b67e2c8c | 1 | /* |
77b1029d | 2 | * Copyright (C) 1996-2020 The Squid Software Foundation and contributors |
b67e2c8c | 3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
b67e2c8c | 7 | */ |
8 | ||
9 | #ifndef SQUID_ACL_H | |
10 | #define SQUID_ACL_H | |
63be0a78 | 11 | |
6f58d7d7 | 12 | #include "acl/forward.h" |
4eac3407 | 13 | #include "acl/Options.h" |
aa839030 | 14 | #include "cbdata.h" |
582c2af2 | 15 | #include "defines.h" |
25b6a907 | 16 | #include "dlink.h" |
4eac3407 | 17 | #include "sbuf/forward.h" |
29b17d63 | 18 | |
06bf5384 | 19 | #include <algorithm> |
b1a20197 | 20 | #include <ostream> |
b1a20197 | 21 | |
class ConfigParser; // forward declaration: only used by reference, in ACL::ParseAclLine() below
8000a965 | 23 | |
namespace Acl {

/// the ACL type name known to admins
/// (a non-owning C string; who owns the characters is not visible here)
typedef const char *TypeName;
/// a "factory" function for making ACL objects (of some ACL child type)
/// NOTE(review): the returned ACL is a raw pointer; ownership presumably
/// passes to the caller (see ACL::next / aclRegister() comments) — confirm
typedef ACL *(*Maker)(TypeName typeName);
/// use the given ACL Maker for all ACLs of the named type
/// NOTE(review): a process-wide registry; what happens when the same
/// typeName is registered twice is not visible here — confirm in the .cc
void RegisterMaker(TypeName typeName, Maker maker);

} // namespace Acl
33810b1d | 34 | |
/// A configurable condition. A node in the ACL expression tree.
/// Can evaluate itself in FilledChecklist context.
/// Does not change during evaluation.
/// \ingroup ACLAPI
class ACL
{

public:
    // class-specific allocation; both are implemented out of line
    void *operator new(size_t);
    void operator delete(void *);

    /// parses one ACL definition from squid.conf using parser
    /// \param head presumably the list the parsed ACL is linked into (via ACL::next) — confirm
    static void ParseAclLine(ConfigParser &parser, ACL ** head);
    static void Initialize();
    /// \returns the ACL registered under the given name; nil-on-miss is presumed — confirm
    static ACL *FindByName(const char *name);

    ACL();
    virtual ~ACL();

    /// sets user-specified ACL name and squid.conf context
    /// NOTE(review): name[] below is a fixed-size buffer (ACL_NAME_SZ), so the
    /// implementation must bound the copy of `name` — confirm in the .cc
    void context(const char *name, const char *configuration);

    /// Orchestrates matching checklist against the ACL using match(),
    /// after checking preconditions and while providing debugging.
    /// \return true if and only if there was a successful match.
    /// Updates the checklist state on match, async, and failure.
    /// (const: the ACL itself does not change during evaluation; see class comment)
    bool matches(ACLChecklist *checklist) const;

    /// \returns (linked) Options supported by this ACL
    /// (the default is Acl::NoOptions(); ACL types with options override this)
    virtual const Acl::Options &options() { return Acl::NoOptions(); }

    /// configures ACL options, throwing on configuration errors
    virtual void parseFlags();

    /// parses node representation in squid.conf; dies on failures
    virtual void parse() = 0;
    /// \returns the ACL type name (see Acl::TypeName)
    virtual char const *typeString() const = 0;
    /// whether this ACL type performs proxy authentication; default implemented out of line
    virtual bool isProxyAuth() const;
    /// \returns a textual (SBufList) representation of this ACL's configuration
    virtual SBufList dump() const = 0;
    /// presumably whether this ACL has no configured data to match against — confirm per child
    virtual bool empty() const = 0;
    /// presumably whether this ACL's configuration is usable; default implemented out of line
    virtual bool valid() const;

    /// matches checklist, presumably consulting/updating the given per-ACL result cache
    /// (see acl_proxy_auth_match_cache below) — confirm in the .cc
    int cacheMatchAcl(dlink_list * cache, ACLChecklist *);
    /// the match result that cacheMatchAcl() stores; default implemented out of line
    virtual int matchForCache(ACLChecklist *checklist);

    /// a hook for post-configuration preparation; does nothing by default
    virtual void prepareForUse() {}

    SBufList dumpOptions(); ///< \returns approximate options configuration

    char name[ACL_NAME_SZ]; ///< user-specified ACL name; fixed-size, see context()
    char *cfgline;          ///< squid.conf context, see context(); ownership not visible here — confirm
    ACL *next; // XXX: remove or at least use refcounting
    bool registered; ///< added to the global list of ACLs via aclRegister()

private:
    /// Matches the actual data in checklist against this ACL.
    /// Called by matches() after its precondition checks; not cached here.
    virtual int match(ACLChecklist *checklist) = 0; // XXX: missing const

