author | Martin Willi <martin@revosec.ch> | 2010-07-09 13:51:58 +0200 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2010-07-09 13:51:58 +0200 |
commit | cfa1c0760496f8963330803e07be8a8ba38bc506 (patch) | |
tree | bc7f7cf11e3c901527a12d86544167d963f5351b | |
parent | ec7adea0073a603f1ba40c45a931ec7eadab25d9 (diff) | |
Group membership constraint is fulfilled if subject is member in one of the groups
-rw-r--r-- | src/libcharon/config/auth_cfg.c | 24 | ||||
-rw-r--r-- | src/libcharon/config/auth_cfg.h | 4 |
2 files changed, 20 insertions, 8 deletions
diff --git a/src/libcharon/config/auth_cfg.c b/src/libcharon/config/auth_cfg.c
index 6f249e89d..c34bdaffb 100644
--- a/src/libcharon/config/auth_cfg.c
+++ b/src/libcharon/config/auth_cfg.c
@@ -308,7 +308,7 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 bool log_error)
 {
 enumerator_t *e1, *e2;
- bool success = TRUE;
+ bool success = TRUE, has_group = FALSE, group_match = FALSE;
 auth_rule_t t1, t2;
 void *value;
@@ -463,17 +463,18 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 {
 identification_t *id1, *id2;
+ /* for groups, a match of a single group is sufficient */
+ has_group = TRUE;
 id1 = (identification_t*)value;
- id2 = get(this, t1);
- if (!id2 || !id2->matches(id2, id1))
+ e2 = create_enumerator(this);
+ while (e2->enumerate(e2, &t2, &id2))
 {
- success = FALSE;
- if (log_error)
+ if (t2 == AUTH_RULE_GROUP && id2->matches(id2, id1))
 {
- DBG1(DBG_CFG, "constraint check failed: membership to " "group '%Y' required", id1);
+ group_match = TRUE;
 }
 }
+ e2->destroy(e2);
 break;
 }
 case AUTH_HELPER_IM_CERT:
@@ -489,6 +490,15 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 }
 }
 e1->destroy(e1);
+
+ if (has_group && !group_match) { if (log_error) { DBG1(DBG_CFG, "constraint check failed: group membership required"); } return FALSE; }
 return success;
 }
diff --git a/src/libcharon/config/auth_cfg.h b/src/libcharon/config/auth_cfg.h
index 6bee5fc5e..7a1454b4b 100644
--- a/src/libcharon/config/auth_cfg.h
+++ b/src/libcharon/config/auth_cfg.h
@@ -62,7 +62,9 @@ enum auth_rule_t {
 AUTH_RULE_CRL_VALIDATION,
 /** result of a OCSP validation, cert_validation_t */
 AUTH_RULE_OCSP_VALIDATION,
- /** subject is member of a group, identification_t* */
+ /** subject is member of a group, identification_t* * The group membership constraint is fulfilled if the subject is member of * one group defined in the constraints. */
 AUTH_RULE_GROUP,
 /** intermediate certificate, certificate_t* */ |
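Review bot: The failure message added in the third hunk, `DBG1(DBG_CFG, "constraint check failed: group membership required");`, no longer names the group(s) the constraint required, which the removed `'%Y'` message did, so a rejected peer is harder to diagnose from the log alone. Since `id1` is out of scope after the loop, one option is to keep the constraint's group in a variable declared with the others (`identification_t *group = NULL;`), assign `group = id1;` in the AUTH_RULE_GROUP case, and log `"constraint check failed: membership to group '%Y' required", group`; with several group constraints only the last one would be named, which the message could state. The match loop in the second hunk only dereferences `id2` when `t2 == AUTH_RULE_GROUP`, so the former `!id2` guard is not needed unless a group rule can be stored with a NULL value — worth confirming against add(). Both the enclosing switch and complies() itself start before the first hunk and continue outside the second.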