HPCC-24475 Move over to allowlist

Signed-off-by: Jake Smith <jake.smith@lexisnexisrisk.com>

dali/base/dadiags.cpp

@@ -256,11 +256,12 @@ public:
                     bool success = querySDSServer().setSDSDebug(arr, reply);
                     mb.append(success).append(reply);
                 }
-                else if (0 == stricmp(id, "whitelist")) {
+                else if (strieq(id, "whitelist") || strieq(id, "allowlist")) // NB: "whitelist" is deprecated
+                {
                     Owned<IMPServer> mpServer = getMPServer();
-                    IWhiteListHandler *whiteListHandler = mpServer->queryWhiteListCallback();
-                    if (whiteListHandler)
-                        mb.append(whiteListHandler->getWhiteList(buf).str());
+                    IAllowListHandler *allowListHandler = mpServer->queryAllowListCallback();
+                    if (allowListHandler)
+                        mb.append(allowListHandler->getAllowList(buf).str());
                 }
                 else
                     mb.append(StringBuffer("UNKNOWN OPTION: ").append(id).str());

dali/base/dasds.cpp

@@ -6488,9 +6488,9 @@ void CCovenSDSManager::saveDelta(const char *path, IPropertyTree &changeTree)
         if (startsWith(path, "/Environment") || (streq(path, "/") && changeTree.hasProp("*[@name=\"Environment\"]")))
         {
             Owned<IMPServer> mpServer = getMPServer();
-            IWhiteListHandler *whiteListHandler = mpServer->queryWhiteListCallback();
-            if (whiteListHandler)
-                whiteListHandler->refresh();
+            IAllowListHandler *allowListHandler = mpServer->queryAllowListCallback();
+            if (allowListHandler)
+                allowListHandler->refresh();
             PROGLOG("Dali Environment updated, path = %s", path);
             return;
         }

dali/dalidiag/dalidiag.cpp

@@ -42,7 +42,7 @@ void usage(const char *exe)
     printf("-sdsstats           -- SDS statistics\n");
     printf("-sdssubscribers     -- list active SDS subscribers\n");
     printf("-connections        -- list SDS connections\n");
-    printf("-whitelist          -- list white list\n");
+    printf("-allowlist          -- list entries in allowlist\n");
     printf("-threads            -- running threads\n");
     printf("-mpqueue            -- list waiting MP queue items\n");
     printf("-clients            -- list connected Dali clients\n");

dali/server/daserver.cpp

@@ -142,7 +142,7 @@ void usage(void)
 /* NB: Ideally this belongs within common/environment,
  * however, that would introduce a circular dependency.
  */
-static bool populateWhiteListFromEnvironment(IWhiteListWriter &writer)
+static bool populateAllowListFromEnvironment(IAllowListWriter &writer)
 {
     if (isContainerized())
         return false;
@@ -151,14 +151,20 @@ static bool populateWhiteListFromEnvironment(IWhiteListWriter &writer)
     if (!conn->queryRoot()->hasProp("Software/DaliServerProcess"))
         return false;
 
-    // only ever expecting 1 DaliServerProcess and 1 WhiteList
-    const IPropertyTree *whiteListTree = conn->queryRoot()->queryPropTree("Software/DaliServerProcess[1]/WhiteList[1]");
+    // only ever expecting 1 DaliServerProcess and 1 AllowList
+    const IPropertyTree *allowListTree = conn->queryRoot()->queryPropTree("Software/DaliServerProcess[1]/AllowList[1]");
+    if (!allowListTree)
+    {
+        // deprecated, but for backward compatibility..
+        allowListTree = conn->queryRoot()->queryPropTree("Software/DaliServerProcess[1]/WhiteList[1]");
+    }
+
     bool enabled = true;
-    if (whiteListTree)
+    if (allowListTree)
     {
-        enabled = whiteListTree->getPropBool("@enabled", true); // on by default
-        // Default for now is to allow clients that send no role (legacy) to connect if their IP is whitelisted.
-        writer.setAllowAnonRoles(whiteListTree->getPropBool("@allowAnonRoles", true));
+        enabled = allowListTree->getPropBool("@enabled", true); // on by default
+        // Default for now is to allow clients that send no role (legacy) to connect if their IP is in allowlist.
+        writer.setAllowAnonRoles(allowListTree->getPropBool("@allowAnonRoles", true));
     }
 
     std::unordered_map<std::string, std::string> machineMap;
@@ -311,12 +317,12 @@ static bool populateWhiteListFromEnvironment(IWhiteListWriter &writer)
         }
     }
 
