feat: Acl Support (#1073)

Author: Guy Bedford

.github/workflows/main.yml

@@ -14,7 +14,7 @@ env:
   viceroy_version: 0.12.2
   # Note: when updated, also update version in ensure-cargo-installs ! AND ! release-please.yml
   wasm-tools_version: 1.216.0
-  fastly-cli_version: 10.13.3
+  fastly-cli_version: 10.19.0
 
 jobs:
   check-changelog:

documentation/docs/acl/Acl/open.mdx

@@ -0,0 +1,20 @@
+---
+hide_title: false
+hide_table_of_contents: false
+pagination_next: null
+pagination_prev: null
+---
+
+# Acl.open()
+
+Opens the ACL with the given name, returning a new `Acl` instance with the given name on success.
+
+## Syntax
+
+```js
+Acl.open(name)
+```
+
+### Return value
+
+An `Acl` instance.

documentation/docs/acl/Acl/prototype/lookup.mdx

@@ -0,0 +1,38 @@
+---
+hide_title: false
+hide_table_of_contents: false
+pagination_next: null
+pagination_prev: null
+---
+
+# Acl.prototype.lookup()
+
+The **`lookup(ipAddress)`** method returns the name associated with the `Acl` instance.
+
+## Syntax
+
+```js
+acl.lookup(ipAddress)
+```
+
+### Parameters
+
+- `ipAddress` _: string_
+  - IPv4 or IPv6 address to lookup
+
+### Return value
+
+An Object of the form `{ action: 'ALLOW' | 'BlOCK', prefix: string }`, where `prefix` is the IP
+address prefix that was matched in the ACL.
+
+## Example
+
+```js
+/// <reference types="@fastly/js-compute" />
+import { Acl } from 'fastly:acl';
+addEventListener('fetch', async (evt) => {
+  const myAcl = Acl.open('myacl');
+  const { action, prefix } = await myAcl.lookup(evt.client.address);
+  evt.respondWith(new Response(action === 'BLOCK' ? 'blocked' : 'allowed'));
+});
+```

integration-tests/js-compute/env.js

@@ -4,5 +4,6 @@ export function getEnv(serviceName) {
     CONFIG_STORE_NAME: `testconfig${serviceName ? '__' + serviceName.replace(/-/g, '_') : ''}`,
     KV_STORE_NAME: `example-test-kv-store${serviceName ? '--' + serviceName : ''}`,
     SECRET_STORE_NAME: `example-test-secret-store${serviceName ? '--' + serviceName : ''}`,
+    ACL_NAME: `exampleacl${serviceName ? '__' + serviceName.replace(/-/g, '_') : ''}`,
   };
 }

integration-tests/js-compute/fixtures/app/fastly.toml.in

@@ -9,7 +9,7 @@ name = "js-test-app"
 service_id = ""
 
 [scripts]
-  build = "node ../../../../js-compute-runtime-cli.js --env FASTLY_DEBUG_LOGGING,CONFIG_STORE_NAME,DICTIONARY_NAME,KV_STORE_NAME,SECRET_STORE_NAME,LOCAL_TEST,TEST=\"foo\" --enable-experimental-high-resolution-time-methods src/index.js"
+  build = "node ../../../../js-compute-runtime-cli.js --env FASTLY_DEBUG_LOGGING,ACL_NAME,CONFIG_STORE_NAME,DICTIONARY_NAME,KV_STORE_NAME,SECRET_STORE_NAME,LOCAL_TEST,TEST=\"foo\" --enable-experimental-high-resolution-time-methods src/index.js"
 
 [local_server]
 

integration-tests/js-compute/fixtures/module-mode/fastly.toml.in

@@ -9,7 +9,7 @@ name = "js-test-app"
 service_id = ""
 
 [scripts]
-  build = "node ../../../../js-compute-runtime-cli.js --env FASTLY_DEBUG_LOGGING,CONFIG_STORE_NAME,DICTIONARY_NAME,KV_STORE_NAME,SECRET_STORE_NAME,LOCAL_TEST,TEST=\"foo\" --enable-experimental-high-resolution-time-methods --module-mode src/index.js"
+  build = "node ../../../../js-compute-runtime-cli.js --env FASTLY_DEBUG_LOGGING,ACL_NAME,CONFIG_STORE_NAME,DICTIONARY_NAME,KV_STORE_NAME,SECRET_STORE_NAME,LOCAL_TEST,TEST=\"foo\" --enable-experimental-high-resolution-time-methods --module-mode src/index.js"
 
