tor-commits July 2012

tor-commits@lists.torproject.org

14 participants
949 discussions

[stem/master] Removing ExitPolicyLine and ExitPolicyError
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit 77c3a5ffa871accde7cb62fb3f9c40b30051c9c2 Author: Damian Johnson <atagar(a)torproject.org> Date: Sun Jul 15 14:06:16 2012 -0700 Removing ExitPolicyLine and ExitPolicyError The ExitPolicyRule is a drop-in replacement for ExitPolicyLine, and there's little reason to introduce a custom ExitPolicyError exception when a ValueError effectively describes its use cases. --- stem/exit_policy.py | 151 +++++---------------------------------- test/unit/exit_policy/policy.py | 61 ++++++++-------- 2 files changed, 47 insertions(+), 165 deletions(-) diff --git a/stem/exit_policy.py b/stem/exit_policy.py index 7040563..312ba65 100644 --- a/stem/exit_policy.py +++ b/stem/exit_policy.py @@ -31,10 +31,6 @@ exiting to a destination is permissable or not. For instance... |- is_match - checks if we match a given destination +- __str__ - string representation for this rule - ExitPolicyLine - Single rule from the exit policy - |- __str__ - string representation - +- check - check if exiting to this ip is allowed - ExitPolicy - List of ExitPolicyLine objects |- __str__ - string representation |- __iter__ - ExitPolicyLine entries for the exit policy @@ -258,12 +254,18 @@ class ExitPolicyRule: address = address.lstrip("[").rstrip("]") else: - raise ValueError("'%s' isn't a valid ipv4 or ipv6 address" % address) + raise ValueError("'%s' isn't a valid IPv4 or IPv6 address" % address) if port != None and not stem.util.connection.is_valid_port(port): raise ValueError("'%s' isn't a valid port" % port) if address is None: + # Note that this isn't the exact same as is_address_wildcard(). We only + # accept a None address if we got an '*' for our address. Not an IPv4 or + # IPv6 address that accepts everything (ex '0.0.0.0/0'). This is because + # those still only match against that type (ie, an IPv4 /0 won't match + # against IPv6 addresses). + if self.address_type != AddressType.WILDCARD: return False elif not self.is_address_wildcard(): @@ -326,125 +328,9 @@ class ExitPolicyRule: return self._str_representation -class ExitPolicyLine: - """ - Single rule from the user's exit policy. These are chained together to form - complete policies. - """ - - def __init__(self, rule_entry): - """ - Exit Policy line constructor. - """ - - # sanitize the input a bit, cleaning up tabs and stripping quotes - rule_entry = rule_entry.replace("\\t", " ").replace("\"", "") - - self.rule_entry = rule_entry - self.is_accept = rule_entry.startswith("accept") - - # strips off "accept " or "reject " and extra spaces - rule_entry = rule_entry[7:].replace(" ", "") - - # split ip address (with mask if provided) and port - if ":" in rule_entry: entry_ip, entry_port = rule_entry.split(":", 1) - else: entry_ip, entry_port = rule_entry, "*" - - # sets the ip address component - self.is_ip_wildcard = entry_ip == "*" or entry_ip.endswith("/0") - - # separate host and mask - if "/" in entry_ip: - ip_comp = entry_ip.split("/", 1) - self.ip_address = ip_comp[0] - self.ip_mask = int(ip_comp[1]) - else: - self.ip_address = entry_ip - self.ip_mask = 32 - - # constructs the binary address just in case of comparison with a mask - if self.ip_address != "*": - if not stem.util.connection.is_valid_ip_address(self.ip_address) and \ - not stem.util.connection.is_valid_ipv6_address(self.ip_address): - raise ExitPolicyError() - - self.ip_address_bin = "" - for octet in self.ip_address.split("."): - # Converts the int to a binary string, padded with zeros. Source: - # http://www.daniweb.com/code/snippet216539.html - self.ip_address_bin += "".join([str((int(octet) >> y) & 1) for y in range(7, -1, -1)]) - else: - self.ip_address_bin = "0" * 32 - - # sets the port component - self.min_port, self.max_port = 0, 0 - self.is_port_wildcard = entry_port == "*" - - if entry_port != "*": - if "-" in entry_port: - port_comp = entry_port.split("-", 1) - if not stem.util.connection.is_valid_port(port_comp): - raise ExitPolicyError - self.min_port = int(port_comp[0]) - self.max_port = int(port_comp[1]) - else: - if not stem.util.connection.is_valid_port(entry_port): - raise ExitPolicyError - self.min_port = int(entry_port) - self.max_port = int(entry_port) - - def __str__(self): - # This provides the actual policy rather than the entry used to construct - # it so the 'private' keyword is expanded. - - acceptance_label = "accept" if self.is_accept else "reject" - - if self.is_ip_wildcard: - ip_label = "*" - elif self.ip_mask != 32: - ip_label = "%s/%i" % (self.ip_address, self.ip_mask) - else: ip_label = self.ip_address - - if self.is_port_wildcard: - port_label = "*" - elif self.min_port != self.max_port: - port_label = "%i-%i" % (self.min_port, self.max_port) - else: port_label = str(self.min_port) - - my_policy = "%s %s:%s" % (acceptance_label, ip_label, port_label) - return my_policy - - def check(self, ip_address, port): - """ - Checks if the rule chain allows exiting to this address, returning true if - so and false otherwise. - """ - - port = int(port) - - # does the port check first since comparing ip masks is more work - is_port_match = self.is_port_wildcard or (port >= self.min_port and port <= self.max_port) - - if is_port_match: - is_ip_match = self.is_ip_wildcard or self.ip_address == ip_address - - # expands the check to include the mask if it has one - if not is_ip_match and self.ip_mask != 32: - input_address_bin = "" - for octet in ip_address.split("."): - input_address_bin += "".join([str((int(octet) >> y) & 1) for y in range(7, -1, -1)]) - - is_ip_match = self.ip_address_bin[:self.ip_mask] == input_address_bin[:self.ip_mask] - - if is_ip_match: return self.is_accept - - # fell off the chain without a conclusion (shouldn't happen...) - return False - - class ExitPolicy: """ - Provides a wrapper to ExitPolicyLine. This is iterable and can be stringified for + Provides a wrapper to ExitPolicyRule. This is iterable and can be stringified for individual Exit Policy lines. """ @@ -467,9 +353,9 @@ class ExitPolicy: if "private" in rule_entry.lower(): for addr in PRIVATE_IP_RANGES: new_entry = rule_entry.replace("private", addr) - self._policies.append(ExitPolicyLine(new_entry)) + self._policies.append(ExitPolicyRule(new_entry)) else: - self._policies.append(ExitPolicyLine(rule_entry)) + self._policies.append(ExitPolicyRule(rule_entry)) def get_summary(self): """ @@ -482,7 +368,7 @@ class ExitPolicy: is_whitelist = False # default in case we don't have a catch-all policy at the end for policy in self._policies: - if policy.is_ip_wildcard and policy.is_port_wildcard: + if policy.is_address_wildcard() and policy.is_port_wildcard(): is_whitelist = not policy.is_accept break @@ -494,7 +380,7 @@ class ExitPolicy: display_ports, skip_ports = [], [] for policy in self._policies: - if not policy.is_ip_wildcard: continue + if not policy.is_address_wildcard(): continue if policy.min_port == policy.max_port: port_range = [policy.min_port] @@ -543,7 +429,7 @@ class ExitPolicy: """ for policy in self._policies: if policy.is_accept: return True - elif policy.is_ip_wildcard and policy.is_port_wildcard: return False + elif policy.is_address_wildcard() and policy.is_port_wildcard(): return False def check(self, ip_address, port): """ @@ -552,7 +438,8 @@ class ExitPolicy: """ for policy in self._policies: - if policy.check(ip_address, port): return True + if policy.is_match(ip_address, port): + return policy.is_accept return False @@ -591,10 +478,10 @@ class MicrodescriptorExitPolicy: if '-' in ports: port_range = ports.split("-", 1) if not stem.util.connection.is_valid_port(port_range): - raise ExitPolicyError + raise ValueError("Invaid port range") self.ports.append(range(int(port_range[2])), int(port_range[1])) if not stem.util.connection.is_valid_port(ports): - raise ExitPolicyError + raise ValueError("Invalid port range") self.ports.append(int(ports)) def check(self, ip_address=None, port=None): @@ -627,7 +514,3 @@ class MicrodescriptorExitPolicy: def is_accept(self): return self.is_accept -class ExitPolicyError(Exception): - """ - Base error for exit policy issues. - """ diff --git a/test/unit/exit_policy/policy.py b/test/unit/exit_policy/policy.py index 10088e2..da19d85 100644 --- a/test/unit/exit_policy/policy.py +++ b/test/unit/exit_policy/policy.py @@ -23,30 +23,29 @@ class TestExitPolicy(unittest.TestCase): exit_policies = stem.exit_policy.ExitPolicy() # check ip address - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept 256.255.255.255:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept -10.255.255.255:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept 255.-10.255.255:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept 255.255.-10.255:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept -255.255.255.-10:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept a.b.c.d:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept 255.255.255:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept -255.255:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept 255:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept -:80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept :80") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept ...:80") + self.assertRaises(ValueError, exit_policies.add, "accept 256.255.255.255:80") + self.assertRaises(ValueError, exit_policies.add, "accept -10.255.255.255:80") + self.assertRaises(ValueError, exit_policies.add, "accept 255.-10.255.255:80") + self.assertRaises(ValueError, exit_policies.add, "accept 255.255.-10.255:80") + self.assertRaises(ValueError, exit_policies.add, "accept -255.255.255.-10:80") + self.assertRaises(ValueError, exit_policies.add, "accept a.b.c.d:80") + self.assertRaises(ValueError, exit_policies.add, "accept 255.255.255:80") + self.assertRaises(ValueError, exit_policies.add, "accept -255.255:80") + self.assertRaises(ValueError, exit_policies.add, "accept 255:80") + self.assertRaises(ValueError, exit_policies.add, "accept -:80") + self.assertRaises(ValueError, exit_policies.add, "accept :80") + self.assertRaises(ValueError, exit_policies.add, "accept ...:80") # check input string - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "foo 255.255.255.255:80") + self.assertRaises(ValueError, exit_policies.add, "foo 255.255.255.255:80") # check ports - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept *:0001") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept *:0") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept *:-1") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept *:+1") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept *:+1-1") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept *:a") - self.assertRaises(stem.exit_policy.ExitPolicyError, exit_policies.add, "accept *:70000") + self.assertRaises(ValueError, exit_policies.add, "accept *:0001") + self.assertRaises(ValueError, exit_policies.add, "accept *:-1") + self.assertRaises(ValueError, exit_policies.add, "accept *:+1") + self.assertRaises(ValueError, exit_policies.add, "accept *:+1-1") + self.assertRaises(ValueError, exit_policies.add, "accept *:a") + self.assertRaises(ValueError, exit_policies.add, "accept *:70000") def test_check(self): """ @@ -59,11 +58,11 @@ class TestExitPolicy(unittest.TestCase): exit_policies.add("accept *:443") exit_policies.add("reject *:*") - self.assertTrue(exit_policies.check("www.google.com", 80)) - self.assertTrue(exit_policies.check("www.atagar.com", 443)) + self.assertTrue(exit_policies.check("192.168.0.50", 80)) + self.assertTrue(exit_policies.check("192.168.0.50", 443)) - self.assertFalse(exit_policies.check("www.atagar.com", 22)) - self.assertFalse(exit_policies.check("www.atagar.com", 8118)) + self.assertFalse(exit_policies.check("192.168.0.50", 22)) + self.assertFalse(exit_policies.check("192.168.0.50", 8118)) def test_is_exiting_allowed(self): """ @@ -89,13 +88,13 @@ class TestExitPolicy(unittest.TestCase): self.assertEqual(str(microdesc_exit_policy),"accept 80,443") - self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "accept 80,-443") - self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "accept 80,+443") - self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "accept 80,66666") - self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "reject 80,foo") - self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "bar 80,foo") - self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "foo") - self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "bar 80-foo") + self.assertRaises(ValueError, stem.exit_policy.MicrodescriptorExitPolicy, "accept 80,-443") + self.assertRaises(ValueError, stem.exit_policy.MicrodescriptorExitPolicy, "accept 80,+443") + self.assertRaises(ValueError, stem.exit_policy.MicrodescriptorExitPolicy, "accept 80,66666") + self.assertRaises(ValueError, stem.exit_policy.MicrodescriptorExitPolicy, "reject 80,foo") + self.assertRaises(ValueError, stem.exit_policy.MicrodescriptorExitPolicy, "bar 80,foo") + self.assertRaises(ValueError, stem.exit_policy.MicrodescriptorExitPolicy, "foo") + self.assertRaises(ValueError, stem.exit_policy.MicrodescriptorExitPolicy, "bar 80-foo") def test_micodesc_exit_check(self): microdesc_exit_policy = stem.exit_policy.MicrodescriptorExitPolicy("accept 80,443")

