This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit eb7946e2cff00c6e11f44799dd9c8664154ba3d6 Author: Brian Neradt <[email protected]> AuthorDate: Tue Jul 30 13:58:39 2024 -0500 ACL filters: set_allow/set_deny (#11619) Add set_allow and set_deny ACL filter action names, replacing allow and deny as the previous names. These action names are required instead of the previous allow/deny actions with the new MATCH_ON_IP_ONLY matching policy. This replacement allows the new policy to detect if someone updates their policy to the new MATCH_ON_IP_ONLY without explicitly choosing either the new add_allow/add_deny action behavior or the previous action behavior now named set_allow/set_deny. (cherry picked from commit b2c7df16e1e84db46c66d9f1af6c5eff2f54d96b) --- include/proxy/IPAllow.h | 9 +- include/proxy/http/remap/RemapConfig.h | 13 +- include/proxy/http/remap/UrlRewrite.h | 16 ++- src/proxy/IPAllow.cc | 25 +++- src/proxy/http/remap/RemapConfig.cc | 44 +++++- src/proxy/http/remap/UrlRewrite.cc | 31 +++-- tests/gold_tests/ip_allow/ip_category.test.py | 10 +- tests/gold_tests/remap/all_acl_combinations.py | 184 ++++++++++++------------- tests/gold_tests/remap/remap_acl.test.py | 142 ++++++++++++++----- 9 files changed, 313 insertions(+), 161 deletions(-) diff --git a/include/proxy/IPAllow.h b/include/proxy/IPAllow.h index 7654948958..0a1929584d 100644 --- a/include/proxy/IPAllow.h +++ b/include/proxy/IPAllow.h 
@@ -138,8 +138,10 @@ public: static const inline std::string YAML_VALUE_APPLY_IN{"in"}; static const inline std::string YAML_VALUE_APPLY_OUT{"out"}; static const inline std::string YAML_TAG_ACTION{"action"}; - static const inline std::string YAML_VALUE_ACTION_ALLOW{"allow"}; - static const inline std::string YAML_VALUE_ACTION_DENY{"deny"}; + static const inline std::string YAML_VALUE_ACTION_ALLOW{"set_allow"}; + static const inline std::string YAML_VALUE_ACTION_ALLOW_OLD_NAME{"allow"}; + static const inline std::string YAML_VALUE_ACTION_DENY{"set_deny"}; + static const inline std::string YAML_VALUE_ACTION_DENY_OLD_NAME{"deny"}; static const inline std::string YAML_TAG_METHODS{"methods"}; static const inline std::string YAML_VALUE_METHODS_ALL{"all"}; @@ -281,6 +283,9 @@ private: /// Storage for records. swoc::MemArena _arena; + /// Whether to allow "allow" and "deny" as action tags. + bool _is_legacy_action_policy{true}; + friend swoc::BufferWriter &bwformat(swoc::BufferWriter &w, swoc::bwf::Spec const &spec, IpAllow::IpMap const &map); }; diff --git a/include/proxy/http/remap/RemapConfig.h b/include/proxy/http/remap/RemapConfig.h index 82d0a373ce..bfceef07ca 100644 --- a/include/proxy/http/remap/RemapConfig.h +++ b/include/proxy/http/remap/RemapConfig.h @@ -26,6 +26,7 @@ #include "proxy/http/remap/AclFiltering.h" class UrlRewrite; +enum class ACLMatchingPolicy; #define BUILD_TABLE_MAX_ARGS 2048 
@@ -55,10 +56,12 @@ struct BUILD_TABLE_INFO { char *paramv[BUILD_TABLE_MAX_ARGS]; char *argv[BUILD_TABLE_MAX_ARGS]; - bool ip_allow_check_enabled_p = true; - bool accept_check_p = true; - acl_filter_rule *rules_list = nullptr; // all rules defined in config files as .define_filter foobar @src_ip=..... - UrlRewrite *rewrite = nullptr; // Pointer to the UrlRewrite object we are parsing for. + ACLMatchingPolicy matching_policy; + bool ip_allow_check_enabled_p = true; + bool accept_check_p = true; + + acl_filter_rule *rules_list = nullptr; // all rules defined in config files as .define_filter foobar @src_ip=..... + UrlRewrite *rewrite = nullptr; // Pointer to the UrlRewrite object we are parsing for. // Clear the argument vector. void reset(); @@ -71,7 +74,7 @@ struct BUILD_TABLE_INFO { const char *remap_parse_directive(BUILD_TABLE_INFO *bti, char *errbuf, size_t errbufsize); const char *remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int argc, char *errStrBuf, - size_t errStrBufSize); + size_t errStrBufSize, ACLMatchingPolicy matching_policy); unsigned long remap_check_option(const char **argv, int argc, unsigned long findmode = 0, int *_ret_idx = nullptr, const char **argptr = nullptr); diff --git a/include/proxy/http/remap/UrlRewrite.h b/include/proxy/http/remap/UrlRewrite.h index 1a67ed1253..a499ee79c6 100644 --- a/include/proxy/http/remap/UrlRewrite.h +++ b/include/proxy/http/remap/UrlRewrite.h @@ -53,6 +53,11 @@ enum mapping_type { NONE }; +enum class ACLMatchingPolicy { + MATCH_ON_IP_AND_METHOD = 0, + MATCH_ON_IP_ONLY, +}; + /** * **/ 
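Review bot: `ACLMatchingPolicy matching_policy;` in `BUILD_TABLE_INFO` is the only member in this hunk without a default initializer, so any `BUILD_TABLE_INFO` whose filter arguments are validated before `remap_parse_config_bti` assigns the field would pass an indeterminate value into the legacy-name check. Because this header only forward-declares the enum, `ACLMatchingPolicy matching_policy{};` is enough; it value-initializes to 0, which UrlRewrite.h defines as `MATCH_ON_IP_AND_METHOD`. The struct starts and ends outside this hunk, so a constructor that already sets the field may exist there.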
@@ -63,10 +68,13 @@ public: UrlRewrite() = default; ~UrlRewrite() override; - enum class ACLMatchingPolicy { - MATCH_ON_IP_AND_METHOD = 0, - MATCH_ON_IP_ONLY, - }; + /** Retrieve the configured ACL matching policy. + * + * @param[out] policy The configured ACL matching policy. + * @return @c true if the policy is configured to an appropriate value, @c + * false if not. + */ + static bool get_acl_matching_policy(ACLMatchingPolicy &policy); /** Load the configuration. * diff --git a/src/proxy/IPAllow.cc b/src/proxy/IPAllow.cc index f38dc43553..d0e1e29b15 100644 --- a/src/proxy/IPAllow.cc +++ b/src/proxy/IPAllow.cc @@ -123,7 +123,11 @@ IpAllow::reconfigure() if (auto errata = new_table->BuildTable(); !errata.is_ok()) { std::string text; swoc::bwprint(text, "{} failed to load\n{}", ts::filename::IP_ALLOW, errata); - Error("%s", text.c_str()); + if (errata.severity() <= ERRATA_ERROR) { + Error("%s", text.c_str()); + } else { + Fatal("%s", text.c_str()); + } delete new_table; return; } @@ -197,6 +201,13 @@ IpAllow::match(swoc::IPAddr const &addr, match_key_t key) IpAllow::IpAllow(const char *ip_allow_config_var, const char *ip_categories_config_var) : ip_allow_config_file(ats_scoped_str(RecConfigReadConfigPath(ip_allow_config_var)).get()) { + int matching_policy = 0; + REC_ReadConfigInteger(matching_policy, "proxy.config.url_remap.acl_matching_policy"); + if (matching_policy == 0) { + this->_is_legacy_action_policy = true; + } else { + this->_is_legacy_action_policy = false; + } std::string const path = RecConfigReadConfigPath(ip_categories_config_var); if (!path.empty()) { ip_categories_config_file = ats_scoped_str(path).get(); 
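Review bot: In `IpAllow::reconfigure()` the new `else` branch calls `Fatal(...)` for any errata above `ERRATA_ERROR`, which, assuming `Fatal` does not return, leaves the following `delete new_table; return;` unreachable on that path. If this function also serves live reloads of ip_allow.yaml, a single legacy `allow`/`deny` entry would end the process rather than keep the table already in service. If termination is meant only for startup, log with `Error` here and let the caller decide; if it is meant for reloads too, a comment such as `// Fatal is intentional: a legacy action name under MATCH_ON_IP_ONLY must not load silently` would record that. The function body starts outside this hunk.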
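Review bot: The `IpAllow` constructor re-reads `proxy.config.url_remap.acl_matching_policy` and treats every non-zero value as the new policy, whereas `UrlRewrite::get_acl_matching_policy`, added in this same commit, accepts only 0 and 1 and reports anything else as invalid. The two readers can therefore disagree on an out-of-range setting; calling the shared helper would keep them aligned, provided IPAllow.cc may depend on UrlRewrite.h. If the local read stays, the branch collapses to `this->_is_legacy_action_policy = (matching_policy == 0);`. The constructor body continues past the end of this hunk.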
@@ -399,15 +410,21 @@ IpAllow::YAMLLoadEntry(const YAML::Node &entry) YAML_VALUE_APPLY_IN, YAML_VALUE_APPLY_OUT); } } else { - return swoc::Errata(ERRATA_ERROR, R"("Object at {} must have a "{}" key.)", entry.Mark(), YAML_TAG_APPLY); + return swoc::Errata(ERRATA_ERROR, R"(Object at {} must have a "{}" key.)", entry.Mark(), YAML_TAG_APPLY); } if (node = entry[YAML_TAG_ACTION]; node) { if (node.IsScalar()) { swoc::TextView value(node.Scalar()); - if (value == YAML_VALUE_ACTION_ALLOW) { + if (!this->_is_legacy_action_policy && + (value == YAML_VALUE_ACTION_ALLOW_OLD_NAME || value == YAML_VALUE_ACTION_DENY_OLD_NAME)) { + return swoc::Errata( + ERRATA_FATAL, R"(Legacy action name of "{}" detected at {}. Use "set_allow" or "set_deny" instead of "allow" or "deny".)", + value, entry.Mark()); + } + if (value == YAML_VALUE_ACTION_ALLOW || value == YAML_VALUE_ACTION_ALLOW_OLD_NAME) { op = ACL_OP_ALLOW; - } else if (value == YAML_VALUE_ACTION_DENY) { + } else if (value == YAML_VALUE_ACTION_DENY || value == YAML_VALUE_ACTION_DENY_OLD_NAME) { op = ACL_OP_DENY; } else { return swoc::Errata(ERRATA_ERROR, "{} {} - item ignored, value for tag '{}' must be '{}' or '{}'", this, node.Mark(), diff --git a/src/proxy/http/remap/RemapConfig.cc b/src/proxy/http/remap/RemapConfig.cc index 0617f6b151..a578479566 100644 --- a/src/proxy/http/remap/RemapConfig.cc +++ b/src/proxy/http/remap/RemapConfig.cc @@ -129,7 +129,7 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO *bti, char *errStrBuf for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) { ; } - errStr = remap_validate_filter_args(rpp, (const char **)bti->argv, bti->argc, errStrBuf, errStrBufSize); + errStr = remap_validate_filter_args(rpp, (const char **)bti->argv, bti->argc, errStrBuf, errStrBufSize, bti->matching_policy); } for (rp = bti->rules_list; rp; rp = rp->next) { 
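Review bot: The comparisons against `YAML_VALUE_ACTION_ALLOW_OLD_NAME` and `YAML_VALUE_ACTION_DENY_OLD_NAME` in `YAMLLoadEntry` have no removal marker, while the equivalent key lists in RemapConfig.cc are annotated for removal in 11.x. A matching comment above the `if (value == YAML_VALUE_ACTION_ALLOW || ...` line, `// Drop the *_OLD_NAME comparisons when MATCH_ON_IP_AND_METHOD is removed in 11.x.`, would keep the two parsers in step. The fatal message also spells `set_allow`, `set_deny`, `allow` and `deny` as literals; passing the four `YAML_VALUE_ACTION_*` constants as format arguments would stop the text drifting from the accepted names. The function starts and ends outside this hunk.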
@@ -142,7 +142,8 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO *bti, char *errStrBuf for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) { ; } - if ((errStr = remap_validate_filter_args(rpp, (const char **)rp->argv, rp->argc, errStrBuf, errStrBufSize)) != nullptr) { + if ((errStr = remap_validate_filter_args(rpp, (const char **)rp->argv, rp->argc, errStrBuf, errStrBufSize, + bti->matching_policy)) != nullptr) { break; } } @@ -199,7 +200,9 @@ parse_define_directive(const char *directive, BUILD_TABLE_INFO *bti, char *errbu flg = ((rp = acl_filter_rule::find_byname(bti->rules_list, (const char *)bti->paramv[1])) == nullptr) ? true : false; // coverity[alloc_arg] - if ((cstr = remap_validate_filter_args(&rp, (const char **)bti->argv, bti->argc, errbuf, errbufsize)) == nullptr && rp) { + if ((cstr = remap_validate_filter_args(&rp, (const char **)bti->argv, bti->argc, errbuf, errbufsize, bti->matching_policy)) == + nullptr && + rp) { if (flg) { // new filter - add to list acl_filter_rule **rpp = nullptr; Dbg(dbg_ctl_url_rewrite, "[parse_directive] new rule \"%s\" was created", bti->paramv[1]); @@ -438,7 +441,8 @@ remap_parse_directive(BUILD_TABLE_INFO *bti, char *errbuf, size_t errbufsize) } const char * -remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int argc, char *errStrBuf, size_t errStrBufSize) +remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int argc, char *errStrBuf, size_t errStrBufSize, + ACLMatchingPolicy matching_policy) { acl_filter_rule *rule; int i, j; 
@@ -628,14 +632,35 @@ remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int arg } if (ul & REMAP_OPTFLG_ACTION) { /* "action=" option */ + if (matching_policy == ACLMatchingPolicy::MATCH_ON_IP_ONLY) { + // With the new matching policy, we don't allow the legacy "allow" and + // "deny" actions. Users must transition to either add_allow/add_deny or + // set_allow/set_deny. + if (is_inkeylist(argptr, "allow", "deny", nullptr)) { + Dbg( + dbg_ctl_url_rewrite, + R"([validate_filter_args] "allow" and "deny" are no longer valid. Use add_allow/add_deny or set_allow/set_deny: "%s"")", + argv[i]); + snprintf(errStrBuf, errStrBufSize, + R"("allow" and "deny" are no longer valid. Use add_allow/add_deny or set_allow/set_deny: "%s"")", argv[i]); + errStrBuf[errStrBufSize - 1] = 0; + if (new_rule_flg) { + delete rule; + *rule_pp = nullptr; + } + return (const char *)errStrBuf; + } + } if (is_inkeylist(argptr, "add_allow", "add_deny", nullptr)) { rule->add_flag = 1; } else { rule->add_flag = 0; } - if (is_inkeylist(argptr, "0", "off", "deny", "add_deny", "disable", nullptr)) { + // Remove "deny" from this list when MATCH_ON_IP_AND_METHOD is removed in 11.x. + if (is_inkeylist(argptr, "0", "off", "deny", "set_deny", "add_deny", "disable", nullptr)) { rule->allow_flag = 0; - } else if (is_inkeylist(argptr, "1", "on", "allow", "add_allow", "enable", nullptr)) { + // Remove "allow" from this list when MATCH_ON_IP_AND_METHOD is removed in 11.x. + } else if (is_inkeylist(argptr, "1", "on", "allow", "set_allow", "add_allow", "enable", nullptr)) { rule->allow_flag = 1; } else { Dbg(dbg_ctl_url_rewrite, "[validate_filter_args] Unknown argument \"%s\"", argv[i]); 
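Review bot: The legacy-name rejection under `MATCH_ON_IP_ONLY` covers only `allow` and `deny`, but the key lists a few lines below still accept `0`, `off`, `disable`, `1`, `on` and `enable`, and those fall through to `add_flag = 0`. A remap.config that uses one of those synonyms therefore moves to the new policy without the explicit add_/set_ choice the commit description says it wants to force. If that is not intended, extend the check to `if (is_inkeylist(argptr, "allow", "deny", "0", "off", "disable", "1", "on", "enable", nullptr)) {` and adjust the message to match. Separately, both raw-string messages end in `"%s""`, so the emitted text carries a stray trailing quote; `"%s")` is presumably what was meant. The function body starts and ends outside this hunk.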
@@ -1041,6 +1066,13 @@ remap_parse_config_bti(const char *path, BUILD_TABLE_INFO *bti) Dbg(dbg_ctl_url_rewrite, "[BuildTable] UrlRewrite::BuildTable()"); + ACLMatchingPolicy matching_policy = ACLMatchingPolicy::MATCH_ON_IP_AND_METHOD; + if (!UrlRewrite::get_acl_matching_policy(matching_policy)) { + Warning("Failed to get ACL matching policy."); + return false; + } + bti->matching_policy = matching_policy; + for (cur_line = tokLine(content.data(), &tok_state, '\\'); cur_line != nullptr;) { reg_map = nullptr; new_mapping = nullptr; diff --git a/src/proxy/http/remap/UrlRewrite.cc b/src/proxy/http/remap/UrlRewrite.cc index 8bd0676454..82336b55c7 100644 --- a/src/proxy/http/remap/UrlRewrite.cc +++ b/src/proxy/http/remap/UrlRewrite.cc @@ -57,6 +57,25 @@ SetHomePageRedirectFlag(url_mapping *new_mapping, URL &new_to_url) } } // end anonymous namespace +bool +UrlRewrite::get_acl_matching_policy(ACLMatchingPolicy &policy) +{ + int matching_policy = 0; + REC_ReadConfigInteger(matching_policy, "proxy.config.url_remap.acl_matching_policy"); + switch (matching_policy) { + case 0: + policy = ACLMatchingPolicy::MATCH_ON_IP_AND_METHOD; + break; + case 1: + policy = ACLMatchingPolicy::MATCH_ON_IP_ONLY; + break; + default: + Warning("unkown ACL Matching Policy: %d", matching_policy); + return false; + } + return true; +} + bool UrlRewrite::load() { @@ -128,17 +147,7 @@ UrlRewrite::load() } // ACL Matching Policy - int matching_policy = 0; - REC_ReadConfigInteger(matching_policy, "proxy.config.url_remap.acl_matching_policy"); - switch (matching_policy) { - case 0: - _acl_matching_policy = ACLMatchingPolicy::MATCH_ON_IP_AND_METHOD; - break; - case 1: - _acl_matching_policy = ACLMatchingPolicy::MATCH_ON_IP_ONLY; - break; - default: - Warning("unkown ACL Matching Policy :%d", matching_policy); + if (!get_acl_matching_policy(_acl_matching_policy)) { _valid = false; } 
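Review bot: The warning in the `default:` branch of `UrlRewrite::get_acl_matching_policy` is spelled `unkown`; this is the message an operator searches for when the policy record holds an unsupported value, so `Warning("unknown ACL Matching Policy: %d", matching_policy);` would be easier to find. The function also leaves `policy` untouched on the failure path, which the header comment does not state. A sentence in that doc comment such as `@a policy is not modified when @c false is returned.` would make the contract explicit for callers that pre-seed a default, as `remap_parse_config_bti` does.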
diff --git a/tests/gold_tests/ip_allow/ip_category.test.py b/tests/gold_tests/ip_allow/ip_category.test.py index c22c266df2..b53d7e299d 100644 --- a/tests/gold_tests/ip_allow/ip_category.test.py +++ b/tests/gold_tests/ip_allow/ip_category.test.py @@ -271,7 +271,7 @@ IP_ALLOW_CONTENT = f''' ip_allow: - apply: in ip_categories: ACME_INTERNAL - action: allow + action: set_allow methods: - GET - HEAD @@ -279,18 +279,18 @@ ip_allow: - PUSH - apply: in ip_categories: ACME_EXTERNAL - action: allow + action: set_allow methods: - GET - HEAD - apply: in ip_categories: ACME_ALL - action: allow + action: set_allow methods: - HEAD - apply: in ip_categories: ALL - action: deny + action: set_deny ''' test_ip_allow_optional_methods = Test_ip_category( @@ -325,5 +325,5 @@ test_ip_allow_optional_methods = Test_ip_category( replay_file='replays/https_categories_external_remap.replay.yaml', ip_allow_config=IP_ALLOW_CONTENT, ip_category_config=localhost_is_external, - acl_configuration='@action=deny @src_ip_category=ACME_REMAP_EXTERNAL @method=GET', + acl_configuration='@action=set_deny @src_ip_category=ACME_REMAP_EXTERNAL @method=GET', expected_responses=[403, 200, 200]) diff --git a/tests/gold_tests/remap/all_acl_combinations.py b/tests/gold_tests/remap/all_acl_combinations.py index 34487630ee..6c3ce87ae6 100644 --- a/tests/gold_tests/remap/all_acl_combinations.py +++ b/tests/gold_tests/remap/all_acl_combinations.py @@ -21,7 +21,7 @@ ALLOW_GET_AND_POST = f''' ip_allow: - apply: in ip_addrs: [0/0, ::/0] - action: allow + action: set_allow methods: [GET, POST] ''' @@ -29,7 +29,7 @@ ALLOW_GET = f''' ip_allow: - apply: in ip_addrs: [0/0, ::/0] - action: allow + action: set_allow methods: [GET] ''' @@ -37,7 +37,7 @@ DENY_GET = f''' ip_allow: - apply: in ip_addrs: [0/0, ::/0] - action: deny + action: set_deny methods: [GET] ''' 
@@ -45,101 +45,101 @@ DENY_GET_AND_POST = f''' ip_allow: - apply: in ip_addrs: [0/0, ::/0] - action: deny + action: set_deny methods: [GET, POST] ''' # yapf: disable keys = ["index", "policy", "inline", "named_acl", "ip_allow", "GET response", "POST response"] all_acl_combinations = [ - [ 0, "ip_and_method", "", "", ALLOW_GET_AND_POST, 200, 200, ], - [ 1, "ip_and_method", "", "", ALLOW_GET, 200, 403, ], - [ 2, "ip_and_method", "", "", DENY_GET, 403, 200, ], - [ 3, "ip_and_method", "", "", DENY_GET_AND_POST, 403, 403, ], - [ 4, "ip_and_method", "", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 200, ], - [ 5, "ip_and_method", "", "@action=allow @method=GET", ALLOW_GET, 200, 403, ], - [ 6, "ip_and_method", "", "@action=allow @method=GET", DENY_GET, 200, 200, ], - [ 7, "ip_and_method", "", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 8, "ip_and_method", "", "@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 9, "ip_and_method", "", "@action=deny @method=GET", ALLOW_GET, 403, 403, ], - [ 10, "ip_and_method", "", "@action=deny @method=GET", DENY_GET, 403, 200, ], - [ 11, "ip_and_method", "", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 403, ], - [ 12, "ip_and_method", "@action=allow @method=GET", "", ALLOW_GET_AND_POST, 200, 200, ], - [ 13, "ip_and_method", "@action=allow @method=GET", "", ALLOW_GET, 200, 403, ], - [ 14, "ip_and_method", "@action=allow @method=GET", "", DENY_GET, 200, 200, ], - [ 15, "ip_and_method", "@action=allow @method=GET", "", DENY_GET_AND_POST, 200, 403, ], - [ 16, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 200, ], - [ 17, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", ALLOW_GET, 200, 403, ], - [ 18, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET, 200, 200, ], - [ 19, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 20, 
"ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 200, 200, ], - [ 21, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET, 200, 403, ], - [ 22, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET, 200, 200, ], - [ 23, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 24, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", ALLOW_GET_AND_POST, 200, 200, ], - [ 25, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", ALLOW_GET, 200, 200, ], - [ 26, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", DENY_GET, 200, 200, ], - [ 27, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", DENY_GET_AND_POST, 200, 200, ], - [ 28, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", ALLOW_GET_AND_POST, 200, 403, ], - [ 29, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", ALLOW_GET, 200, 403, ], - [ 30, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", DENY_GET, 200, 403, ], - [ 31, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", DENY_GET_AND_POST, 200, 403, ], - [ 32, "ip_and_method", "@action=deny @method=GET", "", ALLOW_GET_AND_POST, 403, 200, ], - [ 33, "ip_and_method", "@action=deny @method=GET", "", ALLOW_GET, 403, 403, ], - [ 34, "ip_and_method", "@action=deny @method=GET", "", DENY_GET, 403, 200, ], - [ 35, "ip_and_method", "@action=deny @method=GET", "", DENY_GET_AND_POST, 403, 403, ], - [ 36, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 37, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET, 403, 403, ], - [ 38, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", DENY_GET, 403, 200, ], - [ 39, 
"ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 403, 403, ], - [ 40, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 41, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET, 403, 403, ], - [ 42, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET, 403, 200, ], - [ 43, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 403, ], - [ 44, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", ALLOW_GET_AND_POST, 403, 200, ], - [ 45, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", ALLOW_GET, 403, 200, ], - [ 46, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", DENY_GET, 403, 200, ], - [ 47, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", DENY_GET_AND_POST, 403, 200, ], - [ 48, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", ALLOW_GET_AND_POST, 403, 403, ], - [ 49, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", ALLOW_GET, 403, 403, ], - [ 50, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", DENY_GET, 403, 403, ], - [ 51, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", DENY_GET_AND_POST, 403, 403, ], - [ 52, "ip_only", "", "", ALLOW_GET_AND_POST, 200, 200, ], - [ 53, "ip_only", "", "", ALLOW_GET, 200, 403, ], - [ 54, "ip_only", "", "", DENY_GET, 403, 200, ], - [ 55, "ip_only", "", "", DENY_GET_AND_POST, 403, 403, ], - [ 56, "ip_only", "", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ], - [ 57, "ip_only", "", "@action=allow @method=GET", ALLOW_GET, 200, 403, ], - [ 58, "ip_only", "", "@action=allow @method=GET", DENY_GET, 200, 403, ], - [ 59, "ip_only", "", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 60, "ip_only", "", 
"@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 61, "ip_only", "", "@action=deny @method=GET", ALLOW_GET, 403, 200, ], - [ 62, "ip_only", "", "@action=deny @method=GET", DENY_GET, 403, 200, ], - [ 63, "ip_only", "", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 200, ], - [ 64, "ip_only", "@action=allow @method=GET", "", ALLOW_GET_AND_POST, 200, 403, ], - [ 65, "ip_only", "@action=allow @method=GET", "", ALLOW_GET, 200, 403, ], - [ 66, "ip_only", "@action=allow @method=GET", "", DENY_GET, 200, 403, ], - [ 67, "ip_only", "@action=allow @method=GET", "", DENY_GET_AND_POST, 200, 403, ], - [ 68, "ip_only", "@action=allow @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ], - [ 69, "ip_only", "@action=allow @method=GET", "@action=allow @method=GET", ALLOW_GET, 200, 403, ], - [ 70, "ip_only", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET, 200, 403, ], - [ 71, "ip_only", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 72, "ip_only", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 200, 403, ], - [ 73, "ip_only", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET, 200, 403, ], - [ 74, "ip_only", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET, 200, 403, ], - [ 75, "ip_only", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 76, "ip_only", "@action=deny @method=GET", "", ALLOW_GET_AND_POST, 403, 200, ], - [ 77, "ip_only", "@action=deny @method=GET", "", ALLOW_GET, 403, 200, ], - [ 78, "ip_only", "@action=deny @method=GET", "", DENY_GET, 403, 200, ], - [ 79, "ip_only", "@action=deny @method=GET", "", DENY_GET_AND_POST, 403, 200, ], - [ 80, "ip_only", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 81, "ip_only", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET, 403, 200, ], - [ 82, "ip_only", 
"@action=deny @method=GET", "@action=allow @method=GET", DENY_GET, 403, 200, ], - [ 83, "ip_only", "@action=deny @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 403, 200, ], - [ 84, "ip_only", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 85, "ip_only", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET, 403, 200, ], - [ 86, "ip_only", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET, 403, 200, ], - [ 87, "ip_only", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 200, ], + [ 0, "ip_and_method", "", "", ALLOW_GET_AND_POST, 200, 200, ], + [ 1, "ip_and_method", "", "", ALLOW_GET, 200, 403, ], + [ 2, "ip_and_method", "", "", DENY_GET, 403, 200, ], + [ 3, "ip_and_method", "", "", DENY_GET_AND_POST, 403, 403, ], + [ 4, "ip_and_method", "", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 200, ], + [ 5, "ip_and_method", "", "@action=allow @method=GET", ALLOW_GET, 200, 403, ], + [ 6, "ip_and_method", "", "@action=allow @method=GET", DENY_GET, 200, 200, ], + [ 7, "ip_and_method", "", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 8, "ip_and_method", "", "@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 9, "ip_and_method", "", "@action=deny @method=GET", ALLOW_GET, 403, 403, ], + [ 10, "ip_and_method", "", "@action=deny @method=GET", DENY_GET, 403, 200, ], + [ 11, "ip_and_method", "", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 403, ], + [ 12, "ip_and_method", "@action=allow @method=GET", "", ALLOW_GET_AND_POST, 200, 200, ], + [ 13, "ip_and_method", "@action=allow @method=GET", "", ALLOW_GET, 200, 403, ], + [ 14, "ip_and_method", "@action=allow @method=GET", "", DENY_GET, 200, 200, ], + [ 15, "ip_and_method", "@action=allow @method=GET", "", DENY_GET_AND_POST, 200, 403, ], + [ 16, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 200, ], + [ 17, 
"ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", ALLOW_GET, 200, 403, ], + [ 18, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET, 200, 200, ], + [ 19, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 20, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 200, 200, ], + [ 21, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET, 200, 403, ], + [ 22, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET, 200, 200, ], + [ 23, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 24, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", ALLOW_GET_AND_POST, 200, 200, ], + [ 25, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", ALLOW_GET, 200, 200, ], + [ 26, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", DENY_GET, 200, 200, ], + [ 27, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", DENY_GET_AND_POST, 200, 200, ], + [ 28, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", ALLOW_GET_AND_POST, 200, 403, ], + [ 29, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", ALLOW_GET, 200, 403, ], + [ 30, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", DENY_GET, 200, 403, ], + [ 31, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", DENY_GET_AND_POST, 200, 403, ], + [ 32, "ip_and_method", "@action=deny @method=GET", "", ALLOW_GET_AND_POST, 403, 200, ], + [ 33, "ip_and_method", "@action=deny @method=GET", "", ALLOW_GET, 403, 403, ], + [ 34, "ip_and_method", "@action=deny @method=GET", "", DENY_GET, 403, 200, ], + [ 35, "ip_and_method", "@action=deny @method=GET", "", DENY_GET_AND_POST, 403, 403, ], + [ 36, 
"ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 37, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET, 403, 403, ], + [ 38, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", DENY_GET, 403, 200, ], + [ 39, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 403, 403, ], + [ 40, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 41, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET, 403, 403, ], + [ 42, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET, 403, 200, ], + [ 43, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 403, ], + [ 44, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", ALLOW_GET_AND_POST, 403, 200, ], + [ 45, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", ALLOW_GET, 403, 200, ], + [ 46, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", DENY_GET, 403, 200, ], + [ 47, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", DENY_GET_AND_POST, 403, 200, ], + [ 48, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", ALLOW_GET_AND_POST, 403, 403, ], + [ 49, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", ALLOW_GET, 403, 403, ], + [ 50, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", DENY_GET, 403, 403, ], + [ 51, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", DENY_GET_AND_POST, 403, 403, ], + [ 52, "ip_only", "", "", ALLOW_GET_AND_POST, 200, 200, ], + [ 53, "ip_only", "", "", ALLOW_GET, 200, 403, ], + [ 54, "ip_only", "", "", DENY_GET, 403, 200, ], + [ 55, "ip_only", "", "", DENY_GET_AND_POST, 403, 403, ], + [ 56, "ip_only", "", 
"@action=set_allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ], + [ 57, "ip_only", "", "@action=set_allow @method=GET", ALLOW_GET, 200, 403, ], + [ 58, "ip_only", "", "@action=set_allow @method=GET", DENY_GET, 200, 403, ], + [ 59, "ip_only", "", "@action=set_allow @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 60, "ip_only", "", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 61, "ip_only", "", "@action=set_deny @method=GET", ALLOW_GET, 403, 200, ], + [ 62, "ip_only", "", "@action=set_deny @method=GET", DENY_GET, 403, 200, ], + [ 63, "ip_only", "", "@action=set_deny @method=GET", DENY_GET_AND_POST, 403, 200, ], + [ 64, "ip_only", "@action=set_allow @method=GET", "", ALLOW_GET_AND_POST, 200, 403, ], + [ 65, "ip_only", "@action=set_allow @method=GET", "", ALLOW_GET, 200, 403, ], + [ 66, "ip_only", "@action=set_allow @method=GET", "", DENY_GET, 200, 403, ], + [ 67, "ip_only", "@action=set_allow @method=GET", "", DENY_GET_AND_POST, 200, 403, ], + [ 68, "ip_only", "@action=set_allow @method=GET", "@action=set_allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ], + [ 69, "ip_only", "@action=set_allow @method=GET", "@action=set_allow @method=GET", ALLOW_GET, 200, 403, ], + [ 70, "ip_only", "@action=set_allow @method=GET", "@action=set_allow @method=GET", DENY_GET, 200, 403, ], + [ 71, "ip_only", "@action=set_allow @method=GET", "@action=set_allow @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 72, "ip_only", "@action=set_allow @method=GET", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 200, 403, ], + [ 73, "ip_only", "@action=set_allow @method=GET", "@action=set_deny @method=GET", ALLOW_GET, 200, 403, ], + [ 74, "ip_only", "@action=set_allow @method=GET", "@action=set_deny @method=GET", DENY_GET, 200, 403, ], + [ 75, "ip_only", "@action=set_allow @method=GET", "@action=set_deny @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 76, "ip_only", "@action=set_deny @method=GET", "", ALLOW_GET_AND_POST, 403, 200, ], + [ 77, "ip_only", 
"@action=set_deny @method=GET", "", ALLOW_GET, 403, 200, ], + [ 78, "ip_only", "@action=set_deny @method=GET", "", DENY_GET, 403, 200, ], + [ 79, "ip_only", "@action=set_deny @method=GET", "", DENY_GET_AND_POST, 403, 200, ], + [ 80, "ip_only", "@action=set_deny @method=GET", "@action=set_allow @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 81, "ip_only", "@action=set_deny @method=GET", "@action=set_allow @method=GET", ALLOW_GET, 403, 200, ], + [ 82, "ip_only", "@action=set_deny @method=GET", "@action=set_allow @method=GET", DENY_GET, 403, 200, ], + [ 83, "ip_only", "@action=set_deny @method=GET", "@action=set_allow @method=GET", DENY_GET_AND_POST, 403, 200, ], + [ 84, "ip_only", "@action=set_deny @method=GET", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 85, "ip_only", "@action=set_deny @method=GET", "@action=set_deny @method=GET", ALLOW_GET, 403, 200, ], + [ 86, "ip_only", "@action=set_deny @method=GET", "@action=set_deny @method=GET", DENY_GET, 403, 200, ], + [ 87, "ip_only", "@action=set_deny @method=GET", "@action=set_deny @method=GET", DENY_GET_AND_POST, 403, 200, ], ] # yapf: enable diff --git a/tests/gold_tests/remap/remap_acl.test.py b/tests/gold_tests/remap/remap_acl.test.py index 57b24b3f76..9115723ee5 100644 --- a/tests/gold_tests/remap/remap_acl.test.py +++ b/tests/gold_tests/remap/remap_acl.test.py @@ -8,9 +8,7 @@ Verify remap.config acl behavior. # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# +# # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
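Review bot: None of the `ip_and_method` rows in `all_acl_combinations` uses `set_allow` or `set_deny`, although the RemapConfig.cc change in this commit accepts both names under that policy too, so the table does not pin that the new spellings behave like `allow`/`deny` there. Unless remap_acl.test.py covers this elsewhere, a few mirrored rows would close the gap, for example `[ 88, "ip_and_method", "", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ],`, whose expected codes are copied from row 8 on the assumption that the two names are equivalent. The visible `ip_only` rows likewise exercise only the `set_` actions, not `add_allow`/`add_deny`.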
@@ -20,7 +18,6 @@ Verify remap.config acl behavior. import os import io import re -import pathlib import inspect import tempfile from yaml import load, dump 
@@ -136,7 +133,71 @@ class Test_remap_acl: '.*'.join(codes), "Verifying the expected order of responses", reflags=re.DOTALL | re.MULTILINE) -IP_ALLOW_CONTENT = f''' +class Test_old_action: + _ts_counter: int = 0 + + def __init__(self, name: str, acl_filter: str, ip_allow_content: str) -> None: + '''Test that ATS fails with a FATAL message if an old action is used with modern ACL filter policy. + + :param name: The name of the test run. + :param acl_filter: The ACL filter to use. + :param ip_allow_content: The ip_allow configuration to use. + ''' + + tr = Test.AddTestRun(name) + ts = self._configure_traffic_server(tr, acl_filter, ip_allow_content) + + def _configure_traffic_server(self, tr: 'TestRun', acl_filter: str, ip_allow_content: str) -> 'Process': + '''Configure Traffic Server process + + :param tr: The TestRun object to associate the Traffic Server process with. + :param acl_filter: The ACL filter to configure in remap.config. + :param ip_allow_content: The ip_allow configuration to use. + :return: The Traffic Server process. + ''' + name = f"ts-old-action-{Test_old_action._ts_counter}" + Test_old_action._ts_counter += 1 + ts = tr.MakeATSProcess(name) + self._ts = ts + + ts.Disk.records_config.update( + { + 'proxy.config.diags.debug.enabled': 1, + 'proxy.config.diags.debug.tags': 'http|url|remap|ip_allow', + 'proxy.config.url_remap.acl_matching_policy': 1, + }) + + ts.Disk.remap_config.AddLine(f'map / http://127.0.0.1:8080 {acl_filter}') + if ip_allow_content: + ts.Disk.ip_allow_yaml.AddLines(ip_allow_content.split("\n")) + + if acl_filter != '': + expected_error = '"allow" and "deny" are no longer valid.' + else: + expected_error = 'Legacy action name of' + + # We have to wait upon TS to emit the expected log message, but it cannot be + # the ts Ready criteria because autest might detect the process going away + # before it detects the log message. So we add a separate process that waits + # upon the log message. 
+ watcher = tr.Processes.Process("watcher") + watcher.Command = "sleep 10" + watcher.Ready = When.FileContains(ts.Disk.diags_log.Name, expected_error) + watcher.StartBefore(ts) + + tr.Processes.Default.Command = 'printf "Fatal Shutdown Test"' + tr.Processes.Default.ReturnCode = 0 + tr.Processes.Default.StartBefore(watcher) + + tr.Timeout = 5 + ts.ReturnCode = Any(33, 70) + ts.Ready = 0 + ts.Disk.diags_log.Content = Testers.IncludesExpression(expected_error, 'ATS should fatal with the old actions.') + + return ts + + +IP_ALLOW_OLD_ACTION = f''' ip_categories: - name: ACME_LOCAL ip_addrs: 127.0.0.1 @@ -151,13 +212,32 @@ ip_allow: - GET ''' +IP_ALLOW_CONTENT = f''' +ip_categories: + - name: ACME_LOCAL + ip_addrs: 127.0.0.1 + - name: ACME_EXTERNAL + ip_addrs: 5.6.7.8 + +ip_allow: + - apply: in + ip_addrs: 0/0 + action: set_allow + methods: + - GET +''' + +Test_old_action("Verify allow is reject in modern policy", "@action=allow @method=GET", IP_ALLOW_CONTENT) +Test_old_action("Verify deny is reject in modern policy", "@action=deny @method=GET", IP_ALLOW_CONTENT) +Test_old_action("Verify deny is reject in modern policy", "", IP_ALLOW_OLD_ACTION) + test_ip_allow_optional_methods = Test_remap_acl( "Verify non-allowed methods are blocked.", replay_file='remap_acl_get_post_allowed.replay.yaml', ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip=127.0.0.1 @method=GET @method=POST', + acl_configuration='@action=set_allow @src_ip=127.0.0.1 @method=GET @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) @@ -187,7 +267,7 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip=1.2.3.4 @method=GET @method=POST', + acl_configuration='@action=set_allow @src_ip=1.2.3.4 @method=GET @method=POST', named_acls=[], expected_responses=[200, 403, 403, 403, 403]) 
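Review bot: In `_configure_traffic_server`, `ts.ReturnCode = Any(33, 70)` and `ts.Ready = 0` carry no explanation, while the watcher setup just above them gets a full comment. These two lines are what let the run pass only when ATS refuses to start with a legacy action name under the new policy, so a reader needs to know they are deliberate. I would add a comment above them such as `# ATS is expected to exit on the fatal config error; Ready = 0 keeps autest from treating the early exit as a failure.`, assuming `Ready = 0` has that effect here. Separately, `ts = self._configure_traffic_server(...)` in `__init__` binds a local that is never read, since the helper already stores `self._ts`, so the assignment can be dropped.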
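Review bot: The third `Test_old_action(...)` call reuses the run name "Verify deny is reject in modern policy", yet it passes an empty remap filter and `IP_ALLOW_OLD_ACTION`, so it exercises the ip_allow.yaml path rather than a remap `@action=deny`. Two runs with the same name make a failure hard to attribute; I would rename it, e.g. `Test_old_action("Verify legacy ip_allow.yaml action is rejected in modern policy", "", IP_ALLOW_OLD_ACTION)`, and change "is reject" to "is rejected" in the other two names. The `action:` line of `IP_ALLOW_OLD_ACTION` falls between hunks and is not visible here, but a single ip_allow.yaml case can cover only one of the two legacy names. Since this is a fail-closed check on access-control configuration, a second ip_allow.yaml case for the other legacy name would close that gap.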
@@ -197,7 +277,7 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip=all @method=GET @method=POST', + acl_configuration='@action=set_allow @src_ip=all @method=GET @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) @@ -207,7 +287,7 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip_category=ACME_LOCAL @method=GET @method=POST', + acl_configuration='@action=set_allow @src_ip_category=ACME_LOCAL @method=GET @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) @@ -217,7 +297,7 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @method=GET @method=POST', + acl_configuration='@action=set_allow @method=GET @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) @@ -227,7 +307,7 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=deny @src_ip=127.0.0.1 @method=GET @method=POST', + acl_configuration='@action=set_deny @src_ip=127.0.0.1 @method=GET @method=POST', named_acls=[], expected_responses=[403, 403, 200, 200, 400]) @@ -247,8 +327,8 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip=1.2.3.4 @method=GET @method=POST', - named_acls=[('deny', '@action=deny')], + acl_configuration='@action=set_allow @src_ip=1.2.3.4 @method=GET @method=POST', + named_acls=[('deny', '@action=set_deny')], expected_responses=[403, 403, 403, 403, 403]) test_ip_allow_optional_methods = Test_remap_acl( 
@@ -257,8 +337,8 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip=~127.0.0.1 @method=GET @method=POST', - named_acls=[('deny', '@action=deny')], + acl_configuration='@action=set_allow @src_ip=~127.0.0.1 @method=GET @method=POST', + named_acls=[('deny', '@action=set_deny')], expected_responses=[403, 403, 403, 403, 403]) test_ip_allow_optional_methods = Test_remap_acl( @@ -267,8 +347,8 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip=~3.4.5.6 @method=GET @method=POST', - named_acls=[('deny', '@action=deny')], + acl_configuration='@action=set_allow @src_ip=~3.4.5.6 @method=GET @method=POST', + named_acls=[('deny', '@action=set_deny')], expected_responses=[200, 200, 403, 403, 403]) test_ip_allow_optional_methods = Test_remap_acl( @@ -277,8 +357,8 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip_category=~ACME_LOCAL @method=GET @method=POST', - named_acls=[('deny', '@action=deny')], + acl_configuration='@action=set_allow @src_ip_category=~ACME_LOCAL @method=GET @method=POST', + named_acls=[('deny', '@action=set_deny')], expected_responses=[403, 403, 403, 403, 403]) test_ip_allow_optional_methods = Test_remap_acl( 
@@ -287,8 +367,8 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip_category=~ACME_EXTERNAL @method=GET @method=POST', - named_acls=[('deny', '@action=deny')], + acl_configuration='@action=set_allow @src_ip_category=~ACME_EXTERNAL @method=GET @method=POST', + named_acls=[('deny', '@action=set_deny')], expected_responses=[200, 200, 403, 403, 403]) test_ip_allow_optional_methods = Test_remap_acl( @@ -298,9 +378,9 @@ test_ip_allow_optional_methods = Test_remap_acl( deactivate_ip_allow=False, acl_matching_policy=1, # The rule will not match because, while @src_ip matches, @src_ip_category does not. - acl_configuration='@action=allow @src_ip=127.0.0.1 @src_ip_category=ACME_EXTERNAL @method=GET @method=POST', + acl_configuration='@action=set_allow @src_ip=127.0.0.1 @src_ip_category=ACME_EXTERNAL @method=GET @method=POST', # Therefore, this named deny filter will block. - named_acls=[('deny', '@action=deny')], + named_acls=[('deny', '@action=set_deny')], expected_responses=[403, 403, 403, 403, 403]) test_ip_allow_optional_methods = Test_remap_acl( @@ -309,8 +389,8 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip=127.0.0.1 @method=GET @method=POST', - named_acls=[('deny', '@action=deny')], + acl_configuration='@action=set_allow @src_ip=127.0.0.1 @method=GET @method=POST', + named_acls=[('deny', '@action=set_deny')], expected_responses=[200, 200, 403, 403, 403]) test_ip_allow_optional_methods = Test_remap_acl( 
@@ -319,7 +399,7 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @src_ip=127.0.0.1 @method=GET @method=POST', + acl_configuration='@action=set_allow @src_ip=127.0.0.1 @method=GET @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) @@ -330,7 +410,7 @@ test_ip_allow_optional_methods = Test_remap_acl( deactivate_ip_allow=True, acl_matching_policy=1, # This won't match, so nothing will match since ip_allow.yaml is off. - acl_configuration='@action=allow @src_ip=1.2.3.4 @method=GET @method=POST', + acl_configuration='@action=set_allow @src_ip=1.2.3.4 @method=GET @method=POST', named_acls=[], # Nothing will block the request since ip_allow.yaml is off. expected_responses=[200, 200, 200, 200, 400]) @@ -341,7 +421,7 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @in_ip=127.0.0.1 @method=GET @method=POST', + acl_configuration='@action=set_allow @in_ip=127.0.0.1 @method=GET @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) @@ -351,7 +431,7 @@ test_ip_allow_optional_methods = Test_remap_acl( ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, acl_matching_policy=1, - acl_configuration='@action=allow @in_ip=3.4.5.6 @method=GET @method=POST', + acl_configuration='@action=set_allow @in_ip=3.4.5.6 @method=GET @method=POST', named_acls=[], expected_responses=[200, 403, 403, 403, 403]) @@ -362,7 +442,7 @@ test_named_acl_deny = Test_remap_acl( deactivate_ip_allow=False, acl_matching_policy=1, acl_configuration='', - named_acls=[('deny', '@action=deny @method=HEAD @method=POST')], + named_acls=[('deny', '@action=set_deny @method=HEAD @method=POST')], expected_responses=[200, 403, 403, 403]) 
@@ -403,7 +483,6 @@ for idx, test in enumerate(all_acl_combination_tests): test["GET response"], test["POST response"], ) - Test.Summary = "table test {0}".format(idx) Test_remap_acl( "{0} {1} {2}".format(test["inline"], test["named_acl"], test["ip_allow"]), replay_file=replay_file_name, @@ -429,7 +508,6 @@ for idx, test in enumerate(all_deactivate_ip_allow_tests): test["GET response"], test["POST response"], ) - Test.Summary = "table test {0}".format(idx) Test_remap_acl( "{0} {1} {2}".format(test["inline"], test["named_acl"], test["ip_allow"]), replay_file=replay_file_name,
