]>
Commit | Line | Data |
---|---|---|
d9572179 | 1 | |
2 | /* | |
262a0e14 | 3 | * $Id$ |
d9572179 | 4 | * |
5 | * DEBUG: section 82 External ACL | |
6 | * AUTHOR: Henrik Nordstrom, MARA Systems AB | |
7 | * | |
8 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
9 | * ---------------------------------------------------------- | |
10 | * | |
11 | * The contents of this file is Copyright (C) 2002 by MARA Systems AB, | |
12 | * Sweden, unless otherwise is indicated in the specific function. The | |
13 | * author gives his full permission to include this file into the Squid | |
14 | * software product under the terms of the GNU General Public License as | |
15 | * published by the Free Software Foundation; either version 2 of the | |
16 | * License, or (at your option) any later version. | |
17 | * | |
18 | * Squid is the result of efforts by numerous individuals from | |
19 | * the Internet community; see the CONTRIBUTORS file for full | |
20 | * details. Many organizations have provided support for Squid's | |
21 | * development; see the SPONSORS file for full details. Squid is | |
22 | * Copyrighted (C) 2001 by the Regents of the University of | |
23 | * California; see the COPYRIGHT file for full details. Squid | |
24 | * incorporates software developed and/or copyrighted by other | |
25 | * sources; see the CREDITS file for full details. | |
26 | * | |
27 | * This program is free software; you can redistribute it and/or modify | |
28 | * it under the terms of the GNU General Public License as published by | |
29 | * the Free Software Foundation; either version 2 of the License, or | |
30 | * (at your option) any later version. | |
26ac0430 | 31 | * |
d9572179 | 32 | * This program is distributed in the hope that it will be useful, |
33 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
34 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
35 | * GNU General Public License for more details. | |
26ac0430 | 36 | * |
d9572179 | 37 | * You should have received a copy of the GNU General Public License |
38 | * along with this program; if not, write to the Free Software | |
39 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
40 | * | |
41 | */ | |
42 | ||
43 | #include "squid.h" | |
8822ebee | 44 | #include "mgr/Registration.h" |
225b7b10 | 45 | #include "ExternalACL.h" |
1e5562e3 | 46 | #include "ExternalACLEntry.h" |
2f1431ea AJ |
47 | #if USE_AUTH |
48 | #include "auth/Acl.h" | |
49 | #include "auth/Gadgets.h" | |
2d2b0bb7 | 50 | #include "auth/UserRequest.h" |
2f1431ea | 51 | #endif |
985c86bc | 52 | #include "SquidTime.h" |
e6ccf245 | 53 | #include "Store.h" |
ecb04c8c | 54 | #include "fde.h" |
c0941a6a AR |
55 | #include "acl/FilledChecklist.h" |
56 | #include "acl/Acl.h" | |
3841dd46 | 57 | #if USE_IDENT |
4daaf3cb | 58 | #include "ident/AclIdent.h" |
3841dd46 | 59 | #endif |
055421ee | 60 | #include "ip/tools.h" |
a46d2c0e | 61 | #include "client_side.h" |
5c336a3b | 62 | #include "comm/Connection.h" |
a2ac85d9 | 63 | #include "HttpRequest.h" |
7b0ca1e8 | 64 | #include "HttpReply.h" |
aa839030 | 65 | #include "helper.h" |
0eb49b6d | 66 | #include "MemBuf.h" |
1fa9b1a7 | 67 | #include "rfc1738.h" |
985c86bc | 68 | #include "URLScheme.h" |
d295d770 | 69 | #include "wordlist.h" |
4db984be CT |
70 | #if USE_SSL |
71 | #include "ssl/support.h" | |
72 | #endif | |
d9572179 | 73 | |
74 | #ifndef DEFAULT_EXTERNAL_ACL_TTL | |
75 | #define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60 | |
76 | #endif | |
d4f2f353 | 77 | #ifndef DEFAULT_EXTERNAL_ACL_CHILDREN |
78 | #define DEFAULT_EXTERNAL_ACL_CHILDREN 5 | |
d9572179 | 79 | #endif |
80 | ||
81 | typedef struct _external_acl_format external_acl_format; | |
62e76326 | 82 | |
c0941a6a | 83 | static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data); |
d9572179 | 84 | static void external_acl_cache_delete(external_acl * def, external_acl_entry * entry); |
85 | static int external_acl_entry_expired(external_acl * def, external_acl_entry * entry); | |
47b0c1fa | 86 | static int external_acl_grace_expired(external_acl * def, external_acl_entry * entry); |
d9572179 | 87 | static void external_acl_cache_touch(external_acl * def, external_acl_entry * entry); |
1e5562e3 | 88 | static external_acl_entry *external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data); |
d9572179 | 89 | |
90 | /****************************************************************** | |
91 | * external_acl directive | |
92 | */ | |
62e76326 | 93 | |
1e5562e3 | 94 | class external_acl |
62e76326 | 95 | { |
1e5562e3 | 96 | |
97 | public: | |
d9572179 | 98 | external_acl *next; |
1e5562e3 | 99 | |
6ca34f6f | 100 | void add(ExternalACLEntry *); |
1e5562e3 | 101 | |
102 | void trimCache(); | |
103 | ||
d9572179 | 104 | int ttl; |
1e5562e3 | 105 | |
d9572179 | 106 | int negative_ttl; |
1e5562e3 | 107 | |
47b0c1fa | 108 | int grace; |
109 | ||
d9572179 | 110 | char *name; |
1e5562e3 | 111 | |
d9572179 | 112 | external_acl_format *format; |
1e5562e3 | 113 | |
d9572179 | 114 | wordlist *cmdline; |
1e5562e3 | 115 | |
48d54e4d | 116 | HelperChildConfig children; |
07eca7e0 | 117 | |
e6ccf245 | 118 | helper *theHelper; |
1e5562e3 | 119 | |
d9572179 | 120 | hash_table *cache; |
1e5562e3 | 121 | |
d9572179 | 122 | dlink_list lru_list; |
1e5562e3 | 123 | |
d9572179 | 124 | int cache_size; |
1e5562e3 | 125 | |
d9572179 | 126 | int cache_entries; |
1e5562e3 | 127 | |
d9572179 | 128 | dlink_list queue; |
1e5562e3 | 129 | |
2f1431ea | 130 | #if USE_AUTH |
3265364b AJ |
131 | /** |
132 | * Configuration flag. May only be altered by the configuration parser. | |
133 | * | |
134 | * Indicates that all uses of this external_acl_type helper require authentication | |
135 | * details to be processed. If none are available its a fail match. | |
136 | */ | |
e870b1f8 | 137 | bool require_auth; |
2f1431ea | 138 | #endif |
dc1af3cf | 139 | |
26ac0430 | 140 | enum { |
dc1af3cf | 141 | QUOTE_METHOD_SHELL = 1, |
142 | QUOTE_METHOD_URL | |
2fadd50d | 143 | } quote; |
cc192b50 | 144 | |
b7ac5457 | 145 | Ip::Address local_addr; |
d9572179 | 146 | }; |
147 | ||
26ac0430 | 148 | struct _external_acl_format { |
4ecc6631 | 149 | enum format_type { |
62e76326 | 150 | EXT_ACL_UNKNOWN, |
2f1431ea | 151 | #if USE_AUTH |
62e76326 | 152 | EXT_ACL_LOGIN, |
2f1431ea | 153 | #endif |
7a16973f | 154 | #if USE_IDENT |
62e76326 | 155 | EXT_ACL_IDENT, |
7a16973f | 156 | #endif |
62e76326 | 157 | EXT_ACL_SRC, |
47b0c1fa | 158 | EXT_ACL_SRCPORT, |
a98c2da5 AJ |
159 | #if USE_SQUID_EUI |
160 | EXT_ACL_SRCEUI48, | |
161 | EXT_ACL_SRCEUI64, | |
162 | #endif | |
47b0c1fa | 163 | EXT_ACL_MYADDR, |
164 | EXT_ACL_MYPORT, | |
3cf6e9c5 | 165 | EXT_ACL_URI, |
62e76326 | 166 | EXT_ACL_DST, |
167 | EXT_ACL_PROTO, | |
168 | EXT_ACL_PORT, | |
169 | EXT_ACL_PATH, | |
170 | EXT_ACL_METHOD, | |
7b0ca1e8 AJ |
171 | |
172 | EXT_ACL_HEADER_REQUEST, | |
173 | EXT_ACL_HEADER_REQUEST_MEMBER, | |
174 | EXT_ACL_HEADER_REQUEST_ID, | |
175 | EXT_ACL_HEADER_REQUEST_ID_MEMBER, | |
176 | ||
177 | EXT_ACL_HEADER_REPLY, | |
178 | EXT_ACL_HEADER_REPLY_MEMBER, | |
179 | EXT_ACL_HEADER_REPLY_ID, | |
180 | EXT_ACL_HEADER_REPLY_ID_MEMBER, | |
181 | ||
a7ad6e4e | 182 | #if USE_SSL |
62e76326 | 183 | EXT_ACL_USER_CERT, |
184 | EXT_ACL_CA_CERT, | |
4ac9968f | 185 | EXT_ACL_USER_CERT_RAW, |
3d61c476 | 186 | EXT_ACL_USER_CERTCHAIN_RAW, |
a7ad6e4e | 187 | #endif |
2f1431ea | 188 | #if USE_AUTH |
abb929f0 | 189 | EXT_ACL_EXT_USER, |
2f1431ea | 190 | #endif |
99e4ad67 JB |
191 | EXT_ACL_EXT_LOG, |
192 | EXT_ACL_TAG, | |
62e76326 | 193 | EXT_ACL_END |
d9572179 | 194 | } type; |
195 | external_acl_format *next; | |
196 | char *header; | |
197 | char *member; | |
198 | char separator; | |
199 | http_hdr_type header_id; | |
200 | }; | |
201 | ||
202 | /* FIXME: These are not really cbdata, but it is an easy way | |
203 | * to get them pooled, refcounted, accounted and freed properly... | |
