Honor the "deny" part of "foobar deny ACL" options - Temporary patch

When AuthenticateAcl() and aclMatchExternal() were converted to use extended
authentication ACL states (r11644 and r11645 dated 2011-08-14), the result of
those function calls was set as the current checklist answer.  This was
incorrect because those functions do not make allow/deny decisions. They only
tell us whether the ACL part of the allow/deny rule matches. If there is a
match, the ACCESS_ALLOWED/ACCESS_DENIED answer depends on whether it is an
allow or deny rule.

For example, "http_access deny BadGuys" should deny access when the BadGuys
ACL matches, but it was allowing access instead.

diff --git a/src/auth/AclMaxUserIp.cc b/src/auth/AclMaxUserIp.cc
index 1aa9155357268213dee3cfdebac46da9b2122918..8498adbdc452196967637786a4d4af6955a19d9f 100644 (file)
--- a/src/auth/AclMaxUserIp.cc
+++ b/src/auth/AclMaxUserIp.cc
@@ -151,7 +151,13 @@ ACLMaxUserIP::match(ACLChecklist *cl)
 {
     ACLFilledChecklist *checklist = Filled(cl);
     allow_t answer = AuthenticateAcl(checklist);
-    checklist->currentAnswer(answer);
+    if (answer != ACCESS_DENIED && answer != ACCESS_ALLOWED) {
+        // If the answer is not allowed or denied (matches/not matches), requires 
+        // authentication (ACCESS_AUTH_*) or the authentication is in progress (ACCESS_DUNNO)
+        // so change the state in the related checklist.
+        checklist->currentAnswer(answer);
+    }
+
     int ti;
 
     // convert to tri-state ACL match 1,0,-1

diff --git a/src/auth/AclProxyAuth.cc b/src/auth/AclProxyAuth.cc
index 085e6c4e9c01d3a14bdf4bbce13f2ec1df07a48f..c8834b542b47bf3e2af40f65709a2b316a539f5c 100644 (file)
--- a/src/auth/AclProxyAuth.cc
+++ b/src/auth/AclProxyAuth.cc
@@ -80,7 +80,12 @@ int
 ACLProxyAuth::match(ACLChecklist *checklist)
 {
     allow_t answer = AuthenticateAcl(checklist);
-    checklist->currentAnswer(answer);
+    if (answer != ACCESS_DENIED && answer != ACCESS_ALLOWED) {
+        // If the answer is not allowed or denied (matches/not matches), requires 
+        // authentication (ACCESS_AUTH_*) or the authentication is in progress (ACCESS_DUNNO)
+        // so change the state in the related checklist.
+        checklist->currentAnswer(answer);
+    }
 
     // convert to tri-state ACL match 1,0,-1
     switch (answer) {

diff --git a/src/external_acl.cc b/src/external_acl.cc
index a358895fb9bca01944f531f96074442de8859e12..9d48afeb47ae3bbb6bec5093a4e5929767859a5b 100644 (file)
--- a/src/external_acl.cc
+++ b/src/external_acl.cc
@@ -861,7 +861,12 @@ int
 ACLExternal::match(ACLChecklist *checklist)
 {
     allow_t answer = aclMatchExternal(data, Filled(checklist));
-    checklist->currentAnswer(answer);
+    if (answer != ACCESS_DENIED && answer != ACCESS_ALLOWED) {
+        // If the answer is not allowed or denied (matches/not matches), requires 
+        // authentication (ACCESS_AUTH_*) or the authentication is in progress (ACCESS_DUNNO)
+        // so change the state in the related checklist.
+        checklist->currentAnswer(answer);
+    }
 
     // convert to tri-state ACL match 1,0,-1
     switch (answer) {