-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | restricting the servers that http-client will use
--   
--   Addition to the http-client and http-client-tls libraries, that
--   restricts the HTTP servers that can be used.
--   
--   This is useful when a security policy needs to, for example, prevent
--   connections to HTTP servers on localhost or a local network, or only
--   allow connections to a specific HTTP server.
--   
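--   It handles restricting redirects as well as the initial HTTP
--   connection, and it also guards against DNS poisoning attacks: the
--   restriction is checked against the resolved IP address, and the
--   connection is then made to that same address.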
@package http-client-restricted
@version 0.0.5


-- | Restricted <a>ManagerSettings</a> for
--   <a>https://haskell-lang.org/library/http-client</a>
--   
--   Copyright 2018 Joey Hess <a>id@joeyh.name</a>
--   
--   Portions from http-client-tls Copyright (c) 2013 Michael Snoyman
--   
--   License: MIT
module Network.HTTP.Client.Restricted

-- | Configuration of which HTTP connections to allow and which to
--   restrict.
--   
--   Semigroup and Monoid instances are listed for this type at the end of
--   the module. NOTE(review): this page does not say how combined
--   restrictions are evaluated or what <a>mempty</a> permits; confirm
--   against the source before composing policies with them.
data Restriction

-- | Checks the address of a server against a Restriction. Going by the
--   <a>addressRestriction</a> example, Just a ConnectionRestricted means
--   the connection is refused and Nothing means it is allowed.
checkAddressRestriction :: Restriction -> AddrInfo -> Maybe ConnectionRestricted

-- | Decide if an HTTP connection is allowed based on the IP address of the
--   server.
--   
--   After the restriction is checked, the same IP address is used to
--   connect to the server. This avoids DNS rebinding attacks being used to
--   bypass the restriction.
--   
--   The supplied function returns Just a ConnectionRestricted to refuse
--   the connection and Nothing to allow it. It is given only the AddrInfo
--   of the server, so a policy is expressed in terms of addresses rather
--   than host names.
--   
--   <pre>
--   myRestriction :: Restriction
--   myRestriction = addressRestriction $ \addr -&gt;
--       if isPrivateAddress addr
--           then Just $ connectionRestricted
--               ("blocked connection to private IP address " ++) addr
--           else Nothing
--   </pre>
--   
--   isPrivateAddress is not among the exports listed for this module and
--   has to be supplied by the caller. A predicate meant to keep requests
--   away from internal hosts needs to cover loopback, private and
--   link-local ranges for both IPv4 and IPv6.
addressRestriction :: (AddrInfo -> Maybe ConnectionRestricted) -> Restriction

-- | Makes a TLS-capable ManagerSettings with a Restriction applied to it.
--   
--   The Restriction will be checked each time a Request is made, and for
--   each redirect followed.
--   
--   Aside from checking the Restriction, it should behave the same as
--   <a>mkManagerSettingsContext</a> from http-client-tls.
--   
--   <pre>
--   main = do
--       manager &lt;- newManager . fst
--           =&lt;&lt; mkRestrictedManagerSettings myRestriction Nothing Nothing
--       request &lt;- parseRequest "http://httpbin.org/get"
--       response &lt;- httpLbs request manager
--       print $ responseBody response
--   </pre>
--   
--   The HTTP proxy is also checked against the Restriction, and will not
--   be used if the Restriction does not allow it. Just ProxyRestricted is
--   returned when the HTTP proxy has been restricted.
--   
--   The example above discards that second component with fst; inspect it
--   when the caller needs to know that a configured proxy was skipped.
--   
--   See <a>mkManagerSettingsContext</a> for why it can be useful to
--   provide a <a>ConnectionContext</a>.
--   
--   Note that SOCKS is not supported. NOTE(review): this page does not say
--   what happens when a SOCKS proxy is configured; confirm against the
--   source if the deployment uses one.
mkRestrictedManagerSettings :: Restriction -> Maybe ConnectionContext -> Maybe TLSSettings -> IO (ManagerSettings, Maybe ProxyRestricted)

-- | Value indicating that a connection was restricted, and giving the
--   reason why.
--   
--   An Exception instance is listed for this type at the end of the
--   module. NOTE(review): presumably this is what reaches the caller when
--   a request is refused; confirm how it is thrown or wrapped before
--   writing exception handlers for it.
data ConnectionRestricted

-- | Wraps the String that gives the reason for the restriction.
ConnectionRestricted :: String -> ConnectionRestricted

-- | Constructs a ConnectionRestricted, passing the function a string
--   containing the IP address of the HTTP server.
--   
--   The first argument turns that string into the message; the second is
--   the AddrInfo of the server, as received by the function given to
--   <a>addressRestriction</a>.
connectionRestricted :: (IPAddrString -> String) -> AddrInfo -> ConnectionRestricted

-- | Value indicating that the HTTP proxy will not be used.
--   
--   <a>mkRestrictedManagerSettings</a> returns Just ProxyRestricted as the
--   second component of its result when the Restriction did not allow the
--   HTTP proxy.
data ProxyRestricted

-- | The only constructor; it carries no further detail.
ProxyRestricted :: ProxyRestricted

-- | A string containing an IP address, for display to a user.
--   
--   This is a plain alias for String, so the type checker does not
--   distinguish it from any other string.
type IPAddrString = String
instance GHC.Show.Show Network.HTTP.Client.Restricted.ConnectionRestricted
instance GHC.Show.Show Network.HTTP.Client.Restricted.ProxyRestricted
instance GHC.Base.Monoid Network.HTTP.Client.Restricted.Restriction
instance GHC.Base.Semigroup Network.HTTP.Client.Restricted.Restriction
instance GHC.Exception.Type.Exception Network.HTTP.Client.Restricted.ConnectionRestricted
