Lua Access Control Engine

• Index

Contents

• Functions

Modules

• lace
• lace.builtin
• lace.compiler
• lace.engine
• lace.error
• lace.lex

Manual

• 1. Lua Access Control Engine
• 2. Syntax
• 2.1 Definition statements
• 2.2 Include statements
• 2.3 Allow and Deny statements
• 2.4 The default statement
• 3. Compilation
• 4. Execution
• Helping with Development
• README

Module lace.builtin

Lace builtin commands and match types.

The builtin match types and commands provided by Lace. These commands and match types are supported automatically by all lace compiles. The builtin command default and the builtin commands allow and deny collude with the compiler to ensure that all compiled rulesets will always either explicitly allow or deny access.

Functions

get_set_last_unconditional_result (newv)	Internal function to get/set the last result for unconditional access.
get_set_last_result (newv)	Internal function to get/set the last result for access.
commands.allow (compcontext, result, reason[, ...])	Compile an allow or deny.
commands.default (compcontext, def, result, reason[, unwanted])	Compile a default command.
commands.define (compcontext, define, name, controltype[, ...])	Compile a definition command Definitions are a core behaviour of Lace.
commands.include (comp_context, cmd, file[, ...])	Compile an include command.

Functions

get_set_last_unconditional_result (newv)

Internal function to get/set the last result for unconditional access.

The last result (unconditional only) is stored so that defaults can be processed in the absence of a default statement.

This function exists to collude with lace.compiler.internal_compile so that it can synthesise default access statements if needed.

Parameters:

• newv string or nil The new value for the last access result. It should be one of allow, deny or a nil.

Returns:

string or nil The old (current) value for the last access result.

get_set_last_result (newv)

Internal function to get/set the last result for access.

The last result (conditional perhaps) is stored so that defaults can be processed in the absence of a default statement.

This function exists to collude with lace.compiler.internal_compile so that it can synthesise default access statements if needed.

Parameters:

• newv string or nil The new value for the last access result. It should be one of allow, deny or a nil.

Returns:

string or nil The old (current) value for the last access result.

commands.allow (compcontext, result, reason[, ...])

Compile an allow or deny.

(_Note: this is also commands.deny_)

Allowing and denying access is, after all, what access control lists are all about. This function compiles in an allow or deny statement including noting what kind of access statement it is and what

Parameters:

• compcontext table The compilation context
• result string The result to be compiled (allow or deny).
• reason string The reason to be returned to the user for this.
• ... string The conditions placed on this allow or deny. (optional)

Returns:

table The compiled allow/deny.

commands.default (compcontext, def, result, reason[, unwanted])

Compile a default command.

All rulesets must, ultimately, allow or deny access. The default command allows rulesets to define whether they are permissive (defaulting to allow) or proscriptive (defaulting to deny).

In addition, setting default causes a record to be made, preventing additional attempts to set a default access mode. This ensures that once the default has been selected, additional ruleset included (perhaps from untrusted sources) cannot change the default behaviour.

Parameters:

• compcontext table The compilation context
• def string The command which triggered this compilation. (default)
• result string The default result (allow or deny)
• reason string The reason to be given.
• unwanted * If unwanted is anything but nil, an error occurs. (optional)

Returns:

table A null command

commands.define (compcontext, define, name, controltype[, ...])

Compile a definition command

Definitions are a core behaviour of Lace. This builtin allows the ruleset to define additional conditions on which allow, deny and include can operate.

Parameters:

• compcontext table The compilation context.
• define string The word which triggered this compilation command. (define)
• name string The name being defined.
• controltype string The control type to be used. (Such as anyof, allof or any of the match types defined by the caller of the compiler).
• ... string The content of the definition (consumed by the match type compiler). (optional)

Returns:

table The compiled definition command.

commands.include (comp_context, cmd, file[, ...])

Compile an include command.

Compile a lace include command. This uses the exported internal loader function lace.compiler.internal_loader to find a loader and if it finds one, it uses the internal compilation function lace.compiler.internal_compile to compile the loaded source before constructing a runtime "inclusion" which deals with the conditions before running the sub-ruleset if appropriate.

Regardless of the conditions placed on the include statement, includes are always processed during compilation.

Parameters:

• comp_context table The compilation context
• cmd string The command which triggered this include command. (include or include?)
• file string The file (source name) to include.
• ... string Zero or more conditions under which the included content will be run by the engine. If there are no conditions then the include is unconditional. (optional)

Returns:

table The compiled inclusion command.