = acl_allowed(&acl, ACL_ACTION_TRANSFER, &addr, &key0);
ret = acl_allowed(conf(), &acl, ACL_ACTION_TRANSFER, &addr, &key0);
ok(ret == true, "IPv6 address from range, no key, action match");
conf_free(conf());
......
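Review bot: Every updated call in `test_acl_allowed` passes `conf()`, the same global accessor used on the preceding line to obtain `acl`, so these cases cannot tell whether `acl_allowed` actually honours its new argument or still reads the global configuration somewhere inside. Since this function decides who may transfer, notify or update a zone, it is worth adding one case that passes a configuration object different from the global one and asserts that the result follows the argument. `test_acl_allowed` starts above this hunk, so the fixture that defines the ACL rules and keys is not visible here.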