204 | */ | |
205 | CBDATA_TYPE(external_acl); | |
206 | CBDATA_TYPE(external_acl_format); | |
207 | ||
208 | static void | |
209 | free_external_acl_format(void *data) | |
210 | { | |
e6ccf245 | 211 | external_acl_format *p = static_cast<external_acl_format *>(data); |
d9572179 | 212 | safe_free(p->header); |
213 | } | |
214 | ||
215 | static void | |
216 | free_external_acl(void *data) | |
217 | { | |
e6ccf245 | 218 | external_acl *p = static_cast<external_acl *>(data); |
d9572179 | 219 | safe_free(p->name); |
62e76326 | 220 | |
d9572179 | 221 | while (p->format) { |
62e76326 | 222 | external_acl_format *f = p->format; |
223 | p->format = f->next; | |
224 | cbdataFree(f); | |
d9572179 | 225 | } |
62e76326 | 226 | |
d9572179 | 227 | wordlistDestroy(&p->cmdline); |
62e76326 | 228 | |
e6ccf245 | 229 | if (p->theHelper) { |
62e76326 | 230 | helperShutdown(p->theHelper); |
48d54e4d | 231 | delete p->theHelper; |
62e76326 | 232 | p->theHelper = NULL; |
d9572179 | 233 | } |
62e76326 | 234 | |
d9572179 | 235 | while (p->lru_list.tail) |
62e76326 | 236 | external_acl_cache_delete(p, static_cast<external_acl_entry *>(p->lru_list.tail->data)); |
d9572179 | 237 | if (p->cache) |
62e76326 | 238 | hashFreeMemory(p->cache); |
d9572179 | 239 | } |
240 | ||
7b0ca1e8 AJ |
241 | /** |
242 | * Parse the External ACL format %<{.*} and %>{.*} token(s) to pass a specific | |
243 | * request or reply header to external helper. | |
244 | * | |
245 | \param header - the token being parsed (without the identifying prefix) | |
246 | \param type - format enum identifier for this element, pulled from identifying prefix | |
247 | \param format - structure to contain all the info about this format element. | |
248 | */ | |
249 | void | |
4ecc6631 | 250 | parse_header_token(external_acl_format *format, char *header, const _external_acl_format::format_type type) |
7b0ca1e8 AJ |
251 | { |
252 | /* header format */ | |
253 | char *member, *end; | |
254 | ||
255 | /** Cut away the closing brace */ | |
256 | end = strchr(header, '}'); | |
257 | if (end && strlen(end) == 1) | |
258 | *end = '\0'; | |
259 | else | |
260 | self_destruct(); | |
261 | ||
262 | member = strchr(header, ':'); | |
263 | ||
264 | if (member) { | |
265 | /* Split in header and member */ | |
266 | *member++ = '\0'; | |
267 | ||
268 | if (!xisalnum(*member)) | |
269 | format->separator = *member++; | |
270 | else | |
271 | format->separator = ','; | |
272 | ||
273 | format->member = xstrdup(member); | |
274 | ||
26ac0430 | 275 | if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST) |
7b0ca1e8 AJ |
276 | format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER; |
277 | else | |
278 | format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER; | |
279 | } else { | |
280 | format->type = type; | |
281 | } | |
282 | ||
283 | format->header = xstrdup(header); | |
284 | format->header_id = httpHeaderIdByNameDef(header, strlen(header)); | |
285 | ||
286 | if (format->header_id != -1) { | |
287 | if (member) { | |
26ac0430 | 288 | if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST) |
7b0ca1e8 AJ |
289 | format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER; |
290 | else | |
291 | format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER; | |
292 | } else { | |
26ac0430 | 293 | if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST) |
7b0ca1e8 AJ |
294 | format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID; |
295 | else | |
296 | format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID; | |
297 | } | |
298 | } | |
299 | } | |
300 | ||
d9572179 | 301 | void |
302 | parse_externalAclHelper(external_acl ** list) | |
303 | { | |
304 | external_acl *a; | |
305 | char *token; | |
306 | external_acl_format **p; | |
307 | ||
308 | CBDATA_INIT_TYPE_FREECB(external_acl, free_external_acl); | |
309 | CBDATA_INIT_TYPE_FREECB(external_acl_format, free_external_acl_format); | |
310 | ||
311 | a = cbdataAlloc(external_acl); | |
312 | ||
cc192b50 | 313 | /* set defaults */ |
d9572179 | 314 | a->ttl = DEFAULT_EXTERNAL_ACL_TTL; |
315 | a->negative_ttl = -1; | |
84f795a5 | 316 | a->cache_size = 256*1024; |
48d54e4d AJ |
317 | a->children.n_max = DEFAULT_EXTERNAL_ACL_CHILDREN; |
318 | a->children.n_startup = a->children.n_max; | |
404cfda1 | 319 | a->children.n_idle = 1; |
cc192b50 | 320 | a->local_addr.SetLocalhost(); |
321 | a->quote = external_acl::QUOTE_METHOD_URL; | |
322 | ||
d9572179 | 323 | token = strtok(NULL, w_space); |
62e76326 | 324 | |
d9572179 | 325 | if (!token) |
62e76326 | 326 | self_destruct(); |
327 | ||
d9572179 | 328 | a->name = xstrdup(token); |
329 | ||
330 | token = strtok(NULL, w_space); | |
62e76326 | 331 | |
d9572179 | 332 | /* Parse options */ |
333 | while (token) { | |
62e76326 | 334 | if (strncmp(token, "ttl=", 4) == 0) { |
335 | a->ttl = atoi(token + 4); | |
336 | } else if (strncmp(token, "negative_ttl=", 13) == 0) { | |
337 | a->negative_ttl = atoi(token + 13); | |
07eca7e0 | 338 | } else if (strncmp(token, "children=", 9) == 0) { |
48d54e4d AJ |
339 | a->children.n_max = atoi(token + 9); |
340 | debugs(0, 0, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N"); | |
341 | } else if (strncmp(token, "children-max=", 13) == 0) { | |
342 | a->children.n_max = atoi(token + 13); | |
343 | } else if (strncmp(token, "children-startup=", 17) == 0) { | |
344 | a->children.n_startup = atoi(token + 17); | |
345 | } else if (strncmp(token, "children-idle=", 14) == 0) { | |
346 | a->children.n_idle = atoi(token + 14); | |
07eca7e0 | 347 | } else if (strncmp(token, "concurrency=", 12) == 0) { |
48d54e4d | 348 | a->children.concurrency = atoi(token + 12); |
62e76326 | 349 | } else if (strncmp(token, "cache=", 6) == 0) { |
350 | a->cache_size = atoi(token + 6); | |
47b0c1fa | 351 | } else if (strncmp(token, "grace=", 6) == 0) { |
352 | a->grace = atoi(token + 6); | |
dc1af3cf | 353 | } else if (strcmp(token, "protocol=2.5") == 0) { |
354 | a->quote = external_acl::QUOTE_METHOD_SHELL; | |
355 | } else if (strcmp(token, "protocol=3.0") == 0) { | |
356 | a->quote = external_acl::QUOTE_METHOD_URL; | |
357 | } else if (strcmp(token, "quote=url") == 0) { | |
358 | a->quote = external_acl::QUOTE_METHOD_URL; | |
359 | } else if (strcmp(token, "quote=shell") == 0) { | |
360 | a->quote = external_acl::QUOTE_METHOD_SHELL; | |
cc192b50 | 361 | |
26ac0430 AJ |
362 | /* INET6: allow admin to configure some helpers explicitly to |
363 | bind to IPv4/v6 localhost port. */ | |
cc192b50 | 364 | } else if (strcmp(token, "ipv4") == 0) { |
26ac0430 | 365 | if ( !a->local_addr.SetIPv4() ) { |
cc192b50 | 366 | debugs(3, 0, "WARNING: Error converting " << a->local_addr << " to IPv4 in " << a->name ); |
367 | } | |
368 | } else if (strcmp(token, "ipv6") == 0) { | |
055421ee AJ |
369 | if (!Ip::EnableIpv6) |
370 | debugs(3, 0, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a->name ); | |
371 | // else nothing to do. | |
62e76326 | 372 | } else { |
373 | break; | |
374 | } | |
375 | ||
376 | token = strtok(NULL, w_space); | |
d9572179 | 377 | } |
62e76326 | 378 | |
6f78f0ed | 379 | /* check that child startup value is sane. */ |
a3cecd6c AJ |
380 | if (a->children.n_startup > a->children.n_max) |
381 | a->children.n_startup = a->children.n_max; | |
48d54e4d | 382 | |
6f78f0ed | 383 | /* check that child idle value is sane. */ |
a3cecd6c AJ |
384 | if (a->children.n_idle > a->children.n_max) |
385 | a->children.n_idle = a->children.n_max; | |
386 | if (a->children.n_idle < 1) | |
387 | a->children.n_idle = 1; | |
48d54e4d | 388 | |
d9572179 | 389 | if (a->negative_ttl == -1) |
62e76326 | 390 | a->negative_ttl = a->ttl; |
d9572179 | 391 | |
392 | /* Parse format */ | |
393 | p = &a->format; | |
62e76326 | 394 | |
d9572179 | 395 | while (token) { |
62e76326 | 396 | external_acl_format *format; |
397 | ||
398 | /* stop on first non-format token found */ | |
399 | ||
400 | if (*token != '%') | |
