adding Glacier2.Filter.Regex.Order property and tests

5 files changed, 60 insertions, 30 deletions

diff --git a/cpp/config/PropertyNames.def b/cpp/config/PropertyNames.def
index be911ee4932..41bd6ca5b8e 100644
--- a/cpp/config/PropertyNames.def
+++ b/cpp/config/PropertyNames.def
@@ -363,6 +363,7 @@ Glacier2:
     Client.Trace.Request
     Filter.Regex.Reject
     Filter.Regex.Accept
+    Filter.Regex.Order
     Filter.MaxProxyLength
     CryptPasswords
     InstanceName
diff --git a/cpp/src/Glacier2/ProxyVerifier.cpp b/cpp/src/Glacier2/ProxyVerifier.cpp
index 5f14e855b9c..8028448ff10 100644
--- a/cpp/src/Glacier2/ProxyVerifier.cpp
+++ b/cpp/src/Glacier2/ProxyVerifier.cpp
@@ -26,6 +26,21 @@ using namespace Ice;
 //
 namespace Glacier2
 {
+//
+// Helper function for checking a rule set. 
+//
+static bool
+match(const vector<ProxyRule*>& rules, const ObjectPrx& proxy)
+{
+    for(vector<ProxyRule*>::const_iterator i = rules.begin(); i != rules.end(); ++i)
+    {
+	if((*i)->check(proxy))
+	{
+	    return true;
+	}
+    }
+    return false;
+}
 
 //
 // RegexRule returns true if the proxy matches the configured regular
@@ -152,6 +167,8 @@ Glacier2::ProxyVerifier::ProxyVerifier(const CommunicatorPtr& communicator, cons
     {
 	_rejectRules.push_back(new MaxEndpointsRule(communicator, s, _traceLevel));
     }
+    _rejectOverrides =
+	communicator->getProperties()->getPropertyAsIntWithDefault("Glacier2.Filter.Regex.Order", 0) == 0;
 }
 
 Glacier2::ProxyVerifier::~ProxyVerifier()
@@ -184,51 +201,61 @@ Glacier2::ProxyVerifier::verify(const ObjectPrx& proxy)
 	//
 	// If there are no reject rules, we assume "reject all".
 	//
-	bool matched = false;
-	for(vector<ProxyRule*>::const_iterator i = _acceptRules.begin(); i != _acceptRules.end() && !matched; ++i)
-	{
-	    matched = (*i)->check(proxy);
-	}
-	result = matched;
+	result = match(_acceptRules, proxy);
     }
     else if(_acceptRules.size() == 0)
     {
 	//
 	// If no accept rules are defined we assume accept all.
 	//
-	bool matched = false;
-	for(vector<ProxyRule*>::const_iterator i = _rejectRules.begin(); i != _rejectRules.end() && !matched; ++i)
-	{
-	    matched = (*i)->check(proxy);
-	}
-	result = !matched;
+	result = !match(_rejectRules, proxy);
     }
     else
     {
 	//
-	// Reject first, then accept.
+	// _rejectOverrides indicates that any accept rules can be
+	// overriden by a reject rule. This allows the user to refine
+	// the allow filter's without having to specify exclusions in
+	// the accept filter's regular expression. Conversely if
+	// rejectOverrides is not set then accept rules are allowed to
+	// override any reject rules that match.
 	//
-	bool matched = false;
-	for(vector<ProxyRule*>::const_iterator i = _rejectRules.begin(); i != _rejectRules.end() && !matched; ++i)
-	{
-	    matched = (*i)->check(proxy);
-	}
-
-	if(!matched)
+	// Note that there is implicit additional meaning in the
+	// _rejectOverrides. If true, then the overall evaluation
+	// context is 'default reject'. Otherwise there would be no
+	// point in considering the allow filters and we might as well
+	// just check the reject filters. Conversely, if false then
+	// overall context is 'default accept'. Otherwise the accept
+	// filters would be meaningless, only the reject filters would
+	// matter.
+	//
+	if(_rejectOverrides)
 	{
+	    result = match(_acceptRules, proxy);
+	    
 	    //
-	    // The proxy wasn't rejected, so there isn't any point in
-	    // running the accept rules.
+	    // In this context we are default reject, there is no point
+	    // of running the reject filters if there is no accept
+	    // match.
 	    //
-	    return true;
+	    if(result)
+	    {
+		result = !match(_rejectRules, proxy);
+	    }
 	}
-
-	matched = false;
-	for(vector<ProxyRule*>::const_iterator j = _acceptRules.begin(); j != _acceptRules.end() && !matched; ++j)
+	else
 	{
-	    matched = (*j)->check(proxy);
+	    //
+	    // In this context we are default accept, there is not point
+	    // of running the accept filters if there is no rejection
+	    // match.
+	    //
+	    result = !match(_rejectRules, proxy);
+	    if(!result)
+	    {
+		result = match(_acceptRules, proxy);
+	    }
 	}
-	result = matched;
     }
 
     //
diff --git a/cpp/src/Glacier2/ProxyVerifier.h b/cpp/src/Glacier2/ProxyVerifier.h
index a7e1e73b97d..5045ec7a5e6 100644
--- a/cpp/src/Glacier2/ProxyVerifier.h
+++ b/cpp/src/Glacier2/ProxyVerifier.h
@@ -50,6 +50,7 @@ private:
 
     std::vector<ProxyRule*> _acceptRules;
     std::vector<ProxyRule*> _rejectRules;
+    bool _rejectOverrides;
 };
 
 }
diff --git a/cpp/src/Ice/PropertyNames.cpp b/cpp/src/Ice/PropertyNames.cpp
index 2d83f60a053..6916ca4d50f 100644
--- a/cpp/src/Ice/PropertyNames.cpp
+++ b/cpp/src/Ice/PropertyNames.cpp
@@ -7,7 +7,7 @@
 //
 // **********************************************************************
 
-// Generated by makeprops.py from file `../config/PropertyNames.def', Mon May  1 12:13:27 2006
+// Generated by makeprops.py from file `../config/PropertyNames.def', Tue May  2 10:18:08 2006
 
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!
 
@@ -283,6 +283,7 @@ const char* IceInternal::PropertyNames::Glacier2Props[] =
     "Glacier2.Client.Trace.Request",
     "Glacier2.Filter.Regex.Reject",
     "Glacier2.Filter.Regex.Accept",
+    "Glacier2.Filter.Regex.Order",
     "Glacier2.Filter.MaxProxyLength",
     "Glacier2.CryptPasswords",
     "Glacier2.InstanceName",
diff --git a/cpp/src/Ice/PropertyNames.h b/cpp/src/Ice/PropertyNames.h
index 759eae8835f..4d4c707ae4e 100644
--- a/cpp/src/Ice/PropertyNames.h
+++ b/cpp/src/Ice/PropertyNames.h
@@ -7,7 +7,7 @@
 //
 // **********************************************************************
 
-// Generated by makeprops.py from file `../config/PropertyNames.def', Mon May  1 12:13:27 2006
+// Generated by makeprops.py from file `../config/PropertyNames.def', Tue May  2 10:18:08 2006
 
 // IMPORTANT: Do not edit this file -- any edits made here will be lost!