MEDIUM: acl: remove the ACL_TEST_F_NULL_MATCH flag

This flag was used to force a boolean match even if there was no pattern
to match. It was used only by http_auth() and designed only for this one.
It's easier and cleaner to make the fetch function perform the test and
report the boolean result as a few other functions already do. It simplifies
the acl_exec_cond() logic and will help merging ACLs and patterns.

diff --git a/include/proto/auth.h b/include/proto/auth.h
index 8c060b517e327337616b10b0036f5c5ba00177b7..c7b2abce8521b20b26b2a599c200aaff622eae5b 100644 (file)
--- a/include/proto/auth.h
+++ b/include/proto/auth.h
@@ -22,6 +22,7 @@ struct userlist *auth_find_userlist(char *name);
 unsigned int auth_resolve_groups(struct userlist *l, char *groups);
 void userlist_free(struct userlist *ul);
 int acl_match_auth(struct acl_test *test, struct acl_pattern *pattern);
+int check_user(struct userlist *ul, unsigned int group_mask, const char *user, const char *pass);
 
 #endif /* _PROTO_AUTH_H */
 

diff --git a/include/types/acl.h b/include/types/acl.h
index 748180c9e4705bec2a785785933001d97e8c8842..4d79ee7700297c989bc49c8e26f238151f2f1f1d 100644 (file)
--- a/include/types/acl.h
+++ b/include/types/acl.h
@@ -88,7 +88,6 @@ enum {
        ACL_TEST_F_RES_PASS   = 1 << 10,/* with SET_RESULT, sets result to PASS (defaults to FAIL) */
        ACL_TEST_F_SET_RES_PASS = (ACL_TEST_F_RES_SET|ACL_TEST_F_RES_PASS),  /* sets result to PASS */
        ACL_TEST_F_SET_RES_FAIL = (ACL_TEST_F_RES_SET),                      /* sets result to FAIL */
-       ACL_TEST_F_NULL_MATCH = 1 << 11,/* call expr->kw->match with NULL pattern if expr->patterns is empty */
 };
 
 /* ACLs can be evaluated on requests and on responses, and on partial or complete data */

diff --git a/src/acl.c b/src/acl.c
index 025e4780a857b3149848e0bd7240429f507af5e6..673ca03a42820eff99f7a54ae1f24edcf89aee25 100644 (file)
--- a/src/acl.c
+++ b/src/acl.c
@@ -1885,10 +1885,6 @@ int acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, v
                                                        break;
                                                acl_res |= expr->kw->match(&test, pattern);
                                        }
-
-                                       if ((test.flags & ACL_TEST_F_NULL_MATCH) &&
-                                           LIST_ISEMPTY(&expr->patterns) && eb_is_empty(&expr->pattern_tree))
-                                               acl_res |= expr->kw->match(&test, NULL);
                                }
                                /*
                                 * OK now acl_res holds the result of this expression

diff --git a/src/auth.c b/src/auth.c
index fd4e063ec61fccef866ac7d485c0419ea43c37b9..b650a451270250a5029c0fcb32cb6a5323594a6d 100644 (file)
--- a/src/auth.c
+++ b/src/auth.c
@@ -173,12 +173,7 @@ acl_match_auth(struct acl_test *test, struct acl_pattern *pattern)
        struct userlist *ul = test->ctx.a[0];
        char *user = test->ctx.a[1];
        char *pass = test->ctx.a[2];
-       unsigned int group_mask;
-
-       if (pattern)
-               group_mask = pattern->val.group_mask;
-       else
-               group_mask = 0;
+       unsigned int group_mask = pattern->val.group_mask;
 
        if (check_user(ul, group_mask, user, pass))
                return ACL_PAT_PASS;

diff --git a/src/proto_http.c b/src/proto_http.c
index f099913ad92af4ab61d8a9b9b75877e2582c2517..82aa24172770d2eaa5af5c8708a2b92ef504e199 100644 (file)
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -8005,11 +8005,10 @@ acl_fetch_http_auth(struct proxy *px, struct session *l4, void *l7, int dir,
        if (!get_http_auth(l4))
                return 0;
 
-       test->ctx.a[0] = expr->args->data.usr;
-       test->ctx.a[1] = l4->txn.auth.user;
-       test->ctx.a[2] = l4->txn.auth.pass;
-
-       test->flags |= ACL_TEST_F_READ_ONLY | ACL_TEST_F_NULL_MATCH;
+       if (check_user(expr->args->data.usr, 0, l4->txn.auth.user, l4->txn.auth.pass))
+               test->flags |= ACL_TEST_F_SET_RES_PASS;
+       else
+               test->flags |= ACL_TEST_F_SET_RES_FAIL;
 
        return 1;
 }
@@ -8280,7 +8279,7 @@ static struct acl_kw_list acl_kws = {{ },{
        { "hdr_sub",         acl_parse_str,     acl_fetch_hdr,            acl_match_sub,     ACL_USE_L7REQ_VOLATILE, ARG1(0,STR) },
        { "hdr_val",         acl_parse_int,     acl_fetch_hdr_val,        acl_match_int,     ACL_USE_L7REQ_VOLATILE, ARG1(0,STR) },
 
-       { "http_auth",       acl_parse_nothing, acl_fetch_http_auth,      acl_match_auth,    ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
+       { "http_auth",       acl_parse_nothing, acl_fetch_http_auth,      acl_match_nothing, ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
        { "http_auth_group", acl_parse_strcat,  acl_fetch_http_auth,      acl_match_auth,    ACL_USE_L7REQ_VOLATILE, ARG1(0,USR) },
        { "http_first_req",  acl_parse_nothing, acl_fetch_http_first_req, acl_match_nothing, ACL_USE_L7REQ_PERMANENT, 0 },