1 0

[stem/master] Add microdescriptor exit policy
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit 30ba1019fcbeca9220e85fa5216b6bac1b5db16f Author: Sathyanarayanan Gunasekaran <gsathya.ceg(a)gmail.com> Date: Tue Jul 3 02:03:12 2012 +0530 Add microdescriptor exit policy The microdescriptor policy class can now parse exit policy summaries. Add tests for this --- stem/exit_policy.py | 73 ++++++++++++++++++++++++++++++++++++++++++++++ test/unit/exit_policy.py | 54 +++++++++++++++++++++++++++++++++- 2 files changed, 126 insertions(+), 1 deletions(-) diff --git a/stem/exit_policy.py b/stem/exit_policy.py index 314110c..33f5cc1 100644 --- a/stem/exit_policy.py +++ b/stem/exit_policy.py @@ -10,6 +10,16 @@ easily parsed and compared, for instance... accept *:80 , accept *:443, reject *:* >>> print exit_policies.get_summary() accept 80, 443 +>>> exit_policies.check("www.google.com", 80) +True + +>>> microdesc_exit_policy = stem.exit_policy.MicrodescriptorExitPolicy("accept 80,443") +>>> print microdesc_exit_policy +accept 80,443 +>>> microdesc_exit_policy.check("www.google.com", 80) +True +>>> microdesc_exit_policy.check(80) +True ExitPolicyLine - Single rule from the exit policy |- __str__ - string representation @@ -23,6 +33,11 @@ ExitPolicy - List of ExitPolicyLine objects |- get_summary - provides a summary description of the policy chain +- is_exiting_allowed - check if exit node +MicrodescriptorExitPolicy - Microdescriptor exit policy + |- check - check if exiting to this port is allowed + |- ports - returns a list of ports + |- is_accept - check if it's a list of accepted/rejected ports + +- __str__ - return the summary """ import stem.util.connection @@ -271,6 +286,64 @@ class ExitPolicy: """ return ', '.join([str(policy) for policy in self._policies]) +class MicrodescriptorExitPolicy: + """ + Microdescriptor exit policy - 'accept 53,80,443' + """ + + def __init__(self, summary): + self.ports = [] + self.is_accept = None + self.summary = summary + + # sanitize the input a bit, cleaning up tabs and stripping quotes + summary = self.summary.replace("\\t", " ").replace("\"", "") + + self.is_accept = summary.startswith("accept") + + # strips off "accept " or "reject " and extra spaces + summary = summary[7:].replace(" ", "") + + for ports in summary.split(','): + if '-' in ports: + port_range = ports.split("-", 1) + if not stem.util.connection.is_valid_port(port_range): + raise ExitPolicyError + self.ports.append(range(int(port_range[2])), int(port_range[1])) + if not stem.util.connection.is_valid_port(ports): + raise ExitPolicyError + self.ports.append(int(ports)) + + def check(self, ip_address=None, port=None): + # stem is intelligent about the arguments + if not port: + if not '.' in str(ip_address): + port = ip_address + + port = int(port) + + if port in self.ports: + # its a list of accepted ports + if self.is_accept: + return True + else: + return False + else: + # its a list of rejected ports + if not self.is_accept: + return True + else: + return False + + def __str__(self): + return self.summary + + def ports(self): + return self.ports + + def is_accept(self): + return self.is_accept + class ExitPolicyError(Exception): """ Base error for exit policy issues. diff --git a/test/unit/exit_policy.py b/test/unit/exit_policy.py index d4fd7e0..b12cd9a 100644 --- a/test/unit/exit_policy.py +++ b/test/unit/exit_policy.py @@ -55,4 +55,56 @@ class TestExitPolicy(unittest.TestCase): """ Tests if exiting to this ip is allowed. """ - pass + + exit_policies = stem.exit_policy.ExitPolicy() + exit_policies = stem.exit_policy.ExitPolicy() + exit_policies.add("accept *:80") + exit_policies.add("accept *:443") + exit_policies.add("reject *:*") + + self.assertTrue(exit_policies.check("www.google.com", 80)) + self.assertTrue(exit_policies.check("www.atagar.com", 443)) + + self.assertFalse(exit_policies.check("www.atagar.com", 22)) + self.assertFalse(exit_policies.check("www.atagar.com", 8118)) + + def test_is_exiting_allowed(self): + """ + Tests if this is an exit node + """ + + exit_policies = stem.exit_policy.ExitPolicy() + exit_policies = stem.exit_policy.ExitPolicy() + exit_policies.add("accept *:80") + exit_policies.add("accept *:443") + exit_policies.add("reject *:*") + + self.assertTrue(exit_policies.is_exiting_allowed()) + + exit_policies = stem.exit_policy.ExitPolicy() + exit_policies = stem.exit_policy.ExitPolicy() + exit_policies.add("reject *:*") + + self.assertFalse(exit_policies.is_exiting_allowed()) + + def test_microdesc_exit_parsing(self): + microdesc_exit_policy = stem.exit_policy.MicrodescriptorExitPolicy("accept 80,443") + + self.assertEqual(str(microdesc_exit_policy),"accept 80,443") + + self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "accept 80,-443") + self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "accept 80,+443") + self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "accept 80,66666") + self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "reject 80,foo") + self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "bar 80,foo") + self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "foo") + self.assertRaises(stem.exit_policy.ExitPolicyError, stem.exit_policy.MicrodescriptorExitPolicy, "bar 80-foo") + + def test_micodesc_exit_check(self): + microdesc_exit_policy = stem.exit_policy.MicrodescriptorExitPolicy("accept 80,443") + + self.assertTrue(microdesc_exit_policy.check(80)) + self.assertTrue(microdesc_exit_policy.check("www.atagar.com", 443)) + + self.assertFalse(microdesc_exit_policy.check(22)) + self.assertFalse(microdesc_exit_policy.check("www.atagar.com", 8118))

