Add support for newer and older

Author: tw4l

docs/manual/access-control.rst

@@ -95,7 +95,7 @@ An .aclj file may look as follows::
 
 Each JSON entry contains an ``access`` field and the original ``url`` field that was used to convert to the SURT (if any).
 
-The JSON entry may also contain ``user``, ``before``, and ``after`` fields, as explained below.
+The JSON entry may also contain ``user``, ``before``, ``after``, ``newer``, and ``older`` fields, as explained in the sections below.
 
 The prefix consists of a SURT key and a ``-`` (currently reserved for a timestamp/date range field to be added later).
 
@@ -166,10 +166,10 @@ Further examples of how to set this header will be provided in the deployments s
 See the :ref:`config-acl-header` section in Usage for examples on how to configure this header.
 
 
-Date-Based Access Controls
-^^^^^^^^^^^^^^^^^^^^^^^^^^
+Date-Based Access Controls: Before/After Exact Date
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-The access control rules can further be customized be specifying different permissions based on capture timestamp, using ``before`` and ``after`` fields that operate in the same manner as their embargo counterparts for a specific URL or domain.
+It is also possible to control access based on capture timestamp, using ``before`` and ``after`` fields to specify an exact timestamp.
 
 For example, the following access control settings restrict access to ``https://example.com/restricted/`` by default, but allow access for captures prior to December 1, 2010::
 
@@ -183,6 +183,24 @@ Combined with the embargo settings, this can also be used to override the embarg
   com,example)/restricted - {"access": "allow"}
 
 
+Date-Based Access Controls: Time Interval
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Access can also be controlled by specifying a relative time interval, similar to embargos.
+
+For example, the following access control settings restrict access to ``https://example.com/restricted/`` by default, but allow access to all captures newer than 1 year::
+
+  com,example)/restricted - {"access": "allow", "older": {"years": 1}}
+  com,example)/restricted - {"access": "block"}
+
+The following access control settings restrict access to ``https://example.com/restricted/`` by default, but allow access to all captures older than 1 year, 2 months, 3 weeks, and 4 days::
+
+  com,example)/restricted - {"access": "allow", "older": {"years": 1}, "months": 2, "weeks": 3, "days": 4}
+  com,example)/restricted - {"access": "block"}
+
+Any combination of years, months, weeks and days can be used (as long as at least one is provided) for the ``newer`` or ``older`` access control settings.
+
+
 Access Error Messages
 ^^^^^^^^^^^^^^^^^^^^^
 

pywb/warcserver/access_checker.py

@@ -196,6 +196,28 @@ def check_date_access(
             after = timestamp_to_datetime(after_ts, tz_aware=True)
             return access if dt > after else default_access
 
+        newer = rule.get('newer')
+        if newer:
+            delta = relativedelta(
+                years=newer.get('years', 0),
+                months=newer.get('months', 0),
+                weeks=newer.get('weeks', 0),
+                days=newer.get('days', 0)
+            )
+            actual = datetime.now(timezone.utc) - delta
+            return access if actual < dt else default_access
+
+        older = rule.get('older')
+        if older:
+            delta = relativedelta(
+                years=older.get('years', 0),
+                months=older.get('months', 0),
+                weeks=older.get('weeks', 0),
+                days=older.get('days', 0)
+            )
+            actual = datetime.now(timezone.utc) - delta
+            return access if actual > dt else default_access
+
         return access
 
     def create_access_aggregator(self, source_files):

sample_archive/access/newer.aclj

@@ -0,0 +1 @@
+org,iana)/ - {"access": "allow", "url": "http://www.iana.org/", "newer": {"years": 1, "months": 6}}

sample_archive/access/older.aclj

@@ -0,0 +1 @@
+org,iana)/ - {"access": "allow", "url": "http://www.iana.org/", "older": {"years": 1}}

tests/config_test_access.yaml

@@ -76,6 +76,20 @@ collections:
         acl_paths:
             - ./sample_archive/access/after.aclj
 
+    pywb-acl-newer:
+        index_paths: ./sample_archive/cdx/
+        archive_paths: ./sample_archive/warcs/
+        default_access: block
+        acl_paths:
+            - ./sample_archive/access/newer.aclj
+
+    pywb-acl-older:
+        index_paths: ./sample_archive/cdx/
+        archive_paths: ./sample_archive/warcs/
+        default_access: block
+        acl_paths:
+            - ./sample_archive/access/older.aclj
+
     pywb-wildcard-surt:
         index_paths: ./sample_archive/cdx/
         archive_paths: ./sample_archive/warcs/

tests/test_acl.py

@@ -114,3 +114,15 @@ def test_acl_after(self):
         assert 'Access Blocked' in resp.text
 
         resp = self.testapp.get('/pywb-acl-after/20140127171238mp_/http://www.iana.org/', status=200)
+
+    def test_acl_newer(self):
+        resp = self.testapp.get('/pywb-acl-newer/20140127171238mp_/http://www.iana.org/', status=451)
+        assert 'Access Blocked' in resp.text
+
+        resp = self.testapp.get('/pywb-acl-newer/20140126200624mp_/http://www.iana.org/', status=451)
+        assert 'Access Blocked' in resp.text
+        
+    def test_acl_older(self):
+        resp = self.testapp.get('/pywb-acl-older/20140127171238mp_/http://www.iana.org/', status=200)
+        
+        resp = self.testapp.get('/pywb-acl-older/20140126200624mp_/http://www.iana.org/', status=200)