checking for obsolete entries in an ACL

scionproto · Apr 17, 2024 · e67b7ba · e67b7ba
1 parent e5b1f72
commit e67b7ba
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/private/path/pathpol/acl.go b/private/path/pathpol/acl.go
@@ -27,6 +27,9 @@ import (
 var (
  // ErrNoDefault indicates that there is no default acl entry.
  ErrNoDefault = errors.New("ACL does not have a default")
+ // ErrObsoleteEntries indicates that there is a default acl entry posisioned in
+ // the middle, making the following acl entries obsolete.
+ ErrObsoleteEntries = errors.New("ACL has a default entry posisioned in the middle, making the following entries obsolete")
 )
 
 type ACL struct {
@@ -97,9 +100,26 @@ func (a *ACL) evalInterface(iface snet.PathInterface, ingress bool) ACLAction {
 }
 
 func validateACL(entries []*ACLEntry) error {
- if len(entries) == 0 || !entries[len(entries)-1].Rule.matchesAll() {
+ if len(entries) == 0 {
  return ErrNoDefault
  }
+
+ foundAt := -1
+ for i, e := range entries {
+ if e.Rule.matchesAll() {
+ foundAt = i
+ break
+ }
+ }
+
+ if foundAt < 0 {
+ return ErrNoDefault
+ }
+
+ if foundAt != len(entries)-1 {
+ return ErrObsoleteEntries
+ }
+
  return nil
 }
 

diff --git a/private/path/pathpol/acl_test.go b/private/path/pathpol/acl_test.go
@@ -79,6 +79,14 @@ func TestUnmarshalJSON(t *testing.T) {
  "Entry with hop predicates": {
  Input: `["+ 42", "-"]`,
  },
+ "Obsolete entries (first)": {
+ Input: `["-", "+ 27"]`,
+ ExpectedErr: ErrObsoleteEntries,
+ },
+ "Obsolete entries (in the middle)": {
+ Input: `["+ 42", "-", "+ 27", "- 30"]`,
+ ExpectedErr: ErrObsoleteEntries,
+ },
  }
  for name, test := range tests {
  t.Run(name, func(t *testing.T) {