]>
Commit | Line | Data |
---|---|---|
d9572179 | 1 | |
2 | /* | |
d9572179 | 3 | * DEBUG: section 82 External ACL |
4 | * AUTHOR: Henrik Nordstrom, MARA Systems AB | |
5 | * | |
6 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
7 | * ---------------------------------------------------------- | |
8 | * | |
9 | * The contents of this file is Copyright (C) 2002 by MARA Systems AB, | |
10 | * Sweden, unless otherwise is indicated in the specific function. The | |
11 | * author gives his full permission to include this file into the Squid | |
12 | * software product under the terms of the GNU General Public License as | |
13 | * published by the Free Software Foundation; either version 2 of the | |
14 | * License, or (at your option) any later version. | |
15 | * | |
16 | * Squid is the result of efforts by numerous individuals from | |
17 | * the Internet community; see the CONTRIBUTORS file for full | |
18 | * details. Many organizations have provided support for Squid's | |
19 | * development; see the SPONSORS file for full details. Squid is | |
20 | * Copyrighted (C) 2001 by the Regents of the University of | |
21 | * California; see the COPYRIGHT file for full details. Squid | |
22 | * incorporates software developed and/or copyrighted by other | |
23 | * sources; see the CREDITS file for full details. | |
24 | * | |
25 | * This program is free software; you can redistribute it and/or modify | |
26 | * it under the terms of the GNU General Public License as published by | |
27 | * the Free Software Foundation; either version 2 of the License, or | |
28 | * (at your option) any later version. | |
26ac0430 | 29 | * |
d9572179 | 30 | * This program is distributed in the hope that it will be useful, |
31 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
32 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
33 | * GNU General Public License for more details. | |
26ac0430 | 34 | * |
d9572179 | 35 | * You should have received a copy of the GNU General Public License |
36 | * along with this program; if not, write to the Free Software | |
37 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
38 | * | |
39 | */ | |
40 | ||
582c2af2 | 41 | #include "squid.h" |
c0941a6a | 42 | #include "acl/Acl.h" |
582c2af2 | 43 | #include "acl/FilledChecklist.h" |
8a01b99e | 44 | #include "cache_cf.h" |
a46d2c0e | 45 | #include "client_side.h" |
5c336a3b | 46 | #include "comm/Connection.h" |
582c2af2 | 47 | #include "ExternalACL.h" |
f9b6ff6e | 48 | #include "ExternalACLEntry.h" |
582c2af2 | 49 | #include "fde.h" |
aa839030 | 50 | #include "helper.h" |
a5bac1d2 | 51 | #include "HttpHeaderTools.h" |
582c2af2 FC |
52 | #include "HttpReply.h" |
53 | #include "HttpRequest.h" | |
54 | #include "ip/tools.h" | |
0eb49b6d | 55 | #include "MemBuf.h" |
582c2af2 | 56 | #include "mgr/Registration.h" |
1fa9b1a7 | 57 | #include "rfc1738.h" |
4d5904f7 | 58 | #include "SquidConfig.h" |
f9b6ff6e | 59 | #include "SquidString.h" |
582c2af2 FC |
60 | #include "SquidTime.h" |
61 | #include "Store.h" | |
4e540555 | 62 | #include "tools.h" |
b1bd952a | 63 | #include "URL.h" |
f9b6ff6e | 64 | #include "URLScheme.h" |
d295d770 | 65 | #include "wordlist.h" |
4db984be CT |
66 | #if USE_SSL |
67 | #include "ssl/support.h" | |
68 | #endif | |
582c2af2 FC |
69 | #if USE_AUTH |
70 | #include "auth/Acl.h" | |
71 | #include "auth/Gadgets.h" | |
72 | #include "auth/UserRequest.h" | |
73 | #endif | |
74 | #if USE_IDENT | |
75 | #include "ident/AclIdent.h" | |
76 | #endif | |
d9572179 | 77 | |
78 | #ifndef DEFAULT_EXTERNAL_ACL_TTL | |
79 | #define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60 | |
80 | #endif | |
d4f2f353 | 81 | #ifndef DEFAULT_EXTERNAL_ACL_CHILDREN |
82 | #define DEFAULT_EXTERNAL_ACL_CHILDREN 5 | |
d9572179 | 83 | #endif |
84 | ||
85 | typedef struct _external_acl_format external_acl_format; | |
62e76326 | 86 | |
c0941a6a | 87 | static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data); |
d9572179 | 88 | static void external_acl_cache_delete(external_acl * def, external_acl_entry * entry); |
89 | static int external_acl_entry_expired(external_acl * def, external_acl_entry * entry); | |
47b0c1fa | 90 | static int external_acl_grace_expired(external_acl * def, external_acl_entry * entry); |
d9572179 | 91 | static void external_acl_cache_touch(external_acl * def, external_acl_entry * entry); |
1e5562e3 | 92 | static external_acl_entry *external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data); |
d9572179 | 93 | |
94 | /****************************************************************** | |
95 | * external_acl directive | |
96 | */ | |
62e76326 | 97 | |
1e5562e3 | 98 | class external_acl |
62e76326 | 99 | { |
1e5562e3 | 100 | |
101 | public: | |
d9572179 | 102 | external_acl *next; |
1e5562e3 | 103 | |
6ca34f6f | 104 | void add(ExternalACLEntry *); |
1e5562e3 | 105 | |
106 | void trimCache(); | |
107 | ||
d9572179 | 108 | int ttl; |
1e5562e3 | 109 | |
d9572179 | 110 | int negative_ttl; |
1e5562e3 | 111 | |
47b0c1fa | 112 | int grace; |
113 | ||
d9572179 | 114 | char *name; |
1e5562e3 | 115 | |
d9572179 | 116 | external_acl_format *format; |
1e5562e3 | 117 | |
d9572179 | 118 | wordlist *cmdline; |
1e5562e3 | 119 | |
48d54e4d | 120 | HelperChildConfig children; |
07eca7e0 | 121 | |
e6ccf245 | 122 | helper *theHelper; |
1e5562e3 | 123 | |
d9572179 | 124 | hash_table *cache; |
1e5562e3 | 125 | |
d9572179 | 126 | dlink_list lru_list; |
1e5562e3 | 127 | |
d9572179 | 128 | int cache_size; |
1e5562e3 | 129 | |
d9572179 | 130 | int cache_entries; |
1e5562e3 | 131 | |
d9572179 | 132 | dlink_list queue; |
1e5562e3 | 133 | |
2f1431ea | 134 | #if USE_AUTH |
3265364b AJ |
135 | /** |
136 | * Configuration flag. May only be altered by the configuration parser. | |
137 | * | |
138 | * Indicates that all uses of this external_acl_type helper require authentication | |
139 | * details to be processed. If none are available its a fail match. | |
140 | */ | |
e870b1f8 | 141 | bool require_auth; |
2f1431ea | 142 | #endif |
dc1af3cf | 143 | |
26ac0430 | 144 | enum { |
dc1af3cf | 145 | QUOTE_METHOD_SHELL = 1, |
146 | QUOTE_METHOD_URL | |
2fadd50d | 147 | } quote; |
cc192b50 | 148 | |
b7ac5457 | 149 | Ip::Address local_addr; |
d9572179 | 150 | }; |
151 | ||
26ac0430 | 152 | struct _external_acl_format { |
4ecc6631 | 153 | enum format_type { |
62e76326 | 154 | EXT_ACL_UNKNOWN, |
2f1431ea | 155 | #if USE_AUTH |
62e76326 | 156 | EXT_ACL_LOGIN, |
2f1431ea | 157 | #endif |
7a16973f | 158 | #if USE_IDENT |
62e76326 | 159 | EXT_ACL_IDENT, |
7a16973f | 160 | #endif |
62e76326 | 161 | EXT_ACL_SRC, |
47b0c1fa | 162 | EXT_ACL_SRCPORT, |
a98c2da5 AJ |
163 | #if USE_SQUID_EUI |
164 | EXT_ACL_SRCEUI48, | |
165 | EXT_ACL_SRCEUI64, | |
166 | #endif | |
47b0c1fa | 167 | EXT_ACL_MYADDR, |
168 | EXT_ACL_MYPORT, | |
3cf6e9c5 | 169 | EXT_ACL_URI, |
62e76326 | 170 | EXT_ACL_DST, |
171 | EXT_ACL_PROTO, | |
172 | EXT_ACL_PORT, | |
173 | EXT_ACL_PATH, | |
174 | EXT_ACL_METHOD, | |
7b0ca1e8 AJ |
175 | |
176 | EXT_ACL_HEADER_REQUEST, | |
177 | EXT_ACL_HEADER_REQUEST_MEMBER, | |
178 | EXT_ACL_HEADER_REQUEST_ID, | |
179 | EXT_ACL_HEADER_REQUEST_ID_MEMBER, | |
180 | ||
181 | EXT_ACL_HEADER_REPLY, | |
182 | EXT_ACL_HEADER_REPLY_MEMBER, | |
183 | EXT_ACL_HEADER_REPLY_ID, | |
184 | EXT_ACL_HEADER_REPLY_ID_MEMBER, | |
185 | ||
a7ad6e4e | 186 | #if USE_SSL |
62e76326 | 187 | EXT_ACL_USER_CERT, |
188 | EXT_ACL_CA_CERT, | |
4ac9968f | 189 | EXT_ACL_USER_CERT_RAW, |
3d61c476 | 190 | EXT_ACL_USER_CERTCHAIN_RAW, |
a7ad6e4e | 191 | #endif |
2f1431ea | 192 | #if USE_AUTH |
abb929f0 | 193 | EXT_ACL_EXT_USER, |
2f1431ea | 194 | #endif |
99e4ad67 JB |
195 | EXT_ACL_EXT_LOG, |
196 | EXT_ACL_TAG, | |
0db8942f | 197 | EXT_ACL_PERCENT, |
62e76326 | 198 | EXT_ACL_END |
d9572179 | 199 | } type; |
200 | external_acl_format *next; | |
201 | char *header; | |
202 | char *member; | |
203 | char separator; | |
204 | http_hdr_type header_id; | |
205 | }; | |
206 | ||
207 | /* FIXME: These are not really cbdata, but it is an easy way | |
