diff options
author | antirez <antirez@gmail.com> | 2019-02-06 16:44:55 +0100 |
---|---|---|
committer | antirez <antirez@gmail.com> | 2019-02-06 16:44:55 +0100 |
commit | bbdf02338d865e0bf12b004be966a76ab8a71019 (patch) | |
tree | bd12972b2cf71ea9b00785762d3e25908ca82098 | |
parent | 0d3fb9f7f13c75c8d0c54c2faddc9e72f5dc5452 (diff) | |
download | redis-bbdf02338d865e0bf12b004be966a76ab8a71019.tar.gz |
ACL: now ACLLoadFromFile() validates against fake user.
-rw-r--r-- | src/acl.c | 39 |
1 files changed, 34 insertions, 5 deletions
@@ -1065,6 +1065,10 @@ sds ACLLoadFromFile(const char *filename) { sds *lines, errors = sdsempty(); lines = sdssplitlen(acls,strlen(acls),"\n",1,&totlines); + /* We need a fake user to validate the rules before making changes + * to the real user mentioned in the ACL line. */ + user *fakeuser = ACLCreateUnlinkedUser(); + for (int i = 0; i < totlines; i++) { sds *argv; int argc; @@ -1079,8 +1083,8 @@ sds ACLLoadFromFile(const char *filename) { argv = sdssplitargs(lines[i],&argc); if (argv == NULL) { errors = sdscatprintf(errors, - "%d: unbalanced quotes in acl line.", - linenum); + "%d: unbalanced quotes in acl line. ", + linenum); continue; } @@ -1090,15 +1094,40 @@ sds ACLLoadFromFile(const char *filename) { continue; } - /* Try to process the line. */ + /* The line should start with the "user" keyword. */ + if (strcmp(argv[0],"user")) { + errors = sdscatprintf(errors, + "%d: line should start with user keyword. ", + linenum); + continue; + } + + /* Try to process the line using the fake user to validate iif + * the rules are able to apply cleanly. */ + ACLSetUser(fakeuser,"reset",-1); + int j; + for (j = 2; j < argc; j++) { + if (ACLSetUser(fakeuser,argv[j],sdslen(argv[j])) != C_OK) { + char *errmsg = ACLSetUserStringError(); + errors = sdscatprintf(errors, + "%d: error in ACL: %s. ", + linenum, errmsg); + continue; + } + } + if (j != argc) continue; /* Error in ACL rules, don't apply. */ + + /* We can finally lookup the user and apply the rule. */ } + ACLFreeUser(fakeuser); sdsfreesplitres(lines,totlines); if (sdslen(errors) == 0) { sdsfree(errors); - errors = NULL; + return NULL; + } else { + return sdstrim(errors," "); } - return errors; } /* ============================================================================= |