uplex-varnish / libvmod-hoailona
Commit 277df1f9 authored Jan 16, 2017 by Geoff Simmons
a TTL > 0 is required in the policy constructor when the type is TOKEN,
but may be left out for the other types
parent f2dded65
Pipeline #115 skipped
Showing 9 changed files with 108 additions and 84 deletions
README.rst (+22 -18)
src/tests/add.vtc (+26 -26)
src/tests/explain.vtc (+1 -1)
src/tests/policy_method.vtc (+13 -13)
src/tests/policy_obj.vtc (+13 -4)
src/tests/secret.vtc (+1 -1)
src/tests/token.vtc (+1 -1)
src/vmod_hoailona.c (+9 -2)
src/vmod_hoailona.vcc (+22 -18)
README.rst
...
@@ -26,7 +26,7 @@ import hoailona [from "path"] ;
...
@@ -26,7 +26,7 @@ import hoailona [from "path"] ;
::
::
new OBJECT = hoailona.policy(ENUM type
, DURATION ttl
new OBJECT = hoailona.policy(ENUM type
[, DURATION ttl]
[, STRING description] [, BLOB secret]
[, STRING description] [, BLOB secret]
[, INT start_offset])
[, INT start_offset])
...
@@ -81,9 +81,10 @@ of Hawaiian about the choice of the name.
...
@@ -81,9 +81,10 @@ of Hawaiian about the choice of the name.
Defining policies
Defining policies
-----------------
-----------------
Policies are defined by means of ``policy`` objects that are constructed
Policies are defined by means of ``policy`` objects that are
in ``vcl_init``. A policy is defined by its type (TOKEN, OPEN or DENY),
constructed in ``vcl_init``. A policy is defined by its type (TOKEN,
a TTL, and possibly a shared secret used for authorization. For example::
OPEN or DENY), a TTL for the TOKEN type, and possibly a shared secret
used for authorization. For example::
import hoailona;
import hoailona;
import blobcode;
import blobcode;
...
@@ -96,10 +97,10 @@ a TTL, and possibly a shared secret used for authorization. For example::
...
@@ -96,10 +97,10 @@ a TTL, and possibly a shared secret used for authorization. For example::
blobcode.decode(encoded="secret"));
blobcode.decode(encoded="secret"));
# Define a policy for open access (authorization not required)
# Define a policy for open access (authorization not required)
new open_policy = hoailona.policy(OPEN
, 1h
);
new open_policy = hoailona.policy(OPEN);
# Define an "access denied" policy
# Define an "access denied" policy
new deny_policy = hoailona.policy(DENY
, 1h
);
new deny_policy = hoailona.policy(DENY);
}
}
Policy objects have no methods; they become useful when they are
Policy objects have no methods; they become useful when they are
...
@@ -239,15 +240,18 @@ policy
...
@@ -239,15 +240,18 @@ policy
::
::
new OBJ = policy(PRIV_TASK, ENUM {OPEN,DENY,TOKEN} type, DURATION ttl, STRING description=0, BLOB secret=0, INT start_offset=0)
new OBJ = policy(PRIV_TASK, ENUM {OPEN,DENY,TOKEN} type, DURATION ttl
=0
, STRING description=0, BLOB secret=0, INT start_offset=0)
Create a policy. The ``type`` enum classifies the policy as ``OPEN``,
Create a policy. The ``type`` enum is required, to classify the policy
``DENY`` or ``TOKEN``, and ``ttl`` determines the length of time for
as ``OPEN``, ``DENY`` or ``TOKEN``.
which token authorization is valid by default. Unless the TTL is
overriden, strings generated by the ``hosts.token()`` method contain
When ``TOKEN`` is specified, then a ``ttl`` greater than 0 MUST be
parameters (epoch times) that define the duration of the authorization
specified; the TTL has no effect for the ``OPEN`` and ``DENY`` types
to correspond with ``ttl``. The ``type`` and ``ttl`` parameters are
and may be left out. The TTL determines the length of time for which
required.
token authorization is valid by default. Unless the TTL is overriden,
strings generated by the ``hosts.token()`` method contain parameters
(epoch times) that define the duration of the authorization to
correspond with ``ttl``.
The optional ``secret`` parameter may contain a shared secret for
The optional ``secret`` parameter may contain a shared secret for
authorization, which serves as the key for an HMAC. The data type for
authorization, which serves as the key for an HMAC. The data type for
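Review bot: the rewritten constructor paragraph carries the typo "overriden" (should be "overridden") over from the old text, and the new sentence "When ``TOKEN`` is specified, then a ``ttl`` greater than 0 MUST be specified" has a stray "then" and uses "specified" twice; suggest "For the ``TOKEN`` type a ``ttl`` greater than 0 is required; for ``OPEN`` and ``DENY`` it has no effect and may be left out." The same paragraph appears verbatim in the src/vmod_hoailona.vcc hunk further down in this commit, so the two need to be fixed in step. Note also that the documented requirement ("greater than 0") does not match the wording of the error the C code actually emits for this case ("ttl must be >= 0"); one of the two should change so that the text a user sees in the VCL compile error agrees with what the manual says.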
...
@@ -275,7 +279,7 @@ unsynchronized clocks).
...
@@ -275,7 +279,7 @@ unsynchronized clocks).
Examples::
Examples::
# Open policy, no authorization required
# Open policy, no authorization required
new open = hoailona.policy(OPEN
, 1h
);
new open = hoailona.policy(OPEN);
# Token authorization required, where authorization lasts 2 hours,
# Token authorization required, where authorization lasts 2 hours,
# using the given shared secret, and setting the start offset to
# using the given shared secret, and setting the start offset to
...
@@ -289,7 +293,7 @@ Examples::
...
@@ -289,7 +293,7 @@ Examples::
"717569636B2062726F776E20666F7879"));
"717569636B2062726F776E20666F7879"));
# A policy for "access denied"
# A policy for "access denied"
new forbid = hoailona.policy(DENY,
1h,
description="access denied");
new forbid = hoailona.policy(DENY, description="access denied");
.. _obj_hosts:
.. _obj_hosts:
...
@@ -411,11 +415,11 @@ description is set.
...
@@ -411,11 +415,11 @@ description is set.
Examples::
Examples::
sub vcl_init {
sub vcl_init {
new p1 = hoailona.policy(OPEN
, 1h
);
new p1 = hoailona.policy(OPEN);
new p2 = hoailona.policy(TOKEN, 1h);
new p2 = hoailona.policy(TOKEN, 1h);
new p3 = hoailona.policy(TOKEN, 2h);
new p3 = hoailona.policy(TOKEN, 2h);
new p4 = hoailona.policy(TOKEN, 3h);
new p4 = hoailona.policy(TOKEN, 3h);
new deny = hoailona.policy(DENY
, 1h
);
new deny = hoailona.policy(DENY);
new h = hoailona.hosts();
new h = hoailona.hosts();
...
...
src/tests/add.vtc
...
@@ -7,9 +7,9 @@ varnish v1 -vcl {
...
@@ -7,9 +7,9 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new r = hoailona.policy(DENY
, 3h
);
new r = hoailona.policy(DENY);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "q", "/*/...");
h.add("example.com", "q", "/*/...");
h.add(host="example.org", policy="p");
h.add(host="example.org", policy="p");
...
@@ -23,7 +23,7 @@ varnish v1 -vcl {
...
@@ -23,7 +23,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
}
}
...
@@ -48,7 +48,7 @@ varnish v1 -errvcl {vmod hoailona error: host is empty in h.add()} {
...
@@ -48,7 +48,7 @@ varnish v1 -errvcl {vmod hoailona error: host is empty in h.add()} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("", "p", "/foo/bar");
h.add("", "p", "/foo/bar");
}
}
...
@@ -59,7 +59,7 @@ varnish v1 -errvcl {vmod hoailona error: policy is empty in h.add()} {
...
@@ -59,7 +59,7 @@ varnish v1 -errvcl {vmod hoailona error: policy is empty in h.add()} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "", "/foo/bar");
h.add("example.com", "", "/foo/bar");
}
}
...
@@ -70,7 +70,7 @@ varnish v1 -errvcl {vmod hoailona error: path is set but empty in h.add()} {
...
@@ -70,7 +70,7 @@ varnish v1 -errvcl {vmod hoailona error: path is set but empty in h.add()} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "");
h.add("example.com", "p", "");
}
}
...
@@ -81,7 +81,7 @@ varnish v1 -errvcl {vmod hoailona error: path ""<>?\^`| in h.add(): invalid char
...
@@ -81,7 +81,7 @@ varnish v1 -errvcl {vmod hoailona error: path ""<>?\^`| in h.add(): invalid char
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", {"""<>?\^`|"});
h.add("example.com", "p", {"""<>?\^`|"});
}
}
...
@@ -92,7 +92,7 @@ varnish v1 -errvcl {vmod hoailona error: path /x... in h.add(): ... must only be
...
@@ -92,7 +92,7 @@ varnish v1 -errvcl {vmod hoailona error: path /x... in h.add(): ... must only be
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/x...");
h.add("example.com", "p", "/x...");
}
}
...
@@ -103,7 +103,7 @@ varnish v1 -errvcl {vmod hoailona error: path /.../...x in h.add(): ... must onl
...
@@ -103,7 +103,7 @@ varnish v1 -errvcl {vmod hoailona error: path /.../...x in h.add(): ... must onl
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/.../...x");
h.add("example.com", "p", "/.../...x");
}
}
...
@@ -114,7 +114,7 @@ varnish v1 -errvcl {vmod hoailona error: path /x/**/y in h.add(): more than one
...
@@ -114,7 +114,7 @@ varnish v1 -errvcl {vmod hoailona error: path /x/**/y in h.add(): more than one
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/x/**/y");
h.add("example.com", "p", "/x/**/y");
}
}
...
@@ -135,7 +135,7 @@ varnish v1 -errvcl {vmod hoailona error: Policy object q not found in h.add()} {
...
@@ -135,7 +135,7 @@ varnish v1 -errvcl {vmod hoailona error: Policy object q not found in h.add()} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "q", "/x/y");
h.add("example.com", "q", "/x/y");
}
}
...
@@ -146,7 +146,7 @@ varnish v1 -errvcl {vmod hoailona error: Policy p already set globally for host
...
@@ -146,7 +146,7 @@ varnish v1 -errvcl {vmod hoailona error: Policy p already set globally for host
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p");
h.add("example.com", "p");
...
@@ -159,7 +159,7 @@ varnish v1 -errvcl {vmod hoailona error: Path-specific policies already set for
...
@@ -159,7 +159,7 @@ varnish v1 -errvcl {vmod hoailona error: Path-specific policies already set for
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/bar");
h.add("example.com", "p", "/foo/bar");
...
@@ -172,7 +172,7 @@ varnish v1 -errvcl {vmod hoailona error: Policy p already assigned for host exam
...
@@ -172,7 +172,7 @@ varnish v1 -errvcl {vmod hoailona error: Policy p already assigned for host exam
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/bar");
h.add("example.com", "p", "/foo/bar");
...
@@ -187,7 +187,7 @@ varnish v1 -vcl {
...
@@ -187,7 +187,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/bar");
h.add("example.com", "p", "/foo/bar");
...
@@ -200,7 +200,7 @@ varnish v1 -vcl {
...
@@ -200,7 +200,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/bar");
h.add("example.com", "p", "/foo/bar");
...
@@ -226,7 +226,7 @@ varnish v1 -vcl {
...
@@ -226,7 +226,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/bar");
h.add("example.com", "p", "/foo/bar");
...
@@ -239,7 +239,7 @@ varnish v1 -vcl {
...
@@ -239,7 +239,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", ".../bar");
h.add("example.com", "p", ".../bar");
...
@@ -252,7 +252,7 @@ varnish v1 -vcl {
...
@@ -252,7 +252,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/bar");
h.add("example.com", "p", "/foo/bar");
...
@@ -265,7 +265,7 @@ varnish v1 -vcl {
...
@@ -265,7 +265,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/bar");
h.add("example.com", "p", "/foo/bar");
...
@@ -279,7 +279,7 @@ varnish v1 -vcl {
...
@@ -279,7 +279,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("*example.com", "p");
h.add("*example.com", "p");
h.add("EXAMPLE-EXAMPLE.EXAMPLE.COM", "p");
h.add("EXAMPLE-EXAMPLE.EXAMPLE.COM", "p");
...
@@ -292,7 +292,7 @@ varnish v1 -errvcl {invalid hostname -example.com: may not begin with - or .} {
...
@@ -292,7 +292,7 @@ varnish v1 -errvcl {invalid hostname -example.com: may not begin with - or .} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("-example.com", "p");
h.add("-example.com", "p");
}
}
...
@@ -303,7 +303,7 @@ varnish v1 -errvcl {invalid hostname .example.com: may not begin with - or .} {
...
@@ -303,7 +303,7 @@ varnish v1 -errvcl {invalid hostname .example.com: may not begin with - or .} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add(".example.com", "p");
h.add(".example.com", "p");
}
}
...
@@ -314,7 +314,7 @@ varnish v1 -errvcl {invalid hostname *.*.example.com: illegal characters} {
...
@@ -314,7 +314,7 @@ varnish v1 -errvcl {invalid hostname *.*.example.com: illegal characters} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("*.*.example.com", "p");
h.add("*.*.example.com", "p");
}
}
...
@@ -325,7 +325,7 @@ varnish v1 -errvcl {invalid hostname example-%.com: illegal characters} {
...
@@ -325,7 +325,7 @@ varnish v1 -errvcl {invalid hostname example-%.com: illegal characters} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example-%.com", "p");
h.add("example-%.com", "p");
}
}
...
@@ -336,7 +336,7 @@ varnish v1 -errvcl {invalid hostname example-ä.com: illegal characters} {
...
@@ -336,7 +336,7 @@ varnish v1 -errvcl {invalid hostname example-ä.com: illegal characters} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example-ä.com", "p");
h.add("example-ä.com", "p");
}
}
...
...
src/tests/explain.vtc
...
@@ -8,7 +8,7 @@ varnish v1 -vcl {
...
@@ -8,7 +8,7 @@ varnish v1 -vcl {
sub vcl_init {
sub vcl_init {
new p1 = hoailona.policy(TOKEN, 1h);
new p1 = hoailona.policy(TOKEN, 1h);
new p2 = hoailona.policy(OPEN,
1h,
description="open");
new p2 = hoailona.policy(OPEN, description="open");
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p1");
h.add("example.com", "p1");
h.add("example.org", "p2");
h.add("example.org", "p2");
...
...
src/tests/policy_method.vtc
...
@@ -7,9 +7,9 @@ varnish v1 -vcl {
...
@@ -7,9 +7,9 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new r = hoailona.policy(DENY
, 3h
);
new r = hoailona.policy(DENY);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "q", "/foo/bar");
h.add("example.com", "q", "/foo/bar");
h.add(host="example.org", policy="p");
h.add(host="example.org", policy="p");
...
@@ -42,7 +42,7 @@ varnish v1 -vcl {
...
@@ -42,7 +42,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/z/...");
h.add("example.com", "p", "/z/...");
...
@@ -83,7 +83,7 @@ varnish v1 -vcl {
...
@@ -83,7 +83,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p");
h.add("example.com", "p");
...
@@ -119,7 +119,7 @@ varnish v1 -vcl {
...
@@ -119,7 +119,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/bar");
h.add("example.com", "p", "/foo/bar");
...
@@ -153,7 +153,7 @@ varnish v1 -vcl {
...
@@ -153,7 +153,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/bar/...");
h.add("example.com", "p", "/foo/bar/...");
...
@@ -187,7 +187,7 @@ varnish v1 -vcl {
...
@@ -187,7 +187,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/*/bar");
h.add("example.com", "p", "/foo/*/bar");
...
@@ -229,7 +229,7 @@ varnish v1 -vcl {
...
@@ -229,7 +229,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/*/bar/...");
h.add("example.com", "p", "/foo/*/bar/...");
...
@@ -273,7 +273,7 @@ varnish v1 -vcl {
...
@@ -273,7 +273,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", ".../foo/bar");
h.add("example.com", "p", ".../foo/bar");
...
@@ -307,7 +307,7 @@ varnish v1 -vcl {
...
@@ -307,7 +307,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/.../bar");
h.add("example.com", "p", "/foo/.../bar");
...
@@ -347,7 +347,7 @@ varnish v1 -vcl {
...
@@ -347,7 +347,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new q = hoailona.policy(TOKEN, 2h);
new q = hoailona.policy(TOKEN, 2h);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p", "/foo/./bar");
h.add("example.com", "p", "/foo/./bar");
...
@@ -384,7 +384,7 @@ varnish v1 -errvcl {h.policy() may not be called in vcl_init} {
...
@@ -384,7 +384,7 @@ varnish v1 -errvcl {h.policy() may not be called in vcl_init} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p");
h.add("example.com", "p");
if (h.policy("example.com", "/foo") != 1) {
if (h.policy("example.com", "/foo") != 1) {
...
@@ -398,7 +398,7 @@ varnish v1 -vcl {
...
@@ -398,7 +398,7 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p");
h.add("example.com", "p");
}
}
...
...
src/tests/policy_obj.vtc
...
@@ -11,12 +11,12 @@ varnish v1 -vcl {
...
@@ -11,12 +11,12 @@ varnish v1 -vcl {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p1 = hoailona.policy(OPEN
, 1h
);
new p1 = hoailona.policy(OPEN);
new p2 = hoailona.policy(TOKEN, 2h);
new p2 = hoailona.policy(TOKEN, 2h);
new p3 = hoailona.policy(DENY
, 3h
);
new p3 = hoailona.policy(DENY);
new p4 = hoailona.policy(TOKEN, 1h, description="policy p4");
new p4 = hoailona.policy(TOKEN, 1h, description="policy p4");
new p5 = hoailona.policy(OPEN,
1h,
start_offset= 0-10);
new p5 = hoailona.policy(OPEN, start_offset= 0-10);
new p6 = hoailona.policy(DENY,
1h,
new p6 = hoailona.policy(DENY,
secret=blobcode.decode(encoded="foo"));
secret=blobcode.decode(encoded="foo"));
new p7 = hoailona.policy(TOKEN, 1h, "p7",
new p7 = hoailona.policy(TOKEN, 1h, "p7",
blobcode.decode(encoded="bar"), 0-30);
blobcode.decode(encoded="bar"), 0-30);
...
@@ -27,3 +27,12 @@ varnish v1 -vcl { backend b { .host = "${bad_ip}"; } }
...
@@ -27,3 +27,12 @@ varnish v1 -vcl { backend b { .host = "${bad_ip}"; } }
# Runs fini
# Runs fini
varnish v1 -cli "vcl.discard vcl1"
varnish v1 -cli "vcl.discard vcl1"
varnish v1 -errvcl {ttl must be >= 0 when type is TOKEN in p constructor} {
import hoailona from "${vmod_topbuild}/src/.libs/libvmod_hoailona.so";
backend b { .host = "${bad_ip}"; }
sub vcl_init {
new p = hoailona.policy(TOKEN);
}
}
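Review bot: the only negative case added here omits the TTL entirely (`new p = hoailona.policy(TOKEN);`), so it exercises the new `ttl=0` default and nothing else. It does not cover an explicitly supplied zero (`hoailona.policy(TOKEN, 0s)`), which the `ttl <= 0.` check in the constructor also rejects, and there is no positive case showing that OPEN and DENY still accept an explicit TTL now that the documentation says it "has no effect ... and may be left out"; both are worth a few lines in this file. Also, the expected string `ttl must be >= 0 when type is TOKEN` pins the current wording of the error, which says ">= 0" for a condition that rejects 0; if that message is corrected to "> 0" (see the note on the C hunk), this -errvcl pattern has to be updated with it.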
src/tests/secret.vtc
...
@@ -41,7 +41,7 @@ varnish v1 -errvcl {h.secret() may not be called in vcl_init} {
...
@@ -41,7 +41,7 @@ varnish v1 -errvcl {h.secret() may not be called in vcl_init} {
backend b { .host = "${bad_ip}"; }
backend b { .host = "${bad_ip}"; }
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(OPEN
, 1h
);
new p = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
if (blobcode.encode(blob=h.secret()) == "foo") {
if (blobcode.encode(blob=h.secret()) == "foo") {
return(fail);
return(fail);
...
...
src/tests/token.vtc
...
@@ -174,7 +174,7 @@ varnish v1 -vcl {
...
@@ -174,7 +174,7 @@ varnish v1 -vcl {
sub vcl_init {
sub vcl_init {
new p = hoailona.policy(TOKEN, 1h);
new p = hoailona.policy(TOKEN, 1h);
new q = hoailona.policy(OPEN
, 1h
);
new q = hoailona.policy(OPEN);
new h = hoailona.hosts();
new h = hoailona.hosts();
h.add("example.com", "p");
h.add("example.com", "p");
h.add("example.org", "q");
h.add("example.org", "q");
...
...
src/vmod_hoailona.c
...
@@ -170,8 +170,6 @@ vmod_policy__init(VRT_CTX, struct vmod_hoailona_policy **policyp,
...
@@ -170,8 +170,6 @@ vmod_policy__init(VRT_CTX, struct vmod_hoailona_policy **policyp,
vcl_name
);
vcl_name
);
return
;
return
;
}
}
item
->
policy
=
policy
;
VSLIST_INSERT_HEAD
(
policyhead
,
item
,
list
);
if
(
strcmp
(
policys
,
"DENY"
)
==
0
)
if
(
strcmp
(
policys
,
"DENY"
)
==
0
)
policy
->
type
=
DENY
;
policy
->
type
=
DENY
;
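Review bot: taking `item->policy = policy;` and `VSLIST_INSERT_HEAD(policyhead, item, list);` out of this position, ahead of the type check, and re-adding them only after the new TTL validation in the next hunk, is the right ordering: with the old placement a constructor that subsequently failed validation would already have linked `item` into `policyhead` before returning, leaving the list holding an entry for a policy object that never finished construction. A one-line comment at the new insertion point saying that the list insert must stay after all validation would keep a later refactor from moving it back up.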
...
@@ -181,6 +179,15 @@ vmod_policy__init(VRT_CTX, struct vmod_hoailona_policy **policyp,
...
@@ -181,6 +179,15 @@ vmod_policy__init(VRT_CTX, struct vmod_hoailona_policy **policyp,
policy
->
type
=
TOKEN
;
policy
->
type
=
TOKEN
;
else
else
WRONG
(
"illegal policy enum"
);
WRONG
(
"illegal policy enum"
);
if
(
policy
->
type
==
TOKEN
&&
ttl
<=
0
.)
{
VERR
(
ctx
,
"ttl must be >= 0 when type is TOKEN "
"in %s constructor"
,
vcl_name
);
return
;
}
item
->
policy
=
policy
;
VSLIST_INSERT_HEAD
(
policyhead
,
item
,
list
);
policy
->
vcl_name
=
strdup
(
vcl_name
);
policy
->
vcl_name
=
strdup
(
vcl_name
);
AN
(
policy
->
vcl_name
);
AN
(
policy
->
vcl_name
);
if
(
description
!=
NULL
)
if
(
description
!=
NULL
)
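Review bot: the message in the new TTL check contradicts the condition it reports on. The test is `ttl <= 0.`, so a TTL of exactly 0 is rejected, but the text reads "ttl must be >= 0 when type is TOKEN", which describes 0 as acceptable; change it to "ttl must be > 0 when type is TOKEN in %s constructor" so it agrees with both the condition and the documentation in this commit ("a ``ttl`` greater than 0 MUST be specified"), and adjust the expected string in the new policy_obj.vtc case to match. Separately, the `return;` after this VERR leaves whatever `item` and `policy` point to unreleased if they were allocated earlier in this constructor; the pre-existing error return a few lines above follows the same pattern, so either both paths are relying on some cleanup not visible here, or both leak on a failed `vcl_init`, and it is worth confirming which before merging.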
...
...
src/vmod_hoailona.vcc
...
@@ -9,7 +9,7 @@ $Module hoailona 3 Akamai SecureHD Token Authorization VMOD
...
@@ -9,7 +9,7 @@ $Module hoailona 3 Akamai SecureHD Token Authorization VMOD
::
::
new OBJECT = hoailona.policy(ENUM type
, DURATION ttl
new OBJECT = hoailona.policy(ENUM type
[, DURATION ttl]
[, STRING description] [, BLOB secret]
[, STRING description] [, BLOB secret]
[, INT start_offset])
[, INT start_offset])
...
@@ -64,9 +64,10 @@ of Hawaiian about the choice of the name.
...
@@ -64,9 +64,10 @@ of Hawaiian about the choice of the name.
Defining policies
Defining policies
-----------------
-----------------
Policies are defined by means of ``policy`` objects that are constructed
Policies are defined by means of ``policy`` objects that are
in ``vcl_init``. A policy is defined by its type (TOKEN, OPEN or DENY),
constructed in ``vcl_init``. A policy is defined by its type (TOKEN,
a TTL, and possibly a shared secret used for authorization. For example::
OPEN or DENY), a TTL for the TOKEN type, and possibly a shared secret
used for authorization. For example::
import hoailona;
import hoailona;
import blobcode;
import blobcode;
...
@@ -79,10 +80,10 @@ a TTL, and possibly a shared secret used for authorization. For example::
...
@@ -79,10 +80,10 @@ a TTL, and possibly a shared secret used for authorization. For example::
blobcode.decode(encoded="secret"));
blobcode.decode(encoded="secret"));
# Define a policy for open access (authorization not required)
# Define a policy for open access (authorization not required)
new open_policy = hoailona.policy(OPEN
, 1h
);
new open_policy = hoailona.policy(OPEN);
# Define an "access denied" policy
# Define an "access denied" policy
new deny_policy = hoailona.policy(DENY
, 1h
);
new deny_policy = hoailona.policy(DENY);
}
}
Policy objects have no methods; they become useful when they are
Policy objects have no methods; they become useful when they are
...
@@ -208,16 +209,19 @@ subroutines, subsequent calls to ``.token()`` and ``.secret()`` in the
...
@@ -208,16 +209,19 @@ subroutines, subsequent calls to ``.token()`` and ``.secret()`` in the
same backend transaction are based on the policy that was determined
same backend transaction are based on the policy that was determined
by that call.
by that call.
$Object policy(PRIV_TASK, ENUM {OPEN, DENY, TOKEN} type, DURATION ttl,
$Object policy(PRIV_TASK, ENUM {OPEN, DENY, TOKEN} type, DURATION ttl
=0
,
STRING description=0, BLOB secret=0, INT start_offset=0)
STRING description=0, BLOB secret=0, INT start_offset=0)
Create a policy. The ``type`` enum classifies the policy as ``OPEN``,
Create a policy. The ``type`` enum is required, to classify the policy
``DENY`` or ``TOKEN``, and ``ttl`` determines the length of time for
as ``OPEN``, ``DENY`` or ``TOKEN``.
which token authorization is valid by default. Unless the TTL is
overriden, strings generated by the ``hosts.token()`` method contain
When ``TOKEN`` is specified, then a ``ttl`` greater than 0 MUST be
parameters (epoch times) that define the duration of the authorization
specified; the TTL has no effect for the ``OPEN`` and ``DENY`` types
to correspond with ``ttl``. The ``type`` and ``ttl`` parameters are
and may be left out. The TTL determines the length of time for which
required.
token authorization is valid by default. Unless the TTL is overriden,
strings generated by the ``hosts.token()`` method contain parameters
(epoch times) that define the duration of the authorization to
correspond with ``ttl``.
The optional ``secret`` parameter may contain a shared secret for
The optional ``secret`` parameter may contain a shared secret for
authorization, which serves as the key for an HMAC. The data type for
authorization, which serves as the key for an HMAC. The data type for
...
@@ -245,7 +249,7 @@ unsynchronized clocks).
...
@@ -245,7 +249,7 @@ unsynchronized clocks).
Examples::
Examples::
# Open policy, no authorization required
# Open policy, no authorization required
new open = hoailona.policy(OPEN
, 1h
);
new open = hoailona.policy(OPEN);
# Token authorization required, where authorization lasts 2 hours,
# Token authorization required, where authorization lasts 2 hours,
# using the given shared secret, and setting the start offset to
# using the given shared secret, and setting the start offset to
...
@@ -259,7 +263,7 @@ Examples::
...
@@ -259,7 +263,7 @@ Examples::
"717569636B2062726F776E20666F7879"));
"717569636B2062726F776E20666F7879"));
# A policy for "access denied"
# A policy for "access denied"
new forbid = hoailona.policy(DENY,
1h,
description="access denied");
new forbid = hoailona.policy(DENY, description="access denied");
$Object hosts()
$Object hosts()
...
@@ -368,11 +372,11 @@ description is set.
...
@@ -368,11 +372,11 @@ description is set.
Examples::
Examples::
sub vcl_init {
sub vcl_init {
new p1 = hoailona.policy(OPEN
, 1h
);
new p1 = hoailona.policy(OPEN);
new p2 = hoailona.policy(TOKEN, 1h);
new p2 = hoailona.policy(TOKEN, 1h);
new p3 = hoailona.policy(TOKEN, 2h);
new p3 = hoailona.policy(TOKEN, 2h);
new p4 = hoailona.policy(TOKEN, 3h);
new p4 = hoailona.policy(TOKEN, 3h);
new deny = hoailona.policy(DENY
, 1h
);
new deny = hoailona.policy(DENY);
new h = hoailona.hosts();
new h = hoailona.hosts();
...
...