208 | * to get them pooled, refcounted, accounted and freed properly... | |
209 | */ | |
210 | CBDATA_TYPE(external_acl); | |
211 | CBDATA_TYPE(external_acl_format); | |
212 | ||
213 | static void | |
214 | free_external_acl_format(void *data) | |
215 | { | |
e6ccf245 | 216 | external_acl_format *p = static_cast<external_acl_format *>(data); |
d9572179 | 217 | safe_free(p->header); |
218 | } | |
219 | ||
220 | static void | |
221 | free_external_acl(void *data) | |
222 | { | |
e6ccf245 | 223 | external_acl *p = static_cast<external_acl *>(data); |
d9572179 | 224 | safe_free(p->name); |
62e76326 | 225 | |
d9572179 | 226 | while (p->format) { |
62e76326 | 227 | external_acl_format *f = p->format; |
228 | p->format = f->next; | |
229 | cbdataFree(f); | |
d9572179 | 230 | } |
62e76326 | 231 | |
d9572179 | 232 | wordlistDestroy(&p->cmdline); |
62e76326 | 233 | |
e6ccf245 | 234 | if (p->theHelper) { |
62e76326 | 235 | helperShutdown(p->theHelper); |
48d54e4d | 236 | delete p->theHelper; |
62e76326 | 237 | p->theHelper = NULL; |
d9572179 | 238 | } |
62e76326 | 239 | |
d9572179 | 240 | while (p->lru_list.tail) |
62e76326 | 241 | external_acl_cache_delete(p, static_cast<external_acl_entry *>(p->lru_list.tail->data)); |
d9572179 | 242 | if (p->cache) |
62e76326 | 243 | hashFreeMemory(p->cache); |
d9572179 | 244 | } |
245 | ||
7b0ca1e8 AJ |
246 | /** |
247 | * Parse the External ACL format %<{.*} and %>{.*} token(s) to pass a specific | |
248 | * request or reply header to external helper. | |
249 | * | |
250 | \param header - the token being parsed (without the identifying prefix) | |
251 | \param type - format enum identifier for this element, pulled from identifying prefix | |
252 | \param format - structure to contain all the info about this format element. | |
253 | */ | |
254 | void | |
4ecc6631 | 255 | parse_header_token(external_acl_format *format, char *header, const _external_acl_format::format_type type) |
7b0ca1e8 AJ |
256 | { |
257 | /* header format */ | |
258 | char *member, *end; | |
259 | ||
260 | /** Cut away the closing brace */ | |
261 | end = strchr(header, '}'); | |
262 | if (end && strlen(end) == 1) | |
263 | *end = '\0'; | |
264 | else | |
265 | self_destruct(); | |
266 | ||
267 | member = strchr(header, ':'); | |
268 | ||
269 | if (member) { | |
270 | /* Split in header and member */ | |
a38ec4b1 FC |
271 | *member = '\0'; |
272 | ++member; | |
7b0ca1e8 | 273 | |
a38ec4b1 FC |
274 | if (!xisalnum(*member)) { |
275 | format->separator = *member; | |
276 | ++member; | |
277 | } else { | |
7b0ca1e8 | 278 | format->separator = ','; |
a38ec4b1 | 279 | } |
7b0ca1e8 AJ |
280 | |
281 | format->member = xstrdup(member); | |
282 | ||
26ac0430 | 283 | if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST) |
7b0ca1e8 AJ |
284 | format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER; |
285 | else | |
286 | format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER; | |
287 | } else { | |
288 | format->type = type; | |
289 | } | |
290 | ||
291 | format->header = xstrdup(header); | |
292 | format->header_id = httpHeaderIdByNameDef(header, strlen(header)); | |
293 | ||
294 | if (format->header_id != -1) { | |
295 | if (member) { | |
26ac0430 | 296 | if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST) |
7b0ca1e8 AJ |
297 | format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER; |
298 | else | |
299 | format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER; | |
300 | } else { | |
26ac0430 | 301 | if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST) |
7b0ca1e8 AJ |
302 | format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID; |
303 | else | |
304 | format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID; | |
305 | } | |
306 | } | |
307 | } | |
308 | ||
d9572179 | 309 | void |
310 | parse_externalAclHelper(external_acl ** list) | |
311 | { | |
312 | external_acl *a; | |
313 | char *token; | |
314 | external_acl_format **p; | |
315 | ||
316 | CBDATA_INIT_TYPE_FREECB(external_acl, free_external_acl); | |
317 | CBDATA_INIT_TYPE_FREECB(external_acl_format, free_external_acl_format); | |
318 | ||
319 | a = cbdataAlloc(external_acl); | |
320 | ||
cc192b50 | 321 | /* set defaults */ |
d9572179 | 322 | a->ttl = DEFAULT_EXTERNAL_ACL_TTL; |
323 | a->negative_ttl = -1; | |
84f795a5 | 324 | a->cache_size = 256*1024; |
48d54e4d AJ |
325 | a->children.n_max = DEFAULT_EXTERNAL_ACL_CHILDREN; |
326 | a->children.n_startup = a->children.n_max; | |
404cfda1 | 327 | a->children.n_idle = 1; |
cc192b50 | 328 | a->local_addr.SetLocalhost(); |
329 | a->quote = external_acl::QUOTE_METHOD_URL; | |
330 | ||
d9572179 | 331 | token = strtok(NULL, w_space); |
62e76326 | 332 | |
d9572179 | 333 | if (!token) |
62e76326 | 334 | self_destruct(); |
335 | ||
d9572179 | 336 | a->name = xstrdup(token); |
337 | ||
338 | token = strtok(NULL, w_space); | |
62e76326 | 339 | |
d9572179 | 340 | /* Parse options */ |
341 | while (token) { | |
62e76326 | 342 | if (strncmp(token, "ttl=", 4) == 0) { |
343 | a->ttl = atoi(token + 4); | |
344 | } else if (strncmp(token, "negative_ttl=", 13) == 0) { | |
345 | a->negative_ttl = atoi(token + 13); | |
07eca7e0 | 346 | } else if (strncmp(token, "children=", 9) == 0) { |
48d54e4d | 347 | a->children.n_max = atoi(token + 9); |
fa84c01d | 348 | debugs(0, DBG_CRITICAL, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N"); |
48d54e4d AJ |
349 | } else if (strncmp(token, "children-max=", 13) == 0) { |
350 | a->children.n_max = atoi(token + 13); | |
351 | } else if (strncmp(token, "children-startup=", 17) == 0) { | |
352 | a->children.n_startup = atoi(token + 17); | |
353 | } else if (strncmp(token, "children-idle=", 14) == 0) { | |
354 | a->children.n_idle = atoi(token + 14); | |
07eca7e0 | 355 | } else if (strncmp(token, "concurrency=", 12) == 0) { |
48d54e4d | 356 | a->children.concurrency = atoi(token + 12); |
62e76326 | 357 | } else if (strncmp(token, "cache=", 6) == 0) { |
358 | a->cache_size = atoi(token + 6); | |
47b0c1fa | 359 | } else if (strncmp(token, "grace=", 6) == 0) { |
360 | a->grace = atoi(token + 6); | |
dc1af3cf | 361 | } else if (strcmp(token, "protocol=2.5") == 0) { |
362 | a->quote = external_acl::QUOTE_METHOD_SHELL; | |
363 | } else if (strcmp(token, "protocol=3.0") == 0) { | |
364 | a->quote = external_acl::QUOTE_METHOD_URL; | |
365 | } else if (strcmp(token, "quote=url") == 0) { | |
366 | a->quote = external_acl::QUOTE_METHOD_URL; | |
367 | } else if (strcmp(token, "quote=shell") == 0) { | |
368 | a->quote = external_acl::QUOTE_METHOD_SHELL; | |
cc192b50 | 369 | |
26ac0430 AJ |
370 | /* INET6: allow admin to configure some helpers explicitly to |
371 | bind to IPv4/v6 localhost port. */ | |
cc192b50 | 372 | } else if (strcmp(token, "ipv4") == 0) { |
26ac0430 | 373 | if ( !a->local_addr.SetIPv4() ) { |
fa84c01d | 374 | debugs(3, DBG_CRITICAL, "WARNING: Error converting " << a->local_addr << " to IPv4 in " << a->name ); |
cc192b50 | 375 | } |
376 | } else if (strcmp(token, "ipv6") == 0) { | |
055421ee | 377 | if (!Ip::EnableIpv6) |
fa84c01d | 378 | debugs(3, DBG_CRITICAL, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a->name ); |
055421ee | 379 | // else nothing to do. |
62e76326 | 380 | } else { |
381 | break; | |
382 | } | |
383 | ||
384 | token = strtok(NULL, w_space); | |
d9572179 | 385 | } |
62e76326 | 386 | |
6f78f0ed | 387 | /* check that child startup value is sane. */ |
a3cecd6c AJ |
388 | if (a->children.n_startup > a->children.n_max) |
389 | a->children.n_startup = a->children.n_max; | |
48d54e4d | 390 | |
6f78f0ed | 391 | /* check that child idle value is sane. */ |
a3cecd6c AJ |
392 | if (a->children.n_idle > a->children.n_max) |
393 | a->children.n_idle = a->children.n_max; | |
394 | if (a->children.n_idle < 1) | |
395 | a->children.n_idle = 1; | |
48d54e4d | 396 | |
d9572179 | 397 | if (a->negative_ttl == -1) |
62e76326 | 398 | a->negative_ttl = a->ttl; |
d9572179 | 399 | |
400 | /* Parse format */ | |
401 | p = &a->format; | |
62e76326 | 402 | |
