# frozen_string_literal: false

[0] Fix | Delete

# Copyright (c) 2000,2002,2003 Masatoshi SEKI

[1] Fix | Delete

#

[2] Fix | Delete

# acl.rb is copyrighted free software by Masatoshi SEKI.

[3] Fix | Delete

# You can redistribute it and/or modify it under the same terms as Ruby.

[4] Fix | Delete

[5] Fix | Delete

require 'ipaddr'

[6] Fix | Delete

[7] Fix | Delete

##

[8] Fix | Delete

# Simple Access Control Lists.

[9] Fix | Delete

#

[10] Fix | Delete

# Access control lists are composed of "allow" and "deny" halves to control

[11] Fix | Delete

# access. Use "all" or "*" to match any address. To match a specific address

[12] Fix | Delete

# use any address or address mask that IPAddr can understand.

[13] Fix | Delete

#

[14] Fix | Delete

# Example:

[15] Fix | Delete

#

[16] Fix | Delete

# list = %w[

[17] Fix | Delete

# deny all

[18] Fix | Delete

# allow 192.168.1.1

[19] Fix | Delete

# allow ::ffff:192.168.1.2

[20] Fix | Delete

# allow 192.168.1.3

[21] Fix | Delete

# ]

[22] Fix | Delete

#

[23] Fix | Delete

# # From Socket#peeraddr, see also ACL#allow_socket?

[24] Fix | Delete

# addr = ["AF_INET", 10, "lc630", "192.168.1.3"]

[25] Fix | Delete

#

[26] Fix | Delete

# acl = ACL.new

[27] Fix | Delete

# p acl.allow_addr?(addr) # => true

[28] Fix | Delete

#

[29] Fix | Delete

# acl = ACL.new(list, ACL::DENY_ALLOW)

[30] Fix | Delete

# p acl.allow_addr?(addr) # => true

[31] Fix | Delete

[32] Fix | Delete

class ACL

[33] Fix | Delete

[34] Fix | Delete

##

[35] Fix | Delete

# The current version of ACL

[36] Fix | Delete

[37] Fix | Delete

VERSION=["2.0.0"]

[38] Fix | Delete

[39] Fix | Delete

##

[40] Fix | Delete

# An entry in an ACL

[41] Fix | Delete

[42] Fix | Delete

class ACLEntry

[43] Fix | Delete

[44] Fix | Delete

##

[45] Fix | Delete

# Creates a new entry using +str+.

[46] Fix | Delete

#

[47] Fix | Delete

# +str+ may be "*" or "all" to match any address, an IP address string

[48] Fix | Delete

# to match a specific address, an IP address mask per IPAddr, or one

[49] Fix | Delete

# containing "*" to match part of an IPv4 address.

[50] Fix | Delete

#

[51] Fix | Delete

# IPAddr::InvalidPrefixError may be raised when an IP network

[52] Fix | Delete

# address with an invalid netmask/prefix is given.

[53] Fix | Delete

[54] Fix | Delete

def initialize(str)

[55] Fix | Delete

if str == '*' or str == 'all'

[56] Fix | Delete

@pat = [:all]

[57] Fix | Delete

elsif str.include?('*')

[58] Fix | Delete

@pat = [:name, dot_pat(str)]

[59] Fix | Delete

else

[60] Fix | Delete

begin

[61] Fix | Delete

@pat = [:ip, IPAddr.new(str)]

[62] Fix | Delete

rescue IPAddr::InvalidPrefixError

[63] Fix | Delete

# In this case, `str` shouldn't be a host name pattern

[64] Fix | Delete

# because it contains a slash.

[65] Fix | Delete

raise

[66] Fix | Delete

rescue ArgumentError

[67] Fix | Delete

@pat = [:name, dot_pat(str)]

[68] Fix | Delete

end

[69] Fix | Delete

end

[70] Fix | Delete

end

[71] Fix | Delete

[72] Fix | Delete

private

[73] Fix | Delete

[74] Fix | Delete

##

[75] Fix | Delete

# Creates a regular expression to match IPv4 addresses

[76] Fix | Delete

[77] Fix | Delete

def dot_pat_str(str)

[78] Fix | Delete

list = str.split('.').collect { |s|

[79] Fix | Delete

(s == '*') ? '.+' : s

[80] Fix | Delete

}

[81] Fix | Delete

list.join("\\.")

[82] Fix | Delete

end

[83] Fix | Delete

[84] Fix | Delete

private

[85] Fix | Delete

[86] Fix | Delete

##

[87] Fix | Delete

# Creates a Regexp to match an address.

[88] Fix | Delete

[89] Fix | Delete

def dot_pat(str)

[90] Fix | Delete

/\A#{dot_pat_str(str)}\z/

[91] Fix | Delete

end

[92] Fix | Delete

[93] Fix | Delete

public

[94] Fix | Delete

[95] Fix | Delete

##

[96] Fix | Delete

# Matches +addr+ against this entry.

[97] Fix | Delete

[98] Fix | Delete

def match(addr)

[99] Fix | Delete

case @pat[0]

[100] Fix | Delete

when :all

[101] Fix | Delete

true

[102] Fix | Delete

when :ip

[103] Fix | Delete

begin

[104] Fix | Delete

ipaddr = IPAddr.new(addr[3])

[105] Fix | Delete

ipaddr = ipaddr.ipv4_mapped if @pat[1].ipv6? && ipaddr.ipv4?

