This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 4dd2b54104e840112ef3ad7f290180abb667149b Author: Brian Neradt <[email protected]> AuthorDate: Fri Aug 2 19:32:18 2024 -0500 ACL filter action documentation updates (#11635) This renames the ACL filter behavior as "legacy" and "modern" and documents that the legacy behavior, while the default for 10.x, is deprecated and will be removed in 11.x This also adds documentation for set_allow and set_deny. (cherry picked from commit 6dfbff32353a34233605ce8f90a62bcb97f2d5e8) --- configs/records.yaml.default.in | 1 + doc/admin-guide/files/ip_allow.yaml.en.rst | 15 +- doc/admin-guide/files/records.yaml.en.rst | 25 ++- doc/admin-guide/files/remap.config.en.rst | 234 +++++++++++++++++++------ include/proxy/http/remap/RemapConfig.h | 6 +- include/proxy/http/remap/UrlRewrite.h | 12 +- src/proxy/IPAllow.cc | 2 +- src/proxy/http/remap/RemapConfig.cc | 16 +- src/proxy/http/remap/UrlRewrite.cc | 30 ++-- src/records/RecordsConfig.cc | 2 +- tests/gold_tests/ip_allow/ip_category.test.py | 2 +- tests/gold_tests/remap/all_acl_combinations.py | 176 +++++++++---------- tests/gold_tests/remap/deactivate_ip_allow.py | 102 +++++------ tests/gold_tests/remap/remap_acl.test.py | 54 +++--- 14 files changed, 410 insertions(+), 267 deletions(-)
diff --git a/configs/records.yaml.default.in b/configs/records.yaml.default.in
index a2506cce77..f59a1ffbdc 100644
--- a/configs/records.yaml.default.in
+++ b/configs/records.yaml.default.in
@@ -216,3 +216,4 @@ records:
 # https://docs.trafficserver.apache.org/en/latest/admin-guide/files/records.yaml.en.html#proxy-config-url-remap-pristine-host-hdr
 pristine_host_hdr: 0
 remap_required: 1
+ acl_behavior_policy: 0
diff --git a/doc/admin-guide/files/ip_allow.yaml.en.rst b/doc/admin-guide/files/ip_allow.yaml.en.rst
index 63e6d3ae2f..bfb840da17 100644
--- a/doc/admin-guide/files/ip_allow.yaml.en.rst
+++ b/doc/admin-guide/files/ip_allow.yaml.en.rst
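Review bot: The new `acl_behavior_policy: 0` entry in records.yaml.default.in carries no comment, while the neighbouring `pristine_host_hdr` entry is preceded by a documentation link. The same commit documents this setting as deprecated and documents that `0` keeps the 9.x additive `allow`/`deny` remap ACL semantics, so an operator reading the shipped default gets no hint that the default is the permissive legacy mode of an access-control setting. Suggest a comment above the line in the style of the entries around it, e.g. `# Deprecated in 10.x, removed in 11.x: 0 keeps legacy allow/deny ACL filter behavior, 1 rejects those actions at startup`, or at least the corresponding docs link.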
@@ -99,7 +99,20 @@ The keys in a rule are: Either this or ``ip_addrs`` are required keys for a rule. ``action`` - The action, which must be ``allow`` or ``deny``. This is a required key. + The action describing the behavior of the rule. This can be either ``set_allow`` or ``set_deny``. + ``set_allow`` provides a list of allowed methods, while all requests with other methods are + denied. ``set_deny`` provides a list of denied methods, while all requests with other methods are + allowed. This is a required key. + +.. note:: + Prior to |TS| 10.x, these actions were named ``allow`` and ``deny``. In order to bring alignment + to the action names in remap ACL actions (see :ref:`acl-filters` for more details), these have + been renamed to ``set_allow`` and ``set_deny``. If + :ts:cv:`proxy.config.url_remap.acl_behavior_policy` is set to 0, which is the default, the old + ``allow`` and ``deny`` actions are still supported in order to provide backwards compatibility to + |TS| 9.x :file:`ip_allow.yaml` files. If it is set to 1, then the use of ``allow`` and ``deny`` + will result in a fatal error with a message asking the user to use ``set_allow`` and ``set_deny`` + instead. ``methods`` This is optional. If not present, the rule action applies to all methods. If present, the rule diff --git a/doc/admin-guide/files/records.yaml.en.rst b/doc/admin-guide/files/records.yaml.en.rst index b7759762a3..9a82486f73 100644 --- a/doc/admin-guide/files/records.yaml.en.rst +++ b/doc/admin-guide/files/records.yaml.en.rst 
@@ -3559,17 +3559,28 @@ URL Remap Rules This is dynamic to enable different requirements for startup and reloading. -.. ts:cv:: CONFIG proxy.config.url_remap.acl_matching_policy INT 0 +.. ts:cv:: CONFIG proxy.config.url_remap.acl_behavior_policy INT 0 :reloadable: - This controls matching policy of ACL filters in :file:`remap.config`. See :ref:`acl-filters` for more details. + This controls how the ACL filter ``allow`` and ``deny`` actions behave in :file:`remap.config`. See + :ref:`acl-filters` for more details. - ===== ============================= + ===== ================================= Value Description - ===== ============================= - ``0`` Match on IP and Method Policy - ``1`` Match on IP only Policy - ===== ============================= + ===== ================================= + ``0`` Legacy (9.x and below) behavior. + ``1`` Modern (10.x and above) behavior. + ===== ================================= + + The value ``0`` provides ACL filter ``allow`` and ``deny`` action behavior that is backwards compatible with previous + versions of |TS|. The value ``1`` results in a fatal log message if ``allow`` or ``deny`` is used with a message + encouraging the user to transition to either ``set_allow`` or ``set_deny`` or ``add_allow`` or ``add_deny`` actions. + ``0`` is the default value. + +.. note:: + + This configuration is deprecated in 10.x. Starting with 11.x, |TS| will always function like this configuration is + set to ``1`` (modern) and the configuration will be removed entirely. .. _records-config-ssl-termination: diff --git a/doc/admin-guide/files/remap.config.en.rst b/doc/admin-guide/files/remap.config.en.rst index 46d4e594cf..6790f8aa2f 100644 --- a/doc/admin-guide/files/remap.config.en.rst +++ b/doc/admin-guide/files/remap.config.en.rst 
@@ -455,7 +455,7 @@ As is the case with :file:`ip_allow.yaml` rules, each ACL filter takes one of a - ``allow``: This behaves like the ``allow`` action in :file:`ip_allow.yaml` in which a list of allowed methods are provided. Any request with a method in the list is allowed, while any request with a method not in the list is denied. - The exception to this is if :ts:cv:`proxy.config.url_remap.acl_matching_policy` is set to ``0``. In this case, the + The exception to this is if :ts:cv:`proxy.config.url_remap.acl_behavior_policy` is set to ``0``. In this case, the ``allow`` action is a synonym for ``add_allow``, described below. - ``add_allow``: This action adds a list of allowed methods to whatever other methods are allowed in a subsequently matched ACL filter or :file:`ip_allow.yaml` rule. Thus, if an ``add_allow`` ACL filter specifies the ``POST`` method, @@ -463,7 +463,7 @@ As is the case with :file:`ip_allow.yaml` rules, each ACL filter takes one of a have ``POST``, ``GET``, or ``HEAD`` methods will be allowed while all others will be denied. - ``deny``: This behaves like the ``deny`` action in :file:`ip_allow.yaml` in which a list of denied methods are provided. Any request with a method in the list is denied, while any request with a method not in the list is allowed. - The exception to this is if :ts:cv:`proxy.config.url_remap.acl_matching_policy` is set to ``0``. In this case, the + The exception to this is if :ts:cv:`proxy.config.url_remap.acl_behavior_policy` is set to ``0``. In this case, the ``deny`` action is a synonym for ``add_deny``, described below. - ``add_deny``: This action adds a list of denied methods to whatever other methods are denied in a subsequently matched ACL filter or :file:`ip_allow.yaml` rule. Thus, if an ``add_deny`` ACL filter specifies the ``POST`` method, and a 
@@ -564,84 +564,171 @@ Note this entirely disables :file:`ip_allow.yaml` checks for those remap rules. Evaluation Order and Matching Policy ------------------------------------ -ATS evaluates multiple ACL filters in the following order: +|TS| evaluates multiple ACL filters in the following order: 1. Special "deny all" filter in :file:`ip_allow.yaml` 2. In-line Filter in :file:`remap.config` 3. Named Filters in :file:`remap.config` 4. Filters in :file:`ip_allow.yaml` -When an ACL filter is found, ATS stops processing subsequent ACL filters depending on the mathcing policy configured by -:ts:cv:`proxy.config.url_remap.acl_matching_policy`. +When a matching ACL filter is found, |TS| stops processing subsequent ACL filters. -Note the step 1 happens at the start of the connection before any transactions are processed, unlike the other rules here. +Note that step 1 happens at the start of the connection before any transactions are processed, unlike the other rules +here. This is an optimization: if literally all requests are denied for a source IP address via an +:file:`ip_allow.yaml` rule, then there is no need to process any content from that IP for the connection at all, so the +connection is simply denied at the start. .. note:: - ATS v10 introduced following matching policies. Prior to the change, ATS traverses all matched ACL filters by IP and "deny" - action had priority. + Prior to |TS| 10.x, |TS| traversed all matched ACL filters by IP and "deny" action had priority. + +ACL Action Behavior Changes for 10.x +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Before |TS| 10.x, ACL filters used the same action names as :file:`ip_allow.yaml` (``allow`` and ``deny``) but these +actions behaved differently. + +- As described in :file:`ip_allow.yaml`, for any transaction matching an :file:`ip_allow.yaml` rule whose action is + ``allow``, any request with a method in the allow list will be accepted, while all other methods are denied. 
``deny`` + actions instead list methods which are denied, while all other methods are implicitly allowed. +- These same action names for ACL filters, on the other hand, functioned essentially additively in nature. For instance, + an ``allow`` ACL filter action would list a set of methods which would be allowed in addition to any other allowed + methods specified by :file:`ip_allow.yaml` rules. Similarly, a ``deny`` ACL filter action would list a set of methods + which would be denied in addition to any other denied methods specified by :file:`ip_allow.yaml` rules. + +This difference in behavior lead at times to confusion as users would expect the two actions having the same name to +behave the same across the ACL filter and :file:`ip_allow.yaml` rule systems. + +For |TS| 10.x, a few action naming changes are being done to disambiguate the behavior of :file:`ip_allow.yaml` and +remap ACL filter actions. The following new action names are introduced: + +- ``add_allow``: this ACL filter action name, new to |TS| 10.x, behaves like ``allow`` used to behave for ACL filters + pre |TS| 10.x: that is, it adds methods which are allowed to the :file:`ip_allow.yaml` rule otherwise matched for the + given transaction. +- ``add_deny``: this ACL filter action name, new to |TS| 10.x, behaves like ``deny`` used to behave for ACL filters pre + |TS| 10.x: that is, it adds methods which are denied the :file:`ip_allow.yaml` rule otherwise matched for the given + transaction. +- ``set_allow``: this is an entirely new ACL filter action being introduced in |TS| 10.x. The new ``set_allow`` action + creates a remap filter that behaves like an :file:`ip_allow.yaml` rule with an ``allow`` action. All requests with a + method in the list will be allowed, requests with methods not in the list will be denied, and no other filters or + :file:`ip_allow.yaml` rules will be applied. 
To demonstrate the consistency between this action and how it acts like + the corresponding :file:`ip_allow.yaml` rule action, the ``set_allow`` action is also introduced for + :file:`ip_allow.yaml` rules and its behavior is identical to the ``allow`` :file:`ip_allow.yaml` rule action for pre + |TS| 10.x releases. +- ``set_deny``: this is an entirely new ACL filter action being introduced in |TS| 10.x. The new ``set_deny`` action + creates a remap filter that behaves like an :file:`ip_allow.yaml` rule with a ``deny`` action. All requests with a + method in the list will be denied, requests with methods not in the list will be allowed, and no other filters or + :file:`ip_allow.yaml` rules will be applied. To demonstrate the consistency between this action and how it acts like + the corresponding :file:`ip_allow.yaml` rule action, the ``set_deny`` action is also introduced for + :file:`ip_allow.yaml` rules and its behavior is identical to the ``deny`` :file:`ip_allow.yaml` rule action for pre + |TS| 10.x releases. + +The behavior of the |TS| 9.x ``allow`` and ``deny`` actions are configurable via +:ts:cv:`proxy.config.url_remap.acl_behavior_policy`. This configuration is described in the next two sections, but in +short, by default the ``allow`` and ``deny`` actions behave like they did in |TS| 9.x in order to provide backwards +compatibility and avoid surprises for people upgrading to |TS| 10.x. + +Legacy Policy +~~~~~~~~~~~~~ + +This is the default ACL action policy and it is configured by setting +:ts:cv:`proxy.config.url_remap.acl_behavior_policy` to ``0``. With this policy, ACL filter ``allow`` and ``deny`` +actions behave like they did pre |TS| 10.x: they additively add allowed or denied methods for transactions. +Functionally, this means that with this set to ``0``, ``allow`` is a synonym for ``add_allow`` and ``deny`` is a synonym +for ``add_deny``. 
Because of this, an organization can easily, and incrementally prepare for the new ACL filter action +behavior by transitioning a rule one at a time by simply replacing ``allow`` with ``add_allow`` and ``deny`` with +``add_deny``. Once all actions are transitioned, an organization can then switch to the modern policy. + +As mentioned above, the legacy and modern ACL filter action policies described in these two sections configure how |TS| +will respond to the older ``allow`` and ``deny`` actions. ``set_allow``, ``set_deny``, ``add_allow``, and ``add_deny`` +actions are not affected by this configuration and they behave the same between the two policies. -Match on IP and Method Policy -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This is the default matching policy. With this policy, ACL filters, in-line or named, only take effect if both IP address and HTTP -method match the incoming request. If there is no match, ATS proceeds to the next ACL filter to find a matching one. - -This policy is useful for organizations that want ACL rules to additively allow or deny specific methods in addition to other ACL -filters and :file:`ip_allow.yaml` rules. - Consider a filter like the following: :: map http://www.example.com/ http://internal.example.com/ @action=deny @method=POST -The implicit ``@src_ip`` is all client IP addresses, so this filter will match on any ``POST`` request matched by this remap rule -from any client and its action will be to deny such POST requests. For all other methods, the filter will not take effect, thus -allowing other active ACL filters or an :file:`ip_allow.yaml` rule to determine the action to take for any other transaction. +The implicit ``@src_ip`` is all client IP addresses, so this filter will match on any ``POST`` request matched by this +remap rule from any client and its action will be to deny such POST requests. 
For all other methods, the filter will not +take effect, thus allowing other active ACL filters or an :file:`ip_allow.yaml` rule to determine the action to take for +any other transaction. -.. note:: +With the legacy policy being described here, this filter acts identically with an ``add_deny`` action. Thus, the above +rule is identical to: - This policy's behavior is similar to ATS v9 and older, but employs "first match wins" policy. +:: -Match on IP only Policy -~~~~~~~~~~~~~~~~~~~~~~~ + map http://www.example.com/ http://internal.example.com/ @action=add_deny @method=POST -With this policy, ACL filters match solely based upon IP address, meaning that ACL filters match like :file:`ip_allow.yaml` rules. -When a filter is processed, the action is applied to the specified methods and its opposite to **all other** methods. +.. note:: -This policy is useful for organizations that want to have ACL filters behave like :file:`ip_allow.yaml` rules specific to remap -targets. + This policy's behavior is similar to |TS| 9.x and older, but employs a "first match wins" policy. -Consider a filter like the following (the same as above): +And just to be complete, here is a rule using the new ``set_allow`` action: :: - map http://www.example.com/ http://internal.example.com/ @action=deny @method=POST + map http://www.example.com/ http://internal.example.com/ @action=set_allow @method=GET @method=HEAD + +This is a new type of rule that could not be added pre |TS| 10.x. It behaves like a corresponding :file:`ip_allow.yaml` +``allow`` action rule like this would have behaved in |TS| 9.x. This rule will allow only ``GET`` and ``HEAD`` requests +to the ``internal.example.com`` origin while all requests with any other method will be rejected. No other ACL filters +or :file:`ip_allow.yaml` rules will apply for this target. -The implicit ``@src_ip`` is all client IP address, so this filter will apply to **all** requests matching this remap rule. 
Again, -like an analogously crafted :file:`ip_allow.yaml` action rule, this will deny ``POST`` request while allowing **all** other methods -to the ``www.example.com``. No other ACL filters or :file:`ip_allow.yaml` rules will be applied for any request to this target. +Modern Policy +~~~~~~~~~~~~~ -More realistic example is following: +As described above in the section "ACL Action Behavior Changes for 10.x", we are moving away from the old ``allow`` and +``deny`` actions are transitioning to the new ``set_allow`` and ``set_deny`` and ``add_allow`` and ``add_deny`` actions. +Setting :ts:cv:`proxy.config.url_remap.acl_behavior_policy` to ``1`` enables the "modern" policy for organizations who +have made this transition to these new ACL filter names. With this modern policy set, the use of ``allow`` and ``deny`` +actions will be detected as an accidental and fatal error with a message requesting the user to convert to the new +action names. This policy will be the default in |TS| 11.x. This is the only behavioral difference between the two +policies. + +Thus, consider a filter like the following (the exact same as the first example in the legacy section above): :: - map http://www.example.com/ http://internal.example.com/ @action=allow @method=GET @method=HEAD + map http://www.example.com/ http://internal.example.com/ @action=deny @method=POST + +Note that this uses the old ``deny`` action. With the modern policy, this will be detected as a fatal error and |TS| +will not start with this configuration and the user will be expected to convert this to an ACL filter using either the +``add_deny`` or the ``set_deny`` actions. The same will happen with an ``@action=allow`` action. + +Again, ``set_allow``, ``set_deny``, ``add_allow``, and ``add_deny`` actions all act the same between modern and legacy +behavior configurations, so the examples for those above for the legacy configuration also apply identically to the +modern configuration. 
-The implicit ``@src_ip`` is all client IP address, so this filter will apply to all transactions matching this remap rule. Again, -like an analogously crafted ip_allow allow rule, this will allow ``GET`` and ``HEAD`` requests while denying all other methods to -the ``internal.example.com`` origin. No other ACL filters or ip_allow rules will apply for this target. +Upgrade Notes +~~~~~~~~~~~~~ -.. warning:: +As explained above, for 10.x, by default :ts:cv:`proxy.config.url_remap.acl_behavior_policy` is set to ``0`` to maintain +ACL filter action backwards compatibility with |TS| 9.x and older :file:`remap.config` files. This means that ACL filter +actions ``allow`` and ``deny`` behave additively like ``add_allow`` and ``add_deny`` just like they did for 9.x and +older. This is to ease the transition to the modern ACL filter behavior. + +When an organization is ready to upgrade to the modern ACL filter action behavior, they need to ensure that they +transitioned all of their ``allow`` and ``deny`` :file:`ip_allow.yaml` rules and :file:`remap.config` ACL filter actions +to either ``add_allow`` and ``add_deny`` or ``set_allow`` and ``set_deny`` actions. To maintain 9.x behavior, this +simply means replacing ``allow`` with ``add_allow`` and ``deny`` with ``add_deny``. In case it is helpful, +``tools/remap/convert_remap_actions_to_10x`` is provided to do this replacement programmatically. Once all rules are +updated, the organization can then switch to the modern policy by setting +:ts:cv:`proxy.config.url_remap.acl_behavior_policy` to ``1``. :ts:cv:`proxy.config.url_remap.acl_behavior_policy` will +be removed in 11.x and the modern policy will be the default and only behavior. - This policy has completly new behavior introduced by ATS v10. When the ``@action=deny`` is used with this policy, be careful to - list up **all** methods to deny. Otherwise, the cache control methods like ``PURGE`` and ``PUSH`` are allowed unintentionally. 
Example of ACL filter combinations ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +As described above, the new ``add_allow`` and ``add_deny`` actions behave the same in both legacy and modern ACL filter +policies: they add to underlying :file:`ip_allow.yaml` rules methods that are either allowed or denied, respectively. +The difference in behavior with these policies is how ``allow`` and ``deny`` actions behave. To help ensure that the +behaviors between these two modes is understood, this section walks through examples of differences between these two +policies for ``allow`` and ``deny`` actions. + This is an example of in-line filter, named filters in :file:`remap.config`, and :file:`ip_allow.yaml`. :: 
@@ -662,32 +749,63 @@ This is an example of in-line filter, named filters in :file:`remap.config`, and map http://www.example.com/ http://internal.example.com/ @action=deny @method=POST -With the "Match on IP and Method Policy", the evaluation applied from left to right until match is found: +With the "Legacy" policy, the evaluation applied from left to right until match is found: ====== ============== ============== ============== ================ ============= Method In-line Filter Named Filter 1 Named Filter 2 ip_allow.yaml result ====== ============== ============== ============== ================ ============= GET \- \- \- allow (implicit) allowed (200) -POST deny \- \- \- denied (403) -HEAD \- allow \- \- allowed (200) -DELETE \- \- deny \- denied (403) +POST deny \- \- allow (implicit) denied (403) +HEAD \- allow \- allow (implicit) allowed (200) +DELETE \- \- deny allow (implicit) denied (403) PURGE \- \- \- deny denied (403) PUSH \- \- \- deny denied (403) ====== ============== ============== ============== ================ ============= -With the "Match on IP only Policy", the in-line filter works like an :file:`ip_allow.yaml` rule applies to all requests to -``www.example.com`` that denies ``POST`` requests and implicitly allows all other methods: - -====== ================ ============== ============== ============= ============= -Method In-line Filter Named Filter 1 Named Filter 2 ip_allow.yaml result -====== ================ ============== ============== ============= ============= -GET allow (implicit) \- \- \- allowed (200) -POST deny \- \- \- denied (403) -HEAD allow (implicit) allow \- \- allowed (200) -DELETE allow (implicit) \- deny \- allowed (200) -PURGE allow (implicit) \- \- deny allowed (200) -PUSH allow (implicit) \- \- deny allowed (200) -====== ================ ============== ============== ============= ============= +With the "Modern" policy, the :file:`ip_allow.yaml` rule as well as all of the +filter rules would trigger a fatal error 
message and |TS| would not start. The +user would need to transition to ``set_allow``, ``set_deny``, ``add_allow``, and +``add_deny`` actions. + +So let's try a set of conversions like that and consider the following updated example: + +:: + + # ip_allow.yaml + ip_allow: + - apply: in + ip_addrs: [0/0, ::/0] + action: set_deny + method: [PURGE, PUSH] + + # remap.config + .definefilter named-filter-1 @action=add_allow @method=HEAD + .definefilter named-filter-2 @action=add_deny @method=DELETE + + .activatefilter named-filter-1 + .activatefilter named-filter-2 + + map http://www.example.com/ http://internal.example.com/ @action=set_deny @method=POST + + +In this case, we changed the :file:`ip_allow.yaml` rule to use ``set_deny`` +instead of ``deny``. This makes it function as it did before in the previous +example. Also, we changed the two named filter actions to ``add_allow`` and +``add_deny``. Again, this makes them function as they did in legacy mode. +Finally, we changed the in-line filter action to ``set_deny`` which changes its +behavior to be like that of an :file:`ip_allow.yaml` rule: it will deny all POST +requests and allow all other requests. + +====== ================ ============== ============== ================ ============= +Method In-line Filter Named Filter 1 Named Filter 2 ip_allow.yaml result +====== ================ ============== ============== ================ ============= +GET allow \- \- allow (implicit) allowed (200) +POST deny \- \- allow (implicit) denied (403) +HEAD allow allow \- allow (implicit) allowed (200) +DELETE allow \- deny allow (implicit) allowed (200) +PURGE allow \- \- deny allowed (200) +PUSH allow \- \- deny allowed (200) +====== ================ ============== ============== ================ ============= Including Additional Remap Files ================================ diff --git a/include/proxy/http/remap/RemapConfig.h b/include/proxy/http/remap/RemapConfig.h index bfceef07ca..024a86142b 100644 
--- a/include/proxy/http/remap/RemapConfig.h
+++ b/include/proxy/http/remap/RemapConfig.h
@@ -26,7 +26,7 @@
 #include "proxy/http/remap/AclFiltering.h"
 class UrlRewrite;
-enum class ACLMatchingPolicy;
+enum class ACLBehaviorPolicy;
 #define BUILD_TABLE_MAX_ARGS 2048
@@ -56,7 +56,7 @@ struct BUILD_TABLE_INFO {
 char *paramv[BUILD_TABLE_MAX_ARGS];
 char *argv[BUILD_TABLE_MAX_ARGS];
- ACLMatchingPolicy matching_policy;
+ ACLBehaviorPolicy behavior_policy;
 bool ip_allow_check_enabled_p = true;
 bool accept_check_p = true;
@@ -74,7 +74,7 @@ struct BUILD_TABLE_INFO {
 const char *remap_parse_directive(BUILD_TABLE_INFO *bti, char *errbuf, size_t errbufsize);
 const char *remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int argc, char *errStrBuf,
- size_t errStrBufSize, ACLMatchingPolicy matching_policy);
+ size_t errStrBufSize, ACLBehaviorPolicy behavior_policy);
 unsigned long remap_check_option(const char **argv, int argc, unsigned long findmode = 0, int *_ret_idx = nullptr, const char **argptr = nullptr);
diff --git a/include/proxy/http/remap/UrlRewrite.h b/include/proxy/http/remap/UrlRewrite.h
index a499ee79c6..37faaa374f 100644
--- a/include/proxy/http/remap/UrlRewrite.h
+++ b/include/proxy/http/remap/UrlRewrite.h
@@ -53,9 +53,9 @@ enum mapping_type {
 NONE
 };
-enum class ACLMatchingPolicy {
- MATCH_ON_IP_AND_METHOD = 0,
- MATCH_ON_IP_ONLY,
+enum class ACLBehaviorPolicy {
+ ACL_BEHAVIOR_LEGACY = 0,
+ ACL_BEHAVIOR_MODERN,
 };
 /**
@@ -70,11 +70,11 @@ public:
 /** Retrieve the configured ACL matching policy.
 *
- * @param[out] policy The configured ACL matching policy.
+ * @param[out] policy The configured ACL behavior policy.
 * @return @c true if the policy is configured to an appropriate value, @c
 * false if not.
 */
- static bool get_acl_matching_policy(ACLMatchingPolicy &policy);
+ static bool get_acl_behavior_policy(ACLBehaviorPolicy &policy);
 /** Load the configuration.
 *
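Review bot: The doc comment on the renamed getter in UrlRewrite.h still opens with `/** Retrieve the configured ACL matching policy.` while the `@param[out]` line two lines below it is updated to "behavior policy" in the same hunk, so the rename is only half applied to the documentation; suggest `/** Retrieve the configured ACL behavior policy.`. The old term survives as unchanged context in several later hunks of this patch as well: the `// With the new matching policy, we don't allow the legacy "allow" and` comment under the renamed check in remap_validate_filter_args, `Warning("Failed to get ACL matching policy.");` in remap_parse_config_bti, and the `// ACL Matching Policy` comment in UrlRewrite::load(). Since the user-facing record and the enum are both renamed here, the log string in particular will point operators at a name that no longer exists in records.yaml.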
@@ -238,7 +238,7 @@ public:
 private:
 bool _valid = false;
- ACLMatchingPolicy _acl_matching_policy = ACLMatchingPolicy::MATCH_ON_IP_AND_METHOD;
+ ACLBehaviorPolicy _acl_behavior_policy = ACLBehaviorPolicy::ACL_BEHAVIOR_LEGACY;
 bool _mappingLookup(MappingsStore &mappings, URL *request_url, int request_port, const char *request_host, int request_host_len, UrlMappingContainer &mapping_container);
diff --git a/src/proxy/IPAllow.cc b/src/proxy/IPAllow.cc
index d0e1e29b15..21f8cf85a7 100644
--- a/src/proxy/IPAllow.cc
+++ b/src/proxy/IPAllow.cc
@@ -202,7 +202,7 @@ IpAllow::IpAllow(const char *ip_allow_config_var, const char *ip_categories_conf
 : ip_allow_config_file(ats_scoped_str(RecConfigReadConfigPath(ip_allow_config_var)).get())
 {
 int matching_policy = 0;
- REC_ReadConfigInteger(matching_policy, "proxy.config.url_remap.acl_matching_policy");
+ REC_ReadConfigInteger(matching_policy, "proxy.config.url_remap.acl_behavior_policy");
 if (matching_policy == 0) {
 this->_is_legacy_action_policy = true;
 } else {
diff --git a/src/proxy/http/remap/RemapConfig.cc b/src/proxy/http/remap/RemapConfig.cc
index a578479566..f26177f363 100644
--- a/src/proxy/http/remap/RemapConfig.cc
+++ b/src/proxy/http/remap/RemapConfig.cc
@@ -129,7 +129,7 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO *bti, char *errStrBuf
 for (rpp = &mp->filter; *rpp; rpp = &((*rpp)->next)) {
 ;
 }
- errStr = remap_validate_filter_args(rpp, (const char **)bti->argv, bti->argc, errStrBuf, errStrBufSize, bti->matching_policy);
+ errStr = remap_validate_filter_args(rpp, (const char **)bti->argv, bti->argc, errStrBuf, errStrBufSize, bti->behavior_policy);
 }
 for (rp = bti->rules_list; rp; rp = rp->next) {
@@ -143,7 +143,7 @@ process_filter_opt(url_mapping *mp, const BUILD_TABLE_INFO *bti, char *errStrBuf
 ;
 }
 if ((errStr = remap_validate_filter_args(rpp, (const char **)rp->argv, rp->argc, errStrBuf, errStrBufSize,
- bti->matching_policy)) != nullptr) {
+ bti->behavior_policy)) != nullptr) {
 break;
 }
 }
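Review bot: IpAllow's reader of `proxy.config.url_remap.acl_behavior_policy` classifies every non-zero value as the strict policy (`if (matching_policy == 0) { ... } else {`), whereas `UrlRewrite::get_acl_behavior_policy` later in this patch accepts only 0 and 1 and fails with a warning for anything else. The RecordsConfig entry constrains the record to `[0-1]`, so the two readers presumably agree in practice, but if an out-of-range value ever reaches them, ip_allow.yaml would be parsed under one policy while remap.config loading fails, an awkward split for two halves of the same access-control decision; keying both readers on the same enum (or the same explicit `== 1` check with a warning on other values) would keep them in lockstep. The local is also still called `matching_policy` although it now holds the renamed record; `int behavior_policy = 0;` would finish the rename. The IpAllow constructor body continues outside the hunk.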
@@ -200,7 +200,7 @@ parse_define_directive(const char *directive, BUILD_TABLE_INFO *bti, char *errbu
 flg = ((rp = acl_filter_rule::find_byname(bti->rules_list, (const char *)bti->paramv[1])) == nullptr) ? true : false;
 // coverity[alloc_arg]
- if ((cstr = remap_validate_filter_args(&rp, (const char **)bti->argv, bti->argc, errbuf, errbufsize, bti->matching_policy)) ==
+ if ((cstr = remap_validate_filter_args(&rp, (const char **)bti->argv, bti->argc, errbuf, errbufsize, bti->behavior_policy)) ==
 nullptr && rp) {
 if (flg) { // new filter - add to list
@@ -442,7 +442,7 @@ remap_parse_directive(BUILD_TABLE_INFO *bti, char *errbuf, size_t errbufsize)
 const char *
 remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int argc, char *errStrBuf, size_t errStrBufSize,
- ACLMatchingPolicy matching_policy)
+ ACLBehaviorPolicy behavior_policy)
 {
 acl_filter_rule *rule;
 int i, j;
@@ -632,7 +632,7 @@ remap_validate_filter_args(acl_filter_rule **rule_pp, const char **argv, int arg
 }
 if (ul & REMAP_OPTFLG_ACTION) { /* "action=" option */
- if (matching_policy == ACLMatchingPolicy::MATCH_ON_IP_ONLY) {
+ if (behavior_policy == ACLBehaviorPolicy::ACL_BEHAVIOR_MODERN) {
 // With the new matching policy, we don't allow the legacy "allow" and
 // "deny" actions. Users must transition to either add_allow/add_deny or
 // set_allow/set_deny.
@@ -1066,12 +1066,12 @@ remap_parse_config_bti(const char *path, BUILD_TABLE_INFO *bti)
 Dbg(dbg_ctl_url_rewrite, "[BuildTable] UrlRewrite::BuildTable()");
- ACLMatchingPolicy matching_policy = ACLMatchingPolicy::MATCH_ON_IP_AND_METHOD;
- if (!UrlRewrite::get_acl_matching_policy(matching_policy)) {
+ ACLBehaviorPolicy behavior_policy = ACLBehaviorPolicy::ACL_BEHAVIOR_LEGACY;
+ if (!UrlRewrite::get_acl_behavior_policy(behavior_policy)) {
 Warning("Failed to get ACL matching policy.");
 return false;
 }
- bti->matching_policy = matching_policy;
+ bti->behavior_policy = behavior_policy;
 for (cur_line = tokLine(content.data(), &tok_state, '\\'); cur_line != nullptr;) {
 reg_map = nullptr;
diff --git a/src/proxy/http/remap/UrlRewrite.cc b/src/proxy/http/remap/UrlRewrite.cc
index 82336b55c7..91d990beda 100644
--- a/src/proxy/http/remap/UrlRewrite.cc
+++ b/src/proxy/http/remap/UrlRewrite.cc
@@ -58,19 +58,19 @@ SetHomePageRedirectFlag(url_mapping *new_mapping, URL &new_to_url)
 } // end anonymous namespace
 bool
-UrlRewrite::get_acl_matching_policy(ACLMatchingPolicy &policy)
+UrlRewrite::get_acl_behavior_policy(ACLBehaviorPolicy &policy)
 {
- int matching_policy = 0;
- REC_ReadConfigInteger(matching_policy, "proxy.config.url_remap.acl_matching_policy");
- switch (matching_policy) {
+ int behavior_policy = 0;
+ REC_ReadConfigInteger(behavior_policy, "proxy.config.url_remap.acl_behavior_policy");
+ switch (behavior_policy) {
 case 0:
- policy = ACLMatchingPolicy::MATCH_ON_IP_AND_METHOD;
+ policy = ACLBehaviorPolicy::ACL_BEHAVIOR_LEGACY;
 break;
 case 1:
- policy = ACLMatchingPolicy::MATCH_ON_IP_ONLY;
+ policy = ACLBehaviorPolicy::ACL_BEHAVIOR_MODERN;
 break;
 default:
- Warning("unkown ACL Matching Policy: %d", matching_policy);
+ Warning("unkown ACL Behavior Policy: %d", behavior_policy);
 return false;
 }
 return true;
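Review bot: The rewritten warning in `UrlRewrite::get_acl_behavior_policy` keeps the misspelling from the line it replaces: `Warning("unkown ACL Behavior Policy: %d", behavior_policy);` should read `Warning("unknown ACL Behavior Policy: %d", behavior_policy);`, since the line is being touched anyway. Given that the same commit documents value `0` as deprecated and slated for removal in 11.x, the `case 0:` branch is also the natural place for a one-time deprecation notice so that operators still relying on the additive `allow`/`deny` semantics learn about it from the log rather than at upgrade time; that is a suggestion, not a defect.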
@@ -147,7 +147,7 @@ UrlRewrite::load() } // ACL Matching Policy - if (!get_acl_matching_policy(_acl_matching_policy)) { + if (!get_acl_behavior_policy(_acl_behavior_policy)) { _valid = false; } @@ -570,13 +570,13 @@ UrlRewrite::PerformACLFiltering(HttpTransact::State *s, const url_mapping *const break; } - // @action=add_allow and @action=add_deny behave the same for each ACL - // policy behavior. The difference in behavior applies to @action=allow - // and @action=deny. For these, in Match on IP and Method mode they are - // synonyms for @action=add_allow and @action=add_deny because that is - // how they behaved pre-10.x. For the Match on IP Only behavior, they - // behave like the corresponding ip_allow actions. - if (!rp->add_flag && _acl_matching_policy == ACLMatchingPolicy::MATCH_ON_IP_ONLY) { + // @action=add_allow and @action=add_deny behave the same for legacy and + // modern behavior. The difference in behavior applies to @action=allow + // and @action=deny. For these, in legacy mode they are synonyms for + // @action=add_allow and @action=add_deny because that is how they + // behaved pre-10.x. For modern behavior, they behave like the + // corresponding ip_allow actions. + if (!rp->add_flag && _acl_behavior_policy == ACLBehaviorPolicy::ACL_BEHAVIOR_MODERN) { // Flipping the action for unspecified methods. Dbg(dbg_ctl_url_rewrite, "ACL rule matched on IP but not on method, action: %s, %s the request", rp->get_action_description(), (rp->allow_flag ? "denying" : "allowing")); diff --git a/src/records/RecordsConfig.cc b/src/records/RecordsConfig.cc index 4204975398..8fe22b8876 100644 --- a/src/records/RecordsConfig.cc +++ b/src/records/RecordsConfig.cc 
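Review bot: The rewritten comment above `if (!rp->add_flag && _acl_behavior_policy == ACLBehaviorPolicy::ACL_BEHAVIOR_MODERN)` says modern-mode rules "behave like the corresponding ip_allow actions" without spelling out the consequence that matters to whoever reads an ACL: when the IP matches but the method is not listed, the action is inverted, so `set_allow @method=GET` denies a POST from that IP and `set_deny @method=GET` allows it, without deferring to ip_allow.yaml (rows 64–67 and 76–79 of all_acl_combinations in this commit show POST getting 403 under ALLOW_GET_AND_POST and 200 under DENY_GET_AND_POST respectively). Suggest appending `// Concretely: in modern mode a non-add rule whose IP matches but whose method does not` / `// yields the opposite of its action (set_allow denies, set_deny allows) and does not` / `// fall back to ip_allow.yaml for that request.`. PerformACLFiltering starts and ends outside the hunk.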
@@ -1068,7 +1068,7 @@ static const RecordElement RecordsConfig[] = , {RECT_CONFIG, "proxy.config.url_remap.min_rules_required", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-9]+", RECA_NULL} , - {RECT_CONFIG, "proxy.config.url_remap.acl_matching_policy", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} + {RECT_CONFIG, "proxy.config.url_remap.acl_behavior_policy", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-1]", RECA_NULL} , //############################################################################## diff --git a/tests/gold_tests/ip_allow/ip_category.test.py b/tests/gold_tests/ip_allow/ip_category.test.py index b53d7e299d..76a8c1b773 100644 --- a/tests/gold_tests/ip_allow/ip_category.test.py +++ b/tests/gold_tests/ip_allow/ip_category.test.py @@ -230,7 +230,7 @@ class Test_ip_category: 'proxy.config.ssl.server.private_key.path': ts.Variables.SSLDir, 'proxy.config.ssl.client.verify.server.policy': 'PERMISSIVE', 'proxy.config.http.connect_ports': Test_ip_category._server.Variables.http_port, - 'proxy.config.url_remap.acl_matching_policy': 1, # TODO: adjust expected_responses with the default config + 'proxy.config.url_remap.acl_behavior_policy': 1, # TODO: adjust expected_responses with the default config }) ts.Disk.remap_config.AddLine( diff --git a/tests/gold_tests/remap/all_acl_combinations.py b/tests/gold_tests/remap/all_acl_combinations.py index 6c3ce87ae6..0f76101e47 100644 --- a/tests/gold_tests/remap/all_acl_combinations.py +++ b/tests/gold_tests/remap/all_acl_combinations.py 
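Review bot: Renaming the record from `proxy.config.url_remap.acl_matching_policy` to `proxy.config.url_remap.acl_behavior_policy` on the 10.0.x release branch changes the effective ACL semantics of any deployment that already set the old key to 1: unless records parsing aliases the old name (not visible here), that setting becomes an unknown record and the new key takes its default `"0"`, silently moving the host back to legacy mode where `@action=allow`/`@action=deny` are additive (rows 0–51 of all_acl_combinations) instead of being rejected at load. Suggest either registering the old name as an alias of the new record, or at minimum emitting a load-time `Warning` when the old key is present in records.yaml, plus a changelog entry. The `"[0-1]"` check string and RECU_DYNAMIC are unchanged, so reloads of the new key keep working.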
@@ -52,94 +52,94 @@ ip_allow: # yapf: disable keys = ["index", "policy", "inline", "named_acl", "ip_allow", "GET response", "POST response"] all_acl_combinations = [ - [ 0, "ip_and_method", "", "", ALLOW_GET_AND_POST, 200, 200, ], - [ 1, "ip_and_method", "", "", ALLOW_GET, 200, 403, ], - [ 2, "ip_and_method", "", "", DENY_GET, 403, 200, ], - [ 3, "ip_and_method", "", "", DENY_GET_AND_POST, 403, 403, ], - [ 4, "ip_and_method", "", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 200, ], - [ 5, "ip_and_method", "", "@action=allow @method=GET", ALLOW_GET, 200, 403, ], - [ 6, "ip_and_method", "", "@action=allow @method=GET", DENY_GET, 200, 200, ], - [ 7, "ip_and_method", "", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 8, "ip_and_method", "", "@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 9, "ip_and_method", "", "@action=deny @method=GET", ALLOW_GET, 403, 403, ], - [ 10, "ip_and_method", "", "@action=deny @method=GET", DENY_GET, 403, 200, ], - [ 11, "ip_and_method", "", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 403, ], - [ 12, "ip_and_method", "@action=allow @method=GET", "", ALLOW_GET_AND_POST, 200, 200, ], - [ 13, "ip_and_method", "@action=allow @method=GET", "", ALLOW_GET, 200, 403, ], - [ 14, "ip_and_method", "@action=allow @method=GET", "", DENY_GET, 200, 200, ], - [ 15, "ip_and_method", "@action=allow @method=GET", "", DENY_GET_AND_POST, 200, 403, ], - [ 16, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 200, ], - [ 17, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", ALLOW_GET, 200, 403, ], - [ 18, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET, 200, 200, ], - [ 19, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 20, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 200, 200, ], - [ 21, 
"ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET, 200, 403, ], - [ 22, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET, 200, 200, ], - [ 23, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 24, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", ALLOW_GET_AND_POST, 200, 200, ], - [ 25, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", ALLOW_GET, 200, 200, ], - [ 26, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", DENY_GET, 200, 200, ], - [ 27, "ip_and_method", "@action=allow @method=GET", "@action=allow @method=POST", DENY_GET_AND_POST, 200, 200, ], - [ 28, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", ALLOW_GET_AND_POST, 200, 403, ], - [ 29, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", ALLOW_GET, 200, 403, ], - [ 30, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", DENY_GET, 200, 403, ], - [ 31, "ip_and_method", "@action=allow @method=GET", "@action=deny @method=POST", DENY_GET_AND_POST, 200, 403, ], - [ 32, "ip_and_method", "@action=deny @method=GET", "", ALLOW_GET_AND_POST, 403, 200, ], - [ 33, "ip_and_method", "@action=deny @method=GET", "", ALLOW_GET, 403, 403, ], - [ 34, "ip_and_method", "@action=deny @method=GET", "", DENY_GET, 403, 200, ], - [ 35, "ip_and_method", "@action=deny @method=GET", "", DENY_GET_AND_POST, 403, 403, ], - [ 36, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 37, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET, 403, 403, ], - [ 38, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", DENY_GET, 403, 200, ], - [ 39, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 403, 403, ], - [ 40, 
"ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 41, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET, 403, 403, ], - [ 42, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET, 403, 200, ], - [ 43, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 403, ], - [ 44, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", ALLOW_GET_AND_POST, 403, 200, ], - [ 45, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", ALLOW_GET, 403, 200, ], - [ 46, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", DENY_GET, 403, 200, ], - [ 47, "ip_and_method", "@action=deny @method=GET", "@action=allow @method=POST", DENY_GET_AND_POST, 403, 200, ], - [ 48, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", ALLOW_GET_AND_POST, 403, 403, ], - [ 49, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", ALLOW_GET, 403, 403, ], - [ 50, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", DENY_GET, 403, 403, ], - [ 51, "ip_and_method", "@action=deny @method=GET", "@action=deny @method=POST", DENY_GET_AND_POST, 403, 403, ], - [ 52, "ip_only", "", "", ALLOW_GET_AND_POST, 200, 200, ], - [ 53, "ip_only", "", "", ALLOW_GET, 200, 403, ], - [ 54, "ip_only", "", "", DENY_GET, 403, 200, ], - [ 55, "ip_only", "", "", DENY_GET_AND_POST, 403, 403, ], - [ 56, "ip_only", "", "@action=set_allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ], - [ 57, "ip_only", "", "@action=set_allow @method=GET", ALLOW_GET, 200, 403, ], - [ 58, "ip_only", "", "@action=set_allow @method=GET", DENY_GET, 200, 403, ], - [ 59, "ip_only", "", "@action=set_allow @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 60, "ip_only", "", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 61, "ip_only", "", "@action=set_deny 
@method=GET", ALLOW_GET, 403, 200, ], - [ 62, "ip_only", "", "@action=set_deny @method=GET", DENY_GET, 403, 200, ], - [ 63, "ip_only", "", "@action=set_deny @method=GET", DENY_GET_AND_POST, 403, 200, ], - [ 64, "ip_only", "@action=set_allow @method=GET", "", ALLOW_GET_AND_POST, 200, 403, ], - [ 65, "ip_only", "@action=set_allow @method=GET", "", ALLOW_GET, 200, 403, ], - [ 66, "ip_only", "@action=set_allow @method=GET", "", DENY_GET, 200, 403, ], - [ 67, "ip_only", "@action=set_allow @method=GET", "", DENY_GET_AND_POST, 200, 403, ], - [ 68, "ip_only", "@action=set_allow @method=GET", "@action=set_allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ], - [ 69, "ip_only", "@action=set_allow @method=GET", "@action=set_allow @method=GET", ALLOW_GET, 200, 403, ], - [ 70, "ip_only", "@action=set_allow @method=GET", "@action=set_allow @method=GET", DENY_GET, 200, 403, ], - [ 71, "ip_only", "@action=set_allow @method=GET", "@action=set_allow @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 72, "ip_only", "@action=set_allow @method=GET", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 200, 403, ], - [ 73, "ip_only", "@action=set_allow @method=GET", "@action=set_deny @method=GET", ALLOW_GET, 200, 403, ], - [ 74, "ip_only", "@action=set_allow @method=GET", "@action=set_deny @method=GET", DENY_GET, 200, 403, ], - [ 75, "ip_only", "@action=set_allow @method=GET", "@action=set_deny @method=GET", DENY_GET_AND_POST, 200, 403, ], - [ 76, "ip_only", "@action=set_deny @method=GET", "", ALLOW_GET_AND_POST, 403, 200, ], - [ 77, "ip_only", "@action=set_deny @method=GET", "", ALLOW_GET, 403, 200, ], - [ 78, "ip_only", "@action=set_deny @method=GET", "", DENY_GET, 403, 200, ], - [ 79, "ip_only", "@action=set_deny @method=GET", "", DENY_GET_AND_POST, 403, 200, ], - [ 80, "ip_only", "@action=set_deny @method=GET", "@action=set_allow @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 81, "ip_only", "@action=set_deny @method=GET", "@action=set_allow @method=GET", ALLOW_GET, 403, 200, ], - [ 
82, "ip_only", "@action=set_deny @method=GET", "@action=set_allow @method=GET", DENY_GET, 403, 200, ], - [ 83, "ip_only", "@action=set_deny @method=GET", "@action=set_allow @method=GET", DENY_GET_AND_POST, 403, 200, ], - [ 84, "ip_only", "@action=set_deny @method=GET", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], - [ 85, "ip_only", "@action=set_deny @method=GET", "@action=set_deny @method=GET", ALLOW_GET, 403, 200, ], - [ 86, "ip_only", "@action=set_deny @method=GET", "@action=set_deny @method=GET", DENY_GET, 403, 200, ], - [ 87, "ip_only", "@action=set_deny @method=GET", "@action=set_deny @method=GET", DENY_GET_AND_POST, 403, 200, ], + [ 0, "legacy", "", "", ALLOW_GET_AND_POST, 200, 200, ], + [ 1, "legacy", "", "", ALLOW_GET, 200, 403, ], + [ 2, "legacy", "", "", DENY_GET, 403, 200, ], + [ 3, "legacy", "", "", DENY_GET_AND_POST, 403, 403, ], + [ 4, "legacy", "", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 200, ], + [ 5, "legacy", "", "@action=allow @method=GET", ALLOW_GET, 200, 403, ], + [ 6, "legacy", "", "@action=allow @method=GET", DENY_GET, 200, 200, ], + [ 7, "legacy", "", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 8, "legacy", "", "@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 9, "legacy", "", "@action=deny @method=GET", ALLOW_GET, 403, 403, ], + [ 10, "legacy", "", "@action=deny @method=GET", DENY_GET, 403, 200, ], + [ 11, "legacy", "", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 403, ], + [ 12, "legacy", "@action=allow @method=GET", "", ALLOW_GET_AND_POST, 200, 200, ], + [ 13, "legacy", "@action=allow @method=GET", "", ALLOW_GET, 200, 403, ], + [ 14, "legacy", "@action=allow @method=GET", "", DENY_GET, 200, 200, ], + [ 15, "legacy", "@action=allow @method=GET", "", DENY_GET_AND_POST, 200, 403, ], + [ 16, "legacy", "@action=allow @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 200, 200, ], + [ 17, "legacy", "@action=allow @method=GET", "@action=allow @method=GET", 
ALLOW_GET, 200, 403, ], + [ 18, "legacy", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET, 200, 200, ], + [ 19, "legacy", "@action=allow @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 20, "legacy", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 200, 200, ], + [ 21, "legacy", "@action=allow @method=GET", "@action=deny @method=GET", ALLOW_GET, 200, 403, ], + [ 22, "legacy", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET, 200, 200, ], + [ 23, "legacy", "@action=allow @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 24, "legacy", "@action=allow @method=GET", "@action=allow @method=POST", ALLOW_GET_AND_POST, 200, 200, ], + [ 25, "legacy", "@action=allow @method=GET", "@action=allow @method=POST", ALLOW_GET, 200, 200, ], + [ 26, "legacy", "@action=allow @method=GET", "@action=allow @method=POST", DENY_GET, 200, 200, ], + [ 27, "legacy", "@action=allow @method=GET", "@action=allow @method=POST", DENY_GET_AND_POST, 200, 200, ], + [ 28, "legacy", "@action=allow @method=GET", "@action=deny @method=POST", ALLOW_GET_AND_POST, 200, 403, ], + [ 29, "legacy", "@action=allow @method=GET", "@action=deny @method=POST", ALLOW_GET, 200, 403, ], + [ 30, "legacy", "@action=allow @method=GET", "@action=deny @method=POST", DENY_GET, 200, 403, ], + [ 31, "legacy", "@action=allow @method=GET", "@action=deny @method=POST", DENY_GET_AND_POST, 200, 403, ], + [ 32, "legacy", "@action=deny @method=GET", "", ALLOW_GET_AND_POST, 403, 200, ], + [ 33, "legacy", "@action=deny @method=GET", "", ALLOW_GET, 403, 403, ], + [ 34, "legacy", "@action=deny @method=GET", "", DENY_GET, 403, 200, ], + [ 35, "legacy", "@action=deny @method=GET", "", DENY_GET_AND_POST, 403, 403, ], + [ 36, "legacy", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 37, "legacy", "@action=deny @method=GET", "@action=allow @method=GET", ALLOW_GET, 403, 403, ], + 
[ 38, "legacy", "@action=deny @method=GET", "@action=allow @method=GET", DENY_GET, 403, 200, ], + [ 39, "legacy", "@action=deny @method=GET", "@action=allow @method=GET", DENY_GET_AND_POST, 403, 403, ], + [ 40, "legacy", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 41, "legacy", "@action=deny @method=GET", "@action=deny @method=GET", ALLOW_GET, 403, 403, ], + [ 42, "legacy", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET, 403, 200, ], + [ 43, "legacy", "@action=deny @method=GET", "@action=deny @method=GET", DENY_GET_AND_POST, 403, 403, ], + [ 44, "legacy", "@action=deny @method=GET", "@action=allow @method=POST", ALLOW_GET_AND_POST, 403, 200, ], + [ 45, "legacy", "@action=deny @method=GET", "@action=allow @method=POST", ALLOW_GET, 403, 200, ], + [ 46, "legacy", "@action=deny @method=GET", "@action=allow @method=POST", DENY_GET, 403, 200, ], + [ 47, "legacy", "@action=deny @method=GET", "@action=allow @method=POST", DENY_GET_AND_POST, 403, 200, ], + [ 48, "legacy", "@action=deny @method=GET", "@action=deny @method=POST", ALLOW_GET_AND_POST, 403, 403, ], + [ 49, "legacy", "@action=deny @method=GET", "@action=deny @method=POST", ALLOW_GET, 403, 403, ], + [ 50, "legacy", "@action=deny @method=GET", "@action=deny @method=POST", DENY_GET, 403, 403, ], + [ 51, "legacy", "@action=deny @method=GET", "@action=deny @method=POST", DENY_GET_AND_POST, 403, 403, ], + [ 52, "modern", "", "", ALLOW_GET_AND_POST, 200, 200, ], + [ 53, "modern", "", "", ALLOW_GET, 200, 403, ], + [ 54, "modern", "", "", DENY_GET, 403, 200, ], + [ 55, "modern", "", "", DENY_GET_AND_POST, 403, 403, ], + [ 56, "modern", "", "@action=set_allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ], + [ 57, "modern", "", "@action=set_allow @method=GET", ALLOW_GET, 200, 403, ], + [ 58, "modern", "", "@action=set_allow @method=GET", DENY_GET, 200, 403, ], + [ 59, "modern", "", "@action=set_allow @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 60, 
"modern", "", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 61, "modern", "", "@action=set_deny @method=GET", ALLOW_GET, 403, 200, ], + [ 62, "modern", "", "@action=set_deny @method=GET", DENY_GET, 403, 200, ], + [ 63, "modern", "", "@action=set_deny @method=GET", DENY_GET_AND_POST, 403, 200, ], + [ 64, "modern", "@action=set_allow @method=GET", "", ALLOW_GET_AND_POST, 200, 403, ], + [ 65, "modern", "@action=set_allow @method=GET", "", ALLOW_GET, 200, 403, ], + [ 66, "modern", "@action=set_allow @method=GET", "", DENY_GET, 200, 403, ], + [ 67, "modern", "@action=set_allow @method=GET", "", DENY_GET_AND_POST, 200, 403, ], + [ 68, "modern", "@action=set_allow @method=GET", "@action=set_allow @method=GET", ALLOW_GET_AND_POST, 200, 403, ], + [ 69, "modern", "@action=set_allow @method=GET", "@action=set_allow @method=GET", ALLOW_GET, 200, 403, ], + [ 70, "modern", "@action=set_allow @method=GET", "@action=set_allow @method=GET", DENY_GET, 200, 403, ], + [ 71, "modern", "@action=set_allow @method=GET", "@action=set_allow @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 72, "modern", "@action=set_allow @method=GET", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 200, 403, ], + [ 73, "modern", "@action=set_allow @method=GET", "@action=set_deny @method=GET", ALLOW_GET, 200, 403, ], + [ 74, "modern", "@action=set_allow @method=GET", "@action=set_deny @method=GET", DENY_GET, 200, 403, ], + [ 75, "modern", "@action=set_allow @method=GET", "@action=set_deny @method=GET", DENY_GET_AND_POST, 200, 403, ], + [ 76, "modern", "@action=set_deny @method=GET", "", ALLOW_GET_AND_POST, 403, 200, ], + [ 77, "modern", "@action=set_deny @method=GET", "", ALLOW_GET, 403, 200, ], + [ 78, "modern", "@action=set_deny @method=GET", "", DENY_GET, 403, 200, ], + [ 79, "modern", "@action=set_deny @method=GET", "", DENY_GET_AND_POST, 403, 200, ], + [ 80, "modern", "@action=set_deny @method=GET", "@action=set_allow @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 81, 
"modern", "@action=set_deny @method=GET", "@action=set_allow @method=GET", ALLOW_GET, 403, 200, ], + [ 82, "modern", "@action=set_deny @method=GET", "@action=set_allow @method=GET", DENY_GET, 403, 200, ], + [ 83, "modern", "@action=set_deny @method=GET", "@action=set_allow @method=GET", DENY_GET_AND_POST, 403, 200, ], + [ 84, "modern", "@action=set_deny @method=GET", "@action=set_deny @method=GET", ALLOW_GET_AND_POST, 403, 200, ], + [ 85, "modern", "@action=set_deny @method=GET", "@action=set_deny @method=GET", ALLOW_GET, 403, 200, ], + [ 86, "modern", "@action=set_deny @method=GET", "@action=set_deny @method=GET", DENY_GET, 403, 200, ], + [ 87, "modern", "@action=set_deny @method=GET", "@action=set_deny @method=GET", DENY_GET_AND_POST, 403, 200, ], ] # yapf: enable diff --git a/tests/gold_tests/remap/deactivate_ip_allow.py b/tests/gold_tests/remap/deactivate_ip_allow.py index 7cfabcbc42..12763bc1ed 100644 --- a/tests/gold_tests/remap/deactivate_ip_allow.py +++ b/tests/gold_tests/remap/deactivate_ip_allow.py 
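Review bot: The `policy` column now carries the strings "legacy"/"modern" while the server is configured through the integer record `proxy.config.url_remap.acl_behavior_policy` (0/1 per the RecordsConfig.cc hunk in this commit); the translation happens outside this hunk, so a reader of the table cannot tell which integer a row exercises. Suggest a comment beside `keys`: `# policy: "legacy" -> acl_behavior_policy=0 (allow/deny are additive), "modern" -> 1 (allow/deny rejected; use add_*/set_*)`. Rows 76–79 also merit a comment of their own, since they pin the modern-mode rule that `set_deny @method=GET` returns 200 for POST even when ip_allow.yaml is DENY_GET_AND_POST, which is the single most surprising line in the table for an operator.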
@@ -61,58 +61,58 @@ ip_allow: # yapf: disable keys = ["index", "policy", "inline", "named_acl", "deactivate_ip_allow", "ip_allow", "GET response", "POST response"] deactivate_ip_allow_combinations = [ - [ 0, "ip_and_method", "", "", False, ALLOW_GET_AND_POST, 200, 200, ], - [ 1, "ip_and_method", "", "", False, ALLOW_GET, 200, 403, ], - [ 2, "ip_and_method", "", "", False, DENY_GET, 403, 200, ], - [ 3, "ip_and_method", "", "", False, DENY_GET_AND_POST, 403, 403, ], - [ 4, "ip_and_method", "", "", False, DENY_ALL, None, None, ], - [ 5, "ip_and_method", "", "", True, ALLOW_GET_AND_POST, 200, 200, ], - [ 6, "ip_and_method", "", "", True, ALLOW_GET, 200, 200, ], - [ 7, "ip_and_method", "", "", True, DENY_GET, 200, 200, ], - [ 8, "ip_and_method", "", "", True, DENY_GET_AND_POST, 200, 200, ], - [ 9, "ip_and_method", "", "", True, DENY_ALL, 200, 200, ], - [ 10, "ip_and_method", "@action=allow @method=GET", "", False, ALLOW_GET_AND_POST, 200, 200, ], - [ 11, "ip_and_method", "@action=allow @method=GET", "", False, ALLOW_GET, 200, 403, ], - [ 12, "ip_and_method", "@action=allow @method=GET", "", False, DENY_GET, 200, 200, ], - [ 13, "ip_and_method", "@action=allow @method=GET", "", False, DENY_GET_AND_POST, 200, 403, ], - [ 14, "ip_and_method", "@action=allow @method=GET", "", False, DENY_ALL, None, None, ], - [ 15, "ip_and_method", "@action=allow @method=GET", "", True, ALLOW_GET_AND_POST, 200, 200, ], - [ 16, "ip_and_method", "@action=allow @method=GET", "", True, ALLOW_GET, 200, 200, ], - [ 17, "ip_and_method", "@action=allow @method=GET", "", True, DENY_GET, 200, 200, ], - [ 18, "ip_and_method", "@action=allow @method=GET", "", True, DENY_GET_AND_POST, 200, 200, ], - [ 19, "ip_and_method", "@action=allow @method=GET", "", True, DENY_ALL, 200, 200, ], - [ 20, "ip_and_method", "@action=deny @method=GET", "", False, ALLOW_GET_AND_POST, 403, 200, ], - [ 21, "ip_and_method", "@action=deny @method=GET", "", False, ALLOW_GET, 403, 403, ], - [ 22, "ip_and_method", "@action=deny 
@method=GET", "", False, DENY_GET, 403, 200, ], - [ 23, "ip_and_method", "@action=deny @method=GET", "", False, DENY_GET_AND_POST, 403, 403, ], - [ 24, "ip_and_method", "@action=deny @method=GET", "", False, DENY_ALL, None, None, ], - [ 25, "ip_and_method", "@action=deny @method=GET", "", True, ALLOW_GET_AND_POST, 403, 200, ], - [ 26, "ip_and_method", "@action=deny @method=GET", "", True, ALLOW_GET, 403, 200, ], - [ 27, "ip_and_method", "@action=deny @method=GET", "", True, DENY_GET, 403, 200, ], - [ 28, "ip_and_method", "@action=deny @method=GET", "", True, DENY_GET_AND_POST, 403, 200, ], - [ 29, "ip_and_method", "@action=deny @method=GET", "", True, DENY_ALL, 403, 200, ], + [ 0, "legacy", "", "", False, ALLOW_GET_AND_POST, 200, 200, ], + [ 1, "legacy", "", "", False, ALLOW_GET, 200, 403, ], + [ 2, "legacy", "", "", False, DENY_GET, 403, 200, ], + [ 3, "legacy", "", "", False, DENY_GET_AND_POST, 403, 403, ], + [ 4, "legacy", "", "", False, DENY_ALL, None, None, ], + [ 5, "legacy", "", "", True, ALLOW_GET_AND_POST, 200, 200, ], + [ 6, "legacy", "", "", True, ALLOW_GET, 200, 200, ], + [ 7, "legacy", "", "", True, DENY_GET, 200, 200, ], + [ 8, "legacy", "", "", True, DENY_GET_AND_POST, 200, 200, ], + [ 9, "legacy", "", "", True, DENY_ALL, 200, 200, ], + [ 10, "legacy", "@action=allow @method=GET", "", False, ALLOW_GET_AND_POST, 200, 200, ], + [ 11, "legacy", "@action=allow @method=GET", "", False, ALLOW_GET, 200, 403, ], + [ 12, "legacy", "@action=allow @method=GET", "", False, DENY_GET, 200, 200, ], + [ 13, "legacy", "@action=allow @method=GET", "", False, DENY_GET_AND_POST, 200, 403, ], + [ 14, "legacy", "@action=allow @method=GET", "", False, DENY_ALL, None, None, ], + [ 15, "legacy", "@action=allow @method=GET", "", True, ALLOW_GET_AND_POST, 200, 200, ], + [ 16, "legacy", "@action=allow @method=GET", "", True, ALLOW_GET, 200, 200, ], + [ 17, "legacy", "@action=allow @method=GET", "", True, DENY_GET, 200, 200, ], + [ 18, "legacy", "@action=allow @method=GET", "", 
True, DENY_GET_AND_POST, 200, 200, ], + [ 19, "legacy", "@action=allow @method=GET", "", True, DENY_ALL, 200, 200, ], + [ 20, "legacy", "@action=deny @method=GET", "", False, ALLOW_GET_AND_POST, 403, 200, ], + [ 21, "legacy", "@action=deny @method=GET", "", False, ALLOW_GET, 403, 403, ], + [ 22, "legacy", "@action=deny @method=GET", "", False, DENY_GET, 403, 200, ], + [ 23, "legacy", "@action=deny @method=GET", "", False, DENY_GET_AND_POST, 403, 403, ], + [ 24, "legacy", "@action=deny @method=GET", "", False, DENY_ALL, None, None, ], + [ 25, "legacy", "@action=deny @method=GET", "", True, ALLOW_GET_AND_POST, 403, 200, ], + [ 26, "legacy", "@action=deny @method=GET", "", True, ALLOW_GET, 403, 200, ], + [ 27, "legacy", "@action=deny @method=GET", "", True, DENY_GET, 403, 200, ], + [ 28, "legacy", "@action=deny @method=GET", "", True, DENY_GET_AND_POST, 403, 200, ], + [ 29, "legacy", "@action=deny @method=GET", "", True, DENY_ALL, 403, 200, ], - # Verify in ip_and_method mode that add_allow acts just like allow, and add_deny acts just like deny. 
- [ 30, "ip_and_method", "@action=add_allow @method=GET", "", False, ALLOW_GET_AND_POST, 200, 200, ], - [ 31, "ip_and_method", "@action=add_allow @method=GET", "", False, ALLOW_GET, 200, 403, ], - [ 32, "ip_and_method", "@action=add_allow @method=GET", "", False, DENY_GET, 200, 200, ], - [ 33, "ip_and_method", "@action=add_allow @method=GET", "", False, DENY_GET_AND_POST, 200, 403, ], - [ 34, "ip_and_method", "@action=add_allow @method=GET", "", False, DENY_ALL, None, None, ], - [ 35, "ip_and_method", "@action=add_allow @method=GET", "", True, ALLOW_GET_AND_POST, 200, 200, ], - [ 36, "ip_and_method", "@action=add_allow @method=GET", "", True, ALLOW_GET, 200, 200, ], - [ 37, "ip_and_method", "@action=add_allow @method=GET", "", True, DENY_GET, 200, 200, ], - [ 38, "ip_and_method", "@action=add_allow @method=GET", "", True, DENY_GET_AND_POST, 200, 200, ], - [ 39, "ip_and_method", "@action=add_allow @method=GET", "", True, DENY_ALL, 200, 200, ], - [ 40, "ip_and_method", "@action=add_deny @method=GET", "", False, ALLOW_GET_AND_POST, 403, 200, ], - [ 41, "ip_and_method", "@action=add_deny @method=GET", "", False, ALLOW_GET, 403, 403, ], - [ 42, "ip_and_method", "@action=add_deny @method=GET", "", False, DENY_GET, 403, 200, ], - [ 43, "ip_and_method", "@action=add_deny @method=GET", "", False, DENY_GET_AND_POST, 403, 403, ], - [ 44, "ip_and_method", "@action=add_deny @method=GET", "", False, DENY_ALL, None, None, ], - [ 45, "ip_and_method", "@action=add_deny @method=GET", "", True, ALLOW_GET_AND_POST, 403, 200, ], - [ 46, "ip_and_method", "@action=add_deny @method=GET", "", True, ALLOW_GET, 403, 200, ], - [ 47, "ip_and_method", "@action=add_deny @method=GET", "", True, DENY_GET, 403, 200, ], - [ 48, "ip_and_method", "@action=add_deny @method=GET", "", True, DENY_GET_AND_POST, 403, 200, ], - [ 49, "ip_and_method", "@action=add_deny @method=GET", "", True, DENY_ALL, 403, 200, ], + # Verify in legacy mode that add_allow acts just like allow, and add_deny acts just like 
deny. + [ 30, "legacy", "@action=add_allow @method=GET", "", False, ALLOW_GET_AND_POST, 200, 200, ], + [ 31, "legacy", "@action=add_allow @method=GET", "", False, ALLOW_GET, 200, 403, ], + [ 32, "legacy", "@action=add_allow @method=GET", "", False, DENY_GET, 200, 200, ], + [ 33, "legacy", "@action=add_allow @method=GET", "", False, DENY_GET_AND_POST, 200, 403, ], + [ 34, "legacy", "@action=add_allow @method=GET", "", False, DENY_ALL, None, None, ], + [ 35, "legacy", "@action=add_allow @method=GET", "", True, ALLOW_GET_AND_POST, 200, 200, ], + [ 36, "legacy", "@action=add_allow @method=GET", "", True, ALLOW_GET, 200, 200, ], + [ 37, "legacy", "@action=add_allow @method=GET", "", True, DENY_GET, 200, 200, ], + [ 38, "legacy", "@action=add_allow @method=GET", "", True, DENY_GET_AND_POST, 200, 200, ], + [ 39, "legacy", "@action=add_allow @method=GET", "", True, DENY_ALL, 200, 200, ], + [ 40, "legacy", "@action=add_deny @method=GET", "", False, ALLOW_GET_AND_POST, 403, 200, ], + [ 41, "legacy", "@action=add_deny @method=GET", "", False, ALLOW_GET, 403, 403, ], + [ 42, "legacy", "@action=add_deny @method=GET", "", False, DENY_GET, 403, 200, ], + [ 43, "legacy", "@action=add_deny @method=GET", "", False, DENY_GET_AND_POST, 403, 403, ], + [ 44, "legacy", "@action=add_deny @method=GET", "", False, DENY_ALL, None, None, ], + [ 45, "legacy", "@action=add_deny @method=GET", "", True, ALLOW_GET_AND_POST, 403, 200, ], + [ 46, "legacy", "@action=add_deny @method=GET", "", True, ALLOW_GET, 403, 200, ], + [ 47, "legacy", "@action=add_deny @method=GET", "", True, DENY_GET, 403, 200, ], + [ 48, "legacy", "@action=add_deny @method=GET", "", True, DENY_GET_AND_POST, 403, 200, ], + [ 49, "legacy", "@action=add_deny @method=GET", "", True, DENY_ALL, 403, 200, ], ] all_deactivate_ip_allow_tests = [dict(zip(keys, test)) for test in deactivate_ip_allow_combinations] # yapf: enable 
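Review bot: Every row of the renamed deactivate_ip_allow table runs in legacy mode; there is no `"modern"` row, so the interaction of `deactivate_ip_allow=True` with `set_allow`/`set_deny` — the actions this commit's documentation steers users toward — is not pinned here (it may be covered elsewhere, not visible in this diff). Suggest adding a modern block mirroring rows 0–9 with `@action=set_allow @method=GET` and `@action=set_deny @method=GET`. Rows 5–9 also deserve an inline comment such as `# deactivate_ip_allow=True bypasses ip_allow.yaml entirely: DENY_ALL still yields 200/200`, since that is the consequence an operator most needs to see. The enclosing file continues outside the hunk.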
diff --git a/tests/gold_tests/remap/remap_acl.test.py b/tests/gold_tests/remap/remap_acl.test.py index 9115723ee5..d70f6655e9 100644 --- a/tests/gold_tests/remap/remap_acl.test.py +++ b/tests/gold_tests/remap/remap_acl.test.py @@ -37,7 +37,7 @@ class Test_remap_acl: _client_counter: int = 0 def __init__( - self, name: str, replay_file: str, ip_allow_content: str, deactivate_ip_allow: bool, acl_matching_policy: int, + self, name: str, replay_file: str, ip_allow_content: str, deactivate_ip_allow: bool, acl_behavior_policy: int, acl_configuration: str, named_acls: List[Tuple[str, str]], expected_responses: List[int]): """Initialize the test. @@ -52,7 +52,7 @@ class Test_remap_acl: self._replay_file = replay_file self._ip_allow_content = ip_allow_content self._deactivate_ip_allow = deactivate_ip_allow - self._acl_matching_policy = acl_matching_policy + self._acl_behavior_policy = acl_behavior_policy self._acl_configuration = acl_configuration self._named_acls = named_acls self._expected_responses = expected_responses @@ -89,7 +89,7 @@ class Test_remap_acl: 'proxy.config.diags.debug.tags': 'http|url|remap|ip_allow', 'proxy.config.http.push_method_enabled': 1, 'proxy.config.http.connect_ports': self._server.Variables.http_port, - 'proxy.config.url_remap.acl_matching_policy': self._acl_matching_policy, + 'proxy.config.url_remap.acl_behavior_policy': self._acl_behavior_policy, }) remap_config_lines = [] @@ -164,7 +164,7 @@ class Test_old_action: { 'proxy.config.diags.debug.enabled': 1, 'proxy.config.diags.debug.tags': 'http|url|remap|ip_allow', - 'proxy.config.url_remap.acl_matching_policy': 1, + 'proxy.config.url_remap.acl_behavior_policy': 1, }) ts.Disk.remap_config.AddLine(f'map / http://127.0.0.1:8080 {acl_filter}') 
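Review bot: The `"""Initialize the test.` docstring that closes the -37 hunk continues outside it; if it documents the parameters, its entry for `acl_matching_policy` needs the same rename to `acl_behavior_policy`, otherwise the docstring describes a parameter that no longer exists. The renamed parameter is still a bare `int`, so a line such as `:param acl_behavior_policy: 0 for legacy, 1 for modern (proxy.config.url_remap.acl_behavior_policy)` would make the many `acl_behavior_policy=1` call sites in the following hunks self-explanatory.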
@@ -236,7 +236,7 @@ test_ip_allow_optional_methods = Test_remap_acl( replay_file='remap_acl_get_post_allowed.replay.yaml', ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, - acl_matching_policy=1, + acl_behavior_policy=1, acl_configuration='@action=set_allow @src_ip=127.0.0.1 @method=GET @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) @@ -246,7 +246,7 @@ test_ip_allow_optional_methods = Test_remap_acl( replay_file='remap_acl_get_post_allowed.replay.yaml', ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, - acl_matching_policy=1, + acl_behavior_policy=1, acl_configuration='@action=add_allow @src_ip=127.0.0.1 @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) @@ -256,7 +256,7 @@ test_ip_allow_optional_methods = Test_remap_acl( replay_file='remap_acl_get_post_allowed.replay.yaml', ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, - acl_matching_policy=1, + acl_behavior_policy=1, acl_configuration='@action=add_allow @src_ip=127.0.0.1 @method=GET @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) @@ -266,7 +266,7 @@ test_ip_allow_optional_methods = Test_remap_acl( replay_file='remap_acl_get_allowed.replay.yaml', ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, - acl_matching_policy=1, + acl_behavior_policy=1, acl_configuration='@action=set_allow @src_ip=1.2.3.4 @method=GET @method=POST', named_acls=[], expected_responses=[200, 403, 403, 403, 403]) @@ -276,7 +276,7 @@ test_ip_allow_optional_methods = Test_remap_acl( replay_file='remap_acl_get_post_allowed.replay.yaml', ip_allow_content=IP_ALLOW_CONTENT, deactivate_ip_allow=False, - acl_matching_policy=1, + acl_behavior_policy=1, acl_configuration='@action=set_allow @src_ip=all @method=GET @method=POST', named_acls=[], expected_responses=[200, 200, 403, 403, 403]) 
@@ -286,7 +286,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_get_post_allowed.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @src_ip_category=ACME_LOCAL @method=GET @method=POST',
 named_acls=[],
 expected_responses=[200, 200, 403, 403, 403])
@@ -296,7 +296,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_get_post_allowed.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @method=GET @method=POST',
 named_acls=[],
 expected_responses=[200, 200, 403, 403, 403])
@@ -306,7 +306,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_get_post_denied.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_deny @src_ip=127.0.0.1 @method=GET @method=POST',
 named_acls=[],
 expected_responses=[403, 403, 200, 200, 400])
@@ -316,7 +316,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_all_denied.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=add_deny @src_ip=127.0.0.1 @method=GET',
 named_acls=[],
 expected_responses=[403, 403, 403, 403, 403])
@@ -326,7 +326,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_all_denied.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @src_ip=1.2.3.4 @method=GET @method=POST',
 named_acls=[('deny', '@action=set_deny')],
 expected_responses=[403, 403, 403, 403, 403])
@@ -336,7 +336,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_all_denied.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @src_ip=~127.0.0.1 @method=GET @method=POST',
 named_acls=[('deny', '@action=set_deny')],
 expected_responses=[403, 403, 403, 403, 403])
@@ -346,7 +346,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_get_post_allowed.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @src_ip=~3.4.5.6 @method=GET @method=POST',
 named_acls=[('deny', '@action=set_deny')],
 expected_responses=[200, 200, 403, 403, 403])
@@ -356,7 +356,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_all_denied.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @src_ip_category=~ACME_LOCAL @method=GET @method=POST',
 named_acls=[('deny', '@action=set_deny')],
 expected_responses=[403, 403, 403, 403, 403])
@@ -366,7 +366,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_get_post_allowed.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @src_ip_category=~ACME_EXTERNAL @method=GET @method=POST',
 named_acls=[('deny', '@action=set_deny')],
 expected_responses=[200, 200, 403, 403, 403])
@@ -376,7 +376,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_all_denied.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 # The rule will not match because, while @src_ip matches, @src_ip_category does not.
 acl_configuration='@action=set_allow @src_ip=127.0.0.1 @src_ip_category=ACME_EXTERNAL @method=GET @method=POST',
 # Therefore, this named deny filter will block.
@@ -388,7 +388,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_get_post_allowed.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @src_ip=127.0.0.1 @method=GET @method=POST',
 named_acls=[('deny', '@action=set_deny')],
 expected_responses=[200, 200, 403, 403, 403])
@@ -398,7 +398,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_get_post_allowed.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @src_ip=127.0.0.1 @method=GET @method=POST',
 named_acls=[],
 expected_responses=[200, 200, 403, 403, 403])
@@ -408,7 +408,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_all_allowed.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=True,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 # This won't match, so nothing will match since ip_allow.yaml is off.
 acl_configuration='@action=set_allow @src_ip=1.2.3.4 @method=GET @method=POST',
 named_acls=[],
@@ -420,7 +420,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_get_post_allowed.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @in_ip=127.0.0.1 @method=GET @method=POST',
 named_acls=[],
 expected_responses=[200, 200, 403, 403, 403])
@@ -430,7 +430,7 @@ test_ip_allow_optional_methods = Test_remap_acl(
 replay_file='remap_acl_get_allowed.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='@action=set_allow @in_ip=3.4.5.6 @method=GET @method=POST',
 named_acls=[],
 expected_responses=[200, 403, 403, 403, 403])
@@ -440,7 +440,7 @@ test_named_acl_deny = Test_remap_acl(
 replay_file='deny_head_post.replay.yaml',
 ip_allow_content=IP_ALLOW_CONTENT,
 deactivate_ip_allow=False,
- acl_matching_policy=1,
+ acl_behavior_policy=1,
 acl_configuration='',
 named_acls=[('deny', '@action=set_deny @method=HEAD @method=POST')],
 expected_responses=[200, 403, 403, 403])
@@ -488,7 +488,7 @@ for idx, test in enumerate(all_acl_combination_tests):
 replay_file=replay_file_name,
 ip_allow_content=test["ip_allow"],
 deactivate_ip_allow=False,
- acl_matching_policy=0 if test["policy"] == "ip_and_method" else 1,
+ acl_behavior_policy=0 if test["policy"] == "legacy" else 1,
 acl_configuration=test["inline"],
 named_acls=[("acl", test["named_acl"])] if test["named_acl"] != "" else [],
 expected_responses=[test["GET response"], test["POST response"]],
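Review bot: The new lookup `acl_behavior_policy=0 if test["policy"] == "legacy" else 1` in the `@@ -488` hunk maps any unrecognized policy string, including a table entry still carrying the old `ip_and_method` name, silently onto 1, so such a row would be exercised under the non-legacy behavior and its ACL expectations checked against the wrong policy without the test noticing. A lookup that fails loudly is safer here: a module-level table such as `_POLICY_VALUES = {"legacy": 0, "<other-policy-name>": 1}` (with the second key being whatever name the test tables actually use) and `acl_behavior_policy=_POLICY_VALUES[test["policy"]],`, so a stale or misspelled entry raises KeyError while the tests are collected. The identical expression in the `@@ -513` hunk should be changed the same way. The enclosing `for` loop starts before this hunk.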
@@ -513,7 +513,7 @@ for idx, test in enumerate(all_deactivate_ip_allow_tests):
 replay_file=replay_file_name,
 ip_allow_content=test["ip_allow"],
 deactivate_ip_allow=test["deactivate_ip_allow"],
- acl_matching_policy=0 if test["policy"] == "ip_and_method" else 1,
+ acl_behavior_policy=0 if test["policy"] == "legacy" else 1,
 acl_configuration=test["inline"],
 named_acls=[("acl", test["named_acl"])] if test["named_acl"] != "" else [],
 expected_responses=[test["GET response"], test["POST response"]])
