uplex-varnish / libvmod-hoailona
Commit 6d81eea3 authored Apr 25, 2017 by Nils Goroll
fgs is not the only person with a whitespace ocd
parent bb022962
Showing 2 changed files with 64 additions and 64 deletions:
README.rst (+31 -31)
src/vmod_hoailona.vcc (+33 -33)
README.rst
View file @
6d81eea3
...
...
@@ -27,12 +27,12 @@ import hoailona [from "path"] ;
::
new OBJECT = hoailona.policy(ENUM type [, DURATION ttl]
[, STRING description] [, BLOB secret]
[, STRING description] [, BLOB secret]
[, INT start_offset])
new OBJECT = hoailona.hosts()
<obj>.add(STRING host, STRING policy [, STRING path]
[, STRING description])
[, STRING description])
INT <obj>.policy(STRING host, STRING path)
STRING <obj>.token([STRING acl] [, DURATION ttl] [, STRING data])
BLOB <obj>.secret()
...
...
@@ -93,12 +93,12 @@ used for authorization. For example::
# Define a policy for token authorization lasting one hour,
# and associate it with a shared secret.
new token_policy
= hoailona.policy(TOKEN, 1h,
blobcode.decode(encoded="secret"));
= hoailona.policy(TOKEN, 1h,
blobcode.decode(encoded="secret"));
# Define a policy for open access (authorization not required)
new open_policy = hoailona.policy(OPEN);
# Define an "access denied" policy
new deny_policy = hoailona.policy(DENY);
}
...
...
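Review bot: The `token_policy` example passes `blobcode.decode(encoded="secret")` as the third positional argument, but the synopsis at the top of this file orders the parameters type, ttl, description, secret, start_offset, so the third position is `STRING description`, not `BLOB secret`. Suggest naming the argument, `secret=blobcode.decode(encoded="secret")`, the way the later `hoailona.policy(type=TOKEN, ttl=2h, ...)` example does. The same example appears in src/vmod_hoailona.vcc.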
@@ -121,10 +121,10 @@ Policy Editor::
# Assign the token_policy globally to host example.com
config.add("example.com", "token_policy");
# Assign the open_policy to the path /foo/bar on host example.org
config.add("example.org", "open_policy", "/foo/bar");
# Assign the deny_policy to any path beginning with /baz/quux
# on subdomains of example.org
config.add("*.example.org", "deny_policy", "/baz/quux/...");
...
...
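Review bot: The comment on the `deny_policy` assignment says "any path beginning with /baz/quux" while the pattern is `"/baz/quux/..."`, and the later `h.add("example.org", "p3", "/baz/quux/...")` example describes the same pattern as "beginning with /baz/quux/". Because this is a deny rule, the text should state explicitly whether the path `/baz/quux` without the trailing slash is matched, and the two comments should agree.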
@@ -146,19 +146,19 @@ object::
sub vcl_recv {
# The policy method returns 0 for policy type DENY
if (config.policy(req.http.Host, req.url) == 0) {
# Handle "access denied" by returning 403 Forbidden
return(synth(403));
# Handle "access denied" by returning 403 Forbidden
return(synth(403));
}
# .policy() returns 1 for policy type OPEN
if (config.policy() == 1) {
return(pass);
return(pass);
}
# .policy() returns 2 for policy type TOKEN
if (config.policy() == 2) {
# Handle token authorization ...
# [...]
# Handle token authorization ...
# [...]
}
}
...
...
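Review bot: The second and third checks call `config.policy()` with no arguments, while the synopsis documents only `INT <obj>.policy(STRING host, STRING path)` with both parameters shown as mandatory. Either mark the parameters optional in the synopsis or add a comment here saying that the no-argument form reuses the policy determined by the first call. The three comparisons against 0, 1 and 2 also leave no branch for any other return value; if `.policy()` can return anything else, the example should show that case being handled, preferably by denying the request.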
@@ -178,10 +178,10 @@ HMAC for the token::
sub vcl_recv {
# .policy() returns 2 for policy type TOKEN
if (config.policy(req.http.Host, req.url) == 2) {
# Handle token authorization:
# Handle token authorization:
# Assign the non-cryptographic part of the token to a temp
# header
set req.http.Tmp-Token = config.token();
# header
set req.http.Tmp-Token = config.token();
# Use VMOD blobdigest to generate the HMAC, and VMOD blobcode
# to encode the result in lower case hex.
...
...
@@ -190,10 +190,10 @@ HMAC for the token::
set req.http.Tmp-HMAC
= blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, config.secret(),
blobcode.decode(IDENTITY,
req.http.Tmp-Token)));
blobcode.decode(IDENTITY,
req.http.Tmp-Token)));
# These two temp headers can now be combined to form the full
# These two temp headers can now be combined to form the full
# token string required for authorization at the Akamai
# server, such as:
#
...
...
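Review bot: `Tmp-Token` and `Tmp-HMAC` are set on `req.http`, and the visible lines only say that they "can now be combined to form the full token string". If the lines below this hunk do not already do so, the example should remove both temp headers once the token is assembled, so that the intermediate values are not passed on with the request.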
@@ -289,8 +289,8 @@ Examples::
# correctly.)
import blobcode;
new token = hoailona.policy(type=TOKEN, ttl=2h, start_offset=0-10,
secret=blobcode.decode(HEX,
"717569636B2062726F776E20666F7879"));
secret=blobcode.decode(HEX,
"717569636B2062726F776E20666F7879"));
# A policy for "access denied"
new forbid = hoailona.policy(DENY, description="access denied");
...
...
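Review bot: The `token` policy example inlines the shared secret as a hex literal in `secret=blobcode.decode(HEX, ...)`. A sentence in the surrounding text should say that the value is illustrative only, and that a VCL file carrying the real secret needs restricted read permissions and should stay out of version control.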
@@ -425,18 +425,18 @@ Examples::
# Assign a policy globally to example.com
h.add("example.com", "p1");
# Assign a policy to a fixed path on subdomains of example.com
h.add("*.example.com", "p2", "/foo/bar");
# Assign a policy to any path beginning with /baz/quux/
# on example.org
h.add("example.org", "p3", "/baz/quux/...");
# Assign a policy to any path with three components, where
# the first component is /foo/ and the last is /bar, on example.org
h.add("example.org", "p4", "/foo/*/bar");
# Deny access to any path on evil.org, with a description to be used
# by h.explain()
h.add("evil.org", "deny", description="no access to evil.org");
...
...
@@ -596,14 +596,14 @@ Examples::
# Use VMOD blobdigest to generate the HMAC, where
# the shared secret serves as the HMAC key.
set req.http.Tmp-HMAC
= blobcode.encode(HEXLC,
= blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, config.secret(),
blobcode.decode(IDENTITY,
req.http.Tmp-Token)));
blobcode.decode(IDENTITY,
req.http.Tmp-Token)));
# Concatenate elements of the authorization token
set req.http.Token = "hdnea=" + req.http.Tmp + "~hmac="
+ req.http.Tmp-HMAC;
+ req.http.Tmp-HMAC;
# The contents of the Tmp header may now be used as
# a query string or cookie contents, as required for
...
...
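Review bot: The HMAC is computed over `req.http.Tmp-Token`, but the concatenation uses `req.http.Tmp` in `"hdnea=" + req.http.Tmp + "~hmac="`, a header that is not set anywhere in the visible lines. The next comment also refers to "the contents of the Tmp header" although the result was just stored in `req.http.Token`. If the signed data and the data placed in the token differ, the HMAC will not verify at the receiving side. Suggest `req.http.Tmp-Token` in the concatenation and "Token header" in the comment, here and in the same example in src/vmod_hoailona.vcc.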
@@ -663,7 +663,7 @@ Returns the version string for this VMOD.
Example::
std.log("Using VMOD hoailona version " + hoailona.version());
std.log("Using VMOD hoailona version " + hoailona.version());
REQUIREMENTS
============
...
...
src/vmod_hoailona.vcc
View file @
6d81eea3
...
...
@@ -10,12 +10,12 @@ $Module hoailona 3 Akamai SecureHD Token Authorization VMOD
::
new OBJECT = hoailona.policy(ENUM type [, DURATION ttl]
[, STRING description] [, BLOB secret]
[, STRING description] [, BLOB secret]
[, INT start_offset])
new OBJECT = hoailona.hosts()
<obj>.add(STRING host, STRING policy [, STRING path]
[, STRING description])
[, STRING description])
INT <obj>.policy(STRING host, STRING path)
STRING <obj>.token([STRING acl] [, DURATION ttl] [, STRING data])
BLOB <obj>.secret()
...
...
@@ -76,12 +76,12 @@ used for authorization. For example::
# Define a policy for token authorization lasting one hour,
# and associate it with a shared secret.
new token_policy
= hoailona.policy(TOKEN, 1h,
blobcode.decode(encoded="secret"));
= hoailona.policy(TOKEN, 1h,
blobcode.decode(encoded="secret"));
# Define a policy for open access (authorization not required)
new open_policy = hoailona.policy(OPEN);
# Define an "access denied" policy
new deny_policy = hoailona.policy(DENY);
}
...
...
@@ -104,10 +104,10 @@ Policy Editor::
# Assign the token_policy globally to host example.com
config.add("example.com", "token_policy");
# Assign the open_policy to the path /foo/bar on host example.org
config.add("example.org", "open_policy", "/foo/bar");
# Assign the deny_policy to any path beginning with /baz/quux
# on subdomains of example.org
config.add("*.example.org", "deny_policy", "/baz/quux/...");
...
...
@@ -129,19 +129,19 @@ object::
sub vcl_recv {
# The policy method returns 0 for policy type DENY
if (config.policy(req.http.Host, req.url) == 0) {
# Handle "access denied" by returning 403 Forbidden
return(synth(403));
# Handle "access denied" by returning 403 Forbidden
return(synth(403));
}
# .policy() returns 1 for policy type OPEN
if (config.policy() == 1) {
return(pass);
return(pass);
}
# .policy() returns 2 for policy type TOKEN
if (config.policy() == 2) {
# Handle token authorization ...
# [...]
# Handle token authorization ...
# [...]
}
}
...
...
@@ -161,10 +161,10 @@ HMAC for the token::
sub vcl_recv {
# .policy() returns 2 for policy type TOKEN
if (config.policy(req.http.Host, req.url) == 2) {
# Handle token authorization:
# Handle token authorization:
# Assign the non-cryptographic part of the token to a temp
# header
set req.http.Tmp-Token = config.token();
# header
set req.http.Tmp-Token = config.token();
# Use VMOD blobdigest to generate the HMAC, and VMOD blobcode
# to encode the result in lower case hex.
...
...
@@ -173,10 +173,10 @@ HMAC for the token::
set req.http.Tmp-HMAC
= blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, config.secret(),
blobcode.decode(IDENTITY,
req.http.Tmp-Token)));
blobcode.decode(IDENTITY,
req.http.Tmp-Token)));
# These two temp headers can now be combined to form the full
# These two temp headers can now be combined to form the full
# token string required for authorization at the Akamai
# server, such as:
#
...
...
@@ -210,7 +210,7 @@ same backend transaction are based on the policy that was determined
by that call.
$Object policy(PRIV_TASK, ENUM {OPEN, DENY, TOKEN} type, DURATION ttl=0,
STRING description=0, BLOB secret=0, INT start_offset=0)
STRING description=0, BLOB secret=0, INT start_offset=0)
Create a policy. The ``type`` enum is required, to classify the policy
as ``OPEN``, ``DENY`` or ``TOKEN``.
...
...
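Review bot: `BLOB secret=0` in the `$Object policy(...)` declaration makes the secret optional for every policy type, and the description that follows says only that `type` is required. For `type=TOKEN` the text should state whether a missing secret is rejected when the object is constructed, and if not, what `.secret()` returns, so that a TOKEN policy cannot end up without a key unnoticed. Disregard if the lines below this hunk already cover it.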
@@ -259,8 +259,8 @@ Examples::
# correctly.)
import blobcode;
new token = hoailona.policy(type=TOKEN, ttl=2h, start_offset=0-10,
secret=blobcode.decode(HEX,
"717569636B2062726F776E20666F7879"));
secret=blobcode.decode(HEX,
"717569636B2062726F776E20666F7879"));
# A policy for "access denied"
new forbid = hoailona.policy(DENY, description="access denied");
...
...
@@ -273,7 +273,7 @@ path patterns. The constructor has no parameters; the object only
becomes useful by calling the ``.add()`` method.
$Method VOID .add(PRIV_TASK, STRING host, STRING policy, STRING path=0,
STRING description=0)
STRING description=0)
Associate ``policy`` with the ``host``, optionally restricted to the
path pattern described by ``path``. The ``host`` and ``policy``
...
...
@@ -382,18 +382,18 @@ Examples::
# Assign a policy globally to example.com
h.add("example.com", "p1");
# Assign a policy to a fixed path on subdomains of example.com
h.add("*.example.com", "p2", "/foo/bar");
# Assign a policy to any path beginning with /baz/quux/
# on example.org
h.add("example.org", "p3", "/baz/quux/...");
# Assign a policy to any path with three components, where
# the first component is /foo/ and the last is /bar, on example.org
h.add("example.org", "p4", "/foo/*/bar");
# Deny access to any path on evil.org, with a description to be used
# by h.explain()
h.add("evil.org", "deny", description="no access to evil.org");
...
...
@@ -532,14 +532,14 @@ Examples::
# Use VMOD blobdigest to generate the HMAC, where
# the shared secret serves as the HMAC key.
set req.http.Tmp-HMAC
= blobcode.encode(HEXLC,
= blobcode.encode(HEXLC,
blobdigest.hmacf(SHA256, config.secret(),
blobcode.decode(IDENTITY,
req.http.Tmp-Token)));
blobcode.decode(IDENTITY,
req.http.Tmp-Token)));
# Concatenate elements of the authorization token
set req.http.Token = "hdnea=" + req.http.Tmp + "~hmac="
+ req.http.Tmp-HMAC;
+ req.http.Tmp-HMAC;
# The contents of the Tmp header may now be used as
# a query string or cookie contents, as required for
...
...
@@ -585,7 +585,7 @@ Returns the version string for this VMOD.
Example::
std.log("Using VMOD hoailona version " + hoailona.version());
std.log("Using VMOD hoailona version " + hoailona.version());
REQUIREMENTS
============
...
...