 [local_server]
 

integration-tests/js-compute/fixtures/module-mode/src/acl.js

@@ -0,0 +1,99 @@
+/// <reference path="../../../../../types/index.d.ts" />
+import {
+  strictEqual,
+  assertThrows,
+  assertRejects,
+  deepStrictEqual,
+} from './assertions.js';
+import { routes } from './routes.js';
+import { env } from 'fastly:env';
+import { Acl } from 'fastly:acl';
+
+const ACL_NAME = env('ACL_NAME');
+
+routes.set('/acl', async () => {
+  assertThrows(
+    () => Acl(),
+    TypeError,
+    "Acl builtin can't be instantiated directly",
+  );
+  assertThrows(
+    () => new Acl(),
+    TypeError,
+    "Acl builtin can't be instantiated directly",
+  );
+  assertThrows(
+    () => Acl.open(),
+    TypeError,
+    'Acl open: At least 1 argument required, but only 0 passed',
+  );
+  assertThrows(() => Acl.open(4), TypeError, 'Acl open: name must be a string');
+  assertThrows(
+    () => Acl.open(''),
+    TypeError,
+    'Acl open: name can not be an empty string',
+  );
+  assertThrows(
+    () => Acl.open('foo'),
+    TypeError,
+    'Acl open: "foo" acl not found',
+  );
+
+  const acl = Acl.open(ACL_NAME);
+
+  await assertRejects(
+    () => acl.lookup(),
+    TypeError,
+    'lookup: At least 1 argument required, but only 0 passed',
+  );
+  await assertRejects(
+    () => acl.lookup(5),
+    Error,
+    'Invalid address passed to acl.lookup',
+  );
+  await assertRejects(
+    () => acl.lookup('not ip'),
+    Error,
+    'Invalid address passed to acl.lookup',
+  );
+  await assertRejects(
+    () => acl.lookup('999.999.999.999'),
+    Error,
+    'Invalid address passed to acl.lookup',
+  );
+  await assertRejects(
+    () => acl.lookup('123.123.123'),
+    Error,
+    'Invalid address passed to acl.lookup',
+  );
+  await assertRejects(
+    () => acl.lookup('123.123.123.123.123'),
+    Error,
+    'Invalid address passed to acl.lookup',
+  );
+  await assertRejects(
+    () => acl.lookup('100.100.0.0/16'),
+    Error,
+    'Invalid address passed to acl.lookup',
+  );
+
+  strictEqual(await acl.lookup('123.123.123.123'), null);
+  strictEqual(await acl.lookup('100.99.100.100'), null);
+  strictEqual(
+    await acl.lookup('2a04:4b80:1234:5678:9abc:def0:1234:5678'),
+    null,
+  );
+
+  deepStrictEqual(await acl.lookup('100.100.100.100'), {
+    action: 'BLOCK',
+    prefix: '100.100.0.0/16',
+  });
+  deepStrictEqual(await acl.lookup('2a03:4b80::1'), {
+    action: 'ALLOW',
+    prefix: '2a03:4b80:0000:0000:0000:0000:0000:0000/32',
+  });
+  deepStrictEqual(await acl.lookup('2a03:4b80:5c1d:e8f7:92a3:b45c:61d8:7e9f'), {
+    action: 'ALLOW',
+    prefix: '2a03:4b80:0000:0000:0000:0000:0000:0000/32',
+  });
+});

integration-tests/js-compute/fixtures/module-mode/src/index.js

@@ -5,6 +5,7 @@ import { routes } from './routes.js';
 import { env } from 'fastly:env';
 import { enableDebugLogging } from 'fastly:experimental';
 
+import './acl.js';
 import './console.js';
 import './dynamic-backend.js';
 import './hello-world.js';

integration-tests/js-compute/fixtures/module-mode/tests.json

@@ -1,4 +1,5 @@
 {
+  "GET /acl": { "environments": ["compute"] },
   "GET /backend/timeout": {
     "environments": ["compute"],
     "downstream_response": {

integration-tests/js-compute/setup.js

@@ -7,10 +7,15 @@ import { getEnv } from './env.js';
 const serviceId = argv[2];
 const serviceName = argv[3];
 
-const { DICTIONARY_NAME, CONFIG_STORE_NAME, KV_STORE_NAME, SECRET_STORE_NAME } =
-  getEnv(serviceName);
+const {
+  DICTIONARY_NAME,
+  CONFIG_STORE_NAME,
+  KV_STORE_NAME,
+  SECRET_STORE_NAME,
+  ACL_NAME,
+} = getEnv(serviceName);
 
