kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-03 11:25:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

Allow permit/deny ACL lines to contain multiple items and negated entries.

Browse Source 
Rules in ACLs (specified using 'permit' and 'deny') can now contain multiple
items (separated by commas), and items in the rule can be negated by prefixing
them with '!'. This simplifies Asterisk Realtime configurations, since it is no
longer necessray to control the order that the 'permit' and 'deny' columns are
returned from queries.

Review: https://reviewboard.asterisk.org/r/1592/
Initial patch contributed by Tilghman Lesher
Unit tests written by Kevin P. Fleming



git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@370426 65c4cc65-6c06-0410-ace0-fbb531ad65f3
This commit is contained in:
Kevin P. Fleming
2012-07-24 16:47:33 +00:00
parent 190d130cbe
commit 0385c0e9cb
2 changed files with 187 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

142
tests/test_acl.c
View File

@@ -128,11 +128,13 @@ AST_TEST_DEFINE(acl)
struct acl denyallv4 = { "0.0.0.0/0", "deny" };
struct acl permitallv6 = { "::/0", "permit" };
struct acl denyallv6 = { "::/0", "deny" };
struct acl acl1[] = {
{ "0.0.0.0/0.0.0.0", "deny" },
{ "10.0.0.0/255.0.0.0", "permit" },
{ "192.168.0.0/255.255.255.0", "permit" },
};
struct acl acl2[] = {
{ "10.0.0.0/8", "deny" },
{ "10.0.0.0/8", "permit" },
@@ -152,6 +154,23 @@ AST_TEST_DEFINE(acl)
{ "fe80::ffff:0:ffff:0/112", "permit" },
};
struct acl acl5[] = {
{ "0.0.0.0/0.0.0.0", "deny" },
{ "10.0.0.0/255.0.0.0,192.168.0.0/255.255.255.0", "permit" },
};
struct acl acl6[] = {
{ "10.0.0.0/8", "deny" },
{ "10.0.0.0/8", "permit" },
{ "10.0.0.0/16,!10.0.0.0/24", "deny" },
};
struct acl acl7[] = {
{ "::/0,!fe80::/64", "deny" },
{ "fe80::ffff:0:0:0/80", "deny" },
{ "fe80::ffff:0:ffff:0/112", "permit" },
};
struct {
const char *test_address;
int v4_permitall_result;
@@ -162,16 +181,19 @@ AST_TEST_DEFINE(acl)
int acl2_result;
int acl3_result;
int acl4_result;
int acl5_result;
int acl6_result;
int acl7_result;
} acl_tests[] = {
{ "10.1.1.5", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
{ "192.168.0.5", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
{ "192.168.1.5", TACL_A, TACL_D, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A },
{ "10.0.0.1", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
{ "10.0.10.10", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A },
{ "172.16.0.1", TACL_A, TACL_D, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A },
{ "fe80::1234", TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A },
{ "fe80::ffff:1213:dead:beef", TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D },
{ "fe80::ffff:0:ffff:ABCD", TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A },
{ "10.1.1.5", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
{ "192.168.0.5", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
{ "192.168.1.5", TACL_A, TACL_D, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A },
{ "10.0.0.1", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
{ "10.0.10.10", TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A },
{ "172.16.0.1", TACL_A, TACL_D, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A },
{ "fe80::1234", TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
{ "fe80::ffff:1213:dead:beef", TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_D },
{ "fe80::ffff:0:ffff:ABCD", TACL_A, TACL_A, TACL_A, TACL_D, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A, TACL_A },
};
struct ast_ha *permit_hav4 = NULL;
@@ -182,10 +204,28 @@ AST_TEST_DEFINE(acl)
struct ast_ha *ha2 = NULL;
struct ast_ha *ha3 = NULL;
struct ast_ha *ha4 = NULL;
struct ast_ha *ha5 = NULL;
struct ast_ha *ha6 = NULL;
struct ast_ha *ha7 = NULL;
