Module: IPAccess::Patches::ACL

Included in:
Net::FTP, Net::HTTP, Net::IMAP, Net::POP3, Net::SMTP, Net::Telnet, SOCKSocket, Socket, TCPServer, TCPSocket, UDPSocket
Defined in:
lib/ipaccess/patches/generic.rb,
lib/ipaccess/patches/sockets.rb

Overview

Helper methods for easy checking and arming sockets.

Instance Attribute Details

#acl ⇒ Object Also known as: access

Returns the value of attribute acl.



# File 'lib/ipaccess/patches/generic.rb', line 350

def acl
  @acl
end

#opened_on_deny ⇒ Object

Setting it to false disables closing the connection when an access denied exception is raised.



# File 'lib/ipaccess/patches/generic.rb', line 751

def opened_on_deny
  @opened_on_deny
end

Instance Method Details

#__ipa_wrap_socket_call(*args, &block) ⇒ Object (protected)

This method is used to safely pass on any exception that may be raised and to fill its useables field with the current object.



# File 'lib/ipaccess/patches/generic.rb', line 263

def __ipa_wrap_socket_call(*args, &block)
  IPAccess.take_care(self, *args, &block)
end

#acl_recheck ⇒ Object

This method should be called each time the access set related to an object is changed and the remote peer needs to be validated again, since it might have been blacklisted.

Each class that patches Ruby’s network class should redefine this method and call it in a proper place (e.g. from a hook executed when singleton methods are added to a network object).



# File 'lib/ipaccess/patches/generic.rb', line 333

def acl_recheck
  ;
end

#blacklist(*addresses) ⇒ Object Also known as: add_black, deny, block

:call-seq:

blacklist(list, *addresses)
blacklist(*addresses)

This method blacklists IP address(es) in the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted, it operates on the default access list used by that kind of network object. The allowed address format is the same as for IPAccess.to_cidrs. This method will neither add nor remove any whitelisted item.

It will return the result of calling IPAccess::List#blacklist on the list.

This method won’t allow you to modify the list if the global access set is associated with an object. You may operate on IPAccess::Set.Global or use blacklist! instead.

Revalidation

After the access set is modified, the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.



# File 'lib/ipaccess/patches/generic.rb', line 587

def blacklist(*addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = @acl.send(aclist).blacklist(*addresses)
  self.acl_recheck
  return r
end
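
The revalidation step described above, as an added Ruby sketch that is not part of the ipaccess source: DemoList, DemoSet, DemoConn and RecheckedConn are hypothetical stand-ins built on the standard ipaddr library, and the recheck here simply closes the object. It shows that a class keeping the no-op acl_recheck leaves a connection to a newly blacklisted peer open, while a class that redefines it does not.

```ruby
require 'ipaddr'

# Hypothetical stand-in for an access list (not IPAccess::List).
class DemoList
  def initialize; @black = []; end
  def blacklist(*addrs)
    @black.concat(addrs.map { |a| IPAddr.new(a) })
    self
  end
  def denied?(ip); @black.any? { |net| net.include?(IPAddr.new(ip)) }; end
end

# Hypothetical stand-in for an access set holding :input and :output lists.
DemoSet = Struct.new(:input, :output)

# Same shape as the documented #blacklist: optional selector, update, recheck.
module DemoACL
  def default_list; :output; end
  def acl_recheck; end  # no-op default
  def blacklist(*addresses)
    aclist = [:input, :output].include?(addresses.first) ? addresses.shift : default_list
    r = @acl.send(aclist).blacklist(*addresses)
    acl_recheck
    r
  end
end

# Connected object that keeps the no-op acl_recheck.
class DemoConn
  include DemoACL
  attr_reader :peer
  def initialize(peer)
    @peer, @closed = peer, false
    @acl = DemoSet.new(DemoList.new, DemoList.new)
  end
  def closed?; @closed; end
  def terminate; @closed = true; end
end

# Redefines acl_recheck so the current peer is validated after every change.
class RecheckedConn < DemoConn
  def acl_recheck; terminate if @acl.output.denied?(peer); end
end

# Constructed scenario: connect to peer, add a rule, report whether closed.
def closed_after_blacklist(klass, peer, *rule)
  conn = klass.new(peer)
  conn.blacklist(*rule)
  conn.closed?
end
```

The peer addresses used with closed_after_blacklist are constructed values from the documentation ranges; a rule sent to :input leaves the object open here because this recheck only consults the :output list.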

#blacklist!(*addresses) ⇒ Object Also known as: add_black!, deny!, block!

:call-seq:

blacklist!(list, *addresses)
blacklist!(*addresses)

This method blacklists IP address(es) in the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted, it operates on the default access list used by that kind of network object. The allowed address format is the same as for IPAccess.to_cidrs. This method will neither add nor remove any whitelisted item.

It will return the result of calling IPAccess::List#blacklist on the list.

This method will allow you to modify the list even if the global access set is used by the object.

Revalidation

After the access set is modified, the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.



# File 'lib/ipaccess/patches/generic.rb', line 639

def blacklist!(*addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = real_acl.send(aclist).blacklist(*addresses)
  self.acl_recheck
  return r
end

#blacklist_reasonable(reason, *addresses) ⇒ Object

This method works like blacklist but also lets you set a reason.



# File 'lib/ipaccess/patches/generic.rb', line 601

def blacklist_reasonable(reason, *addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = @acl.send(aclist).blacklist_reasonable(reason, *addresses)
  self.acl_recheck
  return r
end

#blacklist_reasonable!(reason, *addresses) ⇒ Object

This method works like blacklist! but also lets you set a reason.



# File 'lib/ipaccess/patches/generic.rb', line 653

def blacklist_reasonable!(reason, *addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  # Pass the reason through to the list, as blacklist_reasonable does.
  r = real_acl.send(aclist).blacklist_reasonable(reason, *addresses)
  self.acl_recheck
  return r
end

#close_on_deny ⇒ Object



# File 'lib/ipaccess/patches/generic.rb', line 760

def close_on_deny
  not self.open_on_deny
end

#close_on_deny=(x) ⇒ Object

Setting it to true disables closing the connection when an access denied exception is raised.



# File 'lib/ipaccess/patches/generic.rb', line 756

def close_on_deny=(x)
  self.open_on_deny = !x
end

#default_list ⇒ Object

This method returns the default access list indicator used by the protected object; usually :input or :output.



# File 'lib/ipaccess/patches/generic.rb', line 358

def default_list; :output end

#terminate ⇒ Object

This method is a universal wrapper for closing the connection. Classes should override it.



# File 'lib/ipaccess/patches/generic.rb', line 768

def terminate
  self.close unless self.closed?
end

#unblacklist(*addresses) ⇒ Object Also known as: unblack, undeny, unblock, del_black

:call-seq:

unblacklist(list, *addresses)
unblacklist(*addresses)

This method removes blacklisted IP address(es) from the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted, it operates on the default access list used by that kind of network object. The allowed address format is the same as for IPAccess.to_cidrs. This method will neither add nor remove any whitelisted item.

It will return the result of calling IPAccess::List#unblacklist on the list.

This method won’t allow you to modify the list if the global access set is associated with an object. You may operate on IPAccess::Set.Global or use unwhitelist! instead.

Revalidation

After the access set is modified, the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.



# File 'lib/ipaccess/patches/generic.rb', line 693

def unblacklist(*addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = @acl.send(aclist).unblacklist(*addresses)
  self.acl_recheck
  return r
end

#unblacklist!(*addresses) ⇒ Object Also known as: unblack!, undeny!, unblock!, del_black!

:call-seq:

unblacklist!(list, *addresses)
unblacklist!(*addresses)

This method removes blacklisted IP address(es) from the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted, it operates on the default access list used by that kind of network object. The allowed address format is the same as for IPAccess.to_cidrs. This method will neither add nor remove any whitelisted item.

It will return the result of calling IPAccess::List#unblacklist on the list.

This method will allow you to modify the list even if the global access set is used by the object.

Revalidation

After the access set is modified, the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.



# File 'lib/ipaccess/patches/generic.rb', line 736

def unblacklist!(*addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = real_acl.send(aclist).unblacklist(*addresses)
  self.acl_recheck
  return r
end

#unwhitelist(*addresses) ⇒ Object Also known as: unwhite, del_white, unallow, unpermit

:call-seq:

unwhitelist(list, *addresses)
unwhitelist(*addresses)

This method removes whitelisted IP address(es) from the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted, it operates on the default access list used by that kind of network object. The allowed address format is the same as for IPAccess.to_cidrs. This method will neither add nor remove any blacklisted item.

It will return the result of calling IPAccess::List#unwhitelist on the list.

This method won’t allow you to modify the list if the global access set is associated with an object. You may operate on IPAccess::Set.Global or use unwhitelist! instead.

Revalidation

After the access set is modified, the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.



# File 'lib/ipaccess/patches/generic.rb', line 499

def unwhitelist(*addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = @acl.send(aclist).unwhitelist(*addresses)
  self.acl_recheck
  return r
end

#unwhitelist!(*addresses) ⇒ Object Also known as: unwhite!, del_white!, unallow!, unpermit!

:call-seq:

unwhitelist!(list, *addresses)
unwhitelist!(*addresses)

This method removes whitelisted IP address(es) from the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted, it operates on the default access list used by that kind of network object. The allowed address format is the same as for IPAccess.to_cidrs. This method will neither add nor remove any blacklisted item.

It will return the result of calling IPAccess::List#unwhitelist on the list.

This method will allow you to modify the list even if the global access set is used by the object.

Revalidation

After the access set is modified, the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.



# File 'lib/ipaccess/patches/generic.rb', line 542

def unwhitelist!(*addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = real_acl.send(aclist).unwhitelist(*addresses)
  self.acl_recheck
  return r
end

#valid_acl?(obj) ⇒ Boolean

This method returns true if the given object can be used to initialize ACL. Otherwise it returns false.

Returns:

  • (Boolean)


# File 'lib/ipaccess/patches/generic.rb', line 321

def valid_acl?(obj)
  IPAccess.valid_acl?(obj)
end

#whitelist(*addresses) ⇒ Object Also known as: add_white, allow, permit

:call-seq:

whitelist(list, *addresses)
whitelist(*addresses)

This method whitelists IP address(es) in the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted, it operates on the default access list used by that kind of network object. The allowed address format is the same as for IPAccess.to_cidrs. This method will neither add nor remove any blacklisted item.

It will return the result of calling IPAccess::List#whitelist on the list.

This method won’t allow you to modify the list if the global access set is associated with an object. You may operate on IPAccess::Set.Global or use whitelist! instead.

Revalidation

After the access set is modified, the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.



# File 'lib/ipaccess/patches/generic.rb', line 393

def whitelist(*addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = @acl.send(aclist).whitelist(*addresses)
  self.acl_recheck
  return r
end

#whitelist!(*addresses) ⇒ Object Also known as: add_white!, allow!, permit!

:call-seq:

whitelist!(list, *addresses)
whitelist!(*addresses)

This method whitelists IP address(es) in the input or output access list selected by the list argument (:input or :output). If the access list selector is omitted, it operates on the default access list used by that kind of network object. The allowed address format is the same as for IPAccess.to_cidrs. This method will neither add nor remove any blacklisted item.

It will return the result of calling IPAccess::List#whitelist on the list.

This method will allow you to modify the list even if the global access set is used by the object.

Revalidation

After the access set is modified, the current connection is validated again to avoid access leaks.

DNS Warning

You should avoid passing hostnames as arguments since DNS is not reliable and responses may change with time, which may cause security flaws.



# File 'lib/ipaccess/patches/generic.rb', line 445

def whitelist!(*addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = real_acl.send(aclist).whitelist(*addresses)
  self.acl_recheck
  return r
end

#whitelist_reasonable(reason, *addresses) ⇒ Object

This method works like whitelist but also lets you set a reason.



# File 'lib/ipaccess/patches/generic.rb', line 407

def whitelist_reasonable(reason, *addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = @acl.send(aclist).whitelist_reasonable(reason, *addresses)
  self.acl_recheck
  return r
end

#whitelist_reasonable!(reason, *addresses) ⇒ Object

This method works like whitelist! but also lets you set a reason.

# File 'lib/ipaccess/patches/generic.rb', line 459

# The reason is taken as the first argument, as in whitelist_reasonable.
def whitelist_reasonable!(reason, *addresses)
  aclist = ( addresses.first.is_a?(Symbol) && [:input,:output].include?(addresses.first) ) ? addresses.shift : self.default_list
  r = real_acl.send(aclist).whitelist_reasonable(reason, *addresses)
  self.acl_recheck
  return r
end