1 0

[stem/master] Splitting up ExitPolicyRule parsing
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit 004650ae2b09ec295f6e7ce4d70993c1764761d9 Author: Damian Johnson <atagar(a)torproject.org> Date: Sun Jul 15 14:53:53 2012 -0700 Splitting up ExitPolicyRule parsing The ExitPolicyRule constructor was unpleasantly huge (and by extension, hard to read). Moving most of it to helper funcitons for parsing the addrspec and portspec. --- stem/exit_policy.py | 226 ++++++++++++++++++++++++++++----------------------- 1 files changed, 124 insertions(+), 102 deletions(-) diff --git a/stem/exit_policy.py b/stem/exit_policy.py index 312ba65..9f1cd94 100644 --- a/stem/exit_policy.py +++ b/stem/exit_policy.py @@ -55,7 +55,26 @@ AddressType = stem.util.enum.Enum(("WILDCARD", "Wildcard"), ("IPv4", "IPv4"), (" PRIVATE_IP_RANGES = ("0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12") -class ExitPolicyRule: +# TODO: The ExitPolicyRule's exitpatterns are used everywhere except the torrc. +# This is fine for now, but we should add a subclass to handle those slight +# differences later if we want to provide the ability to parse torrcs. + +# TODO: The ExitPolicyRule could easily be a mutable class if we did the +# following... +# +# * Provided setter methods that acquired an RLock which also wrapped all of +# our current methods to provide thread safety. +# +# * Reset our derived attributes (self._addr_bin, self._mask_bin, and +# self._str_representation) when we changed something that it was based on. +# +# That said, I'm not sure if this is entirely desirable since for most use +# cases we *want* the caller to have an immutable ExitPolicy (since it +# reflects something they... well, can't modify). However, I can think of +# some use cases where we might want to construct custom policies. Mabye make +# it a CustomExitPolicyRule subclass? + +class ExitPolicyRule(object): """ Single rule from the user's exit policy. These rules are chained together to form complete policies that describe where a relay will and will not allow @@ -67,7 +86,9 @@ class ExitPolicyRule: scricter in what it'll accept. For instance, ports are not optional and it does not contain the 'private' alias. - :var str rule: rule that we were created from + This should be treated as an immutable object. + + :var str rule: rule that we were originally created from :var bool is_accept: indicates if exiting is allowed or disallowed :var AddressType address_type: type of address that we have @@ -83,10 +104,6 @@ class ExitPolicyRule: :raises: ValueError if input isn't a valid tor exit policy rule """ - # TODO: Exitpatterns are used everywhere except the torrc. This is fine for - # now, but we should add a subclass to handle those slight differences later - # if we want to provide the ability to parse torrcs. - def __init__(self, rule): self.rule = rule @@ -110,96 +127,14 @@ class ExitPolicyRule: if not ":" in exitpattern: raise ValueError("An exitpattern must be of the form 'addrspec:portspec': %s" % rule) - addrspec, portspec = exitpattern.rsplit(":", 1) - self._addr_bin = self._mask_bin = None - - # Parses the addrspec... - # addrspec ::= "*" | ip4spec | ip6spec - - if "/" in addrspec: - self.address, addr_extra = addrspec.split("/", 1) - else: - self.address, addr_extra = addrspec, None + self.address = None + self.address_type = None + self.mask = self.masked_bits = None + self.min_port = self.max_port = None - if addrspec == "*": - self.address_type = AddressType.WILDCARD - self.address = self.mask = self.masked_bits = None - elif stem.util.connection.is_valid_ip_address(self.address): - # ipv4spec ::= ip4 | ip4 "/" num_ip4_bits | ip4 "/" ip4mask - # ip4 ::= an IPv4 address in dotted-quad format - # ip4mask ::= an IPv4 mask in dotted-quad format - # num_ip4_bits ::= an integer between 0 and 32 - - self.address_type = AddressType.IPv4 - - if addr_extra is None: - self.mask = stem.util.connection.FULL_IPv4_MASK - self.masked_bits = 32 - elif stem.util.connection.is_valid_ip_address(addr_extra): - # provided with an ip4mask - self.mask = addr_extra - - try: - self.masked_bits = stem.util.connection.get_masked_bits(addr_extra) - except ValueError: - # mask can't be represented as a number of bits (ex. "255.255.0.255") - self.masked_bits = None - elif addr_extra.isdigit(): - # provided with a num_ip4_bits - self.mask = stem.util.connection.get_mask(int(addr_extra)) - self.masked_bits = int(addr_extra) - else: - raise ValueError("The '%s' isn't a mask nor number of bits: %s" % (addr_extra, rule)) - elif self.address.startswith("[") and self.address.endswith("]") and \ - stem.util.connection.is_valid_ipv6_address(self.address[1:-1]): - # ip6spec ::= ip6 | ip6 "/" num_ip6_bits - # ip6 ::= an IPv6 address, surrounded by square brackets. - # num_ip6_bits ::= an integer between 0 and 128 - - self.address = stem.util.connection.expand_ipv6_address(self.address[1:-1].upper()) - self.address_type = AddressType.IPv6 - - if addr_extra is None: - self.mask = stem.util.connection.FULL_IPv6_MASK - self.masked_bits = 128 - elif addr_extra.isdigit(): - # provided with a num_ip6_bits - self.mask = stem.util.connection.get_mask_ipv6(int(addr_extra)) - self.masked_bits = int(addr_extra) - else: - raise ValueError("The '%s' isn't a number of bits: %s" % (addr_extra, rule)) - else: - raise ValueError("Address isn't a wildcard, IPv4, or IPv6 address: %s" % rule) - - # Parses the portspec... - # portspec ::= "*" | port | port "-" port - # port ::= an integer between 1 and 65535, inclusive. - # - # Due to a tor bug the spec says that we should accept port of zero, but - # connections to port zero are never permitted. - - if portspec == "*": - self.min_port, self.max_port = 1, 65535 - elif portspec.isdigit(): - # provided with a single port - if stem.util.connection.is_valid_port(portspec, allow_zero = True): - self.min_port = self.max_port = int(portspec) - else: - raise ValueError("'%s' isn't within a valid port range: %s" % (portspec, rule)) - elif "-" in portspec: - # provided with a port range - port_comp = portspec.split("-", 1) - - if stem.util.connection.is_valid_port(port_comp, allow_zero = True): - self.min_port = int(port_comp[0]) - self.max_port = int(port_comp[1]) - - if self.min_port > self.max_port: - raise ValueError("Port range has a lower bound that's greater than its upper bound: %s" % rule) - else: - raise ValueError("Malformed port range: %s" % rule) - else: - raise ValueError("Port value isn't a wildcard, integer, or range: %s" % rule) + addrspec, portspec = exitpattern.rsplit(":", 1) + self._apply_addrspec(addrspec) + self._apply_portspec(portspec) # Pre-calculating the integer representation of our mask and masked # address. These are used by our is_match() method to compare ourselves to @@ -327,17 +262,104 @@ class ExitPolicyRule: self._str_representation = label return self._str_representation + + def _apply_addrspec(self, addrspec): + # Parses the addrspec... + # addrspec ::= "*" | ip4spec | ip6spec + + if "/" in addrspec: + self.address, addr_extra = addrspec.split("/", 1) + else: + self.address, addr_extra = addrspec, None + + if addrspec == "*": + self.address_type = AddressType.WILDCARD + self.address = self.mask = self.masked_bits = None + elif stem.util.connection.is_valid_ip_address(self.address): + # ipv4spec ::= ip4 | ip4 "/" num_ip4_bits | ip4 "/" ip4mask + # ip4 ::= an IPv4 address in dotted-quad format + # ip4mask ::= an IPv4 mask in dotted-quad format + # num_ip4_bits ::= an integer between 0 and 32 + + self.address_type = AddressType.IPv4 + + if addr_extra is None: + self.mask = stem.util.connection.FULL_IPv4_MASK + self.masked_bits = 32 + elif stem.util.connection.is_valid_ip_address(addr_extra): + # provided with an ip4mask + self.mask = addr_extra + + try: + self.masked_bits = stem.util.connection.get_masked_bits(addr_extra) + except ValueError: + # mask can't be represented as a number of bits (ex. "255.255.0.255") + self.masked_bits = None + elif addr_extra.isdigit(): + # provided with a num_ip4_bits + self.mask = stem.util.connection.get_mask(int(addr_extra)) + self.masked_bits = int(addr_extra) + else: + raise ValueError("The '%s' isn't a mask nor number of bits: %s" % (addr_extra, self.rule)) + elif self.address.startswith("[") and self.address.endswith("]") and \ + stem.util.connection.is_valid_ipv6_address(self.address[1:-1]): + # ip6spec ::= ip6 | ip6 "/" num_ip6_bits + # ip6 ::= an IPv6 address, surrounded by square brackets. + # num_ip6_bits ::= an integer between 0 and 128 + + self.address = stem.util.connection.expand_ipv6_address(self.address[1:-1].upper()) + self.address_type = AddressType.IPv6 + + if addr_extra is None: + self.mask = stem.util.connection.FULL_IPv6_MASK + self.masked_bits = 128 + elif addr_extra.isdigit(): + # provided with a num_ip6_bits + self.mask = stem.util.connection.get_mask_ipv6(int(addr_extra)) + self.masked_bits = int(addr_extra) + else: + raise ValueError("The '%s' isn't a number of bits: %s" % (addr_extra, self.rule)) + else: + raise ValueError("Address isn't a wildcard, IPv4, or IPv6 address: %s" % self.rule) + + def _apply_portspec(self, portspec): + # Parses the portspec... + # portspec ::= "*" | port | port "-" port + # port ::= an integer between 1 and 65535, inclusive. + # + # Due to a tor bug the spec says that we should accept port of zero, but + # connections to port zero are never permitted. + + if portspec == "*": + self.min_port, self.max_port = 1, 65535 + elif portspec.isdigit(): + # provided with a single port + if stem.util.connection.is_valid_port(portspec, allow_zero = True): + self.min_port = self.max_port = int(portspec) + else: + raise ValueError("'%s' isn't within a valid port range: %s" % (portspec, self.rule)) + elif "-" in portspec: + # provided with a port range + port_comp = portspec.split("-", 1) + + if stem.util.connection.is_valid_port(port_comp, allow_zero = True): + self.min_port = int(port_comp[0]) + self.max_port = int(port_comp[1]) + + if self.min_port > self.max_port: + raise ValueError("Port range has a lower bound that's greater than its upper bound: %s" % self.rule) + else: + raise ValueError("Malformed port range: %s" % self.rule) + else: + raise ValueError("Port value isn't a wildcard, integer, or range: %s" % self.rule) -class ExitPolicy: +class ExitPolicy(object): """ - Provides a wrapper to ExitPolicyRule. This is iterable and can be stringified for - individual Exit Policy lines. + Policy for the destinations that a relay allows or denies exiting to. This + is, in effect, simply a list of ExitPolicyRule entries. """ - + def __init__(self): - """ - ExitPolicy constructor - """ self._policies = [] self.summary = ""

