analyzer: Move disabling_analyzer() hook into Analyzer module

When disabling_analyzer() was introduced, it was added to the GLOBAL
module. The awkward side-effect is that implementing a hook handler
in another module requires to prefix it with GLOBAL. Alternatively, one
can re-open the GLOBAL module and implement the handler in that scope.

Both are not great, and prefixing with GLOBAL is ugly, so move the
identifier to the Analyzer module and ask users to prefix with Analyzer.

NEWS

@@ -213,6 +213,9 @@ Deprecated Functionality
   deprecated in favor of the more generic ``analyzer_confirmation_info`` and
   ``analyzer_violation_info`` events.
 
+- The global ``disabling_analyzer()`` hook has been deprecated and replaced
+  with ``Analyzer::disabling_analyzer()`` that has the same semantics.
+
 - The const values for toggling individual tunnel packet analyzers have
   been deprecated in favor of using ``Analyzer::disable_analyzer()``
   directly. This affects:

scripts/base/init-bare.zeek

@@ -597,23 +597,32 @@ type fa_metadata: record {
 	inferred: bool &default=T;
 };
 
-## A hook taking a connection, analyzer tag and analyzer id that can be
+## Same as :zeek:see:`Analyzer::disabling_analyzer`, but deprecated due
-## used to veto disabling analyzers. Specifically, an analyzer can be prevented
+## to living in the global namespace.
-## from being disabled by using a :zeek:see:`break` statement within the hook.
+type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count) &redef &deprecated="Remove in v6.1. Use Analyzer::disabling_analyzer() instead.";
-## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call.
-##
-## Scripts implementing this hook should have other logic that will eventually
-## disable the analyzer for the given connection. That is, if a script vetoes
-## disabling an analyzer, it takes responsibility for a later call to
-## :zeek:see:`disable_analyzer`, which may be never.
-##
-## c: The connection
-##
-## atype: The type / tag of the analyzer being disabled.
-##
-## aid: The analyzer ID.
-type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count);
 
+module Analyzer;
+export {
+	## A hook taking a connection, analyzer tag and analyzer id that can be
+	## used to veto disabling protocol analyzers. Specifically, an analyzer
+	## can be prevented from being disabled by using a :zeek:see:`break`
+	## statement within the hook.
+	## This hook is invoked synchronously during a :zeek:see:`disable_analyzer` call.
+	##
+	## Scripts implementing this hook should have other logic that will eventually
+	## disable the analyzer for the given connection. That is, if a script vetoes
+	## disabling an analyzer, it takes responsibility for a later call to
+	## :zeek:see:`disable_analyzer`, which may be never.
+	##
+	## c: The connection
+	##
+	## atype: The type / tag of the analyzer being disabled.
+	##
+	## aid: The analyzer ID.
+	type disabling_analyzer: hook(c: connection, atype: AllAnalyzers::Tag, aid: count) &redef;
+}
+
+module GLOBAL;
 ## Fields of a SYN packet.
 ##
 ## .. zeek:see:: connection_SYN_packet

src/zeek.bif

@@ -4697,7 +4697,10 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 		return zeek::val_mgr->False();
 		}
 
+	// Remove in v6.1: Global disabling_analyzer is to be removed.
 	static auto disabling_analyzer_hook = id::find_func("disabling_analyzer");
+	static auto analyzer_disabling_analyzer_hook = id::find_func("Analyzer::disabling_analyzer");
+
 	if ( disabling_analyzer_hook )
 		{
 		auto hook_rval = disabling_analyzer_hook->Invoke(c->GetVal(), a->GetAnalyzerTag().AsVal(),
@@ -4706,6 +4709,14 @@ function disable_analyzer%(cid: conn_id, aid: count, err_if_no_conn: bool &defau
 			return zeek::val_mgr->False();
 		}
 
+	if ( analyzer_disabling_analyzer_hook )
+		{
+		auto hook_rval = analyzer_disabling_analyzer_hook->Invoke(c->GetVal(), a->GetAnalyzerTag().AsVal(),
+		                                                 zeek::val_mgr->Count(aid));
+		if ( hook_rval && ! hook_rval->AsBool() )
+			return zeek::val_mgr->False();
+		}
+
 	if ( prevent )
 		a->Parent()->PreventChildren(a->GetAnalyzerTag());
 

testing/btest/Baseline/bifs.disable_analyzer-hook-module/out

@@ -0,0 +1,16 @@
+### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
+http_request, GET, /style/enhanced.css
+prevent disabling
+F
+http_request, GET, /script/urchin.js
+prevent disabling
+F
+http_request, GET, /images/template/screen/bullet_utility.png
+prevent disabling
+F
+http_request, GET, /images/template/screen/key-point-top.png
+prevent disabling
+F
+http_request, GET, /projects/calendar/images/header-sunbird.png
+prevent disabling
+F

testing/btest/bifs/disable_analyzer-hook-module.zeek

@@ -0,0 +1,21 @@
+# @TEST-DOC: Hook Analyzer::disabling_analyzer in a module
+# @TEST-EXEC: zeek -b -r $TRACES/http/pipelined-requests.trace %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+@load base/protocols/http
+
+module MyHTTP;
+
+
+# Prevent disabling all analyzers.
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
+	{
+	print("prevent disabling");
+	break;
+	}
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
+	{
+	print "http_request", method, original_URI;
+	print disable_analyzer(c$id, current_analyzer(), T, T);
+	}

testing/btest/bifs/disable_analyzer-hook.zeek

@@ -6,7 +6,7 @@
 
 global msg_count: table[conn_id] of count &default=0;
 
-event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count) &priority=10
+event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo) &priority=10
 	{
 	if ( atype != Analyzer::ANALYZER_HTTP )
 		return;
@@ -15,7 +15,7 @@ event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	}
 
 # Prevent disabling all analyzers.
-hook disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	{
 	if ( msg_count[c$id] < 4 )
 		{

testing/btest/scripts/base/protocols/ssl/prevent-disable-analyzer.test

@@ -17,7 +17,7 @@ global encrypted_data_wanted = 4;
 
 # Prevent disabling the SSL analyzer for this connection until we've seen encrypted_data_wanted
 # encrypted data events on it. Our ssl_encrypted_data event handler has the inverse condition.
-hook disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
+hook Analyzer::disabling_analyzer(c: connection, atype: AllAnalyzers::Tag, aid: count)
 	{
 	print "disabling_analyzer", c$id, atype, aid;
 	if ( atype != Analyzer::ANALYZER_SSL || ! c?$ssl )
@@ -37,9 +37,9 @@ event ssl_established(c: connection)
 	print "established", c$id;
 	}
 
-event analyzer_confirmation(c: connection, atype: AllAnalyzers::Tag, aid: count)
+event analyzer_confirmation_info(atype: AllAnalyzers::Tag, info: AnalyzerConfirmationInfo)
 	{
-	print "analyzer_confirmation", c$id, atype, aid;
+	print "analyzer_confirmation", info$c$id, atype, info$aid;
 	}
 
 event ssl_encrypted_data(c: connection, is_client: bool, record_version: count, content_type: count, length: count)