Acl (mavkit-libs.Mavryk_rpc_http_server.RPC

include module type of Resto_acl.Acl

type chunk_matcher = Resto_acl__Acl.chunk_matcher =

| Literal of string
| Wildcard

type path_matcher = Resto_acl__Acl.path_matcher =

| Exact of chunk_matcher list
| FollowedByAnySuffix of chunk_matcher list

type meth_matcher = Resto_acl__Acl.meth_matcher =

| Exact of Resto.meth
| Any

type matcher = Resto_acl__Acl.matcher = {

meth : meth_matcher;
path : path_matcher;

}

val parse : string -> matcher

val to_string : matcher -> string

type t = Resto_acl__Acl.t =

| Allow_all of {
1. except : matcher list;
}
| Deny_all of {
1. except : matcher list;
}

val allowed : t -> meth:Resto.meth -> path:string list -> bool

type policy

A policy for the whole RPC server is a set of access control lists for the different addresses that the RPC server listens to. It is represented as an association list mapping listening addresses (in string literal forms) to deny/access access policies.

val secure : t

Default ACL policy in case none is defined in configuration. It only exposes such endpoints that are necessary for the node to allow clients to make use of their Tez. It applies to all listening addresses except for localhost (see allow_all for this address).

val allow_all : t

An allow-all policy, which is the default for the localhost listening address.

val default : Mavryk_base.TzPervasives.P2p_addr.t -> t

Selects default ACL based on listening address. Selects allow_all for loopback addresses and secure for everything else.

val put_policy : 
  (Mavryk_base.TzPervasives.P2p_point.Id.addr_port_id * t) ->
  policy ->
  policy

Add an ACL for given address into the policy. Overrides previously existing policy for that address if any.

val empty_policy : policy

Empty ACL policy allows access to all endpoints. Currently it's the same as default below, but that will likely change in the future, therefore it's better to use default rather than this value. It's mainly intended for testing.

val policy_type : t -> string

policy_type p returns the "type" of p, either "Secure" or "AllowAll" or "Custom".

val policy_encoding : policy Mavryk_base.TzPervasives.Data_encoding.t

val policy_to_string : policy -> string

Returns the JSON representation of the policy.

val find_policy : policy -> (string * int option) -> t option

find_policy policy address looks for the address within the policy and returns corresponding access control list.

An ACL is considered matching if its corresponding IP part matches the IP part of the address and either:

its corresponding port also matches address's port OR
its corresponding address does not mention any port at all.

The first ACL whose corresponding address matches these criteria is returned.

val matcher_to_string : matcher -> string

Returns string representation of a given matcher. Useful for testing.

val acl_type : t -> [ `Whitelist | `Blacklist ]

Returns the ACL type, either `Whitelist or `Blacklist.

Replace domain-name addresses in the policy with the IP addresses they resolve to.

resolve_domain_names p returns a policy equivalent to p but with all domain-name addresses resolved to IPs. This is useful to make it easier to match them with listening addresses given to the server.

val resolve_domain_names : policy -> policy Lwt.t

module Internal_for_test : sig ... end