    /// whether our (i.e. shallow) match() requires checklist to have a AccessLogEntry
    virtual bool requiresAle() const;
    /// whether our (i.e. shallow) match() requires checklist to have a request
    virtual bool requiresRequest() const;
    /// whether our (i.e. shallow) match() requires checklist to have a reply
    virtual bool requiresReply() const;
};
99 | ||
/// \ingroup ACLAPI
/// The outcome of an ACL check. Note that Acl::Answer treats only
/// ACCESS_ALLOWED as allowed() and only ACCESS_DENIED as denied(); the
/// remaining codes are reported as conflicted() (see Acl::Answer below).
typedef enum {
    // Authorization ACL result states
    ACCESS_DENIED,
    ACCESS_ALLOWED,
    ACCESS_DUNNO, // neither allowed nor denied; the default Acl::Answer::code

    // Authentication ACL result states
    ACCESS_AUTH_REQUIRED, // Missing Credentials
} aclMatchCode;
110 | ||
/// \ingroup ACLAPI
/// ACL check answer
namespace Acl {

/// The result of an access check: an ACCESS_* code, the matched custom
/// verb (kind), and whether the answer was implied rather than produced by
/// an explicitly matching rule. Prefer allowed()/denied() over comparing
/// codes directly: the class converts implicitly both from and to
/// aclMatchCode, which makes raw comparisons easy to get wrong.
class Answer
{
public:
    // not explicit: allow "aclMatchCode to Acl::Answer" conversions (for now)
    Answer(const aclMatchCode aCode, int aKind = 0): code(aCode), kind(aKind) {}

    Answer() = default;

    /// whether our code equals aCode (kind and implicit are ignored)
    bool operator ==(const aclMatchCode aCode) const {
        return aCode == code;
    }

    /// the negation of operator ==(aclMatchCode)
    bool operator !=(const aclMatchCode aCode) const {
        return aCode != code;
    }

    /// whether both code and kind agree (implicit is ignored)
    bool operator ==(const Answer allow) const {
        const bool sameCode = (allow.code == code);
        const bool sameKind = (allow.kind == kind);
        return sameCode && sameKind;
    }

    /// implicit conversion to the bare ACCESS_* code
    operator aclMatchCode() const {
        return code;
    }

    /// Whether an "allow" rule matched. If in doubt, use this popular method.
    /// Also use this method to treat exceptional ACCESS_DUNNO and
    /// ACCESS_AUTH_REQUIRED outcomes as if a "deny" rule matched.
    /// See also: denied().
    bool allowed() const { return ACCESS_ALLOWED == code; }

    /// Whether a "deny" rule matched. Avoid this rarely used method.
    /// Use this method (only) to treat exceptional ACCESS_DUNNO and
    /// ACCESS_AUTH_REQUIRED outcomes as if an "allow" rule matched.
    /// See also: allowed().
    bool denied() const { return ACCESS_DENIED == code; }

    /// whether Squid is uncertain about the allowed() or denied() answer,
    /// i.e. the code is anything other than ACCESS_ALLOWED or ACCESS_DENIED
    bool conflicted() const {
        return code != ACCESS_ALLOWED && code != ACCESS_DENIED;
    }

    aclMatchCode code = ACCESS_DUNNO; ///< ACCESS_* code

    /// the matched custom access list verb (or zero)
    int kind = 0;

    /// whether we were computed by the "negate the last explicit action" rule
    bool implicit = false;
};

} // namespace Acl
164 | ||
/// prints the ACCESS_* code of an answer; kind and implicit are not shown
inline std::ostream &
operator <<(std::ostream &o, const Acl::Answer a)
{
    const char *label = nullptr;
    switch (static_cast<aclMatchCode>(a)) {
    case ACCESS_DENIED:
        label = "DENIED";
        break;
    case ACCESS_ALLOWED:
        label = "ALLOWED";
        break;
    case ACCESS_DUNNO:
        label = "DUNNO";
        break;
    case ACCESS_AUTH_REQUIRED:
        label = "AUTH_REQUIRED";
        break;
    }
    // a code outside the enumerators prints nothing, as before
    if (label)
        o << label;
    return o;
}
184 | ||
/// \ingroup ACLAPI
/// One cached proxy-authentication match result; presumably kept in the
/// dlink_list that ACL::cacheMatchAcl() receives — confirm against callers.
class acl_proxy_auth_match_cache
{
    MEMPROXY_CLASS(acl_proxy_auth_match_cache);

public:
    acl_proxy_auth_match_cache(int matchRv, void * aclData) :
        matchrv{matchRv},
        acl_data{aclData}
    {}

    dlink_node link; ///< list membership; not initialized by this class — TODO confirm dlink_node self-initializes
    int matchrv;     ///< the cached match result
    void *acl_data;  ///< opaque, non-owning identity of the ACL the result belongs to — confirm lifetime against callers
};
200 | ||
/// \ingroup ACLAPI
/// XXX: find a way to remove or at least use a refcounted ACL pointer
/// NOTE(review): a process-global, non-owning pointer (initially NULL per the
/// trailing comment). It presumably points at the name of a live ACL, which
/// is why the XXX above asks for refcounting; when it is set and reset is
/// not visible here — confirm before relying on it after an ACL is freed.
extern const char *AclMatchedName; /* NULL */
c15d448c | 204 | |
b67e2c8c | 205 | #endif /* SQUID_ACL_H */ |
f53969cc | 206 |