1 0

[stem/master] Test for the ExitPolicy's constructor
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit 5ccc2ca7b4d7ab1974871400e0b8fb3ff1478df4 Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Jul 16 09:55:06 2012 -0700 Test for the ExitPolicy's constructor Test to make sure that we can handle both string and ExitPolicy lists. This also checks that we can easily handle the split() output when breaking up a csv. Added __eq__() methods for the ExitPolicy and ExitPolicyRule to make policy comparisons easier. --- stem/exit_policy.py | 18 +++++++++++++++++- test/unit/exit_policy/policy.py | 19 ++++++++++++++++++- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/stem/exit_policy.py b/stem/exit_policy.py index 71602f3..07886c3 100644 --- a/stem/exit_policy.py +++ b/stem/exit_policy.py @@ -218,6 +218,12 @@ class ExitPolicy(object): def __str__(self): return ', '.join([str(rule) for rule in self._rules]) + + def __eq__(self, other): + if isinstance(other, ExitPolicy): + return self._rules == list(other) + else: + return False class ExitPolicyRule(object): """ @@ -494,7 +500,17 @@ class ExitPolicyRule(object): raise ValueError("Malformed port range: %s" % self.rule) else: raise ValueError("Port value isn't a wildcard, integer, or range: %s" % self.rule) - + + def __eq__(self, other): + if isinstance(other, ExitPolicyRule): + # Our string representation encompasses our effective policy. Technically + # this isn't quite right since our rule attribute may differ (ie, "accept + # 0.0.0.0/0" == "accept 0.0.0.0/0.0.0.0" will be True), but these + # policies are effectively equivilant. + + return str(self) == str(other) + else: + return False class MicrodescriptorExitPolicy: """ diff --git a/test/unit/exit_policy/policy.py b/test/unit/exit_policy/policy.py index 4d544b3..ea5ab90 100644 --- a/test/unit/exit_policy/policy.py +++ b/test/unit/exit_policy/policy.py @@ -1,14 +1,31 @@ """ -Unit tests for the stem.exit_policy.ExitPolicy parsing and class. +Unit tests for the stem.exit_policy.ExitPolicy class. """ import unittest import stem.exit_policy import stem.util.system +from stem.exit_policy import ExitPolicy, ExitPolicyRule import test.mocking as mocking class TestExitPolicy(unittest.TestCase): + def test_constructor(self): + # The ExitPolicy constructor takes a series of string or ExitPolicyRule + # entries. Extra whitespace is ignored to make csvs easier to handle. + + expected_policy = ExitPolicy( + ExitPolicyRule('accept *:80'), + ExitPolicyRule('accept *:443'), + ExitPolicyRule('reject *:*'), + ) + + policy = ExitPolicy('accept *:80', 'accept *:443', 'reject *:*') + self.assertEquals(expected_policy, policy) + + policy = ExitPolicy(*"accept *:80, accept *:443, reject *:*".split(",")) + self.assertEquals(expected_policy, policy) + def test_parsing(self): """ Tests parsing by the ExitPolicy class constructor.

1 0

[stem/master] Adding a test for pydoc header examples
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit 6f36f95711d54fee1bdf7391842f5e76dde8538b Author: Damian Johnson <atagar(a)torproject.org> Date: Tue Jul 17 08:10:17 2012 -0700 Adding a test for pydoc header examples Little test for our pydoc example, and fixing a couple little bugs. There's a larger bug due to our naive summary() implementation though a better solution isn't immediately coming to mind. --- stem/exit_policy.py | 20 +++++++++++++++----- test/unit/exit_policy/policy.py | 9 +++++++++ 2 files changed, 24 insertions(+), 5 deletions(-) diff --git a/stem/exit_policy.py b/stem/exit_policy.py index fca6034..12cc11f 100644 --- a/stem/exit_policy.py +++ b/stem/exit_policy.py @@ -168,21 +168,31 @@ class ExitPolicy(object): is_whitelist = not rule.is_accept break - # Iterates over the policys and adds the the ports we'll return (ie, allows - # if a whitelist and rejects if a blacklist). Regardless of a port's - # allow/reject policy, all further entries with that port are ignored since - # policies respect the first matching policy. + # Iterates over the policys and adds the the ports we'll return (ie, + # allows if a whitelist and rejects if a blacklist). Regardless of a + # port's allow/reject policy, all further entries with that port are + # ignored since policies respect the first matching policy. + + # TODO: The following will be prohibitively expensive if someome has + # policy entries that aren't a wildcard, but covers most ports. For + # instance... + # + # accept 1025-65535 # just accepts non-privilaged ports + # + # On one hand handling ranges is a pita, but on the other this + # implementation is naive. Patches welcome. display_ports, skip_ports = [], [] for rule in self._rules: if not rule.is_address_wildcard(): continue + elif rule.is_port_wildcard(): break for port in xrange(rule.min_port, rule.max_port + 1): if port in skip_ports: continue # if accept + whitelist or reject + blacklist then add - if policy.is_accept == is_whitelist: + if rule.is_accept == is_whitelist: display_ports.append(port) # all further entries with this port should be ignored diff --git a/test/unit/exit_policy/policy.py b/test/unit/exit_policy/policy.py index ea5ab90..a6eb00e 100644 --- a/test/unit/exit_policy/policy.py +++ b/test/unit/exit_policy/policy.py @@ -10,6 +10,15 @@ from stem.exit_policy import ExitPolicy, ExitPolicyRule import test.mocking as mocking class TestExitPolicy(unittest.TestCase): + def test_example(self): + # tests the ExitPolicy and MicrodescriptorExitPolicy pydoc examples + policy = ExitPolicy("accept *:80", "accept *:443", "reject *:*") + self.assertEquals("accept *:80, accept *:443, reject *:*", str(policy)) + self.assertEquals("accept 80, 443", policy.summary()) + self.assertTrue(policy.can_exit_to("75.119.206.243", 80)) + + # TODO: add MicrodescriptorExitPolicy after it has been revised + def test_constructor(self): # The ExitPolicy constructor takes a series of string or ExitPolicyRule # entries. Extra whitespace is ignored to make csvs easier to handle.

