From: Eric Bollengier <eric@baculasystems.com>
Date: Fri, 24 Apr 2020 16:00:48 +0000 (+0200)
Subject: BEE Backport bacula/src/dird/ua_acl.c
X-Git-Tag: Release-11.3.2~1745
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=001aa6e80ce90114976763359fedf38007f06ca3;p=thirdparty%2Fbacula.git

BEE Backport bacula/src/dird/ua_acl.c

This commit is the result of the squash of the following main commits:

Author: Alain Spineux <alain@baculasystems.com>
Date:   Tue May 21 18:32:30 2019 +0200

    re-activate command "show console" and display ACLs

    - "root" console can display any console resource
    - restricted console can only display its own ressource
    - Display all ACLs
      - use the name of the ACL define in the RES_ITEM

Author: Eric Bollengier <eric@baculasystems.com>
Date:   Mon Jun 18 15:40:30 2018 +0200

    Allow glob type expression in Console ACL lists

Author: Eric Bollengier <eric@baculasystems.com>
Date:   Thu Jun 30 20:53:53 2016 +0200

    Add new RestoreClientAcl/BackupClientAcl console directives

Author: Kern Sibbald <kern@sibbald.com>
Date:   Sun Sep 23 14:31:40 2012 +0200

    Add first cut bconsjson and bdirjson
---

diff --git a/bacula/src/dird/ua_acl.c b/bacula/src/dird/ua_acl.c
index c69d495bc1..f6a80b89c5 100644
--- a/bacula/src/dird/ua_acl.c
+++ b/bacula/src/dird/ua_acl.c
@@ -17,9 +17,11 @@
    Bacula(R) is a registered trademark of Kern Sibbald.
 */
 /*
+ *
  *   Bacula Director -- User Agent Access Control List (ACL) handling
  *
  *     Kern Sibbald, January MMIV
+ *
  */
 
 #include "bacula.h"
@@ -54,13 +56,25 @@ bool acl_access_client_ok(UAContext *ua, const char *name, int32_t jobtype)
    return false;
 }
 
-
+bool acl_access_console_ok(UAContext *ua, const char *name)
+{
+   /* If no console resource => default console and all is permitted */
+   if (!ua || !ua->cons) {
+      Dmsg0(1400, "Root cons access OK.\n");
+      return true;                    /* No cons resource -> root console OK for everything */
+   }
+   /* allow access to its own console resource only */
+   if (strcmp(ua->cons->name(), name)==0) {
+      return true;
+   }
+   return false;
+}
 
 /* This version expects the length of the item which we must check. */
 bool acl_access_ok(UAContext *ua, int acl, const char *item, int len)
 {
    /* The resource name contains nasty characters */
-   if (acl != Where_ACL && !is_name_valid(item, NULL)) {
+   if (acl != Where_ACL && !is_name_valid(item, NULL, EXTRA_VALID_RESOURCE_CHAR_GLOB)) {
       Dmsg1(1400, "Access denied for item=%s\n", item);
       return false;
    }
@@ -86,7 +100,7 @@ bool acl_access_ok(UAContext *ua, int acl, const char *item, int len)
 
    /* Search list for item */
    for (int i=0; i<list->size(); i++) {
-      if (strcasecmp(item, (char *)list->get(i)) == 0) {
+      if (fnmatch((char *)list->get(i), item, 0) == 0) {
          Dmsg3(1400, "ACL found %s in %d %s\n", item, acl, (char *)list->get(i));
          return true;
       }