bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 6dfbff3235 ACL filter action documentation updates (#11635)
6dfbff3235 is described below
commit 6dfbff32353a34233605ce8f90a62bcb97f2d5e8
Author: Brian Neradt <[email protected]>
AuthorDate: Fri Aug 2 19:32:18 2024 -0500
ACL filter action documentation updates (#11635)
This renames the ACL filter behavior as "legacy" and "modern" and
documents that the legacy behavior, while the default for 10.x, is
deprecated and will be removed in 11.x
This also adds documentation for set_allow and set_deny.
---
configs/records.yaml.default.in | 1 +
doc/admin-guide/files/ip_allow.yaml.en.rst | 15 +-
doc/admin-guide/files/records.yaml.en.rst | 25 ++-
doc/admin-guide/files/remap.config.en.rst | 234 +++++++++++++++++++------
include/proxy/http/remap/RemapConfig.h | 6 +-
include/proxy/http/remap/UrlRewrite.h | 12 +-
src/proxy/IPAllow.cc | 2 +-
src/proxy/http/remap/RemapConfig.cc | 16 +-
src/proxy/http/remap/UrlRewrite.cc | 30 ++--
src/records/RecordsConfig.cc | 2 +-
tests/gold_tests/ip_allow/ip_category.test.py | 2 +-
tests/gold_tests/remap/all_acl_combinations.py | 176 +++++++++----------
tests/gold_tests/remap/deactivate_ip_allow.py | 102 +++++------
tests/gold_tests/remap/remap_acl.test.py | 54 +++---
14 files changed, 410 insertions(+), 267 deletions(-)
diff --git a/configs/records.yaml.default.in b/configs/records.yaml.default.in
index a2506cce77..f59a1ffbdc 100644
--- a/configs/records.yaml.default.in
+++ b/configs/records.yaml.default.in
@@ -216,3 +216,4 @@ records:
#
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.yaml.en.html#proxy-config-url-remap-pristine-host-hdr
pristine_host_hdr: 0
remap_required: 1
+ acl_behavior_policy: 0
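Review bot: The added `acl_behavior_policy: 0` line has no comment, while the visible context above it carries a documentation link for `pristine_host_hdr`. The same commit documents this setting as deprecated in 10.x and removed in 11.x, so the shipped default file should say so where operators will read it. A comment above the key such as `# 0 = legacy allow/deny behavior (deprecated, removed in 11.x), 1 = modern; see acl_behavior_policy in the records.yaml documentation` would make clear that the value selects how ACL actions are interpreted.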
diff --git a/doc/admin-guide/files/ip_allow.yaml.en.rst
b/doc/admin-guide/files/ip_allow.yaml.en.rst
index 63e6d3ae2f..bfb840da17 100644
--- a/doc/admin-guide/files/ip_allow.yaml.en.rst
+++ b/doc/admin-guide/files/ip_allow.yaml.en.rst
@@ -99,7 +99,20 @@ The keys in a rule are:
Either this or ``ip_addrs`` are required keys for a rule.
``action``
- The action, which must be ``allow`` or ``deny``. This is a required key.
+ The action describing the behavior of the rule. This can be either
``set_allow`` or ``set_deny``.
+ ``set_allow`` provides a list of allowed methods, while all requests with
other methods are
+ denied. ``set_deny`` provides a list of denied methods, while all requests
with other methods are
+ allowed. This is a required key.
+
+.. note::
+ Prior to |TS| 10.x, these actions were named ``allow`` and ``deny``. In
order to bring alignment
+ to the action names in remap ACL actions (see :ref:`acl-filters` for more
details), these have
+ been renamed to ``set_allow`` and ``set_deny``. If
+ :ts:cv:`proxy.config.url_remap.acl_behavior_policy` is set to 0, which is
the default, the old
+ ``allow`` and ``deny`` actions are still supported in order to provide
backwards compatibility to
+ |TS| 9.x :file:`ip_allow.yaml` files. If it is set to 1, then the use of
``allow`` and ``deny``
+ will result in a fatal error with a message asking the user to use
``set_allow`` and ``set_deny``
+ instead.
``methods``
This is optional. If not present, the rule action applies to all methods.
If present, the rule
diff --git a/doc/admin-guide/files/records.yaml.en.rst
b/doc/admin-guide/files/records.yaml.en.rst
index 41c6bb3a2a..3061387b9c 100644
--- a/doc/admin-guide/files/records.yaml.en.rst
+++ b/doc/admin-guide/files/records.yaml.en.rst
@@ -3559,17 +3559,28 @@ URL Remap Rules
This is dynamic to enable different requirements for startup and reloading.
-.. ts:cv:: CONFIG proxy.config.url_remap.acl_matching_policy INT 0
+.. ts:cv:: CONFIG proxy.config.url_remap.acl_behavior_policy INT 0
:reloadable:
- This controls matching policy of ACL filters in :file:`remap.config`. See
:ref:`acl-filters` for more details.
+ This controls how the ACL filter ``allow`` and ``deny`` actions behave in
:file:`remap.config`. See
+ :ref:`acl-filters` for more details.
- ===== =============================
+ ===== =================================
Value Description
- ===== =============================
- ``0`` Match on IP and Method Policy
- ``1`` Match on IP only Policy
- ===== =============================
+ ===== =================================
+ ``0`` Legacy (9.x and below) behavior.
+ ``1`` Modern (10.x and above) behavior.
+ ===== =================================
+
+ The value ``0`` provides ACL filter ``allow`` and ``deny`` action behavior
that is backwards compatible with previous
+ versions of |TS|. The value ``1`` results in a fatal log message if
``allow`` or ``deny`` is used with a message
+ encouraging the user to transition to either ``set_allow`` or ``set_deny``
or ``add_allow`` or ``add_deny`` actions.
+ ``0`` is the default value.
+
+.. note::
+
+ This configuration is deprecated in 10.x. Starting with 11.x, |TS| will
always function like this configuration is
+ set to ``1`` (modern) and the configuration will be removed entirely.
.. _records-config-ssl-termination:
diff --git a/doc/admin-guide/files/remap.config.en.rst
b/doc/admin-guide/files/remap.config.en.rst
index 72fcc0aa96..131744a036 100644
--- a/doc/admin-guide/files/remap.config.en.rst
+++ b/doc/admin-guide/files/remap.config.en.rst
@@ -455,7 +455,7 @@ As is the case with :file:`ip_allow.yaml` rules, each ACL
filter takes one of a
- ``allow``: This behaves like the ``allow`` action in :file:`ip_allow.yaml`
in which a list of allowed methods are
provided. Any request with a method in the list is allowed, while any
request with a method not in the list is denied.
- The exception to this is if
:ts:cv:`proxy.config.url_remap.acl_matching_policy` is set to ``0``. In this
case, the
+ The exception to this is if
:ts:cv:`proxy.config.url_remap.acl_behavior_policy` is set to ``0``. In this
case, the
``allow`` action is a synonym for ``add_allow``, described below.
- ``add_allow``: This action adds a list of allowed methods to whatever other
methods are allowed in a subsequently
matched ACL filter or :file:`ip_allow.yaml` rule. Thus, if an ``add_allow``
ACL filter specifies the ``POST`` method,
@@ -463,7 +463,7 @@ As is the case with :file:`ip_allow.yaml` rules, each ACL
filter takes one of a
have ``POST``, ``GET``, or ``HEAD`` methods will be allowed while all others
will be denied.
- ``deny``: This behaves like the ``deny`` action in :file:`ip_allow.yaml` in
which a list of denied methods are
provided. Any request with a method in the list is denied, while any request
with a method not in the list is allowed.
- The exception to this is if
:ts:cv:`proxy.config.url_remap.acl_matching_policy` is set to ``0``. In this
case, the
+ The exception to this is if
:ts:cv:`proxy.config.url_remap.acl_behavior_policy` is set to ``0``. In this
case, the
``deny`` action is a synonym for ``add_deny``, described below.
- ``add_deny``: This action adds a list of denied methods to whatever other
methods are denied in a subsequently matched
ACL filter or :file:`ip_allow.yaml` rule. Thus, if an ``add_deny`` ACL
filter specifies the ``POST`` method, and a
@@ -564,84 +564,171 @@ Note this entirely disables :file:`ip_allow.yaml` checks
for those remap rules.
Evaluation Order and Matching Policy
------------------------------------
-ATS evaluates multiple ACL filters in the following order:
+|TS| evaluates multiple ACL filters in the following order:
1. Special "deny all" filter in :file:`ip_allow.yaml`
2. In-line Filter in :file:`remap.config`
3. Named Filters in :file:`remap.config`
4. Filters in :file:`ip_allow.yaml`
-When an ACL filter is found, ATS stops processing subsequent ACL filters
depending on the mathcing policy configured by
-:ts:cv:`proxy.config.url_remap.acl_matching_policy`.
+When a matching ACL filter is found, |TS| stops processing subsequent ACL
filters.
-Note the step 1 happens at the start of the connection before any transactions
are processed, unlike the other rules here.
+Note that step 1 happens at the start of the connection before any
transactions are processed, unlike the other rules
+here. This is an optimization: if literally all requests are denied for a
source IP address via an
+:file:`ip_allow.yaml` rule, then there is no need to process any content from
that IP for the connection at all, so the
+connection is simply denied at the start.
.. note::
- ATS v10 introduced following matching policies. Prior to the change, ATS
traverses all matched ACL filters by IP and "deny"
- action had priority.
+ Prior to |TS| 10.x, |TS| traversed all matched ACL filters by IP and "deny"
action had priority.
+
+ACL Action Behavior Changes for 10.x
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Before |TS| 10.x, ACL filters used the same action names as
:file:`ip_allow.yaml` (``allow`` and ``deny``) but these
+actions behaved differently.
+
+- As described in :file:`ip_allow.yaml`, for any transaction matching an
:file:`ip_allow.yaml` rule whose action is
+ ``allow``, any request with a method in the allow list will be accepted,
while all other methods are denied. ``deny``
+ actions instead list methods which are denied, while all other methods are
implicitly allowed.
+- These same action names for ACL filters, on the other hand, functioned
essentially additively in nature. For instance,
+ an ``allow`` ACL filter action would list a set of methods which would be
allowed in addition to any other allowed
+ methods specified by :file:`ip_allow.yaml` rules. Similarly, a ``deny`` ACL
filter action would list a set of methods
+ which would be denied in addition to any other denied methods specified by
:file:`ip_allow.yaml` rules.
+
+This difference in behavior lead at times to confusion as users would expect
the two actions having the same name to
+behave the same across the ACL filter and :file:`ip_allow.yaml` rule systems.
+
+For |TS| 10.x, a few action naming changes are being done to disambiguate the
behavior of :file:`ip_allow.yaml` and
+remap ACL filter actions. The following new action names are introduced:
+
+- ``add_allow``: this ACL filter action name, new to |TS| 10.x, behaves like
``allow`` used to behave for ACL filters
+ pre |TS| 10.x: that is, it adds methods which are allowed to the
:file:`ip_allow.yaml` rule otherwise matched for the
+ given transaction.
+- ``add_deny``: this ACL filter action name, new to |TS| 10.x, behaves like
``deny`` used to behave for ACL filters pre
+ |TS| 10.x: that is, it adds methods which are denied the
:file:`ip_allow.yaml` rule otherwise matched for the given
+ transaction.
+- ``set_allow``: this is an entirely new ACL filter action being introduced in
|TS| 10.x. The new ``set_allow`` action
+ creates a remap filter that behaves like an :file:`ip_allow.yaml` rule with
an ``allow`` action. All requests with a
+ method in the list will be allowed, requests with methods not in the list
will be denied, and no other filters or
+ :file:`ip_allow.yaml` rules will be applied. To demonstrate the consistency
between this action and how it acts like
+ the corresponding :file:`ip_allow.yaml` rule action, the ``set_allow``
action is also introduced for
+ :file:`ip_allow.yaml` rules and its behavior is identical to the ``allow``
:file:`ip_allow.yaml` rule action for pre
+ |TS| 10.x releases.
+- ``set_deny``: this is an entirely new ACL filter action being introduced in
|TS| 10.x. The new ``set_deny`` action
+ creates a remap filter that behaves like an :file:`ip_allow.yaml` rule with
a ``deny`` action. All requests with a
+ method in the list will be denied, requests with methods not in the list
will be allowed, and no other filters or
+ :file:`ip_allow.yaml` rules will be applied. To demonstrate the consistency
between this action and how it acts like
+ the corresponding :file:`ip_allow.yaml` rule action, the ``set_deny`` action
is also introduced for
+ :file:`ip_allow.yaml` rules and its behavior is identical to the ``deny``
:file:`ip_allow.yaml` rule action for pre
+ |TS| 10.x releases.
+
+The behavior of the |TS| 9.x ``allow`` and ``deny`` actions are configurable
via
+:ts:cv:`proxy.config.url_remap.acl_behavior_policy`. This configuration is
described in the next two sections, but in
+short, by default the ``allow`` and ``deny`` actions behave like they did in
|TS| 9.x in order to provide backwards
+compatibility and avoid surprises for people upgrading to |TS| 10.x.
+
+Legacy Policy
+~~~~~~~~~~~~~
+
+This is the default ACL action policy and it is configured by setting
+:ts:cv:`proxy.config.url_remap.acl_behavior_policy` to ``0``. With this
policy, ACL filter ``allow`` and ``deny``
+actions behave like they did pre |TS| 10.x: they additively add allowed or
denied methods for transactions.
+Functionally, this means that with this set to ``0``, ``allow`` is a synonym
for ``add_allow`` and ``deny`` is a synonym
+for ``add_deny``. Because of this, an organization can easily, and
incrementally prepare for the new ACL filter action
+behavior by transitioning a rule one at a time by simply replacing ``allow``
with ``add_allow`` and ``deny`` with
+``add_deny``. Once all actions are transitioned, an organization can then
switch to the modern policy.
+
+As mentioned above, the legacy and modern ACL filter action policies described
in these two sections configure how |TS|
+will respond to the older ``allow`` and ``deny`` actions. ``set_allow``,
``set_deny``, ``add_allow``, and ``add_deny``
+actions are not affected by this configuration and they behave the same
between the two policies.
-Match on IP and Method Policy
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This is the default matching policy. With this policy, ACL filters, in-line or
named, only take effect if both IP address and HTTP
-method match the incoming request. If there is no match, ATS proceeds to the
next ACL filter to find a matching one.
-
-This policy is useful for organizations that want ACL rules to additively
allow or deny specific methods in addition to other ACL
-filters and :file:`ip_allow.yaml` rules.
-
Consider a filter like the following:
::
map http://www.example.com/ http://internal.example.com/ @action=deny
@method=POST
-The implicit ``@src_ip`` is all client IP addresses, so this filter will match
on any ``POST`` request matched by this remap rule
-from any client and its action will be to deny such POST requests. For all
other methods, the filter will not take effect, thus
-allowing other active ACL filters or an :file:`ip_allow.yaml` rule to
determine the action to take for any other transaction.
+The implicit ``@src_ip`` is all client IP addresses, so this filter will match
on any ``POST`` request matched by this
+remap rule from any client and its action will be to deny such POST requests.
For all other methods, the filter will not
+take effect, thus allowing other active ACL filters or an
:file:`ip_allow.yaml` rule to determine the action to take for
+any other transaction.
-.. note::
+With the legacy policy being described here, this filter acts identically with
an ``add_deny`` action. Thus, the above
+rule is identical to:
- This policy's behavior is similar to ATS v9 and older, but employs "first
match wins" policy.
+::
-Match on IP only Policy
-~~~~~~~~~~~~~~~~~~~~~~~
+ map http://www.example.com/ http://internal.example.com/ @action=add_deny
@method=POST
-With this policy, ACL filters match solely based upon IP address, meaning that
ACL filters match like :file:`ip_allow.yaml` rules.
-When a filter is processed, the action is applied to the specified methods and
its opposite to **all other** methods.
+.. note::
-This policy is useful for organizations that want to have ACL filters behave
like :file:`ip_allow.yaml` rules specific to remap
-targets.
+ This policy's behavior is similar to |TS| 9.x and older, but employs a
"first match wins" policy.
-Consider a filter like the following (the same as above):
+And just to be complete, here is a rule using the new ``set_allow`` action:
::
- map http://www.example.com/ http://internal.example.com/ @action=deny
@method=POST
+ map http://www.example.com/ http://internal.example.com/ @action=set_allow
@method=GET @method=HEAD
+
+This is a new type of rule that could not be added pre |TS| 10.x. It behaves
like a corresponding :file:`ip_allow.yaml`
+``allow`` action rule like this would have behaved in |TS| 9.x. This rule will
allow only ``GET`` and ``HEAD`` requests
+to the ``internal.example.com`` origin while all requests with any other
method will be rejected. No other ACL filters
+or :file:`ip_allow.yaml` rules will apply for this target.
-The implicit ``@src_ip`` is all client IP address, so this filter will apply
to **all** requests matching this remap rule. Again,
-like an analogously crafted :file:`ip_allow.yaml` action rule, this will deny
``POST`` request while allowing **all** other methods
-to the ``www.example.com``. No other ACL filters or :file:`ip_allow.yaml`
rules will be applied for any request to this target.
+Modern Policy
+~~~~~~~~~~~~~
-More realistic example is following:
+As described above in the section "ACL Action Behavior Changes for 10.x", we
are moving away from the old ``allow`` and
+``deny`` actions are transitioning to the new ``set_allow`` and ``set_deny``
and ``add_allow`` and ``add_deny`` actions.
+Setting :ts:cv:`proxy.config.url_remap.acl_behavior_policy` to ``1`` enables
the "modern" policy for organizations who
+have made this transition to these new ACL filter names. With this modern
policy set, the use of ``allow`` and ``deny``
+actions will be detected as an accidental and fatal error with a message
requesting the user to convert to the new
+action names. This policy will be the default in |TS| 11.x. This is the only
behavioral difference between the two
+policies.
+
+Thus, consider a filter like the following (the exact same as the first
example in the legacy section above):
::
- map http://www.example.com/ http://internal.example.com/ @action=allow
@method=GET @method=HEAD
+ map http://www.example.com/ http://internal.example.com/ @action=deny
@method=POST
+
+Note that this uses the old ``deny`` action. With the modern policy, this will
be detected as a fatal error and |TS|
+will not start with this configuration and the user will be expected to
convert this to an ACL filter using either the
+``add_deny`` or the ``set_deny`` actions. The same will happen with an
``@action=allow`` action.
+
+Again, ``set_allow``, ``set_deny``, ``add_allow``, and ``add_deny`` actions
all act the same between modern and legacy
+behavior configurations, so the examples for those above for the legacy
configuration also apply identically to the
+modern configuration.
-The implicit ``@src_ip`` is all client IP address, so this filter will apply
to all transactions matching this remap rule. Again,
-like an analogously crafted ip_allow allow rule, this will allow ``GET`` and
``HEAD`` requests while denying all other methods to
-the ``internal.example.com`` origin. No other ACL filters or ip_allow rules
will apply for this target.
+Upgrade Notes
+~~~~~~~~~~~~~
-.. warning::
+As explained above, for 10.x, by default
:ts:cv:`proxy.config.url_remap.acl_behavior_policy` is set to ``0`` to maintain
+ACL filter action backwards compatibility with |TS| 9.x and older
:file:`remap.config` files. This means that ACL filter
+actions ``allow`` and ``deny`` behave additively like ``add_allow`` and
``add_deny`` just like they did for 9.x and
+older. This is to ease the transition to the modern ACL filter behavior.
+
+When an organization is ready to upgrade to the modern ACL filter action
behavior, they need to ensure that they
+transitioned all of their ``allow`` and ``deny`` :file:`ip_allow.yaml` rules
and :file:`remap.config` ACL filter actions
+to either ``add_allow`` and ``add_deny`` or ``set_allow`` and ``set_deny``
actions. To maintain 9.x behavior, this
+simply means replacing ``allow`` with ``add_allow`` and ``deny`` with
``add_deny``. In case it is helpful,
+``tools/remap/convert_remap_actions_to_10x`` is provided to do this
replacement programmatically. Once all rules are
+updated, the organization can then switch to the modern policy by setting
+:ts:cv:`proxy.config.url_remap.acl_behavior_policy` to ``1``.
:ts:cv:`proxy.config.url_remap.acl_behavior_policy` will
+be removed in 11.x and the modern policy will be the default and only behavior.
- This policy has completly new behavior introduced by ATS v10. When the
``@action=deny`` is used with this policy, be careful to
- list up **all** methods to deny. Otherwise, the cache control methods like
``PURGE`` and ``PUSH`` are allowed unintentionally.
Example of ACL filter combinations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+As described above, the new ``add_allow`` and ``add_deny`` actions behave the
same in both legacy and modern ACL filter
+policies: they add to underlying :file:`ip_allow.yaml` rules methods that are
either allowed or denied, respectively.
+The difference in behavior with these policies is how ``allow`` and ``deny``
actions behave. To help ensure that the
+behaviors between these two modes is understood, this section walks through
examples of differences between these two
+policies for ``allow`` and ``deny`` actions.
+
This is an example of in-line filter, named filters in :file:`remap.config`,
and :file:`ip_allow.yaml`.
::
@@ -662,32 +749,63 @@ This is an example of in-line filter, named filters in
:file:`remap.config`, and
map http://www.example.com/ http://internal.example.com/ @action=deny
@method=POST
-With the "Match on IP and Method Policy", the evaluation applied from left to
right until match is found:
+With the "Legacy" policy, the evaluation applied from left to right until
match is found:
====== ============== ============== ============== ================
=============
Method In-line Filter Named Filter 1 Named Filter 2 ip_allow.yaml result
====== ============== ============== ============== ================
=============
GET \- \- \- allow (implicit) allowed
(200)
-POST deny \- \- \- denied
(403)
-HEAD \- allow \- \- allowed
(200)
-DELETE \- \- deny \- denied
(403)
+POST deny \- \- allow (implicit) denied
(403)
+HEAD \- allow \- allow (implicit) allowed
(200)
+DELETE \- \- deny allow (implicit) denied
(403)
PURGE \- \- \- deny denied
(403)
PUSH \- \- \- deny denied
(403)
====== ============== ============== ============== ================
=============
-With the "Match on IP only Policy", the in-line filter works like an
:file:`ip_allow.yaml` rule applies to all requests to
-``www.example.com`` that denies ``POST`` requests and implicitly allows all
other methods:
-
-====== ================ ============== ============== =============
=============
-Method In-line Filter Named Filter 1 Named Filter 2 ip_allow.yaml result
-====== ================ ============== ============== =============
=============
-GET allow (implicit) \- \- \- allowed
(200)
-POST deny \- \- \- denied
(403)
-HEAD allow (implicit) allow \- \- allowed
(200)
-DELETE allow (implicit) \- deny \- allowed
(200)
-PURGE allow (implicit) \- \- deny allowed
(200)
-PUSH allow (implicit) \- \- deny allowed
(200)
-====== ================ ============== ============== =============
=============
+With the "Modern" policy, the :file:`ip_allow.yaml` rule as well as all of the
+filter rules would trigger a fatal error message and |TS| would not start. The
+user would need to transition to ``set_allow``, ``set_deny``, ``add_allow``,
and
+``add_deny`` actions.
+
+So let's try a set of conversions like that and consider the following updated
example:
+
+::
+
+ # ip_allow.yaml
+ ip_allow:
+ - apply: in
+ ip_addrs: [0/0, ::/0]
+ action: set_deny
+ method: [PURGE, PUSH]
+
+ # remap.config
+ .definefilter named-filter-1 @action=add_allow @method=HEAD
+ .definefilter named-filter-2 @action=add_deny @method=DELETE
+
+ .activatefilter named-filter-1
+ .activatefilter named-filter-2
+
+ map http://www.example.com/ http://internal.example.com/ @action=set_deny
@method=POST
+
+
+In this case, we changed the :file:`ip_allow.yaml` rule to use ``set_deny``
+instead of ``deny``. This makes it function as it did before in the previous
+example. Also, we changed the two named filter actions to ``add_allow`` and
+``add_deny``. Again, this makes them function as they did in legacy mode.
+Finally, we changed the in-line filter action to ``set_deny`` which changes its
+behavior to be like that of an :file:`ip_allow.yaml` rule: it will deny all
POST
+requests and allow all other requests.
+
+====== ================ ============== ============== ================
=============
+Method In-line Filter Named Filter 1 Named Filter 2 ip_allow.yaml result
+====== ================ ============== ============== ================
=============
+GET allow \- \- allow (implicit) allowed
(200)
+POST deny \- \- allow (implicit) denied
(403)
+HEAD allow allow \- allow (implicit) allowed
(200)
+DELETE allow \- deny allow (implicit) allowed
(200)
+PURGE allow \- \- deny allowed
(200)
+PUSH allow \- \- deny allowed
(200)
+====== ================ ============== ============== ================
=============
Including Additional Remap Files
================================
diff --git a/include/proxy/http/remap/RemapConfig.h
b/include/proxy/http/remap/RemapConfig.h
index bfceef07ca..024a86142b 100644
--- a/include/proxy/http/remap/RemapConfig.h
+++ b/include/proxy/http/remap/RemapConfig.h
@@ -26,7 +26,7 @@
#include "proxy/http/remap/AclFiltering.h"
class UrlRewrite;
-enum class ACLMatchingPolicy;
+enum class ACLBehaviorPolicy;
#define BUILD_TABLE_MAX_ARGS 2048
@@ -56,7 +56,7 @@ struct BUILD_TABLE_INFO {
char *paramv[BUILD_TABLE_MAX_ARGS];
char *argv[BUILD_TABLE_MAX_ARGS];
- ACLMatchingPolicy matching_policy;
+ ACLBehaviorPolicy behavior_policy;
bool ip_allow_check_enabled_p = true;
bool accept_check_p = true;
@@ -74,7 +74,7 @@ struct BUILD_TABLE_INFO {
const char *remap_parse_directive(BUILD_TABLE_INFO *bti, char *errbuf, size_t
errbufsize);
const char *remap_validate_filter_args(acl_filter_rule **rule_pp, const char
**argv, int argc, char *errStrBuf,
- size_t errStrBufSize, ACLMatchingPolicy
matching_policy);
+ size_t errStrBufSize, ACLBehaviorPolicy
behavior_policy);
unsigned long remap_check_option(const char **argv, int argc, unsigned long
findmode = 0, int *_ret_idx = nullptr,
const char **argptr = nullptr);
diff --git a/include/proxy/http/remap/UrlRewrite.h
b/include/proxy/http/remap/UrlRewrite.h
index 94ef4aa9bc..f9e138aeff 100644
--- a/include/proxy/http/remap/UrlRewrite.h
+++ b/include/proxy/http/remap/UrlRewrite.h
@@ -54,9 +54,9 @@ enum mapping_type {
NONE
};
-enum class ACLMatchingPolicy {
- MATCH_ON_IP_AND_METHOD = 0,
- MATCH_ON_IP_ONLY,
+enum class ACLBehaviorPolicy {
+ ACL_BEHAVIOR_LEGACY = 0,
+ ACL_BEHAVIOR_MODERN,
};
/**
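Review bot: The enumerators of the new scoped enum repeat the type name, so every use reads `ACLBehaviorPolicy::ACL_BEHAVIOR_LEGACY` or `ACLBehaviorPolicy::ACL_BEHAVIOR_MODERN`. Because this is an `enum class`, the names cannot leak into the enclosing scope, and `LEGACY = 0,` and `MODERN,` would be unambiguous and shorter at the call sites in RemapConfig.cc and UrlRewrite.cc. A one-line comment on each enumerator tying it to the record values 0 and 1 would also help, since `get_acl_behavior_policy` maps them by hand.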
@@ -71,11 +71,11 @@ public:
/** Retrieve the configured ACL matching policy.
*
- * @param[out] policy The configured ACL matching policy.
+ * @param[out] policy The configured ACL behavior policy.
* @return @c true if the policy is configured to an appropriate value, @c
* false if not.
*/
- static bool get_acl_matching_policy(ACLMatchingPolicy &policy);
+ static bool get_acl_behavior_policy(ACLBehaviorPolicy &policy);
/** Load the configuration.
*
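Review bot: The summary line of this doc comment still reads "Retrieve the configured ACL matching policy." although the `@param` line below it and the function name now say "behavior"; it should become `/** Retrieve the configured ACL behavior policy.`. The same leftover wording appears elsewhere in this commit: the comment "With the new matching policy" and `Warning("Failed to get ACL matching policy.")` in RemapConfig.cc, and the `// ACL Matching Policy` comment in `UrlRewrite::load()`. Changing the warning text alters a runtime message, so any test or log match that depends on it should be checked first.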
@@ -239,7 +239,7 @@ public:
private:
bool _valid = false;
- ACLMatchingPolicy _acl_matching_policy =
ACLMatchingPolicy::MATCH_ON_IP_AND_METHOD;
+ ACLBehaviorPolicy _acl_behavior_policy =
ACLBehaviorPolicy::ACL_BEHAVIOR_LEGACY;
bool _mappingLookup(MappingsStore &mappings, URL *request_url, int
request_port, const char *request_host, int request_host_len,
UrlMappingContainer &mapping_container);
diff --git a/src/proxy/IPAllow.cc b/src/proxy/IPAllow.cc
index d0e1e29b15..21f8cf85a7 100644
--- a/src/proxy/IPAllow.cc
+++ b/src/proxy/IPAllow.cc
@@ -202,7 +202,7 @@ IpAllow::IpAllow(const char *ip_allow_config_var, const
char *ip_categories_conf
:
ip_allow_config_file(ats_scoped_str(RecConfigReadConfigPath(ip_allow_config_var)).get())
{
int matching_policy = 0;
- REC_ReadConfigInteger(matching_policy,
"proxy.config.url_remap.acl_matching_policy");
+ REC_ReadConfigInteger(matching_policy,
"proxy.config.url_remap.acl_behavior_policy");
if (matching_policy == 0) {
this->_is_legacy_action_policy = true;
} else {
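Review bot: This constructor treats only the value 0 as legacy and sends every other integer to the `else` branch, whereas `UrlRewrite::get_acl_behavior_policy` in the same commit accepts only 0 and 1 and rejects anything else with a warning. For a setting that decides how allow/deny rules are interpreted, the two readers should agree on what an out-of-range value means. Consider reading the policy through one shared helper, or rejecting values outside 0 and 1 here as well. The local is also still named `matching_policy` after the rename; `int behavior_policy = 0;` would match the record name. The body of the `else` branch lies outside the hunk, so what it sets is presumed from the `if` side.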
diff --git a/src/proxy/http/remap/RemapConfig.cc
b/src/proxy/http/remap/RemapConfig.cc
index a578479566..f26177f363 100644
--- a/src/proxy/http/remap/RemapConfig.cc
+++ b/src/proxy/http/remap/RemapConfig.cc
@@ -129,7 +129,7 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO
*bti, char *errStrBuf
for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) {
;
}
- errStr = remap_validate_filter_args(rpp, (const char **)bti->argv,
bti->argc, errStrBuf, errStrBufSize, bti->matching_policy);
+ errStr = remap_validate_filter_args(rpp, (const char **)bti->argv,
bti->argc, errStrBuf, errStrBufSize, bti->behavior_policy);
}
for (rp = bti->rules_list; rp; rp = rp->next) {
@@ -143,7 +143,7 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO
*bti, char *errStrBuf
;
}
if ((errStr = remap_validate_filter_args(rpp, (const char **)rp->argv,
rp->argc, errStrBuf, errStrBufSize,
- bti->matching_policy)) !=
nullptr) {
+ bti->behavior_policy)) !=
nullptr) {
break;
}
}
@@ -200,7 +200,7 @@ parse_define_directive(const char *directive,
BUILD_TABLE_INFO *bti, char *errbu
flg = ((rp = acl_filter_rule::find_byname(bti->rules_list, (const char
*)bti->paramv[1])) == nullptr) ? true : false;
// coverity[alloc_arg]
- if ((cstr = remap_validate_filter_args(&rp, (const char **)bti->argv,
bti->argc, errbuf, errbufsize, bti->matching_policy)) ==
+ if ((cstr = remap_validate_filter_args(&rp, (const char **)bti->argv,
bti->argc, errbuf, errbufsize, bti->behavior_policy)) ==
nullptr &&
rp) {
if (flg) { // new filter - add to list
@@ -442,7 +442,7 @@ remap_parse_directive(BUILD_TABLE_INFO *bti, char *errbuf,
size_t errbufsize)
const char *
remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int
argc, char *errStrBuf, size_t errStrBufSize,
- ACLMatchingPolicy matching_policy)
+ ACLBehaviorPolicy behavior_policy)
{
acl_filter_rule *rule;
int i, j;
@@ -632,7 +632,7 @@ remap_validate_filter_args(acl_filter_rule **rule_pp, const
char **argv, int arg
}
if (ul & REMAP_OPTFLG_ACTION) { /* "action=" option */
- if (matching_policy == ACLMatchingPolicy::MATCH_ON_IP_ONLY) {
+ if (behavior_policy == ACLBehaviorPolicy::ACL_BEHAVIOR_MODERN) {
// With the new matching policy, we don't allow the legacy "allow" and
// "deny" actions. Users must transition to either add_allow/add_deny
or
// set_allow/set_deny.
@@ -1066,12 +1066,12 @@ remap_parse_config_bti(const char *path,
BUILD_TABLE_INFO *bti)
Dbg(dbg_ctl_url_rewrite, "[BuildTable] UrlRewrite::BuildTable()");
- ACLMatchingPolicy matching_policy =
ACLMatchingPolicy::MATCH_ON_IP_AND_METHOD;
- if (!UrlRewrite::get_acl_matching_policy(matching_policy)) {
+ ACLBehaviorPolicy behavior_policy = ACLBehaviorPolicy::ACL_BEHAVIOR_LEGACY;
+ if (!UrlRewrite::get_acl_behavior_policy(behavior_policy)) {
Warning("Failed to get ACL matching policy.");
return false;
}
- bti->matching_policy = matching_policy;
+ bti->behavior_policy = behavior_policy;
for (cur_line = tokLine(content.data(), &tok_state, '\\'); cur_line !=
nullptr;) {
reg_map = nullptr;
diff --git a/src/proxy/http/remap/UrlRewrite.cc
b/src/proxy/http/remap/UrlRewrite.cc
index 82336b55c7..91d990beda 100644
--- a/src/proxy/http/remap/UrlRewrite.cc
+++ b/src/proxy/http/remap/UrlRewrite.cc
@@ -58,19 +58,19 @@ SetHomePageRedirectFlag(url_mapping *new_mapping, URL
&new_to_url)
} // end anonymous namespace
bool
-UrlRewrite::get_acl_matching_policy(ACLMatchingPolicy &policy)
+UrlRewrite::get_acl_behavior_policy(ACLBehaviorPolicy &policy)
{
- int matching_policy = 0;
- REC_ReadConfigInteger(matching_policy,
"proxy.config.url_remap.acl_matching_policy");
- switch (matching_policy) {
+ int behavior_policy = 0;
+ REC_ReadConfigInteger(behavior_policy,
"proxy.config.url_remap.acl_behavior_policy");
+ switch (behavior_policy) {
case 0:
- policy = ACLMatchingPolicy::MATCH_ON_IP_AND_METHOD;
+ policy = ACLBehaviorPolicy::ACL_BEHAVIOR_LEGACY;
break;
case 1:
- policy = ACLMatchingPolicy::MATCH_ON_IP_ONLY;
+ policy = ACLBehaviorPolicy::ACL_BEHAVIOR_MODERN;
break;
default:
- Warning("unkown ACL Matching Policy: %d", matching_policy);
+ Warning("unkown ACL Behavior Policy: %d", behavior_policy);
return false;
}
return true;
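Review bot: The rewritten warning in the `default:` branch keeps the typo "unkown", so a log search for "unknown" misses the one message that reports a rejected ACL policy value; since the line is being touched anyway it should read `Warning("unknown ACL Behavior Policy: %d", behavior_policy);`. Separately, `behavior_policy` is initialised to 0 before `REC_ReadConfigInteger`, so if that read can fail without changing the variable (not visible in this hunk) the function would select `ACL_BEHAVIOR_LEGACY` and return true with no diagnostic. A short comment stating that 0 is the intended fallback, or a check of the read result if one is available, would make that explicit. The function's closing brace is outside the hunk.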
@@ -147,7 +147,7 @@ UrlRewrite::load()
}
// ACL Matching Policy
- if (!get_acl_matching_policy(_acl_matching_policy)) {
+ if (!get_acl_behavior_policy(_acl_behavior_policy)) {
_valid = false;
}
@@ -570,13 +570,13 @@ UrlRewrite::PerformACLFiltering(HttpTransact::State *s,
const url_mapping *const
break;
}
- // @action=add_allow and @action=add_deny behave the same for each ACL
- // policy behavior. The difference in behavior applies to @action=allow
- // and @action=deny. For these, in Match on IP and Method mode they are
- // synonyms for @action=add_allow and @action=add_deny because that is
- // how they behaved pre-10.x. For the Match on IP Only behavior, they
- // behave like the corresponding ip_allow actions.
- if (!rp->add_flag && _acl_matching_policy ==
ACLMatchingPolicy::MATCH_ON_IP_ONLY) {
+ // @action=add_allow and @action=add_deny behave the same for legacy
and
+ // modern behavior. The difference in behavior applies to @action=allow
+ // and @action=deny. For these, in legacy mode they are synonyms for
+ // @action=add_allow and @action=add_deny because that is how they
+ // behaved pre-10.x. For modern behavior, they behave like the
+ // corresponding ip_allow actions.
+ if (!rp->add_flag && _acl_behavior_policy ==
ACLBehaviorPolicy::ACL_BEHAVIOR_MODERN) {
// Flipping the action for unspecified methods.
Dbg(dbg_ctl_url_rewrite, "ACL rule matched on IP but not on method,
action: %s, %s the request",
rp->get_action_description(), (rp->allow_flag ? "denying" :
"allowing"));
diff --git a/src/records/RecordsConfig.cc b/src/records/RecordsConfig.cc
index d4dd74eb51..47879359b4 100644
--- a/src/records/RecordsConfig.cc
+++ b/src/records/RecordsConfig.cc
@@ -1068,7 +1068,7 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.url_remap.min_rules_required", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-9]+", RECA_NULL}
,
- {RECT_CONFIG, "proxy.config.url_remap.acl_matching_policy", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
+ {RECT_CONFIG, "proxy.config.url_remap.acl_behavior_policy", RECD_INT, "0",
RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
,
//##############################################################################
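Review bot: The record is renamed in place with no alias for the old name, so a records.yaml that still sets `proxy.config.url_remap.acl_matching_policy` is presumably no longer honoured and the ACL policy falls back to the default "0" (legacy). For an access-control setting, a silent change of effective policy on upgrade is worth calling out. If the old name ever shipped in a release, I would add a comment above the entry such as `// Renamed from proxy.config.url_remap.acl_matching_policy; the old name is not read.` and mention the rename in the upgrade notes. The RecordsConfig array starts and ends outside this hunk.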
diff --git a/tests/gold_tests/ip_allow/ip_category.test.py
b/tests/gold_tests/ip_allow/ip_category.test.py
index b53d7e299d..76a8c1b773 100644
--- a/tests/gold_tests/ip_allow/ip_category.test.py
+++ b/tests/gold_tests/ip_allow/ip_category.test.py
@@ -230,7 +230,7 @@ class Test_ip_category:
'proxy.config.ssl.server.private_key.path':
ts.Variables.SSLDir,
'proxy.config.ssl.client.verify.server.policy': 'PERMISSIVE',
'proxy.config.http.connect_ports':
Test_ip_category._server.Variables.http_port,
- 'proxy.config.url_remap.acl_matching_policy': 1, # TODO:
adjust expected_responses with the default config
+ 'proxy.config.url_remap.acl_behavior_policy': 1, # TODO:
adjust expected_responses with the default config
})
ts.Disk.remap_config.AddLine(
diff --git a/tests/gold_tests/remap/all_acl_combinations.py
b/tests/gold_tests/remap/all_acl_combinations.py
index 6c3ce87ae6..0f76101e47 100644
--- a/tests/gold_tests/remap/all_acl_combinations.py
+++ b/tests/gold_tests/remap/all_acl_combinations.py
@@ -52,94 +52,94 @@ ip_allow:
# yapf: disable
keys = ["index", "policy", "inline", "named_acl", "ip_allow", "GET response",
"POST response"]
all_acl_combinations = [
- [ 0, "ip_and_method", "", "",
ALLOW_GET_AND_POST, 200, 200, ],
- [ 1, "ip_and_method", "", "",
ALLOW_GET, 200, 403, ],
- [ 2, "ip_and_method", "", "",
DENY_GET, 403, 200, ],
- [ 3, "ip_and_method", "", "",
DENY_GET_AND_POST, 403, 403, ],
- [ 4, "ip_and_method", "", "@action=allow
@method=GET", ALLOW_GET_AND_POST, 200, 200, ],
- [ 5, "ip_and_method", "", "@action=allow
@method=GET", ALLOW_GET, 200, 403, ],
- [ 6, "ip_and_method", "", "@action=allow
@method=GET", DENY_GET, 200, 200, ],
- [ 7, "ip_and_method", "", "@action=allow
@method=GET", DENY_GET_AND_POST, 200, 403, ],
- [ 8, "ip_and_method", "", "@action=deny
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
- [ 9, "ip_and_method", "", "@action=deny
@method=GET", ALLOW_GET, 403, 403, ],
- [ 10, "ip_and_method", "", "@action=deny
@method=GET", DENY_GET, 403, 200, ],
- [ 11, "ip_and_method", "", "@action=deny
@method=GET", DENY_GET_AND_POST, 403, 403, ],
- [ 12, "ip_and_method", "@action=allow @method=GET", "",
ALLOW_GET_AND_POST, 200, 200, ],
- [ 13, "ip_and_method", "@action=allow @method=GET", "",
ALLOW_GET, 200, 403, ],
- [ 14, "ip_and_method", "@action=allow @method=GET", "",
DENY_GET, 200, 200, ],
- [ 15, "ip_and_method", "@action=allow @method=GET", "",
DENY_GET_AND_POST, 200, 403, ],
- [ 16, "ip_and_method", "@action=allow @method=GET", "@action=allow
@method=GET", ALLOW_GET_AND_POST, 200, 200, ],
- [ 17, "ip_and_method", "@action=allow @method=GET", "@action=allow
@method=GET", ALLOW_GET, 200, 403, ],
- [ 18, "ip_and_method", "@action=allow @method=GET", "@action=allow
@method=GET", DENY_GET, 200, 200, ],
- [ 19, "ip_and_method", "@action=allow @method=GET", "@action=allow
@method=GET", DENY_GET_AND_POST, 200, 403, ],
- [ 20, "ip_and_method", "@action=allow @method=GET", "@action=deny
@method=GET", ALLOW_GET_AND_POST, 200, 200, ],
- [ 21, "ip_and_method", "@action=allow @method=GET", "@action=deny
@method=GET", ALLOW_GET, 200, 403, ],
- [ 22, "ip_and_method", "@action=allow @method=GET", "@action=deny
@method=GET", DENY_GET, 200, 200, ],
- [ 23, "ip_and_method", "@action=allow @method=GET", "@action=deny
@method=GET", DENY_GET_AND_POST, 200, 403, ],
- [ 24, "ip_and_method", "@action=allow @method=GET", "@action=allow
@method=POST", ALLOW_GET_AND_POST, 200, 200, ],
- [ 25, "ip_and_method", "@action=allow @method=GET", "@action=allow
@method=POST", ALLOW_GET, 200, 200, ],
- [ 26, "ip_and_method", "@action=allow @method=GET", "@action=allow
@method=POST", DENY_GET, 200, 200, ],
- [ 27, "ip_and_method", "@action=allow @method=GET", "@action=allow
@method=POST", DENY_GET_AND_POST, 200, 200, ],
- [ 28, "ip_and_method", "@action=allow @method=GET", "@action=deny
@method=POST", ALLOW_GET_AND_POST, 200, 403, ],
- [ 29, "ip_and_method", "@action=allow @method=GET", "@action=deny
@method=POST", ALLOW_GET, 200, 403, ],
- [ 30, "ip_and_method", "@action=allow @method=GET", "@action=deny
@method=POST", DENY_GET, 200, 403, ],
- [ 31, "ip_and_method", "@action=allow @method=GET", "@action=deny
@method=POST", DENY_GET_AND_POST, 200, 403, ],
- [ 32, "ip_and_method", "@action=deny @method=GET", "",
ALLOW_GET_AND_POST, 403, 200, ],
- [ 33, "ip_and_method", "@action=deny @method=GET", "",
ALLOW_GET, 403, 403, ],
- [ 34, "ip_and_method", "@action=deny @method=GET", "",
DENY_GET, 403, 200, ],
- [ 35, "ip_and_method", "@action=deny @method=GET", "",
DENY_GET_AND_POST, 403, 403, ],
- [ 36, "ip_and_method", "@action=deny @method=GET", "@action=allow
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
- [ 37, "ip_and_method", "@action=deny @method=GET", "@action=allow
@method=GET", ALLOW_GET, 403, 403, ],
- [ 38, "ip_and_method", "@action=deny @method=GET", "@action=allow
@method=GET", DENY_GET, 403, 200, ],
- [ 39, "ip_and_method", "@action=deny @method=GET", "@action=allow
@method=GET", DENY_GET_AND_POST, 403, 403, ],
- [ 40, "ip_and_method", "@action=deny @method=GET", "@action=deny
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
- [ 41, "ip_and_method", "@action=deny @method=GET", "@action=deny
@method=GET", ALLOW_GET, 403, 403, ],
- [ 42, "ip_and_method", "@action=deny @method=GET", "@action=deny
@method=GET", DENY_GET, 403, 200, ],
- [ 43, "ip_and_method", "@action=deny @method=GET", "@action=deny
@method=GET", DENY_GET_AND_POST, 403, 403, ],
- [ 44, "ip_and_method", "@action=deny @method=GET", "@action=allow
@method=POST", ALLOW_GET_AND_POST, 403, 200, ],
- [ 45, "ip_and_method", "@action=deny @method=GET", "@action=allow
@method=POST", ALLOW_GET, 403, 200, ],
- [ 46, "ip_and_method", "@action=deny @method=GET", "@action=allow
@method=POST", DENY_GET, 403, 200, ],
- [ 47, "ip_and_method", "@action=deny @method=GET", "@action=allow
@method=POST", DENY_GET_AND_POST, 403, 200, ],
- [ 48, "ip_and_method", "@action=deny @method=GET", "@action=deny
@method=POST", ALLOW_GET_AND_POST, 403, 403, ],
- [ 49, "ip_and_method", "@action=deny @method=GET", "@action=deny
@method=POST", ALLOW_GET, 403, 403, ],
- [ 50, "ip_and_method", "@action=deny @method=GET", "@action=deny
@method=POST", DENY_GET, 403, 403, ],
- [ 51, "ip_and_method", "@action=deny @method=GET", "@action=deny
@method=POST", DENY_GET_AND_POST, 403, 403, ],
- [ 52, "ip_only", "", "",
ALLOW_GET_AND_POST, 200, 200, ],
- [ 53, "ip_only", "", "",
ALLOW_GET, 200, 403, ],
- [ 54, "ip_only", "", "",
DENY_GET, 403, 200, ],
- [ 55, "ip_only", "", "",
DENY_GET_AND_POST, 403, 403, ],
- [ 56, "ip_only", "",
"@action=set_allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ],
- [ 57, "ip_only", "",
"@action=set_allow @method=GET", ALLOW_GET, 200, 403, ],
- [ 58, "ip_only", "",
"@action=set_allow @method=GET", DENY_GET, 200, 403, ],
- [ 59, "ip_only", "",
"@action=set_allow @method=GET", DENY_GET_AND_POST, 200, 403, ],
- [ 60, "ip_only", "", "@action=set_deny
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
- [ 61, "ip_only", "", "@action=set_deny
@method=GET", ALLOW_GET, 403, 200, ],
- [ 62, "ip_only", "", "@action=set_deny
@method=GET", DENY_GET, 403, 200, ],
- [ 63, "ip_only", "", "@action=set_deny
@method=GET", DENY_GET_AND_POST, 403, 200, ],
- [ 64, "ip_only", "@action=set_allow @method=GET", "",
ALLOW_GET_AND_POST, 200, 403, ],
- [ 65, "ip_only", "@action=set_allow @method=GET", "",
ALLOW_GET, 200, 403, ],
- [ 66, "ip_only", "@action=set_allow @method=GET", "",
DENY_GET, 200, 403, ],
- [ 67, "ip_only", "@action=set_allow @method=GET", "",
DENY_GET_AND_POST, 200, 403, ],
- [ 68, "ip_only", "@action=set_allow @method=GET",
"@action=set_allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ],
- [ 69, "ip_only", "@action=set_allow @method=GET",
"@action=set_allow @method=GET", ALLOW_GET, 200, 403, ],
- [ 70, "ip_only", "@action=set_allow @method=GET",
"@action=set_allow @method=GET", DENY_GET, 200, 403, ],
- [ 71, "ip_only", "@action=set_allow @method=GET",
"@action=set_allow @method=GET", DENY_GET_AND_POST, 200, 403, ],
- [ 72, "ip_only", "@action=set_allow @method=GET", "@action=set_deny
@method=GET", ALLOW_GET_AND_POST, 200, 403, ],
- [ 73, "ip_only", "@action=set_allow @method=GET", "@action=set_deny
@method=GET", ALLOW_GET, 200, 403, ],
- [ 74, "ip_only", "@action=set_allow @method=GET", "@action=set_deny
@method=GET", DENY_GET, 200, 403, ],
- [ 75, "ip_only", "@action=set_allow @method=GET", "@action=set_deny
@method=GET", DENY_GET_AND_POST, 200, 403, ],
- [ 76, "ip_only", "@action=set_deny @method=GET", "",
ALLOW_GET_AND_POST, 403, 200, ],
- [ 77, "ip_only", "@action=set_deny @method=GET", "",
ALLOW_GET, 403, 200, ],
- [ 78, "ip_only", "@action=set_deny @method=GET", "",
DENY_GET, 403, 200, ],
- [ 79, "ip_only", "@action=set_deny @method=GET", "",
DENY_GET_AND_POST, 403, 200, ],
- [ 80, "ip_only", "@action=set_deny @method=GET",
"@action=set_allow @method=GET", ALLOW_GET_AND_POST, 403, 200, ],
- [ 81, "ip_only", "@action=set_deny @method=GET",
"@action=set_allow @method=GET", ALLOW_GET, 403, 200, ],
- [ 82, "ip_only", "@action=set_deny @method=GET",
"@action=set_allow @method=GET", DENY_GET, 403, 200, ],
- [ 83, "ip_only", "@action=set_deny @method=GET",
"@action=set_allow @method=GET", DENY_GET_AND_POST, 403, 200, ],
- [ 84, "ip_only", "@action=set_deny @method=GET", "@action=set_deny
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
- [ 85, "ip_only", "@action=set_deny @method=GET", "@action=set_deny
@method=GET", ALLOW_GET, 403, 200, ],
- [ 86, "ip_only", "@action=set_deny @method=GET", "@action=set_deny
@method=GET", DENY_GET, 403, 200, ],
- [ 87, "ip_only", "@action=set_deny @method=GET", "@action=set_deny
@method=GET", DENY_GET_AND_POST, 403, 200, ],
+ [ 0, "legacy", "", "",
ALLOW_GET_AND_POST, 200, 200, ],
+ [ 1, "legacy", "", "",
ALLOW_GET, 200, 403, ],
+ [ 2, "legacy", "", "",
DENY_GET, 403, 200, ],
+ [ 3, "legacy", "", "",
DENY_GET_AND_POST, 403, 403, ],
+ [ 4, "legacy", "", "@action=allow
@method=GET", ALLOW_GET_AND_POST, 200, 200, ],
+ [ 5, "legacy", "", "@action=allow
@method=GET", ALLOW_GET, 200, 403, ],
+ [ 6, "legacy", "", "@action=allow
@method=GET", DENY_GET, 200, 200, ],
+ [ 7, "legacy", "", "@action=allow
@method=GET", DENY_GET_AND_POST, 200, 403, ],
+ [ 8, "legacy", "", "@action=deny
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
+ [ 9, "legacy", "", "@action=deny
@method=GET", ALLOW_GET, 403, 403, ],
+ [ 10, "legacy", "", "@action=deny
@method=GET", DENY_GET, 403, 200, ],
+ [ 11, "legacy", "", "@action=deny
@method=GET", DENY_GET_AND_POST, 403, 403, ],
+ [ 12, "legacy", "@action=allow @method=GET", "",
ALLOW_GET_AND_POST, 200, 200, ],
+ [ 13, "legacy", "@action=allow @method=GET", "",
ALLOW_GET, 200, 403, ],
+ [ 14, "legacy", "@action=allow @method=GET", "",
DENY_GET, 200, 200, ],
+ [ 15, "legacy", "@action=allow @method=GET", "",
DENY_GET_AND_POST, 200, 403, ],
+ [ 16, "legacy", "@action=allow @method=GET", "@action=allow
@method=GET", ALLOW_GET_AND_POST, 200, 200, ],
+ [ 17, "legacy", "@action=allow @method=GET", "@action=allow
@method=GET", ALLOW_GET, 200, 403, ],
+ [ 18, "legacy", "@action=allow @method=GET", "@action=allow
@method=GET", DENY_GET, 200, 200, ],
+ [ 19, "legacy", "@action=allow @method=GET", "@action=allow
@method=GET", DENY_GET_AND_POST, 200, 403, ],
+ [ 20, "legacy", "@action=allow @method=GET", "@action=deny
@method=GET", ALLOW_GET_AND_POST, 200, 200, ],
+ [ 21, "legacy", "@action=allow @method=GET", "@action=deny
@method=GET", ALLOW_GET, 200, 403, ],
+ [ 22, "legacy", "@action=allow @method=GET", "@action=deny
@method=GET", DENY_GET, 200, 200, ],
+ [ 23, "legacy", "@action=allow @method=GET", "@action=deny
@method=GET", DENY_GET_AND_POST, 200, 403, ],
+ [ 24, "legacy", "@action=allow @method=GET", "@action=allow
@method=POST", ALLOW_GET_AND_POST, 200, 200, ],
+ [ 25, "legacy", "@action=allow @method=GET", "@action=allow
@method=POST", ALLOW_GET, 200, 200, ],
+ [ 26, "legacy", "@action=allow @method=GET", "@action=allow
@method=POST", DENY_GET, 200, 200, ],
+ [ 27, "legacy", "@action=allow @method=GET", "@action=allow
@method=POST", DENY_GET_AND_POST, 200, 200, ],
+ [ 28, "legacy", "@action=allow @method=GET", "@action=deny
@method=POST", ALLOW_GET_AND_POST, 200, 403, ],
+ [ 29, "legacy", "@action=allow @method=GET", "@action=deny
@method=POST", ALLOW_GET, 200, 403, ],
+ [ 30, "legacy", "@action=allow @method=GET", "@action=deny
@method=POST", DENY_GET, 200, 403, ],
+ [ 31, "legacy", "@action=allow @method=GET", "@action=deny
@method=POST", DENY_GET_AND_POST, 200, 403, ],
+ [ 32, "legacy", "@action=deny @method=GET", "",
ALLOW_GET_AND_POST, 403, 200, ],
+ [ 33, "legacy", "@action=deny @method=GET", "",
ALLOW_GET, 403, 403, ],
+ [ 34, "legacy", "@action=deny @method=GET", "",
DENY_GET, 403, 200, ],
+ [ 35, "legacy", "@action=deny @method=GET", "",
DENY_GET_AND_POST, 403, 403, ],
+ [ 36, "legacy", "@action=deny @method=GET", "@action=allow
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
+ [ 37, "legacy", "@action=deny @method=GET", "@action=allow
@method=GET", ALLOW_GET, 403, 403, ],
+ [ 38, "legacy", "@action=deny @method=GET", "@action=allow
@method=GET", DENY_GET, 403, 200, ],
+ [ 39, "legacy", "@action=deny @method=GET", "@action=allow
@method=GET", DENY_GET_AND_POST, 403, 403, ],
+ [ 40, "legacy", "@action=deny @method=GET", "@action=deny
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
+ [ 41, "legacy", "@action=deny @method=GET", "@action=deny
@method=GET", ALLOW_GET, 403, 403, ],
+ [ 42, "legacy", "@action=deny @method=GET", "@action=deny
@method=GET", DENY_GET, 403, 200, ],
+ [ 43, "legacy", "@action=deny @method=GET", "@action=deny
@method=GET", DENY_GET_AND_POST, 403, 403, ],
+ [ 44, "legacy", "@action=deny @method=GET", "@action=allow
@method=POST", ALLOW_GET_AND_POST, 403, 200, ],
+ [ 45, "legacy", "@action=deny @method=GET", "@action=allow
@method=POST", ALLOW_GET, 403, 200, ],
+ [ 46, "legacy", "@action=deny @method=GET", "@action=allow
@method=POST", DENY_GET, 403, 200, ],
+ [ 47, "legacy", "@action=deny @method=GET", "@action=allow
@method=POST", DENY_GET_AND_POST, 403, 200, ],
+ [ 48, "legacy", "@action=deny @method=GET", "@action=deny
@method=POST", ALLOW_GET_AND_POST, 403, 403, ],
+ [ 49, "legacy", "@action=deny @method=GET", "@action=deny
@method=POST", ALLOW_GET, 403, 403, ],
+ [ 50, "legacy", "@action=deny @method=GET", "@action=deny
@method=POST", DENY_GET, 403, 403, ],
+ [ 51, "legacy", "@action=deny @method=GET", "@action=deny
@method=POST", DENY_GET_AND_POST, 403, 403, ],
+ [ 52, "modern", "", "",
ALLOW_GET_AND_POST, 200, 200, ],
+ [ 53, "modern", "", "",
ALLOW_GET, 200, 403, ],
+ [ 54, "modern", "", "",
DENY_GET, 403, 200, ],
+ [ 55, "modern", "", "",
DENY_GET_AND_POST, 403, 403, ],
+ [ 56, "modern", "", "@action=set_allow
@method=GET", ALLOW_GET_AND_POST, 200, 403, ],
+ [ 57, "modern", "", "@action=set_allow
@method=GET", ALLOW_GET, 200, 403, ],
+ [ 58, "modern", "", "@action=set_allow
@method=GET", DENY_GET, 200, 403, ],
+ [ 59, "modern", "", "@action=set_allow
@method=GET", DENY_GET_AND_POST, 200, 403, ],
+ [ 60, "modern", "", "@action=set_deny
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
+ [ 61, "modern", "", "@action=set_deny
@method=GET", ALLOW_GET, 403, 200, ],
+ [ 62, "modern", "", "@action=set_deny
@method=GET", DENY_GET, 403, 200, ],
+ [ 63, "modern", "", "@action=set_deny
@method=GET", DENY_GET_AND_POST, 403, 200, ],
+ [ 64, "modern", "@action=set_allow @method=GET", "",
ALLOW_GET_AND_POST, 200, 403, ],
+ [ 65, "modern", "@action=set_allow @method=GET", "",
ALLOW_GET, 200, 403, ],
+ [ 66, "modern", "@action=set_allow @method=GET", "",
DENY_GET, 200, 403, ],
+ [ 67, "modern", "@action=set_allow @method=GET", "",
DENY_GET_AND_POST, 200, 403, ],
+ [ 68, "modern", "@action=set_allow @method=GET", "@action=set_allow
@method=GET", ALLOW_GET_AND_POST, 200, 403, ],
+ [ 69, "modern", "@action=set_allow @method=GET", "@action=set_allow
@method=GET", ALLOW_GET, 200, 403, ],
+ [ 70, "modern", "@action=set_allow @method=GET", "@action=set_allow
@method=GET", DENY_GET, 200, 403, ],
+ [ 71, "modern", "@action=set_allow @method=GET", "@action=set_allow
@method=GET", DENY_GET_AND_POST, 200, 403, ],
+ [ 72, "modern", "@action=set_allow @method=GET", "@action=set_deny
@method=GET", ALLOW_GET_AND_POST, 200, 403, ],
+ [ 73, "modern", "@action=set_allow @method=GET", "@action=set_deny
@method=GET", ALLOW_GET, 200, 403, ],
+ [ 74, "modern", "@action=set_allow @method=GET", "@action=set_deny
@method=GET", DENY_GET, 200, 403, ],
+ [ 75, "modern", "@action=set_allow @method=GET", "@action=set_deny
@method=GET", DENY_GET_AND_POST, 200, 403, ],
+ [ 76, "modern", "@action=set_deny @method=GET", "",
ALLOW_GET_AND_POST, 403, 200, ],
+ [ 77, "modern", "@action=set_deny @method=GET", "",
ALLOW_GET, 403, 200, ],
+ [ 78, "modern", "@action=set_deny @method=GET", "",
DENY_GET, 403, 200, ],
+ [ 79, "modern", "@action=set_deny @method=GET", "",
DENY_GET_AND_POST, 403, 200, ],
+ [ 80, "modern", "@action=set_deny @method=GET", "@action=set_allow
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
+ [ 81, "modern", "@action=set_deny @method=GET", "@action=set_allow
@method=GET", ALLOW_GET, 403, 200, ],
+ [ 82, "modern", "@action=set_deny @method=GET", "@action=set_allow
@method=GET", DENY_GET, 403, 200, ],
+ [ 83, "modern", "@action=set_deny @method=GET", "@action=set_allow
@method=GET", DENY_GET_AND_POST, 403, 200, ],
+ [ 84, "modern", "@action=set_deny @method=GET", "@action=set_deny
@method=GET", ALLOW_GET_AND_POST, 403, 200, ],
+ [ 85, "modern", "@action=set_deny @method=GET", "@action=set_deny
@method=GET", ALLOW_GET, 403, 200, ],
+ [ 86, "modern", "@action=set_deny @method=GET", "@action=set_deny
@method=GET", DENY_GET, 403, 200, ],
+ [ 87, "modern", "@action=set_deny @method=GET", "@action=set_deny
@method=GET", DENY_GET_AND_POST, 403, 200, ],
]
# yapf: enable
diff --git a/tests/gold_tests/remap/deactivate_ip_allow.py
b/tests/gold_tests/remap/deactivate_ip_allow.py
index 7cfabcbc42..12763bc1ed 100644
--- a/tests/gold_tests/remap/deactivate_ip_allow.py
+++ b/tests/gold_tests/remap/deactivate_ip_allow.py
@@ -61,58 +61,58 @@ ip_allow:
# yapf: disable
keys = ["index", "policy", "inline", "named_acl", "deactivate_ip_allow",
"ip_allow", "GET response", "POST response"]
deactivate_ip_allow_combinations = [
- [ 0, "ip_and_method", "", "", False,
ALLOW_GET_AND_POST, 200, 200, ],
- [ 1, "ip_and_method", "", "", False,
ALLOW_GET, 200, 403, ],
- [ 2, "ip_and_method", "", "", False, DENY_GET,
403, 200, ],
- [ 3, "ip_and_method", "", "", False,
DENY_GET_AND_POST, 403, 403, ],
- [ 4, "ip_and_method", "", "", False, DENY_ALL,
None, None, ],
- [ 5, "ip_and_method", "", "", True,
ALLOW_GET_AND_POST, 200, 200, ],
- [ 6, "ip_and_method", "", "", True,
ALLOW_GET, 200, 200, ],
- [ 7, "ip_and_method", "", "", True, DENY_GET,
200, 200, ],
- [ 8, "ip_and_method", "", "", True,
DENY_GET_AND_POST, 200, 200, ],
- [ 9, "ip_and_method", "", "", True, DENY_ALL,
200, 200, ],
- [ 10, "ip_and_method", "@action=allow @method=GET", "", False,
ALLOW_GET_AND_POST, 200, 200, ],
- [ 11, "ip_and_method", "@action=allow @method=GET", "", False,
ALLOW_GET, 200, 403, ],
- [ 12, "ip_and_method", "@action=allow @method=GET", "", False, DENY_GET,
200, 200, ],
- [ 13, "ip_and_method", "@action=allow @method=GET", "", False,
DENY_GET_AND_POST, 200, 403, ],
- [ 14, "ip_and_method", "@action=allow @method=GET", "", False, DENY_ALL,
None, None, ],
- [ 15, "ip_and_method", "@action=allow @method=GET", "", True,
ALLOW_GET_AND_POST, 200, 200, ],
- [ 16, "ip_and_method", "@action=allow @method=GET", "", True,
ALLOW_GET, 200, 200, ],
- [ 17, "ip_and_method", "@action=allow @method=GET", "", True, DENY_GET,
200, 200, ],
- [ 18, "ip_and_method", "@action=allow @method=GET", "", True,
DENY_GET_AND_POST, 200, 200, ],
- [ 19, "ip_and_method", "@action=allow @method=GET", "", True, DENY_ALL,
200, 200, ],
- [ 20, "ip_and_method", "@action=deny @method=GET", "", False,
ALLOW_GET_AND_POST, 403, 200, ],
- [ 21, "ip_and_method", "@action=deny @method=GET", "", False,
ALLOW_GET, 403, 403, ],
- [ 22, "ip_and_method", "@action=deny @method=GET", "", False, DENY_GET,
403, 200, ],
- [ 23, "ip_and_method", "@action=deny @method=GET", "", False,
DENY_GET_AND_POST, 403, 403, ],
- [ 24, "ip_and_method", "@action=deny @method=GET", "", False, DENY_ALL,
None, None, ],
- [ 25, "ip_and_method", "@action=deny @method=GET", "", True,
ALLOW_GET_AND_POST, 403, 200, ],
- [ 26, "ip_and_method", "@action=deny @method=GET", "", True,
ALLOW_GET, 403, 200, ],
- [ 27, "ip_and_method", "@action=deny @method=GET", "", True, DENY_GET,
403, 200, ],
- [ 28, "ip_and_method", "@action=deny @method=GET", "", True,
DENY_GET_AND_POST, 403, 200, ],
- [ 29, "ip_and_method", "@action=deny @method=GET", "", True, DENY_ALL,
403, 200, ],
+ [ 0, "legacy", "", "", False,
ALLOW_GET_AND_POST, 200, 200, ],
+ [ 1, "legacy", "", "", False, ALLOW_GET,
200, 403, ],
+ [ 2, "legacy", "", "", False, DENY_GET,
403, 200, ],
+ [ 3, "legacy", "", "", False,
DENY_GET_AND_POST, 403, 403, ],
+ [ 4, "legacy", "", "", False, DENY_ALL,
None, None, ],
+ [ 5, "legacy", "", "", True,
ALLOW_GET_AND_POST, 200, 200, ],
+ [ 6, "legacy", "", "", True, ALLOW_GET,
200, 200, ],
+ [ 7, "legacy", "", "", True, DENY_GET,
200, 200, ],
+ [ 8, "legacy", "", "", True,
DENY_GET_AND_POST, 200, 200, ],
+ [ 9, "legacy", "", "", True, DENY_ALL,
200, 200, ],
+ [ 10, "legacy", "@action=allow @method=GET", "", False,
ALLOW_GET_AND_POST, 200, 200, ],
+ [ 11, "legacy", "@action=allow @method=GET", "", False, ALLOW_GET,
200, 403, ],
+ [ 12, "legacy", "@action=allow @method=GET", "", False, DENY_GET,
200, 200, ],
+ [ 13, "legacy", "@action=allow @method=GET", "", False,
DENY_GET_AND_POST, 200, 403, ],
+ [ 14, "legacy", "@action=allow @method=GET", "", False, DENY_ALL,
None, None, ],
+ [ 15, "legacy", "@action=allow @method=GET", "", True,
ALLOW_GET_AND_POST, 200, 200, ],
+ [ 16, "legacy", "@action=allow @method=GET", "", True, ALLOW_GET,
200, 200, ],
+ [ 17, "legacy", "@action=allow @method=GET", "", True, DENY_GET,
200, 200, ],
+ [ 18, "legacy", "@action=allow @method=GET", "", True,
DENY_GET_AND_POST, 200, 200, ],
+ [ 19, "legacy", "@action=allow @method=GET", "", True, DENY_ALL,
200, 200, ],
+ [ 20, "legacy", "@action=deny @method=GET", "", False,
ALLOW_GET_AND_POST, 403, 200, ],
+ [ 21, "legacy", "@action=deny @method=GET", "", False, ALLOW_GET,
403, 403, ],
+ [ 22, "legacy", "@action=deny @method=GET", "", False, DENY_GET,
403, 200, ],
+ [ 23, "legacy", "@action=deny @method=GET", "", False,
DENY_GET_AND_POST, 403, 403, ],
+ [ 24, "legacy", "@action=deny @method=GET", "", False, DENY_ALL,
None, None, ],
+ [ 25, "legacy", "@action=deny @method=GET", "", True,
ALLOW_GET_AND_POST, 403, 200, ],
+ [ 26, "legacy", "@action=deny @method=GET", "", True, ALLOW_GET,
403, 200, ],
+ [ 27, "legacy", "@action=deny @method=GET", "", True, DENY_GET,
403, 200, ],
+ [ 28, "legacy", "@action=deny @method=GET", "", True,
DENY_GET_AND_POST, 403, 200, ],
+ [ 29, "legacy", "@action=deny @method=GET", "", True, DENY_ALL,
403, 200, ],
- # Verify in ip_and_method mode that add_allow acts just like allow, and
add_deny acts just like deny.
- [ 30, "ip_and_method", "@action=add_allow @method=GET", "", False,
ALLOW_GET_AND_POST, 200, 200, ],
- [ 31, "ip_and_method", "@action=add_allow @method=GET", "", False,
ALLOW_GET, 200, 403, ],
- [ 32, "ip_and_method", "@action=add_allow @method=GET", "", False,
DENY_GET, 200, 200, ],
- [ 33, "ip_and_method", "@action=add_allow @method=GET", "", False,
DENY_GET_AND_POST, 200, 403, ],
- [ 34, "ip_and_method", "@action=add_allow @method=GET", "", False,
DENY_ALL, None, None, ],
- [ 35, "ip_and_method", "@action=add_allow @method=GET", "", True,
ALLOW_GET_AND_POST, 200, 200, ],
- [ 36, "ip_and_method", "@action=add_allow @method=GET", "", True,
ALLOW_GET, 200, 200, ],
- [ 37, "ip_and_method", "@action=add_allow @method=GET", "", True,
DENY_GET, 200, 200, ],
- [ 38, "ip_and_method", "@action=add_allow @method=GET", "", True,
DENY_GET_AND_POST, 200, 200, ],
- [ 39, "ip_and_method", "@action=add_allow @method=GET", "", True,
DENY_ALL, 200, 200, ],
- [ 40, "ip_and_method", "@action=add_deny @method=GET", "", False,
ALLOW_GET_AND_POST, 403, 200, ],
- [ 41, "ip_and_method", "@action=add_deny @method=GET", "", False,
ALLOW_GET, 403, 403, ],
- [ 42, "ip_and_method", "@action=add_deny @method=GET", "", False,
DENY_GET, 403, 200, ],
- [ 43, "ip_and_method", "@action=add_deny @method=GET", "", False,
DENY_GET_AND_POST, 403, 403, ],
- [ 44, "ip_and_method", "@action=add_deny @method=GET", "", False,
DENY_ALL, None, None, ],
- [ 45, "ip_and_method", "@action=add_deny @method=GET", "", True,
ALLOW_GET_AND_POST, 403, 200, ],
- [ 46, "ip_and_method", "@action=add_deny @method=GET", "", True,
ALLOW_GET, 403, 200, ],
- [ 47, "ip_and_method", "@action=add_deny @method=GET", "", True,
DENY_GET, 403, 200, ],
- [ 48, "ip_and_method", "@action=add_deny @method=GET", "", True,
DENY_GET_AND_POST, 403, 200, ],
- [ 49, "ip_and_method", "@action=add_deny @method=GET", "", True,
DENY_ALL, 403, 200, ],
+ # Verify in legacy mode that add_allow acts just like allow, and add_deny
acts just like deny.
+ [ 30, "legacy", "@action=add_allow @method=GET", "", False,
ALLOW_GET_AND_POST, 200, 200, ],
+ [ 31, "legacy", "@action=add_allow @method=GET", "", False, ALLOW_GET,
200, 403, ],
+ [ 32, "legacy", "@action=add_allow @method=GET", "", False, DENY_GET,
200, 200, ],
+ [ 33, "legacy", "@action=add_allow @method=GET", "", False,
DENY_GET_AND_POST, 200, 403, ],
+ [ 34, "legacy", "@action=add_allow @method=GET", "", False, DENY_ALL,
None, None, ],
+ [ 35, "legacy", "@action=add_allow @method=GET", "", True,
ALLOW_GET_AND_POST, 200, 200, ],
+ [ 36, "legacy", "@action=add_allow @method=GET", "", True, ALLOW_GET,
200, 200, ],
+ [ 37, "legacy", "@action=add_allow @method=GET", "", True, DENY_GET,
200, 200, ],
+ [ 38, "legacy", "@action=add_allow @method=GET", "", True,
DENY_GET_AND_POST, 200, 200, ],
+ [ 39, "legacy", "@action=add_allow @method=GET", "", True, DENY_ALL,
200, 200, ],
+ [ 40, "legacy", "@action=add_deny @method=GET", "", False,
ALLOW_GET_AND_POST, 403, 200, ],
+ [ 41, "legacy", "@action=add_deny @method=GET", "", False, ALLOW_GET,
403, 403, ],
+ [ 42, "legacy", "@action=add_deny @method=GET", "", False, DENY_GET,
403, 200, ],
+ [ 43, "legacy", "@action=add_deny @method=GET", "", False,
DENY_GET_AND_POST, 403, 403, ],
+ [ 44, "legacy", "@action=add_deny @method=GET", "", False, DENY_ALL,
None, None, ],
+ [ 45, "legacy", "@action=add_deny @method=GET", "", True,
ALLOW_GET_AND_POST, 403, 200, ],
+ [ 46, "legacy", "@action=add_deny @method=GET", "", True, ALLOW_GET,
403, 200, ],
+ [ 47, "legacy", "@action=add_deny @method=GET", "", True, DENY_GET,
403, 200, ],
+ [ 48, "legacy", "@action=add_deny @method=GET", "", True,
DENY_GET_AND_POST, 403, 200, ],
+ [ 49, "legacy", "@action=add_deny @method=GET", "", True, DENY_ALL,
403, 200, ],
]
all_deactivate_ip_allow_tests = [dict(zip(keys, test)) for test in
deactivate_ip_allow_combinations]
# yapf: enable
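Review bot: After the rename, every row of `deactivate_ip_allow_combinations` is tagged "legacy", so this table does not exercise `deactivate_ip_allow` under the modern policy at all. The commit message says legacy is deprecated and will be removed in 11.x, and this is the table that checks whether turning off ip_allow for a remap rule lets otherwise denied requests through. I would at least leave a marker above the list, e.g. `# TODO: add "modern" rows (set_allow/set_deny, add_allow/add_deny) before legacy is removed in 11.x.`, unless another test outside this diff already covers that combination.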
diff --git a/tests/gold_tests/remap/remap_acl.test.py
b/tests/gold_tests/remap/remap_acl.test.py
index 9115723ee5..d70f6655e9 100644
--- a/tests/gold_tests/remap/remap_acl.test.py
+++ b/tests/gold_tests/remap/remap_acl.test.py
@@ -37,7 +37,7 @@ class Test_remap_acl:
_client_counter: int = 0
def __init__(
- self, name: str, replay_file: str, ip_allow_content: str,
deactivate_ip_allow: bool, acl_matching_policy: int,
+ self, name: str, replay_file: str, ip_allow_content: str,
deactivate_ip_allow: bool, acl_behavior_policy: int,
acl_configuration: str, named_acls: List[Tuple[str, str]],
expected_responses: List[int]):
"""Initialize the test.
@@ -52,7 +52,7 @@ class Test_remap_acl:
self._replay_file = replay_file
self._ip_allow_content = ip_allow_content
self._deactivate_ip_allow = deactivate_ip_allow
- self._acl_matching_policy = acl_matching_policy
+ self._acl_behavior_policy = acl_behavior_policy
self._acl_configuration = acl_configuration
self._named_acls = named_acls
self._expected_responses = expected_responses
@@ -89,7 +89,7 @@ class Test_remap_acl:
'proxy.config.diags.debug.tags': 'http|url|remap|ip_allow',
'proxy.config.http.push_method_enabled': 1,
'proxy.config.http.connect_ports':
self._server.Variables.http_port,
- 'proxy.config.url_remap.acl_matching_policy':
self._acl_matching_policy,
+ 'proxy.config.url_remap.acl_behavior_policy':
self._acl_behavior_policy,
})
remap_config_lines = []
@@ -164,7 +164,7 @@ class Test_old_action:
{
'proxy.config.diags.debug.enabled': 1,
'proxy.config.diags.debug.tags': 'http|url|remap|ip_allow',
- 'proxy.config.url_remap.acl_matching_policy': 1,
+ 'proxy.config.url_remap.acl_behavior_policy': 1,
})
ts.Disk.remap_config.AddLine(f'map / http://127.0.0.1:8080
{acl_filter}')
@@ -236,7 +236,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip=127.0.0.1 @method=GET
@method=POST',
named_acls=[],
expected_responses=[200, 200, 403, 403, 403])
@@ -246,7 +246,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=add_allow @src_ip=127.0.0.1 @method=POST',
named_acls=[],
expected_responses=[200, 200, 403, 403, 403])
@@ -256,7 +256,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=add_allow @src_ip=127.0.0.1 @method=GET
@method=POST',
named_acls=[],
expected_responses=[200, 200, 403, 403, 403])
@@ -266,7 +266,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip=1.2.3.4 @method=GET
@method=POST',
named_acls=[],
expected_responses=[200, 403, 403, 403, 403])
@@ -276,7 +276,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip=all @method=GET @method=POST',
named_acls=[],
expected_responses=[200, 200, 403, 403, 403])
@@ -286,7 +286,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip_category=ACME_LOCAL
@method=GET @method=POST',
named_acls=[],
expected_responses=[200, 200, 403, 403, 403])
@@ -296,7 +296,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @method=GET @method=POST',
named_acls=[],
expected_responses=[200, 200, 403, 403, 403])
@@ -306,7 +306,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_denied.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_deny @src_ip=127.0.0.1 @method=GET
@method=POST',
named_acls=[],
expected_responses=[403, 403, 200, 200, 400])
@@ -316,7 +316,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_all_denied.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=add_deny @src_ip=127.0.0.1 @method=GET',
named_acls=[],
expected_responses=[403, 403, 403, 403, 403])
@@ -326,7 +326,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_all_denied.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip=1.2.3.4 @method=GET
@method=POST',
named_acls=[('deny', '@action=set_deny')],
expected_responses=[403, 403, 403, 403, 403])
@@ -336,7 +336,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_all_denied.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip=~127.0.0.1 @method=GET
@method=POST',
named_acls=[('deny', '@action=set_deny')],
expected_responses=[403, 403, 403, 403, 403])
@@ -346,7 +346,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip=~3.4.5.6 @method=GET
@method=POST',
named_acls=[('deny', '@action=set_deny')],
expected_responses=[200, 200, 403, 403, 403])
@@ -356,7 +356,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_all_denied.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip_category=~ACME_LOCAL
@method=GET @method=POST',
named_acls=[('deny', '@action=set_deny')],
expected_responses=[403, 403, 403, 403, 403])
@@ -366,7 +366,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip_category=~ACME_EXTERNAL
@method=GET @method=POST',
named_acls=[('deny', '@action=set_deny')],
expected_responses=[200, 200, 403, 403, 403])
@@ -376,7 +376,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_all_denied.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
# The rule will not match because, while @src_ip matches, @src_ip_category
does not.
acl_configuration='@action=set_allow @src_ip=127.0.0.1
@src_ip_category=ACME_EXTERNAL @method=GET @method=POST',
# Therefore, this named deny filter will block.
@@ -388,7 +388,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip=127.0.0.1 @method=GET
@method=POST',
named_acls=[('deny', '@action=set_deny')],
expected_responses=[200, 200, 403, 403, 403])
@@ -398,7 +398,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @src_ip=127.0.0.1 @method=GET
@method=POST',
named_acls=[],
expected_responses=[200, 200, 403, 403, 403])
@@ -408,7 +408,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_all_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=True,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
# This won't match, so nothing will match since ip_allow.yaml is off.
acl_configuration='@action=set_allow @src_ip=1.2.3.4 @method=GET
@method=POST',
named_acls=[],
@@ -420,7 +420,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_post_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @in_ip=127.0.0.1 @method=GET
@method=POST',
named_acls=[],
expected_responses=[200, 200, 403, 403, 403])
@@ -430,7 +430,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
replay_file='remap_acl_get_allowed.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='@action=set_allow @in_ip=3.4.5.6 @method=GET
@method=POST',
named_acls=[],
expected_responses=[200, 403, 403, 403, 403])
@@ -440,7 +440,7 @@ test_named_acl_deny = Test_remap_acl(
replay_file='deny_head_post.replay.yaml',
ip_allow_content=IP_ALLOW_CONTENT,
deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
acl_configuration='',
named_acls=[('deny', '@action=set_deny @method=HEAD @method=POST')],
expected_responses=[200, 403, 403, 403])
@@ -488,7 +488,7 @@ for idx, test in enumerate(all_acl_combination_tests):
replay_file=replay_file_name,
ip_allow_content=test["ip_allow"],
deactivate_ip_allow=False,
- acl_matching_policy=0 if test["policy"] == "ip_and_method" else 1,
+ acl_behavior_policy=0 if test["policy"] == "legacy" else 1,
acl_configuration=test["inline"],
named_acls=[("acl", test["named_acl"])] if test["named_acl"] != ""
else [],
expected_responses=[test["GET response"], test["POST response"]],
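Review bot: In the added `acl_behavior_policy=0 if test["policy"] == "legacy" else 1`, any policy label other than the exact string "legacy" silently selects policy 1. That includes a typo, or a table row still carrying the pre-rename "ip_and_method" label, so an ACL allow/deny case could be checked against the wrong behavior without the test failing for that reason. An explicit lookup such as `acl_behavior_policy={"legacy": 0, "modern": 1}[test["policy"]],` would raise KeyError on an unknown label instead. The "modern" spelling is taken from the commit description, because the table rows that use it are outside this hunk, so confirm it against the tables. The same expression is added in the next hunk (the `all_deactivate_ip_allow_tests` loop) and should change the same way; the enclosing `Test_remap_acl(...)` call starts before this hunk and continues past it.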
@@ -513,7 +513,7 @@ for idx, test in enumerate(all_deactivate_ip_allow_tests):
replay_file=replay_file_name,
ip_allow_content=test["ip_allow"],
deactivate_ip_allow=test["deactivate_ip_allow"],
- acl_matching_policy=0 if test["policy"] == "ip_and_method" else 1,
+ acl_behavior_policy=0 if test["policy"] == "legacy" else 1,
acl_configuration=test["inline"],
named_acls=[("acl", test["named_acl"])] if test["named_acl"] != ""
else [],
expected_responses=[test["GET response"], test["POST response"]])