ACL: now ACLLoadFromFile() validates against fake user.

author: antirez <antirez@gmail.com> 2019-02-06 16:44:55 +0100
committer: antirez <antirez@gmail.com> 2019-02-06 16:44:55 +0100
commit: bbdf02338d865e0bf12b004be966a76ab8a71019 (patch)
tree: bd12972b2cf71ea9b00785762d3e25908ca82098
parent: 0d3fb9f7f13c75c8d0c54c2faddc9e72f5dc5452 (diff)
download: redis-bbdf02338d865e0bf12b004be966a76ab8a71019.tar.gz
1 files changed, 34 insertions, 5 deletions
diff --git a/src/acl.c b/src/acl.c
index e19c26eb3..2fbc564ab 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -1065,6 +1065,10 @@ sds ACLLoadFromFile(const char *filename) {
     sds *lines, errors = sdsempty();
     lines = sdssplitlen(acls,strlen(acls),"\n",1,&totlines);
 
+    /* We need a fake user to validate the rules before making changes
+     * to the real user mentioned in the ACL line. */
+    user *fakeuser = ACLCreateUnlinkedUser();
+
     for (int i = 0; i < totlines; i++) {
         sds *argv;
         int argc;
@@ -1079,8 +1083,8 @@ sds ACLLoadFromFile(const char *filename) {
         argv = sdssplitargs(lines[i],&argc);
         if (argv == NULL) {
             errors = sdscatprintf(errors,
-                                  "%d: unbalanced quotes in acl line.",
-                                  linenum);
+                     "%d: unbalanced quotes in acl line. ",
+                     linenum);
             continue;
         }
 
@@ -1090,15 +1094,40 @@ sds ACLLoadFromFile(const char *filename) {
             continue;
         }
 
-        /* Try to process the line. */
+        /* The line should start with the "user" keyword. */
+        if (strcmp(argv[0],"user")) {
+            errors = sdscatprintf(errors,
+                     "%d: line should start with user keyword. ",
+                     linenum);
+            continue;
+        }
+
+        /* Try to process the line using the fake user to validate iif
+         * the rules are able to apply cleanly. */
+        ACLSetUser(fakeuser,"reset",-1);
+        int j;
+        for (j = 2; j < argc; j++) {
+            if (ACLSetUser(fakeuser,argv[j],sdslen(argv[j])) != C_OK) {
+                char *errmsg = ACLSetUserStringError();
+                errors = sdscatprintf(errors,
+                         "%d: error in ACL: %s. ",
+                         linenum, errmsg);
+                continue;
+            }
+        }
+        if (j != argc) continue; /* Error in ACL rules, don't apply. */
+
+        /* We can finally lookup the user and apply the rule. */
     }
 
+    ACLFreeUser(fakeuser);
     sdsfreesplitres(lines,totlines);
     if (sdslen(errors) == 0) {
         sdsfree(errors);
-        errors = NULL;
+        return NULL;
+    } else {
+        return sdstrim(errors," ");
     }
-    return errors;
 }
 
 /* =============================================================================
author	antirez <antirez@gmail.com>	2019-02-06 16:44:55 +0100
committer	antirez <antirez@gmail.com>	2019-02-06 16:44:55 +0100
commit	bbdf02338d865e0bf12b004be966a76ab8a71019 (patch)
tree	bd12972b2cf71ea9b00785762d3e25908ca82098
parent	0d3fb9f7f13c75c8d0c54c2faddc9e72f5dc5452 (diff)
download	redis-bbdf02338d865e0bf12b004be966a76ab8a71019.tar.gz