]> git.ipfire.org Git - thirdparty/squid.git/blame - src/external_acl.cc
projects / thirdparty / squid.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Source Format Enforcement (#763)
[thirdparty/squid.git] / src / external_acl.cc
CommitLineData
d9572179 1/*
f70aedc4 2 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
d9572179 3 *
bbc27441
AJ		 4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
d9572179 7 */
8
bbc27441
AJ		 9/* DEBUG: section 82 External ACL */
10
582c2af2 11#include "squid.h"
c0941a6a 12#include "acl/Acl.h"
582c2af2 13#include "acl/FilledChecklist.h"
8a01b99e 14#include "cache_cf.h"
a46d2c0e 15#include "client_side.h"
4e56d7f6 16#include "client_side_request.h"
5c336a3b 17#include "comm/Connection.h"
2eceb328 18#include "ConfigParser.h"
582c2af2 19#include "ExternalACL.h"
f9b6ff6e 20#include "ExternalACLEntry.h"
582c2af2 21#include "fde.h"
4e56d7f6 22#include "format/Token.h"
aa839030 23#include "helper.h"
24438ec5 24#include "helper/Reply.h"
d3dddfb5 25#include "http/Stream.h"
a5bac1d2 26#include "HttpHeaderTools.h"
582c2af2
FC		 27#include "HttpReply.h"
28#include "HttpRequest.h"
29#include "ip/tools.h"
0eb49b6d 30#include "MemBuf.h"
582c2af2 31#include "mgr/Registration.h"
1fa9b1a7 32#include "rfc1738.h"
4d5904f7 33#include "SquidConfig.h"
f9b6ff6e 34#include "SquidString.h"
582c2af2
FC		 35#include "SquidTime.h"
36#include "Store.h"
4e540555 37#include "tools.h"
d295d770 38#include "wordlist.h"
cb4f4424 39#if USE_OPENSSL
cedca6e7 40#include "ssl/ServerBump.h"
4db984be
CT		 41#include "ssl/support.h"
42#endif
582c2af2
FC		 43#if USE_AUTH
44#include "auth/Acl.h"
45#include "auth/Gadgets.h"
46#include "auth/UserRequest.h"
47#endif
48#if USE_IDENT
49#include "ident/AclIdent.h"
50#endif
d9572179 51
52#ifndef DEFAULT_EXTERNAL_ACL_TTL
53#define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60
54#endif
d4f2f353 55#ifndef DEFAULT_EXTERNAL_ACL_CHILDREN
56#define DEFAULT_EXTERNAL_ACL_CHILDREN 5
d9572179 57#endif
58
c0941a6a 59static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data);
abdd93d0
AJ		 60static void external_acl_cache_delete(external_acl * def, const ExternalACLEntryPointer &entry);
61static int external_acl_entry_expired(external_acl * def, const ExternalACLEntryPointer &entry);
62static int external_acl_grace_expired(external_acl * def, const ExternalACLEntryPointer &entry);
63static void external_acl_cache_touch(external_acl * def, const ExternalACLEntryPointer &entry);
64static ExternalACLEntryPointer external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data);
d9572179 65
66/******************************************************************
67 * external_acl directive
68 */
62e76326 69
1e5562e3 70class external_acl
62e76326 71{
9837567d 72 /* XXX: These are not really cbdata, but it is an easy way
f205a92e 73 * to get them pooled, refcounted, accounted and freed properly...
9837567d 74 * Use RefCountable MEMPROXY_CLASS instead
f205a92e 75 */
f963b531 76 CBDATA_CLASS(external_acl);
1e5562e3 77
78public:
f963b531
AJ		 79 external_acl();
80 ~external_acl();
81
d9572179 82 external_acl *next;
1e5562e3 83
abdd93d0 84 void add(const ExternalACLEntryPointer &);
1e5562e3 85
86 void trimCache();
87
329c128c 88 bool maybeCacheable(const Acl::Answer &) const;
194ccc9c 89
d9572179 90 int ttl;
1e5562e3 91
d9572179 92 int negative_ttl;
1e5562e3 93
47b0c1fa 94 int grace;
95
d9572179 96 char *name;
1e5562e3 97
4e56d7f6 98 Format::Format format;
1e5562e3 99
d9572179 100 wordlist *cmdline;
1e5562e3 101
76d9b994 102 Helper::ChildConfig children;
07eca7e0 103
e6ccf245 104 helper *theHelper;
1e5562e3 105
d9572179 106 hash_table *cache;
1e5562e3 107
d9572179 108 dlink_list lru_list;
1e5562e3 109
d9572179 110 int cache_size;
1e5562e3 111
d9572179 112 int cache_entries;
1e5562e3 113
d9572179 114 dlink_list queue;
1e5562e3 115
2f1431ea 116#if USE_AUTH
3265364b
AJ		 117 /**
118 * Configuration flag. May only be altered by the configuration parser.
119 *
120 * Indicates that all uses of this external_acl_type helper require authentication
121 * details to be processed. If none are available its a fail match.