d9572179 | 403 | while (token) { |
62e76326 | 404 | external_acl_format *format; |
405 | ||
406 | /* stop on first non-format token found */ | |
407 | ||
408 | if (*token != '%') | |
409 | break; | |
410 | ||
411 | format = cbdataAlloc(external_acl_format); | |
412 | ||
413 | if (strncmp(token, "%{", 2) == 0) { | |
7b0ca1e8 AJ |
414 | // deprecated. but assume the old configs all referred to request headers. |
415 | debugs(82, DBG_IMPORTANT, "WARNING: external_acl_type format %{...} is being replaced by %>{...} for : " << token); | |
4ecc6631 | 416 | parse_header_token(format, (token+2), _external_acl_format::EXT_ACL_HEADER_REQUEST); |
c68c9682 | 417 | } else if (strncmp(token, "%>{", 3) == 0) { |
4ecc6631 | 418 | parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REQUEST); |
c68c9682 | 419 | } else if (strncmp(token, "%<{", 3) == 0) { |
4ecc6631 | 420 | parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REPLY); |
2f1431ea | 421 | #if USE_AUTH |
62e76326 | 422 | } else if (strcmp(token, "%LOGIN") == 0) { |
423 | format->type = _external_acl_format::EXT_ACL_LOGIN; | |
e870b1f8 | 424 | a->require_auth = true; |
2f1431ea | 425 | #endif |
62e76326 | 426 | } |
427 | ||
7a16973f | 428 | #if USE_IDENT |
62e76326 | 429 | else if (strcmp(token, "%IDENT") == 0) |
430 | format->type = _external_acl_format::EXT_ACL_IDENT; | |
431 | ||
7a16973f | 432 | #endif |
62e76326 | 433 | |
434 | else if (strcmp(token, "%SRC") == 0) | |
435 | format->type = _external_acl_format::EXT_ACL_SRC; | |
47b0c1fa | 436 | else if (strcmp(token, "%SRCPORT") == 0) |
437 | format->type = _external_acl_format::EXT_ACL_SRCPORT; | |
a98c2da5 AJ |
438 | #if USE_SQUID_EUI |
439 | else if (strcmp(token, "%SRCEUI48") == 0) | |
440 | format->type = _external_acl_format::EXT_ACL_SRCEUI48; | |
441 | else if (strcmp(token, "%SRCEUI64") == 0) | |
442 | format->type = _external_acl_format::EXT_ACL_SRCEUI64; | |
443 | #endif | |
47b0c1fa | 444 | else if (strcmp(token, "%MYADDR") == 0) |
445 | format->type = _external_acl_format::EXT_ACL_MYADDR; | |
446 | else if (strcmp(token, "%MYPORT") == 0) | |
447 | format->type = _external_acl_format::EXT_ACL_MYPORT; | |
3cf6e9c5 | 448 | else if (strcmp(token, "%URI") == 0) |
449 | format->type = _external_acl_format::EXT_ACL_URI; | |
62e76326 | 450 | else if (strcmp(token, "%DST") == 0) |
451 | format->type = _external_acl_format::EXT_ACL_DST; | |
452 | else if (strcmp(token, "%PROTO") == 0) | |
453 | format->type = _external_acl_format::EXT_ACL_PROTO; | |
454 | else if (strcmp(token, "%PORT") == 0) | |
455 | format->type = _external_acl_format::EXT_ACL_PORT; | |
456 | else if (strcmp(token, "%PATH") == 0) | |
457 | format->type = _external_acl_format::EXT_ACL_PATH; | |
458 | else if (strcmp(token, "%METHOD") == 0) | |
459 | format->type = _external_acl_format::EXT_ACL_METHOD; | |
460 | ||
a7ad6e4e | 461 | #if USE_SSL |
4ac9968f | 462 | else if (strcmp(token, "%USER_CERT") == 0) |
3de409f0 | 463 | format->type = _external_acl_format::EXT_ACL_USER_CERT_RAW; |
3d61c476 | 464 | else if (strcmp(token, "%USER_CERTCHAIN") == 0) |
3de409f0 | 465 | format->type = _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW; |
c68c9682 | 466 | else if (strncmp(token, "%USER_CERT_", 11) == 0) { |
62e76326 | 467 | format->type = _external_acl_format::EXT_ACL_USER_CERT; |
468 | format->header = xstrdup(token + 11); | |
c68c9682 | 469 | } else if (strncmp(token, "%CA_CERT_", 11) == 0) { |
62e76326 | 470 | format->type = _external_acl_format::EXT_ACL_USER_CERT; |
471 | format->header = xstrdup(token + 11); | |
472 | } | |
a7ad6e4e | 473 | #endif |
2f1431ea | 474 | #if USE_AUTH |
abb929f0 | 475 | else if (strcmp(token, "%EXT_USER") == 0) |
476 | format->type = _external_acl_format::EXT_ACL_EXT_USER; | |
2f1431ea | 477 | #endif |
99e4ad67 JB |
478 | else if (strcmp(token, "%EXT_LOG") == 0) |
479 | format->type = _external_acl_format::EXT_ACL_EXT_LOG; | |
480 | else if (strcmp(token, "%TAG") == 0) | |
481 | format->type = _external_acl_format::EXT_ACL_TAG; | |
0db8942f AJ |
482 | else if (strcmp(token, "%%") == 0) |
483 | format->type = _external_acl_format::EXT_ACL_PERCENT; | |
62e76326 | 484 | else { |
fa84c01d | 485 | debugs(0, DBG_CRITICAL, "ERROR: Unknown Format token " << token); |
62e76326 | 486 | self_destruct(); |
487 | } | |
488 | ||
489 | *p = format; | |
490 | p = &format->next; | |
491 | token = strtok(NULL, w_space); | |
d9572179 | 492 | } |
493 | ||
494 | /* There must be at least one format token */ | |
495 | if (!a->format) | |
62e76326 | 496 | self_destruct(); |
d9572179 | 497 | |
498 | /* helper */ | |
499 | if (!token) | |
62e76326 | 500 | self_destruct(); |
501 | ||
d9572179 | 502 | wordlistAdd(&a->cmdline, token); |
503 | ||
504 | /* arguments */ | |
a336d130 | 505 | parse_wordlist(&a->cmdline); |
d9572179 | 506 | |
507 | while (*list) | |
62e76326 | 508 | list = &(*list)->next; |
509 | ||
d9572179 | 510 | *list = a; |
511 | } | |
512 | ||
513 | void | |
514 | dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl * list) | |
515 | { | |
516 | const external_acl *node; | |
517 | const external_acl_format *format; | |
518 | const wordlist *word; | |
62e76326 | 519 | |
d9572179 | 520 | for (node = list; node; node = node->next) { |
62e76326 | 521 | storeAppendPrintf(sentry, "%s %s", name, node->name); |
522 | ||
cc192b50 | 523 | if (!node->local_addr.IsIPv6()) |
524 | storeAppendPrintf(sentry, " ipv4"); | |
525 | else | |
526 | storeAppendPrintf(sentry, " ipv6"); | |
527 | ||
62e76326 | 528 | if (node->ttl != DEFAULT_EXTERNAL_ACL_TTL) |
529 | storeAppendPrintf(sentry, " ttl=%d", node->ttl); | |
530 | ||
531 | if (node->negative_ttl != node->ttl) | |
532 | storeAppendPrintf(sentry, " negative_ttl=%d", node->negative_ttl); | |
533 | ||
47b0c1fa | 534 | if (node->grace) |
535 | storeAppendPrintf(sentry, " grace=%d", node->grace); | |
536 | ||
48d54e4d AJ |
537 | if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN) |
538 | storeAppendPrintf(sentry, " children-max=%d", node->children.n_max); | |
62e76326 | 539 | |
48d54e4d AJ |
540 | if (node->children.n_startup != 1) |
541 | storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup); | |
62e76326 | 542 | |
48d54e4d AJ |
543 | if (node->children.n_idle != (node->children.n_max + node->children.n_startup) ) |
544 | storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle); | |
545 | ||
546 | if (node->children.concurrency) | |
547 | storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency); | |
07eca7e0 | 548 | |
47b0c1fa | 549 | if (node->cache) |
550 | storeAppendPrintf(sentry, " cache=%d", node->cache_size); | |
551 | ||
62e76326 | 552 | for (format = node->format; format; format = format->next) { |
553 | switch (format->type) { | |
554 | ||
4ecc6631 | 555 | case _external_acl_format::EXT_ACL_HEADER_REQUEST: |
4ecc6631 | 556 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID: |
2170db3e | 557 | storeAppendPrintf(sentry, " %%>{%s}", format->header); |
62e76326 | 558 | break; |
559 | ||
4ecc6631 | 560 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER: |
4ecc6631 | 561 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER: |
2170db3e AJ |
562 | storeAppendPrintf(sentry, " %%>{%s:%s}", format->header, format->member); |
563 | break; | |
564 | ||
565 | case _external_acl_format::EXT_ACL_HEADER_REPLY: | |
566 | case _external_acl_format::EXT_ACL_HEADER_REPLY_ID: | |
567 | storeAppendPrintf(sentry, " %%<{%s}", format->header); | |
568 | break; | |
569 | ||
570 | case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER: | |
571 | case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER: | |
572 | storeAppendPrintf(sentry, " %%<{%s:%s}", format->header, format->member); | |
62e76326 | 573 | break; |
d9572179 | 574 | #define DUMP_EXT_ACL_TYPE(a) \ |
dc1af3cf | 575 | case _external_acl_format::EXT_ACL_##a: \ |
576 | storeAppendPrintf(sentry, " %%%s", #a); \ | |
577 | break | |
7456a5c9 RC |
578 | #define DUMP_EXT_ACL_TYPE_FMT(a, fmt, ...) \ |
579 | case _external_acl_format::EXT_ACL_##a: \ | |
