[thirdparty/squid.git] / src / acl / Checklist.h

/*
 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_ACLCHECKLIST_H
#define SQUID_ACLCHECKLIST_H

#include "acl/InnerNode.h"
#include <stack>

/// ACL checklist callback
typedef void ACLCB(allow_t, void *);

/** \ingroup ACLAPI
    Base class for maintaining Squid and transaction state for access checks.
    Provides basic ACL checking methods. Its only child, ACLFilledChecklist,
    keeps the actual state data. The split is necessary to avoid exposing
    all ACL-related code to virtually Squid data types. */
class ACLChecklist
{

public:

    /**
     * State class.
     * This abstract class defines the behaviour of
     * async lookups - which can vary for different ACL types.
     * Today, every state object must be a singleton.
     * See NULLState for an example.
     *
     \note *no* state should be stored in the state object,
     * they are used to change the behaviour of the checklist, not
     * to hold information. If you need to store information in the
     * state object, consider subclassing ACLChecklist, converting it
     * to a composite, or changing the state objects from singletons to
     * refcounted objects.
     */

    class AsyncState
    {

    public:
        virtual void checkForAsync(ACLChecklist *) const = 0;
        virtual ~AsyncState() {}
    };

    class NullState : public AsyncState
    {

    public:
        static NullState *Instance();
        virtual void checkForAsync(ACLChecklist *) const;
        virtual ~NullState() {}

    private:
        static NullState _instance;
    };

public:
    ACLChecklist();
    virtual ~ACLChecklist();

    /**
     * Start a non-blocking (async) check for a list of allow/deny rules.
     * Each rule comes with a list of ACLs.
     *
     * The callback specified will be called with the result of the check.
     *
     * The first rule where all ACLs match wins. If there is such a rule,
     * the result becomes that rule keyword (ACCESS_ALLOWED or ACCESS_DENIED).
     *
     * If there are rules but all ACL lists mismatch, an implicit rule is used.
     * Its result is the negation of the keyword of the last seen rule.
     *
     * Some ACLs may stop the check prematurely by setting an exceptional
     * check result (e.g., ACCESS_AUTH_REQUIRED) instead of declaring a
     * match or mismatch.
     *
     * If there are no rules to check at all, the result becomes ACCESS_DUNNO.
     * Calling this method with no rules to check wastes a lot of CPU cycles
     * and will result in a DBG_CRITICAL debugging message.
     */
    void nonBlockingCheck(ACLCB * callback, void *callback_data);

    /**
     * Perform a blocking (immediate) check for a list of allow/deny rules.
     * Each rule comes with a list of ACLs.
     *
     * The first rule where all ACLs match wins. If there is such a rule,
     * the result becomes that rule keyword (ACCESS_ALLOWED or ACCESS_DENIED).
     *
     * If there are rules but all ACL lists mismatch, an implicit rule is used
     * Its result is the negation of the keyword of the last seen rule.
     *
     * Some ACLs may stop the check prematurely by setting an exceptional
     * check result (e.g., ACCESS_AUTH_REQUIRED) instead of declaring a
     * match or mismatch.
     *
     * Some ACLs may require an async lookup which is prohibited by this
     * method. In this case, the exceptional check result of ACCESS_DUNNO is
     * immediately returned.
     *
     * If there are no rules to check at all, the result becomes ACCESS_DUNNO.
     */
    allow_t const & fastCheck();

    /**
     * Perform a blocking (immediate) check whether a list of ACLs matches.
     * This method is meant to be used with squid.conf ACL-driven options that
     * lack allow/deny keywords and are tested one ACL list at a time. Whether
     * the checks for other occurrences of the same option continue after this
     * call is up to the caller and option semantics.
     *
     * If all ACLs match, the result becomes ACCESS_ALLOWED.
     *
     * If all ACLs mismatch, the result becomes ACCESS_DENIED.
     *
     * Some ACLs may stop the check prematurely by setting an exceptional
     * check result (e.g., ACCESS_AUTH_REQUIRED) instead of declaring a
     * match or mismatch.
     *
     * Some ACLs may require an async lookup which is prohibited by this
     * method. In this case, the exceptional check result of ACCESS_DUNNO is
     * immediately returned.
     *
     * If there are no ACLs to check at all, the result becomes ACCESS_ALLOWED.
     */
    allow_t const & fastCheck(const Acl::Tree *list);

    /// If slow lookups are allowed, switches into "async in progress" state.
    /// Otherwise, returns false; the caller is expected to handle the failure.
    bool goAsync(AsyncState *);

    /// Matches (or resumes matching of) a child node while maintaning
    /// resumption breadcrumbs if a [grand]child node goes async.
    bool matchChild(const Acl::InnerNode *parent, Acl::Nodes::const_iterator pos, const ACL *child);