-    if (whiteListTree)
+    if (allowListTree)
     {
-        Owned<IPropertyTreeIterator> whiteListIter = whiteListTree->getElements("Entry");
-        ForEach(*whiteListIter)
+        Owned<IPropertyTreeIterator> allowListIter = allowListTree->getElements("Entry");
+        ForEach(*allowListIter)
         {
-            const IPropertyTree &entry = whiteListIter->query();
+            const IPropertyTree &entry = allowListIter->query();
             StringArray hosts, roles;
             hosts.appendListUniq(entry.queryProp("@hosts"), ",");
             roles.appendListUniq(entry.queryProp("@roles"), ",");
@@ -607,8 +613,8 @@ int main(int argc, const char* argv[])
         unsigned short myport = epa.item(myrank).port;
         startMPServer(DCR_DaliServer, myport, true, true);
         Owned<IMPServer> mpServer = getMPServer();
-        Owned<IWhiteListHandler> whiteListHandler = createWhiteListHandler(populateWhiteListFromEnvironment, formatDaliRole);
-        mpServer->installWhiteListCallback(whiteListHandler);
+        Owned<IAllowListHandler> allowListHandler = createAllowListHandler(populateAllowListFromEnvironment, formatDaliRole);
+        mpServer->installAllowListCallback(allowListHandler);
 #ifndef _CONTAINERIZED
         setMsgLevel(fileMsgHandler, serverConfig->getPropInt("SDS/@msgLevel", 100));
 #endif

system/jlib/jsocket.cpp

@@ -6954,9 +6954,9 @@ bool isIPAddress(const char *ip)
 }
 
 
-class CWhiteListHandler : public CSimpleInterfaceOf<IWhiteListHandler>, implements IWhiteListWriter
+class CAllowListHandler : public CSimpleInterfaceOf<IAllowListHandler>, implements IAllowListWriter
 {
-    typedef CSimpleInterfaceOf<IWhiteListHandler> PARENT;
+    typedef CSimpleInterfaceOf<IAllowListHandler> PARENT;
 
     struct PairHasher
     {
@@ -6969,11 +6969,11 @@ class CWhiteListHandler : public CSimpleInterfaceOf<IWhiteListHandler>, implemen
         }
     };
 
-    using WhiteListHT = std::unordered_set<std::pair<std::string, unsigned __int64>, PairHasher>;
-    WhiteListPopulateFunction populateFunc;
-    WhiteListFormatFunction roleFormatFunc;
-    std::unordered_set<std::pair<std::string, unsigned __int64>, PairHasher> whiteList;
-    std::unordered_set<std::string> IPOnlyWhiteList;
+    using AllowListHT = std::unordered_set<std::pair<std::string, unsigned __int64>, PairHasher>;
+    AllowListPopulateFunction populateFunc;
+    AllowListFormatFunction roleFormatFunc;
+    std::unordered_set<std::pair<std::string, unsigned __int64>, PairHasher> allowList;
+    std::unordered_set<std::string> IPOnlyAllowList;
     bool allowAnonRoles = false;
     mutable CriticalSection populatedCrit;
     mutable bool populated = false;
@@ -6985,17 +6985,17 @@ class CWhiteListHandler : public CSimpleInterfaceOf<IWhiteListHandler>, implemen
         if (populated)
             return;
         // NB: want to keep this method const, as used by isXX functions that are const, but if need to refresh it's effectively mutable
-        enabled = populateFunc(* const_cast<IWhiteListWriter *>((const IWhiteListWriter *)this));
+        enabled = populateFunc(* const_cast<IAllowListWriter *>((const IAllowListWriter *)this));
         populated = true;
     }
 public:
     IMPLEMENT_IINTERFACE_O_USING(PARENT);
 
