From: Jennifer Richards
Date: Mon, 12 Jun 2017 17:54:11 +0000 (-0400)
Subject: Use new tr_filter_apply() function for TID_REQ filtering
X-Git-Tag: v3.0.0~19
X-Git-Url: http://www.project-moonshot.org/gitweb/?p=trust_router.git;a=commitdiff_plain;h=96d1ed78da99a3e5da24c25158ef24136e4789f8
Use new tr_filter_apply() function for TID_REQ filtering
---
diff --git a/common/tr_filter.c b/common/tr_filter.c
index d30ce7a..39a0fd7 100644
--- a/common/tr_filter.c
+++ b/common/tr_filter.c
@@ -196,47 +196,6 @@ int tr_filter_apply(void *target,
 return retval;
 }
-int tr_filter_process_rp_permitted(TR_NAME *rp_realm,
- TR_FILTER *rpp_filter,
- TR_CONSTRAINT_SET *in_constraints,
- TR_CONSTRAINT_SET **out_constraints,
- TR_FILTER_ACTION *out_action)
-{
- int i = 0, j = 0;
-
- *out_action = TR_FILTER_ACTION_REJECT;
- *out_constraints = NULL;
-
- /* If this isn't a valid rp_permitted filter, return no match. */
- if ((!rpp_filter) ||
- (TR_FILTER_TYPE_TID_INBOUND != rpp_filter->type)) {
- return TR_FILTER_NO_MATCH;
- }
-
- /* Check if there is a match for this filter. */
- for (i = 0; i < TR_MAX_FILTER_LINES; i++) {
- for (j = 0; j < TR_MAX_FILTER_SPECS; j++) {
-
- if ((rpp_filter->lines[i]) &&
- (rpp_filter->lines[i]->specs[j]) &&
- (tr_fspec_matches(rpp_filter->lines[i]->specs[j], 0, rp_realm))) { /* todo: fix or remove */
- *out_action = rpp_filter->lines[i]->action;
- *out_constraints = in_constraints;
- if (rpp_filter->lines[i]->realm_cons)
- tr_constraint_add_to_set(out_constraints,
- rpp_filter->lines[i]->realm_cons);
- if (rpp_filter->lines[i]->domain_cons)
- tr_constraint_add_to_set(out_constraints,
- rpp_filter->lines[i]->domain_cons);
-
- return TR_FILTER_MATCH;
- }
- }
- }
- /* If there is no match, indicate that. */
- return TR_FILTER_NO_MATCH;
-}
-
 void tr_fspec_free(TR_FSPEC *fspec)
 {
 talloc_free(fspec);
diff --git a/include/tr_filter.h b/include/tr_filter.h
index a6f8651..bbee2dc 100644
--- a/include/tr_filter.h
+++ b/include/tr_filter.h
@@ -121,8 +121,6 @@ int tr_fspec_matches(TR_FSPEC *fspec, TR_FILTER_TYPE ftype, void *target);
 int TR_EXPORT tr_prefix_wildcard_match(const char *str, const char *wc_str);
 int tr_filter_apply(void *target, TR_FILTER *filt, TR_CONSTRAINT_SET **constraints, TR_FILTER_ACTION *out_action);
-int tr_filter_process_rp_permitted(TR_NAME *rp_realm, TR_FILTER *rpp_filter, TR_CONSTRAINT_SET *in_constraints,
- TR_CONSTRAINT_SET **out_constraints, TR_FILTER_ACTION *out_action);
 TR_CONSTRAINT_SET *tr_constraint_set_from_fline(TR_FLINE *fline);
diff --git a/tr/tr_tid.c b/tr/tr_tid.c
index 7a09dda..ee3fe1c 100644
--- a/tr/tr_tid.c
+++ b/tr/tr_tid.c
@@ -302,13 +302,16 @@ static int tr_tids_req_handler(TIDS_INSTANCE *tids,
 goto cleanup;
 }
- if ((TR_FILTER_NO_MATCH == tr_filter_process_rp_permitted(orig_req->rp_realm,
- tr_filter_set_get(tids->rp_gss->filters,
- TR_FILTER_TYPE_TID_INBOUND),
- orig_req->cons,
- &fwd_req->cons,
- &oaction)) ||
- (TR_FILTER_ACTION_REJECT == oaction)) {
+ /* Keep original constraints, may add more from the filter. These will be added to orig_req as
+ * well. Need to verify that this is acceptable behavior, but it's what we've always done. */
+ fwd_req->cons=orig_req->cons;
+
+ if ((TR_FILTER_NO_MATCH == tr_filter_apply(orig_req,
+ tr_filter_set_get(tids->rp_gss->filters,
+ TR_FILTER_TYPE_TID_INBOUND),
+ &(fwd_req->cons),
+ &oaction)) ||
+ (TR_FILTER_ACTION_ACCEPT != oaction)) {
 tr_notice("tr_tids_req_handler: RP realm (%s) does not match RP Realm filter for GSS name", orig_req->rp_realm->buf);
 tids_send_err_response(tids, orig_req, "RP Realm filter error");
 retval=-1;
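Review bot: In the tr/tr_tid.c hunk, `fwd_req->cons=orig_req->cons;` now runs before the filter verdict, so on the no-match and reject paths `fwd_req` still aliases the original request's constraint set, whereas the removed `tr_filter_process_rp_permitted()` set the output to NULL and only shared the set once a filter line matched. The cleanup code of `tr_tids_req_handler` is outside this hunk, so it should be confirmed that releasing `fwd_req` there cannot free or invalidate `orig_req->cons`; if it can, clearing the alias in the rejection branch with `fwd_req->cons=NULL;` before the jump to cleanup would restore the old behaviour. The old function also returned `TR_FILTER_NO_MATCH` explicitly for a NULL filter, and only the tail of `tr_filter_apply()` is visible here, so it is worth checking that it handles a NULL result from `tr_filter_set_get()` the same way and does not leave `oaction` unset. The new comment would be more useful if it stated who owns the shared set, and that the two requests only stay in sync while `orig_req->cons` is non-NULL, should the filter allocate a fresh set otherwise. Comparing against `TR_FILTER_ACTION_ACCEPT` rather than `TR_FILTER_ACTION_REJECT` makes the check fail closed for any other action value, which is the right direction.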