add acl feature #1016
add acl feature #1016
Conversation
| end | ||
|
|
||
| def satisfy?(env) | ||
| return @cond.nil? || MatchingBlock.new(env).instance_eval(&@cond) |
There was a problem hiding this comment.
Is my understanding that satisfy? is called for every request? If so, please move the call to instance_eval to somewhere during the initialization phase.
To generalize, I think we should refrain from calling slow functions (e.g. instance_eval) while processing each request.
There was a problem hiding this comment.
As we discussed, we have to call satisfy? method for every requests because whether the request match conditions or not cannot be decided without each request information.
I guess that not so many acl conditions will appear, so it won't be performance issue.
|
Thank you for the PR. I like it very much, since the DSL looks very attractive (and easy to use). Please take a look at my in-line comments. |
| fprintf(stderr, "%s: no memory\n", H2O_MRUBY_MODULE_NAME); | ||
| abort(); | ||
| } | ||
| int ok = !mrb_nil_p(h2o_mruby_compile_code(mrb, config, errbuf)); |
|
@kazuho all issues are fixed. |
.gitmodules
Outdated
| url = https://github.com/h2o/cache-digest.js.git | ||
| [submodule "misc/mruby-mtest"] | ||
| path = misc/mruby-mtest | ||
| url = https://github.com/iij/mruby-mtest.git |
There was a problem hiding this comment.
Please use misc/dump-github-repository.pl to dump mruby-mtest into misc/mruby-mtest. Run the perl script without arguments to find out how to use the program.
The reason we should do so is because tarballs created by GitHub will not include submodules; files required for building and testing H2O should never be a git-submodule.
|
Thank you for the updates. I've left two comments in-line, PTAL. |
…b8b3bb0dcf2a0966 () at misc/mruby-mtest
|
@kazuho fixed the points you said.
Before this fix, acl {
deny { path.match/../ }
allow { addr.start_with?("192.") }
proc {|env| [200, {}, []] } # this proc will be called when other directives don't match their conditions
}The covering test cases were: 3346d3c#diff-1f0e213b76131d8d4093df0099c9d190R95 But as you said, it is a bit unclear behavior for the users and makes impl complicated, so I removed this behavior. I think this is more intuitive. |
lib/handler/mruby.c
Outdated
| /* require and include built-in libraries */ | ||
| h2o_mruby_eval_expr(mrb, "require \"h2o.rb\"\n" | ||
| "require \"acl.rb\"\n" | ||
| "include H2O::ACL\n"); |
There was a problem hiding this comment.
Just one more thing...
How about doing all of the following?
- renaming h2o.rb to bootstrap.rb
- require and include the acl code from bootstrap.rb
|
Maybe merge the contents of h2o.rb to bootstrap.rb? |
|
@kazuho I created new |
lib/handler/mruby.c
Outdated
|
|
||
| /* require core modules and include built-in libraries */ | ||
| h2o_mruby_eval_expr(mrb, "require \"preloads.rb\""); | ||
| h2o_mruby_assert(mrb); |
There was a problem hiding this comment.
Can we expect adequate information emitted to the log in case either requiring preloads.rb or doing the requires in preloads.rb fails?
If the answer is yes, I think we can merge this PR right away.
|
LGTM. Thank you for all your efforts. Will merge once you finish applying clang-format. |
|
@kazuho Thank YOU for all your kind comments. |
This adds a feature which makes it easy to write access control handler, as below
H2O::ACLmodule will be automatically included, which has only one methodacl.make mruby-testand executet/00unit.mruby.tWhen you use
aclin a handler code,aclmust be called only once, and the return value of the code is exactlyacl's return value (i.e. you must wrap whole handler's code byaclblock)See the following example:
This setting is danger because
aclsetting is absolutely ignored (so check it and abort if so)You can correct it as the below.
or separate it into multple handlers.