As of 2019-10-03 development has moved to https://gitlab.com/arpa2/liba2common
This repository contains command-line tools and libraries to work with ARPA2 Identities, Selectors and ACLs.
Features:
- liba2id - library to parse and match A2IDs
- a2acl - command-line tool to test if communication between two A2IDs is allowed
- liba2acl - library to work with A2ACLs
- a2idmatch - command-line tool to test if an A2ID matches a selector
- Libraries are POSIX C89 without extra dependencies
Status: beta
Build requirements:
- A C89 compiler
- CMake >= 3.3
Run-time requirements:
- Any POSIX-compliant system
$ git clone https://github.com/arpa2/libarpa2service.git
$ cd libarpa2service/build
$ cmake ..
$ make
$ sudo make install
$ sudo ldconfigAfter the libraries are installed, make sure to include arpa2/a2id.h or
arpa2/a2acl.h in your source file and hint the compiler to include the a2id or
a2acl library with the -l flag.
$ cc -la2id yourcode.cFor further documentation please refer to ARPA2 Identifier and ACL introduction and the manpages:
Some examples on how-to use the two included command-line tools a2acl(1) and a2idmatch(1). If you're not yet familiar with ARPA2 IDs or ACLs, please see the ARPA2 Identifier and ACL introduction.
NOTE: the following example can be easily replayed by using the docker-demo:
git clone https://github.com/arpa2/docker-demo.git cd docker-demo/demo-acl docker build -t a2acl . docker run -it a2acl bash cd /root/arpa2
We are going to define the following policy:
- Whitelist all communication from anyone @ashop.example.com to tim+ashop@dev.arpa2.org
- Blacklist all communication from anyone @ashop.example.com to tim@dev.arpa2.org or any other alias of tim@dev.arpa2.org
- Abandon all communication from anyone @.tk to tim@dev.arpa2.org (or any alias)
- Blacklist all communication from anyone to tim@dev.arpa2.org (or any alias)
The above ACL policy is notated in the text file demopolicy as follows:
@ashop.example.com tim@dev.arpa2.org %W +ashop %B +
@.tk tim@dev.arpa2.org %A +
@. tim@dev.arpa2.org %B +
Each line in the file contains one ACL rule. A rule is a triplet of a remote selector, a local ID in core form, and one (or more) ACL segments. So the first rule can be broken down as follows:
- the remote selector:
@ashop.example.com - the local ID in core form:
tim@dev.arpa2.org - the ACL segments:
%W +ashopand%B +
Each ACL segment consists of the first letter of the list and an alias, %W and
+ashop, respectively. The alias must be combined with the local ID and would
yield tim+ashop@dev.arpa2.org. This holds for each ACL segment. The full meaning
of the first rule is that any communication from remote selector
@ashop.example.com to tim+ashop@dev.arpa2.org is whitelisted and any
communication from remote selector @ashop.example.com to tim@dev.arpa2.org
or any other alias of tim@dev.arpa2.org is blacklisted.
A couple of other things to note. Order is significant and the first match wins,
so if a rule matches, subsequent rules are not evaluated. Second, @.tk matches
any user at any subdomain of the .tk top-level domain. Third, @. is the
catch-all selector, matching any user at any domain. Fourth, the + alias in an
ACL segment matches any alias. And at last, the combination of a remote selector
and the local ID in core form must be unique. As said, for a detailed
explanation see ARPA2 Identifier and ACL introduction.
XXX The current rule syntax closely resembles the internal storage format which is fine for a machine, but not for human beings. At the same time it is vital that no mistakes are made, so expect a new import format somewhere in the future. Possibly something like the following (open for suggestions):
W @ashop.example.com tim+ashop@dev.arpa2.org B @ashop.example.com tim+@dev.arpa2.org A @.tk tim+@dev.arpa2.org B @. tim+@dev.arpa2.org
The policy can be used with a2acl(1) by testing different combinations of sender and receiver. The first test will check whether communication between order@ashop.example.com and tim@dev.arpa2.org is allowed according to the above policy.
$ a2acl demopolicy order@ashop.example.com tim@dev.arpa2.org
BThe result of this test is that communication between these two A2IDs is
blacklisted. The first letter of the list this pair is listed on is echoed back,
in this case the B of blacklist because it matches the second rule.
$ a2acl demopolicy order@ashop.example.com tim+ashop@dev.arpa2.org
WThis matches the first rule and the result is that communication between order@ashop.example.com and tim+ashop@dev.arpa2.org is whitelisted.
$ a2acl demopolicy some@one.com tim+analias@dev.arpa2.org
BThis matches the fourth rule and the result is that this communication pair is blacklisted.
$ a2acl demopolicy jane@somedomain.tk tim@dev.arpa2.org
AThis matches the third rule and communication between these two IDs is abandoned.
Remember that you can easily execute these examples yourself by using the docker-demo as noted at the beginning of this chapter.
This tool is created to easily experiment with A2IDs and A2ID Selectors. This way you can test whether a selector matches an ID.
For example, test whether the A2ID "john+dev@example.com" matches the A2ID selector "@example.com".
$ a2idmatch john+dev@example.com @example.com
MATCHOr test whether the A2ID "john@example.com" matches the A2ID selector "@.example.com".
$ a2idmatch john@example.com @.example.com
MISMATCHISC
Copyright (c) 2018, 2019 Tim Kuijsten
Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.