Allow to exclude patterns as well (fix #305)

30a25503 · Benjamin "Ziirish" SANS · ed2a646a · 30a25503 · 30a25503 · 30a25503
Verified Commit 30a25503 authored Sep 27, 2019 by Benjamin "Ziirish" SANS
4 changed files
--- a/burpui/misc/acl/meta.py
+++ b/burpui/misc/acl/meta.py
@@ -49,6 +49,27 @@ def _extract_key(data, key, name, default=[], fallback='clients'):
    return extract.get(fallback, default)


+def _glob_match(globs, string, extended=True):
+    def __eval_glob(glob):
+        if extended:
+            reg = fnmatch.translate(glob)
+            return re.match(reg, string)
+        return glob == string
+    if not isinstance(globs, list):
+        if __eval_glob(globs):
+            return [globs]
+        return []
+    ret = []
+    for glob in globs:
+        if __eval_glob(glob):
+            if extended:
+                ret.append(glob)
+            else:
+                ret.append(string)
+                break
+    return ret
+
+
 class BUImetaGrant(object):

    def _merge_data(self, d1, d2):
@@ -549,7 +570,7 @@ class BUIgrantHandler(BUImetaGrant, BUIacl):
                            for odr in order:
                                if odr == 'exclude' and (
                                        any(x in excludes for x in client_match) or
-                                        client in excludes):
+                                        _glob_match(excludes, client, self.opt('extended'))):
                                    return False
                                elif any(x in y
                                         for x in server_match
@@ -565,7 +586,7 @@ class BUIgrantHandler(BUImetaGrant, BUIacl):
                        for odr in order:
                            if odr == 'exclude' and (
                                    any(x in excludes for x in client_match) or
-                                    client in excludes):
+                                    _glob_match(excludes, client, self.opt('extended'))):
                                return False
                            elif client_match is not False and \
                                    (any(x in adv2 for x in client_match) or
@@ -580,7 +601,7 @@ class BUIgrantHandler(BUImetaGrant, BUIacl):
        for odr in order:
            if odr == 'exclude' and client_match and (
                    any(x in excludes for x in client_match) or
-                    client in excludes):
+                    _glob_match(excludes, client, self.opt('extended'))):
                return False
            return client_match is not False or is_admin


--- a/docs/advanced_usage.rst
+++ b/docs/advanced_usage.rst
@@ -788,8 +788,10 @@ keyword.


 Since *v0.7.0*, you can also define an additional ``order`` keyword in order
-to specify in which order the ACL engine should evaluate the rules (should we
-match ``ro`` first or ``rw``). The default evaluation order is ``rw`` then ``ro``.
+to specify in which order the ACL engine should evaluate the rules.
+The default being ``exclude``, then ``rw`` then ``ro``.
+Note: any omitted value will be appended to your list (ie. ``"order": ["ro", "rw"]``
+will be interpreted as ``["ro", "rw", "exclude"]``).
 Example:

 ::
@@ -802,7 +804,7 @@ whereas without the ``order`` keywoard, ``client.specific.test`` would have
 matched the ``rw`` rule first and thus would be considered as ``rw``.

 There is also a new ``exclude`` keyword that supports excluding clients from
-the matching rules.
+the matching rules. Of course, ``exclude`` also supports *globs* patterns.

 Here is an example:


--- a/docs/upgrading.rst
+++ b/docs/upgrading.rst
@@ -63,6 +63,11 @@ v0.7.0
  server in a single place with the ability to process hundreds of requests
  asynchronously.

+- **New** - The ``ACL`` engine now allows you to specify the evaluation *order*
+  through a new ``order`` keyword. You can also explicitly exclude clients
+  from any rule with the ``exclude`` keyword. See the
+  `BASIC ACL <advanced_usage.html#basic-acl>`__ documentation for details.
+
 v0.6.0
 ------


--- a/share/burpui/etc/burpui.sample.cfg
+++ b/share/burpui/etc/burpui.sample.cfg
@@ -352,6 +352,17 @@ rotate = 5
 #+group2 = user5
 ## As a result, user5 will be granted the following rights:
 ## '{"ro": {"agents": ["*", "agent1"], "www*": ["desk*"]}, "rw": {"clients": ["dev*"], "www*": ["desk1"]}}
+## You can also explicitly exclude some clients from a rule:
+## '{"agents": {"agent1": {"rw": ["client.*"], "exclude": ["client.win*"]}}}'
+## With the above rule, every client named "client.something" will be considered
+## "rw" on "agent1" except those starting with "client.win".
+## Finally, you can specify per rule evaluation order. The default being:
+## 1) exclude rules 2) rw 3) ro
+## With the default evaluation order, the following rule:
+## '{"agents": {"agent1": {"rw": ["client.*"], "ro": ["client.specific.*"]}}}'
+## will consider "client.specific.test" as "rw", whereas with the following
+## '{"order": ["ro", "rw"], "agents": {"agent1": {"rw": ["client.*"], "ro": ["client.specific.*"]}}}'
+## "client.specific.test" will match "ro" first and hence won't be considered "rw"

 ## If you set backend to 'multi', add at least one section like this per
 ## bui-agent