vilmibm · May 10, 2016 23:39
diff --git a/acl.clj b/acl.clj
 (schema/defn match-extensions? :- schema/Bool
  "Returns true if the provided SSL extension map matches the configured ACE.
  All of the keys in the ACE must appear in the extensions map and, if the value
  for a key in the ACE is a list, at least one of the listed values must be set
  in the incoming extensions map.

  Note the behavior in the following scenario: If an ACE specifies
  {:deny {:extensions {:pp_env 'test'
                       :pp_image 'bad image'}}}

  *ONLY* a request with both :pp_env set to 'test' and :pp_image set to 'bad
  image' would be denied. If *any* request with :pp_env set to 'test' is to be
  denied, it needs a standalone deny rule.

  If the :subject_alt_name key is present in the extension map, a match is done
  for each givenName key in the incoming request. For example, given a rule like
  this:

  {:extensions {:subject_alt_name {:dns-name [\"foobar.org\" \"barbaz.net\"]
                                   :ip \"192.168.0.1\"}}}

  these requests would match:

  {:extensions {:subject_alt_name {:dns-name [\"foobar.org\" \"slimjim.net\"]}}}

  {:extensions {:subject_alt_name {:dns-name [\"snapinto.org\" \"slimjim.net\"]
                                   :ip       [\"192.168.0.1\"]}}}

  and these would not match:

  {:extensions {:subject_alt_name {:dns-name [\"snapinto.org\" \"slimjim.net\"]
                                   :ip       [\"192.168.0.0\"]}}}

  {:extensions {:subject_alt_name {:dns-name [\"foobar.org\" \"slimjim.net\"]
                                   :ip       [\"192.168.0.1\"]}}}"
  [oid-map :- OIDMap
   ace :- ACE
   extensions :- Extensions]
  (let [oid-map' (merge default-oid-map oid-map)
        wrap-scalar (fn [x] (if (sequential? x) x [x]))
        match-key (fn [k]
                    (let [ace-value (get (:value ace) k)
                          ;; potentially translate from oid -> shortname
                          k' (get oid-map' (name k) k)
                          ext-value (get extensions k' false)
                          given-names-match? (fn [k] (not
                                                      (empty?
                                                       (intersection (set (get ext-value k))
                                                                     (set (wrap-scalar
                                                                           (get ace-value k)))))))]
                      (if ext-value
                        (if (= :subject_alt_name k')
                          (reduce (fn [acc key] (or acc (given-names-match? key)))
                                  false
                                  (keys ext-value))
                          (not (nil? (some (partial = ext-value)
                                           (wrap-scalar ace-value)))))
                        false)))]
    (every? match-key (keys (:value ace)))))
	(schema/defn match-extensions? :- schema/Bool
	"Returns true if the provided SSL extension map matches the configured ACE.
	All of the keys in the ACE must appear in the extensions map and, if the value
	for a key in the ACE is a list, at least one of the listed values must be set
	in the incoming extensions map.

	Note the behavior in the following scenario: If an ACE specifies
	{:deny {:extensions {:pp_env 'test'
	:pp_image 'bad image'}}}

	ONLY a request with both :pp_env set to 'test' and :pp_image set to 'bad
	image' would be denied. If any request with :pp_env set to 'test' is to be
	denied, it needs a standalone deny rule.

	If the :subject_alt_name key is present in the extension map, a match is done
	for each givenName key in the incoming request. For example, given a rule like
	this:

	{:extensions {:subject_alt_name {:dns-name [\"foobar.org\" \"barbaz.net\"]
	:ip \"192.168.0.1\"}}}

	these requests would match:

	{:extensions {:subject_alt_name {:dns-name [\"foobar.org\" \"slimjim.net\"]}}}

	{:extensions {:subject_alt_name {:dns-name [\"snapinto.org\" \"slimjim.net\"]
	:ip [\"192.168.0.1\"]}}}

	and these would not match:

	{:extensions {:subject_alt_name {:dns-name [\"snapinto.org\" \"slimjim.net\"]
	:ip [\"192.168.0.0\"]}}}

	{:extensions {:subject_alt_name {:dns-name [\"foobar.org\" \"slimjim.net\"]
	:ip [\"192.168.0.1\"]}}}"
	[oid-map :- OIDMap
	ace :- ACE
	extensions :- Extensions]
	(let [oid-map' (merge default-oid-map oid-map)
	wrap-scalar (fn [x] (if (sequential? x) x [x]))
	match-key (fn [k]
	(let [ace-value (get (:value ace) k)
	;; potentially translate from oid -> shortname
	k' (get oid-map' (name k) k)
	ext-value (get extensions k' false)
	given-names-match? (fn [k] (not
	(empty?
	(intersection (set (get ext-value k))
	(set (wrap-scalar
	(get ace-value k)))))))]
	(if ext-value
	(if (= :subject_alt_name k')
	(reduce (fn [acc key] (or acc (given-names-match? key)))
	false
	(keys ext-value))
	(not (nil? (some (partial = ext-value)
	(wrap-scalar ace-value)))))
	false)))]
	(every? match-key (keys (:value ace)))))