ruby/lib/drb/acl.rb

234 строки
4.4 KiB
Ruby

# frozen_string_literal: false
# Copyright (c) 2000,2002,2003 Masatoshi SEKI
#
# acl.rb is copyrighted free software by Masatoshi SEKI.
# You can redistribute it and/or modify it under the same terms as Ruby.
require 'ipaddr'
##
# Simple Access Control Lists.
#
# Access control lists are composed of "allow" and "deny" halves to control
# access. Use "all" or "*" to match any address. To match a specific address
# use any address or address mask that IPAddr can understand.
#
# Example:
#
# list = %w[
# deny all
# allow 192.168.1.1
# allow ::ffff:192.168.1.2
# allow 192.168.1.3
# ]
#
# # From Socket#peeraddr, see also ACL#allow_socket?
# addr = ["AF_INET", 10, "lc630", "192.168.1.3"]
#
# acl = ACL.new
# p acl.allow_addr?(addr) # => true
#
# acl = ACL.new(list, ACL::DENY_ALLOW)
# p acl.allow_addr?(addr) # => true
class ACL
##
# The current version of ACL
VERSION=["2.0.0"]
##
# An entry in an ACL
class ACLEntry
##
# Creates a new entry using +str+.
#
# +str+ may be "*" or "all" to match any address, an IP address string
# to match a specific address, an IP address mask per IPAddr, or one
# containing "*" to match part of an IPv4 address.
def initialize(str)
if str == '*' or str == 'all'
@pat = [:all]
elsif str.include?('*')
@pat = [:name, dot_pat(str)]
else
begin
@pat = [:ip, IPAddr.new(str)]
rescue ArgumentError
@pat = [:name, dot_pat(str)]
end
end
end
private
##
# Creates a regular expression to match IPv4 addresses
def dot_pat_str(str)
list = str.split('.').collect { |s|
(s == '*') ? '.+' : s
}
list.join("\\.")
end
private
##
# Creates a Regexp to match an address.
def dot_pat(str)
exp = "^" + dot_pat_str(str) + "$"
Regexp.new(exp)
end
public
##
# Matches +addr+ against this entry.
def match(addr)
case @pat[0]
when :all
true
when :ip
begin
ipaddr = IPAddr.new(addr[3])
ipaddr = ipaddr.ipv4_mapped if @pat[1].ipv6? && ipaddr.ipv4?
rescue ArgumentError
return false
end
(@pat[1].include?(ipaddr)) ? true : false
when :name
(@pat[1] =~ addr[2]) ? true : false
else
false
end
end
end
##
# A list of ACLEntry objects. Used to implement the allow and deny halves
# of an ACL
class ACLList
##
# Creates an empty ACLList
def initialize
@list = []
end
public
##
# Matches +addr+ against each ACLEntry in this list.
def match(addr)
@list.each do |e|
return true if e.match(addr)
end
false
end
public
##
# Adds +str+ as an ACLEntry in this list
def add(str)
@list.push(ACLEntry.new(str))
end
end
##
# Default to deny
DENY_ALLOW = 0
##
# Default to allow
ALLOW_DENY = 1
##
# Creates a new ACL from +list+ with an evaluation +order+ of DENY_ALLOW or
# ALLOW_DENY.
#
# An ACL +list+ is an Array of "allow" or "deny" and an address or address
# mask or "all" or "*" to match any address:
#
# %w[
# deny all
# allow 192.0.2.2
# allow 192.0.2.128/26
# ]
def initialize(list=nil, order = DENY_ALLOW)
@order = order
@deny = ACLList.new
@allow = ACLList.new
install_list(list) if list
end
public
##
# Allow connections from Socket +soc+?
def allow_socket?(soc)
allow_addr?(soc.peeraddr)
end
public
##
# Allow connections from addrinfo +addr+? It must be formatted like
# Socket#peeraddr:
#
# ["AF_INET", 10, "lc630", "192.0.2.1"]
def allow_addr?(addr)
case @order
when DENY_ALLOW
return true if @allow.match(addr)
return false if @deny.match(addr)
return true
when ALLOW_DENY
return false if @deny.match(addr)
return true if @allow.match(addr)
return false
else
false
end
end
public
##
# Adds +list+ of ACL entries to this ACL.
def install_list(list)
i = 0
while i < list.size
permission, domain = list.slice(i,2)
case permission.downcase
when 'allow'
@allow.add(domain)
when 'deny'
@deny.add(domain)
else
raise "Invalid ACL entry #{list}"
end
i += 2
end
end
end