Opened 9 years ago

Closed 8 years ago

Last modified 8 years ago

#769 closed task (complete)

ACLS: C++ access library

Reported by: stephen
Owned by: vorner
Priority: medium
Milestone: Sprint-20110628
Component: Unclassified
Version:
Keywords:
Cc:
CVSS Scoring:
Parent Tickets:
Sensitive: no
Defect Severity: N/A
Sub-Project: DNS
Feature Depending on Ticket: ACL
Estimated Difficulty: 3.0
Add Hours to Ticket: 0
Total Hours: 0
Internal?: no

Description

Production of a library such that C++ code, given an accessor and a resource, is able to determine whether or not to allow access.

Change History (12)

comment:1 Changed 9 years ago by vorner

  • Defect Severity set to N/A
  • Feature Depending on Ticket set to ACL
  • Milestone changed from Year 3 Task Backlog to Next-Sprint-Proposed
  • Sub-Project set to DNS

I created some smaller items; this will be implemented by a full loader (#978, #980, #982) and a set of ACL checking classes:

  • Logic AND and OR (#979)
  • Logic NOT (#981)
  • IP check
  • TSIG check
  • FIRST-MATCH (see AclSyntax)
  • Anything else we come up with in #766.

Everything except the logic operators and FIRST-MATCH depends only on #977.

While I expect these will be split off from this ticket eventually (so the work done here would be 0), I'm keeping this ticket open as a place to track them for now, until #766 is finished and tickets for all of them are created.

comment:2 Changed 9 years ago by stephen

  • Milestone changed from Next-Sprint-Proposed to Sprint-20110614

comment:3 Changed 8 years ago by vorner

  • Owner set to vorner
  • Status changed from new to accepted

I'm taking this task and will do a wrapper and initialization of current templates for DNS.

comment:4 Changed 8 years ago by vorner

  • Owner changed from vorner to UnAssigned
  • Status changed from accepted to assigned

I've created a libdnsacl library, with a function returning a ready-to-use ACL loader. It also contains the Context (Packet) struct, but if it turns out it needs more information, we can extend it.

There's a place where the default checks should be registered into it, but as we don't yet have the checks, it's left with a TODO only.

comment:5 Changed 8 years ago by vorner

I forgot to mention, this is based on the #978 branch. The first commit on this branch is 06c9c2a763326d4b30ff9448f726928538fba94c; it should be possible to show the whole diff with the git diff origin/trac978... command.

comment:6 Changed 8 years ago by vorner

  • Status changed from assigned to reviewing

comment:7 Changed 8 years ago by jelte

  • Owner changed from UnAssigned to jelte

comment:8 Changed 8 years ago by jelte

  • Owner changed from jelte to vorner

Looks good, just have a couple of naming nits:

  • tisg_key is misspelled, and perhaps would be better named tsig_key_name if it's only the name (I agree that we should only pass around the name)
  • I think the name Packet is both too general and too specific (heh); the DNS packet is only one of the elements, and I still suspect it's going to be one of the least important ones; I would prefer something like RequestContext or ACLContext (or maybe just Context, since we're in the acl namespace already)

And perhaps the dns.[cc|h] files should be dnsacl, to reflect the libname they'll end up in, but I can live with the current names, since we're already in the acl directory.

comment:9 Changed 8 years ago by vorner

  • Owner changed from vorner to jelte

Thanks for the review, I changed the names.

I'd like to keep the header name as it is, since this would look awkward to me (as the acl is twice there):

#include <acl/dnsacl.h>

comment:10 Changed 8 years ago by jelte

  • Owner changed from jelte to vorner

ok, no problem :)

All good, please merge

comment:11 Changed 8 years ago by vorner

  • Resolution set to complete
  • Status changed from reviewing to closed

OK, thanks, closing.

comment:12 Changed 8 years ago by stephen

  • Estimated Difficulty changed from 0.0 to 3