1 0

[stem/master] Revised ExitPolicy class
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit 363e87f5bd55b4ecac9514d6f423fba52d4f55ec Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Jul 16 09:05:25 2012 -0700 Revised ExitPolicy class Revising the ExitPolicy class to something resembling its final incarnation. Next gonna revise the tests (they pass, but could use some love). --- stem/exit_policy.py | 352 ++++++++++++++++++++------------------ test/unit/exit_policy/policy.py | 71 ++++----- test/unit/exit_policy/rule.py | 4 +- 3 files changed, 216 insertions(+), 211 deletions(-) diff --git a/stem/exit_policy.py b/stem/exit_policy.py index 9f1cd94..71602f3 100644 --- a/stem/exit_policy.py +++ b/stem/exit_policy.py @@ -4,41 +4,38 @@ exiting to a destination is permissable or not. For instance... :: - >>> exit_policies = stem.exit_policy.ExitPolicy() - >>> exit_policies.add("accept *:80") - >>> exit_policies.add("accept *:443") - >>> exit_policies.add("reject *:*") - >>> print exit_policies - accept *:80 , accept *:443, reject *:* - >>> print exit_policies.get_summary() + >>> policy = stem.exit_policy.ExitPolicy("accept *:80", "accept *:443", "reject *:*") + >>> print policy + accept *:80, accept *:443, reject *:* + >>> print policy.summary() accept 80, 443 - >>> exit_policies.check("www.google.com", 80) + >>> policy.can_exit_to("75.119.206.243", 80) True - >>> microdesc_exit_policy = stem.exit_policy.MicrodescriptorExitPolicy("accept 80,443") - >>> print microdesc_exit_policy + >>> policy = stem.exit_policy.MicrodescriptorExitPolicy("accept 80,443") + >>> print policy accept 80,443 - >>> microdesc_exit_policy.check("www.google.com", 80) + >>> policy.check("www.google.com", 80) True - >>> microdesc_exit_policy.check(80) + >>> policy.check(80) True :: - ExitPolicyRule - Single rule of an exit policy - |- is_address_wildcard - checks if we'll accept any address for our type + ExitPolicy - Exit policy for a Tor relay + |- set_default_allowed - sets the default can_exit_to() response if no rules apply + |- can_exit_to - check if exiting to this destination is allowed or not + |- is_exiting_allowed - check if any exiting is allowed + |- summary - provides a short label, similar to a microdescriptor + |- __str__ - string representation + +- __iter__ - ExitPolicyRule entries that this contains + + ExitPolicyRule - Single rule of an exit policy chain + |- is_address_wildcard - checks if we'll accept any address |- is_port_wildcard - checks if we'll accept any port |- is_match - checks if we match a given destination +- __str__ - string representation for this rule - ExitPolicy - List of ExitPolicyLine objects - |- __str__ - string representation - |- __iter__ - ExitPolicyLine entries for the exit policy - |- check - check if exiting to this ip is allowed - |- add - add new rule to the exit policy - |- get_summary - provides a summary description of the policy chain - +- is_exiting_allowed - check if exit node - MicrodescriptorExitPolicy - Microdescriptor exit policy |- check - check if exiting to this port is allowed |- ports - returns a list of ports @@ -51,10 +48,6 @@ import stem.util.enum AddressType = stem.util.enum.Enum(("WILDCARD", "Wildcard"), ("IPv4", "IPv4"), ("IPv6", "IPv6")) -# ip address ranges substituted by the 'private' keyword -PRIVATE_IP_RANGES = ("0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8", - "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12") - # TODO: The ExitPolicyRule's exitpatterns are used everywhere except the torrc. # This is fine for now, but we should add a subclass to handle those slight # differences later if we want to provide the ability to parse torrcs. @@ -74,6 +67,158 @@ PRIVATE_IP_RANGES = ("0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8", # some use cases where we might want to construct custom policies. Mabye make # it a CustomExitPolicyRule subclass? +class ExitPolicy(object): + """ + Policy for the destinations that a relay allows or denies exiting to. This + is, in effect, simply a list of ExitPolicyRule entries. + + :param list rules: str or ExitPolicyRule entries that make up this policy + """ + + def __init__(self, *rules): + self._rules = [] + + for rule in rules: + if isinstance(rule, str): + self._rules.append(ExitPolicyRule(rule.strip())) + elif isinstance(rule, ExitPolicyRule): + self._rules.append(rule) + else: + raise TypeError("Exit policy rules can only contain strings or ExitPolicyRules, got a %s (%s)" % (type(rule), rules)) + + self._is_allowed_default = True + self._summary_representation = None + + def set_default_allowed(self, is_allowed_default): + """ + Generally policies end with either an 'reject *:*' or 'accept *:*' policy, + but if it doesn't then is_allowed_default will determine the default + response for our :meth:`~stem.exit_policy.ExitPolicy.can_exit_to` method. + This defaults to True because, according to the dir-spec, this is Tor's + default... + + :: + + The rules are considered in order; if no rule matches, the address will + be accepted. For clarity, the last such entry SHOULD be accept *:* or + reject *:*. + + :param bool is_allowed_default: :meth:`~stem.exit_policy.ExitPolicy.can_exit_to` default when no rules apply + """ + + self._is_allowed_default = is_allowed_default + + def can_exit_to(self, address = None, port = None): + """ + Checks if this policy allows exiting to a given destination or not. If the + address or port is omitted then this will check if we allow for its + wildcard. + + :param str address: IPv4 or IPv6 address (with or without brackets) + :param int port: port number + + :returns: True if exiting to this destination is allowed, False otherwise + """ + + for rule in self._rules: + if rule.is_match(address, port): + return rule.is_accept + + return self._is_allowed_default + + def is_exiting_allowed(self): + """ + Provides True if the policy allows exiting whatsoever, False otherwise. + """ + + for rule in self._rules: + if rule.is_accept: + return True + elif rule.is_address_wildcard() and rule.is_port_wildcard(): + return False + + return self._is_allowed_default + + def summary(self): + """ + Provides a short description of our policy chain, similar to a + microdescriptor. This excludes entries that don't cover all IP + addresses, and is either whitelist or blacklist policy based on + the final entry. For instance... + + :: + + >>> policy = ExitPolicy.from_str("accept *:80, accept *:443, reject *:*") + >>> policy.summary() + "accept 80, 443" + + :returns: str with a concise summary for our policy + """ + + if self._summary_representation is None: + # determines if we're a whitelist or blacklist + is_whitelist = not self._is_allowed_default + + for rule in self._rules: + if rule.is_address_wildcard() and rule.is_port_wildcard(): + is_whitelist = not rule.is_accept + break + + # Iterates over the policys and adds the the ports we'll return (ie, allows + # if a whitelist and rejects if a blacklist). Regardless of a port's + # allow/reject policy, all further entries with that port are ignored since + # policies respect the first matching policy. + + display_ports, skip_ports = [], [] + + for rule in self._rules: + if not rule.is_address_wildcard(): continue + + for port in xrange(rule.min_port, rule.max_port + 1): + if port in skip_ports: continue + + # if accept + whitelist or reject + blacklist then add + if policy.is_accept == is_whitelist: + display_ports.append(port) + + # all further entries with this port should be ignored + skip_ports.append(port) + + # convert port list to a list of ranges (ie, ['1-3'] rather than [1, 2, 3]) + if display_ports: + display_ranges, temp_range = [], [] + display_ports.sort() + display_ports.append(None) # ending item to include last range in loop + + for port in display_ports: + if not temp_range or temp_range[-1] + 1 == port: + temp_range.append(port) + else: + if len(temp_range) > 1: + display_ranges.append("%i-%i" % (temp_range[0], temp_range[-1])) + else: + display_ranges.append(str(temp_range[0])) + + temp_range = [port] + else: + # everything for the inverse + is_whitelist = not is_whitelist + display_ranges = ["1-65535"] + + # constructs the summary string + label_prefix = "accept " if is_whitelist else "reject " + + self._summary_representation = (label_prefix + ", ".join(display_ranges)).strip() + + return self._summary_representation + + def __iter__(self): + for rule in self._rules: + yield rule + + def __str__(self): + return ', '.join([str(rule) for rule in self._rules]) + class ExitPolicyRule(object): """ Single rule from the user's exit policy. These rules are chained together to @@ -140,7 +285,7 @@ class ExitPolicyRule(object): # address. These are used by our is_match() method to compare ourselves to # other addresses. - if self.address_type == AddressType.WILDCARD: + if self.is_address_wildcard(): # is_match() will short circuit so these are unused self._mask_bin = self._addr_bin = None else: @@ -151,12 +296,15 @@ class ExitPolicyRule(object): def is_address_wildcard(self): """ - True if we'll match against any address for our type, False otherwise. + True if we'll match against any address, False otherwise. Note that this + may be different from matching against a /0 because policies can contain + both IPv4 and IPv6 addresses (so 0.0.0.0/0 won't match against an IPv6 + address). :returns: bool for if our address matching is a wildcard """ - return self.address_type == AddressType.WILDCARD or self.masked_bits == 0 + return self.address_type == AddressType.WILDCARD def is_port_wildcard(self): """ @@ -194,23 +342,17 @@ class ExitPolicyRule(object): if port != None and not stem.util.connection.is_valid_port(port): raise ValueError("'%s' isn't a valid port" % port) - if address is None: - # Note that this isn't the exact same as is_address_wildcard(). We only - # accept a None address if we got an '*' for our address. Not an IPv4 or - # IPv6 address that accepts everything (ex '0.0.0.0/0'). This is because - # those still only match against that type (ie, an IPv4 /0 won't match - # against IPv6 addresses). - - if self.address_type != AddressType.WILDCARD: - return False - elif not self.is_address_wildcard(): + if not self.is_address_wildcard(): # Already got the integer representation of our mask and our address # with the mask applied. Just need to check if this address with the # mask applied matches. - comparison_addr_bin = int(stem.util.connection.get_address_binary(address), 2) - comparison_addr_bin &= self._mask_bin - if self._addr_bin != comparison_addr_bin: return False + if address is None: + return False + else: + comparison_addr_bin = int(stem.util.connection.get_address_binary(address), 2) + comparison_addr_bin &= self._mask_bin + if self._addr_bin != comparison_addr_bin: return False if not self.is_port_wildcard(): if port is None: @@ -232,7 +374,7 @@ class ExitPolicyRule(object): if self._str_representation is None: label = "accept " if self.is_accept else "reject " - if self.address_type == AddressType.WILDCARD: + if self.is_address_wildcard(): label += "*:" else: if self.address_type == AddressType.IPv4: @@ -353,130 +495,6 @@ class ExitPolicyRule(object): else: raise ValueError("Port value isn't a wildcard, integer, or range: %s" % self.rule) -class ExitPolicy(object): - """ - Policy for the destinations that a relay allows or denies exiting to. This - is, in effect, simply a list of ExitPolicyRule entries. - """ - - def __init__(self): - self._policies = [] - self.summary = "" - - def add(self, rule_entry): - """ - This method is used to add an Exit Policy rule to the list of policies. - - Arguments: - rule_entry (str) - exit policy rule in the format "accept|reject ADDR[/MASK][:PORT]" - ex - "accept 18.7.22.69:*" - """ - # checks for the private alias (which expands this to a chain of entries) - if "private" in rule_entry.lower(): - for addr in PRIVATE_IP_RANGES: - new_entry = rule_entry.replace("private", addr) - self._policies.append(ExitPolicyRule(new_entry)) - else: - self._policies.append(ExitPolicyRule(rule_entry)) - - def get_summary(self): - """ - Provides a summary description of the policy chain similar to the - consensus. This excludes entries that don't cover all ips, and is either - a whitelist or blacklist policy based on the final entry. - """ - - # determines if we're a whitelist or blacklist - is_whitelist = False # default in case we don't have a catch-all policy at the end - - for policy in self._policies: - if policy.is_address_wildcard() and policy.is_port_wildcard(): - is_whitelist = not policy.is_accept - break - - # Iterates over the policys and adds the the ports we'll return (ie, allows - # if a whitelist and rejects if a blacklist). Regardless of a port's - # allow/reject policy, all further entries with that port are ignored since - # policies respect the first matching policy. - - display_ports, skip_ports = [], [] - - for policy in self._policies: - if not policy.is_address_wildcard(): continue - - if policy.min_port == policy.max_port: - port_range = [policy.min_port] - else: - port_range = range(policy.min_port, policy.max_port + 1) - - for port in port_range: - if port in skip_ports: continue - - # if accept + whitelist or reject + blacklist then add - if policy.is_accept == is_whitelist: - display_ports.append(port) - - # all further entries with this port are to be ignored - skip_ports.append(port) - - # gets a list of the port ranges - if display_ports: - display_ranges, temp_range = [], [] - display_ports.sort() - display_ports.append(None) # ending item to include last range in loop - - for port in display_ports: - if not temp_range or temp_range[-1] + 1 == port: - temp_range.append(port) - else: - if len(temp_range) > 1: - display_ranges.append("%i-%i" % (temp_range[0], temp_range[-1])) - else: - display_ranges.append(str(temp_range[0])) - - temp_range = [port] - else: - # everything for the inverse - is_whitelist = not is_whitelist - display_ranges = ["1-65535"] - - # constructs the summary string - label_prefix = "accept " if is_whitelist else "reject " - - self.summary = (label_prefix + ", ".join(display_ranges)).strip() - - def is_exiting_allowed(self): - """ - Provides true if the policy allows exiting whatsoever, false otherwise. - """ - for policy in self._policies: - if policy.is_accept: return True - elif policy.is_address_wildcard() and policy.is_port_wildcard(): return False - - def check(self, ip_address, port): - """ - Checks if the rule chain allows exiting to this address, returning true if - so and false otherwise. - """ - - for policy in self._policies: - if policy.is_match(ip_address, port): - return policy.is_accept - - return False - - def __iter__(self): - """ - Provides an ordered listing of policies in this Exit Policy - """ - for policy in self._policies: - yield policy - - def __str__(self): - """ - Provides the string used to construct the Exit Policy - """ - return ', '.join([str(policy) for policy in self._policies]) class MicrodescriptorExitPolicy: """ diff --git a/test/unit/exit_policy/policy.py b/test/unit/exit_policy/policy.py index da19d85..4d544b3 100644 --- a/test/unit/exit_policy/policy.py +++ b/test/unit/exit_policy/policy.py @@ -14,72 +14,59 @@ class TestExitPolicy(unittest.TestCase): Tests parsing by the ExitPolicy class constructor. """ - exit_policies = stem.exit_policy.ExitPolicy() - exit_policies.add("accept *:80") - exit_policies.add("accept *:443") - exit_policies.add("reject *:*") + exit_policies = stem.exit_policy.ExitPolicy("accept *:80", "accept *:443", "reject *:*") self.assertEqual(str(exit_policies), "accept *:80, accept *:443, reject *:*") exit_policies = stem.exit_policy.ExitPolicy() # check ip address - self.assertRaises(ValueError, exit_policies.add, "accept 256.255.255.255:80") - self.assertRaises(ValueError, exit_policies.add, "accept -10.255.255.255:80") - self.assertRaises(ValueError, exit_policies.add, "accept 255.-10.255.255:80") - self.assertRaises(ValueError, exit_policies.add, "accept 255.255.-10.255:80") - self.assertRaises(ValueError, exit_policies.add, "accept -255.255.255.-10:80") - self.assertRaises(ValueError, exit_policies.add, "accept a.b.c.d:80") - self.assertRaises(ValueError, exit_policies.add, "accept 255.255.255:80") - self.assertRaises(ValueError, exit_policies.add, "accept -255.255:80") - self.assertRaises(ValueError, exit_policies.add, "accept 255:80") - self.assertRaises(ValueError, exit_policies.add, "accept -:80") - self.assertRaises(ValueError, exit_policies.add, "accept :80") - self.assertRaises(ValueError, exit_policies.add, "accept ...:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept 256.255.255.255:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept -10.255.255.255:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept 255.-10.255.255:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept 255.255.-10.255:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept -255.255.255.-10:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept a.b.c.d:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept 255.255.255:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept -255.255:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept 255:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept -:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept :80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept ...:80") # check input string - self.assertRaises(ValueError, exit_policies.add, "foo 255.255.255.255:80") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "foo 255.255.255.255:80") # check ports - self.assertRaises(ValueError, exit_policies.add, "accept *:0001") - self.assertRaises(ValueError, exit_policies.add, "accept *:-1") - self.assertRaises(ValueError, exit_policies.add, "accept *:+1") - self.assertRaises(ValueError, exit_policies.add, "accept *:+1-1") - self.assertRaises(ValueError, exit_policies.add, "accept *:a") - self.assertRaises(ValueError, exit_policies.add, "accept *:70000") - - def test_check(self): + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept *:0001") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept *:-1") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept *:+1") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept *:+1-1") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept *:a") + self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept *:70000") + + def test_can_exit_to(self): """ Tests if exiting to this ip is allowed. """ - exit_policies = stem.exit_policy.ExitPolicy() - exit_policies = stem.exit_policy.ExitPolicy() - exit_policies.add("accept *:80") - exit_policies.add("accept *:443") - exit_policies.add("reject *:*") + exit_policies = stem.exit_policy.ExitPolicy("accept *:80", "accept *:443", "reject *:*") - self.assertTrue(exit_policies.check("192.168.0.50", 80)) - self.assertTrue(exit_policies.check("192.168.0.50", 443)) + self.assertTrue(exit_policies.can_exit_to("192.168.0.50", 80)) + self.assertTrue(exit_policies.can_exit_to("192.168.0.50", 443)) - self.assertFalse(exit_policies.check("192.168.0.50", 22)) - self.assertFalse(exit_policies.check("192.168.0.50", 8118)) + self.assertFalse(exit_policies.can_exit_to("192.168.0.50", 22)) + self.assertFalse(exit_policies.can_exit_to("192.168.0.50", 8118)) def test_is_exiting_allowed(self): """ Tests if this is an exit node """ - exit_policies = stem.exit_policy.ExitPolicy() - exit_policies = stem.exit_policy.ExitPolicy() - exit_policies.add("accept *:80") - exit_policies.add("accept *:443") - exit_policies.add("reject *:*") + exit_policies = stem.exit_policy.ExitPolicy("accept *:80", "accept *:443", "reject *:*") self.assertTrue(exit_policies.is_exiting_allowed()) - exit_policies = stem.exit_policy.ExitPolicy() - exit_policies = stem.exit_policy.ExitPolicy() - exit_policies.add("reject *:*") + exit_policies = stem.exit_policy.ExitPolicy("reject *:*") self.assertFalse(exit_policies.is_exiting_allowed()) diff --git a/test/unit/exit_policy/rule.py b/test/unit/exit_policy/rule.py index 13a414d..baebf96 100644 --- a/test/unit/exit_policy/rule.py +++ b/test/unit/exit_policy/rule.py @@ -70,10 +70,10 @@ class TestExitPolicyRule(unittest.TestCase): "accept 192.168.0.1:*": (False, True), "accept 192.168.0.1:80": (False, False), - "reject 127.0.0.1/0:*": (True, True), + "reject 127.0.0.1/0:*": (False, True), "reject 127.0.0.1/16:*": (False, True), "reject 127.0.0.1/32:*": (False, True), - "reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80": (True, False), + "reject [0000:0000:0000:0000:0000:0000:0000:0000]/0:80": (False, False), "reject [0000:0000:0000:0000:0000:0000:0000:0000]/64:80": (False, False), "reject [0000:0000:0000:0000:0000:0000:0000:0000]/128:80": (False, False),

