Merge lp:~wgrant/charms/precise/squid-forwardproxy/auth_list-deny into lp:~canonical-launchpad-branches/charms/precise/squid-forwardproxy/trunk

Proposed by William Grant on 2015-08-11
Status: Merged
Merged at revision: 28
Proposed branch: lp:~wgrant/charms/precise/squid-forwardproxy/auth_list-deny
Merge into: lp:~canonical-launchpad-branches/charms/precise/squid-forwardproxy/trunk
Diff against target: 103 lines (+54/-10)
3 files modified
config.yaml (+1/-1)
hooks/hooks.py (+46/-2)
templates/main_config.template (+7/-7)
To merge this branch: bzr merge lp:~wgrant/charms/precise/squid-forwardproxy/auth_list-deny
Reviewer Review Type Date Requested Status
Kit Randel 2015-08-11 Approve on 2015-08-12
Review via email: mp+267626@code.launchpad.net

Commit Message

Allow auth_list to specify inverted matches and deny entries.

Description of the Change

Allow auth_list to specify inverted matches and deny entries.

The syntax is slightly awkward in order to maintain backward compatibility, but it's not too bad. A key in an auth dict can be prefixed with "!" to invert the http_access match, and a special "http_access" key can be used to emit an "http_access deny" rather than the previously hardcoded "http_access allow". "http_access" still defaults to "allow" if it is omitted.

Kit Randel (blr) wrote:

One trivial thing, otherwise looks fine.

review: Approve
31. By William Grant on 2015-08-12

Spacing.

Preview Diff

1=== modified file 'config.yaml'
2--- config.yaml 2013-01-22 12:45:52 +0000
3+++ config.yaml 2015-08-12 06:04:10 +0000
4@@ -75,6 +75,6 @@
5 default: ''
6 description: >
7 YAML-formatted list of squid auth dictionaries. For example:
8- '[{dstdomain: [www.ubuntu.com], src: [1.2.3.4, 5.6.7.0/24]}, {url_regex: ["https?://[^/]+[.]internal(/.*)?"], src: [192.168.0.0/16]}]'
9+ '[{dstdomain: [www.ubuntu.com], src: [1.2.3.4, 5.6.7.0/24]}, {"!port": [80], http_access: deny}, {url_regex: ["https?://[^/]+[.]internal(/.*)?"], src: [192.168.0.0/16]}]'
10 NOTE: you can use the following oneliner to verify your YAML string:
11 python -c 'import yaml;import sys;print yaml.dump(yaml.load(sys.argv[1]))' '<string>'
12
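Review bot: the new example on the `+` line introduces the "!" key prefix and the `http_access` key without explaining them; the description text above it should state that a key may be prefixed with "!" to invert that ACL's match, that an optional `http_access: deny` entry emits a deny rule (allow when the key is omitted), and that entries are rendered in list order, which matters because squid applies `http_access` rules first-match, so where a deny entry sits relative to the allow entries decides the result. The example itself is fine as a demonstration, but a reader cannot infer those rules from it alone.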
13=== modified file 'hooks/hooks.py'
14--- hooks/hooks.py 2015-07-30 06:40:10 +0000
15+++ hooks/hooks.py 2015-08-12 06:04:10 +0000
16@@ -229,7 +229,51 @@
17 if config_data['auth_list']:
18 auth_list = yaml.load(config_data['auth_list'])
19 else:
20- auth_list = {}
21+ auth_list = []
22+
23+ # Process auth_list into acl and http_access directives.
24+ #
25+ # Each dict in auth_list specifies a set of acl directives and an
26+ # http_access directive that refers to them. The dict maps acl types
27+ # to multiple values. A type may be prefixed with ! to invert the
28+ # match. The special "http_access" key decides whether to allow or
29+ # deny, defaulting to "allow".
30+ #
31+ # This:
32+ # [{"src": ["10.0.0.0/8"], "!dst": ["192.168.0.0/24"],
33+ # "http_access": "deny"},
34+ # {"src": ["10.0.0.0/8"], "dstdomain": ["example.com", "a.example.com"]}
35+ # ]
36+ #
37+ # Turns into this:
38+ # acl l1_src src 10.0.0.0/8
39+ # acl l1n_dst dst 192.168.0.0/24
40+ # http_access deny l1_src !l1n_dst
41+ # acl l2_src src 10.0.0.0/8
42+ # acl l2_dstdomain example.com
43+ # acl l2_dstdomain a.example.com
44+ # http_access allow l2_src l2_dstdomain
45+ acls_and_access = []
46+ for idx, combined in enumerate(auth_list):
47+ acls = {}
48+ aclspecs = []
49+ for type, vals in combined.items():
50+ if type == 'http_access':
51+ continue
52+ if type.startswith('!'):
53+ inverted = True
54+ type = type[1:]
55+ else:
56+ inverted = False
57+ name = 'l%d%s_%s' % (idx + 1, 'n' if inverted else '', type)
58+ acls[name] = (type, vals)
59+ aclspecs.append('%s%s' % ('!' if inverted else '', name))
60+ # http_access defaults to allow if it's not specified.
61+ access = {
62+ 'http_access': combined.get('http_access', 'allow'),
63+ 'acls': aclspecs,
64+ }
65+ acls_and_access.append((acls, access))
66
67 config_data['cache_l1'] = int(math.ceil(math.sqrt(
68 int(config_data['cache_size_mb']) * 1024 / (16 *
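Review bot: the value read by `combined.get('http_access', 'allow')` is rendered into the squid config unvalidated, and squid accepts only `allow` or `deny` in that position; check it in the loop, e.g. `access_type = combined.get('http_access', 'allow')` followed by `if access_type not in ('allow', 'deny'): raise ValueError(...)`, so a misspelt value fails in the hook with a clear message instead of leaving squid unable to load its configuration. Two smaller points: the worked example in the comment omits the ACL type for the dstdomain lines (the template renders `acl l2_dstdomain dstdomain example.com`), and `type` as the loop variable shadows the builtin, so `acl_type` would read better. Since `auth_list` is a plain list of dicts from charm config, the existing `yaml.load(config_data['auth_list'])` on the context line could also become `yaml.safe_load`, which is sufficient for this data and avoids constructing arbitrary Python objects from a config string.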
69@@ -241,7 +285,7 @@
70 'config': config_data,
71 'relations': relations,
72 'refresh_patterns': refresh_patterns,
73- 'auth_list': auth_list,
74+ 'acls_and_access': acls_and_access,
75 }
76 squid3_config.write(utils.render_template('main_config.template',
77 templ_vars))
78
79=== modified file 'templates/main_config.template'
80--- templates/main_config.template 2013-01-22 12:45:52 +0000
81+++ templates/main_config.template 2015-08-12 06:04:10 +0000
82@@ -37,14 +37,14 @@
83 {% endfor -%}
84 refresh_pattern . 30 20% 4320
85
86-{% for auth in auth_list -%}
87+{% for acls, access in acls_and_access -%}
88 {% set idx = loop.index -%}
89-{% for auth_name in auth.keys() -%}
90-{% for auth_val in auth[auth_name] -%}
91-acl l{{idx}}_{{ auth_name }} {{auth_name}} {{ auth_val }}
92-{% endfor -%}
93-{% endfor -%}
94-http_access allow {% for auth_name in auth.keys() -%} l{{idx}}_{{auth_name}} {% endfor %}
95+{% for acl_name, (acl_type, acl_vals) in acls.items() -%}
96+{% for acl_val in acl_vals -%}
97+acl {{ acl_name }} {{ acl_type }} {{ acl_val }}
98+{% endfor -%}
99+{% endfor -%}
100+http_access {{ access['http_access'] }} {% for acl_spec in access['acls'] -%} {{ acl_spec }} {% endfor %}
101 {% endfor %}
102
103 {% for relid in relations.keys() -%}
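Review bot: the rendered `http_access` line emits a space before every ACL spec and a trailing space after the last one, and an entry whose only key is `http_access` would render `http_access deny ` with no ACL names at all; `http_access {{ access['http_access'] }} {{ access['acls']|join(' ') }}` produces the same directive without the inner loop or the stray whitespace, and the hook should reject an entry with an empty ACL list rather than emitting that line. The multi-value case is fine as written: repeated `acl` lines with the same name and type are merged by squid, so `example.com` and `a.example.com` end up in one `l2_dstdomain` ACL.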
