domain-auth-0.2.2: Network/DomainAuth/SPF/Eval.hs
module Network.DomainAuth.SPF.Eval (
evalSPF
, Limit(..)
, defaultLimit
) where
import Data.IORef
import Data.IP
import Data.Maybe
import Network.DomainAuth.SPF.Types
import Network.DomainAuth.Types
-- | Limit for SPF authentication.
data Limit = Limit {
-- | How many \"redirect\"/\"include\" should be followed.
-- 'DAPermError' is returned if reached to this limit.
limit :: Int
-- | Ignoring IPv4 range whose mask length is shorter than this.
, ipv4_masklen :: Int
-- | Ignoring IPv6 range whose mask length is shorter than this.
, ipv6_masklen :: Int
-- | Whether or not \"+all\" is rejected.
, reject_plus_all :: Bool
} deriving (Eq, Show)
-- | Default value for 'Limit'.
--
-- >>> defaultLimit
-- Limit {limit = 10, ipv4_masklen = 16, ipv6_masklen = 48, reject_plus_all = True}
defaultLimit :: Limit
defaultLimit = Limit {
limit = 10
, ipv4_masklen = 16
, ipv6_masklen = 48
, reject_plus_all = True
}
----------------------------------------------------------------
evalSPF :: Limit -> IP -> [IO SpfSeq] -> IO DAResult
evalSPF lim ip ss = do
ref <- newIORef (0 :: Int)
fromJust <$> evalspf ref lim ip ss
----------------------------------------------------------------
evalspf :: IORef Int -> Limit -> IP -> [IO SpfSeq] -> IO (Maybe DAResult)
evalspf _ _ _ [] = return (Just DANeutral) -- default result
evalspf ref lim ip (s:ss) = do
cnt <- readIORef ref
if cnt > limit lim
then return (Just DAPermError) -- reached the limit
else do
mres <- eval ref lim ip s
case mres of
Nothing -> evalspf ref lim ip ss
res -> return res
----------------------------------------------------------------
-- Follow N of redirect/include. But the last one is not
-- evaluated.
eval :: IORef Int -> Limit -> IP -> IO SpfSeq -> IO (Maybe DAResult)
eval ref lim ip is = do
cnt <- readIORef ref
s <- is
case s of
SS_All q -> if q == Q_Pass && reject_plus_all lim
then result DAPermError
else ret q
SS_IPv4Range q ipr
| nastyMask4 lim ipr -> result DAPermError
| ipv4 ip `isMatchedTo` ipr -> ret q
| otherwise -> continue
SS_IPv4Ranges q iprs
| any (nastyMask4 lim) iprs -> result DAPermError
| any (ipv4 ip `isMatchedTo`) iprs -> ret q
| otherwise -> continue
SS_IPv6Range q ipr
| nastyMask6 lim ipr -> result DAPermError
| ipv6 ip `isMatchedTo` ipr -> ret q
| otherwise -> continue
SS_IPv6Ranges q iprs
| any (nastyMask6 lim) iprs -> result DAPermError
| any (ipv6 ip `isMatchedTo`) iprs -> ret q
| otherwise -> continue
SS_IF_Pass q ss -> do
writeIORef ref (cnt + 1)
r <- evalspf ref lim ip ss
if r == Just DAPass
then ret q
else continue
SS_SpfSeq ss -> do
writeIORef ref (cnt + 1)
evalspf ref lim ip ss
where
ret = return . Just . toEnum . fromEnum
result = return . Just
continue = return Nothing
nastyMask4 st ipr = mlen ipr < ipv4_masklen st
nastyMask6 st ipr = mlen ipr < ipv6_masklen st