Re: [RFC] Handle ACLs that are neither denied nor allowed

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Tue, 08 May 2012 12:41:03 -0600

Hello,

    This thread started with a suggestion to add "reason" information to
the allow_t enum type so that ACL check answers can be split into
a primary yes/no/other return code and supplementary code-specific
information.

The patch quoted below implements something very similar. The
bump-server-first project needed to replace allow/deny with custom ACL
keywords to allow an admin to select between bump-server-first,
bump-client-first, and do-not-bump algorithms. The quoted patch does
this by returning the name of the matched algorithm in the "kind" part
of the allow_t object.

The reason I am posting this patch here is that the changes below
require no other changes for the old code to work. It is possible to
optimize things a little to minimize answer_t object copying, but the
answer_t extension itself is not intrusive.

> === modified file 'src/acl/Acl.h'
> --- src/acl/Acl.h 2011-12-31 01:26:10 +0000
> +++ src/acl/Acl.h 2012-05-03 15:46:33 +0000
> @@ -101,41 +101,67 @@
>
> /// \ingroup ACLAPI
> typedef enum {
> // Authorization ACL result states
> ACCESS_DENIED,
> ACCESS_ALLOWED,
> ACCESS_DUNNO,
>
> // Authentication ACL result states
> ACCESS_AUTH_REQUIRED, // Missing Credentials
> ACCESS_AUTH_EXPIRED_OK, // Expired now. Were Okay.
> ACCESS_AUTH_EXPIRED_BAD // Expired now. Were Failed.
> -} allow_t;
> +} aclMatchCode;
> +
> +/// \ingroup ACLAPI
> +/// ACL check answer; TODO: Rename to Acl::Answer
> +class allow_t {
> +public:
> + // not explicit: allow "aclMatchCode to allow_t" conversions (for now)
> + allow_t(const aclMatchCode aCode): code(aCode), kind(0) {}
> +
> + allow_t(): code(ACCESS_DUNNO), kind(0) {}
> +
> + bool operator ==(const aclMatchCode aCode) const {
> + return code == aCode;
> + }
> +
> + bool operator !=(const aclMatchCode aCode) const {
> + return !(*this == aCode);
> + }
> +
> + operator aclMatchCode() const {
> + return code;
> + }
> +
> + aclMatchCode code; ///< ACCESS_* code
> + int kind; ///< which custom access list verb matched
> +};
> +
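
Review bot: operator ==(const aclMatchCode) and the implicit operator aclMatchCode() in the new allow_t class work on code alone, so kind is silently ignored in comparisons and dropped whenever an answer is stored in or passed as an aclMatchCode. A comparison between two allow_t values also goes through that conversion, which means two answers that matched different custom verbs compare equal. Since kind is what selects between the custom verbs, please document next to the operators that equality ignores kind, and consider a separate allow_t-to-allow_t comparison if callers are ever expected to distinguish verbs. The "int kind" member also needs its value space documented: both constructors set it to 0, but the comment does not say whether 0 means "no custom verb matched" or is itself a valid verb, and callers cannot tell from these lines.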

If we go down this route, more data members can be added to describe the
details of the ACL match or match failure, including whether
re-authentication is needed.

HTH,

Alex.
Received on Tue May 08 2012 - 18:41:19 MDT