-function existingStoreId(stores, existingName) {
+function existingListId(stores, existingName) {
   const existing = stores.find(
     ({ Name, name }) => name === existingName || Name === existingName,
   );
@@ -34,108 +39,112 @@ if (process.env.FASTLY_API_TOKEN === undefined) {
   }
   zx.verbose = true;
 }
-const FASTLY_API_TOKEN = process.env.FASTLY_API_TOKEN;
 
 async function setupConfigStores() {
-  let stores = await (async function () {
-    try {
-      return JSON.parse(
-        await zx`fastly config-store list --quiet --json --token $FASTLY_API_TOKEN`,
-      );
-    } catch {
-      return [];
-    }
-  })();
+  const stores = JSON.parse(
+    await zx`fastly config-store list --quiet --json --token $FASTLY_API_TOKEN`,
+  );
 
-  let STORE_ID = existingStoreId(stores, DICTIONARY_NAME);
+  let STORE_ID = existingListId(stores, DICTIONARY_NAME);
   if (!STORE_ID) {
     console.log(`Creating new config store ${DICTIONARY_NAME}`);
-    process.env.STORE_ID = JSON.parse(
+    STORE_ID = JSON.parse(
       await zx`fastly config-store create --quiet --name=${DICTIONARY_NAME} --json --token $FASTLY_API_TOKEN`,
     ).id;
   } else {
     console.log(`Using existing config store ${DICTIONARY_NAME}`);
-    process.env.STORE_ID = STORE_ID;
+    STORE_ID = STORE_ID;
   }
-  await zx`echo -n 'https://twitter.com/fastly' | fastly config-store-entry update --upsert --key twitter --store-id=$STORE_ID --stdin --token $FASTLY_API_TOKEN`;
+  await zx`echo -n 'https://twitter.com/fastly' | fastly config-store-entry update --upsert --key twitter --store-id=${STORE_ID} --stdin --token $FASTLY_API_TOKEN`;
   try {
-    await zx`fastly resource-link create --service-id ${serviceId} --version latest --resource-id $STORE_ID --token $FASTLY_API_TOKEN --autoclone`;
+    await zx`fastly resource-link create --service-id ${serviceId} --version latest --resource-id ${STORE_ID} --token $FASTLY_API_TOKEN --autoclone`;
   } catch (e) {
     if (!e.message.includes('Duplicate record')) throw e;
   }
 
-  STORE_ID = existingStoreId(stores, CONFIG_STORE_NAME);
+  STORE_ID = existingListId(stores, CONFIG_STORE_NAME);
   if (!STORE_ID) {
     console.log(`Creating new config store ${CONFIG_STORE_NAME}`);
-    process.env.STORE_ID = JSON.parse(
+    STORE_ID = JSON.parse(
       await zx`fastly config-store create --quiet --name=${CONFIG_STORE_NAME} --json --token $FASTLY_API_TOKEN`,
     ).id;
   } else {
     console.log(`Using existing config store ${CONFIG_STORE_NAME}`);
-    process.env.STORE_ID = STORE_ID;
+    STORE_ID = STORE_ID;
   }
-  await zx`echo -n 'https://twitter.com/fastly' | fastly config-store-entry update --upsert --key twitter --store-id=$STORE_ID --stdin --token $FASTLY_API_TOKEN`;
+  await zx`echo -n 'https://twitter.com/fastly' | fastly config-store-entry update --upsert --key twitter --store-id=${STORE_ID} --stdin --token $FASTLY_API_TOKEN`;
   try {
-    await zx`fastly resource-link create --service-id ${serviceId} --version latest --resource-id $STORE_ID --token $FASTLY_API_TOKEN --autoclone`;
+    await zx`fastly resource-link create --service-id ${serviceId} --version latest --resource-id ${STORE_ID} --token $FASTLY_API_TOKEN --autoclone`;
   } catch (e) {
     if (!e.message.includes('Duplicate record')) throw e;
   }
 }
 
 async function setupKVStore() {
-  let stores = await (async function () {
-    try {
-      return JSON.parse(
-        await zx`fastly kv-store list --quiet --json --token $FASTLY_API_TOKEN`,
-      ).Data;
-    } catch {
-      return [];
-    }
-  })();
+  let stores = JSON.parse(
+    await zx`fastly kv-store list --quiet --json --token $FASTLY_API_TOKEN`,
+  ).Data;
 