    /// Whether we should continue to match tree nodes or stop/pause.
    bool keepMatching() const { return !finished() && !asyncInProgress(); }

    /// whether markFinished() was called
    bool finished() const { return finished_; }
    /// async call has been started and has not finished (or failed) yet
    bool asyncInProgress() const { return asyncStage_ != asyncNone; }
    /// called when no more ACLs should be checked; sets the final answer and
    /// prints a debugging message explaining the reason for that answer
    void markFinished(const allow_t &newAnswer, const char *reason);

    const allow_t &currentAnswer() const { return allow_; }

    // XXX: ACLs that need request or reply have to use ACLFilledChecklist and
    // should do their own checks so that we do not have to povide these two
    // for ACL::checklistMatches to use
    virtual bool hasRequest() const = 0;
    virtual bool hasReply() const = 0;

private:
    /// Calls non-blocking check callback with the answer and destroys self.
    void checkCallback(allow_t answer);

    void matchAndFinish();

    void changeState(AsyncState *);
    AsyncState *asyncState() const;

public:
    const Acl::Tree *accessList;

    ACLCB *callback;
    void *callback_data;

    /// Resumes non-blocking check started by nonBlockingCheck() and
    /// suspended until some async operation updated Squid state.
    void resumeNonBlockingCheck(AsyncState *state);

private: /* internal methods */
    /// Position of a child node within an ACL tree.
    class Breadcrumb
    {
    public:
        Breadcrumb(): parent(NULL) {}
        Breadcrumb(const Acl::InnerNode *aParent, Acl::Nodes::const_iterator aPos): parent(aParent), position(aPos) {}
        bool operator ==(const Breadcrumb &b) const { return parent == b.parent && (!parent || position == b.position); }
        bool operator !=(const Breadcrumb &b) const { return !this->operator ==(b); }
        void clear() { parent = NULL; }
        const Acl::InnerNode *parent; ///< intermediate node in the ACL tree
        Acl::Nodes::const_iterator position; ///< child position inside parent
    };

    /// possible outcomes when trying to match a single ACL node in a list
    typedef enum { nmrMatch, nmrMismatch, nmrFinished, nmrNeedsAsync }
    NodeMatchingResult;

    /// prepare for checking ACLs; called once per check
    void preCheck(const char *what);
    bool prepNonBlocking();
    void completeNonBlocking();
    void calcImplicitAnswer();

    bool asyncCaller_; ///< whether the caller supports async/slow ACLs
    bool occupied_; ///< whether a check (fast or non-blocking) is in progress
    bool finished_;
    allow_t allow_;

    enum AsyncStage { asyncNone, asyncStarting, asyncRunning, asyncFailed };
    AsyncStage asyncStage_;
    AsyncState *state_;
    Breadcrumb matchLoc_; ///< location of the node running matches() now
    Breadcrumb asyncLoc_; ///< currentNode_ that called goAsync()
    unsigned asyncLoopDepth_; ///< how many times the current async state has resumed

    bool callerGone();

    /// suspended (due to an async lookup) matches() in the ACL tree
    std::stack<Breadcrumb> matchPath;
};

#endif /* SQUID_ACLCHECKLIST_H */
Commit	Line	Data
4fb35c3c	1	/*
bde978a6	2	* Copyright (C) 1996-2015 The Squid Software Foundation and contributors
4fb35c3c	3	*
bbc27441 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
4fb35c3c	7	*/
	8
	9	#ifndef SQUID_ACLCHECKLIST_H
	10	#define SQUID_ACLCHECKLIST_H
	11
6f58d7d7 AR	12	#include "acl/InnerNode.h"
6f58d7d7 AR	13	#include <stack>
4fb35c3c	14
2efeb0b7 AJ	15	/// ACL checklist callback
	16	typedef void ACLCB(allow_t, void *);
	17
351fe86d AR	18	/** \ingroup ACLAPI
351fe86d AR	19	Base class for maintaining Squid and transaction state for access checks.
f53969cc SM	20	Provides basic ACL checking methods. Its only child, ACLFilledChecklist,
f53969cc SM	21	keeps the actual state data. The split is necessary to avoid exposing
351fe86d	22	all ACL-related code to virtually Squid data types. */
62e76326	23	class ACLChecklist
	24	{
	25
	26	public:
8000a965	27
63be0a78	28	/**
63be0a78	29	* State class.
8000a965	30	* This abstract class defines the behaviour of
	31	* async lookups - which can vary for different ACL types.
	32	* Today, every state object must be a singleton.
	33	* See NULLState for an example.
63be0a78	34	*
63be0a78	35	\note no state should be stored in the state object,
8000a965	36	* they are used to change the behaviour of the checklist, not
	37	* to hold information. If you need to store information in the
	38	* state object, consider subclassing ACLChecklist, converting it
	39	* to a composite, or changing the state objects from singletons to
	40	* refcounted objects.
	41	*/
	42
62e76326	43	class AsyncState
	44	{
	45
	46	public:
	47	virtual void checkForAsync(ACLChecklist *) const = 0;
f75662c9	48	virtual ~AsyncState() {}
8000a965	49	};
8000a965	50
26ac0430	51	class NullState : public AsyncState
62e76326	52	{
	53
	54	public:
	55	static NullState *Instance();
	56	virtual void checkForAsync(ACLChecklist *) const;
f75662c9	57	virtual ~NullState() {}
62e76326	58
	59	private:
	60	static NullState _instance;
8000a965	61	};
62e76326	62
351fe86d	63	public:
4fb35c3c	64	ACLChecklist();
351fe86d	65	virtual ~ACLChecklist();
b50e327b AJ	66
b50e327b AJ	67	/**
e0f7153c AR	68	* Start a non-blocking (async) check for a list of allow/deny rules.
	69	* Each rule comes with a list of ACLs.
	70	*
	71	* The callback specified will be called with the result of the check.
	72	*
	73	* The first rule where all ACLs match wins. If there is such a rule,
	74	* the result becomes that rule keyword (ACCESS_ALLOWED or ACCESS_DENIED).
	75	*
	76	* If there are rules but all ACL lists mismatch, an implicit rule is used.
	77	* Its result is the negation of the keyword of the last seen rule.
	78	*
	79	* Some ACLs may stop the check prematurely by setting an exceptional
	80	* check result (e.g., ACCESS_AUTH_REQUIRED) instead of declaring a
	81	* match or mismatch.
	82	*
	83	* If there are no rules to check at all, the result becomes ACCESS_DUNNO.
	84	* Calling this method with no rules to check wastes a lot of CPU cycles
	85	* and will result in a DBG_CRITICAL debugging message.
b50e327b	86	*/
2efeb0b7	87	void nonBlockingCheck(ACLCB * callback, void *callback_data);
b50e327b AJ	88
b50e327b AJ	89	/**
e0f7153c AR	90	* Perform a blocking (immediate) check for a list of allow/deny rules.
	91	* Each rule comes with a list of ACLs.
	92	*
	93	* The first rule where all ACLs match wins. If there is such a rule,
	94	* the result becomes that rule keyword (ACCESS_ALLOWED or ACCESS_DENIED).
af6a12ee	95	*
e0f7153c AR	96	* If there are rules but all ACL lists mismatch, an implicit rule is used
e0f7153c AR	97	* Its result is the negation of the keyword of the last seen rule.
b50e327b	98	*
e0f7153c AR	99	* Some ACLs may stop the check prematurely by setting an exceptional
	100	* check result (e.g., ACCESS_AUTH_REQUIRED) instead of declaring a
	101	* match or mismatch.
af6a12ee	102	*
e0f7153c AR	103	* Some ACLs may require an async lookup which is prohibited by this
	104	* method. In this case, the exceptional check result of ACCESS_DUNNO is
	105	* immediately returned.
	106	*
	107	* If there are no rules to check at all, the result becomes ACCESS_DUNNO.
b50e327b	108	*/
2efeb0b7	109	allow_t const & fastCheck();
b50e327b AJ	110
b50e327b AJ	111	/**
e0f7153c AR	112	* Perform a blocking (immediate) check whether a list of ACLs matches.
	113	* This method is meant to be used with squid.conf ACL-driven options that
	114	* lack allow/deny keywords and are tested one ACL list at a time. Whether
	115	* the checks for other occurrences of the same option continue after this
	116	* call is up to the caller and option semantics.
	117	*
	118	* If all ACLs match, the result becomes ACCESS_ALLOWED.
af6a12ee	119	*
e0f7153c AR	120	* If all ACLs mismatch, the result becomes ACCESS_DENIED.
	121	*
	122	* Some ACLs may stop the check prematurely by setting an exceptional
	123	* check result (e.g., ACCESS_AUTH_REQUIRED) instead of declaring a
	124	* match or mismatch.
	125	*
	126	* Some ACLs may require an async lookup which is prohibited by this
	127	* method. In this case, the exceptional check result of ACCESS_DUNNO is
	128	* immediately returned.
	129	*
	130	* If there are no ACLs to check at all, the result becomes ACCESS_ALLOWED.
b50e327b	131	*/
6f58d7d7 AR	132	allow_t const & fastCheck(const Acl::Tree *list);
	133
	134	/// If slow lookups are allowed, switches into "async in progress" state.
	135	/// Otherwise, returns false; the caller is expected to handle the failure.
	136	bool goAsync(AsyncState *);
	137
e936c41c	138	/// Matches (or resumes matching of) a child node while maintaning
6f58d7d7 AR	139	/// resumption breadcrumbs if a [grand]child node goes async.
6f58d7d7 AR	140	bool matchChild(const Acl::InnerNode parent, Acl::Nodes::const_iterator pos, const ACL child);
b50e327b	141
6f58d7d7 AR	142	/// Whether we should continue to match tree nodes or stop/pause.
6f58d7d7 AR	143	bool keepMatching() const { return !finished() && !asyncInProgress(); }
b50e327b	144
e0f7153c	145	/// whether markFinished() was called
6f58d7d7 AR	146	bool finished() const { return finished_; }
	147	/// async call has been started and has not finished (or failed) yet
	148	bool asyncInProgress() const { return asyncStage_ != asyncNone; }
e0f7153c AR	149	/// called when no more ACLs should be checked; sets the final answer and
	150	/// prints a debugging message explaining the reason for that answer
	151	void markFinished(const allow_t &newAnswer, const char *reason);
b50e327b	152
e0f7153c	153	const allow_t &currentAnswer() const { return allow_; }
b50e327b	154
af6a12ee AJ	155	// XXX: ACLs that need request or reply have to use ACLFilledChecklist and
af6a12ee AJ	156	// should do their own checks so that we do not have to povide these two
351fe86d	157	// for ACL::checklistMatches to use
af6a12ee AJ	158	virtual bool hasRequest() const = 0;
af6a12ee AJ	159	virtual bool hasReply() const = 0;
b50e327b	160
eac759e1	161	private:
d5cbce97 AR	162	/// Calls non-blocking check callback with the answer and destroys self.
	163	void checkCallback(allow_t answer);
	164
6f58d7d7 AR	165	void matchAndFinish();
	166
	167	void changeState(AsyncState *);
	168	AsyncState *asyncState() const;
b50e327b	169
351fe86d	170	public:
6f58d7d7	171	const Acl::Tree *accessList;
62e76326	172
2efeb0b7	173	ACLCB *callback;
4fb35c3c	174	void *callback_data;
62e76326	175
6f58d7d7 AR	176	/// Resumes non-blocking check started by nonBlockingCheck() and
	177	/// suspended until some async operation updated Squid state.
	178	void resumeNonBlockingCheck(AsyncState *state);
2efeb0b7	179
b50e327b	180	private: /* internal methods */
6f58d7d7	181	/// Position of a child node within an ACL tree.
e936c41c AR	182	class Breadcrumb
e936c41c AR	183	{
6f58d7d7 AR	184	public:
	185	Breadcrumb(): parent(NULL) {}
	186	Breadcrumb(const Acl::InnerNode *aParent, Acl::Nodes::const_iterator aPos): parent(aParent), position(aPos) {}
	187	bool operator ==(const Breadcrumb &b) const { return parent == b.parent && (!parent \|\| position == b.position); }
	188	bool operator !=(const Breadcrumb &b) const { return !this->operator ==(b); }
	189	void clear() { parent = NULL; }
	190	const Acl::InnerNode *parent; ///< intermediate node in the ACL tree
	191	Acl::Nodes::const_iterator position; ///< child position inside parent
	192	};
	193
e0f7153c AR	194	/// possible outcomes when trying to match a single ACL node in a list
e0f7153c AR	195	typedef enum { nmrMatch, nmrMismatch, nmrFinished, nmrNeedsAsync }
c0f81932	196	NodeMatchingResult;
e0f7153c AR	197
	198	/// prepare for checking ACLs; called once per check
	199	void preCheck(const char *what);
6f58d7d7 AR	200	bool prepNonBlocking();
	201	void completeNonBlocking();
	202	void calcImplicitAnswer();
b50e327b	203
6f58d7d7	204	bool asyncCaller_; ///< whether the caller supports async/slow ACLs
7c469a68	205	bool occupied_; ///< whether a check (fast or non-blocking) is in progress
8000a965	206	bool finished_;
8000a965	207	allow_t allow_;
351fe86d	208
6f58d7d7 AR	209	enum AsyncStage { asyncNone, asyncStarting, asyncRunning, asyncFailed };
	210	AsyncStage asyncStage_;
	211	AsyncState *state_;
	212	Breadcrumb matchLoc_; ///< location of the node running matches() now
	213	Breadcrumb asyncLoc_; ///< currentNode_ that called goAsync()
1707b9ad	214	unsigned asyncLoopDepth_; ///< how many times the current async state has resumed
ab321f4b	215
315b856d	216	bool callerGone();
6f58d7d7 AR	217
	218	/// suspended (due to an async lookup) matches() in the ACL tree
	219	std::stack<Breadcrumb> matchPath;
4fb35c3c	220	};
	221
	222	#endif /* SQUID_ACLCHECKLIST_H */
f53969cc	223