This is an automated email from the ASF dual-hosted git repository.
bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 17379af4fb Fix acl_remap bug (#11414)
17379af4fb is described below
commit 17379af4fb52314dcbdc358c517c8e82c01292c5
Author: Matt Williams <[email protected]>
AuthorDate: Fri Jun 7 23:56:15 2024 +0900
Fix acl_remap bug (#11414)
* Fix acl_remap bug
The acl remap rules are described in [1]. Namely:
> 1. A remap.config ACL line for an individual remap rule.
> 2. All named ACLs in remap.config.
> 3. Rules as specified in ip_allow.yaml.
This commit fixes a bug that would cause (2) to not be processed if there
was no entry in (1).
[1] src/proxy/http/remap/RemapConfig.cc:123
Co-authored-by: Masaori Koshiba <[email protected]>
* Fixes from Brian's review
---------
Co-authored-by: Masaori Koshiba <[email protected]>
---
src/proxy/http/remap/RemapConfig.cc | 22 ++---
tests/gold_tests/remap/deny_head_post.replay.yaml | 100 ++++++++++++++++++++++
tests/gold_tests/remap/remap_acl.test.py | 9 ++
3 files changed, 121 insertions(+), 10 deletions(-)
diff --git a/src/proxy/http/remap/RemapConfig.cc
b/src/proxy/http/remap/RemapConfig.cc
index be72d76dc6..7c48e44325 100644
--- a/src/proxy/http/remap/RemapConfig.cc
+++ b/src/proxy/http/remap/RemapConfig.cc
@@ -130,22 +130,24 @@ process_filter_opt(url_mapping *mp, const
BUILD_TABLE_INFO *bti, char *errStrBuf
;
}
errStr = remap_validate_filter_args(rpp, (const char **)bti->argv,
bti->argc, errStrBuf, errStrBufSize);
- for (rp = bti->rules_list; rp; rp = rp->next) {
+ }
+
+ for (rp = bti->rules_list; rp; rp = rp->next) {
+ for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) {
+ ;
+ }
+ if (rp->active_queue_flag) {
+ Dbg(dbg_ctl_url_rewrite, "[process_filter_opt] Add active main filter
\"%s\" (argc=%d)",
+ rp->filter_name ? rp->filter_name : "<nullptr>", rp->argc);
for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) {
;
}
- if (rp->active_queue_flag) {
- Dbg(dbg_ctl_url_rewrite, "[process_filter_opt] Add active main filter
\"%s\" (argc=%d)",
- rp->filter_name ? rp->filter_name : "<nullptr>", rp->argc);
- for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) {
- ;
- }
- if ((errStr = remap_validate_filter_args(rpp, (const char **)rp->argv,
rp->argc, errStrBuf, errStrBufSize)) != nullptr) {
- break;
- }
+ if ((errStr = remap_validate_filter_args(rpp, (const char **)rp->argv,
rp->argc, errStrBuf, errStrBufSize)) != nullptr) {
+ break;
}
}
}
+
// Set the ip allow flag for this rule to the current ip allow flag state
mp->ip_allow_check_enabled_p = bti->ip_allow_check_enabled_p;
diff --git a/tests/gold_tests/remap/deny_head_post.replay.yaml
b/tests/gold_tests/remap/deny_head_post.replay.yaml
new file mode 100644
index 0000000000..0d4e91acd8
--- /dev/null
+++ b/tests/gold_tests/remap/deny_head_post.replay.yaml
@@ -0,0 +1,100 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This expects a remap.config that denies HEAD and POST, but allows all other
+# methods.
+
+meta:
+ version: "1.0"
+
+ blocks:
+ - standard_response: &standard_response
+ server-response:
+ status: 200
+ reason: OK
+ headers:
+ fields:
+ - [ Content-Length, 20 ]
+
+sessions:
+- protocol:
+ - name: http
+ version: 1
+ - name: tls
+ sni: test_sni
+ transactions:
+
+ - client-request:
+ method: "GET"
+ version: "1.1"
+ url: /test/ip_allow/test_get
+ headers:
+ fields:
+ - [ Content-Length, 0 ]
+ - [ uuid, get ]
+ - [ X-Request, get ]
+
+ <<: *standard_response
+
+ proxy-response:
+ status: 200
+
+ - client-request:
+ method: "HEAD"
+ version: "1.1"
+ url: /test/ip_allow/test_head
+ headers:
+ fields:
+ - [ Content-Length, 0 ]
+ - [ uuid, head ]
+ - [ X-Request, head ]
+
+ <<: *standard_response
+
+ proxy-response:
+ status: 403
+
+ # POST rejected
+ - client-request:
+ method: "POST"
+ version: "1.1"
+ url: /test/ip_allow/test_post
+ headers:
+ fields:
+ - [Content-Length, 10]
+ - [ uuid, post ]
+ - [ X-Request, post ]
+
+ <<: *standard_response
+
+ proxy-response:
+ status: 403
+
+ - client-request:
+ method: "DELETE"
+ version: "1.1"
+ url: /test/ip_allow/test_delete
+ headers:
+ fields:
+ - [ Host, example.com ]
+ - [ uuid, delete ]
+ - [ X-Request, delete ]
+ - [ Content-Length, 0 ]
+
+ <<: *standard_response
+
+ proxy-response:
+ status: 200
diff --git a/tests/gold_tests/remap/remap_acl.test.py
b/tests/gold_tests/remap/remap_acl.test.py
index c65943b4b3..5c46f2f1ad 100644
--- a/tests/gold_tests/remap/remap_acl.test.py
+++ b/tests/gold_tests/remap/remap_acl.test.py
@@ -296,3 +296,12 @@ test_ip_allow_optional_methods = Test_remap_acl(
acl_configuration='@action=allow @in_ip=3.4.5.6 @method=GET @method=POST',
named_acls=[],
expected_responses=[200, 403, 403, 403, 403])
+
+test_named_acl_deny = Test_remap_acl(
+ "Verify a named ACL is applied if an in-line ACL is absent.",
+ replay_file='deny_head_post.replay.yaml',
+ ip_allow_content=IP_ALLOW_CONTENT,
+ deactivate_ip_allow=False,
+ acl_configuration='',
+ named_acls=[('deny', '@action=deny @method=HEAD @method=POST')],
+ expected_responses=[200, 403, 403, 403])