-  const STORE_ID = existingStoreId(stores, KV_STORE_NAME);
+  let STORE_ID = existingListId(stores, KV_STORE_NAME);
   if (!STORE_ID) {
     console.log(`Creating new KV store ${KV_STORE_NAME}`);
-    process.env.STORE_ID = JSON.parse(
+    STORE_ID = JSON.parse(
       await zx`fastly kv-store create --quiet --name=${KV_STORE_NAME} --json --token $FASTLY_API_TOKEN`,
     ).StoreID;
   } else {
     console.log(`Using existing KV store ${KV_STORE_NAME}`);
-    process.env.STORE_ID = STORE_ID;
+    STORE_ID = STORE_ID;
   }
   try {
-    await zx`fastly resource-link create --service-id ${serviceId} --version latest --resource-id $STORE_ID --token $FASTLY_API_TOKEN --autoclone`;
+    await zx`fastly resource-link create --service-id ${serviceId} --version latest --resource-id ${STORE_ID} --token $FASTLY_API_TOKEN --autoclone`;
   } catch (e) {
     if (!e.message.includes('Duplicate record')) throw e;
   }
 }
 
 async function setupSecretStore() {
-  let stores = await (async function () {
-    try {
-      return JSON.parse(
-        await zx`fastly secret-store list --quiet --json --token $FASTLY_API_TOKEN`,
-      );
-    } catch (e) {
-      throw e;
-    }
-  })();
-  const STORE_ID = existingStoreId(stores, SECRET_STORE_NAME);
+  const stores = JSON.parse(
+    await zx`fastly secret-store list --quiet --json --token $FASTLY_API_TOKEN`,
+  );
+  let STORE_ID = existingListId(stores, SECRET_STORE_NAME);
   if (!STORE_ID) {
     console.log(`Creating new secret store ${SECRET_STORE_NAME}`);
-    process.env.STORE_ID = JSON.parse(
+    STORE_ID = JSON.parse(
       await zx`fastly secret-store create --quiet --name=${SECRET_STORE_NAME} --json --token $FASTLY_API_TOKEN`,
     ).id;
   } else {
     console.log(`Using existing secret store ${SECRET_STORE_NAME}`);
-    process.env.STORE_ID = STORE_ID;
   }
-  await zx`echo -n 'This is also some secret data' | fastly secret-store-entry create --recreate-allow --name first --store-id=$STORE_ID --stdin --token $FASTLY_API_TOKEN`;
+  await zx`echo -n 'This is also some secret data' | fastly secret-store-entry create --recreate-allow --name first --store-id=${STORE_ID} --stdin --token $FASTLY_API_TOKEN`;
   let key =
     'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
-  await zx`echo -n 'This is some secret data' | fastly secret-store-entry create --recreate-allow --name ${key} --store-id=$STORE_ID --stdin --token $FASTLY_API_TOKEN`;
+  await zx`echo -n 'This is some secret data' | fastly secret-store-entry create --recreate-allow --name ${key} --store-id=${STORE_ID} --stdin --token $FASTLY_API_TOKEN`;
+  try {
+    await zx`fastly resource-link create --service-id ${serviceId} --version latest --resource-id ${STORE_ID} --token $FASTLY_API_TOKEN --autoclone`;
+  } catch (e) {
+    if (!e.message.includes('Duplicate record')) throw e;
+  }
+}
+
+async function setupAcl() {
+  let ACL_ID = existingListId(
+    JSON.parse(
+      await zx`fastly compute acl list-acls --quiet --json --token $FASTLY_API_TOKEN`,
+    ).data,
+    ACL_NAME,
+  );
+  if (!ACL_ID) {
+    console.log(`Creating ACL ${ACL_NAME}`);
+    ACL_ID = JSON.parse(
+      await zx`fastly compute acl create --name=${ACL_NAME} --token $FASTLY_API_TOKEN --json`,
+    ).id;
+    await zx`fastly compute acl update --acl-id=${ACL_ID} --operation=create --prefix=100.100.0.0/16 --action=BLOCK --token $FASTLY_API_TOKEN`;
+    await zx`fastly compute acl update --acl-id=${ACL_ID} --operation=create --prefix=2a03:4b80::/32 --action=ALLOW --token $FASTLY_API_TOKEN`;
+  } else {
+    console.log(`Using existing ACL ${ACL_NAME}`);
+  }
   try {
-    await zx`fastly resource-link create --service-id ${serviceId} --version latest --resource-id $STORE_ID --token $FASTLY_API_TOKEN --autoclone`;
+    await zx`fastly resource-link create --service-id ${serviceId} --version latest --resource-id ${ACL_ID} --token $FASTLY_API_TOKEN --autoclone`;
   } catch (e) {
     if (!e.message.includes('Duplicate record')) throw e;
   }
@@ -144,5 +153,6 @@ async function setupSecretStore() {
 await setupConfigStores();
 await setupKVStore();
 await setupSecretStore();
+await setupAcl();
 
 await zx`fastly service-version activate --service-id ${serviceId} --version latest --token $FASTLY_API_TOKEN`;