-    CWhiteListHandler(WhiteListPopulateFunction _populateFunc, WhiteListFormatFunction _roleFormatFunc) : populateFunc(_populateFunc), roleFormatFunc(_roleFormatFunc)
+    CAllowListHandler(AllowListPopulateFunction _populateFunc, AllowListFormatFunction _roleFormatFunc) : populateFunc(_populateFunc), roleFormatFunc(_roleFormatFunc)
     {
     }
-// IWhiteListHandler impl.
-    virtual bool isWhiteListed(const char *ip, unsigned __int64 role, StringBuffer *responseText) const override
+// IAllowListHandler impl.
+    virtual bool isAllowListed(const char *ip, unsigned __int64 role, StringBuffer *responseText) const override
     {
         CriticalBlock block(populatedCrit);
         ensurePopulated();
@@ -7003,15 +7003,15 @@ public:
         {
             if (allowAnonRoles)
             {
-                const auto &it = IPOnlyWhiteList.find(ip);
-                if (it != IPOnlyWhiteList.end())
+                const auto &it = IPOnlyAllowList.find(ip);
+                if (it != IPOnlyAllowList.end())
                     return true;
             }
         }
         else
         {
-            const auto &it = whiteList.find({ip, role});
-            if (it != whiteList.end())
+            const auto &it = allowList.find({ip, role});
+            if (it != allowList.end())
                 return true;
         }
 
@@ -7034,22 +7034,22 @@ public:
                 else
                     responseText->append(role);
             }
-            responseText->append("] not whitelisted");
+            responseText->append("] not in allowlist");
         }
 
         if (enabled)
             return false;
         else
         {
-            OWARNLOG("WhiteListing is disabled, ignoring: %s", responseText->str());
+            OWARNLOG("Allowlist is disabled, ignoring: %s", responseText->str());
             return true;
         }
     }
-    virtual StringBuffer &getWhiteList(StringBuffer &out) const override
+    virtual StringBuffer &getAllowList(StringBuffer &out) const override
     {
         CriticalBlock block(populatedCrit);
         ensurePopulated();
-        for (const auto &it: whiteList)
+        for (const auto &it: allowList)
         {
             out.append(it.first.c_str()).append(", ");
             if (roleFormatFunc)
@@ -7058,7 +7058,7 @@ public:
                 out.append(it.second);
             out.newline();
         }
-        out.newline().appendf("Whitelisting is currently: %s", enabled ? "enabled" : "disabled").newline();
+        out.newline().appendf("Allowlist is currently: %s", enabled ? "enabled" : "disabled").newline();
         return out;
     }
     virtual void refresh() override
@@ -7068,17 +7068,17 @@ public:
          */
         CriticalBlock block(populatedCrit);
         enabled = true;
-        whiteList.clear();
-        IPOnlyWhiteList.clear();
+        allowList.clear();
+        IPOnlyAllowList.clear();
         populated = false;
     }
-// IWhiteListWriter impl.
+// IAllowListWriter impl.
     virtual void add(const char *ip, unsigned __int64 role) override
     {
         // NB: called via populateFunc, which is called whilst populatedCrit is locked.
-        whiteList.insert({ ip, role });
+        allowList.insert({ ip, role });
         if (allowAnonRoles)
-            IPOnlyWhiteList.insert(ip);
+            IPOnlyAllowList.insert(ip);
     }
     virtual void setAllowAnonRoles(bool tf) override
     {
@@ -7087,9 +7087,9 @@ public:
     }
 };
 
-IWhiteListHandler *createWhiteListHandler(WhiteListPopulateFunction populateFunc, WhiteListFormatFunction roleFormatFunc)
+IAllowListHandler *createAllowListHandler(AllowListPopulateFunction populateFunc, AllowListFormatFunction roleFormatFunc)
 {
-    return new CWhiteListHandler(populateFunc, roleFormatFunc);
+    return new CAllowListHandler(populateFunc, roleFormatFunc);
 }
 
 static_assert(sizeof(IpAddress) == 16, "check size of IpAddress");

system/jlib/jsocket.hpp

@@ -646,22 +646,22 @@ extern jlib_decl bool isIPV4(const char *ip);
 extern jlib_decl bool isIPV6(const char *ip);
 extern jlib_decl bool isIPAddress(const char *ip);
 
-interface IWhiteListHandler : extends IInterface
+interface IAllowListHandler : extends IInterface
 {
-    virtual bool isWhiteListed(const char *ip, unsigned __int64 role, StringBuffer *responseText=nullptr) const = 0;
-    virtual StringBuffer &getWhiteList(StringBuffer &out) const = 0;
+    virtual bool isAllowListed(const char *ip, unsigned __int64 role, StringBuffer *responseText=nullptr) const = 0;
+    virtual StringBuffer &getAllowList(StringBuffer &out) const = 0;
     virtual void refresh() = 0;
 };
 
