Fix multiple ACL handling bugs#1875
Merged
BareosBot merged 23 commits intobareos:masterfrom Jul 12, 2024
Merged
Conversation
8500660 to
587c4c0
Compare
sebsura
requested changes
Jul 8, 2024
Contributor
sebsura
left a comment
There was a problem hiding this comment.
Nice changes! I found some issues that i would like to see fixed.
b37a33d to
07b2935
Compare
11 tasks
Member
Author
|
The test |
78f3e2f to
ba910ad
Compare
sebsura
requested changes
Jul 11, 2024
Contributor
sebsura
left a comment
There was a problem hiding this comment.
I have not checked everything yet but these are things i noticed
71c9a0c to
5631ca1
Compare
This was referenced Jul 12, 2024
ACL handling for commands have been wrong. The UA detect a command, if all typed chars matches the start of a command string. E.g. "w" => "whoami", ".cons" => ".consoles", ... The ACL check also only used the typed part of the command, so if your ACL denies the command ".consoles", you could execute it with ".cons" (or ".co"). Now we check with the full command string against the ACL.
When using negative ACLs (ACLs starting with '!')
profiles could have overwritten this entries,
as the code did not distringuish between negative ACL and not found.
Now the ACL checking can have three states:
positive match found,
negative match found,
no match found.
Also unifies the ACL checking
and adding the ACL directive "!*all*"
to deny all (before a regex must be used ("!.*").
Make it work again with current python versions
Co-authored-by: Sebastian Sura <124262655+sebsura@users.noreply.github.com>
The usage strings are rewarped anyway,
so manual formating chars ("\n", "\t") are only misleading.
Before an invalid ACL emits and error but has than be igorned. Now parsing stops at an error and mark the whole configuration as invalid.
This is now implemented like it has been documented.
The documenation and code comments have described that an empty WhereACL would accept all input, like "*all*". In fact, that has never (?) been implemented in that way, therefore we removed this special case and handle the WhereACL like all other ACLs.
In some automated systemtests, the path did contain the "~", which is considerd invalid in a WhereACL. Changed the WhereACL to circumvent that.
Invalid chars in WhereAcls are now properly marked as configuration errors. Therefore in the original test config-syntax-crash, the Bareos Director refuses to start (with a proper error message), instead of just ignoring the invalid entry. Instead of adapting the config-syntax-crash, the test for invalid chars is now added to the python-bareos tests and the config-syntax-crash removed.
Co-authored-by: Sebastian Sura <124262655+sebsura@users.noreply.github.com>
exit is an alias to quit, so handle exit identical as quit.
On ModifyJobParameters, check PluginOptionsACL and the WhereACL also for regexwhere.
4fd5ecc to
af86d44
Compare
joergsteffens
added a commit
to joergsteffens/bareos
that referenced
this pull request
Jul 12, 2024
As bareos#1875 and its backports (down to bareos-21) have been merged, we could simply the ReaR configuration by using a standard Profile.
joergsteffens
added a commit
to joergsteffens/bareos
that referenced
this pull request
Jul 12, 2024
As bareos#1875 and its backports (down to bareos-21) have been merged, we could simplify the ReaR configuration by using a standard Profile.
joergsteffens
added a commit
to joergsteffens/bareos
that referenced
this pull request
Jul 12, 2024
As bareos#1875 and its backports (down to bareos-21) have been merged, we could simplify the ReaR configuration by using a standard Profile.
BareosBot
pushed a commit
to joergsteffens/bareos
that referenced
this pull request
Jul 12, 2024
As bareos#1875 and its backports (down to bareos-21) have been merged, we could simplify the ReaR configuration by using a standard Profile.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
ACL handling for commands have been wrong.
The UA detect a command, if all typed chars matches the start of a
command string. E.g. "w" => "whoami", ".cons" => ".consoles", ...
The ACL check also only used the typed part of the command,
so if your ACL denies the command ".consoles",
you could execute it with ".cons" (or ".co").
Now we check with the full command string against the ACL.
Fix handling ACL profiles
When using negative ACLs (ACLs starting with '!')
profiles could have overwritten this entries,
as the code did not distringuish between negative ACL and not found.
Now the ACL checking can have three states:
positive match found,
negative match found,
no match found.
Also unifies the ACL checking
and adding the ACL directive
!*all*to deny all (before a regex must be used (
!.*).Please check
If you have any questions or problems, please give a comment in the PR.
Helpful documentation and best practices
Checklist for the reviewer of the PR (will be processed by the Bareos team)
Make sure you check/merge the PR using
devtools/pr-toolto have some simple automated checks run and a proper changelog record added.General
Source code quality
Tests