fastly · guybedford · Dec 11, 2024 · Jan 20, 2025
diff --git a/runtime/fastly/host-api/fastly.h b/runtime/fastly/host-api/fastly.h
@@ -911,6 +911,25 @@ int device_detection_lookup(const char *user_agent, size_t user_agent_len, const
 WASM_IMPORT("fastly_compute_runtime", "get_vcpu_ms")
 int compute_get_vcpu_ms(uint64_t *vcpu_ms);
 
+// ACL handle type
+typedef uint32_t fastly_acl_handle;
+
+// ACL error enum
+typedef uint32_t fastly_acl_error;
+
+#define FASTLY_ACL_ERROR_UNINITIALIZED 0
+#define FASTLY_ACL_ERROR_OK 1
+#define FASTLY_ACL_ERROR_NO_CONTENT 2
+#define FASTLY_ACL_ERROR_TOO_MANY_REQUESTS 3
+
+// ACL host calls
+WASM_IMPORT("fastly_acl", "open")
+int acl_open(const char *name, size_t name_len, uint32_t *acl_handle_out);
+
+WASM_IMPORT("fastly_acl", "lookup")
+int acl_lookup(uint32_t acl_handle, const uint8_t *ip_octets, size_t ip_len,
+               uint32_t *body_handle_out, fastly_acl_error *acl_error_out);
+
 #ifdef __cplusplus
 } // namespace fastly
 } // extern C

diff --git a/runtime/fastly/host-api/host_api.cpp b/runtime/fastly/host-api/host_api.cpp
@@ -3422,6 +3422,46 @@ FastlyAsyncTask::Handle KVStorePendingInsert::async_handle() const {
   return FastlyAsyncTask::Handle{this->handle};
 }
 
+Result<std::optional<Acl>> Acl::open(std::string_view name) {
+  uint32_t handle_out;
+  fastly::fastly_host_error err;
+  if (!convert_result(fastly::acl_open(name.data(), name.size(), &handle_out), &err)) {
+    if (error_is_optional_none(err)) {
+      return Result<std::optional<Acl>>::ok(std::nullopt);
+    } else {
+      return Result<std::optional<Acl>>::err(host_api::APIError(err));
+    }
+  }
+  return Result<std::optional<Acl>>::ok(Acl(handle_out));
+}
+
+Result<std::tuple<std::optional<HttpBody>, Acl::LookupError>>
+Acl::lookup(std::span<uint8_t> ip_octets) const {
+  uint32_t body_handle_out;
+  fastly::fastly_acl_error acl_error_out = FASTLY_ACL_ERROR_UNINITIALIZED;
+  fastly::fastly_host_error err;
+
+  std::optional<HttpBody> body;
+
+  if (!convert_result(fastly::acl_lookup(this->handle, ip_octets.data(), ip_octets.size(),
+                                         &body_handle_out, &acl_error_out),
+                      &err)) {
+    if (acl_error_out != FASTLY_ACL_ERROR_OK && acl_error_out != FASTLY_ACL_ERROR_UNINITIALIZED) {
+      return Result<std::tuple<std::optional<HttpBody>, LookupError>>::ok(
+          std::make_tuple(std::move(body), static_cast<Acl::LookupError>(acl_error_out)));
+    } else {
+      return Result<std::tuple<std::optional<HttpBody>, LookupError>>::err(err);
+    }
+  }
+
+  if (body_handle_out != HttpBody::invalid) {
+    body = HttpBody(body_handle_out);
+  }
+
+  return Result<std::tuple<std::optional<HttpBody>, Acl::LookupError>>::ok(
+      std::make_tuple(std::move(body), static_cast<Acl::LookupError>(FASTLY_ACL_ERROR_OK)));
+}
+
 Result<uint64_t> Compute::get_vcpu_ms() {
   Result<uint64_t> res;
   uint64_t ret;

diff --git a/runtime/fastly/host-api/host_api_fastly.h b/runtime/fastly/host-api/host_api_fastly.h
@@ -10,6 +10,7 @@
 #include <variant>
 #include <vector>
 
+#include "./fastly.h"
 #include "extension-api.h"
 #include "host_api.h"
 #include "js/TypeDecls.h"
@@ -1044,6 +1045,34 @@ class KVStore final {
                                           std::optional<string_view> prefix, bool eventual);
 };
 
+class Acl final {
+public:
+  using Handle = uint32_t;
+
+  static constexpr Handle invalid = UINT32_MAX - 1;
+
+  // Acl error type
+  enum class LookupError : uint32_t {
+    Uninitialized = FASTLY_ACL_ERROR_UNINITIALIZED,
+    Ok = FASTLY_ACL_ERROR_OK,
+    NoContent = FASTLY_ACL_ERROR_NO_CONTENT,
+    TooManyRequests = FASTLY_ACL_ERROR_TOO_MANY_REQUESTS
+  };
+
+  Handle handle = invalid;
+
+  Acl() = default;
+  explicit Acl(Handle handle) : handle{handle} {}
+
+  bool is_valid() const { return handle != invalid; }
+
+  static Result<std::optional<Acl>> open(std::string_view name);
+
+  /// Lookup an IP address in the ACL
+  Result<std::tuple<std::optional<HttpBody>, LookupError>>
+  lookup(std::span<uint8_t> ip_octets) const;
+};
+
 class Compute final {
 public:
   static Result<uint64_t> get_vcpu_ms();