tr_constraints: constraint set members can have limited types
authorSam Hartman <hartmans@debian.org>
Mon, 14 Jul 2014 19:55:27 +0000 (15:55 -0400)
committerSam Hartman <hartmans@debian.org>
Mon, 14 Jul 2014 20:07:34 +0000 (16:07 -0400)
If a constraint set member has a domain constraint but no realm
constraint treat that as a universal realm constraint (*).

However, if no constraint set member has that constraint type then
access is denied; we do not fail open.

common/tests.json
common/tr_constraint.c

index 4dee665..ba607e6 100644 (file)
                            }],
        "expected": [{
            "domain": ["*.cam.ac.uk"],
-           "realm": []
+           "realm": ['*']
            }],
        "valid": true
-       }
+       },
+    {"constraints": [
+       {"realm": ["painless-security.com", "*.painless-security.com"]},
+       {"domain": ["painless-security.com"]
+        }],
+     "expected": [{"realm": ["painless-security.com", "*.painless-security.com"],
+        "domain": ["painless-security.com"]
+        }],
+     "valid": true
+     }
+        
             ]
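Review bot: The new expected value `"realm": ['*']` uses single quotes, which are not valid JSON, so a strict loader such as jansson's will refuse the whole tests.json and every constraint test is lost, not just this one; it should read `"realm": ["*"]`. The only other string arrays in this hunk use double quotes, and the previous value `[]` parsed fine, so this looks like a typo rather than an intended syntax. If the test harness uses a lenient parser this may pass locally, but the file then no longer round-trips through the same JSON library the production code uses. Worth also dropping the whitespace-only line added before the closing `]`.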
index ac36958..c34d6ec 100644 (file)
@@ -234,6 +234,13 @@ static json_t *constraint_intersect_internal( TR_CONSTRAINT_SET *constraints,
       json_t *intersect, *value_1, *value_2;
       size_t index_1, index_2;
       intersect = json_object_get(constraint, constraint_type);
+      /*If an element of the constraint set doesn't have a particular
+       * constraint type, we ignore that element of the constraint set.
+       * However, if no element of the constraint set has a particular
+       *     constraint type we return empty (no access) rather than universal
+       * access.*/
+      if (!intersect)
+       continue;
     result_loop:
       json_array_foreach(result, index_1, value_1) {
        json_array_foreach(intersect, index_2, value_2) {
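Review bot: The comment's fail-closed guarantee ("if no element has a particular constraint type we return empty") is not something this hunk itself establishes: the new `continue` only skips the element, so what the caller gets when every element is skipped is whatever `result` was initialised to before this loop, which lies outside the hunk — if it starts as a universal match, the deny-by-default claim in the commit message would be false, so the initialisation site should be checked and the comment should say where the empty result comes from. A second gap is that `json_object_get` returns non-NULL for a present value of the wrong type, so a constraint like `"realm": "*"` (string, not array) passes the `!intersect` test and reaches the `json_array_foreach` with an object that is not an array; a malformed-but-present constraint should be treated as deny, e.g. `if (intersect && !json_is_array(intersect)) return NULL;` after the NULL check, assuming NULL is this function's failure return. The enclosing function constraint_intersect_internal begins and ends outside the hunk, and the loop the `continue` targets is not visible here.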