Acl fix (#993)
* ACL does not intercept messages with no key_expr

* Update DEFAULT_CONFIG.json5
OlivierHecart authored Apr 30, 2024
1 parent 4c277d3 commit 4806af0
Showing 2 changed files with 12 additions and 10 deletions.
2 changes: 2 additions & 0 deletions DEFAULT_CONFIG.json5
Expand Up @@ -175,6 +175,7 @@
// ],
// },
// ],

// /// configure access control (ACL) rules
// access_control: {
// ///[true/false] acl will be activated only if this is set to true
Expand All @@ -199,6 +200,7 @@
// },
// ]
//},

/// Configure internal transport parameters
transport: {
unicast: {
20 changes: 10 additions & 10 deletions zenoh/src/net/routing/interceptor/access_control.rs
Expand Up @@ -162,22 +162,22 @@ impl InterceptorTrait for IngressAclEnforcer {
None
}
})
.or_else(|| ctx.full_expr())?;
.or_else(|| ctx.full_expr());

match &ctx.msg.body {
NetworkBody::Push(Push {
payload: PushBody::Put(_),
..
}) => {
if self.action(Action::Put, "Put (ingress)", key_expr) == Permission::Deny {
if self.action(Action::Put, "Put (ingress)", key_expr?) == Permission::Deny {
return None;
}
}
NetworkBody::Request(Request {
payload: RequestBody::Query(_),
..
}) => {
if self.action(Action::Get, "Get (ingress)", key_expr) == Permission::Deny {
if self.action(Action::Get, "Get (ingress)", key_expr?) == Permission::Deny {
return None;
}
}
Expand All @@ -188,7 +188,7 @@ impl InterceptorTrait for IngressAclEnforcer {
if self.action(
Action::DeclareSubscriber,
"Declare Subscriber (ingress)",
key_expr,
key_expr?,
) == Permission::Deny
{
return None;
Expand All @@ -201,7 +201,7 @@ impl InterceptorTrait for IngressAclEnforcer {
if self.action(
Action::DeclareQueryable,
"Declare Queryable (ingress)",
key_expr,
key_expr?,
) == Permission::Deny
{
return None;
Expand Down Expand Up @@ -230,22 +230,22 @@ impl InterceptorTrait for EgressAclEnforcer {
None
}
})
.or_else(|| ctx.full_expr())?;
.or_else(|| ctx.full_expr());

match &ctx.msg.body {
NetworkBody::Push(Push {
payload: PushBody::Put(_),
..
}) => {
if self.action(Action::Put, "Put (egress)", key_expr) == Permission::Deny {
if self.action(Action::Put, "Put (egress)", key_expr?) == Permission::Deny {
return None;
}
}
NetworkBody::Request(Request {
payload: RequestBody::Query(_),
..
}) => {
if self.action(Action::Get, "Get (egress)", key_expr) == Permission::Deny {
if self.action(Action::Get, "Get (egress)", key_expr?) == Permission::Deny {
return None;
}
}
Expand All @@ -256,7 +256,7 @@ impl InterceptorTrait for EgressAclEnforcer {
if self.action(
Action::DeclareSubscriber,
"Declare Subscriber (egress)",
key_expr,
key_expr?,
) == Permission::Deny
{
return None;
Expand All @@ -269,7 +269,7 @@ impl InterceptorTrait for EgressAclEnforcer {
if self.action(
Action::DeclareQueryable,
"Declare Queryable (egress)",
key_expr,
key_expr?,
) == Permission::Deny
{
return None;
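Review bot: In each checked arm of `IngressAclEnforcer` and `EgressAclEnforcer` (Put, Get, Declare Subscriber, Declare Queryable), `key_expr?` drops the message silently when no key expression can be resolved, so an operator cannot tell this fail-closed path apart from an explicit `Permission::Deny`. Reading the `key_expr?` lines as the new side (the page prints old and new lines without markers), failing closed is the right default for an access-control interceptor, but it deserves a comment such as `// Fail closed: a controlled message with no resolvable key expression is dropped` and a log entry through whatever logging facility this file already uses. Messages that match none of these arms are forwarded without an ACL decision, and now also when they carry no key expression; the tail of the `match` lies outside the visible hunks, so it is worth confirming that every body type that can carry a key expression has an arm. Neither of the two changed files is a test, so a regression test for a message with no key expression, on both the ingress and the egress side, would pin the intended behaviour.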