[106] Fix | Delete

rescue ArgumentError

[107] Fix | Delete

return false

[108] Fix | Delete

end

[109] Fix | Delete

(@pat[1].include?(ipaddr)) ? true : false

[110] Fix | Delete

when :name

[111] Fix | Delete

(@pat[1] =~ addr[2]) ? true : false

[112] Fix | Delete

else

[113] Fix | Delete

false

[114] Fix | Delete

end

[115] Fix | Delete

end

[116] Fix | Delete

end

[117] Fix | Delete

[118] Fix | Delete

##

[119] Fix | Delete

# A list of ACLEntry objects. Used to implement the allow and deny halves

[120] Fix | Delete

# of an ACL

[121] Fix | Delete

[122] Fix | Delete

class ACLList

[123] Fix | Delete

[124] Fix | Delete

##

[125] Fix | Delete

# Creates an empty ACLList

[126] Fix | Delete

[127] Fix | Delete

def initialize

[128] Fix | Delete

@list = []

[129] Fix | Delete

end

[130] Fix | Delete

[131] Fix | Delete

public

[132] Fix | Delete

[133] Fix | Delete

##

[134] Fix | Delete

# Matches +addr+ against each ACLEntry in this list.

[135] Fix | Delete

[136] Fix | Delete

def match(addr)

[137] Fix | Delete

@list.each do |e|

[138] Fix | Delete

return true if e.match(addr)

[139] Fix | Delete

end

[140] Fix | Delete

false

[141] Fix | Delete

end

[142] Fix | Delete

[143] Fix | Delete

public

[144] Fix | Delete

[145] Fix | Delete

##

[146] Fix | Delete

# Adds +str+ as an ACLEntry in this list

[147] Fix | Delete

[148] Fix | Delete

def add(str)

[149] Fix | Delete

@list.push(ACLEntry.new(str))

[150] Fix | Delete

end

[151] Fix | Delete

[152] Fix | Delete

end

[153] Fix | Delete

[154] Fix | Delete

##

[155] Fix | Delete

# Default to deny

[156] Fix | Delete

[157] Fix | Delete

DENY_ALLOW = 0

[158] Fix | Delete

[159] Fix | Delete

##

[160] Fix | Delete

# Default to allow

[161] Fix | Delete

[162] Fix | Delete

ALLOW_DENY = 1

[163] Fix | Delete

[164] Fix | Delete

##

[165] Fix | Delete

# Creates a new ACL from +list+ with an evaluation +order+ of DENY_ALLOW or

[166] Fix | Delete

# ALLOW_DENY.

[167] Fix | Delete

#

[168] Fix | Delete

# An ACL +list+ is an Array of "allow" or "deny" and an address or address

[169] Fix | Delete

# mask or "all" or "*" to match any address:

[170] Fix | Delete

#

[171] Fix | Delete

# %w[

[172] Fix | Delete

# deny all

[173] Fix | Delete

# allow 192.0.2.2

[174] Fix | Delete

# allow 192.0.2.128/26

[175] Fix | Delete

# ]

[176] Fix | Delete

[177] Fix | Delete

def initialize(list=nil, order = DENY_ALLOW)

[178] Fix | Delete

@order = order

[179] Fix | Delete

@deny = ACLList.new

[180] Fix | Delete

@allow = ACLList.new

[181] Fix | Delete

install_list(list) if list

[182] Fix | Delete

end

[183] Fix | Delete

[184] Fix | Delete

public

[185] Fix | Delete

[186] Fix | Delete

##

[187] Fix | Delete

# Allow connections from Socket +soc+?

[188] Fix | Delete

[189] Fix | Delete

def allow_socket?(soc)

[190] Fix | Delete

allow_addr?(soc.peeraddr)

[191] Fix | Delete

end

[192] Fix | Delete

[193] Fix | Delete

public

[194] Fix | Delete

[195] Fix | Delete

##

[196] Fix | Delete

# Allow connections from addrinfo +addr+? It must be formatted like

[197] Fix | Delete

# Socket#peeraddr:

[198] Fix | Delete

#

[199] Fix | Delete

# ["AF_INET", 10, "lc630", "192.0.2.1"]

[200] Fix | Delete

[201] Fix | Delete

def allow_addr?(addr)

[202] Fix | Delete

case @order

[203] Fix | Delete

when DENY_ALLOW

[204] Fix | Delete

return true if @allow.match(addr)

[205] Fix | Delete

return false if @deny.match(addr)

[206] Fix | Delete

return true

[207] Fix | Delete

when ALLOW_DENY

[208] Fix | Delete

return false if @deny.match(addr)

[209] Fix | Delete

return true if @allow.match(addr)

[210] Fix | Delete

return false

[211] Fix | Delete

else

[212] Fix | Delete

false

[213] Fix | Delete

end

[214] Fix | Delete

end

[215] Fix | Delete

[216] Fix | Delete

public

[217] Fix | Delete

[218] Fix | Delete

##

[219] Fix | Delete

# Adds +list+ of ACL entries to this ACL.

[220] Fix | Delete

[221] Fix | Delete

def install_list(list)

[222] Fix | Delete

i = 0

[223] Fix | Delete

while i < list.size

[224] Fix | Delete

permission, domain = list.slice(i,2)

[225] Fix | Delete

case permission.downcase

[226] Fix | Delete

when 'allow'

[227] Fix | Delete

@allow.add(domain)

[228] Fix | Delete

when 'deny'

[229] Fix | Delete

@deny.add(domain)

[230] Fix | Delete

else

[231] Fix | Delete

raise "Invalid ACL entry #{list}"

[232] Fix | Delete

end

[233] Fix | Delete

i += 2

[234] Fix | Delete

end

[235] Fix | Delete

end

[236] Fix | Delete

[237] Fix | Delete

end

[238] Fix | Delete

[239] Fix | Delete