ApacheTrafficServer: IPAllow.h Source File

Go to the documentation of this file.
00001 /** @file
00002 
00003   Access control by IP address and HTTP method.
00004 
00005   @section license License
00006 
00007   Licensed to the Apache Software Foundation (ASF) under one
00008   or more contributor license agreements.  See the NOTICE file
00009   distributed with this work for additional information
00010   regarding copyright ownership.  The ASF licenses this file
00011   to you under the Apache License, Version 2.0 (the
00012   "License"); you may not use this file except in compliance
00013   with the License.  You may obtain a copy of the License at
00014 
00015       http://www.apache.org/licenses/LICENSE-2.0
00016 
00017   Unless required by applicable law or agreed to in writing, software
00018   distributed under the License is distributed on an "AS IS" BASIS,
00019   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00020   See the License for the specific language governing permissions and
00021   limitations under the License.
00022  */
00023 
00024 /*****************************************************************************
00025  *
00026  *  IPAllow.h - Interface to IP Access Control systtem
00027  *
00028  *
00029  ****************************************************************************/
00030 
00031 #ifndef _IP_ALLOW_H_
00032 #define _IP_ALLOW_H_
00033 
00034 #include "Main.h"
00035 #include "hdrs/HTTP.h"
00036 #include "ts/IpMap.h"
00037 #include "ts/Vec.h"
00038 #include "ProxyConfig.h"
00039 
00040 #include <string>
00041 #include <set>
00042 
00043 // forward declare in name only so it can be a friend.
00044 struct IpAllowUpdate;
00045 
00046 //
00047 // Timeout the IpAllowTable * this amount of time after the
00048 //    a reconfig event happens that the old table gets thrown
00049 //    away
00050 //
00051 static uint64_t const IP_ALLOW_TIMEOUT = HRTIME_HOUR;
00052 
00053 /** An access control record.
00054     It has the methods permitted and the source line.
00055 */
00056 struct AclRecord {
00057   uint32_t _method_mask;
00058   int _src_line;
00059   typedef std::set<std::string> MethodSet;
00060   MethodSet _nonstandard_methods;
00061   bool _deny_nonstandard_methods;
00062   static const uint32_t ALL_METHOD_MASK = ~0; // Mask for all methods.
00063 
00064   /// Default constructor.
00065   /// Present only to make Vec<> happy, do not use.
00066   AclRecord() : _method_mask(0), _src_line(0), _deny_nonstandard_methods(false) { }
00067 
00068   AclRecord(uint32_t method_mask) : _method_mask(method_mask), _src_line(0),
00069                                     _deny_nonstandard_methods(false) { }
00070 
00071   AclRecord(uint32_t method_mask, int ln, const MethodSet &nonstandard_methods, bool deny_nonstandard_methods)
00072     : _method_mask(method_mask), _src_line(ln), _nonstandard_methods(nonstandard_methods),
00073       _deny_nonstandard_methods(deny_nonstandard_methods) { }
00074 
00075   static uint32_t MethodIdxToMask(int wksidx) { return 1 << (wksidx - HTTP_WKSIDX_CONNECT); }
00076 
00077   bool isEmpty() const {
00078     return (_method_mask == 0) && _nonstandard_methods.empty();
00079   }
00080 
00081   bool isMethodAllowed(int method_wksidx) const {
00082     return _method_mask & MethodIdxToMask(method_wksidx);
00083   }
00084   
00085   bool isNonstandardMethodAllowed(const std::string &method_str) const {
00086     if (_method_mask == ALL_METHOD_MASK) {
00087       return true;
00088     }
00089     bool method_in_set = _nonstandard_methods.count(method_str);
00090     return _deny_nonstandard_methods ? !method_in_set : method_in_set;
00091   }
00092 };
00093 
00094 /** Singleton class for access controls.
00095  */
00096 class IpAllow : public ConfigInfo
00097 {
00098   friend int main(int, char**);
00099   friend struct IpAllowUpdate;
00100 
00101 public:
00102   typedef IpAllow self; ///< Self reference type.
00103 
00104   IpAllow(const char *config_var, const char *name, const char *action_val);
00105    ~IpAllow();
00106   void Print();
00107   AclRecord *match(IpEndpoint const* ip) const;
00108   AclRecord *match(sockaddr const* ip) const;
00109 
00110   static void startup();
00111   static void reconfigure();
00112   /// @return The global instance.
00113   static IpAllow * acquire();
00114   static void release(IpAllow * params);
00115 
00116   /// @return A mask that permits all methods.
00117   static const AclRecord *AllMethodAcl() {
00118     return &ALL_METHOD_ACL;
00119   }
00120 
00121   typedef ConfigProcessor::scoped_config<IpAllow, IpAllow> scoped_config;
00122 
00123 private:
00124   static int configid;
00125   static const AclRecord ALL_METHOD_ACL;
00126 
00127   int BuildTable();
00128 
00129   char config_file_path[PATH_NAME_MAX];
00130   const char *module_name;
00131   const char *action;
00132   IpMap _map;
00133   Vec<AclRecord> _acls;
00134 };
00135 
00136 inline AclRecord *
00137 IpAllow::match(IpEndpoint const* ip) const {
00138   return this->match(&ip->sa);
00139 }
00140 
00141 inline AclRecord *
00142 IpAllow::match(sockaddr const* ip) const {
00143   void *raw;
00144   if (_map.contains(ip, &raw)) {
00145     return static_cast<AclRecord*>(raw);
00146   }
00147   return NULL;
00148 }
00149 
00150 #endif