Clarify forbit/permit coding for ACL conditions
authorJeremy Harris <jgh146exb@wizmail.org>
Mon, 26 Aug 2024 15:44:06 +0000 (16:44 +0100)
committerJeremy Harris <jgh146exb@wizmail.org>
Tue, 27 Aug 2024 23:03:34 +0000 (00:03 +0100)
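--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -138,15 +138,17 @@ times. For each condition and modifier, there's a bitmap of dis-allowed times.
 For some, it is easier to specify the negation of a small number of allowed
 times. */
   unsigned     forbids;
+#define FORBIDDEN(times)       (times)
+#define PERMITTED(times)       ((unsigned) ~(times))
 
 } condition_def;
 
 static condition_def conditions[] = {
-  [ACLC_ACL] =                 { US"acl",              0,      0 },
+  [ACLC_ACL] =                 { US"acl",              0,
+                                 FORBIDDEN(0) },
 
   [ACLC_ADD_HEADER] =          { US"add_header",       ACD_EXP | ACD_MOD,
-                                 (unsigned)
-                                 ~(ACL_BIT_MAIL | ACL_BIT_RCPT |
+                                 PERMITTED(ACL_BIT_MAIL | ACL_BIT_RCPT |
                                    ACL_BIT_PREDATA | ACL_BIT_DATA |
 #ifndef DISABLE_PRDR
                                    ACL_BIT_PRDR |
@@ -157,12 +159,13 @@ static condition_def conditions[] = {
   },
 
   [ACLC_AUTHENTICATED] =       { US"authenticated",    0,
-                                 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
-                                   ACL_BIT_CONNECT | ACL_BIT_HELO,
+                                 FORBIDDEN(ACL_BIT_NOTSMTP |
+                                   ACL_BIT_NOTSMTP_START |
+                                   ACL_BIT_CONNECT | ACL_BIT_HELO),
   },
 #ifdef EXPERIMENTAL_BRIGHTMAIL
   [ACLC_BMI_OPTIN] =           { US"bmi_optin",        ACD_EXP | ACD_MOD,
-                                 ACL_BIT_AUTH |
+                                 FORBIDDEN(ACL_BIT_AUTH |
                                    ACL_BIT_CONNECT | ACL_BIT_HELO |
                                    ACL_BIT_DATA | ACL_BIT_MIME |
 # ifndef DISABLE_PRDR
@@ -172,20 +175,22 @@ static condition_def conditions[] = {
                                    ACL_BIT_MAILAUTH |
                                    ACL_BIT_MAIL | ACL_BIT_STARTTLS |
                                    ACL_BIT_VRFY | ACL_BIT_PREDATA |
-                                   ACL_BIT_NOTSMTP_START,
+                                   ACL_BIT_NOTSMTP_START),
   },
 #endif
-  [ACLC_CONDITION] =           { US"condition",        ACD_EXP,        0 },
-  [ACLC_CONTINUE] =            { US"continue",         ACD_EXP | ACD_MOD, 0 },
+  [ACLC_CONDITION] =           { US"condition",        ACD_EXP,
+                                 FORBIDDEN(0) },
+  [ACLC_CONTINUE] =            { US"continue",         ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(0) },
 
   /* Certain types of control are always allowed, so we let it through
   always and check in the control processing itself. */
-  [ACLC_CONTROL] =             { US"control",          ACD_EXP | ACD_MOD, 0 },
+  [ACLC_CONTROL] =             { US"control",          ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(0) },
 
 #ifdef EXPERIMENTAL_DCC
   [ACLC_DCC] =                 { US"dcc",              ACD_EXP,
-                                 (unsigned)
-                                 ~(ACL_BIT_DATA |
+                                 PERMITTED(ACL_BIT_DATA |
 # ifndef DISABLE_PRDR
                                  ACL_BIT_PRDR |
 # endif
@@ -193,15 +198,17 @@ static condition_def conditions[] = {
   },
 #endif
 #ifdef WITH_CONTENT_SCAN
-  [ACLC_DECODE] =              { US"decode",           ACD_EXP, (unsigned) ~ACL_BIT_MIME },
+  [ACLC_DECODE] =              { US"decode",           ACD_EXP,
+                                 PERMITTED(ACL_BIT_MIME) },
 
 #endif
-  [ACLC_DELAY] =               { US"delay",            ACD_EXP | ACD_MOD, ACL_BIT_NOTQUIT },
+  [ACLC_DELAY] =               { US"delay",            ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(ACL_BIT_NOTQUIT) },
 #ifndef DISABLE_DKIM
-  [ACLC_DKIM_SIGNER] =         { US"dkim_signers",     ACD_EXP, (unsigned) ~ACL_BIT_DKIM },
+  [ACLC_DKIM_SIGNER] =         { US"dkim_signers",     ACD_EXP, 
+                                 PERMITTED(ACL_BIT_DKIM) },
   [ACLC_DKIM_STATUS] =         { US"dkim_status",      ACD_EXP,
-                                 (unsigned)
-                                 ~(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
+                                 PERMITTED(ACL_BIT_DKIM | ACL_BIT_DATA | ACL_BIT_MIME
 # ifndef DISABLE_PRDR
                                  | ACL_BIT_PRDR
 # endif
@@ -209,48 +216,52 @@ static condition_def conditions[] = {
   },
 #endif
 #ifdef SUPPORT_DMARC
-  [ACLC_DMARC_STATUS] =                { US"dmarc_status",     ACD_EXP, (unsigned int) ~ACL_BIT_DATA },
+  [ACLC_DMARC_STATUS] =                { US"dmarc_status",     ACD_EXP,
+                                 PERMITTED(ACL_BIT_DATA) },
 #endif
 
   /* Explicit key lookups can be made in non-smtp ACLs so pass
   always and check in the verify processing itself. */
-  [ACLC_DNSLISTS] =            { US"dnslists",         ACD_EXP, 0 },
+  [ACLC_DNSLISTS] =            { US"dnslists",         ACD_EXP,
+                                 FORBIDDEN(0) },
 
   [ACLC_DOMAINS] =             { US"domains",          0,
-                                 (unsigned)
-                                 ~(ACL_BIT_RCPT | ACL_BIT_VRFY
+                                 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
 #ifndef DISABLE_PRDR
-                                 |ACL_BIT_PRDR
+                                 | ACL_BIT_PRDR
 #endif
       ),
   },
   [ACLC_ENCRYPTED] =           { US"encrypted",        0,
-                                 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
-                                   ACL_BIT_CONNECT
+                                 FORBIDDEN(ACL_BIT_NOTSMTP |
+                                   ACL_BIT_NOTSMTP_START | ACL_BIT_CONNECT)
   },
 
-  [ACLC_ENDPASS] =             { US"endpass",  ACD_EXP | ACD_MOD,      0 },
+  [ACLC_ENDPASS] =             { US"endpass",  ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(0) },
 
   [ACLC_HOSTS] =               { US"hosts",            0,
-                                 ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
+                                 FORBIDDEN(ACL_BIT_NOTSMTP |
+                                   ACL_BIT_NOTSMTP_START),
   },
   [ACLC_LOCAL_PARTS] =         { US"local_parts",      0,
-                                 (unsigned)
-                                 ~(ACL_BIT_RCPT | ACL_BIT_VRFY
+                                 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY
 #ifndef DISABLE_PRDR
                                  | ACL_BIT_PRDR
 #endif
       ),
   },
 
-  [ACLC_LOG_MESSAGE] =         { US"log_message",      ACD_EXP | ACD_MOD, 0 },
-  [ACLC_LOG_REJECT_TARGET] =   { US"log_reject_target", ACD_EXP | ACD_MOD, 0 },
-  [ACLC_LOGWRITE] =            { US"logwrite",         ACD_EXP | ACD_MOD, 0 },
+  [ACLC_LOG_MESSAGE] =         { US"log_message",      ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(0) },
+  [ACLC_LOG_REJECT_TARGET] =   { US"log_reject_target", ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(0) },
+  [ACLC_LOGWRITE] =            { US"logwrite",         ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(0) },
 
 #ifdef WITH_CONTENT_SCAN
   [ACLC_MALWARE] =             { US"malware",          ACD_EXP,
-                                 (unsigned)
-                                   ~(ACL_BIT_DATA |
+                                 PERMITTED(ACL_BIT_DATA |
 # ifndef DISABLE_PRDR
                                    ACL_BIT_PRDR |
 # endif
@@ -258,26 +269,29 @@ static condition_def conditions[] = {
   },
 #endif
 
-  [ACLC_MESSAGE] =             { US"message",          ACD_EXP | ACD_MOD, 0 },
+  [ACLC_MESSAGE] =             { US"message",          ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(0) },
 #ifdef WITH_CONTENT_SCAN
-  [ACLC_MIME_REGEX] =          { US"mime_regex",       ACD_EXP, (unsigned) ~ACL_BIT_MIME },
+  [ACLC_MIME_REGEX] =          { US"mime_regex",       ACD_EXP,
+                                 PERMITTED(ACL_BIT_MIME) },
 #endif
 
   [ACLC_QUEUE] =               { US"queue",            ACD_EXP | ACD_MOD,
-                                 ACL_BIT_NOTSMTP |
+                                 FORBIDDEN(ACL_BIT_NOTSMTP |
 #ifndef DISABLE_PRDR
                                  ACL_BIT_PRDR |
 #endif
-                                 ACL_BIT_DATA,
+                                 ACL_BIT_DATA),
   },
 
-  [ACLC_RATELIMIT] =           { US"ratelimit",        ACD_EXP,        0 },
-  [ACLC_RECIPIENTS] =          { US"recipients",       0, (unsigned) ~ACL_BIT_RCPT },
+  [ACLC_RATELIMIT] =           { US"ratelimit",        ACD_EXP,
+                                 FORBIDDEN(0) },
+  [ACLC_RECIPIENTS] =          { US"recipients",       0,
+                                 PERMITTED(ACL_BIT_RCPT) },
 
 #ifdef WITH_CONTENT_SCAN
   [ACLC_REGEX] =               { US"regex",            ACD_EXP,
-                                 (unsigned)
-                                 ~(ACL_BIT_DATA |
+                                 PERMITTED(ACL_BIT_DATA |
 # ifndef DISABLE_PRDR
                                    ACL_BIT_PRDR |
 # endif
@@ -287,8 +301,7 @@ static condition_def conditions[] = {
 
 #endif
   [ACLC_REMOVE_HEADER] =       { US"remove_header",    ACD_EXP | ACD_MOD,
-                                 (unsigned)
-                                 ~(ACL_BIT_MAIL|ACL_BIT_RCPT |
+                                 PERMITTED(ACL_BIT_MAIL|ACL_BIT_RCPT |
                                    ACL_BIT_PREDATA | ACL_BIT_DATA |
 #ifndef DISABLE_PRDR
                                    ACL_BIT_PRDR |
@@ -296,27 +309,29 @@ static condition_def conditions[] = {
                                    ACL_BIT_MIME | ACL_BIT_NOTSMTP |
                                    ACL_BIT_NOTSMTP_START),
   },
-  [ACLC_SEEN] =                        { US"seen",             ACD_EXP,        0 },
+  [ACLC_SEEN] =                        { US"seen",             ACD_EXP,
+                                 FORBIDDEN(0) },
   [ACLC_SENDER_DOMAINS] =      { US"sender_domains",   0,
-                                 ACL_BIT_AUTH | ACL_BIT_CONNECT |
+                                 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
                                    ACL_BIT_HELO |
                                    ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
                                    ACL_BIT_ETRN | ACL_BIT_EXPN |
-                                   ACL_BIT_STARTTLS | ACL_BIT_VRFY,
+                                   ACL_BIT_STARTTLS | ACL_BIT_VRFY),
   },
   [ACLC_SENDERS] =             { US"senders",  0,
-                                 ACL_BIT_AUTH | ACL_BIT_CONNECT |
+                                 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
                                    ACL_BIT_HELO |
                                    ACL_BIT_MAILAUTH | ACL_BIT_QUIT |
                                    ACL_BIT_ETRN | ACL_BIT_EXPN |
-                                   ACL_BIT_STARTTLS | ACL_BIT_VRFY,
+                                   ACL_BIT_STARTTLS | ACL_BIT_VRFY),
   },
 
-  [ACLC_SET] =                 { US"set",              ACD_EXP | ACD_MOD, 0 },
+  [ACLC_SET] =                 { US"set",              ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(0) },
 
 #ifdef WITH_CONTENT_SCAN
   [ACLC_SPAM] =                        { US"spam",             ACD_EXP,
-                                 (unsigned) ~(ACL_BIT_DATA |
+                                 PERMITTED(ACL_BIT_DATA |
 # ifndef DISABLE_PRDR
                                  ACL_BIT_PRDR |
 # endif
@@ -325,25 +340,27 @@ static condition_def conditions[] = {
 #endif
 #ifdef SUPPORT_SPF
   [ACLC_SPF] =                 { US"spf",              ACD_EXP,
-                                 ACL_BIT_AUTH | ACL_BIT_CONNECT |
+                                 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
                                    ACL_BIT_HELO | ACL_BIT_MAILAUTH |
                                    ACL_BIT_ETRN | ACL_BIT_EXPN |
                                    ACL_BIT_STARTTLS | ACL_BIT_VRFY |
-                                   ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
+                                   ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
   },
   [ACLC_SPF_GUESS] =           { US"spf_guess",        ACD_EXP,
-                                 ACL_BIT_AUTH | ACL_BIT_CONNECT |
+                                 FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
                                    ACL_BIT_HELO | ACL_BIT_MAILAUTH |
                                    ACL_BIT_ETRN | ACL_BIT_EXPN |
                                    ACL_BIT_STARTTLS | ACL_BIT_VRFY |
-                                   ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START,
+                                   ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
   },
 #endif
-  [ACLC_UDPSEND] =             { US"udpsend",          ACD_EXP | ACD_MOD,      0 },
+  [ACLC_UDPSEND] =             { US"udpsend",          ACD_EXP | ACD_MOD,
+                                 FORBIDDEN(0) },
 
   /* Certain types of verify are always allowed, so we let it through
   always and check in the verify function itself */
-  [ACLC_VERIFY] =              { US"verify",           ACD_EXP,        0 },
+  [ACLC_VERIFY] =              { US"verify",           ACD_EXP,
+                                 FORBIDDEN(0) },
 };
 
 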
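Review bot: Several of the new `PERMITTED(...)` and `FORBIDDEN(...)` invocations enclose an `#ifndef DISABLE_PRDR` … `#endif` pair inside the macro's argument list (the add_header, bmi_optin, dcc, dkim_status, domains, local_parts, malware, queue, regex, remove_header and spam entries), and C11 6.10.3p11 leaves a preprocessing directive inside the arguments of a function-like macro undefined. Before this commit the same directives sat inside an ordinary parenthesised expression, which is well defined. GCC and Clang accept the construct and warn about it only under `-pedantic`, but this table appears to decide in which ACLs a condition may be used, so the resulting mask should not depend on a compiler extension. Resolving the conditional once into a constant that is 0 when PRDR is compiled out, and OR-ing that constant into the arguments, keeps the new macros and removes the directives from the argument lists; the constant's name below is a suggestion, not an existing identifier.

```c
/* Suggested helper (placeholder name): the PRDR bit, or 0 when PRDR is compiled out */
#ifndef DISABLE_PRDR
# define ACL_BIT_PRDR_OPT      ACL_BIT_PRDR
#else
# define ACL_BIT_PRDR_OPT      0
#endif

/* … unchanged: condition_def typedef, FORBIDDEN/PERMITTED, earlier table entries … */
  [ACLC_DOMAINS] =             { US"domains",          0,
                                 PERMITTED(ACL_BIT_RCPT | ACL_BIT_VRFY |
                                   ACL_BIT_PRDR_OPT),
  },
/* … the other entries named in the note change the same way … */
```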