enum ast_test_result_state res = AST_TEST_PASS;
int err = 0;
int i;
int build_ha(const struct acl *acl, size_t len, struct ast_ha **ha, const char *acl_name) {
size_t i;
for (i = 0; i < len; ++i) {
if (!(*ha = ast_append_ha(acl[i].access, acl[i].host, *ha, &err))) {
ast_test_status_update(test, "Failed to add rule %s with access %s to %s\n",
acl[i].host, acl[i].access, acl_name);
res = AST_TEST_FAIL;
return -1;
}
}
return 0;
}
switch (cmd) {
case TEST_INIT:
info->name = "acl";
@@ -222,40 +262,32 @@ AST_TEST_DEFINE(acl)
goto acl_cleanup;
}
for (i = 0; i < ARRAY_LEN(acl1); ++i) {
if (!(ha1 = ast_append_ha(acl1[i].access, acl1[i].host, ha1, &err))) {
ast_test_status_update(test, "Failed to add rule %s with access %s to ha1\n",
acl1[i].host, acl1[i].access);
res = AST_TEST_FAIL;
goto acl_cleanup;
}
if (build_ha(acl1, ARRAY_LEN(acl1), &ha1, "ha1") != 0) {
goto acl_cleanup;
}
for (i = 0; i < ARRAY_LEN(acl2); ++i) {
if (!(ha2 = ast_append_ha(acl2[i].access, acl2[i].host, ha2, &err))) {
ast_test_status_update(test, "Failed to add rule %s with access %s to ha2\n",
acl2[i].host, acl2[i].access);
res = AST_TEST_FAIL;
goto acl_cleanup;
}
if (build_ha(acl2, ARRAY_LEN(acl2), &ha2, "ha2") != 0) {
goto acl_cleanup;
}
for (i = 0; i < ARRAY_LEN(acl3); ++i) {
if (!(ha3 = ast_append_ha(acl3[i].access, acl3[i].host, ha3, &err))) {
ast_test_status_update(test, "Failed to add rule %s with access %s to ha3\n",
acl3[i].host, acl3[i].access);
res = AST_TEST_FAIL;
goto acl_cleanup;
}
if (build_ha(acl3, ARRAY_LEN(acl3), &ha3, "ha3") != 0) {
goto acl_cleanup;
}
for (i = 0; i < ARRAY_LEN(acl4); ++i) {
if (!(ha4 = ast_append_ha(acl4[i].access, acl4[i].host, ha4, &err))) {
ast_test_status_update(test, "Failed to add rule %s with access %s to ha4\n",
acl4[i].host, acl4[i].access);
res = AST_TEST_FAIL;
goto acl_cleanup;
}
if (build_ha(acl4, ARRAY_LEN(acl4), &ha4, "ha4") != 0) {
goto acl_cleanup;
}
if (build_ha(acl5, ARRAY_LEN(acl5), &ha5, "ha5") != 0) {
goto acl_cleanup;
}
if (build_ha(acl6, ARRAY_LEN(acl6), &ha6, "ha6") != 0) {
goto acl_cleanup;
}
if (build_ha(acl7, ARRAY_LEN(acl7), &ha7, "ha7") != 0) {
goto acl_cleanup;
}
for (i = 0; i < ARRAY_LEN(acl_tests); ++i) {
@@ -268,6 +300,9 @@ AST_TEST_DEFINE(acl)
int acl2_res;
int acl3_res;
int acl4_res;
int acl5_res;
int acl6_res;
int acl7_res;
ast_sockaddr_parse(&addr, acl_tests[i].test_address, PARSE_PORT_FORBID);
@@ -279,6 +314,9 @@ AST_TEST_DEFINE(acl)
acl2_res = ast_apply_ha(ha2, &addr);
acl3_res = ast_apply_ha(ha3, &addr);
acl4_res = ast_apply_ha(ha4, &addr);
acl5_res = ast_apply_ha(ha5, &addr);
acl6_res = ast_apply_ha(ha6, &addr);
acl7_res = ast_apply_ha(ha7, &addr);
if (permit_resv4 != acl_tests[i].v4_permitall_result) {
ast_test_status_update(test, "Access not as expected to %s on permitallv4. Expected %d but "
@@ -335,6 +373,27 @@ AST_TEST_DEFINE(acl)
res = AST_TEST_FAIL;
goto acl_cleanup;
}
if (acl5_res != acl_tests[i].acl5_result) {
ast_test_status_update(test, "Access not as expected to %s on acl5. Expected %d but "
"got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl5_result, acl5_res);
res = AST_TEST_FAIL;
goto acl_cleanup;
}
if (acl6_res != acl_tests[i].acl6_result) {
ast_test_status_update(test, "Access not as expected to %s on acl6. Expected %d but "
"got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl6_result, acl6_res);
res = AST_TEST_FAIL;
goto acl_cleanup;
}
if (acl7_res != acl_tests[i].acl7_result) {
ast_test_status_update(test, "Access not as expected to %s on acl7. Expected %d but "
"got %d instead\n", acl_tests[i].test_address, acl_tests[i].acl7_result, acl7_res);
res = AST_TEST_FAIL;
goto acl_cleanup;
}
}
acl_cleanup:
@@ -362,6 +421,15 @@ acl_cleanup:
if (ha4) {
ast_free_ha(ha4);
}
if (ha5) {
ast_free_ha(ha5);
}
if (ha6) {
ast_free_ha(ha6);
}
if (ha7) {
ast_free_ha(ha7);
}
return res;
}