2002-03-02 Sam Hartman <hartmans@mit.edu>
authorSam Hartman <hartmans@mit.edu>
Sun, 3 Mar 2002 03:05:40 +0000 (03:05 +0000)
committerSam Hartman <hartmans@mit.edu>
Sun, 3 Mar 2002 03:05:40 +0000 (03:05 +0000)
* server_acl.c (acl_find_entry):  Patch from sxw@sxw.org.uk:
patch to correct handling of ACL targets.  Previous patch from
Matt Crawford  seems to only work for * targets where it ignores
the restrictions.  This patch seems to work for all the semantics
described in Matt's original message, at least as far as I tested.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14214 dc483132-0cff-0310-8789-dd5450dbe970

src/lib/kadm5/srv/ChangeLog
src/lib/kadm5/srv/server_acl.c

index d9a7ee7d91f2f718750b4cfac558b63a6ca0d4c7..b3921ea564be96e0635cd21e70225e238cf10a2f 100644 (file)
@@ -1,3 +1,11 @@
+2002-03-02  Sam Hartman  <hartmans@mit.edu>
+
+       * server_acl.c (acl_find_entry):  Patch from sxw@sxw.org.uk:
+       patch to correct handling of ACL targets.  Previous patch from
+       Matt Crawford  seems to only work for * targets where it ignores
+       the restrictions.  This patch seems to work for all the semantics
+       described in MATt's original message, at least as far as I tested.
+
 2001-10-22  Tom Yu  <tlyu@mit.edu>
 
        * svr_principal.c (kadm5_decrypt_key): For now, coerce enctype of
index e114bfc865b3a1cb4b63edb4cd5a578831a44bc7..b2ebaaa3647553a7244d63bfe533585de265caa1 100644 (file)
@@ -643,39 +643,37 @@ acl_find_entry(kcontext, principal, dest_princ)
            continue;
 
        /* We've matched the principal.  If we have a target, then try it */
-       if (entry->ae_target) {
-           if (!strcmp(entry->ae_target, "*"))
-               break;
+       if (entry->ae_target && strcmp(entry->ae_target, "*")) {
            if (!entry->ae_target_princ && !entry->ae_target_bad) {
                kret = krb5_parse_name(kcontext, entry->ae_target,
                                       &entry->ae_target_princ);
                if (kret)
                    entry->ae_target_bad = 1;
            }
-       }
-       if (entry->ae_target_bad) {
-           DPRINT(DEBUG_ACL, acl_debug_level,
-                  ("Bad target in ACL entry for %s\n", entry->ae_name));
-           entry->ae_name_bad = 1;
-           continue;
-       }
-       if (entry->ae_target && !dest_princ)
-           matchgood = 0;
-       else if (entry->ae_target && entry->ae_target_princ && dest_princ) {
-           if (acl_match_data(&entry->ae_target_princ->realm,
-                              &dest_princ->realm, 1, (wildstate_t *)0) &&
-               (entry->ae_target_princ->length == dest_princ->length)) {
-               for (i=0; i<dest_princ->length; i++) {
-                   if (!acl_match_data(&entry->ae_target_princ->data[i],
-                                       &dest_princ->data[i], 1, &state)) {
-                       matchgood = 0;
-                       break;
+           if (entry->ae_target_bad) {
+               DPRINT(DEBUG_ACL, acl_debug_level,
+                      ("Bad target in ACL entry for %s\n", entry->ae_name));
+               entry->ae_name_bad = 1;
+               continue;
+           }
+           if (!dest_princ)
+               matchgood = 0;
+           else if (entry->ae_target_princ && dest_princ) {
+               if (acl_match_data(&entry->ae_target_princ->realm,
+                                  &dest_princ->realm, 1, (wildstate_t *)0) &&
+                   (entry->ae_target_princ->length == dest_princ->length)) {
+                   for (i=0; i<dest_princ->length; i++) {
+                       if (!acl_match_data(&entry->ae_target_princ->data[i],
+                                           &dest_princ->data[i], 1, &state)) {
+                           matchgood = 0;
+                           break;
+                       }
                    }
-               }
+               }
+               else
+                   matchgood = 0;
            }
-           else
-               matchgood = 0;
-       }
+        }
        if (!matchgood)
            continue;
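Review bot: The new `else if (entry->ae_target_princ && dest_princ)` branch fails open: when neither it nor the `if (!dest_princ)` branch above it runs, `matchgood` keeps whatever value it had after the principal matched, and the entry is accepted without its target being compared. The parse block above appears to guarantee a non-NULL `ae_target_princ` at this point (a failed parse sets `ae_target_bad` and the entry is skipped), but an ACL decision should not rest on that invariant. I would write `else if (!entry->ae_target_princ) matchgood = 0;` followed by a plain `else { ... }`, which also drops the redundant `&& dest_princ`. Separately, the bad-target path sets `entry->ae_name_bad = 1` rather than a target flag; this looks intended to make later lookups skip the entry, and a one-line comment saying so would help. acl_find_entry starts and ends outside this hunk, so how `state` is initialised and how restrictions are applied after the final `if (!matchgood)` cannot be checked here.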