-interface IWhiteListWriter : extends IInterface
+interface IAllowListWriter : extends IInterface
 {
     virtual void add(const char *ip, unsigned __int64 role) = 0;
     virtual void setAllowAnonRoles(bool tf) = 0;
 };
 
-typedef std::function<bool(IWhiteListWriter &)> WhiteListPopulateFunction;
-typedef std::function<StringBuffer &(StringBuffer &, unsigned __int64)> WhiteListFormatFunction;
-extern jlib_decl IWhiteListHandler *createWhiteListHandler(WhiteListPopulateFunction populateFunc, WhiteListFormatFunction roleFormatFunc = {}); // format function optional
+typedef std::function<bool(IAllowListWriter &)> AllowListPopulateFunction;
+typedef std::function<StringBuffer &(StringBuffer &, unsigned __int64)> AllowListFormatFunction;
+extern jlib_decl IAllowListHandler *createAllowListHandler(AllowListPopulateFunction populateFunc, AllowListFormatFunction roleFormatFunc = {}); // format function optional
 
 #endif
 

system/mp/mpcomm.cpp

@@ -441,7 +441,7 @@ class CMPConnectThread: public Thread
     CMPServer *parent;
     int mpSoMaxConn;
     unsigned mpTraceLevel;
-    Owned<IWhiteListHandler> whiteListCallback;
+    Owned<IAllowListHandler> allowListCallback;
     void checkSelfDestruct(void *p,size32_t sz);
 
 public:
@@ -461,13 +461,13 @@ public:
                 printf("CMPConnectThread::stop timed out\n");
         }
     }
-    void installWhiteListCallback(IWhiteListHandler *_whiteListCallback)
+    void installAllowListCallback(IAllowListHandler *_allowListCallback)
     {
-        whiteListCallback.set(_whiteListCallback);
+        allowListCallback.set(_allowListCallback);
     }
-    IWhiteListHandler *queryWhiteListCallback() const
+    IAllowListHandler *queryAllowListCallback() const
     {
-        return whiteListCallback;
+        return allowListCallback;
     }
 };
 
@@ -584,13 +584,13 @@ public:
                 break;
         }
     }
-    virtual void installWhiteListCallback(IWhiteListHandler *whiteListCallback) override
+    virtual void installAllowListCallback(IAllowListHandler *allowListCallback) override
     {
-        connectthread->installWhiteListCallback(whiteListCallback);
+        connectthread->installAllowListCallback(allowListCallback);
     }
-    virtual IWhiteListHandler *queryWhiteListCallback() const override
+    virtual IAllowListHandler *queryAllowListCallback() const override
     {
-        return connectthread->queryWhiteListCallback();
+        return connectthread->queryAllowListCallback();
     }
 };
 
@@ -2129,12 +2129,12 @@ int CMPConnectThread::run()
                     }
                 }
 
-                if (whiteListCallback)
+                if (allowListCallback)
                 {
                     StringBuffer ipStr;
                     peerEp.getIpText(ipStr);
                     StringBuffer responseText; // filled if denied
-                    if (!whiteListCallback->isWhiteListed(ipStr, connectHdr.getRole(), &responseText))
+                    if (!allowListCallback->isAllowListed(ipStr, connectHdr.getRole(), &responseText))
                     {
                         Owned<IException> e = makeStringException(-1, responseText);
                         OWARNLOG(e, nullptr);

system/mp/mpcomm.hpp

@@ -100,8 +100,8 @@ interface IMPServer : extends IInterface
     virtual void stop() = 0;
     virtual INode *queryMyNode() = 0;
     virtual void setOpt(MPServerOpts opt, const char *value) = 0;
-    virtual void installWhiteListCallback(IWhiteListHandler *whiteListCallback) = 0;
-    virtual IWhiteListHandler *queryWhiteListCallback() const = 0;
+    virtual void installAllowListCallback(IAllowListHandler *allowListCallback) = 0;
+    virtual IAllowListHandler *queryAllowListCallback() const = 0;
 };
 
 extern mp_decl void startMPServer(unsigned port, bool paused=false, bool listen=false);