Wildcard access list support was failing in case multiple wildcards
entries were defined and/or when a specific access list string
overlapped a wildcard entry.
Root cause of the problem was the way how wildcard entries were sorted
in the avl tree by the compare function ubusd_acl_match_path resulting
into a non acces list match for a given object path.
The avl_tree sorting has been changed to make use of avl_strcmp; as such
there's no distinction anymore between non-wildcard and wildcard entries
in the avl_tree compare function as the boolean partial marks an access
list entry as a wildcard entry.
When trying to find an access list match for an object path the access list
tree is iterated as long as the number of characters between the access list
string and object path is monotonically increasing.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
/*
* Copyright (C) 2015 John Crispin <blogic@openwrt.org>
/*
* Copyright (C) 2015 John Crispin <blogic@openwrt.org>
+ * Copyright (C) 2018 Hans Dedecker <dedeckeh@gmail.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License version 2.1
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License version 2.1
struct avl_node avl;
struct list_head list;
struct avl_node avl;
struct list_head list;
const char *user;
const char *group;
const char *user;
const char *group;
static int ubusd_acl_seq;
static struct ubus_object *acl_obj;
static int ubusd_acl_seq;
static struct ubus_object *acl_obj;
-static int
-ubusd_acl_match_path(const void *k1, const void *k2, void *ptr)
-{
- const char *name = k1;
- const char *match = k2;
- char *wildcard = strstr(match, "\t");
-
- if (wildcard)
- return strncmp(name, match, wildcard - match);
-
- return strcmp(name, match);
-}
-
static int
ubusd_acl_match_cred(struct ubus_client *cl, struct ubusd_acl_obj *obj)
{
static int
ubusd_acl_match_cred(struct ubus_client *cl, struct ubusd_acl_obj *obj)
{
const char *method, enum ubusd_acl_type type)
{
struct ubusd_acl_obj *acl;
const char *method, enum ubusd_acl_type type)
{
struct ubusd_acl_obj *acl;
- struct blob_attr *cur;
- int rem;
+ if (!cl || !cl->uid || !obj)
- acl = avl_find_ge_element(&ubusd_acls, obj, acl, avl);
- if (!acl)
- return -1;
+ /*
+ * Since this tree is sorted alphabetically, we can only expect
+ * to find matching entries as long as the number of matching
+ * characters between the access list string and the object path
+ * is monotonically increasing.
+ */
+ avl_for_each_element(&ubusd_acls, acl, avl) {
+ const char *key = acl->avl.key;
+ int cur_match_len;
+ bool full_match;
+
+ full_match = ubus_strmatch_len(obj, key, &cur_match_len);
+ if (cur_match_len < match_len)
+ break;
- avl_for_element_to_last(&ubusd_acls, acl, acl, avl) {
- int diff = ubusd_acl_match_path(obj, acl->avl.key, NULL);
+ match_len = cur_match_len;
+ if (!full_match) {
+ if (!acl->partial)
+ continue;
+
+ if (match_len != strlen(key))
+ continue;
+ }
if (ubusd_acl_match_cred(cl, acl))
continue;
if (ubusd_acl_match_cred(cl, acl))
continue;
break;
case UBUS_ACL_ACCESS:
break;
case UBUS_ACL_ACCESS:
+ if (acl->methods) {
+ struct blob_attr *cur;
+ int rem;
+
blobmsg_for_each_attr(cur, acl->methods, rem)
if (blobmsg_type(cur) == BLOBMSG_TYPE_STRING)
blobmsg_for_each_attr(cur, acl->methods, rem)
if (blobmsg_type(cur) == BLOBMSG_TYPE_STRING)
- if (!ubusd_acl_match_path(method, blobmsg_get_string(cur), NULL))
+ if (!strcmp(method, blobmsg_get_string(cur)))
ubusd_acl_alloc_obj(struct ubusd_acl_file *file, const char *obj)
{
struct ubusd_acl_obj *o;
ubusd_acl_alloc_obj(struct ubusd_acl_file *file, const char *obj)
{
struct ubusd_acl_obj *o;
- o = calloc_a(sizeof(*o), &k, strlen(obj) + 1);
+ if (obj[len - 1] == '*') {
+ partial = true;
+ len--;
+ }
+
+ o = calloc_a(sizeof(*o), &k, len + 1);
+ o->partial = partial;
o->user = file->user;
o->group = file->group;
o->user = file->user;
o->group = file->group;
- o->avl.key = k;
- strcpy(k, obj);
-
- while (*k) {
- if (*k == '*')
- *k = '\t';
- k++;
- }
+ o->avl.key = memcpy(k, obj, len);
list_add(&o->list, &file->acl);
avl_insert(&ubusd_acls, &o->avl);
list_add(&o->list, &file->acl);
avl_insert(&ubusd_acls, &o->avl);
ubusd_reply_add(struct ubus_object *obj)
{
struct ubusd_acl_obj *acl;
ubusd_reply_add(struct ubus_object *obj)
{
struct ubusd_acl_obj *acl;
if (!obj->path.key)
return;
if (!obj->path.key)
return;
- acl = avl_find_ge_element(&ubusd_acls, obj->path.key, acl, avl);
- if (!acl)
- return;
-
- avl_for_element_to_last(&ubusd_acls, acl, acl, avl) {
+ /*
+ * Since this tree is sorted alphabetically, we can only expect
+ * to find matching entries as long as the number of matching
+ * characters between the access list string and the object path
+ * is monotonically increasing.
+ */
+ avl_for_each_element(&ubusd_acls, acl, avl) {
+ const char *key = acl->avl.key;
+ int cur_match_len;
+ bool full_match;
void *c;
if (!acl->priv)
continue;
void *c;
if (!acl->priv)
continue;
- if (ubusd_acl_match_path(obj->path.key, acl->avl.key, NULL))
- continue;
+ full_match = ubus_strmatch_len(obj->path.key, key, &cur_match_len);
+ if (cur_match_len < match_len)
+ break;
+
+ match_len = cur_match_len;
+
+ if (!full_match) {
+ if (!acl->partial)
+ continue;
+
+ if (match_len != strlen(key))
+ continue;
+ }
c = blobmsg_open_table(&b, NULL);
blobmsg_add_string(&b, "obj", obj->path.key);
c = blobmsg_open_table(&b, NULL);
blobmsg_add_string(&b, "obj", obj->path.key);
blobmsg_close_table(&b, c);
}
}
blobmsg_close_table(&b, c);
}
}
static int ubusd_reply_query(struct ubus_client *cl, struct ubus_msg_buf *ub, struct blob_attr **attr, struct blob_attr *msg)
{
struct ubus_object *obj;
static int ubusd_reply_query(struct ubus_client *cl, struct ubus_msg_buf *ub, struct blob_attr **attr, struct blob_attr *msg)
{
struct ubus_object *obj;
void ubusd_acl_init(void)
{
void ubusd_acl_init(void)
{
- avl_init(&ubusd_acls, ubusd_acl_match_path, true, NULL);
+ ubus_init_string_tree(&ubusd_acls, true);
acl_obj = ubusd_create_object_internal(NULL, UBUS_SYSTEM_OBJECT_ACL);
acl_obj->recv_msg = ubusd_acl_recv;
}
acl_obj = ubusd_create_object_internal(NULL, UBUS_SYSTEM_OBJECT_ACL);
acl_obj->recv_msg = ubusd_acl_recv;
}
projects / oweals / ubus.git / commitdiff