aboutsummaryrefslogtreecommitdiff
path: root/vnc-auth-sasl.c
diff options
context:
space:
mode:
Diffstat (limited to 'vnc-auth-sasl.c')
-rw-r--r--vnc-auth-sasl.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/vnc-auth-sasl.c b/vnc-auth-sasl.c
index 2882a357d8..4b4aca9475 100644
--- a/vnc-auth-sasl.c
+++ b/vnc-auth-sasl.c
@@ -120,22 +120,32 @@ static int vnc_auth_sasl_check_access(VncState *vs)
{
const void *val;
int err;
+ int allow;
err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val);
if (err != SASL_OK) {
- VNC_DEBUG("cannot query SASL username on connection %d (%s)\n",
+ VNC_DEBUG("cannot query SASL username on connection %d (%s), denying access\n",
err, sasl_errstring(err, NULL, NULL));
return -1;
}
if (val == NULL) {
- VNC_DEBUG("no client username was found\n");
+ VNC_DEBUG("no client username was found, denying access\n");
return -1;
}
VNC_DEBUG("SASL client username %s\n", (const char *)val);
vs->sasl.username = qemu_strdup((const char*)val);
- return 0;
+ if (vs->vd->sasl.acl == NULL) {
+ VNC_DEBUG("no ACL activated, allowing access\n");
+ return 0;
+ }
+
+ allow = qemu_acl_party_is_allowed(vs->vd->sasl.acl, vs->sasl.username);
+
+ VNC_DEBUG("SASL client %s %s by ACL\n", vs->sasl.username,
+ allow ? "allowed" : "denied");
+ return allow ? 0 : -1;
}
static int vnc_auth_sasl_check_ssf(VncState *vs)