1 0

[stem/master] Test for the set_default_allowed() method
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit 1936c4d5bdb861c34409a3e366e63035cce3a4a3 Author: Damian Johnson <atagar(a)torproject.org> Date: Tue Jul 17 08:29:56 2012 -0700 Test for the set_default_allowed() method --- test/unit/exit_policy/policy.py | 23 +++++++++++++++++++++++ 1 files changed, 23 insertions(+), 0 deletions(-) diff --git a/test/unit/exit_policy/policy.py b/test/unit/exit_policy/policy.py index a6eb00e..51d650c 100644 --- a/test/unit/exit_policy/policy.py +++ b/test/unit/exit_policy/policy.py @@ -35,6 +35,29 @@ class TestExitPolicy(unittest.TestCase): policy = ExitPolicy(*"accept *:80, accept *:443, reject *:*".split(",")) self.assertEquals(expected_policy, policy) + def test_set_default_allowed(self): + policy = ExitPolicy('reject *:80', 'accept *:443') + + # our default for being allowed defaults to True + self.assertFalse(policy.can_exit_to("75.119.206.243", 80)) + self.assertTrue(policy.can_exit_to("75.119.206.243", 443)) + self.assertTrue(policy.can_exit_to("75.119.206.243", 999)) + + policy.set_default_allowed(False) + self.assertFalse(policy.can_exit_to("75.119.206.243", 80)) + self.assertTrue(policy.can_exit_to("75.119.206.243", 443)) + self.assertFalse(policy.can_exit_to("75.119.206.243", 999)) + + # Our is_exiting_allowed() is also influcenced by this flag if we lack any + # 'accept' rules. + + policy = ExitPolicy() + self.assertTrue(policy.is_exiting_allowed()) + + policy.set_default_allowed(False) + self.assertFalse(policy.is_exiting_allowed()) + + def test_parsing(self): """ Tests parsing by the ExitPolicy class constructor.