580 | storeAppendPrintf(sentry, fmt, ##__VA_ARGS__); \ | |
581 | break | |
2f1431ea | 582 | #if USE_AUTH |
62e76326 | 583 | DUMP_EXT_ACL_TYPE(LOGIN); |
2f1431ea | 584 | #endif |
8f45b34c | 585 | #if USE_IDENT |
62e76326 | 586 | |
587 | DUMP_EXT_ACL_TYPE(IDENT); | |
8f45b34c | 588 | #endif |
62e76326 | 589 | |
590 | DUMP_EXT_ACL_TYPE(SRC); | |
47b0c1fa | 591 | DUMP_EXT_ACL_TYPE(SRCPORT); |
a98c2da5 AJ |
592 | #if USE_SQUID_EUI |
593 | DUMP_EXT_ACL_TYPE(SRCEUI48); | |
594 | DUMP_EXT_ACL_TYPE(SRCEUI64); | |
595 | #endif | |
596 | ||
47b0c1fa | 597 | DUMP_EXT_ACL_TYPE(MYADDR); |
598 | DUMP_EXT_ACL_TYPE(MYPORT); | |
3cf6e9c5 | 599 | DUMP_EXT_ACL_TYPE(URI); |
62e76326 | 600 | DUMP_EXT_ACL_TYPE(DST); |
601 | DUMP_EXT_ACL_TYPE(PROTO); | |
602 | DUMP_EXT_ACL_TYPE(PORT); | |
603 | DUMP_EXT_ACL_TYPE(PATH); | |
604 | DUMP_EXT_ACL_TYPE(METHOD); | |
1f183752 | 605 | #if USE_SSL |
7456a5c9 RC |
606 | DUMP_EXT_ACL_TYPE_FMT(USER_CERT_RAW, " %%USER_CERT_RAW"); |
607 | DUMP_EXT_ACL_TYPE_FMT(USER_CERTCHAIN_RAW, " %%USER_CERTCHAIN_RAW"); | |
608 | DUMP_EXT_ACL_TYPE_FMT(USER_CERT, " %%USER_CERT_%s", format->header); | |
609 | DUMP_EXT_ACL_TYPE_FMT(CA_CERT, " %%CA_CERT_%s", format->header); | |
1f183752 | 610 | #endif |
2f1431ea | 611 | #if USE_AUTH |
abb929f0 | 612 | DUMP_EXT_ACL_TYPE(EXT_USER); |
2f1431ea | 613 | #endif |
99e4ad67 JB |
614 | DUMP_EXT_ACL_TYPE(EXT_LOG); |
615 | DUMP_EXT_ACL_TYPE(TAG); | |
7456a5c9 | 616 | DUMP_EXT_ACL_TYPE_FMT(PERCENT, " %%%%"); |
4ecc6631 | 617 | default: |
62e76326 | 618 | fatal("unknown external_acl format error"); |
619 | break; | |
620 | } | |
621 | } | |
622 | ||
623 | for (word = node->cmdline; word; word = word->next) | |
624 | storeAppendPrintf(sentry, " %s", word->key); | |
625 | ||
626 | storeAppendPrintf(sentry, "\n"); | |
d9572179 | 627 | } |
628 | } | |
629 | ||
630 | void | |
631 | free_externalAclHelper(external_acl ** list) | |
632 | { | |
633 | while (*list) { | |
62e76326 | 634 | external_acl *node = *list; |
635 | *list = node->next; | |
636 | node->next = NULL; | |
637 | cbdataFree(node); | |
d9572179 | 638 | } |
639 | } | |
640 | ||
641 | static external_acl * | |
642 | find_externalAclHelper(const char *name) | |
643 | { | |
644 | external_acl *node; | |
645 | ||
646 | for (node = Config.externalAclHelperList; node; node = node->next) { | |
62e76326 | 647 | if (strcmp(node->name, name) == 0) |
648 | return node; | |
d9572179 | 649 | } |
62e76326 | 650 | |
d9572179 | 651 | return NULL; |
652 | } | |
653 | ||
1e5562e3 | 654 | void |
6ca34f6f | 655 | external_acl::add(ExternalACLEntry *anEntry) |
1e5562e3 | 656 | { |
657 | trimCache(); | |
658 | assert (anEntry->def == NULL); | |
659 | anEntry->def = this; | |
660 | hash_join(cache, anEntry); | |
661 | dlinkAdd(anEntry, &anEntry->lru, &lru_list); | |
95dc7ff4 | 662 | ++cache_entries; |
1e5562e3 | 663 | } |
664 | ||
665 | void | |
666 | external_acl::trimCache() | |
667 | { | |
668 | if (cache_size && cache_entries >= cache_size) | |
669 | external_acl_cache_delete(this, static_cast<external_acl_entry *>(lru_list.tail->data)); | |
670 | } | |
671 | ||
d9572179 | 672 | /****************************************************************** |
673 | * external acl type | |
674 | */ | |
675 | ||
26ac0430 | 676 | struct _external_acl_data { |
d9572179 | 677 | external_acl *def; |
678 | wordlist *arguments; | |
679 | }; | |
680 | ||
681 | CBDATA_TYPE(external_acl_data); | |
682 | static void | |
683 | free_external_acl_data(void *data) | |
684 | { | |
e6ccf245 | 685 | external_acl_data *p = static_cast<external_acl_data *>(data); |
d9572179 | 686 | wordlistDestroy(&p->arguments); |
687 | cbdataReferenceDone(p->def); | |
688 | } | |
689 | ||
690 | void | |
b0dd28ba | 691 | ACLExternal::parse() |
d9572179 | 692 | { |
d9572179 | 693 | char *token; |
62e76326 | 694 | |
b0dd28ba | 695 | if (data) |
62e76326 | 696 | self_destruct(); |
697 | ||
d9572179 | 698 | CBDATA_INIT_TYPE_FREECB(external_acl_data, free_external_acl_data); |
62e76326 | 699 | |
d9572179 | 700 | data = cbdataAlloc(external_acl_data); |
62e76326 | 701 | |
d9572179 | 702 | token = strtok(NULL, w_space); |
62e76326 | 703 | |
d9572179 | 704 | if (!token) |
62e76326 | 705 | self_destruct(); |
706 | ||
d9572179 | 707 | data->def = cbdataReference(find_externalAclHelper(token)); |
62e76326 | 708 | |
d9572179 | 709 | if (!data->def) |
62e76326 | 710 | self_destruct(); |
711 | ||
4d091667 | 712 | while ((token = strtokFile())) { |
62e76326 | 713 | wordlistAdd(&data->arguments, token); |
d9572179 | 714 | } |
d9572179 | 715 | } |
716 | ||
4b0f5de8 | 717 | bool |
718 | ACLExternal::valid () const | |
719 | { | |
2f1431ea | 720 | #if USE_AUTH |
4b0f5de8 | 721 | if (data->def->require_auth) { |
722 | if (authenticateSchemeCount() == 0) { | |
fa84c01d | 723 | debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes were compiled."); |
4b0f5de8 | 724 | return false; |
725 | } | |
726 | ||
727 | if (authenticateActiveSchemeCount() == 0) { | |
fa84c01d | 728 | debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes are fully configured."); |
4b0f5de8 | 729 | return false; |
730 | } | |
731 | } | |
2f1431ea | 732 | #endif |
4b0f5de8 | 733 | |
734 | return true; | |
735 | } | |
736 | ||
737 | bool | |
738 | ACLExternal::empty () const | |
739 | { | |
740 | return false; | |
741 | } | |
742 | ||
b0dd28ba | 743 | ACLExternal::~ACLExternal() |
d9572179 | 744 | { |
b0dd28ba | 745 | cbdataFree(data); |
746 | safe_free (class_); | |
d9572179 | 747 | } |
748 | ||
1abe0161 AJ |
749 | static void |
750 | copyResultsFromEntry(HttpRequest *req, external_acl_entry *entry) | |
751 | { | |
752 | if (req) { | |
753 | #if USE_AUTH | |
754 | if (entry->user.size()) | |
755 | req->extacl_user = entry->user; | |
756 | ||
757 | if (entry->password.size()) | |
758 | req->extacl_passwd = entry->password; | |
759 | #endif | |
760 | if (!req->tag.size()) | |
761 | req->tag = entry->tag; | |
762 | ||
763 | if (entry->log.size()) | |
764 | req->extacl_log = entry->log; | |
765 | ||
766 | if (entry->message.size()) | |
767 | req->extacl_message = entry->message; | |
768 | } | |
769 | } | |
770 | ||
e5f825ea | 771 | static allow_t |
c0941a6a | 772 | aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch) |
d9572179 | 773 | { |
d9572179 | 774 | const char *key = ""; |
c69ce640 | 775 | debugs(82, 9, HERE << "acl=\"" << acl->def->name << "\""); |
e5f825ea | 776 | external_acl_entry *entry = ch->extacl_entry; |
62e76326 | 777 | |
d9572179 | 778 | if (entry) { |
c69ce640 | 779 | if (cbdataReferenceValid(entry) && entry->def == acl->def) { |
ad06254e AJ |
780 | /* Ours, use it.. if the key matches */ |
781 | key = makeExternalAclKey(ch, acl); | |
782 | if (strcmp(key, (char*)entry->key) != 0) { | |
783 | debugs(82, 9, HERE << "entry key='" << (char *)entry->key << "', our key='" << key << "' dont match. Discarded."); | |
784 | // too bad. need a new lookup. | |
785 | cbdataReferenceDone(ch->extacl_entry); | |
786 | entry = NULL; | |
787 | } | |
62e76326 | 788 | } else { |
789 | /* Not valid, or not ours.. get rid of it */ | |
c69ce640 AJ |
790 | debugs(82, 9, HERE << "entry " << entry << " not valid or not ours. Discarded."); |
791 | if (entry) { | |
792 | debugs(82, 9, HERE << "entry def=" << entry->def << ", our def=" << acl->def); | |
793 | key = makeExternalAclKey(ch, acl); | |
794 | debugs(82, 9, HERE << "entry key='" << (char *)entry->key << "', our key='" << key << "'"); | |
795 | } | |
62e76326 | 796 | cbdataReferenceDone(ch->extacl_entry); |
797 | entry = NULL; | |
798 | } | |
d9572179 | 799 | } |
62e76326 | 800 | |
4a972fa2 | 801 | external_acl_message = "MISSING REQUIRED INFORMATION"; |
802 | ||
d9572179 | 803 | if (!entry) { |
c69ce640 | 804 | debugs(82, 9, HERE << "No helper entry available"); |
2f1431ea | 805 | #if USE_AUTH |
62e76326 | 806 | if (acl->def->require_auth) { |
62e76326 | 807 | /* Make sure the user is authenticated */ |
e5f825ea | 808 | debugs(82, 3, HERE << acl->def->name << " check user authenticated."); |
e0f7153c AR |
809 | const allow_t ti = AuthenticateAcl(ch); |
810 | if (ti != ACCESS_ALLOWED) { | |
e5f825ea | 811 | debugs(82, 2, HERE << acl->def->name << " user not authenticated (" << ti << ")"); |
e0f7153c | 812 | return ti; |
62e76326 | 813 | } |
e5f825ea | 814 | debugs(82, 3, HERE << acl->def->name << " user is authenticated."); |
62e76326 | 815 | } |
2f1431ea | 816 | #endif |
62e76326 | 817 | key = makeExternalAclKey(ch, acl); |
41218131 | 818 | |
819 | if (!key) { | |
820 | /* Not sufficient data to process */ | |
e5f825ea | 821 | return ACCESS_DUNNO; |
41218131 | 822 | } |
823 | ||
62e76326 | 824 | entry = static_cast<external_acl_entry *>(hash_lookup(acl->def->cache, key)); |
825 | ||
e0f7153c AR |
826 | external_acl_entry *staleEntry = entry; |
827 | if (entry && external_acl_entry_expired(acl->def, entry)) | |
828 | entry = NULL; | |
829 | ||
830 | if (entry && external_acl_grace_expired(acl->def, entry)) { | |
831 | // refresh in the background | |
832 | ExternalACLLookup::Start(ch, acl, true); | |
833 | debugs(82, 4, HERE << "no need to wait for the refresh of '" << | |
834 | key << "' in '" << acl->def->name << "' (ch=" << ch << ")."); | |
835 | } | |
836 | ||
837 | if (!entry) { | |
e5f825ea AJ |
838 | debugs(82, 2, HERE << acl->def->name << "(\"" << key << "\") = lookup needed"); |
839 | debugs(82, 2, HERE << "\"" << key << "\": entry=@" << | |
bf8fe701 | 840 | entry << ", age=" << (entry ? (long int) squid_curtime - entry->date : 0)); |
95a83c22 | 841 | |
48d54e4d | 842 | if (acl->def->theHelper->stats.queue_size <= (int)acl->def->theHelper->childs.n_active) { |
e5f825ea | 843 | debugs(82, 2, HERE << "\"" << key << "\": queueing a call."); |
dc1839a5 | 844 | ch->changeState(ExternalACLLookup::Instance()); |
e5f825ea | 845 | debugs(82, 2, HERE << "\"" << key << "\": return -1."); |
e0f7153c | 846 | return ACCESS_DUNNO; // expired cached or simply absent entry |
47b0c1fa | 847 | } else { |
e0f7153c | 848 | if (!staleEntry) { |
e5f825ea | 849 | debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name << |
bf8fe701 | 850 | "' queue overload. Request rejected '" << key << "'."); |
4a972fa2 | 851 | external_acl_message = "SYSTEM TOO BUSY, TRY AGAIN LATER"; |
e5f825ea | 852 | return ACCESS_DUNNO; |
47b0c1fa | 853 | } else { |
e5f825ea | 854 | debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name << |
bf8fe701 | 855 | "' queue overload. Using stale result. '" << key << "'."); |
e0f7153c | 856 | entry = staleEntry; |
47b0c1fa | 857 | /* Fall thru to processing below */ |
858 | } | |
859 | } | |
860 | } | |
d9572179 | 861 | } |
62e76326 | 862 | |
e0f7153c AR |
863 | debugs(82, 4, HERE << "entry = { date=" << |
864 | (long unsigned int) entry->date << | |
865 | ", result=" << entry->result << | |
866 | " tag=" << entry->tag << | |
867 | " log=" << entry->log << " }"); | |
868 | #if USE_AUTH | |
869 | debugs(82, 4, HERE << "entry user=" << entry->user); | |
870 | #endif | |
871 | ||
d9572179 | 872 | external_acl_cache_touch(acl->def, entry); |
a7a42b14 | 873 | external_acl_message = entry->message.termedBuf(); |
4a972fa2 | 874 | |
e5f825ea | 875 | debugs(82, 2, HERE << acl->def->name << " = " << entry->result); |
1abe0161 | 876 | copyResultsFromEntry(ch->request, entry); |
e5f825ea | 877 | return entry->result; |
d9572179 | 878 | } |
879 | ||
b0dd28ba | 880 | int |
881 | ACLExternal::match(ACLChecklist *checklist) | |
882 | { | |
e5f825ea | 883 | allow_t answer = aclMatchExternal(data, Filled(checklist)); |
e5f825ea AJ |
884 | |
885 | // convert to tri-state ACL match 1,0,-1 | |
9b831d57 | 886 | switch (answer) { |
e5f825ea | 887 | case ACCESS_ALLOWED: |
e5f825ea AJ |
888 | return 1; // match |
889 | ||
890 | case ACCESS_DENIED: | |
e5f825ea AJ |
891 | return 0; // non-match |
892 | ||
893 | case ACCESS_DUNNO: | |
894 | case ACCESS_AUTH_REQUIRED: | |
895 | default: | |
e0f7153c AR |
896 | // If the answer is not allowed or denied (matches/not matches) and |
897 | // async authentication is not needed (asyncNeeded), then we are done. | |
898 | if (!checklist->asyncNeeded()) | |
899 | checklist->markFinished(answer, "aclMatchExternal exception"); | |
e5f825ea AJ |
900 | return -1; // other |
901 | } | |
b0dd28ba | 902 | } |
903 | ||
d9572179 | 904 | wordlist * |
b0dd28ba | 905 | ACLExternal::dump() const |
d9572179 | 906 | { |
b0dd28ba | 907 | external_acl_data const *acl = data; |
d9572179 | 908 | wordlist *result = NULL; |
909 | wordlist *arg; | |
910 | MemBuf mb; | |
2fe7eff9 | 911 | mb.init(); |
912 | mb.Printf("%s", acl->def->name); | |
62e76326 | 913 | |
d9572179 | 914 | for (arg = acl->arguments; arg; arg = arg->next) { |
2fe7eff9 | 915 | mb.Printf(" %s", arg->key); |
d9572179 | 916 | } |
62e76326 | 917 | |
d9572179 | 918 | wordlistAdd(&result, mb.buf); |
2fe7eff9 | 919 | mb.clean(); |
d9572179 | 920 | return result; |
921 | } | |
922 | ||
923 | /****************************************************************** | |
924 | * external_acl cache | |
925 | */ | |
926 | ||
d9572179 | 927 | static void |
928 | external_acl_cache_touch(external_acl * def, external_acl_entry * entry) | |
929 | { | |
c69ce640 AJ |
930 | // this must not be done when nothing is being cached. |
931 | if (def->cache_size <= 0 || (def->ttl <= 0 && entry->result == 1) || (def->negative_ttl <= 0 && entry->result != 1)) | |
932 | return; | |
933 | ||
d9572179 | 934 | dlinkDelete(&entry->lru, &def->lru_list); |
935 | dlinkAdd(entry, &entry->lru, &def->lru_list); | |
936 | } | |
937 | ||
938 | static char * | |
c0941a6a | 939 | makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data) |
d9572179 | 940 | { |
032785bf | 941 | static MemBuf mb; |
d9572179 | 942 | char buf[256]; |
943 | int first = 1; | |
944 | wordlist *arg; | |
945 | external_acl_format *format; | |
190154cf | 946 | HttpRequest *request = ch->request; |
7b0ca1e8 | 947 | HttpReply *reply = ch->reply; |
2fe7eff9 | 948 | mb.reset(); |
62e76326 | 949 | |
d9572179 | 950 | for (format = acl_data->def->format; format; format = format->next) { |
62e76326 | 951 | const char *str = NULL; |
30abd221 | 952 | String sb; |
62e76326 | 953 | |
954 | switch (format->type) { | |
2f1431ea | 955 | #if USE_AUTH |
62e76326 | 956 | case _external_acl_format::EXT_ACL_LOGIN: |
d28c476f AJ |
957 | // if this ACL line was the cause of credentials fetch |
958 | // they may not already be in the checklist | |
959 | if (ch->auth_user_request == NULL && ch->request) | |
960 | ch->auth_user_request = ch->request->auth_user_request; | |
961 | ||
962 | if (ch->auth_user_request != NULL) | |
963 | str = ch->auth_user_request->username(); | |
62e76326 | 964 | break; |
2f1431ea | 965 | #endif |
7a16973f | 966 | #if USE_IDENT |
62e76326 | 967 | case _external_acl_format::EXT_ACL_IDENT: |
968 | str = ch->rfc931; | |
969 | ||
41218131 | 970 | if (!str || !*str) { |
62e76326 | 971 | ch->changeState(IdentLookup::Instance()); |
972 | return NULL; | |
973 | } | |
974 | ||
975 | break; | |
7a16973f | 976 | #endif |
62e76326 | 977 | |
978 | case _external_acl_format::EXT_ACL_SRC: | |
cc192b50 | 979 | str = ch->src_addr.NtoA(buf,sizeof(buf)); |
62e76326 | 980 | break; |
981 | ||
47b0c1fa | 982 | case _external_acl_format::EXT_ACL_SRCPORT: |
cc192b50 | 983 | snprintf(buf, sizeof(buf), "%d", request->client_addr.GetPort()); |
47b0c1fa | 984 | str = buf; |
985 | break; | |
986 | ||
a98c2da5 AJ |
987 | #if USE_SQUID_EUI |
988 | case _external_acl_format::EXT_ACL_SRCEUI48: | |
40d34a62 AJ |
989 | if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL && |
990 | request->clientConnectionManager->clientConnection->remoteEui48.encode(buf, sizeof(buf))) | |
a98c2da5 AJ |
991 | str = buf; |
992 | break; | |
993 | ||
994 | case _external_acl_format::EXT_ACL_SRCEUI64: | |
40d34a62 AJ |
995 | if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL && |
996 | request->clientConnectionManager->clientConnection->remoteEui64.encode(buf, sizeof(buf))) | |
a98c2da5 AJ |
997 | str = buf; |
998 | break; | |
999 | #endif | |
1000 | ||
47b0c1fa | 1001 | case _external_acl_format::EXT_ACL_MYADDR: |
cc192b50 | 1002 | str = request->my_addr.NtoA(buf, sizeof(buf)); |
47b0c1fa | 1003 | break; |
1004 | ||
1005 | case _external_acl_format::EXT_ACL_MYPORT: | |
cc192b50 | 1006 | snprintf(buf, sizeof(buf), "%d", request->my_addr.GetPort()); |
47b0c1fa | 1007 | str = buf; |
1008 | break; | |
1009 | ||
3cf6e9c5 | 1010 | case _external_acl_format::EXT_ACL_URI: |
1011 | str = urlCanonical(request); | |
1012 | break; | |
1013 | ||
62e76326 | 1014 | case _external_acl_format::EXT_ACL_DST: |
cc192b50 | 1015 | str = request->GetHost(); |
62e76326 | 1016 | break; |
1017 | ||
1018 | case _external_acl_format::EXT_ACL_PROTO: | |
0c3d3f65 | 1019 | str = AnyP::ProtocolType_str[request->protocol]; |
62e76326 | 1020 | break; |
1021 | ||
1022 | case _external_acl_format::EXT_ACL_PORT: | |
1023 | snprintf(buf, sizeof(buf), "%d", request->port); | |
1024 | str = buf; | |
1025 | break; | |
1026 | ||
1027 | case _external_acl_format::EXT_ACL_PATH: | |
a313a9ba | 1028 | str = request->urlpath.termedBuf(); |
62e76326 | 1029 | break; |
1030 | ||
1031 | case _external_acl_format::EXT_ACL_METHOD: | |
60745f24 | 1032 | str = RequestMethodStr(request->method); |
62e76326 | 1033 | break; |
1034 | ||
7b0ca1e8 | 1035 | case _external_acl_format::EXT_ACL_HEADER_REQUEST: |
a9925b40 | 1036 | sb = request->header.getByName(format->header); |
a313a9ba | 1037 | str = sb.termedBuf(); |
62e76326 | 1038 | break; |
1039 | ||
7b0ca1e8 | 1040 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID: |
a9925b40 | 1041 | sb = request->header.getStrOrList(format->header_id); |
a313a9ba | 1042 | str = sb.termedBuf(); |
62e76326 | 1043 | break; |
1044 | ||
7b0ca1e8 | 1045 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER: |
a9925b40 | 1046 | sb = request->header.getByNameListMember(format->header, format->member, format->separator); |
a313a9ba | 1047 | str = sb.termedBuf(); |
62e76326 | 1048 | break; |
1049 | ||
7b0ca1e8 | 1050 | case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER: |
a9925b40 | 1051 | sb = request->header.getListMember(format->header_id, format->member, format->separator); |
a313a9ba | 1052 | str = sb.termedBuf(); |
62e76326 | 1053 | break; |
7b0ca1e8 AJ |
1054 | |
1055 | case _external_acl_format::EXT_ACL_HEADER_REPLY: | |
26ac0430 | 1056 | if (reply) { |
7b0ca1e8 | 1057 | sb = reply->header.getByName(format->header); |
a313a9ba | 1058 | str = sb.termedBuf(); |
7b0ca1e8 AJ |
1059 | } |
1060 | break; | |
1061 | ||
1062 | case _external_acl_format::EXT_ACL_HEADER_REPLY_ID: | |
26ac0430 | 1063 | if (reply) { |
7b0ca1e8 | 1064 | sb = reply->header.getStrOrList(format->header_id); |
a313a9ba | 1065 | str = sb.termedBuf(); |
7b0ca1e8 AJ |
1066 | } |
1067 | break; | |
1068 | ||
1069 | case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER: | |
26ac0430 | 1070 | if (reply) { |
7b0ca1e8 | 1071 | sb = reply->header.getByNameListMember(format->header, format->member, format->separator); |
a313a9ba | 1072 | str = sb.termedBuf(); |
7b0ca1e8 AJ |
1073 | } |
1074 | break; | |
1075 | ||
1076 | case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER: | |
26ac0430 | 1077 | if (reply) { |
7b0ca1e8 | 1078 | sb = reply->header.getListMember(format->header_id, format->member, format->separator); |
a313a9ba | 1079 | str = sb.termedBuf(); |
7b0ca1e8 AJ |
1080 | } |
1081 | break; | |
a7ad6e4e | 1082 | #if USE_SSL |
62e76326 | 1083 | |
4ac9968f | 1084 | case _external_acl_format::EXT_ACL_USER_CERT_RAW: |
1085 | ||
73c36fd9 AJ |
1086 | if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) { |
1087 | SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl; | |
4ac9968f | 1088 | |
1089 | if (ssl) | |
1090 | str = sslGetUserCertificatePEM(ssl); | |
1091 | } | |
1092 | ||
1093 | break; | |
1094 | ||
3d61c476 | 1095 | case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW: |
1096 | ||
73c36fd9 AJ |
1097 | if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) { |
1098 | SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl; | |
3d61c476 | 1099 | |
1100 | if (ssl) | |
1101 | str = sslGetUserCertificateChainPEM(ssl); | |
1102 | } | |
1103 | ||
1104 | break; | |
1105 | ||
62e76326 | 1106 | case _external_acl_format::EXT_ACL_USER_CERT: |
1107 | ||
73c36fd9 AJ |
1108 | if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) { |
1109 | SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl; | |
62e76326 | 1110 | |
1111 | if (ssl) | |
1112 | str = sslGetUserAttribute(ssl, format->header); | |
1113 | } | |
1114 | ||
1115 | break; | |
1116 | ||
1117 | case _external_acl_format::EXT_ACL_CA_CERT: | |
1118 | ||
73c36fd9 AJ |
1119 | if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) { |
1120 | SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl; | |
62e76326 | 1121 | |
1122 | if (ssl) | |
1123 | str = sslGetCAAttribute(ssl, format->header); | |
1124 | } | |
1125 | ||
1126 | break; | |
a7ad6e4e | 1127 | #endif |
2f1431ea | 1128 | #if USE_AUTH |
abb929f0 | 1129 | case _external_acl_format::EXT_ACL_EXT_USER: |
a313a9ba | 1130 | str = request->extacl_user.termedBuf(); |
abb929f0 | 1131 | break; |
2f1431ea | 1132 | #endif |
99e4ad67 JB |
1133 | case _external_acl_format::EXT_ACL_EXT_LOG: |
1134 | str = request->extacl_log.termedBuf(); | |
1135 | break; | |
1136 | case _external_acl_format::EXT_ACL_TAG: | |
1137 | str = request->tag.termedBuf(); | |
1138 | break; | |
0db8942f AJ |
1139 | case _external_acl_format::EXT_ACL_PERCENT: |
1140 | str = "%"; | |
1141 | break; | |
62e76326 | 1142 | case _external_acl_format::EXT_ACL_UNKNOWN: |
1143 | ||
1144 | case _external_acl_format::EXT_ACL_END: | |
1145 | fatal("unknown external_acl format error"); | |
1146 | break; | |
1147 | } | |
1148 | ||
1149 | if (str) | |
1150 | if (!*str) | |
1151 | str = NULL; | |
1152 | ||
1153 | if (!str) | |
1154 | str = "-"; | |
1155 | ||
1156 | if (!first) | |
2fe7eff9 | 1157 | mb.append(" ", 1); |
62e76326 | 1158 | |
dc1af3cf | 1159 | if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) { |
1160 | const char *quoted = rfc1738_escape(str); | |
2fe7eff9 | 1161 | mb.append(quoted, strlen(quoted)); |
dc1af3cf | 1162 | } else { |
1163 | strwordquote(&mb, str); | |
1164 | } | |
62e76326 | 1165 | |
30abd221 | 1166 | sb.clean(); |
62e76326 | 1167 | |
1168 | first = 0; | |
d9572179 | 1169 | } |
62e76326 | 1170 | |
d9572179 | 1171 | for (arg = acl_data->arguments; arg; arg = arg->next) { |
62e76326 | 1172 | if (!first) |
2fe7eff9 | 1173 | mb.append(" ", 1); |
62e76326 | 1174 | |
dc1af3cf | 1175 | if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) { |
1176 | const char *quoted = rfc1738_escape(arg->key); | |
2fe7eff9 | 1177 | mb.append(quoted, strlen(quoted)); |
dc1af3cf | 1178 | } else { |
1179 | strwordquote(&mb, arg->key); | |
1180 | } | |
62e76326 | 1181 | |
1182 | first = 0; | |
d9572179 | 1183 | } |
62e76326 | 1184 | |
d9572179 | 1185 | return mb.buf; |
d9572179 | 1186 | } |
1187 | ||
1188 | static int | |
1189 | external_acl_entry_expired(external_acl * def, external_acl_entry * entry) | |
1190 | { | |
c69ce640 AJ |
1191 | if (def->cache_size <= 0) |
1192 | return 1; | |
1193 | ||
d9572179 | 1194 | if (entry->date + (entry->result == 1 ? def->ttl : def->negative_ttl) < squid_curtime) |
62e76326 | 1195 | return 1; |
d9572179 | 1196 | else |
62e76326 | 1197 | return 0; |
d9572179 | 1198 | } |
62e76326 | 1199 | |
47b0c1fa | 1200 | static int |
1201 | external_acl_grace_expired(external_acl * def, external_acl_entry * entry) | |
1202 | { | |
c69ce640 AJ |
1203 | if (def->cache_size <= 0) |
1204 | return 1; | |
1205 | ||
47b0c1fa | 1206 | int ttl; |
1207 | ttl = entry->result == 1 ? def->ttl : def->negative_ttl; | |
1208 | ttl = (ttl * (100 - def->grace)) / 100; | |
1209 | ||
2e1359a0 | 1210 | if (entry->date + ttl <= squid_curtime) |
47b0c1fa | 1211 | return 1; |
1212 | else | |
1213 | return 0; | |
1214 | } | |
1215 | ||
d9572179 | 1216 | static external_acl_entry * |
1e5562e3 | 1217 | external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data) |
d9572179 | 1218 | { |
