"RULE_SUBJECT_CERT",
"RULE_CRL_VALIDATION",
"RULE_OCSP_VALIDATION",
- "RULE_AC_GROUP",
+ "RULE_GROUP",
"HELPER_IM_CERT",
"HELPER_SUBJECT_CERT",
"HELPER_IM_HASH_URL",
{
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
identification_t *id = (identification_t*)entry->value;
id->destroy(id);
break;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
return (void*)VALIDATION_FAILED;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
break;
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
case AUTH_RULE_CA_CERT:
case AUTH_RULE_IM_CERT:
case AUTH_RULE_SUBJECT_CERT:
}
break;
}
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
- success = FALSE;
- if (log_error)
+ identification_t *id1, *id2;
+
+ id1 = (identification_t*)value;
+ id2 = get(this, t1);
+ if (!id2 || !id2->matches(id2, id1))
{
- DBG1(DBG_CFG, "constraint check %N not implemented!",
- auth_rule_names, t1);
+ success = FALSE;
+ if (log_error)
+ {
+ DBG1(DBG_CFG, "constraint check failed: membership to "
+ "group '%Y' required", id1);
+ }
}
break;
}
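Review bot: The membership test at `id2 = get(this, t1);` consults a single AUTH_RULE_GROUP entry, while the group parser in this same commit adds one AUTH_RULE_GROUP entry per comma-separated group, so a subject belonging to several groups is only checked against whichever entry get() returns (presumably the first) and can fail a constraint naming one of its other groups. Enumerating every entry of type t1 on `this` and accepting the constraint as soon as one matches avoids that; the failure branch with `success = FALSE` and the DBG1 log stays as it is. The enclosing function starts and ends outside the hunk, and the fence assumes a file-local enumerator constructor paired with get() exists, so that name may need adjusting.
```c
case AUTH_RULE_GROUP:
{
    identification_t *id1, *id2;
    enumerator_t *e2;
    auth_rule_t t2;
    bool match = FALSE;

    /* one AUTH_RULE_GROUP entry is added per group the subject belongs to,
     * so the required group must be compared against all of them */
    id1 = (identification_t*)value;
    e2 = create_enumerator(this);
    while (e2->enumerate(e2, &t2, &id2))
    {
        if (t2 == t1 && id2->matches(id2, id1))
        {
            match = TRUE;
            break;
        }
    }
    e2->destroy(e2);
    if (!match)
    {
        /* … unchanged: success = FALSE and the DBG1 constraint log … */
    }
    break;
}
```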
}
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
identification_t *id = (identification_t*)value;
}
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
identification_t *id1, *id2;
{
case AUTH_RULE_IDENTITY:
case AUTH_RULE_EAP_IDENTITY:
- case AUTH_RULE_AC_GROUP:
+ case AUTH_RULE_GROUP:
{
identification_t *id = (identification_t*)entry->value;
clone->add(clone, entry->type, id->clone(id));
AUTH_RULE_CRL_VALIDATION,
/** result of a OCSP validation, cert_validation_t */
AUTH_RULE_OCSP_VALIDATION,
- /** subject is in attribute certificate group, identification_t* */
- AUTH_RULE_AC_GROUP,
+ /** subject is member of a group, identification_t* */
+ AUTH_RULE_GROUP,
/** intermediate certificate, certificate_t* */
AUTH_HELPER_IM_CERT,
}
}
- /* AC groups */
+ /* groups */
if (end->groups)
{
enumerator_t *enumerator;
enumerator = enumerator_create_token(end->groups, ",", " ");
while (enumerator->enumerate(enumerator, &group))
{
- identity = identification_create_from_encoding(ID_IETF_ATTR_STRING,
- chunk_create(group, strlen(group)));
- cfg->add(cfg, AUTH_RULE_AC_GROUP, identity);
+ cfg->add(cfg, AUTH_RULE_GROUP,
+ identification_create_from_string(group));
}
enumerator->destroy(enumerator);
}
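Review bot: `identification_create_from_string(group)` picks the identity type from the string's shape (if it parses by format as its name suggests), so a group name that looks like an e-mail address, an FQDN or an IP address gets that type, whereas the removed code always produced ID_IETF_ATTR_STRING. The resulting identity is later compared with `matches()`, which also has to agree on the type, so the backend must deliver group identities of the same type or membership silently fails; a comment above the `cfg->add` call stating that expectation would help, e.g. `/* group names are parsed like any identity; the backend must attach group identities of the same type for matches() to succeed */`. The enclosing function starts and ends outside the hunk.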
rules = auth->create_enumerator(auth);
while (rules->enumerate(rules, &rule, &id))
{
- if (rule == AUTH_RULE_AC_GROUP)
+ if (rule == AUTH_RULE_GROUP)
{
fprintf(out, "%12s: group: %Y\n", name, id);
}
"ID_DER_ASN1_GN",
"ID_KEY_ID");
ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
- "ID_DER_ASN1_GN_URI"
- "ID_IETF_ATTR_STRING"
+ "ID_DER_ASN1_GN_URI",
"ID_MYID");
ENUM_END(id_type_names, ID_MYID);
case ID_FQDN:
case ID_RFC822_ADDR:
case ID_DER_ASN1_GN_URI:
- case ID_IETF_ATTR_STRING:
chunk_printable(this->encoded, &proper, '?');
snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr);
chunk_free(&proper);
ID_DER_ASN1_GN_URI = 201,
/**
- * IETF Attribute Syntax String (RFC 3281)
- */
- ID_IETF_ATTR_STRING = 202,
-
- /**
* Private ID used by the pluto daemon for opportunistic encryption
*/
ID_MYID = 203,