pdns/sstuff: convert mapped IPv4 addresses for ACL 16539/head
authorfamfo <famfo@famfo.xyz>
Sat, 22 Nov 2025 22:54:14 +0000 (23:54 +0100)
committerfamfo <famfo@famfo.xyz>
Mon, 24 Nov 2025 15:20:48 +0000 (16:20 +0100)
When a mapped address does not get converted, ACLs do not match as
expected. For example ::ffff:127.0.0.1 did not match the ACL 127.0.0.1.

Signed-off-by: famfo <famfo@famfo.xyz>
pdns/sstuff.hh
regression-tests.auth-py/test_acl.py [new file with mode: 0644]

index 4a30d0ad3912977bc07c25db9106f86926d91ea9..8174cc5fb36e9bc1503a205a87e4d08a3387dc1e 100644 (file)
@@ -121,7 +121,13 @@ public:
   {
     ComboAddress remote;
     if (getRemote(remote)) {
-      return netmaskGroup.match(remote);
+      if (netmaskGroup.match(remote)) {
+        return true;
+      }
+
+      if (remote.isMappedIPv4()) {
+        return netmaskGroup.match(remote.mapToIPv4());
+      }
     }
 
     return false;
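Review bot: The unconverted address is still matched first, so the decision is an OR over two representations of the same client, and nothing in the code says which one is authoritative. If NetmaskGroup supports negated entries (not visible in this hunk), an IPv4 exclusion would never be consulted for a mapped client when a broader IPv6 entry already matches `remote`, because `return true` is reached before `mapToIPv4()` is tried. Consider documenting the order above the first `if`, e.g. `// mapped form is tried first so ACLs written as ::ffff:a.b.c.d keep working; the plain IPv4 form is the fallback`, and adding a regression case that combines an IPv6 range with an IPv4 exclusion on a dual-stack listener. The enclosing function starts above the hunk, so its name and callers cannot be checked from here.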
diff --git a/regression-tests.auth-py/test_acl.py b/regression-tests.auth-py/test_acl.py
new file mode 100644 (file)
index 0000000..812bdea
--- /dev/null
@@ -0,0 +1,82 @@
+import requests
+from authtests import AuthTest
+
+class TestBasic(AuthTest):
+    _config_template = """
+    launch = {backend}
+    webserver = yes
+    webserver-address = 127.0.0.1
+    webserver-port = 8053
+    webserver-allow-from = 127.0.0.1
+    """
+
+    @classmethod
+    def setUpClass(cls):
+        super(TestBasic, cls).setUpClass()
+
+    def test_basic(self):
+        r = requests.get('http://127.0.0.1:8053')
+        self.assertEqual(r.status_code, 200)
+
+class TestDualStack(AuthTest):
+    _config_template = """
+    launch = {backend}
+    webserver = yes
+    webserver-address = [::]
+    webserver-port = 8053
+    webserver-allow-from = 127.0.0.1
+    """
+
+    @classmethod
+    def setUpClass(cls):
+        super(TestDualStack, cls).setUpClass()
+
+    def test_ds(self):
+        r = requests.get('http://127.0.0.1:8053')
+        self.assertEqual(r.status_code, 200)
+
+class TestDualStackBackwardsCompat(AuthTest):
+    _config_template = """
+    launch = {backend}
+    webserver = yes
+    webserver-address = [::]
+    webserver-port = 8053
+    webserver-allow-from = ::ffff:127.0.0.1
+    """
+
+    def test_ds_compat(self):
+        r = requests.get('http://127.0.0.1:8053')
+        self.assertEqual(r.status_code, 200)
+
+class TestUnauthorized(AuthTest):
+    _config_template = """
+    launch = {backend}
+    webserver = yes
+    webserver-address = 127.0.0.1
+    webserver-port = 8053
+    webserver-allow-from = 224.0.0.0
+    """
+
+    def test_unauthorized(self):
+        try:
+            requests.get('http://127.0.0.1:8053')
+            self.fail()
+        except requests.exceptions.ConnectionError:
+            pass
+
+class TestUnauthorizedDualStack(AuthTest):
+    _config_template = """
+    launch = {backend}
+    webserver = yes
+    webserver-address = [::]
+    webserver-port = 8053
+    webserver-allow-from = 224.0.0.0
+    """
+
+    def test_unauthorized(self):
+        try:
+            requests.get('http://127.0.0.1:8053')
+            self.fail()
+        except requests.exceptions.ConnectionError:
+            pass
+
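Review bot: The two deny tests (`TestUnauthorized.test_unauthorized` and `TestUnauthorizedDualStack.test_unauthorized`) accept any `ConnectionError`, which a webserver that never began listening on port 8053 would also raise, so they can pass without the ACL being exercised. Unless `AuthTest` already checks that the listener is up (not visible here), it would be worth confirming the port accepts a TCP connection before expecting the request to be dropped. None of the `requests.get` calls sets a timeout, so a server that accepts the connection and then stalls would hang the suite; `requests.get('http://127.0.0.1:8053', timeout=2)` bounds that. As a style point, `with self.assertRaises(requests.exceptions.ConnectionError):` states the expectation more directly than the `try` / `self.fail()` / `except` sequence, and the `setUpClass` overrides that only call `super()` can be dropped.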