introduce a new 'order' keyword in the ACL rules (see #305)

b558c117 · Benjamin "Ziirish" SANS · 85e513bf · b558c117 · b558c117 · b558c117
Commit b558c117 authored Sep 25, 2019 by Benjamin "Ziirish" SANS
Showing with 92 additions and 76 deletions

CHANGELOG.rst CHANGELOG.rst +1 -0

burpui/app.py burpui/app.py +2 -1

burpui/misc/acl/meta.py burpui/misc/acl/meta.py +73 -75

docs/advanced_usage.rst docs/advanced_usage.rst +16 -0

No files found.
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -11,6 +11,7 @@ Current
 - Add: new `audit logging <https://git.ziirish.me/ziirish/burp-ui/issues/260>`_ system
 - Add: new ``bui-monitor`` processes pool + ``async`` backend to parallelize some requests `#278 <https://git.ziirish.me/ziirish/burp-ui/issues/278>`_ 
 - Add: new `listen` and `listen_status` options in burp-2.2.10 `#279 <https://git.ziirish.me/ziirish/burp-ui/issues/279>`_ 
+- Add: new `order` keyword in ACL definitions in order to decide whether `rw` should be evaluated first or not `#305 <https://git.ziirish.me/ziirish/burp-ui/issues/305>`__
 - Add: allow to hide selected clients/servers `#282 <https://git.ziirish.me/ziirish/burp-ui/issues/282>`_
 - Add: allow to delete clients data upon removal `#232 <https://git.ziirish.me/ziirish/burp-ui/issues/232>`_
 - Add: allow to create clients from templates in one call `#266 <https://git.ziirish.me/ziirish/burp-ui/issues/266>`_

--- a/burpui/app.py
+++ b/burpui/app.py
@@ -10,6 +10,7 @@ jQuery/Bootstrap
 .. moduleauthor:: Ziirish <hi+burpui@ziirish.me>
 """
 import os
+import sys
 import json
 import time
 import logging
@@ -116,7 +117,7 @@ def create_app(conf=None, verbose=0, logfile=None, **kwargs):
    logger.info('Using configuration: {}'.format(app.config['CFG']))

    app.setup(app.config['CFG'], unittest, cli)
-    if cli and not websocket_server:
+    if cli and not websocket_server and 'shell' not in sys.argv:
        return app

    if debug:

--- a/burpui/misc/acl/meta.py
+++ b/burpui/misc/acl/meta.py
--- a/docs/advanced_usage.rst
+++ b/docs/advanced_usage.rst
@@ -787,6 +787,22 @@ keyword.
  deletable), you can also create/update/delete client configuration files.


+Since *v0.7.0*, you can also define an additional ``order`` keyword in order
+to specify in which order the ACL engine should evaluate the rules (should we
+match ``ro`` first or ``rw``). The default evaluation order is ``rw`` then ``ro``.
+Example:
+
+::
+
+    myuser = '{"agents": {"agent1": {"order": ["ro", "rw"], "ro": ["client.specific.*"], "rw": ["client.*"]}}}'
+
+
+With the above rule, the engine will treat ``client.specific.test`` as ``ro``
+whereas without the ``order`` keywoard, ``client.specific.test`` would have
+matched the ``rw`` rule first and thus would be considered as ``rw``.
+
+
+
 About the ``inverse_inheritance`` option, here is a concrete example. We assume
 you have this piece of configuration: