]> git.ipfire.org Git - thirdparty/squid.git/blame - src/external_acl.cc
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Allow MemPool late nitialization
[thirdparty/squid.git] / src / external_acl.cc
CommitLineData
d9572179 1
2/*
262a0e14 3 * $Id$
d9572179 4 *
5 * DEBUG: section 82 External ACL
6 * AUTHOR: Henrik Nordstrom, MARA Systems AB
7 *
8 * SQUID Web Proxy Cache http://www.squid-cache.org/
9 * ----------------------------------------------------------
10 *
11 * The contents of this file is Copyright (C) 2002 by MARA Systems AB,
12 * Sweden, unless otherwise is indicated in the specific function. The
13 * author gives his full permission to include this file into the Squid
14 * software product under the terms of the GNU General Public License as
15 * published by the Free Software Foundation; either version 2 of the
16 * License, or (at your option) any later version.
17 *
18 * Squid is the result of efforts by numerous individuals from
19 * the Internet community; see the CONTRIBUTORS file for full
20 * details. Many organizations have provided support for Squid's
21 * development; see the SPONSORS file for full details. Squid is
22 * Copyrighted (C) 2001 by the Regents of the University of
23 * California; see the COPYRIGHT file for full details. Squid
24 * incorporates software developed and/or copyrighted by other
25 * sources; see the CREDITS file for full details.
26 *
27 * This program is free software; you can redistribute it and/or modify
28 * it under the terms of the GNU General Public License as published by
29 * the Free Software Foundation; either version 2 of the License, or
30 * (at your option) any later version.
26ac0430 31 *
d9572179 32 * This program is distributed in the hope that it will be useful,
33 * but WITHOUT ANY WARRANTY; without even the implied warranty of
34 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
35 * GNU General Public License for more details.
26ac0430 36 *
d9572179 37 * You should have received a copy of the GNU General Public License
38 * along with this program; if not, write to the Free Software
39 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
40 *
41 */
42
43#include "squid.h"
8822ebee 44#include "mgr/Registration.h"
225b7b10 45#include "ExternalACL.h"
1e5562e3 46#include "ExternalACLEntry.h"
2f1431ea
AJ		 47#if USE_AUTH
48#include "auth/Acl.h"
49#include "auth/Gadgets.h"
2d2b0bb7 50#include "auth/UserRequest.h"
2f1431ea 51#endif
985c86bc 52#include "SquidTime.h"
e6ccf245 53#include "Store.h"
ecb04c8c 54#include "fde.h"
c0941a6a
AR		 55#include "acl/FilledChecklist.h"
56#include "acl/Acl.h"
3841dd46 57#if USE_IDENT
4daaf3cb 58#include "ident/AclIdent.h"
3841dd46 59#endif
055421ee 60#include "ip/tools.h"
a46d2c0e 61#include "client_side.h"
5c336a3b 62#include "comm/Connection.h"
a2ac85d9 63#include "HttpRequest.h"
7b0ca1e8 64#include "HttpReply.h"
aa839030 65#include "helper.h"
0eb49b6d 66#include "MemBuf.h"
1fa9b1a7 67#include "rfc1738.h"
985c86bc 68#include "URLScheme.h"
d295d770 69#include "wordlist.h"
4db984be
CT		 70#if USE_SSL
71#include "ssl/support.h"
72#endif
d9572179 73
74#ifndef DEFAULT_EXTERNAL_ACL_TTL
75#define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60
76#endif
d4f2f353 77#ifndef DEFAULT_EXTERNAL_ACL_CHILDREN
78#define DEFAULT_EXTERNAL_ACL_CHILDREN 5
d9572179 79#endif
80
81typedef struct _external_acl_format external_acl_format;
62e76326 82
c0941a6a 83static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data);
d9572179 84static void external_acl_cache_delete(external_acl * def, external_acl_entry * entry);
85static int external_acl_entry_expired(external_acl * def, external_acl_entry * entry);
47b0c1fa 86static int external_acl_grace_expired(external_acl * def, external_acl_entry * entry);
d9572179 87static void external_acl_cache_touch(external_acl * def, external_acl_entry * entry);
1e5562e3 88static external_acl_entry *external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data);
d9572179 89
90/******************************************************************
91 * external_acl directive
92 */
62e76326 93
1e5562e3 94class external_acl
62e76326 95{
1e5562e3 96
97public:
d9572179 98 external_acl *next;
1e5562e3 99
6ca34f6f 100 void add(ExternalACLEntry *);
1e5562e3 101
102 void trimCache();
103
d9572179 104 int ttl;
1e5562e3 105
d9572179 106 int negative_ttl;
1e5562e3 107
47b0c1fa 108 int grace;
109
d9572179 110 char *name;
1e5562e3 111
d9572179 112 external_acl_format *format;
1e5562e3 113
d9572179 114 wordlist *cmdline;
1e5562e3 115
48d54e4d 116 HelperChildConfig children;
07eca7e0 117
e6ccf245 118 helper *theHelper;
1e5562e3 119
d9572179 120 hash_table *cache;
1e5562e3 121
d9572179 122 dlink_list lru_list;
1e5562e3 123
d9572179 124 int cache_size;
1e5562e3 125
d9572179 126 int cache_entries;
1e5562e3 127
d9572179 128 dlink_list queue;
1e5562e3 129
2f1431ea 130#if USE_AUTH
3265364b
AJ		 131 /**
132 * Configuration flag. May only be altered by the configuration parser.
133 *
134 * Indicates that all uses of this external_acl_type helper require authentication
135 * details to be processed. If none are available its a fail match.
136 */
e870b1f8 137 bool require_auth;
2f1431ea 138#endif
dc1af3cf 139
26ac0430 140 enum {
dc1af3cf 141 QUOTE_METHOD_SHELL = 1,
142 QUOTE_METHOD_URL
2fadd50d 143 } quote;
cc192b50 144
b7ac5457 145 Ip::Address local_addr;
d9572179 146};
147
26ac0430 148struct _external_acl_format {
4ecc6631 149 enum format_type {
62e76326 150 EXT_ACL_UNKNOWN,
2f1431ea 151#if USE_AUTH
62e76326 152 EXT_ACL_LOGIN,
2f1431ea 153#endif
7a16973f 154#if USE_IDENT
62e76326 155 EXT_ACL_IDENT,
7a16973f 156#endif
62e76326 157 EXT_ACL_SRC,
47b0c1fa 158 EXT_ACL_SRCPORT,
a98c2da5
AJ		 159#if USE_SQUID_EUI
160 EXT_ACL_SRCEUI48,
161 EXT_ACL_SRCEUI64,
162#endif
47b0c1fa 163 EXT_ACL_MYADDR,
164 EXT_ACL_MYPORT,
3cf6e9c5 165 EXT_ACL_URI,
62e76326 166 EXT_ACL_DST,
167 EXT_ACL_PROTO,
168 EXT_ACL_PORT,
169 EXT_ACL_PATH,
170 EXT_ACL_METHOD,
7b0ca1e8
AJ		 171
172 EXT_ACL_HEADER_REQUEST,
173 EXT_ACL_HEADER_REQUEST_MEMBER,
174 EXT_ACL_HEADER_REQUEST_ID,
175 EXT_ACL_HEADER_REQUEST_ID_MEMBER,
176
177 EXT_ACL_HEADER_REPLY,
178 EXT_ACL_HEADER_REPLY_MEMBER,
179 EXT_ACL_HEADER_REPLY_ID,
180 EXT_ACL_HEADER_REPLY_ID_MEMBER,
181
a7ad6e4e 182#if USE_SSL
62e76326 183 EXT_ACL_USER_CERT,
184 EXT_ACL_CA_CERT,
4ac9968f 185 EXT_ACL_USER_CERT_RAW,
3d61c476 186 EXT_ACL_USER_CERTCHAIN_RAW,
a7ad6e4e 187#endif
2f1431ea 188#if USE_AUTH
abb929f0 189 EXT_ACL_EXT_USER,
2f1431ea 190#endif
99e4ad67
JB		 191 EXT_ACL_EXT_LOG,
192 EXT_ACL_TAG,
62e76326 193 EXT_ACL_END
d9572179 194 } type;
195 external_acl_format *next;
196 char *header;
197 char *member;
198 char separator;
199 http_hdr_type header_id;
200};
201
202/* FIXME: These are not really cbdata, but it is an easy way
203 * to get them pooled, refcounted, accounted and freed properly...
