From 7ca1257c8b6a6d3fa1adc292bbc6a1fc7900f9a7 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Sun, 3 Mar 2002 03:05:40 +0000 Subject: [PATCH] 2002-03-02 Sam Hartman * server_acl.c (acl_find_entry): Patch from sxw@sxw.org.uk: patch to correct handling of ACL targets. Previous patch from Matt Crawford seems to only work for * targets where it ignores the restrictions. This patch seems to work for all the semantics described in MATt's original message, at least as far as I tested. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14214 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/kadm5/srv/ChangeLog | 8 ++++++ src/lib/kadm5/srv/server_acl.c | 48 ++++++++++++++++------------------ 2 files changed, 31 insertions(+), 25 deletions(-) diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog index d9a7ee7d9..b3921ea56 100644 --- a/src/lib/kadm5/srv/ChangeLog +++ b/src/lib/kadm5/srv/ChangeLog @@ -1,3 +1,11 @@ +2002-03-02 Sam Hartman + + * server_acl.c (acl_find_entry): Patch from sxw@sxw.org.uk: + patch to correct handling of ACL targets. Previous patch from + Matt Crawford seems to only work for * targets where it ignores + the restrictions. This patch seems to work for all the semantics + described in MATt's original message, at least as far as I tested. + 2001-10-22 Tom Yu * svr_principal.c (kadm5_decrypt_key): For now, coerce enctype of diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c index e114bfc86..b2ebaaa36 100644 --- a/src/lib/kadm5/srv/server_acl.c +++ b/src/lib/kadm5/srv/server_acl.c 
@@ -643,39 +643,37 @@ acl_find_entry(kcontext, principal, dest_princ) continue; /* We've matched the principal. If we have a target, then try it */ - if (entry->ae_target) { - if (!strcmp(entry->ae_target, "*")) - break; + if (entry->ae_target && strcmp(entry->ae_target, "*")) { if (!entry->ae_target_princ && !entry->ae_target_bad) { kret = krb5_parse_name(kcontext, entry->ae_target, &entry->ae_target_princ); if (kret) entry->ae_target_bad = 1; } - } - if (entry->ae_target_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad target in ACL entry for %s\n", entry->ae_name)); - entry->ae_name_bad = 1; - continue; - } - if (entry->ae_target && !dest_princ) - matchgood = 0; - else if (entry->ae_target && entry->ae_target_princ && dest_princ) { - if (acl_match_data(&entry->ae_target_princ->realm, - &dest_princ->realm, 1, (wildstate_t *)0) && - (entry->ae_target_princ->length == dest_princ->length)) { - for (i=0; ilength; i++) { - if (!acl_match_data(&entry->ae_target_princ->data[i], - &dest_princ->data[i], 1, &state)) { - matchgood = 0; - break; + if (entry->ae_target_bad) { + DPRINT(DEBUG_ACL, acl_debug_level, + ("Bad target in ACL entry for %s\n", entry->ae_name)); + entry->ae_name_bad = 1; + continue; + } + if (!dest_princ) + matchgood = 0; + else if (entry->ae_target_princ && dest_princ) { + if (acl_match_data(&entry->ae_target_princ->realm, + &dest_princ->realm, 1, (wildstate_t *)0) && + (entry->ae_target_princ->length == dest_princ->length)) { + for (i=0; ilength; i++) { + if (!acl_match_data(&entry->ae_target_princ->data[i], + &dest_princ->data[i], 1, &state)) { + matchgood = 0; + break; + } } - } + } + else + matchgood = 0; } - else - matchgood = 0; - } + } if (!matchgood) continue; -- 2.26.2
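Review bot: The target check still has a fail-open path: inside the new `if (entry->ae_target && strcmp(entry->ae_target, "*"))` block, the chain `if (!dest_princ) ... else if (entry->ae_target_princ && dest_princ)` has no final `else`. An entry with a non-wildcard target, `ae_target_bad` equal to 0 and a NULL `ae_target_princ` therefore keeps the `matchgood` value from the principal match and is accepted for any destination principal. That state is presumably unreachable after a successful `krb5_parse_name`, but an authorization decision should not rely on it; I would close the chain with `else matchgood = 0;` and drop the redundant `&& dest_princ` from the `else if`. Writing the wildcard test as `strcmp(entry->ae_target, "*") != 0` would also make the sense of the comparison explicit, since the previous version of this check got exactly that case wrong. `matchgood` and `state` are set outside the hunk and `acl_find_entry` continues past it, so their initial values should be confirmed against the full function.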