1 0

[stem/master] Correcting and expanding summary() example
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit 384e78df0594c7d60af4b4a0096b12d4419db7f8 Author: Damian Johnson <atagar(a)torproject.org> Date: Tue Jul 17 07:58:14 2012 -0700 Correcting and expanding summary() example The ExitPolicy class no longer has a from_str() function. Also adding an example that better exemplifies how ranges work. --- stem/exit_policy.py | 6 +++++- 1 files changed, 5 insertions(+), 1 deletions(-) diff --git a/stem/exit_policy.py b/stem/exit_policy.py index 07886c3..fca6034 100644 --- a/stem/exit_policy.py +++ b/stem/exit_policy.py @@ -148,9 +148,13 @@ class ExitPolicy(object): :: - >>> policy = ExitPolicy.from_str("accept *:80, accept *:443, reject *:*") + >>> policy = ExitPolicy('accept *:80', 'accept *:443', 'reject *:*') >>> policy.summary() "accept 80, 443" + + >>> policy = ExitPolicy('accept *:443', 'reject *:1-1024', 'accept *:*') + >>> policy.summary() + "reject 1-442, 444-1024" :returns: str with a concise summary for our policy """

1 0

[stem/master] Tests for is_exiting_allowed() and can_exit_to()
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit ac5b8e74f4b07ee0e2ab25745519417711bdf576 Author: Damian Johnson <atagar(a)torproject.org> Date: Tue Jul 17 09:27:31 2012 -0700 Tests for is_exiting_allowed() and can_exit_to() Tests for a couple more ExitPolicy methods, and fixes for issues with is_exiting_allowed() that they revealed. --- stem/exit_policy.py | 12 ++++++-- test/unit/exit_policy/policy.py | 57 +++++++++++++++++++++----------------- 2 files changed, 40 insertions(+), 29 deletions(-) diff --git a/stem/exit_policy.py b/stem/exit_policy.py index 12cc11f..2d00553 100644 --- a/stem/exit_policy.py +++ b/stem/exit_policy.py @@ -131,11 +131,17 @@ class ExitPolicy(object): Provides True if the policy allows exiting whatsoever, False otherwise. """ + rejected_ports = set() for rule in self._rules: if rule.is_accept: - return True - elif rule.is_address_wildcard() and rule.is_port_wildcard(): - return False + for port in xrange(rule.min_port, rule.max_port + 1): + if not port in rejected_ports: + return True + elif rule.is_address_wildcard(): + if rule.is_port_wildcard(): + return False + else: + rejected_ports.update(range(rule.min_port, rule.max_port + 1)) return self._is_allowed_default diff --git a/test/unit/exit_policy/policy.py b/test/unit/exit_policy/policy.py index 51d650c..8b74998 100644 --- a/test/unit/exit_policy/policy.py +++ b/test/unit/exit_policy/policy.py @@ -57,6 +57,37 @@ class TestExitPolicy(unittest.TestCase): policy.set_default_allowed(False) self.assertFalse(policy.is_exiting_allowed()) + def test_can_exit_to(self): + # Basic sanity test for our can_exit_to() method. Most of the interesting + # use cases (ip masks, wildcards, etc) are covered by the ExitPolicyRule + # tests. + + policy = ExitPolicy('accept *:80', 'accept *:443', 'reject *:*') + + for i in xrange(1, 500): + ip_addr = "%i.%i.%i.%i" % (i / 2, i / 2, i / 2, i / 2) + expected_result = i in (80, 443) + + self.assertEquals(expected_result, policy.can_exit_to(ip_addr, i)) + self.assertEquals(expected_result, policy.can_exit_to(port = i)) + + def test_is_exiting_allowed(self): + test_inputs = { + (): True, + ('accept *:*', ): True, + ('reject *:*', ): False, + ('accept *:80', 'reject *:*'): True, + ('reject *:80', 'accept *:80', 'reject *:*'): False, + ('reject *:50-90', 'accept *:80', 'reject *:*'): False, + ('reject *:2-65535', 'accept *:80-65535', 'reject *:*'): False, + ('reject *:2-65535', 'accept 127.0.0.0:1', 'reject *:*'): True, + ('reject 127.0.0.1:*', 'accept *:80', 'reject *:*'): True, + } + + for rules, expected_result in test_inputs.items(): + policy = ExitPolicy(*rules) + self.assertEquals(expected_result, policy.is_exiting_allowed()) + def test_parsing(self): """ @@ -93,32 +124,6 @@ class TestExitPolicy(unittest.TestCase): self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept *:a") self.assertRaises(ValueError, stem.exit_policy.ExitPolicy, "accept *:70000") - def test_can_exit_to(self): - """ - Tests if exiting to this ip is allowed. - """ - - exit_policies = stem.exit_policy.ExitPolicy("accept *:80", "accept *:443", "reject *:*") - - self.assertTrue(exit_policies.can_exit_to("192.168.0.50", 80)) - self.assertTrue(exit_policies.can_exit_to("192.168.0.50", 443)) - - self.assertFalse(exit_policies.can_exit_to("192.168.0.50", 22)) - self.assertFalse(exit_policies.can_exit_to("192.168.0.50", 8118)) - - def test_is_exiting_allowed(self): - """ - Tests if this is an exit node - """ - - exit_policies = stem.exit_policy.ExitPolicy("accept *:80", "accept *:443", "reject *:*") - - self.assertTrue(exit_policies.is_exiting_allowed()) - - exit_policies = stem.exit_policy.ExitPolicy("reject *:*") - - self.assertFalse(exit_policies.is_exiting_allowed()) - def test_microdesc_exit_parsing(self): microdesc_exit_policy = stem.exit_policy.MicrodescriptorExitPolicy("accept 80,443")

1 0

[stem/master] Test and fix for the ExitPolicy's summary() method
by atagar＠torproject.org 19 Jul '12

19 Jul '12

commit c1ced39c89092a81dad3bd3d8ad3545296a64190 Author: Damian Johnson <atagar(a)torproject.org> Date: Tue Jul 17 09:47:21 2012 -0700 Test and fix for the ExitPolicy's summary() method Ok, I was being stupid. The performance issue for the summary() method was due to an O(n) lookup when checking if we had seen a port (which made, for instance, to full-port-range policies choke on a 65535^2 operation). Swapped to using a set instead to make it constant time. --- stem/exit_policy.py | 13 ++----------- test/unit/exit_policy/policy.py | 16 ++++++++++++++++ 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/stem/exit_policy.py b/stem/exit_policy.py index 2d00553..8a5f528 100644 --- a/stem/exit_policy.py +++ b/stem/exit_policy.py @@ -179,16 +179,7 @@ class ExitPolicy(object): # port's allow/reject policy, all further entries with that port are # ignored since policies respect the first matching policy. - # TODO: The following will be prohibitively expensive if someome has - # policy entries that aren't a wildcard, but covers most ports. For - # instance... - # - # accept 1025-65535 # just accepts non-privilaged ports - # - # On one hand handling ranges is a pita, but on the other this - # implementation is naive. Patches welcome. - - display_ports, skip_ports = [], [] + display_ports, skip_ports = [], set() for rule in self._rules: if not rule.is_address_wildcard(): continue @@ -202,7 +193,7 @@ class ExitPolicy(object): display_ports.append(port) # all further entries with this port should be ignored - skip_ports.append(port) + skip_ports.add(port) # convert port list to a list of ranges (ie, ['1-3'] rather than [1, 2, 3]) if display_ports: diff --git a/test/unit/exit_policy/policy.py b/test/unit/exit_policy/policy.py index 97cad1a..5b7324e 100644 --- a/test/unit/exit_policy/policy.py +++ b/test/unit/exit_policy/policy.py @@ -88,6 +88,22 @@ class TestExitPolicy(unittest.TestCase): policy = ExitPolicy(*rules) self.assertEquals(expected_result, policy.is_exiting_allowed()) + def test_summary_examples(self): + # checks the summary() method's pydoc examples + + policy = ExitPolicy('accept *:80', 'accept *:443', 'reject *:*') + self.assertEquals("accept 80, 443", policy.summary()) + + policy = ExitPolicy('accept *:443', 'reject *:1-1024', 'accept *:*') + self.assertEquals("reject 1-442, 444-1024", policy.summary()) + + def test_summary_large_ranges(self): + # checks the summary() method when the policy includes very large port ranges + + policy = ExitPolicy('reject *:80-65535', 'accept *:1-65533', 'reject *:*') + self.assertEquals("accept 1-79", policy.summary()) + + def test_microdesc_exit_parsing(self): microdesc_exit_policy = stem.exit_policy.MicrodescriptorExitPolicy("accept 80,443")

1 0

← Newer
1
...
45
46
47
48
49
50
51
...
95
Older →

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

tor-commits July 2012