c69ce640 AJ |
1219 | ExternalACLEntry *entry; |
1220 | ||
1221 | // do not bother caching this result if TTL is going to expire it immediately | |
1222 | if (def->cache_size <= 0 || (def->ttl <= 0 && data.result == 1) || (def->negative_ttl <= 0 && data.result != 1)) { | |
1223 | debugs(82,6, HERE); | |
1224 | entry = new ExternalACLEntry; | |
1225 | entry->key = xstrdup(key); | |
1226 | entry->update(data); | |
1227 | entry->def = def; | |
1228 | return entry; | |
1229 | } | |
1230 | ||
1231 | entry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key)); | |
bf8fe701 | 1232 | debugs(82, 2, "external_acl_cache_add: Adding '" << key << "' = " << data.result); |
62e76326 | 1233 | |
d9572179 | 1234 | if (entry) { |
bf8fe701 | 1235 | debugs(82, 3, "ExternalACLEntry::update: updating existing entry"); |
c69ce640 | 1236 | entry->update(data); |
62e76326 | 1237 | external_acl_cache_touch(def, entry); |
1238 | ||
1239 | return entry; | |
d9572179 | 1240 | } |
62e76326 | 1241 | |
1e5562e3 | 1242 | entry = new ExternalACLEntry; |
4a8b20e8 | 1243 | entry->key = xstrdup(key); |
c69ce640 | 1244 | entry->update(data); |
1e5562e3 | 1245 | |
6ca34f6f | 1246 | def->add(entry); |
1e5562e3 | 1247 | |
d9572179 | 1248 | return entry; |
1249 | } | |
1250 | ||
1251 | static void | |
1252 | external_acl_cache_delete(external_acl * def, external_acl_entry * entry) | |
1253 | { | |
c69ce640 | 1254 | assert(def->cache_size > 0 && entry->def == def); |
4a8b20e8 | 1255 | hash_remove_link(def->cache, entry); |
d9572179 | 1256 | dlinkDelete(&entry->lru, &def->lru_list); |
1257 | def->cache_entries -= 1; | |
00d77d6b | 1258 | delete entry; |
d9572179 | 1259 | } |
1260 | ||
1261 | /****************************************************************** | |
1262 | * external_acl helpers | |
1263 | */ | |
1264 | ||
1265 | typedef struct _externalAclState externalAclState; | |
62e76326 | 1266 | |
26ac0430 | 1267 | struct _externalAclState { |
d9572179 | 1268 | EAH *callback; |
1269 | void *callback_data; | |
1270 | char *key; | |
1271 | external_acl *def; | |
1272 | dlink_node list; | |
1273 | externalAclState *queue; | |
1274 | }; | |
1275 | ||
1276 | CBDATA_TYPE(externalAclState); | |
1277 | static void | |
1278 | free_externalAclState(void *data) | |
1279 | { | |
e6ccf245 | 1280 | externalAclState *state = static_cast<externalAclState *>(data); |
d9572179 | 1281 | safe_free(state->key); |
1282 | cbdataReferenceDone(state->callback_data); | |
1283 | cbdataReferenceDone(state->def); | |
1284 | } | |
1285 | ||
d9572179 | 1286 | /* |
1287 | * The helper program receives queries on stdin, one | |
07eca7e0 | 1288 | * per line, and must return the result on on stdout |
d9572179 | 1289 | * |
1290 | * General result syntax: | |
1291 | * | |
1292 | * OK/ERR keyword=value ... | |
1293 | * | |
1294 | * Keywords: | |
1295 | * | |
4a972fa2 | 1296 | * user= The users name (login) |
1297 | * message= Message describing the reason | |
1298 | * tag= A string tag to be applied to the request that triggered the acl match. | |
1299 | * applies to both OK and ERR responses. | |
1300 | * Won't override existing request tags. | |
1301 | * log= A string to be used in access logging | |
d9572179 | 1302 | * |
1303 | * Other keywords may be added to the protocol later | |
1304 | * | |
26ac0430 AJ |
1305 | * value needs to be enclosed in quotes if it may contain whitespace, or |
1306 | * the whitespace escaped using \ (\ escaping obviously also applies to | |
d9572179 | 1307 | * any " characters) |
1308 | */ | |
d9572179 | 1309 | static void |
0272dd08 | 1310 | externalAclHandleReply(void *data, const HelperReply &reply) |
d9572179 | 1311 | { |
e6ccf245 | 1312 | externalAclState *state = static_cast<externalAclState *>(data); |
d9572179 | 1313 | externalAclState *next; |
c69ce640 | 1314 | char *t = NULL; |
1e5562e3 | 1315 | ExternalACLEntryData entryData; |
e5f825ea | 1316 | entryData.result = ACCESS_DENIED; |
466090ac | 1317 | external_acl_entry *entry = NULL; |
d9572179 | 1318 | |
0272dd08 | 1319 | debugs(82, 2, HERE << "reply=" << reply); |
d9572179 | 1320 | |
0272dd08 AJ |
1321 | if (reply.result == HelperReply::Okay) |
1322 | entryData.result = ACCESS_ALLOWED; | |
1323 | // XXX: handle other non-DENIED results better | |
62e76326 | 1324 | |
ab332e27 AJ |
1325 | if (reply.tag.hasContent()) |
1326 | entryData.tag = reply.tag; | |
1327 | if (reply.message.hasContent()) | |
1328 | entryData.message = reply.message; | |
1329 | if (reply.log.hasContent()) | |
1330 | entryData.log = reply.log; | |
1331 | #if USE_AUTH | |
1332 | if (reply.user.hasContent()) | |
1333 | entryData.user = reply.user; | |
1334 | if (reply.password.hasContent()) | |
1335 | entryData.password = reply.password; | |
1336 | #endif | |
1337 | ||
1338 | // legacy reply parser | |
0272dd08 AJ |
1339 | if (reply.other().hasContent()) { |
1340 | char *temp = reply.modifiableOther().content(); | |
1341 | char *token = strwordtok(temp, &t); | |
62e76326 | 1342 | |
1343 | while ((token = strwordtok(NULL, &t))) { | |
ab332e27 | 1344 | debugs(82, DBG_IMPORTANT, "WARNING: key '" << token << "' is not supported by this Squid."); |
0272dd08 | 1345 | char *value = strchr(token, '='); |
62e76326 | 1346 | |
1347 | if (value) { | |
a38ec4b1 FC |
1348 | *value = '\0'; /* terminate the token, and move up to the value */ |
1349 | ++value; | |
62e76326 | 1350 | |
dc1af3cf | 1351 | if (state->def->quote == external_acl::QUOTE_METHOD_URL) |
1352 | rfc1738_unescape(value); | |
1353 | ||
ab332e27 | 1354 | if (strcmp(token, "error") == 0) { |
d7bd27db | 1355 | entryData.message = value; |
2f1431ea | 1356 | #if USE_AUTH |
ab332e27 | 1357 | } else if (strcmp(token, "passwd") == 0) { |
abb929f0 | 1358 | entryData.password = value; |
ab332e27 | 1359 | } else if (strcmp(token, "login") == 0) { |
abb929f0 | 1360 | entryData.user = value; |
2f1431ea | 1361 | #endif |
ab332e27 | 1362 | } |
62e76326 | 1363 | } |
1364 | } | |
d9572179 | 1365 | } |
62e76326 | 1366 | |
d9572179 | 1367 | dlinkDelete(&state->list, &state->def->queue); |
62e76326 | 1368 | |
4960475f | 1369 | if (cbdataReferenceValid(state->def)) { |
0272dd08 AJ |
1370 | // only cache OK and ERR results. |
1371 | if (reply.result == HelperReply::Okay || reply.result == HelperReply::Error) | |
1e5562e3 | 1372 | entry = external_acl_cache_add(state->def, state->key, entryData); |
62e76326 | 1373 | else { |
2ae2408b | 1374 | external_acl_entry *oldentry = (external_acl_entry *)hash_lookup(state->def->cache, state->key); |
62e76326 | 1375 | |
2ae2408b | 1376 | if (oldentry) |
1377 | external_acl_cache_delete(state->def, oldentry); | |
62e76326 | 1378 | } |
466090ac | 1379 | } |
d9572179 | 1380 | |
1381 | do { | |
62e76326 | 1382 | void *cbdata; |
1383 | cbdataReferenceDone(state->def); | |
1384 | ||
47b0c1fa | 1385 | if (state->callback && cbdataReferenceValidDone(state->callback_data, &cbdata)) |
62e76326 | 1386 | state->callback(cbdata, entry); |
1387 | ||
1388 | next = state->queue; | |
d9572179 | 1389 | |
62e76326 | 1390 | cbdataFree(state); |
d9572179 | 1391 | |
62e76326 | 1392 | state = next; |
d9572179 | 1393 | } while (state); |
1394 | } | |
1395 | ||
1396 | void | |
e0f7153c | 1397 | ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me) |
d9572179 | 1398 | { |
e0f7153c AR |
1399 | ExternalACLLookup::Start(checklist, me->data, false); |
1400 | } | |
c8e7608c | 1401 | |
e0f7153c AR |
1402 | void |
1403 | ExternalACLLookup::Start(ACLChecklist *checklist, external_acl_data *acl, bool inBackground) | |
1404 | { | |
1405 | external_acl *def = acl->def; | |
c0f81932 | 1406 | |
c0941a6a | 1407 | ACLFilledChecklist *ch = Filled(checklist); |
c8e7608c | 1408 | const char *key = makeExternalAclKey(ch, acl); |
e0f7153c | 1409 | assert(key); |
62e76326 | 1410 | |
e0f7153c AR |
1411 | debugs(82, 2, HERE << (inBackground ? "bg" : "fg") << " lookup in '" << |
1412 | def->name << "' for '" << key << "'"); | |
62e76326 | 1413 | |
47b0c1fa | 1414 | /* Check for a pending lookup to hook into */ |
