Module access - parse access.conf files

[Contents] [Prev] [Next]
Table of Contents

Overview

The access module implements an structure suitable for parsing NCSA httpd style access configuration files. In addition, access supports additional Limit Group Tags rather than the fixed set supported by the NCSA httpd server.

A high-level overview of access and how to set up configuration files is included as part of the document A Simple Access Control Mechanism.

Classes

BaseConfParser
Abstract superclass that is the base class for parsing all groups . This class is never instantiated.

BaseKey
Abstract superclass that is the base class for all container objects. This class is never instantiated.

Limit
Container class for all the Limit groups.

LimitParser
Parser class for all the Limit groups.

Examples

Here is an example that could be used in the implementation of the KOS.Receiver: 

try:
    p = access.LimitParser()
except OpenError:
    raise MyIOException
except ParseError:
    raise MyBadFileException 
if p.is_allowed_from('submit', 'somehost.somedomain.com'):
    print 'OK'
else:
    print 'Access Denied'

Here is an example that could be used in the HTTP plugin (which specifies an alternate access.conf file): 

p = access.LimitParser(filename='plugins/http/access.conf')
if p.is_allowed_to('get', 'myhost.mydomain.org'):
    print 'OK'
else:
    print 'Access Denied'

Exceptions

ParseError
Raised when the LimitParser encounters syntax errors. If the strong_types argument to LimitParser is set, it is also raised for unknown groups or group tags.

OpenError
Raised upon encountering an IOError opening the configuration file.

ResourceError
The default exception raised upon encountering an errors when determining access. (The exception used for this condition can be overridden as an argument to function ilu_allow_access() below.)

Functions

get_fqdn (addr[, rx]) -> string
Return a fully qualified domain name (FQDN) corresponding with addr.

Parameters:
addr
string object as a valid IP address (four dot-separated-octets).
rx
Compiled regular expression object returned from regex.compile().

ilu_callers_fqdn() -> string
Get and verify (to some degree) an ILU caller's fully qualified domain name (FQDN).

This is meant to be used from an ILU true server and relies on the validity of the information returned by ilu.CallerIdentity() and get_fqdn().

ilu_allow_access (tag[, exception[, where[, fqdn]]]) -> boolean
Examine the access file and the credentials of the ILU caller to insure that we wish to allow a connection of this type.

This function is designed to be called from an ILU true server that wishes to identify the caller and determine if access is granted.

This function will raise ResourceError upon encountering an error (other than denied access) if exception is not specified.

Parameters:
tag
String object representing a valid limit group tag.
exception
An object that can be raised as an exception (e.g. a string object). Default is ResourceError.
where
String object specifying the way limiting is to be checked. 'to' a host, or 'from' a host. The default value is 'from'.
fqdn
String object representing a FQDN. Default value is None (which forces the use of ilu_callers_fqdn()).

BaseConfParser Objects

Not all methods are documented.

__init__ (filename, parse_method, container_class[, strong_types[, debug]])
Basic framework for parsing access.conf files.

This class should be derived from and never instantiated. We expect a container_class to be instansiatable. It will hold all the group information found. For example, 

<Limit GET>
...
</Limit>
has a name of 'limit' and a tag of 'get'. (Limit could also have a tag of post, submit, etc)

Non zero strong_types will force the precompilation and strong type checking of tags from the global VALIDTYPES data. Otherwise, all tags are parsed and saved.

If strong_types is non zero, all supported group name/tag-port combinations must be appear in the VALIDTYPES global or parsing errors will most likely occur.

This method raises OpenError upon encountering an IOError opening the configuration file. It calls readfile() which may raise ParseError upon encountering syntax errors.

Parameters:
filename
Pathname of a configuration file.
parse_method
A callable object that parses a line config file line.
container_class
A class object whose instances are intended to be used for group/tag state containers.
strong_types
Boolean which indicates weither the parser should raise ParseError upon encountering groups or tags not in VALIDTYPES.
debug
Boolean indicating wheither debugging statements should be printed.

Exceptions:
OpenError
Raised if there is an error opening the configuration file.
ParseError
Raised if there are any syntax errors or, if strong_types is set, if there are unknown group or tag names in the configuration file.

LimitParser Objects

LimitParser inherits from BaseConfParser.

Not all methods are documented.

__init__ ([filename[, strong_types[, debug]]])
Provide the implementation to fill a Limit object.

All keywords supported in this class fall inside a <Limit something> block and are case insensitve. The following exemplifies limit group directives that are currently implemented: 

order deny,allow
order allow, deny
deny from	all
deny from .cnri.reston.va.us, all
allow from host.mumble.edu
allow to host.mumble.edu
allow to	host.mumble.edu, 8001
allow to all
deny to badhost.evil.empire.com
deny to aaa
deny to badhost.evil.empire.com,81

Security Note: Currently all 'allow from' and 'deny from' directives are parsed and saved. However, in the case of KPs, since they can do their own 'source routing' using migration, and the only semi-trustworthy origin information for a connecting host is via "ILU caller Identity" for the host that is currently connecting to us. Since there is no guarentee that that host didn't allow a random connection, in order to more safely use the 'from' clauses, KPs will have to provide some form of authentication or origin which is not yet implemented. For the moment, the alternative is to insure that every KOS in your Intranet KOE enforces the same set of 'allow from' and 'deny from' rules so that weak hosts cannot be used as a springboard.

The 'deny to' and 'allow to' directives restrict or allow specific requests to those sites to be processed (in the case of the http plugin), as apposed to from hosts that are connecting to us (in the case of using these classes to validate KP submission).

Parameters:
filename
string object containing the pathname of a configuration file. Default is None, which assumes config/access.conf.
strong_types
Boolean. Indicates whether the parser should raise ParseError upon encountering groups or tags not in VALIDTYPES. Default is 0.
debug
Boolean. Indicates wheither debugging statements should be printed. Default is 0.

group_line (line, container)
Handle a line of input for the limit group.

Developer Note: This method is only interesting if you are developing a sister class to LimitParser. The method group_line is the callable object passed as the parse_method parameter in the call to init the parent class (BaseConfParser).

Parameters:
line
string object containing a read line of a configuration file.
container
A container class instance

The exception ParseError is raised whenever syntax errors are encountered.

is_allowed (tag, where, host[, port]) -> boolean
Determine if host/port combination is allowed where ('to' or 'from') in Limit group tag.

Parameters:
tag
string object containing a valid limit group tag.
where
string object; must be either 'to' or 'from'
host
string object containing a host name
port
string object containing a port number

is_allowed_to (tag, host[, port]) -> boolean
Determine if the caller is allowed to connect to host/port combination in Limit group tag.

Parameters:
tag
string object containing a valid limit group tag.
host
string object containing a host name
port
string object containing a port number

is_allowed_from (tag, host[, port]) -> boolean
Determine if the caller is allowed to connect from host in Limit group tag. port is ignored in this case.

Parameters:
tag
string object containing a valid limit group tag.
host
string object containing a host name
port
string object containing a port number

BaseKey Objects

__init__ (name, tag)
Base class of all containers.

Parameters:
name
string object containing a group name.
tag
string object containing a limit group tag name

Limit Objects

Limit inherits from BaseKey.

__init__ (name, tag)
Container class for all the <Limit> groups.

Parameters:
name
string object containing a group name.
tag
string object containing a limit group tag name
Table of Contents
[Contents] [Prev] [Next]
Copyright © 1998 by the Corporation for National Research Initiatives.