fix scionproto#4504: ensure acl default rule matches all for unmarsha…

…lled json and yaml acls
fbuetler · Apr 12, 2024 · fd01f12 · fd01f12
1 parent f9c9639
commit fd01f12
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 2 deletions.
diff --git a/private/path/pathpol/acl.go b/private/path/pathpol/acl.go
@@ -61,15 +61,23 @@ func (a *ACL) MarshalJSON() ([]byte, error) {
 }
 
 func (a *ACL) UnmarshalJSON(b []byte) error {
-	return json.Unmarshal(b, &a.Entries)
+	err := json.Unmarshal(b, &a.Entries)
+	if len(a.Entries) == 0 || !a.Entries[len(a.Entries)-1].Rule.matchesAll() {
+		return ErrNoDefault
+	}
+	return err
 }
 
 func (a *ACL) MarshalYAML() (interface{}, error) {
 	return a.Entries, nil
 }
 
 func (a *ACL) UnmarshalYAML(unmarshal func(interface{}) error) error {
-	return unmarshal(&a.Entries)
+	err := unmarshal(&a.Entries)
+	if len(a.Entries) == 0 || !a.Entries[len(a.Entries)-1].Rule.matchesAll() {
+		return ErrNoDefault
+	}
+	return err
 }
 
 func (a *ACL) evalPath(pm *snet.PathMetadata) ACLAction {

diff --git a/private/path/pathpol/acl_test.go b/private/path/pathpol/acl_test.go
@@ -60,6 +60,38 @@ func TestNewACL(t *testing.T) {
 	}
 }
 
+func TestUnmarshalJSON(t *testing.T) {
+	tests := map[string]struct {
+		Input       []byte
+		ExpectedErr error
+	}{
+		"No entry": {
+			Input:       []byte{},
+			ExpectedErr: ErrNoDefault,
+		},
+		"No default entry": {
+			Input:       []byte(`"+ 42"`),
+			ExpectedErr: ErrNoDefault,
+		},
+		"Entry without rule": {
+			Input: []byte(`["+"]`),
+		},
+		"Entry with hop predicates": {
+			Input: []byte(`["+ 42", "-"]`),
+		},
+	}
+	for name, test := range tests {
+		t.Run(name, func(t *testing.T) {
+			var acl ACL
+			err := acl.UnmarshalJSON(test.Input)
+			assert.ErrorIs(t, err, test.ExpectedErr)
+			if test.ExpectedErr == nil {
+				assert.NotNil(t, acl)
+			}
+		})
+	}
+}
+
 func TestACLEntryLoadFromString(t *testing.T) {
 	tests := map[string]struct {
 		String         string