# Copyright (c) 2000,2002,2003 Masatoshi SEKI
#
# acl.rb is copyrighted free software by Masatoshi SEKI.
# You can redistribute it and/or modify it under the same terms as Ruby.
require 'ipaddr'
##
# Simple Access Control Lists.
#
# Access control lists are composed of "allow" and "deny" halves to control
# access. Use "all" or "*" to match any address. To match a specific address
# use any address or address mask that IPAddr can understand.
#
# Example:
#
# list = %w[
# deny all
# allow 192.168.1.1
# allow ::ffff:192.168.1.2
# allow 192.168.1.3
# ]
#
# # From Socket#peeraddr, see also ACL#allow_socket?
# addr = ["AF_INET", 10, "lc630", "192.168.1.3"]
#
# acl = ACL.new
# p acl.allow_addr?(addr) # => true (an ACL with no entries allows every address)
#
# acl = ACL.new(list, ACL::DENY_ALLOW)
# p acl.allow_addr?(addr) # => true
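class ACL

  ##
  # The current version of ACL

  VERSION=["2.0.0"]

  ##
  # An entry in an ACL.
  #
  # The kind of entry is fixed when it is created:
  #
  # * "*" or "all" matches every address.
  # * A string IPAddr accepts (an address, or an address/mask such as
  #   "192.0.2.0/24") is matched against the numeric address of the peer,
  #   element 3 of a Socket#peeraddr style Array.
  # * A string containing "*" (for example "192.168.1.*"), or any other
  #   string IPAddr rejects, is turned into a Regexp and matched against the
  #   host name of the peer, element 2 of a Socket#peeraddr style Array.
  #
  # The host name element is whatever the socket layer reports (normally a
  # reverse-DNS result when reverse lookup is enabled) and is not
  # authenticated, so address/mask entries are the more reliable way to
  # express a range of hosts.

  class ACLEntry

    ##
    # Creates a new entry using +str+.
    #
    # +str+ may be "*" or "all" to match any address, an IP address string
    # to match a specific address, an IP address mask per IPAddr, or one
    # containing "*" to match part of an IPv4 address.
    #
    # Raises NoMethodError if +str+ is not a String (for example +nil+).

    def initialize(str)
      if str == '*' || str == 'all'
        @pat = [:all]
      elsif str.include?('*')
        @pat = [:name, dot_pat(str)]
      else
        begin
          @pat = [:ip, IPAddr.new(str)]
        rescue ArgumentError
          # Not something IPAddr can parse: treat it as a host name pattern.
          @pat = [:name, dot_pat(str)]
        end
      end
    end

    private

    ##
    # Builds the source of a regular expression from a dotted pattern such
    # as "192.168.*": every "*" segment becomes ".+" (which also spans
    # dots, so "192.168.*" matches "192.168.1.2.3") and the separating dots
    # are escaped. Any other segment is inserted verbatim, so +str+ has to
    # come from trusted configuration, never from a peer.

    def dot_pat_str(str)
      str.split('.').map { |seg| seg == '*' ? '.+' : seg }.join('\.')
    end

    ##
    # Creates a Regexp to match an address or host name.
    #
    # The expression is anchored with \A and \z so it has to match the
    # whole string; ^ and $ match per line and would let a value with an
    # embedded newline through.

    def dot_pat(str)
      Regexp.new("\\A#{dot_pat_str(str)}\\z")
    end

    public

    ##
    # Matches +addr+ (a Socket#peeraddr style Array) against this entry.
    # Returns true or false; an address that cannot be parsed, or a missing
    # host name, never matches.

    def match(addr)
      kind, pattern = @pat
      case kind
      when :all
        true
      when :ip
        begin
          ipaddr = IPAddr.new(addr[3])
          # An IPv6 entry such as ::ffff:192.0.2.1 is compared with the
          # IPv4-mapped form of an IPv4 peer address.
          ipaddr = ipaddr.ipv4_mapped if pattern.ipv6? && ipaddr.ipv4?
        rescue ArgumentError
          # Missing or unparsable address: never a match.
          return false
        end
        pattern.include?(ipaddr) ? true : false
      when :name
        # A nil host name makes =~ return nil, which becomes false here.
        !!(pattern =~ addr[2])
      else
        false
      end
    end
  end

  ##
  # A list of ACLEntry objects. Used to implement the allow and deny halves
  # of an ACL

  class ACLList

    ##
    # Creates an empty ACLList

    def initialize
      @list = []
    end

    ##
    # Matches +addr+ against each ACLEntry in this list; true as soon as
    # one entry matches, false when none does (including an empty list).

    def match(addr)
      @list.any? { |entry| entry.match(addr) }
    end

    ##
    # Adds +str+ as an ACLEntry in this list

    def add(str)
      @list.push(ACLEntry.new(str))
    end
  end

  ##
  # Evaluation order: an address matching any allow entry is allowed,
  # otherwise one matching any deny entry is denied, otherwise it is
  # allowed. This is the default +order+ for ACL.new, so an ACL with no
  # "deny" entries lets every address through.

  DENY_ALLOW = 0

  ##
  # Evaluation order: an address matching any deny entry is denied,
  # otherwise one matching any allow entry is allowed, otherwise it is
  # denied.

  ALLOW_DENY = 1

  ##
  # Creates a new ACL from +list+ with an evaluation +order+ of DENY_ALLOW or
  # ALLOW_DENY.
  #
  # An ACL +list+ is an Array of "allow" or "deny" and an address or address
  # mask or "all" or "*" to match any address:
  #
  #   %w[
  #     deny all
  #     allow 192.0.2.2
  #     allow 192.0.2.128/26
  #   ]
  #
  # With no +list+ (the default) the ACL has no entries, so under DENY_ALLOW
  # every address is allowed; start the list with "deny all" to fail
  # closed. Any +order+ other than the two constants makes allow_addr?
  # return false for every address.
  #
  # Raises RuntimeError (via install_list) if +list+ is malformed.

  def initialize(list=nil, order = DENY_ALLOW)
    @order = order
    @deny = ACLList.new
    @allow = ACLList.new
    install_list(list) if list
  end

  ##
  # Allow connections from Socket +soc+? Uses +soc.peeraddr+, so the
  # host name field is subject to whatever reverse lookup the socket does.

  def allow_socket?(soc)
    allow_addr?(soc.peeraddr)
  end

  ##
  # Allow connections from addrinfo +addr+? It must be formatted like
  # Socket#peeraddr:
  #
  #   ["AF_INET", 10, "lc630", "192.0.2.1"]
  #
  # Returns true or false according to the evaluation order given to
  # ACL.new (see DENY_ALLOW and ALLOW_DENY); false for an unknown order.

  def allow_addr?(addr)
    case @order
    when DENY_ALLOW
      return true if @allow.match(addr)
      return false if @deny.match(addr)
      true
    when ALLOW_DENY
      return false if @deny.match(addr)
      return true if @allow.match(addr)
      false
    else
      false
    end
  end

  ##
  # Adds +list+ of ACL entries to this ACL.
  #
  # +list+ is read in pairs of permission ("allow" or "deny", any case)
  # and address pattern. Raises RuntimeError for an unknown permission or
  # for a permission with no pattern after it (an odd-length list).

  def install_list(list)
    list.each_slice(2) do |permission, domain|
      # A trailing permission with no pattern would otherwise surface as a
      # NoMethodError from ACLEntry; report it like any other bad entry.
      raise "Invalid ACL entry #{list}" if domain.nil?
      case permission.downcase
      when 'allow' then @allow.add(domain)
      when 'deny'  then @deny.add(domain)
      else raise "Invalid ACL entry #{list}"
      end
    end
  end
end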
if __FILE__ == $0
  # Example: an explicit "deny all" followed by three allowed hosts.
  list = %w[
    deny all
    allow 192.168.1.1
    allow ::ffff:192.168.1.2
    allow 192.168.1.3
  ]

  # Shaped like Socket#peeraddr: family, port, host name, numeric address.
  addr = ["AF_INET", 10, "lc630", "192.168.1.3"]

  # An ACL with no entries allows every address under the default order.
  acl = ACL.new
  p acl.allow_addr?(addr)

  # With the list installed the third host is still allowed.
  acl = ACL.new(list, ACL::DENY_ALLOW)
  p acl.allow_addr?(addr)
end