c69ce640 | 1415 | // only possible if we are caching results. |
e0f7153c | 1416 | externalAclState *oldstate = NULL; |
c69ce640 | 1417 | if (def->cache_size > 0) { |
e0f7153c | 1418 | for (dlink_node *node = def->queue.head; node; node = node->next) { |
c69ce640 | 1419 | externalAclState *oldstatetmp = static_cast<externalAclState *>(node->data); |
62e76326 | 1420 | |
c69ce640 AJ |
1421 | if (strcmp(key, oldstatetmp->key) == 0) { |
1422 | oldstate = oldstatetmp; | |
1423 | break; | |
1424 | } | |
47b0c1fa | 1425 | } |
1426 | } | |
62e76326 | 1427 | |
e0f7153c AR |
1428 | // A background refresh has no need to piggiback on a pending request: |
1429 | // When the pending request completes, the cache will be refreshed anyway. | |
1430 | if (oldstate && inBackground) { | |
1431 | debugs(82, 7, HERE << "'" << def->name << "' queue is already being refreshed (ch=" << ch << ")"); | |
47b0c1fa | 1432 | return; |
1433 | } | |
62e76326 | 1434 | |
e0f7153c | 1435 | externalAclState *state = cbdataAlloc(externalAclState); |
47b0c1fa | 1436 | state->def = cbdataReference(def); |
62e76326 | 1437 | |
47b0c1fa | 1438 | state->key = xstrdup(key); |
62e76326 | 1439 | |
e0f7153c AR |
1440 | if (!inBackground) { |
1441 | state->callback = &ExternalACLLookup::LookupDone; | |
1442 | state->callback_data = cbdataReference(checklist); | |
d9572179 | 1443 | } |
62e76326 | 1444 | |
47b0c1fa | 1445 | if (oldstate) { |
1446 | /* Hook into pending lookup */ | |
1447 | state->queue = oldstate->queue; | |
1448 | oldstate->queue = state; | |
1449 | } else { | |
e0f7153c AR |
1450 | /* No pending lookup found. Sumbit to helper */ |
1451 | ||
47b0c1fa | 1452 | /* Check for queue overload */ |
1453 | ||
48d54e4d | 1454 | if (def->theHelper->stats.queue_size >= (int)def->theHelper->childs.n_running) { |
e0f7153c AR |
1455 | debugs(82, 7, HERE << "'" << def->name << "' queue is too long"); |
1456 | assert(inBackground); // or the caller should have checked | |
47b0c1fa | 1457 | cbdataFree(state); |
47b0c1fa | 1458 | return; |
1459 | } | |
1460 | ||
1461 | /* Send it off to the helper */ | |
e0f7153c | 1462 | MemBuf buf; |
2fe7eff9 | 1463 | buf.init(); |
62e76326 | 1464 | |
2fe7eff9 | 1465 | buf.Printf("%s\n", key); |
62e76326 | 1466 | |
bf8fe701 | 1467 | debugs(82, 4, "externalAclLookup: looking up for '" << key << "' in '" << def->name << "'."); |
ab321f4b | 1468 | |
47b0c1fa | 1469 | helperSubmit(def->theHelper, buf.buf, externalAclHandleReply, state); |
62e76326 | 1470 | |
47b0c1fa | 1471 | dlinkAdd(state, &state->list, &def->queue); |
62e76326 | 1472 | |
2fe7eff9 | 1473 | buf.clean(); |
47b0c1fa | 1474 | } |
62e76326 | 1475 | |
bf8fe701 | 1476 | debugs(82, 4, "externalAclLookup: will wait for the result of '" << key << |
1477 | "' in '" << def->name << "' (ch=" << ch << ")."); | |
d9572179 | 1478 | } |
1479 | ||
1480 | static void | |
1481 | externalAclStats(StoreEntry * sentry) | |
1482 | { | |
1483 | external_acl *p; | |
1484 | ||
1485 | for (p = Config.externalAclHelperList; p; p = p->next) { | |
62e76326 | 1486 | storeAppendPrintf(sentry, "External ACL Statistics: %s\n", p->name); |
1487 | storeAppendPrintf(sentry, "Cache size: %d\n", p->cache->count); | |
1488 | helperStats(sentry, p->theHelper); | |
1489 | storeAppendPrintf(sentry, "\n"); | |
d9572179 | 1490 | } |
1491 | } | |
1492 | ||
6b7d87bb FC |
1493 | static void |
1494 | externalAclRegisterWithCacheManager(void) | |
1495 | { | |
8822ebee | 1496 | Mgr::RegisterAction("external_acl", |
d9fc6862 A |
1497 | "External ACL stats", |
1498 | externalAclStats, 0, 1); | |
6b7d87bb FC |
1499 | } |
1500 | ||
d9572179 | 1501 | void |
1502 | externalAclInit(void) | |
1503 | { | |
1504 | static int firstTimeInit = 1; | |
1505 | external_acl *p; | |
1506 | ||
1507 | for (p = Config.externalAclHelperList; p; p = p->next) { | |
62e76326 | 1508 | if (!p->cache) |
30abd221 | 1509 | p->cache = hash_create((HASHCMP *) strcmp, hashPrime(1024), hash4); |
62e76326 | 1510 | |
1511 | if (!p->theHelper) | |
48d54e4d | 1512 | p->theHelper = new helper(p->name); |
62e76326 | 1513 | |
1514 | p->theHelper->cmdline = p->cmdline; | |
1515 | ||
1af735c7 | 1516 | p->theHelper->childs.updateLimits(p->children); |
07eca7e0 | 1517 | |
62e76326 | 1518 | p->theHelper->ipc_type = IPC_TCP_SOCKET; |
1519 | ||
cc192b50 | 1520 | p->theHelper->addr = p->local_addr; |
1521 | ||
ab332e27 AJ |
1522 | if (p->quote == external_acl::QUOTE_METHOD_URL) |
1523 | p->theHelper->url_quoting = true; | |
1524 | ||
62e76326 | 1525 | helperOpenServers(p->theHelper); |
d9572179 | 1526 | } |
62e76326 | 1527 | |
d9572179 | 1528 | if (firstTimeInit) { |
62e76326 | 1529 | firstTimeInit = 0; |
62e76326 | 1530 | CBDATA_INIT_TYPE_FREECB(externalAclState, free_externalAclState); |
d9572179 | 1531 | } |
ea391f18 FC |
1532 | |
1533 | externalAclRegisterWithCacheManager(); | |
d9572179 | 1534 | } |
1535 | ||
1536 | void | |
1537 | externalAclShutdown(void) | |
1538 | { | |
1539 | external_acl *p; | |
62e76326 | 1540 | |
d9572179 | 1541 | for (p = Config.externalAclHelperList; p; p = p->next) { |
62e76326 | 1542 | helperShutdown(p->theHelper); |
d9572179 | 1543 | } |
1544 | } | |
225b7b10 | 1545 | |
1546 | ExternalACLLookup ExternalACLLookup::instance_; | |
1547 | ExternalACLLookup * | |
1548 | ExternalACLLookup::Instance() | |
1549 | { | |
1550 | return &instance_; | |
1551 | } | |
1552 | ||
1553 | void | |
1554 | ExternalACLLookup::checkForAsync(ACLChecklist *checklist)const | |
1555 | { | |
b0dd28ba | 1556 | /* TODO: optimise this - we probably have a pointer to this |
1557 | * around somewhere */ | |
97427e90 | 1558 | ACL *acl = ACL::FindByName(AclMatchedName); |
ab321f4b | 1559 | assert(acl); |
b0dd28ba | 1560 | ACLExternal *me = dynamic_cast<ACLExternal *> (acl); |
1561 | assert (me); | |
225b7b10 | 1562 | checklist->asyncInProgress(true); |
e0f7153c | 1563 | ACLExternal::ExternalAclLookup(checklist, me); |
225b7b10 | 1564 | } |
1565 | ||
e0f7153c | 1566 | /// Called when an async lookup returns |
225b7b10 | 1567 | void |
1568 | ExternalACLLookup::LookupDone(void *data, void *result) | |
1569 | { | |
c0941a6a | 1570 | ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data)); |
225b7b10 | 1571 | checklist->extacl_entry = cbdataReference((external_acl_entry *)result); |
1572 | checklist->asyncInProgress(false); | |
c059ed04 | 1573 | checklist->changeState (ACLChecklist::NullState::Instance()); |
2efeb0b7 | 1574 | checklist->matchNonBlocking(); |
225b7b10 | 1575 | } |
b0dd28ba | 1576 | |
1577 | /* This registers "external" in the registry. To do dynamic definitions | |
1578 | * of external ACL's, rather than a static prototype, have a Prototype instance | |
1579 | * prototype in the class that defines each external acl 'class'. | |
1580 | * Then, then the external acl instance is created, it self registers under | |
1581 | * it's name. | |
1582 | * Be sure that clone is fully functional for that acl class though! | |
1583 | */ | |
1584 | ACL::Prototype ACLExternal::RegistryProtoype(&ACLExternal::RegistryEntry_, "external"); | |
1585 | ||
1586 | ACLExternal ACLExternal::RegistryEntry_("external"); | |
1587 | ||
1588 | ACL * | |
1589 | ACLExternal::clone() const | |
1590 | { | |
1591 | return new ACLExternal(*this); | |
1592 | } | |
1593 | ||
1594 | ACLExternal::ACLExternal (char const *theClass) : data (NULL), class_ (xstrdup (theClass)) | |
1595 | {} | |
1596 | ||
1597 | ACLExternal::ACLExternal (ACLExternal const & old) : data (NULL), class_ (old.class_ ? xstrdup (old.class_) : NULL) | |
1598 | { | |
1599 | /* we don't have copy constructors for the data yet */ | |
1600 | assert (!old.data); | |
1601 | } | |
1602 | ||
b0dd28ba | 1603 | char const * |
1604 | ACLExternal::typeString() const | |
1605 | { | |
1606 | return class_; | |
1607 | } | |
1608 | ||
e870b1f8 | 1609 | bool |
1610 | ACLExternal::isProxyAuth() const | |
1611 | { | |
2f1431ea | 1612 | #if USE_AUTH |
e870b1f8 | 1613 | return data->def->require_auth; |
2f1431ea AJ |
1614 | #else |
1615 | return false; | |
1616 | #endif | |
e870b1f8 | 1617 | } |