[thirdparty/squid.git] / src / acl / Gadgets.cc

/*
 * DEBUG: section 28    Access Control
 * AUTHOR: Duane Wessels
 *
 * This file contains ACL routines that are not part of the
 * ACL class, nor any other class yet, and that need to be
 * factored into appropriate places. They are here to reduce
 * unneeded dependencies between the ACL class and the rest
 * of squid.
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */

#include "squid.h"
#include "acl/Acl.h"
#include "acl/AclNameList.h"
#include "acl/AclDenyInfoList.h"
#include "acl/Checklist.h"
#include "acl/Tree.h"
#include "acl/Strategised.h"
#include "acl/Gadgets.h"
#include "ConfigParser.h"
#include "errorpage.h"
#include "globals.h"
#include "HttpRequest.h"
#include "Mem.h"

/* does name lookup, returns page_id */
err_type
aclGetDenyInfoPage(AclDenyInfoList ** head, const char *name, int redirect_allowed)
{
    AclDenyInfoList *A = NULL;

    debugs(28, 8, HERE << "got called for " << name);

    for (A = *head; A; A = A->next) {
        AclNameList *L = NULL;

        if (!redirect_allowed && strchr(A->err_page_name, ':') ) {
            debugs(28, 8, HERE << "Skip '" << A->err_page_name << "' 30x redirects not allowed as response here.");
            continue;
        }

        for (L = A->acl_list; L; L = L->next) {
            if (!strcmp(name, L->name)) {
                debugs(28, 8, HERE << "match on " << name);
                return A->err_page_id;
            }

        }
    }

    debugs(28, 8, "aclGetDenyInfoPage: no match");
    return ERR_NONE;
}

/* does name lookup, returns if it is a proxy_auth acl */
int
aclIsProxyAuth(const char *name)
{
    debugs(28, 5, "aclIsProxyAuth: called for " << name);

    if (NULL == name)
        return false;

    ACL *a;

    if ((a = ACL::FindByName(name))) {
        debugs(28, 5, "aclIsProxyAuth: returning " << a->isProxyAuth());
        return a->isProxyAuth();
    }

    debugs(28, 3, "aclIsProxyAuth: WARNING, called for nonexistent ACL");
    return false;
}

/* maex@space.net (05.09.96)
 *    get the info for redirecting "access denied" to info pages
 *      TODO (probably ;-)
 *      currently there is no optimization for
 *      - more than one deny_info line with the same url
 *      - a check, whether the given acl really is defined
 *      - a check, whether an acl is added more than once for the same url
 */

void
aclParseDenyInfoLine(AclDenyInfoList ** head)
{
    char *t = NULL;
    AclDenyInfoList *A = NULL;
    AclDenyInfoList *B = NULL;
    AclDenyInfoList **T = NULL;
    AclNameList *L = NULL;
    AclNameList **Tail = NULL;

    /* first expect a page name */

    if ((t = strtok(NULL, w_space)) == NULL) {
        debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
        debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: missing 'error page' parameter.");
        return;
    }

    A = (AclDenyInfoList *)memAllocate(MEM_ACL_DENY_INFO_LIST);
    A->err_page_id = errorReservePageId(t);
    A->err_page_name = xstrdup(t);
    A->next = (AclDenyInfoList *) NULL;
    /* next expect a list of ACL names */
    Tail = &A->acl_list;

    while ((t = strtok(NULL, w_space))) {
        L = (AclNameList *)memAllocate(MEM_ACL_NAME_LIST);
        xstrncpy(L->name, t, ACL_NAME_SZ-1);
        *Tail = L;
        Tail = &L->next;
    }

    if (A->acl_list == NULL) {
        debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
        debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: deny_info line contains no ACL's, skipping");
        memFree(A, MEM_ACL_DENY_INFO_LIST);
        return;
    }

    for (B = *head, T = head; B; T = &B->next, B = B->next)

        ;	/* find the tail */
    *T = A;
}

void
aclParseAccessLine(const char *directive, ConfigParser &, acl_access **treep)
{
    /* first expect either 'allow' or 'deny' */
    const char *t = ConfigParser::strtokFile();

    if (!t) {
        debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
        debugs(28, DBG_CRITICAL, "aclParseAccessLine: missing 'allow' or 'deny'.");
        return;
    }

    allow_t action = ACCESS_DUNNO;
    if (!strcmp(t, "allow"))
        action = ACCESS_ALLOWED;
    else if (!strcmp(t, "deny"))
        action = ACCESS_DENIED;
    else {
        debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
        debugs(28, DBG_CRITICAL, "aclParseAccessLine: expecting 'allow' or 'deny', got '" << t << "'.");
        return;
    }

    const int ruleId = ((treep && *treep) ? (*treep)->childrenCount() : 0) + 1;
    MemBuf ctxBuf;
    ctxBuf.init();
    ctxBuf.Printf("%s#%d", directive, ruleId);
    ctxBuf.terminate();

    Acl::AndNode *rule = new Acl::AndNode;
    rule->context(ctxBuf.content(), config_input_line);
    rule->lineParse();
    if (rule->empty()) {
        debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
        debugs(28, DBG_CRITICAL, "aclParseAccessLine: Access line contains no ACL's, skipping");
        delete rule;
        return;
    }

    /* Append to the end of this list */

    assert(treep);
    if (!*treep) {
        *treep = new Acl::Tree;
        (*treep)->context(directive, config_input_line);
    }

    (*treep)->add(rule, action);

    /* We lock _acl_access structures in ACLChecklist::matchNonBlocking() */
}

// aclParseAclList does not expect or set actions (cf. aclParseAccessLine)
void
aclParseAclList(ConfigParser &, Acl::Tree **treep, const char *label)
{
    // accomodate callers unable to convert their ACL list context to string
    if (!label)
        label = "...";

    MemBuf ctxLine;
    ctxLine.init();
    ctxLine.Printf("(%s %s line)", cfg_directive, label);
    ctxLine.terminate();

    Acl::AndNode *rule = new Acl::AndNode;
    rule->context(ctxLine.content(), config_input_line);
    rule->lineParse();

    MemBuf ctxTree;
    ctxTree.init();
    ctxTree.Printf("%s %s", cfg_directive, label);
    ctxTree.terminate();

    // We want a cbdata-protected Tree (despite giving it only one child node).
    Acl::Tree *tree = new Acl::Tree;
    tree->add(rule);
    tree->context(ctxTree.content(), config_input_line);

    assert(treep);
    assert(!*treep);
    *treep = tree;
}

/*********************/
/* Destroy functions */
/*********************/

void
aclDestroyAcls(ACL ** head)
{
    ACL *next = NULL;

    debugs(28, 8, "aclDestroyACLs: invoked");

    for (ACL *a = *head; a; a = next) {
        next = a->next;
        delete a;
    }

    *head = NULL;
}

void
aclDestroyAclList(ACLList **list)
{
    debugs(28, 8, "aclDestroyAclList: invoked");
    assert(list);
    cbdataFree(*list);
}

void
aclDestroyAccessList(acl_access ** list)
{
    assert(list);
    if (*list)
        debugs(28, 3, "destroying: " << *list << ' ' << (*list)->name);
    cbdataFree(*list);
}

/* maex@space.net (06.09.1996)
 *    destroy an AclDenyInfoList */

void
aclDestroyDenyInfoList(AclDenyInfoList ** list)
{
    AclDenyInfoList *a = NULL;
    AclDenyInfoList *a_next = NULL;
    AclNameList *l = NULL;
    AclNameList *l_next = NULL;

    debugs(28, 8, "aclDestroyDenyInfoList: invoked");

    for (a = *list; a; a = a_next) {
        for (l = a->acl_list; l; l = l_next) {
            l_next = l->next;
            safe_free(l);
        }

        a_next = a->next;
        xfree(a->err_page_name);
        memFree(a, MEM_ACL_DENY_INFO_LIST);
    }

    *list = NULL;
}
Commit	Line	Data
d295d770	1	/*
d295d770	2	* DEBUG: section 28 Access Control
	3	* AUTHOR: Duane Wessels
	4	*
26ac0430	5	* This file contains ACL routines that are not part of the
d295d770	6	* ACL class, nor any other class yet, and that need to be
26ac0430	7	* factored into appropriate places. They are here to reduce
d295d770	8	* unneeded dependencies between the ACL class and the rest
d295d770	9	* of squid.
26ac0430	10	*
d295d770	11	* SQUID Web Proxy Cache http://www.squid-cache.org/
	12	* ----------------------------------------------------------
	13	*
	14	* Squid is the result of efforts by numerous individuals from
	15	* the Internet community; see the CONTRIBUTORS file for full
	16	* details. Many organizations have provided support for Squid's
	17	* development; see the SPONSORS file for full details. Squid is
	18	* Copyrighted (C) 2001 by the Regents of the University of
	19	* California; see the COPYRIGHT file for full details. Squid
	20	* incorporates software developed and/or copyrighted by other
	21	* sources; see the CREDITS file for full details.
	22	*
	23	* This program is free software; you can redistribute it and/or modify
	24	* it under the terms of the GNU General Public License as published by
	25	* the Free Software Foundation; either version 2 of the License, or
	26	* (at your option) any later version.
26ac0430	27	*
d295d770	28	* This program is distributed in the hope that it will be useful,
	29	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	30	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	31	* GNU General Public License for more details.
26ac0430	32	*
d295d770	33	* You should have received a copy of the GNU General Public License
	34	* along with this program; if not, write to the Free Software
	35	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	36	*
	37	*/
	38
582c2af2	39	#include "squid.h"
c15d448c	40	#include "acl/Acl.h"
6be70545	41	#include "acl/AclNameList.h"
7f0b3324	42	#include "acl/AclDenyInfoList.h"
c15d448c	43	#include "acl/Checklist.h"
6f58d7d7	44	#include "acl/Tree.h"
c15d448c AR	45	#include "acl/Strategised.h"
c15d448c AR	46	#include "acl/Gadgets.h"
d295d770	47	#include "ConfigParser.h"
aa839030	48	#include "errorpage.h"
582c2af2	49	#include "globals.h"
a9f20260	50	#include "HttpRequest.h"
8a89c28f	51	#include "Mem.h"
d295d770	52
d295d770	53	/* does name lookup, returns page_id */
d295d770	54	err_type
7f0b3324	55	aclGetDenyInfoPage(AclDenyInfoList ** head, const char *name, int redirect_allowed)
d295d770	56	{
7f0b3324	57	AclDenyInfoList *A = NULL;
d295d770	58
99697e8e	59	debugs(28, 8, HERE << "got called for " << name);
d295d770	60
9ce7856a	61	for (A = *head; A; A = A->next) {
6be70545	62	AclNameList *L = NULL;
d295d770	63
99697e8e AJ	64	if (!redirect_allowed && strchr(A->err_page_name, ':') ) {
99697e8e AJ	65	debugs(28, 8, HERE << "Skip '" << A->err_page_name << "' 30x redirects not allowed as response here.");
d295d770	66	continue;
	67	}
	68
9ce7856a	69	for (L = A->acl_list; L; L = L->next) {
d295d770	70	if (!strcmp(name, L->name)) {
99697e8e	71	debugs(28, 8, HERE << "match on " << name);
d295d770	72	return A->err_page_id;
	73	}
	74
d295d770	75	}
d295d770	76	}
d295d770	77
bf8fe701	78	debugs(28, 8, "aclGetDenyInfoPage: no match");
d295d770	79	return ERR_NONE;
	80	}
	81
	82	/* does name lookup, returns if it is a proxy_auth acl */
	83	int
	84	aclIsProxyAuth(const char *name)
	85	{
bf8fe701	86	debugs(28, 5, "aclIsProxyAuth: called for " << name);
d295d770	87
	88	if (NULL == name)
	89	return false;
	90
	91	ACL *a;
	92
	93	if ((a = ACL::FindByName(name))) {
bf8fe701	94	debugs(28, 5, "aclIsProxyAuth: returning " << a->isProxyAuth());
d295d770	95	return a->isProxyAuth();
	96	}
	97
bf8fe701	98	debugs(28, 3, "aclIsProxyAuth: WARNING, called for nonexistent ACL");
d295d770	99	return false;
	100	}
	101
d295d770	102	/* maex@space.net (05.09.96)
	103	* get the info for redirecting "access denied" to info pages
	104	* TODO (probably ;-)
	105	* currently there is no optimization for
	106	* - more than one deny_info line with the same url
	107	* - a check, whether the given acl really is defined
	108	* - a check, whether an acl is added more than once for the same url
	109	*/
	110
	111	void
7f0b3324	112	aclParseDenyInfoLine(AclDenyInfoList ** head)
d295d770	113	{
d295d770	114	char *t = NULL;
7f0b3324 FC	115	AclDenyInfoList *A = NULL;
	116	AclDenyInfoList *B = NULL;
	117	AclDenyInfoList **T = NULL;
6be70545 FC	118	AclNameList *L = NULL;
6be70545 FC	119	AclNameList **Tail = NULL;
d295d770	120
	121	/* first expect a page name */
	122
	123	if ((t = strtok(NULL, w_space)) == NULL) {
fa84c01d FC	124	debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
fa84c01d FC	125	debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: missing 'error page' parameter.");
d295d770	126	return;
	127	}
	128
7f0b3324	129	A = (AclDenyInfoList *)memAllocate(MEM_ACL_DENY_INFO_LIST);
d295d770	130	A->err_page_id = errorReservePageId(t);
d295d770	131	A->err_page_name = xstrdup(t);
7f0b3324	132	A->next = (AclDenyInfoList *) NULL;
d295d770	133	/* next expect a list of ACL names */
	134	Tail = &A->acl_list;
	135
	136	while ((t = strtok(NULL, w_space))) {
6be70545	137	L = (AclNameList *)memAllocate(MEM_ACL_NAME_LIST);
6f58d7d7	138	xstrncpy(L->name, t, ACL_NAME_SZ-1);
d295d770	139	*Tail = L;
	140	Tail = &L->next;
	141	}
	142
	143	if (A->acl_list == NULL) {
fa84c01d FC	144	debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
fa84c01d FC	145	debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: deny_info line contains no ACL's, skipping");
d295d770	146	memFree(A, MEM_ACL_DENY_INFO_LIST);
	147	return;
	148	}
	149
	150	for (B = *head, T = head; B; T = &B->next, B = B->next)
	151
	152	; /* find the tail */
	153	*T = A;
	154	}
	155
	156	void
6f58d7d7	157	aclParseAccessLine(const char directive, ConfigParser &, acl_access *treep)
d295d770	158	{
d295d770	159	/* first expect either 'allow' or 'deny' */
6f58d7d7	160	const char *t = ConfigParser::strtokFile();
d295d770	161
6f58d7d7	162	if (!t) {
fa84c01d FC	163	debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
fa84c01d FC	164	debugs(28, DBG_CRITICAL, "aclParseAccessLine: missing 'allow' or 'deny'.");
d295d770	165	return;
	166	}
	167
6f58d7d7	168	allow_t action = ACCESS_DUNNO;
d295d770	169	if (!strcmp(t, "allow"))
6f58d7d7	170	action = ACCESS_ALLOWED;
d295d770	171	else if (!strcmp(t, "deny"))
6f58d7d7	172	action = ACCESS_DENIED;
d295d770	173	else {
fa84c01d FC	174	debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
fa84c01d FC	175	debugs(28, DBG_CRITICAL, "aclParseAccessLine: expecting 'allow' or 'deny', got '" << t << "'.");
d295d770	176	return;
	177	}
	178
6f58d7d7 AR	179	const int ruleId = ((treep && treep) ? (treep)->childrenCount() : 0) + 1;
	180	MemBuf ctxBuf;
	181	ctxBuf.init();
	182	ctxBuf.Printf("%s#%d", directive, ruleId);
	183	ctxBuf.terminate();
d295d770	184
6f58d7d7 AR	185	Acl::AndNode *rule = new Acl::AndNode;
	186	rule->context(ctxBuf.content(), config_input_line);
	187	rule->lineParse();
	188	if (rule->empty()) {
	189	debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
fa84c01d	190	debugs(28, DBG_CRITICAL, "aclParseAccessLine: Access line contains no ACL's, skipping");
6f58d7d7	191	delete rule;
d295d770	192	return;
	193	}
	194
d295d770	195	/* Append to the end of this list */
d295d770	196
6f58d7d7 AR	197	assert(treep);
	198	if (!*treep) {
	199	*treep = new Acl::Tree;
	200	(*treep)->context(directive, config_input_line);
	201	}
	202
	203	(*treep)->add(rule, action);
d295d770	204
2efeb0b7	205	/* We lock _acl_access structures in ACLChecklist::matchNonBlocking() */
d295d770	206	}
d295d770	207
6f58d7d7	208	// aclParseAclList does not expect or set actions (cf. aclParseAccessLine)
d295d770	209	void
6f58d7d7	210	aclParseAclList(ConfigParser &, Acl::Tree *treep, const char label)
d295d770	211	{
6f58d7d7 AR	212	// accomodate callers unable to convert their ACL list context to string
	213	if (!label)
	214	label = "...";
	215
	216	MemBuf ctxLine;
	217	ctxLine.init();
	218	ctxLine.Printf("(%s %s line)", cfg_directive, label);
	219	ctxLine.terminate();
	220
	221	Acl::AndNode *rule = new Acl::AndNode;
	222	rule->context(ctxLine.content(), config_input_line);
	223	rule->lineParse();
	224
	225	MemBuf ctxTree;
	226	ctxTree.init();
	227	ctxTree.Printf("%s %s", cfg_directive, label);
	228	ctxTree.terminate();
	229
	230	// We want a cbdata-protected Tree (despite giving it only one child node).
	231	Acl::Tree *tree = new Acl::Tree;
	232	tree->add(rule);
	233	tree->context(ctxTree.content(), config_input_line);
	234
	235	assert(treep);
	236	assert(!*treep);
	237	*treep = tree;
d295d770	238	}
d295d770	239
d295d770	240	/*********************/
	241	/* Destroy functions */
	242	/*********************/
	243
	244	void
	245	aclDestroyAcls(ACL ** head)
	246	{
	247	ACL *next = NULL;
	248
bf8fe701	249	debugs(28, 8, "aclDestroyACLs: invoked");
d295d770	250
	251	for (ACL a = head; a; a = next) {
	252	next = a->next;
	253	delete a;
	254	}
	255
	256	*head = NULL;
	257	}
	258
	259	void
6f58d7d7	260	aclDestroyAclList(ACLList **list)
d295d770	261	{
bf8fe701	262	debugs(28, 8, "aclDestroyAclList: invoked");
6f58d7d7 AR	263	assert(list);
6f58d7d7 AR	264	cbdataFree(*list);
d295d770	265	}
	266
	267	void
	268	aclDestroyAccessList(acl_access ** list)
	269	{
6f58d7d7 AR	270	assert(list);
	271	if (*list)
	272	debugs(28, 3, "destroying: " << list << ' ' << (list)->name);
	273	cbdataFree(*list);
d295d770	274	}
	275
	276	/* maex@space.net (06.09.1996)
7f0b3324	277	* destroy an AclDenyInfoList */
d295d770	278
d295d770	279	void
7f0b3324	280	aclDestroyDenyInfoList(AclDenyInfoList ** list)
d295d770	281	{
7f0b3324 FC	282	AclDenyInfoList *a = NULL;
7f0b3324 FC	283	AclDenyInfoList *a_next = NULL;
6be70545 FC	284	AclNameList *l = NULL;
6be70545 FC	285	AclNameList *l_next = NULL;
d295d770	286
bf8fe701	287	debugs(28, 8, "aclDestroyDenyInfoList: invoked");
d295d770	288
	289	for (a = *list; a; a = a_next) {
	290	for (l = a->acl_list; l; l = l_next) {
	291	l_next = l->next;
	292	safe_free(l);
	293	}
	294
	295	a_next = a->next;
	296	xfree(a->err_page_name);
	297	memFree(a, MEM_ACL_DENY_INFO_LIST);
	298	}
	299
	300	*list = NULL;
	301	}