204 */
205CBDATA_TYPE(external_acl);
206CBDATA_TYPE(external_acl_format);
207
208static void
209free_external_acl_format(void *data)
210{
e6ccf245 211 external_acl_format *p = static_cast<external_acl_format *>(data);
d9572179 212 safe_free(p->header);
213}
214
215static void
216free_external_acl(void *data)
217{
e6ccf245 218 external_acl *p = static_cast<external_acl *>(data);
d9572179 219 safe_free(p->name);
62e76326 220
d9572179 221 while (p->format) {
62e76326 222 external_acl_format *f = p->format;
223 p->format = f->next;
224 cbdataFree(f);
d9572179 225 }
62e76326 226
d9572179 227 wordlistDestroy(&p->cmdline);
62e76326 228
e6ccf245 229 if (p->theHelper) {
62e76326 230 helperShutdown(p->theHelper);
48d54e4d 231 delete p->theHelper;
62e76326 232 p->theHelper = NULL;
d9572179 233 }
62e76326 234
d9572179 235 while (p->lru_list.tail)
62e76326 236 external_acl_cache_delete(p, static_cast<external_acl_entry *>(p->lru_list.tail->data));
d9572179 237 if (p->cache)
62e76326 238 hashFreeMemory(p->cache);
d9572179 239}
240
7b0ca1e8
AJ		 241/**
242 * Parse the External ACL format %<{.*} and %>{.*} token(s) to pass a specific
243 * request or reply header to external helper.
244 *
245 \param header - the token being parsed (without the identifying prefix)
246 \param type - format enum identifier for this element, pulled from identifying prefix
247 \param format - structure to contain all the info about this format element.
248 */
249void
4ecc6631 250parse_header_token(external_acl_format *format, char *header, const _external_acl_format::format_type type)
7b0ca1e8
AJ		 251{
252 /* header format */
253 char *member, *end;
254
255 /** Cut away the closing brace */
256 end = strchr(header, '}');
257 if (end && strlen(end) == 1)
258 *end = '\0';
259 else
260 self_destruct();
261
262 member = strchr(header, ':');
263
264 if (member) {
265 /* Split in header and member */
266 *member++ = '\0';
267
268 if (!xisalnum(*member))
269 format->separator = *member++;
270 else
271 format->separator = ',';
272
273 format->member = xstrdup(member);
274
26ac0430 275 if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST)
7b0ca1e8
AJ		 276 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER;
277 else
278 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER;
279 } else {
280 format->type = type;
281 }
282
283 format->header = xstrdup(header);
284 format->header_id = httpHeaderIdByNameDef(header, strlen(header));
285
286 if (format->header_id != -1) {
287 if (member) {
26ac0430 288 if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST)
7b0ca1e8
AJ		 289 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER;
290 else
291 format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER;
292 } else {
26ac0430 293 if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST)
7b0ca1e8
AJ		 294 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID;
295 else
296 format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID;
297 }
298 }
299}
300
d9572179 301void
302parse_externalAclHelper(external_acl ** list)
303{
304 external_acl *a;
305 char *token;
306 external_acl_format **p;
307
308 CBDATA_INIT_TYPE_FREECB(external_acl, free_external_acl);
309 CBDATA_INIT_TYPE_FREECB(external_acl_format, free_external_acl_format);
310
311 a = cbdataAlloc(external_acl);
312
cc192b50 313 /* set defaults */
d9572179 314 a->ttl = DEFAULT_EXTERNAL_ACL_TTL;
315 a->negative_ttl = -1;
84f795a5 316 a->cache_size = 256*1024;
48d54e4d
AJ		 317 a->children.n_max = DEFAULT_EXTERNAL_ACL_CHILDREN;
318 a->children.n_startup = a->children.n_max;
404cfda1 319 a->children.n_idle = 1;
cc192b50 320 a->local_addr.SetLocalhost();
321 a->quote = external_acl::QUOTE_METHOD_URL;
322
d9572179 323 token = strtok(NULL, w_space);
62e76326 324
d9572179 325 if (!token)
62e76326 326 self_destruct();
327
d9572179 328 a->name = xstrdup(token);
329
330 token = strtok(NULL, w_space);
62e76326 331
d9572179 332 /* Parse options */
333 while (token) {
62e76326 334 if (strncmp(token, "ttl=", 4) == 0) {
335 a->ttl = atoi(token + 4);
336 } else if (strncmp(token, "negative_ttl=", 13) == 0) {
337 a->negative_ttl = atoi(token + 13);
07eca7e0 338 } else if (strncmp(token, "children=", 9) == 0) {
48d54e4d
AJ		 339 a->children.n_max = atoi(token + 9);
340 debugs(0, 0, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N");
341 } else if (strncmp(token, "children-max=", 13) == 0) {
342 a->children.n_max = atoi(token + 13);
343 } else if (strncmp(token, "children-startup=", 17) == 0) {
344 a->children.n_startup = atoi(token + 17);
345 } else if (strncmp(token, "children-idle=", 14) == 0) {
346 a->children.n_idle = atoi(token + 14);
07eca7e0 347 } else if (strncmp(token, "concurrency=", 12) == 0) {
48d54e4d 348 a->children.concurrency = atoi(token + 12);
62e76326 349 } else if (strncmp(token, "cache=", 6) == 0) {
350 a->cache_size = atoi(token + 6);
47b0c1fa 351 } else if (strncmp(token, "grace=", 6) == 0) {
352 a->grace = atoi(token + 6);
dc1af3cf 353 } else if (strcmp(token, "protocol=2.5") == 0) {
354 a->quote = external_acl::QUOTE_METHOD_SHELL;
355 } else if (strcmp(token, "protocol=3.0") == 0) {
356 a->quote = external_acl::QUOTE_METHOD_URL;
357 } else if (strcmp(token, "quote=url") == 0) {
358 a->quote = external_acl::QUOTE_METHOD_URL;
359 } else if (strcmp(token, "quote=shell") == 0) {
360 a->quote = external_acl::QUOTE_METHOD_SHELL;
cc192b50 361
26ac0430
AJ		 362 /* INET6: allow admin to configure some helpers explicitly to
363 bind to IPv4/v6 localhost port. */
cc192b50 364 } else if (strcmp(token, "ipv4") == 0) {
26ac0430 365 if ( !a->local_addr.SetIPv4() ) {
cc192b50 366 debugs(3, 0, "WARNING: Error converting " << a->local_addr << " to IPv4 in " << a->name );
367 }
368 } else if (strcmp(token, "ipv6") == 0) {
055421ee
AJ		 369 if (!Ip::EnableIpv6)
370 debugs(3, 0, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a->name );
371 // else nothing to do.
62e76326 372 } else {
373 break;
374 }
375
376 token = strtok(NULL, w_space);
d9572179 377 }
62e76326 378
6f78f0ed 379 /* check that child startup value is sane. */
a3cecd6c
AJ		 380 if (a->children.n_startup > a->children.n_max)
381 a->children.n_startup = a->children.n_max;
48d54e4d 382
6f78f0ed 383 /* check that child idle value is sane. */
a3cecd6c
AJ		 384 if (a->children.n_idle > a->children.n_max)
385 a->children.n_idle = a->children.n_max;
386 if (a->children.n_idle < 1)
387 a->children.n_idle = 1;
48d54e4d 388
d9572179 389 if (a->negative_ttl == -1)
62e76326 390 a->negative_ttl = a->ttl;
d9572179 391
392 /* Parse format */
393 p = &a->format;
62e76326 394
d9572179 395 while (token) {
62e76326 396 external_acl_format *format;
397
398 /* stop on first non-format token found */
399
400 if (*token != '%')
401 break;
402
403 format = cbdataAlloc(external_acl_format);
404
405 if (strncmp(token, "%{", 2) == 0) {
7b0ca1e8
AJ		 406 // deprecated. but assume the old configs all referred to request headers.
407 debugs(82, DBG_IMPORTANT, "WARNING: external_acl_type format %{...} is being replaced by %>{...} for : " << token);
4ecc6631 408 parse_header_token(format, (token+2), _external_acl_format::EXT_ACL_HEADER_REQUEST);
c68c9682 409 } else if (strncmp(token, "%>{", 3) == 0) {
4ecc6631 410 parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REQUEST);
c68c9682 411 } else if (strncmp(token, "%<{", 3) == 0) {
4ecc6631 412 parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REPLY);
2f1431ea 413#if USE_AUTH
62e76326 414 } else if (strcmp(token, "%LOGIN") == 0) {
415 format->type = _external_acl_format::EXT_ACL_LOGIN;
e870b1f8 416 a->require_auth = true;
2f1431ea 417#endif
62e76326 418 }
419
7a16973f 420#if USE_IDENT
62e76326 421 else if (strcmp(token, "%IDENT") == 0)
422 format->type = _external_acl_format::EXT_ACL_IDENT;
423
7a16973f 424#endif
62e76326 425
426 else if (strcmp(token, "%SRC") == 0)
427 format->type = _external_acl_format::EXT_ACL_SRC;
47b0c1fa 428 else if (strcmp(token, "%SRCPORT") == 0)
429 format->type = _external_acl_format::EXT_ACL_SRCPORT;
a98c2da5
AJ		 430#if USE_SQUID_EUI
431 else if (strcmp(token, "%SRCEUI48") == 0)
432 format->type = _external_acl_format::EXT_ACL_SRCEUI48;
433 else if (strcmp(token, "%SRCEUI64") == 0)
434 format->type = _external_acl_format::EXT_ACL_SRCEUI64;
435#endif
47b0c1fa 436 else if (strcmp(token, "%MYADDR") == 0)
437 format->type = _external_acl_format::EXT_ACL_MYADDR;
438 else if (strcmp(token, "%MYPORT") == 0)
439 format->type = _external_acl_format::EXT_ACL_MYPORT;
3cf6e9c5 440 else if (strcmp(token, "%URI") == 0)
441 format->type = _external_acl_format::EXT_ACL_URI;
62e76326 442 else if (strcmp(token, "%DST") == 0)
443 format->type = _external_acl_format::EXT_ACL_DST;
444 else if (strcmp(token, "%PROTO") == 0)
445 format->type = _external_acl_format::EXT_ACL_PROTO;
446 else if (strcmp(token, "%PORT") == 0)
447 format->type = _external_acl_format::EXT_ACL_PORT;
448 else if (strcmp(token, "%PATH") == 0)
449 format->type = _external_acl_format::EXT_ACL_PATH;
450 else if (strcmp(token, "%METHOD") == 0)
451 format->type = _external_acl_format::EXT_ACL_METHOD;
452
a7ad6e4e 453#if USE_SSL
4ac9968f 454 else if (strcmp(token, "%USER_CERT") == 0)
3de409f0 455 format->type = _external_acl_format::EXT_ACL_USER_CERT_RAW;
3d61c476 456 else if (strcmp(token, "%USER_CERTCHAIN") == 0)
3de409f0 457 format->type = _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW;
c68c9682 458 else if (strncmp(token, "%USER_CERT_", 11) == 0) {
62e76326 459 format->type = _external_acl_format::EXT_ACL_USER_CERT;
460 format->header = xstrdup(token + 11);
c68c9682 461 } else if (strncmp(token, "%CA_CERT_", 11) == 0) {
62e76326 462 format->type = _external_acl_format::EXT_ACL_USER_CERT;
463 format->header = xstrdup(token + 11);
464 }
a7ad6e4e 465#endif
2f1431ea 466#if USE_AUTH
abb929f0 467 else if (strcmp(token, "%EXT_USER") == 0)
468 format->type = _external_acl_format::EXT_ACL_EXT_USER;
2f1431ea 469#endif
99e4ad67
JB		 470 else if (strcmp(token, "%EXT_LOG") == 0)
471 format->type = _external_acl_format::EXT_ACL_EXT_LOG;
472 else if (strcmp(token, "%TAG") == 0)
473 format->type = _external_acl_format::EXT_ACL_TAG;
62e76326 474 else {
a98c2da5 475 debugs(0,0, "ERROR: Unknown Format token " << token);
62e76326 476 self_destruct();
477 }
478
479 *p = format;
480 p = &format->next;
481 token = strtok(NULL, w_space);
d9572179 482 }
483
484 /* There must be at least one format token */
485 if (!a->format)
62e76326 486 self_destruct();
d9572179 487
488 /* helper */
489 if (!token)
62e76326 490 self_destruct();
491
d9572179 492 wordlistAdd(&a->cmdline, token);
493
494 /* arguments */
a336d130 495 parse_wordlist(&a->cmdline);
d9572179 496
497 while (*list)
62e76326 498 list = &(*list)->next;
499
d9572179 500 *list = a;
501}
502
503void
504dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl * list)
505{
506 const external_acl *node;
507 const external_acl_format *format;
508 const wordlist *word;
62e76326 509
d9572179 510 for (node = list; node; node = node->next) {
62e76326 511 storeAppendPrintf(sentry, "%s %s", name, node->name);
512
cc192b50 513 if (!node->local_addr.IsIPv6())
514 storeAppendPrintf(sentry, " ipv4");
515 else
516 storeAppendPrintf(sentry, " ipv6");
517
62e76326 518 if (node->ttl != DEFAULT_EXTERNAL_ACL_TTL)
519 storeAppendPrintf(sentry, " ttl=%d", node->ttl);
520
521 if (node->negative_ttl != node->ttl)
522 storeAppendPrintf(sentry, " negative_ttl=%d", node->negative_ttl);
523
47b0c1fa 524 if (node->grace)
525 storeAppendPrintf(sentry, " grace=%d", node->grace);
526
48d54e4d
AJ		 527 if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN)
528 storeAppendPrintf(sentry, " children-max=%d", node->children.n_max);
62e76326 529
48d54e4d
AJ		 530 if (node->children.n_startup != 1)
531 storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup);
62e76326 532
48d54e4d
AJ		 533 if (node->children.n_idle != (node->children.n_max + node->children.n_startup) )
534 storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle);
535
536 if (node->children.concurrency)
537 storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency);
07eca7e0 538
47b0c1fa 539 if (node->cache)
540 storeAppendPrintf(sentry, " cache=%d", node->cache_size);
541
62e76326 542 for (format = node->format; format; format = format->next) {
543 switch (format->type) {
544
4ecc6631 545 case _external_acl_format::EXT_ACL_HEADER_REQUEST:
4ecc6631 546 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID:
2170db3e 547 storeAppendPrintf(sentry, " %%>{%s}", format->header);
62e76326 548 break;
549
4ecc6631 550 case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER:
4ecc6631 551 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER:
2170db3e
AJ		 552 storeAppendPrintf(sentry, " %%>{%s:%s}", format->header, format->member);
553 break;
554
555 case _external_acl_format::EXT_ACL_HEADER_REPLY:
556 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID:
557 storeAppendPrintf(sentry, " %%<{%s}", format->header);
558 break;
559
560 case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER:
561 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER:
562 storeAppendPrintf(sentry, " %%<{%s:%s}", format->header, format->member);
62e76326 563 break;
d9572179 564#define DUMP_EXT_ACL_TYPE(a) \
dc1af3cf 565 case _external_acl_format::EXT_ACL_##a: \
566 storeAppendPrintf(sentry, " %%%s", #a); \
567 break
2f1431ea 568#if USE_AUTH
62e76326 569 DUMP_EXT_ACL_TYPE(LOGIN);
2f1431ea 570#endif
8f45b34c 571#if USE_IDENT
62e76326 572
573 DUMP_EXT_ACL_TYPE(IDENT);
8f45b34c 574#endif
62e76326 575
576 DUMP_EXT_ACL_TYPE(SRC);
47b0c1fa 577 DUMP_EXT_ACL_TYPE(SRCPORT);
a98c2da5
AJ		 578#if USE_SQUID_EUI
579 DUMP_EXT_ACL_TYPE(SRCEUI48);
580 DUMP_EXT_ACL_TYPE(SRCEUI64);
581#endif
582
47b0c1fa 583 DUMP_EXT_ACL_TYPE(MYADDR);
584 DUMP_EXT_ACL_TYPE(MYPORT);
3cf6e9c5 585 DUMP_EXT_ACL_TYPE(URI);
62e76326 586 DUMP_EXT_ACL_TYPE(DST);
587 DUMP_EXT_ACL_TYPE(PROTO);
588 DUMP_EXT_ACL_TYPE(PORT);
589 DUMP_EXT_ACL_TYPE(PATH);
590 DUMP_EXT_ACL_TYPE(METHOD);
1f183752 591#if USE_SSL
62e76326 592
4ac9968f 593 case _external_acl_format::EXT_ACL_USER_CERT_RAW:
594 storeAppendPrintf(sentry, " %%USER_CERT");
595 break;
596
3d61c476 597 case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW:
598 storeAppendPrintf(sentry, " %%USER_CERTCHAIN");
599 break;
600
62e76326 601 case _external_acl_format::EXT_ACL_USER_CERT:
602 storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header);
603 break;
604
605 case _external_acl_format::EXT_ACL_CA_CERT:
606 storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header);
607 break;
1f183752 608#endif
2f1431ea 609#if USE_AUTH
abb929f0 610 DUMP_EXT_ACL_TYPE(EXT_USER);
2f1431ea 611#endif
99e4ad67
JB		 612 DUMP_EXT_ACL_TYPE(EXT_LOG);
613 DUMP_EXT_ACL_TYPE(TAG);
4ecc6631 614 default:
62e76326 615 fatal("unknown external_acl format error");
616 break;
617 }
618 }
619
620 for (word = node->cmdline; word; word = word->next)
621 storeAppendPrintf(sentry, " %s", word->key);
622
623 storeAppendPrintf(sentry, "\n");
d9572179 624 }
625}
626
627void
628free_externalAclHelper(external_acl ** list)
629{
630 while (*list) {
62e76326 631 external_acl *node = *list;
632 *list = node->next;
633 node->next = NULL;
634 cbdataFree(node);
d9572179 635 }
636}
637
638static external_acl *
639find_externalAclHelper(const char *name)
640{
641 external_acl *node;
642
643 for (node = Config.externalAclHelperList; node; node = node->next) {
62e76326 644 if (strcmp(node->name, name) == 0)
645 return node;
d9572179 646 }
62e76326 647
d9572179 648 return NULL;
649}
650
1e5562e3 651void
6ca34f6f 652external_acl::add(ExternalACLEntry *anEntry)
1e5562e3 653{
654 trimCache();
655 assert (anEntry->def == NULL);
656 anEntry->def = this;
657 hash_join(cache, anEntry);
658 dlinkAdd(anEntry, &anEntry->lru, &lru_list);
659 cache_entries++;
660}
661
662void
663external_acl::trimCache()
664{
665 if (cache_size && cache_entries >= cache_size)
666 external_acl_cache_delete(this, static_cast<external_acl_entry *>(lru_list.tail->data));
667}
668
d9572179 669
670/******************************************************************
671 * external acl type
672 */
673
26ac0430 674struct _external_acl_data {
d9572179 675 external_acl *def;
676 wordlist *arguments;
677};
678
679CBDATA_TYPE(external_acl_data);
680static void
681free_external_acl_data(void *data)
682{
e6ccf245 683 external_acl_data *p = static_cast<external_acl_data *>(data);
d9572179 684 wordlistDestroy(&p->arguments);
685 cbdataReferenceDone(p->def);
686}
687
688void
b0dd28ba 689ACLExternal::parse()
d9572179 690{
d9572179 691 char *token;
62e76326 692
b0dd28ba 693 if (data)
62e76326 694 self_destruct();
695
d9572179 696 CBDATA_INIT_TYPE_FREECB(external_acl_data, free_external_acl_data);
62e76326 697
d9572179 698 data = cbdataAlloc(external_acl_data);
62e76326 699
d9572179 700 token = strtok(NULL, w_space);
62e76326 701
d9572179 702 if (!token)
62e76326 703 self_destruct();
704
d9572179 705 data->def = cbdataReference(find_externalAclHelper(token));
62e76326 706
d9572179 707 if (!data->def)
62e76326 708 self_destruct();
709
4d091667 710 while ((token = strtokFile())) {
62e76326 711 wordlistAdd(&data->arguments, token);
d9572179 712 }
d9572179 713}
714
4b0f5de8 715bool
716ACLExternal::valid () const
717{
2f1431ea 718#if USE_AUTH
4b0f5de8 719 if (data->def->require_auth) {
720 if (authenticateSchemeCount() == 0) {
bf8fe701 721 debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
4b0f5de8 722 return false;
723 }
724
725 if (authenticateActiveSchemeCount() == 0) {
bf8fe701 726 debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
4b0f5de8 727 return false;
728 }
729 }
2f1431ea 730#endif
4b0f5de8 731
732 return true;
733}
734
735bool
736ACLExternal::empty () const
737{
738 return false;
739}
740
b0dd28ba 741ACLExternal::~ACLExternal()
d9572179 742{
b0dd28ba 743 cbdataFree(data);
744 safe_free (class_);
d9572179 745}
746
b0dd28ba 747static int
c0941a6a 748aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch)
d9572179 749{
750 int result;
751 external_acl_entry *entry;
d9572179 752 const char *key = "";
c69ce640 753 debugs(82, 9, HERE << "acl=\"" << acl->def->name << "\"");
d9572179 754 entry = ch->extacl_entry;
62e76326 755
d9572179 756 if (entry) {
c69ce640 757 if (cbdataReferenceValid(entry) && entry->def == acl->def) {
62e76326 758 /* Ours, use it.. */
759 } else {
760 /* Not valid, or not ours.. get rid of it */
c69ce640
AJ		 761 debugs(82, 9, HERE << "entry " << entry << " not valid or not ours. Discarded.");
762 if (entry) {
763 debugs(82, 9, HERE << "entry def=" << entry->def << ", our def=" << acl->def);
764 key = makeExternalAclKey(ch, acl);
765 debugs(82, 9, HERE << "entry key='" << (char *)entry->key << "', our key='" << key << "'");
766 }
62e76326 767 cbdataReferenceDone(ch->extacl_entry);
768 entry = NULL;
769 }
d9572179 770 }
62e76326 771
4a972fa2 772 external_acl_message = "MISSING REQUIRED INFORMATION";
773
d9572179 774 if (!entry) {
c69ce640 775 debugs(82, 9, HERE << "No helper entry available");
2f1431ea 776#if USE_AUTH
62e76326 777 if (acl->def->require_auth) {
778 int ti;
779 /* Make sure the user is authenticated */
3265364b 780 debugs(82, 3, "aclMatchExternal: " << acl->def->name << " check user authenticated.");
c0941a6a 781 if ((ti = AuthenticateAcl(ch)) != 1) {
bf8fe701 782 debugs(82, 2, "aclMatchExternal: " << acl->def->name << " user not authenticated (" << ti << ")");
62e76326 783 return ti;
784 }
3265364b 785 debugs(82, 3, "aclMatchExternal: " << acl->def->name << " user is authenticated.");
62e76326 786 }
2f1431ea 787#endif
62e76326 788 key = makeExternalAclKey(ch, acl);
41218131 789
790 if (!key) {
791 /* Not sufficient data to process */
792 return -1;
793 }
794
62e76326 795 entry = static_cast<external_acl_entry *>(hash_lookup(acl->def->cache, key));
796
47b0c1fa 797 if (!entry || external_acl_grace_expired(acl->def, entry)) {
bf8fe701 798 debugs(82, 2, "aclMatchExternal: " << acl->def->name << "(\"" << key << "\") = lookup needed");
799 debugs(82, 2, "aclMatchExternal: \"" << key << "\": entry=@" <<
800 entry << ", age=" << (entry ? (long int) squid_curtime - entry->date : 0));
95a83c22 801
48d54e4d 802 if (acl->def->theHelper->stats.queue_size <= (int)acl->def->theHelper->childs.n_active) {
bf8fe701 803 debugs(82, 2, "aclMatchExternal: \"" << key << "\": queueing a call.");
dc1839a5
AJ		 804 ch->changeState(ExternalACLLookup::Instance());
805 debugs(82, 2, "aclMatchExternal: \"" << key << "\": return -1.");
806 return -1; // to get here we have to have an expired cache entry. MUST not use.
47b0c1fa 807 } else {
808 if (!entry) {
bf8fe701 809 debugs(82, 1, "aclMatchExternal: '" << acl->def->name <<
810 "' queue overload. Request rejected '" << key << "'.");
4a972fa2 811 external_acl_message = "SYSTEM TOO BUSY, TRY AGAIN LATER";
47b0c1fa 812 return -1;
813 } else {
bf8fe701 814 debugs(82, 1, "aclMatchExternal: '" << acl->def->name <<
815 "' queue overload. Using stale result. '" << key << "'.");
47b0c1fa 816 /* Fall thru to processing below */
817 }
818 }
819 }
d9572179 820 }
62e76326 821
d9572179 822 external_acl_cache_touch(acl->def, entry);
823 result = entry->result;
a7a42b14 824 external_acl_message = entry->message.termedBuf();
4a972fa2 825
bf8fe701 826 debugs(82, 2, "aclMatchExternal: " << acl->def->name << " = " << result);
62e76326 827
abb929f0 828 if (ch->request) {
2f1431ea 829#if USE_AUTH
abb929f0 830 if (entry->user.size())
831 ch->request->extacl_user = entry->user;
cbd2dc91 832
abb929f0 833 if (entry->password.size())
834 ch->request->extacl_passwd = entry->password;
2f1431ea 835#endif
abb929f0 836 if (!ch->request->tag.size())
837 ch->request->tag = entry->tag;
4a972fa2 838
839 if (entry->log.size())
840 ch->request->extacl_log = entry->log;
8c93a598
HN		 841
842 if (entry->message.size())
843 ch->request->extacl_message = entry->message;
abb929f0 844 }
1e5562e3 845
d9572179 846 return result;
847}
848
b0dd28ba 849int
850ACLExternal::match(ACLChecklist *checklist)
851{
c0941a6a 852 return aclMatchExternal (data, Filled(checklist));
b0dd28ba 853}
854
d9572179 855wordlist *
b0dd28ba 856ACLExternal::dump() const
d9572179 857{
b0dd28ba 858 external_acl_data const *acl = data;
d9572179 859 wordlist *result = NULL;
860 wordlist *arg;
861 MemBuf mb;
2fe7eff9 862 mb.init();
863 mb.Printf("%s", acl->def->name);
62e76326 864
d9572179 865 for (arg = acl->arguments; arg; arg = arg->next) {
2fe7eff9 866 mb.Printf(" %s", arg->key);
d9572179 867 }
62e76326 868
d9572179 869 wordlistAdd(&result, mb.buf);
2fe7eff9 870 mb.clean();
d9572179 871 return result;
872}
873
874/******************************************************************
875 * external_acl cache
876 */
877
d9572179 878static void
879external_acl_cache_touch(external_acl * def, external_acl_entry * entry)
880{
c69ce640
AJ		 881 // this must not be done when nothing is being cached.
882 if (def->cache_size <= 0 || (def->ttl <= 0 && entry->result == 1) || (def->negative_ttl <= 0 && entry->result != 1))
883 return;
884
d9572179 885 dlinkDelete(&entry->lru, &def->lru_list);
886 dlinkAdd(entry, &entry->lru, &def->lru_list);
887}
888
889static char *
c0941a6a 890makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
d9572179 891{
032785bf 892 static MemBuf mb;
d9572179 893 char buf[256];
894 int first = 1;
895 wordlist *arg;
896 external_acl_format *format;
190154cf 897 HttpRequest *request = ch->request;
7b0ca1e8 898 HttpReply *reply = ch->reply;
2fe7eff9 899 mb.reset();
62e76326 900
d9572179 901 for (format = acl_data->def->format; format; format = format->next) {
62e76326 902 const char *str = NULL;
30abd221 903 String sb;
62e76326 904
905 switch (format->type) {
2f1431ea 906#if USE_AUTH
62e76326 907 case _external_acl_format::EXT_ACL_LOGIN:
a33a428a 908 assert (ch->auth_user_request != NULL);
f5691f9c 909 str = ch->auth_user_request->username();
62e76326 910 break;
2f1431ea 911#endif
7a16973f 912#if USE_IDENT
62e76326 913 case _external_acl_format::EXT_ACL_IDENT:
914 str = ch->rfc931;
915
41218131 916 if (!str || !*str) {
62e76326 917 ch->changeState(IdentLookup::Instance());
918 return NULL;
919 }
920
921 break;
7a16973f 922#endif
62e76326 923
924 case _external_acl_format::EXT_ACL_SRC:
cc192b50 925 str = ch->src_addr.NtoA(buf,sizeof(buf));
62e76326 926 break;
927
47b0c1fa 928 case _external_acl_format::EXT_ACL_SRCPORT:
cc192b50 929 snprintf(buf, sizeof(buf), "%d", request->client_addr.GetPort());
47b0c1fa 930 str = buf;
931 break;
932
a98c2da5
AJ		 933#if USE_SQUID_EUI
934 case _external_acl_format::EXT_ACL_SRCEUI48:
40d34a62
AJ		 935 if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL &&
936 request->clientConnectionManager->clientConnection->remoteEui48.encode(buf, sizeof(buf)))
a98c2da5
AJ		 937 str = buf;
938 break;
939
940 case _external_acl_format::EXT_ACL_SRCEUI64:
40d34a62
AJ		 941 if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL &&
942 request->clientConnectionManager->clientConnection->remoteEui64.encode(buf, sizeof(buf)))
a98c2da5
AJ		 943 str = buf;
944 break;
945#endif
946
47b0c1fa 947 case _external_acl_format::EXT_ACL_MYADDR:
cc192b50 948 str = request->my_addr.NtoA(buf, sizeof(buf));
47b0c1fa 949 break;
950
951 case _external_acl_format::EXT_ACL_MYPORT:
cc192b50 952 snprintf(buf, sizeof(buf), "%d", request->my_addr.GetPort());
47b0c1fa 953 str = buf;
954 break;
955
3cf6e9c5 956 case _external_acl_format::EXT_ACL_URI:
957 str = urlCanonical(request);
958 break;
959
62e76326 960 case _external_acl_format::EXT_ACL_DST:
cc192b50 961 str = request->GetHost();
62e76326 962 break;
963
964 case _external_acl_format::EXT_ACL_PROTO:
0c3d3f65 965 str = AnyP::ProtocolType_str[request->protocol];
62e76326 966 break;
967
968 case _external_acl_format::EXT_ACL_PORT:
969 snprintf(buf, sizeof(buf), "%d", request->port);
970 str = buf;
971 break;
972
973 case _external_acl_format::EXT_ACL_PATH:
a313a9ba 974 str = request->urlpath.termedBuf();
62e76326 975 break;
976
977 case _external_acl_format::EXT_ACL_METHOD:
60745f24 978 str = RequestMethodStr(request->method);
62e76326 979 break;
980
7b0ca1e8 981 case _external_acl_format::EXT_ACL_HEADER_REQUEST:
a9925b40 982 sb = request->header.getByName(format->header);
a313a9ba 983 str = sb.termedBuf();
62e76326 984 break;
985
7b0ca1e8 986 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID:
a9925b40 987 sb = request->header.getStrOrList(format->header_id);
a313a9ba 988 str = sb.termedBuf();
62e76326 989 break;
990
7b0ca1e8 991 case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER:
a9925b40 992 sb = request->header.getByNameListMember(format->header, format->member, format->separator);
a313a9ba 993 str = sb.termedBuf();
62e76326 994 break;
995
7b0ca1e8 996 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER:
a9925b40 997 sb = request->header.getListMember(format->header_id, format->member, format->separator);
a313a9ba 998 str = sb.termedBuf();
62e76326 999 break;
7b0ca1e8
AJ		 1000
1001 case _external_acl_format::EXT_ACL_HEADER_REPLY:
26ac0430 1002 if (reply) {
7b0ca1e8 1003 sb = reply->header.getByName(format->header);
a313a9ba 1004 str = sb.termedBuf();
7b0ca1e8
AJ		 1005 }
1006 break;
1007
1008 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID:
26ac0430 1009 if (reply) {
7b0ca1e8 1010 sb = reply->header.getStrOrList(format->header_id);
a313a9ba 1011 str = sb.termedBuf();
7b0ca1e8
AJ		 1012 }
1013 break;
1014
1015 case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER:
26ac0430 1016 if (reply) {
7b0ca1e8 1017 sb = reply->header.getByNameListMember(format->header, format->member, format->separator);
a313a9ba 1018 str = sb.termedBuf();
7b0ca1e8
AJ		 1019 }
1020 break;
1021
1022 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER:
26ac0430 1023 if (reply) {
7b0ca1e8 1024 sb = reply->header.getListMember(format->header_id, format->member, format->separator);
a313a9ba 1025 str = sb.termedBuf();
7b0ca1e8
AJ		 1026 }
1027 break;
a7ad6e4e 1028#if USE_SSL
62e76326 1029
4ac9968f 1030 case _external_acl_format::EXT_ACL_USER_CERT_RAW:
1031
73c36fd9
AJ		 1032 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1033 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
4ac9968f 1034
1035 if (ssl)
1036 str = sslGetUserCertificatePEM(ssl);
1037 }
1038
1039 break;
1040
3d61c476 1041 case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW:
1042
73c36fd9
AJ		 1043 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1044 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
3d61c476 1045
1046 if (ssl)
1047 str = sslGetUserCertificateChainPEM(ssl);
1048 }
1049
1050 break;
1051
62e76326 1052 case _external_acl_format::EXT_ACL_USER_CERT:
1053
73c36fd9
AJ		 1054 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1055 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
62e76326 1056
1057 if (ssl)
1058 str = sslGetUserAttribute(ssl, format->header);
1059 }
1060
1061 break;
1062
1063 case _external_acl_format::EXT_ACL_CA_CERT:
1064
73c36fd9
AJ		 1065 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1066 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
62e76326 1067
1068 if (ssl)
1069 str = sslGetCAAttribute(ssl, format->header);
1070 }
1071
1072 break;
a7ad6e4e 1073#endif
2f1431ea 1074#if USE_AUTH
abb929f0 1075 case _external_acl_format::EXT_ACL_EXT_USER:
a313a9ba 1076 str = request->extacl_user.termedBuf();
abb929f0 1077 break;
2f1431ea 1078#endif
99e4ad67
JB		 1079 case _external_acl_format::EXT_ACL_EXT_LOG:
1080 str = request->extacl_log.termedBuf();
1081 break;
1082 case _external_acl_format::EXT_ACL_TAG:
1083 str = request->tag.termedBuf();
1084 break;
62e76326 1085 case _external_acl_format::EXT_ACL_UNKNOWN:
1086
1087 case _external_acl_format::EXT_ACL_END:
1088 fatal("unknown external_acl format error");
1089 break;
1090 }
1091
1092 if (str)
1093 if (!*str)
1094 str = NULL;
1095
1096 if (!str)
1097 str = "-";
1098
1099 if (!first)
2fe7eff9 1100 mb.append(" ", 1);
62e76326 1101
dc1af3cf 1102 if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) {
1103 const char *quoted = rfc1738_escape(str);
2fe7eff9 1104 mb.append(quoted, strlen(quoted));
dc1af3cf 1105 } else {
1106 strwordquote(&mb, str);
1107 }
62e76326 1108
30abd221 1109 sb.clean();
62e76326 1110
1111 first = 0;
d9572179 1112 }
62e76326 1113
d9572179 1114 for (arg = acl_data->arguments; arg; arg = arg->next) {
62e76326 1115 if (!first)
2fe7eff9 1116 mb.append(" ", 1);
62e76326 1117
dc1af3cf 1118 if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) {
1119 const char *quoted = rfc1738_escape(arg->key);
2fe7eff9 1120 mb.append(quoted, strlen(quoted));
dc1af3cf 1121 } else {
1122 strwordquote(&mb, arg->key);
1123 }
62e76326 1124
1125 first = 0;
d9572179 1126 }
62e76326 1127
d9572179 1128 return mb.buf;
d9572179 1129}
1130
1131static int
1132external_acl_entry_expired(external_acl * def, external_acl_entry * entry)
1133{
c69ce640
AJ		 1134 if (def->cache_size <= 0)
1135 return 1;
1136
d9572179 1137 if (entry->date + (entry->result == 1 ? def->ttl : def->negative_ttl) < squid_curtime)
62e76326 1138 return 1;
d9572179 1139 else
62e76326 1140 return 0;
d9572179 1141}
62e76326 1142
47b0c1fa 1143static int
1144external_acl_grace_expired(external_acl * def, external_acl_entry * entry)
1145{
c69ce640
AJ		 1146 if (def->cache_size <= 0)
1147 return 1;
1148
47b0c1fa 1149 int ttl;
1150 ttl = entry->result == 1 ? def->ttl : def->negative_ttl;
1151 ttl = (ttl * (100 - def->grace)) / 100;
1152
2e1359a0 1153 if (entry->date + ttl <= squid_curtime)
47b0c1fa 1154 return 1;
1155 else
1156 return 0;
1157}
1158
d9572179 1159static external_acl_entry *
1e5562e3 1160external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data)
d9572179 1161{
c69ce640
AJ		 1162 ExternalACLEntry *entry;
1163
1164 // do not bother caching this result if TTL is going to expire it immediately
1165 if (def->cache_size <= 0 || (def->ttl <= 0 && data.result == 1) || (def->negative_ttl <= 0 && data.result != 1)) {
1166 debugs(82,6, HERE);
1167 entry = new ExternalACLEntry;
1168 entry->key = xstrdup(key);
1169 entry->update(data);
1170 entry->def = def;
1171 return entry;
1172 }
1173
1174 entry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key));
bf8fe701 1175 debugs(82, 2, "external_acl_cache_add: Adding '" << key << "' = " << data.result);
62e76326 1176
d9572179 1177 if (entry) {
bf8fe701 1178 debugs(82, 3, "ExternalACLEntry::update: updating existing entry");
c69ce640 1179 entry->update(data);
62e76326 1180 external_acl_cache_touch(def, entry);
1181
1182 return entry;
d9572179 1183 }
62e76326 1184
1e5562e3 1185 entry = new ExternalACLEntry;
4a8b20e8 1186 entry->key = xstrdup(key);
c69ce640 1187 entry->update(data);
1e5562e3 1188
6ca34f6f 1189 def->add(entry);
1e5562e3 1190
d9572179 1191 return entry;
1192}
1193
1194static void
1195external_acl_cache_delete(external_acl * def, external_acl_entry * entry)
1196{
c69ce640 1197 assert(def->cache_size > 0 && entry->def == def);
4a8b20e8 1198 hash_remove_link(def->cache, entry);
d9572179 1199 dlinkDelete(&entry->lru, &def->lru_list);
1200 def->cache_entries -= 1;
00d77d6b 1201 delete entry;
d9572179 1202}
1203
1204/******************************************************************
1205 * external_acl helpers
1206 */
1207
1208typedef struct _externalAclState externalAclState;
62e76326 1209
26ac0430 1210struct _externalAclState {
d9572179 1211 EAH *callback;
1212 void *callback_data;
1213 char *key;
1214 external_acl *def;
1215 dlink_node list;
1216 externalAclState *queue;
1217};
1218
1219CBDATA_TYPE(externalAclState);
1220static void
1221free_externalAclState(void *data)
1222{
e6ccf245 1223 externalAclState *state = static_cast<externalAclState *>(data);
d9572179 1224 safe_free(state->key);
1225 cbdataReferenceDone(state->callback_data);
1226 cbdataReferenceDone(state->def);
1227}
1228
d9572179 1229/*
1230 * The helper program receives queries on stdin, one
07eca7e0 1231 * per line, and must return the result on on stdout
d9572179 1232 *
1233 * General result syntax:
1234 *
1235 * OK/ERR keyword=value ...
1236 *
1237 * Keywords:
1238 *
4a972fa2 1239 * user= The users name (login)
1240 * message= Message describing the reason
1241 * tag= A string tag to be applied to the request that triggered the acl match.
1242 * applies to both OK and ERR responses.
1243 * Won't override existing request tags.
1244 * log= A string to be used in access logging
d9572179 1245 *
1246 * Other keywords may be added to the protocol later
1247 *
26ac0430
AJ		 1248 * value needs to be enclosed in quotes if it may contain whitespace, or
1249 * the whitespace escaped using \ (\ escaping obviously also applies to
d9572179 1250 * any " characters)
1251 */
1252
1253static void
1254externalAclHandleReply(void *data, char *reply)
1255{
e6ccf245 1256 externalAclState *state = static_cast<externalAclState *>(data);
d9572179 1257 externalAclState *next;
d9572179 1258 char *status;
1259 char *token;
1260 char *value;
c69ce640 1261 char *t = NULL;
1e5562e3 1262 ExternalACLEntryData entryData;
1263 entryData.result = 0;
466090ac 1264 external_acl_entry *entry = NULL;
d9572179 1265
bf8fe701 1266 debugs(82, 2, "externalAclHandleReply: reply=\"" << reply << "\"");
d9572179 1267
4960475f 1268 if (reply) {
62e76326 1269 status = strwordtok(reply, &t);
1270
1271 if (status && strcmp(status, "OK") == 0)
1e5562e3 1272 entryData.result = 1;
62e76326 1273
1274 while ((token = strwordtok(NULL, &t))) {
1275 value = strchr(token, '=');
1276
1277 if (value) {
1278 *value++ = '\0'; /* terminate the token, and move up to the value */
1279
dc1af3cf 1280 if (state->def->quote == external_acl::QUOTE_METHOD_URL)
1281 rfc1738_unescape(value);
1282
2f1431ea 1283 if (strcmp(token, "message") == 0)
d7bd27db 1284 entryData.message = value;
62e76326 1285 else if (strcmp(token, "error") == 0)
d7bd27db 1286 entryData.message = value;
abb929f0 1287 else if (strcmp(token, "tag") == 0)
1288 entryData.tag = value;
4a972fa2 1289 else if (strcmp(token, "log") == 0)
1290 entryData.log = value;
2f1431ea
AJ		 1291#if USE_AUTH
1292 else if (strcmp(token, "user") == 0)
1293 entryData.user = value;
abb929f0 1294 else if (strcmp(token, "password") == 0)
1295 entryData.password = value;
1296 else if (strcmp(token, "passwd") == 0)
1297 entryData.password = value;
1298 else if (strcmp(token, "login") == 0)
1299 entryData.user = value;
2f1431ea 1300#endif
62e76326 1301 }
1302 }
d9572179 1303 }
62e76326 1304
d9572179 1305 dlinkDelete(&state->list, &state->def->queue);
62e76326 1306
4960475f 1307 if (cbdataReferenceValid(state->def)) {
62e76326 1308 if (reply)
1e5562e3 1309 entry = external_acl_cache_add(state->def, state->key, entryData);
62e76326 1310 else {
2ae2408b 1311 external_acl_entry *oldentry = (external_acl_entry *)hash_lookup(state->def->cache, state->key);
62e76326 1312
2ae2408b 1313 if (oldentry)
1314 external_acl_cache_delete(state->def, oldentry);
62e76326 1315 }
466090ac 1316 }
d9572179 1317
1318 do {
62e76326 1319 void *cbdata;
1320 cbdataReferenceDone(state->def);
1321
47b0c1fa 1322 if (state->callback && cbdataReferenceValidDone(state->callback_data, &cbdata))
62e76326 1323 state->callback(cbdata, entry);
1324
1325 next = state->queue;
d9572179 1326
62e76326 1327 cbdataFree(state);
d9572179 1328
62e76326 1329 state = next;
d9572179 1330 } while (state);
1331}
1332
1333void
c0941a6a 1334ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me, EAH * callback, void *callback_data)
d9572179 1335{
1336 MemBuf buf;
e870b1f8 1337 external_acl_data *acl = me->data;
d9572179 1338 external_acl *def = acl->def;
d9572179 1339 externalAclState *state;
47b0c1fa 1340 dlink_node *node;
1341 externalAclState *oldstate = NULL;
1342 bool graceful = 0;
c8e7608c 1343
c0941a6a 1344 ACLFilledChecklist *ch = Filled(checklist);
2f1431ea 1345#if USE_AUTH
c8e7608c 1346 if (acl->def->require_auth) {
1347 int ti;
1348 /* Make sure the user is authenticated */
3265364b 1349 debugs(82, 3, "aclMatchExternal: " << acl->def->name << " check user authenticated.");
c8e7608c 1350
c0941a6a 1351 if ((ti = AuthenticateAcl(ch)) != 1) {
bf8fe701 1352 debugs(82, 1, "externalAclLookup: " << acl->def->name <<
1353 " user authentication failure (" << ti << ", ch=" << ch << ")");
c8e7608c 1354 callback(callback_data, NULL);
1355 return;
1356 }
3265364b 1357 debugs(82, 3, "aclMatchExternal: " << acl->def->name << " user is authenticated.");
c8e7608c 1358 }
2f1431ea 1359#endif
c8e7608c 1360
1361 const char *key = makeExternalAclKey(ch, acl);
62e76326 1362
d9572179 1363 if (!key) {
bf8fe701 1364 debugs(82, 1, "externalAclLookup: lookup in '" << def->name <<
1365 "', prerequisit failure (ch=" << ch << ")");
62e76326 1366 callback(callback_data, NULL);
1367 return;
d9572179 1368 }
62e76326 1369
bf8fe701 1370 debugs(82, 2, "externalAclLookup: lookup in '" << def->name << "' for '" << key << "'");
1371
c8e7608c 1372 external_acl_entry *entry = static_cast<external_acl_entry *>(hash_lookup(def->cache, key));
1373
47b0c1fa 1374 if (entry && external_acl_entry_expired(def, entry))
1375 entry = NULL;
62e76326 1376
47b0c1fa 1377 /* Check for a pending lookup to hook into */
c69ce640
AJ		 1378 // only possible if we are caching results.
1379 if (def->cache_size > 0) {
1380 for (node = def->queue.head; node; node = node->next) {
1381 externalAclState *oldstatetmp = static_cast<externalAclState *>(node->data);
62e76326 1382
c69ce640
AJ		 1383 if (strcmp(key, oldstatetmp->key) == 0) {
1384 oldstate = oldstatetmp;
1385 break;
1386 }
47b0c1fa 1387 }
1388 }
62e76326 1389
47b0c1fa 1390 if (entry && external_acl_grace_expired(def, entry)) {
1391 if (oldstate) {
bf8fe701 1392 debugs(82, 4, "externalAclLookup: in grace period, but already pending lookup ('" << key << "', ch=" << ch << ")");
62e76326 1393 callback(callback_data, entry);
62e76326 1394 return;
47b0c1fa 1395 } else {
ab321f4b 1396 graceful = 1; // grace expired, (neg)ttl did not, and we must start a new lookup.
62e76326 1397 }
d9572179 1398 }
62e76326 1399
ab321f4b 1400 // The entry is in the cache, grace_ttl did not expired.
47b0c1fa 1401 if (!graceful && entry && !external_acl_grace_expired(def, entry)) {
1402 /* Should not really happen, but why not.. */
1403 callback(callback_data, entry);
bf8fe701 1404 debugs(82, 4, "externalAclLookup: no lookup pending for '" << key << "', and grace not expired");
1405 debugs(82, 4, "externalAclLookup: (what tha' hell?)");
47b0c1fa 1406 return;
1407 }
62e76326 1408
47b0c1fa 1409 /* No pending lookup found. Sumbit to helper */
1410 state = cbdataAlloc(externalAclState);
62e76326 1411
47b0c1fa 1412 state->def = cbdataReference(def);
62e76326 1413
47b0c1fa 1414 state->key = xstrdup(key);
62e76326 1415
47b0c1fa 1416 if (!graceful) {
1417 state->callback = callback;
1418 state->callback_data = cbdataReference(callback_data);
d9572179 1419 }
62e76326 1420
47b0c1fa 1421 if (oldstate) {
1422 /* Hook into pending lookup */
1423 state->queue = oldstate->queue;
1424 oldstate->queue = state;
1425 } else {
1426 /* Check for queue overload */
1427
48d54e4d 1428 if (def->theHelper->stats.queue_size >= (int)def->theHelper->childs.n_running) {
bf8fe701 1429 debugs(82, 1, "externalAclLookup: '" << def->name << "' queue overload (ch=" << ch << ")");
47b0c1fa 1430 cbdataFree(state);
1431 callback(callback_data, entry);
1432 return;
1433 }
1434
1435 /* Send it off to the helper */
2fe7eff9 1436 buf.init();
62e76326 1437
2fe7eff9 1438 buf.Printf("%s\n", key);
62e76326 1439
bf8fe701 1440 debugs(82, 4, "externalAclLookup: looking up for '" << key << "' in '" << def->name << "'.");
ab321f4b 1441
47b0c1fa 1442 helperSubmit(def->theHelper, buf.buf, externalAclHandleReply, state);
62e76326 1443
47b0c1fa 1444 dlinkAdd(state, &state->list, &def->queue);
62e76326 1445
2fe7eff9 1446 buf.clean();
47b0c1fa 1447 }
62e76326 1448
47b0c1fa 1449 if (graceful) {
1450 /* No need to wait during grace period */
bf8fe701 1451 debugs(82, 4, "externalAclLookup: no need to wait for the result of '" <<
1452 key << "' in '" << def->name << "' (ch=" << ch << ").");
1453 debugs(82, 4, "externalAclLookup: using cached entry " << entry);
ab321f4b 1454
1455 if (entry != NULL) {
bf8fe701 1456 debugs(82, 4, "externalAclLookup: entry = { date=" <<
666f0b34 1457 (long unsigned int) entry->date <<
2f1431ea 1458 ", result=" << entry->result <<
2f1431ea
AJ		 1459 " tag=" << entry->tag <<
1460 " log=" << entry->log << " }");
e1814a90
FC		 1461#if USE_AUTH
1462 debugs(82, 4, "externalAclLookup: user=" << entry->user);
1463#endif
bf8fe701 1464
ab321f4b 1465 }
1466
47b0c1fa 1467 callback(callback_data, entry);
1468 return;
1469 }
ab321f4b 1470
bf8fe701 1471 debugs(82, 4, "externalAclLookup: will wait for the result of '" << key <<
1472 "' in '" << def->name << "' (ch=" << ch << ").");
d9572179 1473}
1474
1475static void
1476externalAclStats(StoreEntry * sentry)
1477{
1478 external_acl *p;
1479
1480 for (p = Config.externalAclHelperList; p; p = p->next) {
62e76326 1481 storeAppendPrintf(sentry, "External ACL Statistics: %s\n", p->name);
1482 storeAppendPrintf(sentry, "Cache size: %d\n", p->cache->count);
1483 helperStats(sentry, p->theHelper);
1484 storeAppendPrintf(sentry, "\n");
d9572179 1485 }
1486}
1487
6b7d87bb
FC		 1488static void
1489externalAclRegisterWithCacheManager(void)
1490{
8822ebee 1491 Mgr::RegisterAction("external_acl",
d9fc6862
A		 1492 "External ACL stats",
1493 externalAclStats, 0, 1);
6b7d87bb
FC		 1494}
1495
d9572179 1496void
1497externalAclInit(void)
1498{
1499 static int firstTimeInit = 1;
1500 external_acl *p;
1501
1502 for (p = Config.externalAclHelperList; p; p = p->next) {
62e76326 1503 if (!p->cache)
30abd221 1504 p->cache = hash_create((HASHCMP *) strcmp, hashPrime(1024), hash4);
62e76326 1505
1506 if (!p->theHelper)
48d54e4d 1507 p->theHelper = new helper(p->name);
62e76326 1508
1509 p->theHelper->cmdline = p->cmdline;
1510
48d54e4d 1511 p->theHelper->childs = p->children;
07eca7e0 1512
62e76326 1513 p->theHelper->ipc_type = IPC_TCP_SOCKET;
1514
cc192b50 1515 p->theHelper->addr = p->local_addr;
1516
62e76326 1517 helperOpenServers(p->theHelper);
d9572179 1518 }
62e76326 1519
d9572179 1520 if (firstTimeInit) {
62e76326 1521 firstTimeInit = 0;
62e76326 1522 CBDATA_INIT_TYPE_FREECB(externalAclState, free_externalAclState);
d9572179 1523 }
ea391f18
FC		 1524
1525 externalAclRegisterWithCacheManager();
d9572179 1526}
1527
1528void
1529externalAclShutdown(void)
1530{
1531 external_acl *p;
62e76326 1532
d9572179 1533 for (p = Config.externalAclHelperList; p; p = p->next) {
62e76326 1534 helperShutdown(p->theHelper);
d9572179 1535 }
1536}
225b7b10 1537
1538ExternalACLLookup ExternalACLLookup::instance_;
1539ExternalACLLookup *
1540ExternalACLLookup::Instance()
1541{
1542 return &instance_;
1543}
1544
1545void
1546ExternalACLLookup::checkForAsync(ACLChecklist *checklist)const
1547{
b0dd28ba 1548 /* TODO: optimise this - we probably have a pointer to this
1549 * around somewhere */
97427e90 1550 ACL *acl = ACL::FindByName(AclMatchedName);
ab321f4b 1551 assert(acl);
b0dd28ba 1552 ACLExternal *me = dynamic_cast<ACLExternal *> (acl);
1553 assert (me);
225b7b10 1554 checklist->asyncInProgress(true);
b0dd28ba 1555 ACLExternal::ExternalAclLookup(checklist, me, LookupDone, checklist);
225b7b10 1556}
1557
1558void
1559ExternalACLLookup::LookupDone(void *data, void *result)
1560{
c0941a6a 1561 ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
225b7b10 1562 checklist->extacl_entry = cbdataReference((external_acl_entry *)result);
1563 checklist->asyncInProgress(false);
c059ed04 1564 checklist->changeState (ACLChecklist::NullState::Instance());
225b7b10 1565 checklist->check();
1566}
b0dd28ba 1567
1568/* This registers "external" in the registry. To do dynamic definitions
1569 * of external ACL's, rather than a static prototype, have a Prototype instance
1570 * prototype in the class that defines each external acl 'class'.
1571 * Then, then the external acl instance is created, it self registers under
1572 * it's name.
1573 * Be sure that clone is fully functional for that acl class though!
1574 */
1575ACL::Prototype ACLExternal::RegistryProtoype(&ACLExternal::RegistryEntry_, "external");
1576
1577ACLExternal ACLExternal::RegistryEntry_("external");
1578
1579ACL *
1580ACLExternal::clone() const
1581{
1582 return new ACLExternal(*this);
1583}
1584
1585ACLExternal::ACLExternal (char const *theClass) : data (NULL), class_ (xstrdup (theClass))
1586{}
1587
1588ACLExternal::ACLExternal (ACLExternal const & old) : data (NULL), class_ (old.class_ ? xstrdup (old.class_) : NULL)
1589{
1590 /* we don't have copy constructors for the data yet */
1591 assert (!old.data);
1592}
1593
b0dd28ba 1594char const *
1595ACLExternal::typeString() const
1596{
1597 return class_;
1598}
1599
e870b1f8 1600bool
1601ACLExternal::isProxyAuth() const
1602{
2f1431ea 1603#if USE_AUTH
e870b1f8 1604 return data->def->require_auth;
2f1431ea
AJ		 1605#else
1606 return false;
1607#endif
e870b1f8 1608}
Mirror of https://github.com/squid-cache/squid.git