Branch data Line data Source code
1 : : // Copyright (C) 2011 Internet Systems Consortium, Inc. ("ISC")
2 : : //
3 : : // Permission to use, copy, modify, and/or distribute this software for any
4 : : // purpose with or without fee is hereby granted, provided that the above
5 : : // copyright notice and this permission notice appear in all copies.
6 : : //
7 : : // THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8 : : // REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
9 : : // AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
10 : : // INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
11 : : // LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
12 : : // OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
13 : : // PERFORMANCE OF THIS SOFTWARE.
14 : :
15 : : #ifndef ACL_DNS_H
16 : : #define ACL_DNS_H 1
17 : :
18 : : #include <string>
19 : : #include <vector>
20 : :
21 : : #include <boost/shared_ptr.hpp>
22 : :
23 : : #include <cc/data.h>
24 : :
25 : : #include <acl/ip_check.h>
26 : : #include <acl/dnsname_check.h>
27 : : #include <acl/loader.h>
28 : :
29 : : namespace isc {
30 : : namespace dns {
31 : : class TSIGRecord;
32 : : }
33 : : namespace acl {
34 : : namespace dns {
35 : :
36 : : /**
37 : : * \brief DNS request to be checked.
38 : : *
39 : : * This plays the role of Context of the generic template ACLs (in namespace
40 : : * isc::acl).
41 : : *
42 : : * It is a simple structure holding just the bunch of information. Therefore
43 : : * the names don't end up with an underscore; there are no methods so they
44 : : * can't be confused with local variables.
45 : : *
46 : : * This structure is generally expected to be ephemeral and read-only: It
47 : : * would be constructed immediately before a particular ACL is checked
48 : : * and used only for the ACL match purposes. Due to this nature, and since
49 : : * ACL processing is often performance sensitive (typically it's performed
50 : : * against all incoming packets), the construction is designed to be
51 : : * lightweight: it tries to avoid expensive data copies or dynamic memory
52 : : * allocation as much as possible. Specifically, the constructor can
53 : : * take a pointer or reference to an object and keeps it as a reference
54 : : * (not making a local copy). This also means the caller is responsible for
55 : : * keeping the passed parameters valid while this structure is used.
56 : : * This should generally be reasonable as this structure is expected to be
57 : : * used only for a very short period as stated above.
58 : : *
59 : : * Based on the minimalist philosophy, the initial implementation only
60 : : * maintains the remote (source) IP address of the request and (optionally)
61 : : * the TSIG record included in the request. We may add more parameters of
62 : : * the request as we see the need for them. Possible additional parameters
63 : : * are the local (destination) IP address, the remote and local port numbers,
64 : : * various fields of the DNS request (e.g. a particular header flag value).
65 : : */
66 : : struct RequestContext {
67 : : /// The constructor
68 : : ///
69 : : /// This is a trivial constructor that perform straightforward
70 : : /// initialization of the member variables from the given parameters.
71 : : ///
72 : : /// \exception None
73 : : ///
74 : : /// \param remote_address_param The remote IP address
75 : : /// \param tsig_param A valid pointer to the TSIG record included in
76 : : /// the request or NULL if the request doesn't contain a TSIG.
77 : : RequestContext(const IPAddress& remote_address_param,
78 : : const isc::dns::TSIGRecord* tsig_param) :
79 : : remote_address(remote_address_param),
80 : 109 : tsig(tsig_param)
81 : : {}
82 : :
83 : : ///
84 : : /// \name Parameter variables
85 : : ///
86 : : /// These member variables must be immutable so that the integrity of
87 : : /// the structure is kept throughout its lifetime. The easiest way is
88 : : /// to declare the variable as const. If it's not possible for a
89 : : /// particular variable, it must be defined as private and accessible
90 : : /// only via an accessor method.
91 : : //@{
92 : : /// \brief The remote IP address (eg. the client's IP address).
93 : : const IPAddress& remote_address;
94 : :
95 : : /// \brief The TSIG record included in the request message, if any.
96 : : ///
97 : : /// If the request doesn't include a TSIG, this member will be NULL.
98 : : const isc::dns::TSIGRecord* const tsig;
99 : : //@}
100 : : };
101 : :
102 : : /// \brief DNS based check.
103 : : typedef acl::Check<RequestContext> RequestCheck;
104 : : /// \brief DNS based compound check.
105 : : typedef acl::CompoundCheck<RequestContext> CompoundCheck;
106 : : /// \brief DNS based ACL.
107 : : typedef acl::ACL<RequestContext> RequestACL;
108 : : /// \brief DNS based ACL loader.
109 : : typedef acl::Loader<RequestContext> RequestLoader;
110 : :
111 : : /**
112 : : * \brief Loader singleton access function.
113 : : *
114 : : * This function returns a loader of ACLs. It is expected applications
115 : : * will use this function instead of creating their own loaders, because
116 : : * one is enough, this one will have registered default checks and it
117 : : * is known one, so any plugins can registrer additional checks as well.
118 : : */
119 : : RequestLoader& getRequestLoader();
120 : :
121 : : // The following is essentially private to the implementation and could
122 : : // be hidden in the implementation file. But it's visible via this header
123 : : // file for testing purposes. They are not supposed to be used by normal
124 : : // applications directly, and to signal the intent, they are given inside
125 : : // a separate namespace.
126 : : namespace internal {
127 : :
128 : : // Shortcut typedef
129 : : typedef isc::acl::IPCheck<RequestContext> RequestIPCheck;
130 : : typedef isc::acl::dns::NameCheck<RequestContext> RequestKeyCheck;
131 : :
132 : 0 : class RequestCheckCreator : public acl::Loader<RequestContext>::CheckCreator {
133 : : public:
134 : : virtual std::vector<std::string> names() const;
135 : :
136 : : virtual boost::shared_ptr<RequestCheck>
137 : : create(const std::string& name, isc::data::ConstElementPtr definition,
138 : : const acl::Loader<RequestContext>& loader);
139 : :
140 : : /// Until we are sure how the various rules work for this case, we won't
141 : : /// allow unexpected special interpretation for list definitions.
142 : 132 : virtual bool allowListAbbreviation() const { return (false); }
143 : : };
144 : : } // end of namespace "internal"
145 : :
146 : : } // end of namespace "dns"
147 : : } // end of namespace "acl"
148 : : } // end of namespace "isc"
149 : :
150 : : #endif
151 : :
152 : : // Local Variables:
153 : : // mode: c++
154 : : // End:
|