401 | break; | |
402 | ||
403 | format = cbdataAlloc(external_acl_format); | |
404 | ||
405 | if (strncmp(token, "%{", 2) == 0) { | |
7b0ca1e8 AJ |
406 | // deprecated. but assume the old configs all referred to request headers. |
407 | debugs(82, DBG_IMPORTANT, "WARNING: external_acl_type format %{...} is being replaced by %>{...} for : " << token); | |
4ecc6631 | 408 | parse_header_token(format, (token+2), _external_acl_format::EXT_ACL_HEADER_REQUEST); |
c68c9682 | 409 | } else if (strncmp(token, "%>{", 3) == 0) { |
4ecc6631 | 410 | parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REQUEST); |
c68c9682 | 411 | } else if (strncmp(token, "%<{", 3) == 0) { |
4ecc6631 | 412 | parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REPLY); |
2f1431ea | 413 | #if USE_AUTH |
62e76326 | 414 | } else if (strcmp(token, "%LOGIN") == 0) { |
415 | format->type = _external_acl_format::EXT_ACL_LOGIN; | |
e870b1f8 | 416 | a->require_auth = true; |
2f1431ea | 417 | #endif |
62e76326 | 418 | } |
419 | ||
7a16973f | 420 | #if USE_IDENT |
62e76326 | 421 | else if (strcmp(token, "%IDENT") == 0) |
422 | format->type = _external_acl_format::EXT_ACL_IDENT; | |
423 | ||
7a16973f | 424 | #endif |
62e76326 | 425 | |
426 | else if (strcmp(token, "%SRC") == 0) | |
427 | format->type = _external_acl_format::EXT_ACL_SRC; | |
47b0c1fa | 428 | else if (strcmp(token, "%SRCPORT") == 0) |
429 | format->type = _external_acl_format::EXT_ACL_SRCPORT; | |
a98c2da5 AJ |
430 | #if USE_SQUID_EUI |
431 | else if (strcmp(token, "%SRCEUI48") == 0) | |
432 | format->type = _external_acl_format::EXT_ACL_SRCEUI48; | |
433 | else if (strcmp(token, "%SRCEUI64") == 0) | |
434 | format->type = _external_acl_format::EXT_ACL_SRCEUI64; | |
435 | #endif | |
47b0c1fa | 436 | else if (strcmp(token, "%MYADDR") == 0) |
437 | format->type = _external_acl_format::EXT_ACL_MYADDR; | |
438 | else if (strcmp(token, "%MYPORT") == 0) | |
439 | format->type = _external_acl_format::EXT_ACL_MYPORT; | |
3cf6e9c5 | 440 | else if (strcmp(token, "%URI") == 0) |
441 | format->type = _external_acl_format::EXT_ACL_URI; | |
62e76326 | 442 | else if (strcmp(token, "%DST") == 0) |
443 | format->type = _external_acl_format::EXT_ACL_DST; | |
444 | else if (strcmp(token, "%PROTO") == 0) | |
445 | format->type = _external_acl_format::EXT_ACL_PROTO; | |
446 | else if (strcmp(token, "%PORT") == 0) | |
447 | format->type = _external_acl_format::EXT_ACL_PORT; | |
448 | else if (strcmp(token, "%PATH") == 0) | |
449 | format->type = _external_acl_format::EXT_ACL_PATH; | |
450 | else if (strcmp(token, "%METHOD") == 0) | |
451 | format->type = _external_acl_format::EXT_ACL_METHOD; | |
452 | ||
a7ad6e4e | 453 | #if USE_SSL |
4ac9968f | 454 | else if (strcmp(token, "%USER_CERT") == 0) |
3de409f0 | 455 | format->type = _external_acl_format::EXT_ACL_USER_CERT_RAW; |
3d61c476 | 456 | else if (strcmp(token, "%USER_CERTCHAIN") == 0) |
3de409f0 | 457 | format->type = _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW; |
c68c9682 | 458 | else if (strncmp(token, "%USER_CERT_", 11) == 0) { |
62e76326 | 459 | format->type = _external_acl_format::EXT_ACL_USER_CERT; |
460 | format->header = xstrdup(token + 11); | |
c68c9682 | 461 | } else if (strncmp(token, "%CA_CERT_", 11) == 0) { |
62e76326 | 462 | format->type = _external_acl_format::EXT_ACL_USER_CERT; |
463 | format->header = xstrdup(token + 11); | |
464 | } | |
a7ad6e4e | 465 | #endif |
2f1431ea | 466 | #if USE_AUTH |
abb929f0 | 467 | else if (strcmp(token, "%EXT_USER") == 0) |
468 | format->type = _external_acl_format::EXT_ACL_EXT_USER; | |
2f1431ea | 469 | #endif |
99e4ad67 JB |
470 | else if (strcmp(token, "%EXT_LOG") == 0) |
471 | format->type = _external_acl_format::EXT_ACL_EXT_LOG; | |
472 | else if (strcmp(token, "%TAG") == 0) | |
473 | format->type = _external_acl_format::EXT_ACL_TAG; | |
62e76326 | 474 | else { |
a98c2da5 | 475 | debugs(0,0, "ERROR: Unknown Format token " << token); |
62e76326 | 476 | self_destruct(); |
477 | } | |
478 | ||
479 | *p = format; | |
480 | p = &format->next; | |
481 | token = strtok(NULL, w_space); | |
d9572179 | 482 | } |
483 | ||
484 | /* There must be at least one format token */ | |
485 | if (!a->format) | |
62e76326 | 486 | self_destruct(); |
d9572179 | 487 | |
488 | /* helper */ | |
489 | if (!token) | |
62e76326 | 490 | self_destruct(); |
491 | ||
d9572179 | 492 | wordlistAdd(&a->cmdline, token); |
493 | ||
494 | /* arguments */ | |
a336d130 | 495 | parse_wordlist(&a->cmdline); |
d9572179 | 496 | |
497 | while (*list) | |
62e76326 | 498 | list = &(*list)->next; |
499 | ||
d9572179 | 500 | *list = a; |
501 | } | |
502 | ||
503 | void | |
504 | dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl * list) | |
505 | { | |
506 | const external_acl *node; | |
507 | const external_acl_format *format; | |
508 | const wordlist *word; | |
62e76326 | 509 | |
d9572179 | 510 | for (node = list; node; node = node->next) { |
62e76326 | 511 | storeAppendPrintf(sentry, "%s %s", name, node->name); |
512 | ||
cc192b50 | 513 | if (!node->local_addr.IsIPv6()) |
514 | storeAppendPrintf(sentry, " ipv4"); | |
515 | else | |
516 | storeAppendPrintf(sentry, " ipv6"); | |
517 | ||
62e76326 | 518 | if (node->ttl != DEFAULT_EXTERNAL_ACL_TTL) |
519 | storeAppendPrintf(sentry, " ttl=%d", node->ttl); | |
520 | ||
521 | if (node->negative_ttl != node->ttl) | |
522 | storeAppendPrintf(sentry, " negative_ttl=%d", node->negative_ttl); | |
523 | ||
47b0c1fa | 524 | if (node->grace) |
525 | storeAppendPrintf(sentry, " grace=%d", node->grace); | |
526 | ||
48d54e4d AJ |
527 | if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN) |
528 | storeAppendPrintf(sentry, " children-max=%d", node->children.n_max); | |
62e76326 | 529 | |
48d54e4d AJ |
530 | if (node->children.n_startup != 1) |
531 | storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup); | |
62e76326 | 532 | |
48d54e4d AJ |
533 | if (node->children.n_idle != (node->children.n_max + node->children.n_startup) ) |
534 | storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle); | |
535 | ||
536 | if (node->children.concurrency) | |
537 | storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency); | |
07eca7e0 | 538 | |
47b0c1fa | 539 | if (node->cache) |
540 | storeAppendPrintf(sentry, " cache=%d", node->cache_size); | |
541 | ||
62e76326 | 542 | for (format = node->format; format; format = format->next) { |
543 | switch (format->type) { | |
544 | ||
4ecc6631 | 545 | case _external_acl_format::EXT_ACL_HEADER_REQUEST: |
4ecc6631 | 546 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID: |
2170db3e | 547 | storeAppendPrintf(sentry, " %%>{%s}", format->header); |
62e76326 | 548 | break; |
549 | ||
4ecc6631 | 550 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER: |
4ecc6631 | 551 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER: |
2170db3e AJ |
552 | storeAppendPrintf(sentry, " %%>{%s:%s}", format->header, format->member); |
553 | break; | |
554 | ||
555 | case _external_acl_format::EXT_ACL_HEADER_REPLY: | |
556 | case _external_acl_format::EXT_ACL_HEADER_REPLY_ID: | |
557 | storeAppendPrintf(sentry, " %%<{%s}", format->header); | |
558 | break; | |
559 | ||
560 | case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER: | |
561 | case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER: | |
562 | storeAppendPrintf(sentry, " %%<{%s:%s}", format->header, format->member); | |
62e76326 | 563 | break; |
d9572179 | 564 | #define DUMP_EXT_ACL_TYPE(a) \ |
dc1af3cf | 565 | case _external_acl_format::EXT_ACL_##a: \ |
566 | storeAppendPrintf(sentry, " %%%s", #a); \ | |
567 | break | |
2f1431ea | 568 | #if USE_AUTH |
62e76326 | 569 | DUMP_EXT_ACL_TYPE(LOGIN); |
2f1431ea | 570 | #endif |
8f45b34c | 571 | #if USE_IDENT |
62e76326 | 572 | |
573 | DUMP_EXT_ACL_TYPE(IDENT); | |
8f45b34c | 574 | #endif |
62e76326 | 575 | |
576 | DUMP_EXT_ACL_TYPE(SRC); | |
47b0c1fa | 577 | DUMP_EXT_ACL_TYPE(SRCPORT); |
a98c2da5 AJ |
578 | #if USE_SQUID_EUI |
579 | DUMP_EXT_ACL_TYPE(SRCEUI48); | |
580 | DUMP_EXT_ACL_TYPE(SRCEUI64); | |
581 | #endif | |
582 | ||
47b0c1fa | 583 | DUMP_EXT_ACL_TYPE(MYADDR); |
584 | DUMP_EXT_ACL_TYPE(MYPORT); | |
3cf6e9c5 | 585 | DUMP_EXT_ACL_TYPE(URI); |
62e76326 | 586 | DUMP_EXT_ACL_TYPE(DST); |
587 | DUMP_EXT_ACL_TYPE(PROTO); | |
588 | DUMP_EXT_ACL_TYPE(PORT); | |
589 | DUMP_EXT_ACL_TYPE(PATH); | |
590 | DUMP_EXT_ACL_TYPE(METHOD); | |
1f183752 | 591 | #if USE_SSL |
62e76326 | 592 | |
4ac9968f | 593 | case _external_acl_format::EXT_ACL_USER_CERT_RAW: |
594 | storeAppendPrintf(sentry, " %%USER_CERT"); | |
595 | break; | |
596 | ||
3d61c476 | 597 | case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW: |
598 | storeAppendPrintf(sentry, " %%USER_CERTCHAIN"); | |
599 | break; | |
600 | ||
62e76326 | 601 | case _external_acl_format::EXT_ACL_USER_CERT: |
602 | storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header); | |
603 | break; | |
604 | ||
605 | case _external_acl_format::EXT_ACL_CA_CERT: | |
606 | storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header); | |
607 | break; | |
1f183752 | 608 | #endif |
2f1431ea | 609 | #if USE_AUTH |
abb929f0 | 610 | DUMP_EXT_ACL_TYPE(EXT_USER); |
2f1431ea | 611 | #endif |
99e4ad67 JB |
612 | DUMP_EXT_ACL_TYPE(EXT_LOG); |
613 | DUMP_EXT_ACL_TYPE(TAG); | |
4ecc6631 | 614 | default: |
62e76326 | 615 | fatal("unknown external_acl format error"); |
616 | break; | |
617 | } | |
618 | } | |
619 | ||
620 | for (word = node->cmdline; word; word = word->next) | |
621 | storeAppendPrintf(sentry, " %s", word->key); | |
622 | ||
623 | storeAppendPrintf(sentry, "\n"); | |
d9572179 | 624 | } |
625 | } | |
626 | ||
627 | void | |
628 | free_externalAclHelper(external_acl ** list) | |
629 | { | |
630 | while (*list) { | |
62e76326 | 631 | external_acl *node = *list; |
632 | *list = node->next; | |
633 | node->next = NULL; | |
634 | cbdataFree(node); | |
d9572179 | 635 | } |
636 | } | |
637 | ||
638 | static external_acl * | |
639 | find_externalAclHelper(const char *name) | |
640 | { | |
641 | external_acl *node; | |
642 | ||
643 | for (node = Config.externalAclHelperList; node; node = node->next) { | |
62e76326 | 644 | if (strcmp(node->name, name) == 0) |
645 | return node; | |
d9572179 | 646 | } |
62e76326 | 647 | |
d9572179 | 648 | return NULL; |
649 | } | |
650 | ||
1e5562e3 | 651 | void |
6ca34f6f | 652 | external_acl::add(ExternalACLEntry *anEntry) |
1e5562e3 | 653 | { |
654 | trimCache(); | |
655 | assert (anEntry->def == NULL); | |
656 | anEntry->def = this; | |
657 | hash_join(cache, anEntry); | |
658 | dlinkAdd(anEntry, &anEntry->lru, &lru_list); | |
659 | cache_entries++; | |
660 | } | |
661 | ||
662 | void | |
663 | external_acl::trimCache() | |
664 | { | |
665 | if (cache_size && cache_entries >= cache_size) | |
666 | external_acl_cache_delete(this, static_cast<external_acl_entry *>(lru_list.tail->data)); | |
667 | } | |
668 | ||
d9572179 | 669 | |
670 | /****************************************************************** | |
671 | * external acl type | |
672 | */ | |
673 | ||
26ac0430 | 674 | struct _external_acl_data { |
d9572179 | 675 | external_acl *def; |
676 | wordlist *arguments; | |
677 | }; | |
678 | ||
679 | CBDATA_TYPE(external_acl_data); | |
680 | static void | |
681 | free_external_acl_data(void *data) | |
682 | { | |
e6ccf245 | 683 | external_acl_data *p = static_cast<external_acl_data *>(data); |
d9572179 | 684 | wordlistDestroy(&p->arguments); |
685 | cbdataReferenceDone(p->def); | |
686 | } | |
687 | ||
688 | void | |
b0dd28ba | 689 | ACLExternal::parse() |
d9572179 | 690 | { |
d9572179 | 691 | char *token; |
62e76326 | 692 | |
b0dd28ba | 693 | if (data) |
62e76326 | 694 | self_destruct(); |
695 | ||
d9572179 | 696 | CBDATA_INIT_TYPE_FREECB(external_acl_data, free_external_acl_data); |
62e76326 | 697 | |
d9572179 | 698 | data = cbdataAlloc(external_acl_data); |
62e76326 | 699 | |
d9572179 | 700 | token = strtok(NULL, w_space); |
62e76326 | 701 | |
d9572179 | 702 | if (!token) |
62e76326 | 703 | self_destruct(); |
704 | ||
d9572179 | 705 | data->def = cbdataReference(find_externalAclHelper(token)); |
62e76326 | 706 | |
d9572179 | 707 | if (!data->def) |
62e76326 | 708 | self_destruct(); |
709 | ||
4d091667 | 710 | while ((token = strtokFile())) { |
62e76326 | 711 | wordlistAdd(&data->arguments, token); |
d9572179 | 712 | } |
d9572179 | 713 | } |
714 | ||
4b0f5de8 | 715 | bool |
716 | ACLExternal::valid () const | |
717 | { | |
2f1431ea | 718 | #if USE_AUTH |
4b0f5de8 | 719 | if (data->def->require_auth) { |
720 | if (authenticateSchemeCount() == 0) { | |
bf8fe701 | 721 | debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled."); |
4b0f5de8 | 722 | return false; |
723 | } | |
724 | ||
725 | if (authenticateActiveSchemeCount() == 0) { | |
bf8fe701 | 726 | debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured."); |
4b0f5de8 | 727 | return false; |
728 | } | |
729 | } | |
2f1431ea | 730 | #endif |
4b0f5de8 | 731 | |
732 | return true; | |
733 | } | |
734 | ||
735 | bool | |
736 | ACLExternal::empty () const | |
737 | { | |
738 | return false; | |
739 | } | |
740 | ||
b0dd28ba | 741 | ACLExternal::~ACLExternal() |
d9572179 | 742 | { |
b0dd28ba | 743 | cbdataFree(data); |
744 | safe_free (class_); | |
d9572179 | 745 | } |
746 | ||
b0dd28ba | 747 | static int |
c0941a6a | 748 | aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch) |
d9572179 | 749 | { |
750 | int result; | |
751 | external_acl_entry *entry; | |
d9572179 | 752 | const char *key = ""; |
c69ce640 | 753 | debugs(82, 9, HERE << "acl=\"" << acl->def->name << "\""); |
d9572179 | 754 | entry = ch->extacl_entry; |
62e76326 | 755 | |
d9572179 | 756 | if (entry) { |
c69ce640 | 757 | if (cbdataReferenceValid(entry) && entry->def == acl->def) { |
62e76326 | 758 | /* Ours, use it.. */ |
759 | } else { | |
760 | /* Not valid, or not ours.. get rid of it */ | |
c69ce640 AJ |
761 | debugs(82, 9, HERE << "entry " << entry << " not valid or not ours. Discarded."); |
762 | if (entry) { | |
763 | debugs(82, 9, HERE << "entry def=" << entry->def << ", our def=" << acl->def); | |
764 | key = makeExternalAclKey(ch, acl); | |
765 | debugs(82, 9, HERE << "entry key='" << (char *)entry->key << "', our key='" << key << "'"); | |
766 | } | |
62e76326 | 767 | cbdataReferenceDone(ch->extacl_entry); |
768 | entry = NULL; | |
769 | } | |
d9572179 | 770 | } |
62e76326 | 771 | |
4a972fa2 | 772 | external_acl_message = "MISSING REQUIRED INFORMATION"; |
773 | ||
d9572179 | 774 | if (!entry) { |
c69ce640 | 775 | debugs(82, 9, HERE << "No helper entry available"); |
2f1431ea | 776 | #if USE_AUTH |
62e76326 | 777 | if (acl->def->require_auth) { |
778 | int ti; | |
779 | /* Make sure the user is authenticated */ | |
3265364b | 780 | debugs(82, 3, "aclMatchExternal: " << acl->def->name << " check user authenticated."); |
c0941a6a | 781 | if ((ti = AuthenticateAcl(ch)) != 1) { |
bf8fe701 | 782 | debugs(82, 2, "aclMatchExternal: " << acl->def->name << " user not authenticated (" << ti << ")"); |
62e76326 | 783 | return ti; |
784 | } | |
3265364b | 785 | debugs(82, 3, "aclMatchExternal: " << acl->def->name << " user is authenticated."); |
62e76326 | 786 | } |
2f1431ea | 787 | #endif |
62e76326 | 788 | key = makeExternalAclKey(ch, acl); |
41218131 | 789 | |
790 | if (!key) { | |
791 | /* Not sufficient data to process */ | |
792 | return -1; | |
793 | } | |
794 | ||
62e76326 | 795 | entry = static_cast<external_acl_entry *>(hash_lookup(acl->def->cache, key)); |
796 | ||
47b0c1fa | 797 | if (!entry || external_acl_grace_expired(acl->def, entry)) { |
bf8fe701 | 798 | debugs(82, 2, "aclMatchExternal: " << acl->def->name << "(\"" << key << "\") = lookup needed"); |
799 | debugs(82, 2, "aclMatchExternal: \"" << key << "\": entry=@" << | |
800 | entry << ", age=" << (entry ? (long int) squid_curtime - entry->date : 0)); | |
95a83c22 | 801 | |
48d54e4d | 802 | if (acl->def->theHelper->stats.queue_size <= (int)acl->def->theHelper->childs.n_active) { |
bf8fe701 | 803 | debugs(82, 2, "aclMatchExternal: \"" << key << "\": queueing a call."); |
dc1839a5 AJ |
804 | ch->changeState(ExternalACLLookup::Instance()); |
805 | debugs(82, 2, "aclMatchExternal: \"" << key << "\": return -1."); | |
806 | return -1; // to get here we have to have an expired cache entry. MUST not use. | |
47b0c1fa | 807 | } else { |
808 | if (!entry) { | |
bf8fe701 | 809 | debugs(82, 1, "aclMatchExternal: '" << acl->def->name << |
810 | "' queue overload. Request rejected '" << key << "'."); | |
4a972fa2 | 811 | external_acl_message = "SYSTEM TOO BUSY, TRY AGAIN LATER"; |
47b0c1fa | 812 | return -1; |
813 | } else { | |
bf8fe701 | 814 | debugs(82, 1, "aclMatchExternal: '" << acl->def->name << |
815 | "' queue overload. Using stale result. '" << key << "'."); | |
47b0c1fa | 816 | /* Fall thru to processing below */ |
817 | } | |
818 | } | |
819 | } | |
d9572179 | 820 | } |
62e76326 | 821 | |
d9572179 | 822 | external_acl_cache_touch(acl->def, entry); |
823 | result = entry->result; | |
a7a42b14 | 824 | external_acl_message = entry->message.termedBuf(); |
4a972fa2 | 825 | |
bf8fe701 | 826 | debugs(82, 2, "aclMatchExternal: " << acl->def->name << " = " << result); |
62e76326 | 827 | |
abb929f0 | 828 | if (ch->request) { |
2f1431ea | 829 | #if USE_AUTH |
abb929f0 | 830 | if (entry->user.size()) |
831 | ch->request->extacl_user = entry->user; | |
cbd2dc91 | 832 | |
abb929f0 | 833 | if (entry->password.size()) |
834 | ch->request->extacl_passwd = entry->password; | |
2f1431ea | 835 | #endif |
abb929f0 | 836 | if (!ch->request->tag.size()) |
837 | ch->request->tag = entry->tag; | |
4a972fa2 | 838 | |
839 | if (entry->log.size()) | |
840 | ch->request->extacl_log = entry->log; | |
8c93a598 HN |
841 | |
842 | if (entry->message.size()) | |
843 | ch->request->extacl_message = entry->message; | |
abb929f0 | 844 | } |
1e5562e3 | 845 | |
d9572179 | 846 | return result; |
847 | } | |
848 | ||
b0dd28ba | 849 | int |
850 | ACLExternal::match(ACLChecklist *checklist) | |
851 | { | |
c0941a6a | 852 | return aclMatchExternal (data, Filled(checklist)); |
b0dd28ba | 853 | } |
854 | ||
d9572179 | 855 | wordlist * |
b0dd28ba | 856 | ACLExternal::dump() const |
d9572179 | 857 | { |
b0dd28ba | 858 | external_acl_data const *acl = data; |
d9572179 | 859 | wordlist *result = NULL; |
860 | wordlist *arg; | |
861 | MemBuf mb; | |
2fe7eff9 | 862 | mb.init(); |
863 | mb.Printf("%s", acl->def->name); | |
62e76326 | 864 | |
d9572179 | 865 | for (arg = acl->arguments; arg; arg = arg->next) { |
2fe7eff9 | 866 | mb.Printf(" %s", arg->key); |
d9572179 | 867 | } |
62e76326 | 868 | |
d9572179 | 869 | wordlistAdd(&result, mb.buf); |
2fe7eff9 | 870 | mb.clean(); |
d9572179 | 871 | return result; |
872 | } | |
873 | ||
874 | /****************************************************************** | |
875 | * external_acl cache | |
876 | */ | |
877 | ||
d9572179 | 878 | static void |
879 | external_acl_cache_touch(external_acl * def, external_acl_entry * entry) | |
880 | { | |
c69ce640 AJ |
881 | // this must not be done when nothing is being cached. |
882 | if (def->cache_size <= 0 || (def->ttl <= 0 && entry->result == 1) || (def->negative_ttl <= 0 && entry->result != 1)) | |
883 | return; | |
884 | ||
d9572179 | 885 | dlinkDelete(&entry->lru, &def->lru_list); |
886 | dlinkAdd(entry, &entry->lru, &def->lru_list); | |
887 | } | |
888 | ||
889 | static char * | |
c0941a6a | 890 | makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data) |
d9572179 | 891 | { |
032785bf | 892 | static MemBuf mb; |
d9572179 | 893 | char buf[256]; |
894 | int first = 1; | |
895 | wordlist *arg; | |
896 | external_acl_format *format; | |
190154cf | 897 | HttpRequest *request = ch->request; |
7b0ca1e8 | 898 | HttpReply *reply = ch->reply; |
2fe7eff9 | 899 | mb.reset(); |
62e76326 | 900 | |
d9572179 | 901 | for (format = acl_data->def->format; format; format = format->next) { |
62e76326 | 902 | const char *str = NULL; |
30abd221 | 903 | String sb; |
62e76326 | 904 | |
905 | switch (format->type) { | |
2f1431ea | 906 | #if USE_AUTH |
62e76326 | 907 | case _external_acl_format::EXT_ACL_LOGIN: |
a33a428a | 908 | assert (ch->auth_user_request != NULL); |
f5691f9c | 909 | str = ch->auth_user_request->username(); |
62e76326 | 910 | break; |
2f1431ea | 911 | #endif |
7a16973f | 912 | #if USE_IDENT |
62e76326 | 913 | case _external_acl_format::EXT_ACL_IDENT: |
914 | str = ch->rfc931; | |
915 | ||
41218131 | 916 | if (!str || !*str) { |
62e76326 | 917 | ch->changeState(IdentLookup::Instance()); |
918 | return NULL; | |
919 | } | |
920 | ||
921 | break; | |
7a16973f | 922 | #endif |
62e76326 | 923 | |
924 | case _external_acl_format::EXT_ACL_SRC: | |
cc192b50 | 925 | str = ch->src_addr.NtoA(buf,sizeof(buf)); |
62e76326 | 926 | break; |
927 | ||
47b0c1fa | 928 | case _external_acl_format::EXT_ACL_SRCPORT: |
cc192b50 | 929 | snprintf(buf, sizeof(buf), "%d", request->client_addr.GetPort()); |
47b0c1fa | 930 | str = buf; |
931 | break; | |
932 | ||
a98c2da5 AJ |
933 | #if USE_SQUID_EUI |
934 | case _external_acl_format::EXT_ACL_SRCEUI48: | |
40d34a62 AJ |
935 | if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL && |
936 | request->clientConnectionManager->clientConnection->remoteEui48.encode(buf, sizeof(buf))) | |
a98c2da5 AJ |
937 | str = buf; |
938 | break; | |
939 | ||
940 | case _external_acl_format::EXT_ACL_SRCEUI64: | |
40d34a62 AJ |
941 | if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL && |
942 | request->clientConnectionManager->clientConnection->remoteEui64.encode(buf, sizeof(buf))) | |
a98c2da5 AJ |
943 | str = buf; |
944 | break; | |
945 | #endif | |
946 | ||
47b0c1fa | 947 | case _external_acl_format::EXT_ACL_MYADDR: |
cc192b50 | 948 | str = request->my_addr.NtoA(buf, sizeof(buf)); |
47b0c1fa | 949 | break; |
950 | ||
951 | case _external_acl_format::EXT_ACL_MYPORT: | |
cc192b50 | 952 | snprintf(buf, sizeof(buf), "%d", request->my_addr.GetPort()); |
47b0c1fa | 953 | str = buf; |
954 | break; | |
955 | ||
3cf6e9c5 | 956 | case _external_acl_format::EXT_ACL_URI: |
957 | str = urlCanonical(request); | |
958 | break; | |
959 | ||
62e76326 | 960 | case _external_acl_format::EXT_ACL_DST: |
cc192b50 | 961 | str = request->GetHost(); |
62e76326 | 962 | break; |
963 | ||
964 | case _external_acl_format::EXT_ACL_PROTO: | |
0c3d3f65 | 965 | str = AnyP::ProtocolType_str[request->protocol]; |
62e76326 | 966 | break; |
967 | ||
968 | case _external_acl_format::EXT_ACL_PORT: | |
969 | snprintf(buf, sizeof(buf), "%d", request->port); | |
970 | str = buf; | |
971 | break; | |
972 | ||
973 | case _external_acl_format::EXT_ACL_PATH: | |
a313a9ba | 974 | str = request->urlpath.termedBuf(); |
62e76326 | 975 | break; |
976 | ||
977 | case _external_acl_format::EXT_ACL_METHOD: | |
60745f24 | 978 | str = RequestMethodStr(request->method); |
62e76326 | 979 | break; |
980 | ||
7b0ca1e8 | 981 | case _external_acl_format::EXT_ACL_HEADER_REQUEST: |
a9925b40 | 982 | sb = request->header.getByName(format->header); |
a313a9ba | 983 | str = sb.termedBuf(); |
62e76326 | 984 | break; |
985 | ||
7b0ca1e8 | 986 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID: |
a9925b40 | 987 | sb = request->header.getStrOrList(format->header_id); |
a313a9ba | 988 | str = sb.termedBuf(); |
62e76326 | 989 | break; |
990 | ||
7b0ca1e8 | 991 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER: |
a9925b40 | 992 | sb = request->header.getByNameListMember(format->header, format->member, format->separator); |
a313a9ba | 993 | str = sb.termedBuf(); |
62e76326 | 994 | break; |
995 | ||
7b0ca1e8 | 996 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER: |
a9925b40 | 997 | sb = request->header.getListMember(format->header_id, format->member, format->separator); |
a313a9ba | 998 | str = sb.termedBuf(); |
62e76326 | 999 | break; |
7b0ca1e8 AJ |
1000 | |
1001 | case _external_acl_format::EXT_ACL_HEADER_REPLY: | |
26ac0430 | 1002 | if (reply) { |
7b0ca1e8 | 1003 | sb = reply->header.getByName(format->header); |
a313a9ba | 1004 | str = sb.termedBuf(); |
7b0ca1e8 AJ |
1005 | } |
1006 | break; | |
1007 | ||
1008 | case _external_acl_format::EXT_ACL_HEADER_REPLY_ID: | |
26ac0430 | 1009 | if (reply) { |
7b0ca1e8 | 1010 | sb = reply->header.getStrOrList(format->header_id); |
a313a9ba | 1011 | str = sb.termedBuf(); |
7b0ca1e8 AJ |
1012 | } |
1013 | break; | |
1014 | ||
1015 | case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER: | |
26ac0430 | 1016 | if (reply) { |
7b0ca1e8 | 1017 | sb = reply->header.getByNameListMember(format->header, format->member, format->separator); |
a313a9ba | 1018 | str = sb.termedBuf(); |
7b0ca1e8 AJ |
1019 | } |
1020 | break; | |
1021 | ||
1022 | case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER: | |
26ac0430 | 1023 | if (reply) { |
7b0ca1e8 | 1024 | sb = reply->header.getListMember(format->header_id, format->member, format->separator); |
a313a9ba | 1025 | str = sb.termedBuf(); |
7b0ca1e8 AJ |
1026 | } |
1027 | break; | |
a7ad6e4e | 1028 | #if USE_SSL |
62e76326 | 1029 | |
4ac9968f | 1030 | case _external_acl_format::EXT_ACL_USER_CERT_RAW: |
1031 | ||
73c36fd9 AJ |
1032 | if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) { |
1033 | SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl; | |
4ac9968f | 1034 | |
1035 | if (ssl) | |
1036 | str = sslGetUserCertificatePEM(ssl); | |
1037 | } | |
1038 | ||
1039 | break; | |
1040 | ||
3d61c476 | 1041 | case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW: |
1042 | ||
73c36fd9 AJ |
1043 | if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) { |
1044 | SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl; | |
3d61c476 | 1045 | |
1046 | if (ssl) | |
1047 | str = sslGetUserCertificateChainPEM(ssl); | |
1048 | } | |
1049 | ||
1050 | break; | |
1051 | ||
62e76326 | 1052 | case _external_acl_format::EXT_ACL_USER_CERT: |
1053 | ||
73c36fd9 AJ |
1054 | if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) { |
1055 | SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl; | |
62e76326 | 1056 | |
1057 | if (ssl) | |
1058 | str = sslGetUserAttribute(ssl, format->header); | |
1059 | } | |
1060 | ||
1061 | break; | |
1062 | ||
1063 | case _external_acl_format::EXT_ACL_CA_CERT: | |
1064 | ||
73c36fd9 AJ |
1065 | if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) { |
1066 | SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl; | |
62e76326 | 1067 | |
1068 | if (ssl) | |
1069 | str = sslGetCAAttribute(ssl, format->header); | |
1070 | } | |
1071 | ||
1072 | break; | |
a7ad6e4e | 1073 | #endif |
2f1431ea | 1074 | #if USE_AUTH |
abb929f0 | 1075 | case _external_acl_format::EXT_ACL_EXT_USER: |
a313a9ba | 1076 | str = request->extacl_user.termedBuf(); |
abb929f0 | 1077 | break; |
2f1431ea | 1078 | #endif |
99e4ad67 JB |
1079 | case _external_acl_format::EXT_ACL_EXT_LOG: |
1080 | str = request->extacl_log.termedBuf(); | |
1081 | break; | |
1082 | case _external_acl_format::EXT_ACL_TAG: | |
1083 | str = request->tag.termedBuf(); | |
1084 | break; | |
62e76326 | 1085 | case _external_acl_format::EXT_ACL_UNKNOWN: |
1086 | ||
1087 | case _external_acl_format::EXT_ACL_END: | |
1088 | fatal("unknown external_acl format error"); | |
1089 | break; | |
1090 | } | |
1091 | ||
1092 | if (str) | |
1093 | if (!*str) | |
1094 | str = NULL; | |
1095 | ||
1096 | if (!str) | |
1097 | str = "-"; | |
1098 | ||
1099 | if (!first) | |
2fe7eff9 | 1100 | mb.append(" ", 1); |
62e76326 | 1101 | |
dc1af3cf | 1102 | if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) { |
1103 | const char *quoted = rfc1738_escape(str); | |
2fe7eff9 | 1104 | mb.append(quoted, strlen(quoted)); |
dc1af3cf | 1105 | } else { |
1106 | strwordquote(&mb, str); | |
1107 | } | |
62e76326 | 1108 | |
30abd221 | 1109 | sb.clean(); |
62e76326 | 1110 | |
1111 | first = 0; | |
d9572179 | 1112 | } |
62e76326 | 1113 | |
d9572179 | 1114 | for (arg = acl_data->arguments; arg; arg = arg->next) { |
62e76326 | 1115 | if (!first) |
2fe7eff9 | 1116 | mb.append(" ", 1); |
62e76326 | 1117 | |
dc1af3cf | 1118 | if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) { |
1119 | const char *quoted = rfc1738_escape(arg->key); | |
2fe7eff9 | 1120 | mb.append(quoted, strlen(quoted)); |
dc1af3cf | 1121 | } else { |
1122 | strwordquote(&mb, arg->key); | |
1123 | } | |
62e76326 | 1124 | |
1125 | first = 0; | |
d9572179 | 1126 | } |
62e76326 | 1127 | |
d9572179 | 1128 | return mb.buf; |
d9572179 | 1129 | } |
1130 | ||
1131 | static int | |
1132 | external_acl_entry_expired(external_acl * def, external_acl_entry * entry) | |
1133 | { | |
c69ce640 AJ |
1134 | if (def->cache_size <= 0) |
1135 | return 1; | |
1136 | ||
d9572179 | 1137 | if (entry->date + (entry->result == 1 ? def->ttl : def->negative_ttl) < squid_curtime) |
62e76326 | 1138 | return 1; |
d9572179 | 1139 | else |
62e76326 | 1140 | return 0; |
d9572179 | 1141 | } |
62e76326 | 1142 | |
47b0c1fa | 1143 | static int |
1144 | external_acl_grace_expired(external_acl * def, external_acl_entry * entry) | |
1145 | { | |
c69ce640 AJ |
1146 | if (def->cache_size <= 0) |
1147 | return 1; | |
1148 | ||
47b0c1fa | 1149 | int ttl; |
1150 | ttl = entry->result == 1 ? def->ttl : def->negative_ttl; | |
1151 | ttl = (ttl * (100 - def->grace)) / 100; | |
1152 | ||
2e1359a0 | 1153 | if (entry->date + ttl <= squid_curtime) |
47b0c1fa | 1154 | return 1; |
1155 | else | |
1156 | return 0; | |
1157 | } | |
1158 | ||
d9572179 | 1159 | static external_acl_entry * |
1e5562e3 | 1160 | external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data) |
d9572179 | 1161 | { |
c69ce640 AJ |
1162 | ExternalACLEntry *entry; |
1163 | ||
1164 | // do not bother caching this result if TTL is going to expire it immediately | |
1165 | if (def->cache_size <= 0 || (def->ttl <= 0 && data.result == 1) || (def->negative_ttl <= 0 && data.result != 1)) { | |
1166 | debugs(82,6, HERE); | |
1167 | entry = new ExternalACLEntry; | |
1168 | entry->key = xstrdup(key); | |
1169 | entry->update(data); | |
1170 | entry->def = def; | |
1171 | return entry; | |
1172 | } | |
1173 | ||
1174 | entry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key)); | |
bf8fe701 | 1175 | debugs(82, 2, "external_acl_cache_add: Adding '" << key << "' = " << data.result); |
62e76326 | 1176 | |
d9572179 | 1177 | if (entry) { |
bf8fe701 | 1178 | debugs(82, 3, "ExternalACLEntry::update: updating existing entry"); |
c69ce640 | 1179 | entry->update(data); |
62e76326 | 1180 | external_acl_cache_touch(def, entry); |
1181 | ||
1182 | return entry; | |
d9572179 | 1183 | } |
62e76326 | 1184 | |
1e5562e3 | 1185 | entry = new ExternalACLEntry; |
4a8b20e8 | 1186 | entry->key = xstrdup(key); |
c69ce640 | 1187 | entry->update(data); |
1e5562e3 | 1188 | |
6ca34f6f | 1189 | def->add(entry); |
1e5562e3 | 1190 | |
d9572179 | 1191 | return entry; |
1192 | } | |
1193 | ||
1194 | static void | |
1195 | external_acl_cache_delete(external_acl * def, external_acl_entry * entry) | |
1196 | { | |
c69ce640 | 1197 | assert(def->cache_size > 0 && entry->def == def); |
4a8b20e8 | 1198 | hash_remove_link(def->cache, entry); |
d9572179 | 1199 | dlinkDelete(&entry->lru, &def->lru_list); |
1200 | def->cache_entries -= 1; | |
00d77d6b | 1201 | delete entry; |
d9572179 | 1202 | } |
1203 | ||
1204 | /****************************************************************** | |
1205 | * external_acl helpers | |
1206 | */ | |
1207 | ||
1208 | typedef struct _externalAclState externalAclState; | |
62e76326 | 1209 | |
26ac0430 | 1210 | struct _externalAclState { |
d9572179 | 1211 | EAH *callback; |
1212 | void *callback_data; | |
1213 | char *key; | |
1214 | external_acl *def; | |
1215 | dlink_node list; | |
1216 | externalAclState *queue; | |
1217 | }; | |
1218 | ||
1219 | CBDATA_TYPE(externalAclState); | |
1220 | static void | |
1221 | free_externalAclState(void *data) | |
1222 | { | |
e6ccf245 | 1223 | externalAclState *state = static_cast<externalAclState *>(data); |
d9572179 | 1224 | safe_free(state->key); |
1225 | cbdataReferenceDone(state->callback_data); | |
1226 | cbdataReferenceDone(state->def); | |
1227 | } | |
1228 | ||
d9572179 | 1229 | /* |
1230 | * The helper program receives queries on stdin, one | |
07eca7e0 | 1231 | * per line, and must return the result on on stdout |
d9572179 | 1232 | * |
1233 | * General result syntax: | |
1234 | * | |
1235 | * OK/ERR keyword=value ... | |
1236 | * | |
1237 | * Keywords: | |
1238 | * | |
4a972fa2 | 1239 | * user= The users name (login) |
1240 | * message= Message describing the reason | |
1241 | * tag= A string tag to be applied to the request that triggered the acl match. | |
1242 | * applies to both OK and ERR responses. | |
1243 | * Won't override existing request tags. | |
1244 | * log= A string to be used in access logging | |
d9572179 | 1245 | * |
1246 | * Other keywords may be added to the protocol later | |
1247 | * | |
26ac0430 AJ |
1248 | * value needs to be enclosed in quotes if it may contain whitespace, or |
1249 | * the whitespace escaped using \ (\ escaping obviously also applies to | |
d9572179 | 1250 | * any " characters) |
1251 | */ | |
1252 | ||
1253 | static void | |
1254 | externalAclHandleReply(void *data, char *reply) | |
1255 | { | |
e6ccf245 | 1256 | externalAclState *state = static_cast<externalAclState *>(data); |
d9572179 | 1257 | externalAclState *next; |
d9572179 | 1258 | char *status; |
1259 | char *token; | |
1260 | char *value; | |
c69ce640 | 1261 | char *t = NULL; |
1e5562e3 | 1262 | ExternalACLEntryData entryData; |
1263 | entryData.result = 0; | |
466090ac | 1264 | external_acl_entry *entry = NULL; |
d9572179 | 1265 | |
bf8fe701 | 1266 | debugs(82, 2, "externalAclHandleReply: reply=\"" << reply << "\""); |
d9572179 | 1267 | |
4960475f | 1268 | if (reply) { |
62e76326 | 1269 | status = strwordtok(reply, &t); |
1270 | ||
1271 | if (status && strcmp(status, "OK") == 0) | |
1e5562e3 | 1272 | entryData.result = 1; |
62e76326 | 1273 | |
1274 | while ((token = strwordtok(NULL, &t))) { | |
1275 | value = strchr(token, '='); | |
1276 | ||
1277 | if (value) { | |
1278 | *value++ = '\0'; /* terminate the token, and move up to the value */ | |
1279 | ||
dc1af3cf | 1280 | if (state->def->quote == external_acl::QUOTE_METHOD_URL) |
1281 | rfc1738_unescape(value); | |
1282 | ||
2f1431ea | 1283 | if (strcmp(token, "message") == 0) |
d7bd27db | 1284 | entryData.message = value; |
62e76326 | 1285 | else if (strcmp(token, "error") == 0) |
d7bd27db | 1286 | entryData.message = value; |
abb929f0 | 1287 | else if (strcmp(token, "tag") == 0) |
1288 | entryData.tag = value; | |
4a972fa2 | 1289 | else if (strcmp(token, "log") == 0) |
1290 | entryData.log = value; | |
2f1431ea AJ |
1291 | #if USE_AUTH |
1292 | else if (strcmp(token, "user") == 0) | |
1293 | entryData.user = value; | |
abb929f0 | 1294 | else if (strcmp(token, "password") == 0) |
1295 | entryData.password = value; | |
1296 | else if (strcmp(token, "passwd") == 0) | |
1297 | entryData.password = value; | |
1298 | else if (strcmp(token, "login") == 0) | |
1299 | entryData.user = value; | |
2f1431ea | 1300 | #endif |
62e76326 | 1301 | } |
1302 | } | |
d9572179 | 1303 | } |
62e76326 | 1304 | |
d9572179 | 1305 | dlinkDelete(&state->list, &state->def->queue); |
62e76326 | 1306 | |
4960475f | 1307 | if (cbdataReferenceValid(state->def)) { |
62e76326 | 1308 | if (reply) |
1e5562e3 | 1309 | entry = external_acl_cache_add(state->def, state->key, entryData); |
62e76326 | 1310 | else { |
2ae2408b | 1311 | external_acl_entry *oldentry = (external_acl_entry *)hash_lookup(state->def->cache, state->key); |
62e76326 | 1312 | |
2ae2408b | 1313 | if (oldentry) |
1314 | external_acl_cache_delete(state->def, oldentry); | |
62e76326 | 1315 | } |
466090ac | 1316 | } |
d9572179 | 1317 | |
1318 | do { | |
62e76326 | 1319 | void *cbdata; |
1320 | cbdataReferenceDone(state->def); | |
1321 | ||
47b0c1fa | 1322 | if (state->callback && cbdataReferenceValidDone(state->callback_data, &cbdata)) |
62e76326 | 1323 | state->callback(cbdata, entry); |
1324 | ||
1325 | next = state->queue; | |
d9572179 | 1326 | |
62e76326 | 1327 | cbdataFree(state); |
d9572179 | 1328 | |
62e76326 | 1329 | state = next; |
d9572179 | 1330 | } while (state); |
1331 | } | |
1332 | ||
1333 | void | |
c0941a6a | 1334 | ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me, EAH * callback, void *callback_data) |
d9572179 | 1335 | { |
1336 | MemBuf buf; | |
e870b1f8 | 1337 | external_acl_data *acl = me->data; |
d9572179 | 1338 | external_acl *def = acl->def; |
d9572179 | 1339 | externalAclState *state; |
47b0c1fa | 1340 | dlink_node *node; |
1341 | externalAclState *oldstate = NULL; | |
1342 | bool graceful = 0; | |
c8e7608c | 1343 | |
c0941a6a | 1344 | ACLFilledChecklist *ch = Filled(checklist); |
2f1431ea | 1345 | #if USE_AUTH |
c8e7608c | 1346 | if (acl->def->require_auth) { |
1347 | int ti; | |
1348 | /* Make sure the user is authenticated */ | |
3265364b | 1349 | debugs(82, 3, "aclMatchExternal: " << acl->def->name << " check user authenticated."); |
c8e7608c | 1350 | |
c0941a6a | 1351 | if ((ti = AuthenticateAcl(ch)) != 1) { |
bf8fe701 | 1352 | debugs(82, 1, "externalAclLookup: " << acl->def->name << |
1353 | " user authentication failure (" << ti << ", ch=" << ch << ")"); | |
c8e7608c | 1354 | callback(callback_data, NULL); |
1355 | return; | |
1356 | } | |
3265364b | 1357 | debugs(82, 3, "aclMatchExternal: " << acl->def->name << " user is authenticated."); |
c8e7608c | 1358 | } |
2f1431ea | 1359 | #endif |
c8e7608c | 1360 | |
1361 | const char *key = makeExternalAclKey(ch, acl); | |
62e76326 | 1362 | |
d9572179 | 1363 | if (!key) { |
bf8fe701 | 1364 | debugs(82, 1, "externalAclLookup: lookup in '" << def->name << |
1365 | "', prerequisit failure (ch=" << ch << ")"); | |
62e76326 | 1366 | callback(callback_data, NULL); |
1367 | return; | |
d9572179 | 1368 | } |
62e76326 | 1369 | |
bf8fe701 | 1370 | debugs(82, 2, "externalAclLookup: lookup in '" << def->name << "' for '" << key << "'"); |
1371 | ||
c8e7608c | 1372 | external_acl_entry *entry = static_cast<external_acl_entry *>(hash_lookup(def->cache, key)); |
1373 | ||
47b0c1fa | 1374 | if (entry && external_acl_entry_expired(def, entry)) |
1375 | entry = NULL; | |
62e76326 | 1376 | |
47b0c1fa | 1377 | /* Check for a pending lookup to hook into */ |
c69ce640 AJ |
1378 | // only possible if we are caching results. |
1379 | if (def->cache_size > 0) { | |
1380 | for (node = def->queue.head; node; node = node->next) { | |
1381 | externalAclState *oldstatetmp = static_cast<externalAclState *>(node->data); | |
62e76326 | 1382 | |
c69ce640 AJ |
1383 | if (strcmp(key, oldstatetmp->key) == 0) { |
1384 | oldstate = oldstatetmp; | |
1385 | break; | |
1386 | } | |
47b0c1fa | 1387 | } |
1388 | } | |
62e76326 | 1389 | |
47b0c1fa | 1390 | if (entry && external_acl_grace_expired(def, entry)) { |
1391 | if (oldstate) { | |
bf8fe701 | 1392 | debugs(82, 4, "externalAclLookup: in grace period, but already pending lookup ('" << key << "', ch=" << ch << ")"); |
62e76326 | 1393 | callback(callback_data, entry); |
62e76326 | 1394 | return; |
47b0c1fa | 1395 | } else { |
ab321f4b | 1396 | graceful = 1; // grace expired, (neg)ttl did not, and we must start a new lookup. |
62e76326 | 1397 | } |
d9572179 | 1398 | } |
62e76326 | 1399 | |
ab321f4b | 1400 | // The entry is in the cache, grace_ttl did not expired. |
47b0c1fa | 1401 | if (!graceful && entry && !external_acl_grace_expired(def, entry)) { |
1402 | /* Should not really happen, but why not.. */ | |
1403 | callback(callback_data, entry); | |
bf8fe701 | 1404 | debugs(82, 4, "externalAclLookup: no lookup pending for '" << key << "', and grace not expired"); |
1405 | debugs(82, 4, "externalAclLookup: (what tha' hell?)"); | |
47b0c1fa | 1406 | return; |
1407 | } | |
62e76326 | 1408 | |
47b0c1fa | 1409 | /* No pending lookup found. Sumbit to helper */ |
1410 | state = cbdataAlloc(externalAclState); | |
62e76326 | 1411 | |
47b0c1fa | 1412 | state->def = cbdataReference(def); |
62e76326 | 1413 | |
47b0c1fa | 1414 | state->key = xstrdup(key); |
62e76326 | 1415 | |
47b0c1fa | 1416 | if (!graceful) { |
1417 | state->callback = callback; | |
1418 | state->callback_data = cbdataReference(callback_data); | |
d9572179 | 1419 | } |
62e76326 | 1420 | |
47b0c1fa | 1421 | if (oldstate) { |
1422 | /* Hook into pending lookup */ | |
1423 | state->queue = oldstate->queue; | |
1424 | oldstate->queue = state; | |
1425 | } else { | |
1426 | /* Check for queue overload */ | |
1427 | ||
48d54e4d | 1428 | if (def->theHelper->stats.queue_size >= (int)def->theHelper->childs.n_running) { |
bf8fe701 | 1429 | debugs(82, 1, "externalAclLookup: '" << def->name << "' queue overload (ch=" << ch << ")"); |
47b0c1fa | 1430 | cbdataFree(state); |
1431 | callback(callback_data, entry); | |
1432 | return; | |
1433 | } | |
1434 | ||
1435 | /* Send it off to the helper */ | |
2fe7eff9 | 1436 | buf.init(); |
62e76326 | 1437 | |
2fe7eff9 | 1438 | buf.Printf("%s\n", key); |
62e76326 | 1439 | |
bf8fe701 | 1440 | debugs(82, 4, "externalAclLookup: looking up for '" << key << "' in '" << def->name << "'."); |
ab321f4b | 1441 | |
47b0c1fa | 1442 | helperSubmit(def->theHelper, buf.buf, externalAclHandleReply, state); |
62e76326 | 1443 | |
47b0c1fa | 1444 | dlinkAdd(state, &state->list, &def->queue); |
62e76326 | 1445 | |
2fe7eff9 | 1446 | buf.clean(); |
47b0c1fa | 1447 | } |
62e76326 | 1448 | |
47b0c1fa | 1449 | if (graceful) { |
1450 | /* No need to wait during grace period */ | |
bf8fe701 | 1451 | debugs(82, 4, "externalAclLookup: no need to wait for the result of '" << |
1452 | key << "' in '" << def->name << "' (ch=" << ch << ")."); | |
1453 | debugs(82, 4, "externalAclLookup: using cached entry " << entry); | |
ab321f4b | 1454 | |
1455 | if (entry != NULL) { | |
bf8fe701 | 1456 | debugs(82, 4, "externalAclLookup: entry = { date=" << |
666f0b34 | 1457 | (long unsigned int) entry->date << |
2f1431ea | 1458 | ", result=" << entry->result << |
2f1431ea AJ |
1459 | " tag=" << entry->tag << |
1460 | " log=" << entry->log << " }"); | |
e1814a90 FC |
1461 | #if USE_AUTH |
1462 | debugs(82, 4, "externalAclLookup: user=" << entry->user); | |
1463 | #endif | |
bf8fe701 | 1464 | |
ab321f4b | 1465 | } |
1466 | ||
47b0c1fa | 1467 | callback(callback_data, entry); |
1468 | return; | |
1469 | } | |
ab321f4b | 1470 | |
bf8fe701 | 1471 | debugs(82, 4, "externalAclLookup: will wait for the result of '" << key << |
1472 | "' in '" << def->name << "' (ch=" << ch << ")."); | |
d9572179 | 1473 | } |
1474 | ||
1475 | static void | |
1476 | externalAclStats(StoreEntry * sentry) | |
1477 | { | |
1478 | external_acl *p; | |
1479 | ||
1480 | for (p = Config.externalAclHelperList; p; p = p->next) { | |
62e76326 | 1481 | storeAppendPrintf(sentry, "External ACL Statistics: %s\n", p->name); |
1482 | storeAppendPrintf(sentry, "Cache size: %d\n", p->cache->count); | |
1483 | helperStats(sentry, p->theHelper); | |
1484 | storeAppendPrintf(sentry, "\n"); | |
d9572179 | 1485 | } |
1486 | } | |
1487 | ||
6b7d87bb FC |
1488 | static void |
1489 | externalAclRegisterWithCacheManager(void) | |
1490 | { | |
8822ebee | 1491 | Mgr::RegisterAction("external_acl", |
d9fc6862 A |
1492 | "External ACL stats", |
1493 | externalAclStats, 0, 1); | |
6b7d87bb FC |
1494 | } |
1495 | ||
d9572179 | 1496 | void |
1497 | externalAclInit(void) | |
1498 | { | |
1499 | static int firstTimeInit = 1; | |
1500 | external_acl *p; | |
1501 | ||
1502 | for (p = Config.externalAclHelperList; p; p = p->next) { | |
62e76326 | 1503 | if (!p->cache) |
30abd221 | 1504 | p->cache = hash_create((HASHCMP *) strcmp, hashPrime(1024), hash4); |
62e76326 | 1505 | |
1506 | if (!p->theHelper) | |
48d54e4d | 1507 | p->theHelper = new helper(p->name); |
62e76326 | 1508 | |
1509 | p->theHelper->cmdline = p->cmdline; | |
1510 | ||
48d54e4d | 1511 | p->theHelper->childs = p->children; |
07eca7e0 | 1512 | |
62e76326 | 1513 | p->theHelper->ipc_type = IPC_TCP_SOCKET; |
1514 | ||
cc192b50 | 1515 | p->theHelper->addr = p->local_addr; |
1516 | ||
62e76326 | 1517 | helperOpenServers(p->theHelper); |
d9572179 | 1518 | } |
62e76326 | 1519 | |
d9572179 | 1520 | if (firstTimeInit) { |
62e76326 | 1521 | firstTimeInit = 0; |
62e76326 | 1522 | CBDATA_INIT_TYPE_FREECB(externalAclState, free_externalAclState); |
d9572179 | 1523 | } |
ea391f18 FC |
1524 | |
1525 | externalAclRegisterWithCacheManager(); | |
d9572179 | 1526 | } |
1527 | ||
1528 | void | |
1529 | externalAclShutdown(void) | |
1530 | { | |
1531 | external_acl *p; | |
62e76326 | 1532 | |
d9572179 | 1533 | for (p = Config.externalAclHelperList; p; p = p->next) { |
62e76326 | 1534 | helperShutdown(p->theHelper); |
d9572179 | 1535 | } |
1536 | } | |
225b7b10 | 1537 | |
1538 | ExternalACLLookup ExternalACLLookup::instance_; | |
1539 | ExternalACLLookup * | |
1540 | ExternalACLLookup::Instance() | |
1541 | { | |
1542 | return &instance_; | |
1543 | } | |
1544 | ||
1545 | void | |
1546 | ExternalACLLookup::checkForAsync(ACLChecklist *checklist)const | |
1547 | { | |
b0dd28ba | 1548 | /* TODO: optimise this - we probably have a pointer to this |
1549 | * around somewhere */ | |
97427e90 | 1550 | ACL *acl = ACL::FindByName(AclMatchedName); |
ab321f4b | 1551 | assert(acl); |
b0dd28ba | 1552 | ACLExternal *me = dynamic_cast<ACLExternal *> (acl); |
1553 | assert (me); | |
225b7b10 | 1554 | checklist->asyncInProgress(true); |
b0dd28ba | 1555 | ACLExternal::ExternalAclLookup(checklist, me, LookupDone, checklist); |
225b7b10 | 1556 | } |
1557 | ||
1558 | void | |
1559 | ExternalACLLookup::LookupDone(void *data, void *result) | |
1560 | { | |
c0941a6a | 1561 | ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data)); |
225b7b10 | 1562 | checklist->extacl_entry = cbdataReference((external_acl_entry *)result); |
1563 | checklist->asyncInProgress(false); | |
c059ed04 | 1564 | checklist->changeState (ACLChecklist::NullState::Instance()); |
225b7b10 | 1565 | checklist->check(); |
1566 | } | |
b0dd28ba | 1567 | |
1568 | /* This registers "external" in the registry. To do dynamic definitions | |
1569 | * of external ACL's, rather than a static prototype, have a Prototype instance | |
1570 | * prototype in the class that defines each external acl 'class'. | |
1571 | * Then, then the external acl instance is created, it self registers under | |
1572 | * it's name. | |
1573 | * Be sure that clone is fully functional for that acl class though! | |
1574 | */ | |
1575 | ACL::Prototype ACLExternal::RegistryProtoype(&ACLExternal::RegistryEntry_, "external"); | |
1576 | ||
1577 | ACLExternal ACLExternal::RegistryEntry_("external"); | |
1578 | ||
1579 | ACL * | |
1580 | ACLExternal::clone() const | |
1581 | { | |
1582 | return new ACLExternal(*this); | |
1583 | } | |
1584 | ||
1585 | ACLExternal::ACLExternal (char const *theClass) : data (NULL), class_ (xstrdup (theClass)) | |
1586 | {} | |
1587 | ||
1588 | ACLExternal::ACLExternal (ACLExternal const & old) : data (NULL), class_ (old.class_ ? xstrdup (old.class_) : NULL) | |
1589 | { | |
1590 | /* we don't have copy constructors for the data yet */ | |
1591 | assert (!old.data); | |
1592 | } | |
1593 | ||
b0dd28ba | 1594 | char const * |
1595 | ACLExternal::typeString() const | |
1596 | { | |
1597 | return class_; | |
1598 | } | |
1599 | ||
e870b1f8 | 1600 | bool |
1601 | ACLExternal::isProxyAuth() const | |
1602 | { | |
2f1431ea | 1603 | #if USE_AUTH |
e870b1f8 | 1604 | return data->def->require_auth; |
2f1431ea AJ |
1605 | #else |
1606 | return false; | |
1607 | #endif | |
e870b1f8 | 1608 | } |