The access module implements a structure suitable for parsing NCSA httpd style access configuration files. In addition, access supports additional Limit group tags beyond the fixed set supported by the NCSA httpd server.
A high-level overview of access and how to set up configuration files is included as part of the document A Simple Access Control Mechanism.
Here is an example that could be used in the implementation of the KOS.Receiver:

    import access

    # MyIOException and MyBadFileException stand for the application's own exception classes.
    try:
        p = access.LimitParser()
    except access.OpenError:
        raise MyIOException
    except access.ParseError:
        raise MyBadFileException
    if p.is_allowed_from('submit', 'somehost.somedomain.com'):
        print('OK')
    else:
        print('Access Denied')
Here is an example that could be used in the HTTP plugin (which specifies an alternate access.conf file):

    import access

    p = access.LimitParser(filename='plugins/http/access.conf')
    if p.is_allowed_to('get', 'myhost.mydomain.org'):
        print('OK')
    else:
        print('Access Denied')
This is meant to be used from an ILU true server and relies on the validity of the information returned by ilu.CallerIdentity() and get_fqdn().
This function is designed to be called from an ILU true server that wishes to identify the caller and determine if access is granted.
This function will raise ResourceError upon encountering an error (other than denied access) if exception is not specified.
Parameters: 'to' a host, or 'from' a host. The default value is 'from'.
Not all methods are documented.
This class should be derived from and never instantiated. We expect a container_class to be instantiable. It will hold all the group information found. For example, <Limit GET> ... </Limit> has a name of 'limit' and a tag of 'get'. (Limit could also have a tag of post, submit, etc.)
A non-zero strong_types will force the precompilation and strong type checking of tags from the global VALIDTYPES data. Otherwise, all tags are parsed and saved.
If strong_types is non-zero, all supported group name/tag-port combinations must appear in the VALIDTYPES global or parsing errors will most likely occur.
This method raises OpenError upon encountering an IOError opening the configuration file. It calls readfile() which may raise ParseError upon encountering syntax errors.
Parameters:
LimitParser inherits from BaseConfParser.
Not all methods are documented.
All keywords supported in this class fall inside a <Limit something> block and are case insensitive. The following exemplifies limit group directives that are currently implemented:

    order deny,allow
    order allow, deny
    deny from all
    deny from .cnri.reston.va.us, all
    allow from host.mumble.edu
    allow to host.mumble.edu
    allow to host.mumble.edu, 8001
    allow to all
    deny to badhost.evil.empire.com
    deny to aaa
    deny to badhost.evil.empire.com,81
Security Note: Currently all 'allow from' and 'deny from' directives are parsed and saved. However, KPs can do their own 'source routing' using migration, and the only semi-trustworthy origin information for a connecting host is the "ILU caller identity" of the host that is currently connecting to us. Since there is no guarantee that that host didn't allow a random connection, the 'from' clauses can only be used more safely once KPs provide some form of authentication of origin, which is not yet implemented. For the moment, the alternative is to ensure that every KOS in your Intranet KOE enforces the same set of 'allow from' and 'deny from' rules so that weak hosts cannot be used as a springboard.

The 'deny to' and 'allow to' directives restrict or allow specific requests to those sites to be processed (in the case of the http plugin), as opposed to 'from' hosts that are connecting to us (in the case of using these classes to validate KP submission).
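As an added illustration (not the access module's own code), the following self-contained parser reads the Limit-block directives listed above and evaluates 'from' and 'to' checks against a constructed sample file. It assumes NCSA/Apache 'order' semantics (the later verb wins when both match and is the default), that a comma-separated second field is a port and appears only on 'to' directives, and that an unknown tag is denied.

```python
# Constructed sample in the <Limit> block format this page documents (not the module's own file).
SAMPLE_CONF = """<Limit SUBMIT>
order deny,allow
deny from all
allow from .cnri.reston.va.us
</Limit>
<Limit GET>
order allow,deny
allow to all
deny to badhost.evil.empire.com
deny to badhost.evil.empire.com,81
</Limit>
"""

def parse_limits(text):
    # Returns {tag: {'order': [first, last], 'rules': [(verb, direction, pattern, port)]}}, all lower-cased.
    groups, current = {}, None
    for line in text.splitlines():
        words = line.strip().lower().split()
        if not words:
            continue
        if words[0] == '<limit' and len(words) == 2 and words[1].endswith('>'):
            current = groups.setdefault(words[1][:-1], {'order': ['deny', 'allow'], 'rules': []})
        elif words[0] == '</limit>':
            current = None
        elif current is None:
            raise ValueError('directive outside a <Limit> block: %r' % line)
        elif words[0] == 'order':
            current['order'] = ''.join(words[1:]).split(',')  # "allow, deny" -> ['allow', 'deny']
        elif words[0] in ('allow', 'deny') and len(words) > 2 and words[1] in ('from', 'to'):
            target = ''.join(words[2:]).split(',')  # "host, 8001" -> [host, port]; port assumed for 'to' only
            current['rules'].append((words[0], words[1], target[0], int(target[1]) if len(target) > 1 else None))
        else:
            raise ValueError('unrecognised directive: %r' % line)
    return groups

def host_matches(pattern, host):
    # 'all' matches any host; a leading-dot pattern is a domain suffix matched only on a label boundary,
    # so '.cnri.reston.va.us' matches 'kos.cnri.reston.va.us' but not 'evilcnri.reston.va.us'.
    return pattern == 'all' or host == pattern or (pattern.startswith('.') and host.endswith(pattern))

def is_allowed(groups, tag, direction, host, port=None):
    # NCSA/Apache 'order' semantics are assumed: the later verb wins when both match and is the default.
    group = groups.get(tag.lower()) or {'order': ['allow', 'deny'], 'rules': []}  # unknown tag: deny
    hit = {'allow': False, 'deny': False}
    for verb, d, pattern, p in group['rules']:
        if d == direction and host_matches(pattern, host.lower()) and p in (None, port):
            hit[verb] = True
    first, last = group['order']
    return (last if hit[last] or not hit[first] else first) == 'allow'
```

A 'from' directive carrying a comma-separated host list, as in the page's `deny from .cnri.reston.va.us, all`, is outside what this example handles.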
Developer Note: This method is only interesting if you are developing a sister class to LimitParser. The method group_line is the callable object passed as the parse_method parameter in the call to init the parent class (BaseConfParser).
The exception ParseError is raised whenever syntax errors are encountered.
Parameters: ('to' or 'from') in Limit group tag.
Parameters: 'to' or 'from'
Limit inherits from BaseKey.
<Limit> groups.
Parameters: