]> git.ipfire.org Git - thirdparty/squid.git/blob - src/external_acl.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Renamed squid.h to squid-old.h and config.h to squid.h
[thirdparty/squid.git] / src / external_acl.cc
1
2 /*
3 * $Id$
4 *
5 * DEBUG: section 82 External ACL
6 * AUTHOR: Henrik Nordstrom, MARA Systems AB
7 *
8 * SQUID Web Proxy Cache http://www.squid-cache.org/
9 * ----------------------------------------------------------
10 *
11 * The contents of this file is Copyright (C) 2002 by MARA Systems AB,
12 * Sweden, unless otherwise is indicated in the specific function. The
13 * author gives his full permission to include this file into the Squid
14 * software product under the terms of the GNU General Public License as
15 * published by the Free Software Foundation; either version 2 of the
16 * License, or (at your option) any later version.
17 *
18 * Squid is the result of efforts by numerous individuals from
19 * the Internet community; see the CONTRIBUTORS file for full
20 * details. Many organizations have provided support for Squid's
21 * development; see the SPONSORS file for full details. Squid is
22 * Copyrighted (C) 2001 by the Regents of the University of
23 * California; see the COPYRIGHT file for full details. Squid
24 * incorporates software developed and/or copyrighted by other
25 * sources; see the CREDITS file for full details.
26 *
27 * This program is free software; you can redistribute it and/or modify
28 * it under the terms of the GNU General Public License as published by
29 * the Free Software Foundation; either version 2 of the License, or
30 * (at your option) any later version.
31 *
32 * This program is distributed in the hope that it will be useful,
33 * but WITHOUT ANY WARRANTY; without even the implied warranty of
34 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
35 * GNU General Public License for more details.
36 *
37 * You should have received a copy of the GNU General Public License
38 * along with this program; if not, write to the Free Software
39 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
40 *
41 */
42
43 #include "squid-old.h"
44 #include "mgr/Registration.h"
45 #include "ExternalACL.h"
46 #include "ExternalACLEntry.h"
47 #if USE_AUTH
48 #include "auth/Acl.h"
49 #include "auth/Gadgets.h"
50 #include "auth/UserRequest.h"
51 #endif
52 #include "SquidTime.h"
53 #include "Store.h"
54 #include "fde.h"
55 #include "acl/FilledChecklist.h"
56 #include "acl/Acl.h"
57 #if USE_IDENT
58 #include "ident/AclIdent.h"
59 #endif
60 #include "ip/tools.h"
61 #include "client_side.h"
62 #include "comm/Connection.h"
63 #include "HttpRequest.h"
64 #include "HttpReply.h"
65 #include "helper.h"
66 #include "MemBuf.h"
67 #include "rfc1738.h"
68 #include "URLScheme.h"
69 #include "wordlist.h"
70 #if USE_SSL
71 #include "ssl/support.h"
72 #endif
73
74 #ifndef DEFAULT_EXTERNAL_ACL_TTL
75 #define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60
76 #endif
77 #ifndef DEFAULT_EXTERNAL_ACL_CHILDREN
78 #define DEFAULT_EXTERNAL_ACL_CHILDREN 5
79 #endif
80
81 typedef struct _external_acl_format external_acl_format;
82
83 static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data);
84 static void external_acl_cache_delete(external_acl * def, external_acl_entry * entry);
85 static int external_acl_entry_expired(external_acl * def, external_acl_entry * entry);
86 static int external_acl_grace_expired(external_acl * def, external_acl_entry * entry);
87 static void external_acl_cache_touch(external_acl * def, external_acl_entry * entry);
88 static external_acl_entry *external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data);
89
90 /******************************************************************
91 * external_acl directive
92 */
93
94 class external_acl
95 {
96
97 public:
98 external_acl *next;
99
100 void add(ExternalACLEntry *);
101
102 void trimCache();
103
104 int ttl;
105
106 int negative_ttl;
107
108 int grace;
109
110 char *name;
111
112 external_acl_format *format;
113
114 wordlist *cmdline;
115
116 HelperChildConfig children;
117
118 helper *theHelper;
119
120 hash_table *cache;
121
122 dlink_list lru_list;
123
124 int cache_size;
125
126 int cache_entries;
127
128 dlink_list queue;
129
130 #if USE_AUTH
131 /**
132 * Configuration flag. May only be altered by the configuration parser.
133 *
134 * Indicates that all uses of this external_acl_type helper require authentication
135 * details to be processed. If none are available its a fail match.
136 */
137 bool require_auth;
138 #endif
139
140 enum {
141 QUOTE_METHOD_SHELL = 1,
142 QUOTE_METHOD_URL
143 } quote;
144
145 Ip::Address local_addr;
146 };
147
148 struct _external_acl_format {
149 enum format_type {
150 EXT_ACL_UNKNOWN,
151 #if USE_AUTH
152 EXT_ACL_LOGIN,
153 #endif
154 #if USE_IDENT
155 EXT_ACL_IDENT,
156 #endif
157 EXT_ACL_SRC,
158 EXT_ACL_SRCPORT,
159 #if USE_SQUID_EUI
160 EXT_ACL_SRCEUI48,
161 EXT_ACL_SRCEUI64,
162 #endif
163 EXT_ACL_MYADDR,
164 EXT_ACL_MYPORT,
165 EXT_ACL_URI,
166 EXT_ACL_DST,
167 EXT_ACL_PROTO,
168 EXT_ACL_PORT,
169 EXT_ACL_PATH,
170 EXT_ACL_METHOD,
171
172 EXT_ACL_HEADER_REQUEST,
173 EXT_ACL_HEADER_REQUEST_MEMBER,
174 EXT_ACL_HEADER_REQUEST_ID,
175 EXT_ACL_HEADER_REQUEST_ID_MEMBER,
176
177 EXT_ACL_HEADER_REPLY,
178 EXT_ACL_HEADER_REPLY_MEMBER,
179 EXT_ACL_HEADER_REPLY_ID,
180 EXT_ACL_HEADER_REPLY_ID_MEMBER,
181
182 #if USE_SSL
183 EXT_ACL_USER_CERT,
184 EXT_ACL_CA_CERT,
185 EXT_ACL_USER_CERT_RAW,
186 EXT_ACL_USER_CERTCHAIN_RAW,
187 #endif
188 #if USE_AUTH
189 EXT_ACL_EXT_USER,
190 #endif
191 EXT_ACL_EXT_LOG,
192 EXT_ACL_TAG,
193 EXT_ACL_PERCENT,
194 EXT_ACL_END
195 } type;
196 external_acl_format *next;
197 char *header;
198 char *member;
199 char separator;
200 http_hdr_type header_id;
201 };
202
203 /* FIXME: These are not really cbdata, but it is an easy way
204 * to get them pooled, refcounted, accounted and freed properly...
205 */
206 CBDATA_TYPE(external_acl);
207 CBDATA_TYPE(external_acl_format);
208
209 static void
210 free_external_acl_format(void *data)
211 {
212 external_acl_format *p = static_cast<external_acl_format *>(data);
213 safe_free(p->header);
214 }
215
216 static void
217 free_external_acl(void *data)
218 {
219 external_acl *p = static_cast<external_acl *>(data);
220 safe_free(p->name);
221
222 while (p->format) {
223 external_acl_format *f = p->format;
224 p->format = f->next;
225 cbdataFree(f);
226 }
227
228 wordlistDestroy(&p->cmdline);
229
230 if (p->theHelper) {
231 helperShutdown(p->theHelper);
232 delete p->theHelper;
233 p->theHelper = NULL;
234 }
235
236 while (p->lru_list.tail)
237 external_acl_cache_delete(p, static_cast<external_acl_entry *>(p->lru_list.tail->data));
238 if (p->cache)
239 hashFreeMemory(p->cache);
240 }
241
242 /**
243 * Parse the External ACL format %<{.*} and %>{.*} token(s) to pass a specific
244 * request or reply header to external helper.
245 *
246 \param header - the token being parsed (without the identifying prefix)
247 \param type - format enum identifier for this element, pulled from identifying prefix
248 \param format - structure to contain all the info about this format element.
249 */
250 void
251 parse_header_token(external_acl_format *format, char *header, const _external_acl_format::format_type type)
252 {
253 /* header format */
254 char *member, *end;
255
256 /** Cut away the closing brace */
257 end = strchr(header, '}');
258 if (end && strlen(end) == 1)
259 *end = '\0';
260 else
261 self_destruct();
262
263 member = strchr(header, ':');
264
265 if (member) {
266 /* Split in header and member */
267 *member++ = '\0';
268
269 if (!xisalnum(*member))
270 format->separator = *member++;
271 else
272 format->separator = ',';
273
274 format->member = xstrdup(member);
275
276 if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST)
277 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER;
278 else
279 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER;
280 } else {
281 format->type = type;
282 }
283
284 format->header = xstrdup(header);
285 format->header_id = httpHeaderIdByNameDef(header, strlen(header));
286
287 if (format->header_id != -1) {
288 if (member) {
289 if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST)
290 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER;
291 else
292 format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER;
293 } else {
294 if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST)
295 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID;
296 else
297 format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID;
298 }
299 }
300 }
301
302 void
303 parse_externalAclHelper(external_acl ** list)
304 {
305 external_acl *a;
306 char *token;
307 external_acl_format **p;
308
309 CBDATA_INIT_TYPE_FREECB(external_acl, free_external_acl);
310 CBDATA_INIT_TYPE_FREECB(external_acl_format, free_external_acl_format);
311
312 a = cbdataAlloc(external_acl);
313
314 /* set defaults */
315 a->ttl = DEFAULT_EXTERNAL_ACL_TTL;
316 a->negative_ttl = -1;
317 a->cache_size = 256*1024;
318 a->children.n_max = DEFAULT_EXTERNAL_ACL_CHILDREN;
319 a->children.n_startup = a->children.n_max;
320 a->children.n_idle = 1;
321 a->local_addr.SetLocalhost();
322 a->quote = external_acl::QUOTE_METHOD_URL;
323
324 token = strtok(NULL, w_space);
325
326 if (!token)
327 self_destruct();
328
329 a->name = xstrdup(token);
330
331 token = strtok(NULL, w_space);
332
333 /* Parse options */
334 while (token) {
335 if (strncmp(token, "ttl=", 4) == 0) {
336 a->ttl = atoi(token + 4);
337 } else if (strncmp(token, "negative_ttl=", 13) == 0) {
338 a->negative_ttl = atoi(token + 13);
339 } else if (strncmp(token, "children=", 9) == 0) {
340 a->children.n_max = atoi(token + 9);
341 debugs(0, 0, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N");
342 } else if (strncmp(token, "children-max=", 13) == 0) {
343 a->children.n_max = atoi(token + 13);
344 } else if (strncmp(token, "children-startup=", 17) == 0) {
345 a->children.n_startup = atoi(token + 17);
346 } else if (strncmp(token, "children-idle=", 14) == 0) {
347 a->children.n_idle = atoi(token + 14);
348 } else if (strncmp(token, "concurrency=", 12) == 0) {
349 a->children.concurrency = atoi(token + 12);
350 } else if (strncmp(token, "cache=", 6) == 0) {
351 a->cache_size = atoi(token + 6);
352 } else if (strncmp(token, "grace=", 6) == 0) {
353 a->grace = atoi(token + 6);
354 } else if (strcmp(token, "protocol=2.5") == 0) {
355 a->quote = external_acl::QUOTE_METHOD_SHELL;
356 } else if (strcmp(token, "protocol=3.0") == 0) {
357 a->quote = external_acl::QUOTE_METHOD_URL;
358 } else if (strcmp(token, "quote=url") == 0) {
359 a->quote = external_acl::QUOTE_METHOD_URL;
360 } else if (strcmp(token, "quote=shell") == 0) {
361 a->quote = external_acl::QUOTE_METHOD_SHELL;
362
363 /* INET6: allow admin to configure some helpers explicitly to
364 bind to IPv4/v6 localhost port. */
365 } else if (strcmp(token, "ipv4") == 0) {
366 if ( !a->local_addr.SetIPv4() ) {
367 debugs(3, 0, "WARNING: Error converting " << a->local_addr << " to IPv4 in " << a->name );
368 }
369 } else if (strcmp(token, "ipv6") == 0) {
370 if (!Ip::EnableIpv6)
371 debugs(3, 0, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a->name );
372 // else nothing to do.
373 } else {
374 break;
375 }
376
377 token = strtok(NULL, w_space);
378 }
379
380 /* check that child startup value is sane. */
381 if (a->children.n_startup > a->children.n_max)
382 a->children.n_startup = a->children.n_max;
383
384 /* check that child idle value is sane. */
385 if (a->children.n_idle > a->children.n_max)
386 a->children.n_idle = a->children.n_max;
387 if (a->children.n_idle < 1)
388 a->children.n_idle = 1;
389
390 if (a->negative_ttl == -1)
391 a->negative_ttl = a->ttl;
392
393 /* Parse format */
394 p = &a->format;
395
396 while (token) {
397 external_acl_format *format;
398
399 /* stop on first non-format token found */
400
401 if (*token != '%')
402 break;
403
404 format = cbdataAlloc(external_acl_format);
405
406 if (strncmp(token, "%{", 2) == 0) {
407 // deprecated. but assume the old configs all referred to request headers.
408 debugs(82, DBG_IMPORTANT, "WARNING: external_acl_type format %{...} is being replaced by %>{...} for : " << token);
409 parse_header_token(format, (token+2), _external_acl_format::EXT_ACL_HEADER_REQUEST);
410 } else if (strncmp(token, "%>{", 3) == 0) {
411 parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REQUEST);
412 } else if (strncmp(token, "%<{", 3) == 0) {
413 parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REPLY);
414 #if USE_AUTH
415 } else if (strcmp(token, "%LOGIN") == 0) {
416 format->type = _external_acl_format::EXT_ACL_LOGIN;
417 a->require_auth = true;
418 #endif
419 }
420
421 #if USE_IDENT
422 else if (strcmp(token, "%IDENT") == 0)
423 format->type = _external_acl_format::EXT_ACL_IDENT;
424
425 #endif
426
427 else if (strcmp(token, "%SRC") == 0)
428 format->type = _external_acl_format::EXT_ACL_SRC;
429 else if (strcmp(token, "%SRCPORT") == 0)
430 format->type = _external_acl_format::EXT_ACL_SRCPORT;
431 #if USE_SQUID_EUI
432 else if (strcmp(token, "%SRCEUI48") == 0)
433 format->type = _external_acl_format::EXT_ACL_SRCEUI48;
434 else if (strcmp(token, "%SRCEUI64") == 0)
435 format->type = _external_acl_format::EXT_ACL_SRCEUI64;
436 #endif
437 else if (strcmp(token, "%MYADDR") == 0)
438 format->type = _external_acl_format::EXT_ACL_MYADDR;
439 else if (strcmp(token, "%MYPORT") == 0)
440 format->type = _external_acl_format::EXT_ACL_MYPORT;
441 else if (strcmp(token, "%URI") == 0)
442 format->type = _external_acl_format::EXT_ACL_URI;
443 else if (strcmp(token, "%DST") == 0)
444 format->type = _external_acl_format::EXT_ACL_DST;
445 else if (strcmp(token, "%PROTO") == 0)
446 format->type = _external_acl_format::EXT_ACL_PROTO;
447 else if (strcmp(token, "%PORT") == 0)
448 format->type = _external_acl_format::EXT_ACL_PORT;
449 else if (strcmp(token, "%PATH") == 0)
450 format->type = _external_acl_format::EXT_ACL_PATH;
451 else if (strcmp(token, "%METHOD") == 0)
452 format->type = _external_acl_format::EXT_ACL_METHOD;
453
454 #if USE_SSL
455 else if (strcmp(token, "%USER_CERT") == 0)
456 format->type = _external_acl_format::EXT_ACL_USER_CERT_RAW;
457 else if (strcmp(token, "%USER_CERTCHAIN") == 0)
458 format->type = _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW;
459 else if (strncmp(token, "%USER_CERT_", 11) == 0) {
460 format->type = _external_acl_format::EXT_ACL_USER_CERT;
461 format->header = xstrdup(token + 11);
462 } else if (strncmp(token, "%CA_CERT_", 11) == 0) {
463 format->type = _external_acl_format::EXT_ACL_USER_CERT;
464 format->header = xstrdup(token + 11);
465 }
466 #endif
467 #if USE_AUTH
468 else if (strcmp(token, "%EXT_USER") == 0)
469 format->type = _external_acl_format::EXT_ACL_EXT_USER;
470 #endif
471 else if (strcmp(token, "%EXT_LOG") == 0)
472 format->type = _external_acl_format::EXT_ACL_EXT_LOG;
473 else if (strcmp(token, "%TAG") == 0)
474 format->type = _external_acl_format::EXT_ACL_TAG;
475 else if (strcmp(token, "%%") == 0)
476 format->type = _external_acl_format::EXT_ACL_PERCENT;
477 else {
478 debugs(0,0, "ERROR: Unknown Format token " << token);
479 self_destruct();
480 }
481
482 *p = format;
483 p = &format->next;
484 token = strtok(NULL, w_space);
485 }
486
487 /* There must be at least one format token */
488 if (!a->format)
489 self_destruct();
490
491 /* helper */
492 if (!token)
493 self_destruct();
494
495 wordlistAdd(&a->cmdline, token);
496
497 /* arguments */
498 parse_wordlist(&a->cmdline);
499
500 while (*list)
501 list = &(*list)->next;
502
503 *list = a;
504 }
505
506 void
507 dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl * list)
508 {
509 const external_acl *node;
510 const external_acl_format *format;
511 const wordlist *word;
512
513 for (node = list; node; node = node->next) {
514 storeAppendPrintf(sentry, "%s %s", name, node->name);
515
516 if (!node->local_addr.IsIPv6())
517 storeAppendPrintf(sentry, " ipv4");
518 else
519 storeAppendPrintf(sentry, " ipv6");
520
521 if (node->ttl != DEFAULT_EXTERNAL_ACL_TTL)
522 storeAppendPrintf(sentry, " ttl=%d", node->ttl);
523
524 if (node->negative_ttl != node->ttl)
525 storeAppendPrintf(sentry, " negative_ttl=%d", node->negative_ttl);
526
527 if (node->grace)
528 storeAppendPrintf(sentry, " grace=%d", node->grace);
529
530 if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN)
531 storeAppendPrintf(sentry, " children-max=%d", node->children.n_max);
532
533 if (node->children.n_startup != 1)
534 storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup);
535
536 if (node->children.n_idle != (node->children.n_max + node->children.n_startup) )
537 storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle);
538
539 if (node->children.concurrency)
540 storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency);
541
542 if (node->cache)
543 storeAppendPrintf(sentry, " cache=%d", node->cache_size);
544
545 for (format = node->format; format; format = format->next) {
546 switch (format->type) {
547
548 case _external_acl_format::EXT_ACL_HEADER_REQUEST:
549 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID:
550 storeAppendPrintf(sentry, " %%>{%s}", format->header);
551 break;
552
553 case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER:
554 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER:
555 storeAppendPrintf(sentry, " %%>{%s:%s}", format->header, format->member);
556 break;
557
558 case _external_acl_format::EXT_ACL_HEADER_REPLY:
559 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID:
560 storeAppendPrintf(sentry, " %%<{%s}", format->header);
561 break;
562
563 case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER:
564 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER:
565 storeAppendPrintf(sentry, " %%<{%s:%s}", format->header, format->member);
566 break;
567 #define DUMP_EXT_ACL_TYPE(a) \
568 case _external_acl_format::EXT_ACL_##a: \
569 storeAppendPrintf(sentry, " %%%s", #a); \
570 break
571 #if USE_AUTH
572 DUMP_EXT_ACL_TYPE(LOGIN);
573 #endif
574 #if USE_IDENT
575
576 DUMP_EXT_ACL_TYPE(IDENT);
577 #endif
578
579 DUMP_EXT_ACL_TYPE(SRC);
580 DUMP_EXT_ACL_TYPE(SRCPORT);
581 #if USE_SQUID_EUI
582 DUMP_EXT_ACL_TYPE(SRCEUI48);
583 DUMP_EXT_ACL_TYPE(SRCEUI64);
584 #endif
585
586 DUMP_EXT_ACL_TYPE(MYADDR);
587 DUMP_EXT_ACL_TYPE(MYPORT);
588 DUMP_EXT_ACL_TYPE(URI);
589 DUMP_EXT_ACL_TYPE(DST);
590 DUMP_EXT_ACL_TYPE(PROTO);
591 DUMP_EXT_ACL_TYPE(PORT);
592 DUMP_EXT_ACL_TYPE(PATH);
593 DUMP_EXT_ACL_TYPE(METHOD);
594 #if USE_SSL
595
596 case _external_acl_format::EXT_ACL_USER_CERT_RAW:
597 storeAppendPrintf(sentry, " %%USER_CERT");
598 break;
599
600 case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW:
601 storeAppendPrintf(sentry, " %%USER_CERTCHAIN");
602 break;
603
604 case _external_acl_format::EXT_ACL_USER_CERT:
605 storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header);
606 break;
607
608 case _external_acl_format::EXT_ACL_CA_CERT:
609 storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header);
610 break;
611 #endif
612 #if USE_AUTH
613 DUMP_EXT_ACL_TYPE(EXT_USER);
614 #endif
615 DUMP_EXT_ACL_TYPE(EXT_LOG);
616 DUMP_EXT_ACL_TYPE(TAG);
617 default:
618 fatal("unknown external_acl format error");
619 break;
620 }
621 }
622
623 for (word = node->cmdline; word; word = word->next)
624 storeAppendPrintf(sentry, " %s", word->key);
625
626 storeAppendPrintf(sentry, "\n");
627 }
628 }
629
630 void
631 free_externalAclHelper(external_acl ** list)
632 {
633 while (*list) {
634 external_acl *node = *list;
635 *list = node->next;
636 node->next = NULL;
637 cbdataFree(node);
638 }
639 }
640
641 static external_acl *
642 find_externalAclHelper(const char *name)
643 {
644 external_acl *node;
645
646 for (node = Config.externalAclHelperList; node; node = node->next) {
647 if (strcmp(node->name, name) == 0)
648 return node;
649 }
650
651 return NULL;
652 }
653
654 void
655 external_acl::add(ExternalACLEntry *anEntry)
656 {
657 trimCache();
658 assert (anEntry->def == NULL);
659 anEntry->def = this;
660 hash_join(cache, anEntry);
661 dlinkAdd(anEntry, &anEntry->lru, &lru_list);
662 cache_entries++;
663 }
664
665 void
666 external_acl::trimCache()
667 {
668 if (cache_size && cache_entries >= cache_size)
669 external_acl_cache_delete(this, static_cast<external_acl_entry *>(lru_list.tail->data));
670 }
671
672
673 /******************************************************************
674 * external acl type
675 */
676
677 struct _external_acl_data {
678 external_acl *def;
679 wordlist *arguments;
680 };
681
682 CBDATA_TYPE(external_acl_data);
683 static void
684 free_external_acl_data(void *data)
685 {
686 external_acl_data *p = static_cast<external_acl_data *>(data);
687 wordlistDestroy(&p->arguments);
688 cbdataReferenceDone(p->def);
689 }
690
691 void
692 ACLExternal::parse()
693 {
694 char *token;
695
696 if (data)
697 self_destruct();
698
699 CBDATA_INIT_TYPE_FREECB(external_acl_data, free_external_acl_data);
700
701 data = cbdataAlloc(external_acl_data);
702
703 token = strtok(NULL, w_space);
704
705 if (!token)
706 self_destruct();
707
708 data->def = cbdataReference(find_externalAclHelper(token));
709
710 if (!data->def)
711 self_destruct();
712
713 while ((token = strtokFile())) {
714 wordlistAdd(&data->arguments, token);
715 }
716 }
717
718 bool
719 ACLExternal::valid () const
720 {
721 #if USE_AUTH
722 if (data->def->require_auth) {
723 if (authenticateSchemeCount() == 0) {
724 debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
725 return false;
726 }
727
728 if (authenticateActiveSchemeCount() == 0) {
729 debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
730 return false;
731 }
732 }
733 #endif
734
735 return true;
736 }
737
738 bool
739 ACLExternal::empty () const
740 {
741 return false;
742 }
743
744 ACLExternal::~ACLExternal()
745 {
746 cbdataFree(data);
747 safe_free (class_);
748 }
749
750 static void
751 copyResultsFromEntry(HttpRequest *req, external_acl_entry *entry)
752 {
753 if (req) {
754 #if USE_AUTH
755 if (entry->user.size())
756 req->extacl_user = entry->user;
757
758 if (entry->password.size())
759 req->extacl_passwd = entry->password;
760 #endif
761 if (!req->tag.size())
762 req->tag = entry->tag;
763
764 if (entry->log.size())
765 req->extacl_log = entry->log;
766
767 if (entry->message.size())
768 req->extacl_message = entry->message;
769 }
770 }
771
772 static allow_t
773 aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch)
774 {
775 const char *key = "";
776 debugs(82, 9, HERE << "acl=\"" << acl->def->name << "\"");
777 external_acl_entry *entry = ch->extacl_entry;
778
779 if (entry) {
780 if (cbdataReferenceValid(entry) && entry->def == acl->def) {
781 /* Ours, use it.. if the key matches */
782 key = makeExternalAclKey(ch, acl);
783 if (strcmp(key, (char*)entry->key) != 0) {
784 debugs(82, 9, HERE << "entry key='" << (char *)entry->key << "', our key='" << key << "' dont match. Discarded.");
785 // too bad. need a new lookup.
786 cbdataReferenceDone(ch->extacl_entry);
787 entry = NULL;
788 }
789 } else {
790 /* Not valid, or not ours.. get rid of it */
791 debugs(82, 9, HERE << "entry " << entry << " not valid or not ours. Discarded.");
792 if (entry) {
793 debugs(82, 9, HERE << "entry def=" << entry->def << ", our def=" << acl->def);
794 key = makeExternalAclKey(ch, acl);
795 debugs(82, 9, HERE << "entry key='" << (char *)entry->key << "', our key='" << key << "'");
796 }
797 cbdataReferenceDone(ch->extacl_entry);
798 entry = NULL;
799 }
800 }
801
802 external_acl_message = "MISSING REQUIRED INFORMATION";
803
804 if (!entry) {
805 debugs(82, 9, HERE << "No helper entry available");
806 #if USE_AUTH
807 if (acl->def->require_auth) {
808 int ti = AuthenticateAcl(ch);
809 /* Make sure the user is authenticated */
810 debugs(82, 3, HERE << acl->def->name << " check user authenticated.");
811 if (ti != 1) {
812 debugs(82, 2, HERE << acl->def->name << " user not authenticated (" << ti << ")");
813 return ACCESS_AUTH_REQUIRED;
814 }
815 debugs(82, 3, HERE << acl->def->name << " user is authenticated.");
816 }
817 #endif
818 key = makeExternalAclKey(ch, acl);
819
820 if (!key) {
821 /* Not sufficient data to process */
822 return ACCESS_DUNNO;
823 }
824
825 entry = static_cast<external_acl_entry *>(hash_lookup(acl->def->cache, key));
826
827 if (!entry || external_acl_grace_expired(acl->def, entry)) {
828 debugs(82, 2, HERE << acl->def->name << "(\"" << key << "\") = lookup needed");
829 debugs(82, 2, HERE << "\"" << key << "\": entry=@" <<
830 entry << ", age=" << (entry ? (long int) squid_curtime - entry->date : 0));
831
832 if (acl->def->theHelper->stats.queue_size <= (int)acl->def->theHelper->childs.n_active) {
833 debugs(82, 2, HERE << "\"" << key << "\": queueing a call.");
834 ch->changeState(ExternalACLLookup::Instance());
835 debugs(82, 2, HERE << "\"" << key << "\": return -1.");
836 return ACCESS_DUNNO; // to get here we have to have an expired cache entry. MUST not use.
837 } else {
838 if (!entry) {
839 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
840 "' queue overload. Request rejected '" << key << "'.");
841 external_acl_message = "SYSTEM TOO BUSY, TRY AGAIN LATER";
842 return ACCESS_DUNNO;
843 } else {
844 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
845 "' queue overload. Using stale result. '" << key << "'.");
846 /* Fall thru to processing below */
847 }
848 }
849 }
850 }
851
852 external_acl_cache_touch(acl->def, entry);
853 external_acl_message = entry->message.termedBuf();
854
855 debugs(82, 2, HERE << acl->def->name << " = " << entry->result);
856 copyResultsFromEntry(ch->request, entry);
857 return entry->result;
858 }
859
860 int
861 ACLExternal::match(ACLChecklist *checklist)
862 {
863 allow_t answer = aclMatchExternal(data, Filled(checklist));
864 checklist->currentAnswer(answer);
865
866 // convert to tri-state ACL match 1,0,-1
867 switch (answer) {
868 case ACCESS_ALLOWED:
869 case ACCESS_AUTH_EXPIRED_OK:
870 return 1; // match
871
872 case ACCESS_DENIED:
873 case ACCESS_AUTH_EXPIRED_BAD:
874 return 0; // non-match
875
876 case ACCESS_DUNNO:
877 case ACCESS_AUTH_REQUIRED:
878 default:
879 return -1; // other
880 }
881 }
882
883 wordlist *
884 ACLExternal::dump() const
885 {
886 external_acl_data const *acl = data;
887 wordlist *result = NULL;
888 wordlist *arg;
889 MemBuf mb;
890 mb.init();
891 mb.Printf("%s", acl->def->name);
892
893 for (arg = acl->arguments; arg; arg = arg->next) {
894 mb.Printf(" %s", arg->key);
895 }
896
897 wordlistAdd(&result, mb.buf);
898 mb.clean();
899 return result;
900 }
901
902 /******************************************************************
903 * external_acl cache
904 */
905
906 static void
907 external_acl_cache_touch(external_acl * def, external_acl_entry * entry)
908 {
909 // this must not be done when nothing is being cached.
910 if (def->cache_size <= 0 || (def->ttl <= 0 && entry->result == 1) || (def->negative_ttl <= 0 && entry->result != 1))
911 return;
912
913 dlinkDelete(&entry->lru, &def->lru_list);
914 dlinkAdd(entry, &entry->lru, &def->lru_list);
915 }
916
917 static char *
918 makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
919 {
920 static MemBuf mb;
921 char buf[256];
922 int first = 1;
923 wordlist *arg;
924 external_acl_format *format;
925 HttpRequest *request = ch->request;
926 HttpReply *reply = ch->reply;
927 mb.reset();
928
929 for (format = acl_data->def->format; format; format = format->next) {
930 const char *str = NULL;
931 String sb;
932
933 switch (format->type) {
934 #if USE_AUTH
935 case _external_acl_format::EXT_ACL_LOGIN:
936 // if this ACL line was the cause of credentials fetch
937 // they may not already be in the checklist
938 if (ch->auth_user_request == NULL && ch->request)
939 ch->auth_user_request = ch->request->auth_user_request;
940
941 if (ch->auth_user_request != NULL)
942 str = ch->auth_user_request->username();
943 break;
944 #endif
945 #if USE_IDENT
946 case _external_acl_format::EXT_ACL_IDENT:
947 str = ch->rfc931;
948
949 if (!str || !*str) {
950 ch->changeState(IdentLookup::Instance());
951 return NULL;
952 }
953
954 break;
955 #endif
956
957 case _external_acl_format::EXT_ACL_SRC:
958 str = ch->src_addr.NtoA(buf,sizeof(buf));
959 break;
960
961 case _external_acl_format::EXT_ACL_SRCPORT:
962 snprintf(buf, sizeof(buf), "%d", request->client_addr.GetPort());
963 str = buf;
964 break;
965
966 #if USE_SQUID_EUI
967 case _external_acl_format::EXT_ACL_SRCEUI48:
968 if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL &&
969 request->clientConnectionManager->clientConnection->remoteEui48.encode(buf, sizeof(buf)))
970 str = buf;
971 break;
972
973 case _external_acl_format::EXT_ACL_SRCEUI64:
974 if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL &&
975 request->clientConnectionManager->clientConnection->remoteEui64.encode(buf, sizeof(buf)))
976 str = buf;
977 break;
978 #endif
979
980 case _external_acl_format::EXT_ACL_MYADDR:
981 str = request->my_addr.NtoA(buf, sizeof(buf));
982 break;
983
984 case _external_acl_format::EXT_ACL_MYPORT:
985 snprintf(buf, sizeof(buf), "%d", request->my_addr.GetPort());
986 str = buf;
987 break;
988
989 case _external_acl_format::EXT_ACL_URI:
990 str = urlCanonical(request);
991 break;
992
993 case _external_acl_format::EXT_ACL_DST:
994 str = request->GetHost();
995 break;
996
997 case _external_acl_format::EXT_ACL_PROTO:
998 str = AnyP::ProtocolType_str[request->protocol];
999 break;
1000
1001 case _external_acl_format::EXT_ACL_PORT:
1002 snprintf(buf, sizeof(buf), "%d", request->port);
1003 str = buf;
1004 break;
1005
1006 case _external_acl_format::EXT_ACL_PATH:
1007 str = request->urlpath.termedBuf();
1008 break;
1009
1010 case _external_acl_format::EXT_ACL_METHOD:
1011 str = RequestMethodStr(request->method);
1012 break;
1013
1014 case _external_acl_format::EXT_ACL_HEADER_REQUEST:
1015 sb = request->header.getByName(format->header);
1016 str = sb.termedBuf();
1017 break;
1018
1019 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID:
1020 sb = request->header.getStrOrList(format->header_id);
1021 str = sb.termedBuf();
1022 break;
1023
1024 case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER:
1025 sb = request->header.getByNameListMember(format->header, format->member, format->separator);
1026 str = sb.termedBuf();
1027 break;
1028
1029 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER:
1030 sb = request->header.getListMember(format->header_id, format->member, format->separator);
1031 str = sb.termedBuf();
1032 break;
1033
1034 case _external_acl_format::EXT_ACL_HEADER_REPLY:
1035 if (reply) {
1036 sb = reply->header.getByName(format->header);
1037 str = sb.termedBuf();
1038 }
1039 break;
1040
1041 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID:
1042 if (reply) {
1043 sb = reply->header.getStrOrList(format->header_id);
1044 str = sb.termedBuf();
1045 }
1046 break;
1047
1048 case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER:
1049 if (reply) {
1050 sb = reply->header.getByNameListMember(format->header, format->member, format->separator);
1051 str = sb.termedBuf();
1052 }
1053 break;
1054
1055 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER:
1056 if (reply) {
1057 sb = reply->header.getListMember(format->header_id, format->member, format->separator);
1058 str = sb.termedBuf();
1059 }
1060 break;
1061 #if USE_SSL
1062
1063 case _external_acl_format::EXT_ACL_USER_CERT_RAW:
1064
1065 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1066 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
1067
1068 if (ssl)
1069 str = sslGetUserCertificatePEM(ssl);
1070 }
1071
1072 break;
1073
1074 case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW:
1075
1076 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1077 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
1078
1079 if (ssl)
1080 str = sslGetUserCertificateChainPEM(ssl);
1081 }
1082
1083 break;
1084
1085 case _external_acl_format::EXT_ACL_USER_CERT:
1086
1087 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1088 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
1089
1090 if (ssl)
1091 str = sslGetUserAttribute(ssl, format->header);
1092 }
1093
1094 break;
1095
1096 case _external_acl_format::EXT_ACL_CA_CERT:
1097
1098 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1099 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
1100
1101 if (ssl)
1102 str = sslGetCAAttribute(ssl, format->header);
1103 }
1104
1105 break;
1106 #endif
1107 #if USE_AUTH
1108 case _external_acl_format::EXT_ACL_EXT_USER:
1109 str = request->extacl_user.termedBuf();
1110 break;
1111 #endif
1112 case _external_acl_format::EXT_ACL_EXT_LOG:
1113 str = request->extacl_log.termedBuf();
1114 break;
1115 case _external_acl_format::EXT_ACL_TAG:
1116 str = request->tag.termedBuf();
1117 break;
1118 case _external_acl_format::EXT_ACL_PERCENT:
1119 str = "%";
1120 break;
1121 case _external_acl_format::EXT_ACL_UNKNOWN:
1122
1123 case _external_acl_format::EXT_ACL_END:
1124 fatal("unknown external_acl format error");
1125 break;
1126 }
1127
1128 if (str)
1129 if (!*str)
1130 str = NULL;
1131
1132 if (!str)
1133 str = "-";
1134
1135 if (!first)
1136 mb.append(" ", 1);
1137
1138 if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) {
1139 const char *quoted = rfc1738_escape(str);
1140 mb.append(quoted, strlen(quoted));
1141 } else {
1142 strwordquote(&mb, str);
1143 }
1144
1145 sb.clean();
1146
1147 first = 0;
1148 }
1149
1150 for (arg = acl_data->arguments; arg; arg = arg->next) {
1151 if (!first)
1152 mb.append(" ", 1);
1153
1154 if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) {
1155 const char *quoted = rfc1738_escape(arg->key);
1156 mb.append(quoted, strlen(quoted));
1157 } else {
1158 strwordquote(&mb, arg->key);
1159 }
1160
1161 first = 0;
1162 }
1163
1164 return mb.buf;
1165 }
1166
1167 static int
1168 external_acl_entry_expired(external_acl * def, external_acl_entry * entry)
1169 {
1170 if (def->cache_size <= 0)
1171 return 1;
1172
1173 if (entry->date + (entry->result == 1 ? def->ttl : def->negative_ttl) < squid_curtime)
1174 return 1;
1175 else
1176 return 0;
1177 }
1178
1179 static int
1180 external_acl_grace_expired(external_acl * def, external_acl_entry * entry)
1181 {
1182 if (def->cache_size <= 0)
1183 return 1;
1184
1185 int ttl;
1186 ttl = entry->result == 1 ? def->ttl : def->negative_ttl;
1187 ttl = (ttl * (100 - def->grace)) / 100;
1188
1189 if (entry->date + ttl <= squid_curtime)
1190 return 1;
1191 else
1192 return 0;
1193 }
1194
1195 static external_acl_entry *
1196 external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data)
1197 {
1198 ExternalACLEntry *entry;
1199
1200 // do not bother caching this result if TTL is going to expire it immediately
1201 if (def->cache_size <= 0 || (def->ttl <= 0 && data.result == 1) || (def->negative_ttl <= 0 && data.result != 1)) {
1202 debugs(82,6, HERE);
1203 entry = new ExternalACLEntry;
1204 entry->key = xstrdup(key);
1205 entry->update(data);
1206 entry->def = def;
1207 return entry;
1208 }
1209
1210 entry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key));
1211 debugs(82, 2, "external_acl_cache_add: Adding '" << key << "' = " << data.result);
1212
1213 if (entry) {
1214 debugs(82, 3, "ExternalACLEntry::update: updating existing entry");
1215 entry->update(data);
1216 external_acl_cache_touch(def, entry);
1217
1218 return entry;
1219 }
1220
1221 entry = new ExternalACLEntry;
1222 entry->key = xstrdup(key);
1223 entry->update(data);
1224
1225 def->add(entry);
1226
1227 return entry;
1228 }
1229
1230 static void
1231 external_acl_cache_delete(external_acl * def, external_acl_entry * entry)
1232 {
1233 assert(def->cache_size > 0 && entry->def == def);
1234 hash_remove_link(def->cache, entry);
1235 dlinkDelete(&entry->lru, &def->lru_list);
1236 def->cache_entries -= 1;
1237 delete entry;
1238 }
1239
1240 /******************************************************************
1241 * external_acl helpers
1242 */
1243
1244 typedef struct _externalAclState externalAclState;
1245
1246 struct _externalAclState {
1247 EAH *callback;
1248 void *callback_data;
1249 char *key;
1250 external_acl *def;
1251 dlink_node list;
1252 externalAclState *queue;
1253 };
1254
1255 CBDATA_TYPE(externalAclState);
1256 static void
1257 free_externalAclState(void *data)
1258 {
1259 externalAclState *state = static_cast<externalAclState *>(data);
1260 safe_free(state->key);
1261 cbdataReferenceDone(state->callback_data);
1262 cbdataReferenceDone(state->def);
1263 }
1264
1265 /*
1266 * The helper program receives queries on stdin, one
1267 * per line, and must return the result on on stdout
1268 *
1269 * General result syntax:
1270 *
1271 * OK/ERR keyword=value ...
1272 *
1273 * Keywords:
1274 *
1275 * user= The users name (login)
1276 * message= Message describing the reason
1277 * tag= A string tag to be applied to the request that triggered the acl match.
1278 * applies to both OK and ERR responses.
1279 * Won't override existing request tags.
1280 * log= A string to be used in access logging
1281 *
1282 * Other keywords may be added to the protocol later
1283 *
1284 * value needs to be enclosed in quotes if it may contain whitespace, or
1285 * the whitespace escaped using \ (\ escaping obviously also applies to
1286 * any " characters)
1287 */
1288
1289 static void
1290 externalAclHandleReply(void *data, char *reply)
1291 {
1292 externalAclState *state = static_cast<externalAclState *>(data);
1293 externalAclState *next;
1294 char *status;
1295 char *token;
1296 char *value;
1297 char *t = NULL;
1298 ExternalACLEntryData entryData;
1299 entryData.result = ACCESS_DENIED;
1300 external_acl_entry *entry = NULL;
1301
1302 debugs(82, 2, "externalAclHandleReply: reply=\"" << reply << "\"");
1303
1304 if (reply) {
1305 status = strwordtok(reply, &t);
1306
1307 if (status && strcmp(status, "OK") == 0)
1308 entryData.result = ACCESS_ALLOWED;
1309
1310 while ((token = strwordtok(NULL, &t))) {
1311 value = strchr(token, '=');
1312
1313 if (value) {
1314 *value++ = '\0'; /* terminate the token, and move up to the value */
1315
1316 if (state->def->quote == external_acl::QUOTE_METHOD_URL)
1317 rfc1738_unescape(value);
1318
1319 if (strcmp(token, "message") == 0)
1320 entryData.message = value;
1321 else if (strcmp(token, "error") == 0)
1322 entryData.message = value;
1323 else if (strcmp(token, "tag") == 0)
1324 entryData.tag = value;
1325 else if (strcmp(token, "log") == 0)
1326 entryData.log = value;
1327 #if USE_AUTH
1328 else if (strcmp(token, "user") == 0)
1329 entryData.user = value;
1330 else if (strcmp(token, "password") == 0)
1331 entryData.password = value;
1332 else if (strcmp(token, "passwd") == 0)
1333 entryData.password = value;
1334 else if (strcmp(token, "login") == 0)
1335 entryData.user = value;
1336 #endif
1337 }
1338 }
1339 }
1340
1341 dlinkDelete(&state->list, &state->def->queue);
1342
1343 if (cbdataReferenceValid(state->def)) {
1344 if (reply)
1345 entry = external_acl_cache_add(state->def, state->key, entryData);
1346 else {
1347 external_acl_entry *oldentry = (external_acl_entry *)hash_lookup(state->def->cache, state->key);
1348
1349 if (oldentry)
1350 external_acl_cache_delete(state->def, oldentry);
1351 }
1352 }
1353
1354 do {
1355 void *cbdata;
1356 cbdataReferenceDone(state->def);
1357
1358 if (state->callback && cbdataReferenceValidDone(state->callback_data, &cbdata))
1359 state->callback(cbdata, entry);
1360
1361 next = state->queue;
1362
1363 cbdataFree(state);
1364
1365 state = next;
1366 } while (state);
1367 }
1368
1369 void
1370 ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me, EAH * callback, void *callback_data)
1371 {
1372 MemBuf buf;
1373 external_acl_data *acl = me->data;
1374 external_acl *def = acl->def;
1375 externalAclState *state;
1376 dlink_node *node;
1377 externalAclState *oldstate = NULL;
1378 bool graceful = 0;
1379
1380 ACLFilledChecklist *ch = Filled(checklist);
1381 #if USE_AUTH
1382 if (acl->def->require_auth) {
1383 int ti;
1384 /* Make sure the user is authenticated */
1385 debugs(82, 3, HERE << acl->def->name << " check user authenticated.");
1386
1387 if ((ti = AuthenticateAcl(ch)) != 1) {
1388 debugs(82, DBG_IMPORTANT, "WARNING: " << acl->def->name <<
1389 " user authentication failure (" << ti << ", ch=" << ch << ")");
1390 callback(callback_data, NULL);
1391 return;
1392 }
1393 debugs(82, 3, HERE << acl->def->name << " user is authenticated.");
1394 }
1395 #endif
1396
1397 const char *key = makeExternalAclKey(ch, acl);
1398
1399 if (!key) {
1400 debugs(82, 1, "externalAclLookup: lookup in '" << def->name <<
1401 "', prerequisit failure (ch=" << ch << ")");
1402 callback(callback_data, NULL);
1403 return;
1404 }
1405
1406 debugs(82, 2, "externalAclLookup: lookup in '" << def->name << "' for '" << key << "'");
1407
1408 external_acl_entry *entry = static_cast<external_acl_entry *>(hash_lookup(def->cache, key));
1409
1410 if (entry && external_acl_entry_expired(def, entry))
1411 entry = NULL;
1412
1413 /* Check for a pending lookup to hook into */
1414 // only possible if we are caching results.
1415 if (def->cache_size > 0) {
1416 for (node = def->queue.head; node; node = node->next) {
1417 externalAclState *oldstatetmp = static_cast<externalAclState *>(node->data);
1418
1419 if (strcmp(key, oldstatetmp->key) == 0) {
1420 oldstate = oldstatetmp;
1421 break;
1422 }
1423 }
1424 }
1425
1426 if (entry && external_acl_grace_expired(def, entry)) {
1427 if (oldstate) {
1428 debugs(82, 4, "externalAclLookup: in grace period, but already pending lookup ('" << key << "', ch=" << ch << ")");
1429 callback(callback_data, entry);
1430 return;
1431 } else {
1432 graceful = 1; // grace expired, (neg)ttl did not, and we must start a new lookup.
1433 }
1434 }
1435
1436 // The entry is in the cache, grace_ttl did not expired.
1437 if (!graceful && entry && !external_acl_grace_expired(def, entry)) {
1438 /* Should not really happen, but why not.. */
1439 callback(callback_data, entry);
1440 debugs(82, 4, "externalAclLookup: no lookup pending for '" << key << "', and grace not expired");
1441 debugs(82, 4, "externalAclLookup: (what tha' hell?)");
1442 return;
1443 }
1444
1445 /* No pending lookup found. Sumbit to helper */
1446 state = cbdataAlloc(externalAclState);
1447
1448 state->def = cbdataReference(def);
1449
1450 state->key = xstrdup(key);
1451
1452 if (!graceful) {
1453 state->callback = callback;
1454 state->callback_data = cbdataReference(callback_data);
1455 }
1456
1457 if (oldstate) {
1458 /* Hook into pending lookup */
1459 state->queue = oldstate->queue;
1460 oldstate->queue = state;
1461 } else {
1462 /* Check for queue overload */
1463
1464 if (def->theHelper->stats.queue_size >= (int)def->theHelper->childs.n_running) {
1465 debugs(82, 1, "externalAclLookup: '" << def->name << "' queue overload (ch=" << ch << ")");
1466 cbdataFree(state);
1467 callback(callback_data, entry);
1468 return;
1469 }
1470
1471 /* Send it off to the helper */
1472 buf.init();
1473
1474 buf.Printf("%s\n", key);
1475
1476 debugs(82, 4, "externalAclLookup: looking up for '" << key << "' in '" << def->name << "'.");
1477
1478 helperSubmit(def->theHelper, buf.buf, externalAclHandleReply, state);
1479
1480 dlinkAdd(state, &state->list, &def->queue);
1481
1482 buf.clean();
1483 }
1484
1485 if (graceful) {
1486 /* No need to wait during grace period */
1487 debugs(82, 4, "externalAclLookup: no need to wait for the result of '" <<
1488 key << "' in '" << def->name << "' (ch=" << ch << ").");
1489 debugs(82, 4, "externalAclLookup: using cached entry " << entry);
1490
1491 if (entry != NULL) {
1492 debugs(82, 4, "externalAclLookup: entry = { date=" <<
1493 (long unsigned int) entry->date <<
1494 ", result=" << entry->result <<
1495 " tag=" << entry->tag <<
1496 " log=" << entry->log << " }");
1497 #if USE_AUTH
1498 debugs(82, 4, "externalAclLookup: user=" << entry->user);
1499 #endif
1500 copyResultsFromEntry(ch->request, entry);
1501 }
1502
1503 callback(callback_data, entry);
1504 return;
1505 }
1506
1507 debugs(82, 4, "externalAclLookup: will wait for the result of '" << key <<
1508 "' in '" << def->name << "' (ch=" << ch << ").");
1509 }
1510
1511 static void
1512 externalAclStats(StoreEntry * sentry)
1513 {
1514 external_acl *p;
1515
1516 for (p = Config.externalAclHelperList; p; p = p->next) {
1517 storeAppendPrintf(sentry, "External ACL Statistics: %s\n", p->name);
1518 storeAppendPrintf(sentry, "Cache size: %d\n", p->cache->count);
1519 helperStats(sentry, p->theHelper);
1520 storeAppendPrintf(sentry, "\n");
1521 }
1522 }
1523
1524 static void
1525 externalAclRegisterWithCacheManager(void)
1526 {
1527 Mgr::RegisterAction("external_acl",
1528 "External ACL stats",
1529 externalAclStats, 0, 1);
1530 }
1531
1532 void
1533 externalAclInit(void)
1534 {
1535 static int firstTimeInit = 1;
1536 external_acl *p;
1537
1538 for (p = Config.externalAclHelperList; p; p = p->next) {
1539 if (!p->cache)
1540 p->cache = hash_create((HASHCMP *) strcmp, hashPrime(1024), hash4);
1541
1542 if (!p->theHelper)
1543 p->theHelper = new helper(p->name);
1544
1545 p->theHelper->cmdline = p->cmdline;
1546
1547 p->theHelper->childs.updateLimits(p->children);
1548
1549 p->theHelper->ipc_type = IPC_TCP_SOCKET;
1550
1551 p->theHelper->addr = p->local_addr;
1552
1553 helperOpenServers(p->theHelper);
1554 }
1555
1556 if (firstTimeInit) {
1557 firstTimeInit = 0;
1558 CBDATA_INIT_TYPE_FREECB(externalAclState, free_externalAclState);
1559 }
1560
1561 externalAclRegisterWithCacheManager();
1562 }
1563
1564 void
1565 externalAclShutdown(void)
1566 {
1567 external_acl *p;
1568
1569 for (p = Config.externalAclHelperList; p; p = p->next) {
1570 helperShutdown(p->theHelper);
1571 }
1572 }
1573
1574 ExternalACLLookup ExternalACLLookup::instance_;
1575 ExternalACLLookup *
1576 ExternalACLLookup::Instance()
1577 {
1578 return &instance_;
1579 }
1580
1581 void
1582 ExternalACLLookup::checkForAsync(ACLChecklist *checklist)const
1583 {
1584 /* TODO: optimise this - we probably have a pointer to this
1585 * around somewhere */
1586 ACL *acl = ACL::FindByName(AclMatchedName);
1587 assert(acl);
1588 ACLExternal *me = dynamic_cast<ACLExternal *> (acl);
1589 assert (me);
1590 checklist->asyncInProgress(true);
1591 ACLExternal::ExternalAclLookup(checklist, me, LookupDone, checklist);
1592 }
1593
1594 void
1595 ExternalACLLookup::LookupDone(void *data, void *result)
1596 {
1597 ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
1598 checklist->extacl_entry = cbdataReference((external_acl_entry *)result);
1599 checklist->asyncInProgress(false);
1600 checklist->changeState (ACLChecklist::NullState::Instance());
1601 checklist->matchNonBlocking();
1602 }
1603
1604 /* This registers "external" in the registry. To do dynamic definitions
1605 * of external ACL's, rather than a static prototype, have a Prototype instance
1606 * prototype in the class that defines each external acl 'class'.
1607 * Then, then the external acl instance is created, it self registers under
1608 * it's name.
1609 * Be sure that clone is fully functional for that acl class though!
1610 */
1611 ACL::Prototype ACLExternal::RegistryProtoype(&ACLExternal::RegistryEntry_, "external");
1612
1613 ACLExternal ACLExternal::RegistryEntry_("external");
1614
1615 ACL *
1616 ACLExternal::clone() const
1617 {
1618 return new ACLExternal(*this);
1619 }
1620
1621 ACLExternal::ACLExternal (char const *theClass) : data (NULL), class_ (xstrdup (theClass))
1622 {}
1623
1624 ACLExternal::ACLExternal (ACLExternal const & old) : data (NULL), class_ (old.class_ ? xstrdup (old.class_) : NULL)
1625 {
1626 /* we don't have copy constructors for the data yet */
1627 assert (!old.data);
1628 }
1629
1630 char const *
1631 ACLExternal::typeString() const
1632 {
1633 return class_;
1634 }
1635
1636 bool
1637 ACLExternal::isProxyAuth() const
1638 {
1639 #if USE_AUTH
1640 return data->def->require_auth;
1641 #else
1642 return false;
1643 #endif
1644 }
Mirror of https://github.com/squid-cache/squid.git