122 */
e870b1f8 123 bool require_auth;
2f1431ea 124#endif
dc1af3cf 125
95d78f10 126 Format::Quoting quote; // default quoting to use, set by protocol= parameter
cc192b50 127
b7ac5457 128 Ip::Address local_addr;
d9572179 129};
130
f963b531
AJ		 131CBDATA_CLASS_INIT(external_acl);
132
133external_acl::external_acl() :
cc8c4af2 134 next(NULL),
f963b531
AJ		 135 ttl(DEFAULT_EXTERNAL_ACL_TTL),
136 negative_ttl(-1),
137 grace(1),
138 name(NULL),
4e56d7f6 139 format("external_acl_type"),
f963b531
AJ		 140 cmdline(NULL),
141 children(DEFAULT_EXTERNAL_ACL_CHILDREN),
142 theHelper(NULL),
143 cache(NULL),
144 cache_size(256*1024),
145 cache_entries(0),
146#if USE_AUTH
147 require_auth(0),
148#endif
95d78f10 149 quote(Format::LOG_QUOTE_URL)
d9572179 150{
f963b531
AJ		 151 local_addr.setLocalhost();
152}
62e76326 153
f963b531
AJ		 154external_acl::~external_acl()
155{
156 xfree(name);
f963b531
AJ		 157 wordlistDestroy(&cmdline);
158
159 if (theHelper) {
160 helperShutdown(theHelper);
161 delete theHelper;
162 theHelper = NULL;
d9572179 163 }
62e76326 164
f963b531
AJ		 165 while (lru_list.tail) {
166 ExternalACLEntryPointer e(static_cast<ExternalACLEntry *>(lru_list.tail->data));
167 external_acl_cache_delete(this, e);
168 }
169 if (cache)
170 hashFreeMemory(cache);
171
172 while (next) {
173 external_acl *node = next;
174 next = node->next;
175 node->next = NULL; // prevent recursion
176 delete node;
abdd93d0 177 }
d9572179 178}
179
180void
181parse_externalAclHelper(external_acl ** list)
182{
f963b531 183 char *token = ConfigParser::NextToken();
62e76326 184
7b6ce1c0 185 if (!token) {
62e76326 186 self_destruct();
7b6ce1c0
AJ		 187 return;
188 }
62e76326 189
7b6ce1c0 190 external_acl *a = new external_acl;
d9572179 191 a->name = xstrdup(token);
192
2eceb328
CT		 193 // Allow supported %macros inside quoted tokens
194 ConfigParser::EnableMacros();
195 token = ConfigParser::NextToken();
62e76326 196
d9572179 197 /* Parse options */
198 while (token) {
62e76326 199 if (strncmp(token, "ttl=", 4) == 0) {
200 a->ttl = atoi(token + 4);
201 } else if (strncmp(token, "negative_ttl=", 13) == 0) {
202 a->negative_ttl = atoi(token + 13);
07eca7e0 203 } else if (strncmp(token, "children=", 9) == 0) {
48d54e4d 204 a->children.n_max = atoi(token + 9);
fa84c01d 205 debugs(0, DBG_CRITICAL, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N");
48d54e4d
AJ		 206 } else if (strncmp(token, "children-max=", 13) == 0) {
207 a->children.n_max = atoi(token + 13);
208 } else if (strncmp(token, "children-startup=", 17) == 0) {
209 a->children.n_startup = atoi(token + 17);
210 } else if (strncmp(token, "children-idle=", 14) == 0) {
211 a->children.n_idle = atoi(token + 14);
07eca7e0 212 } else if (strncmp(token, "concurrency=", 12) == 0) {
48d54e4d 213 a->children.concurrency = atoi(token + 12);
6825b101
CT		 214 } else if (strncmp(token, "queue-size=", 11) == 0) {
215 a->children.queue_size = atoi(token + 11);
216 a->children.defaultQueueSize = false;
62e76326 217 } else if (strncmp(token, "cache=", 6) == 0) {
218 a->cache_size = atoi(token + 6);
47b0c1fa 219 } else if (strncmp(token, "grace=", 6) == 0) {
220 a->grace = atoi(token + 6);
dc1af3cf 221 } else if (strcmp(token, "protocol=2.5") == 0) {
95d78f10 222 a->quote = Format::LOG_QUOTE_SHELL;
dc1af3cf 223 } else if (strcmp(token, "protocol=3.0") == 0) {
05e52854 224 debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option protocol=3.0 is deprecated. Remove this from your config.");
95d78f10 225 a->quote = Format::LOG_QUOTE_URL;
dc1af3cf 226 } else if (strcmp(token, "quote=url") == 0) {
05e52854 227 debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option quote=url is deprecated. Remove this from your config.");
95d78f10 228 a->quote = Format::LOG_QUOTE_URL;
dc1af3cf 229 } else if (strcmp(token, "quote=shell") == 0) {
05e52854 230 debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option quote=shell is deprecated. Use protocol=2.5 if still needed.");
95d78f10 231 a->quote = Format::LOG_QUOTE_SHELL;
cc192b50 232
26ac0430
AJ		 233 /* INET6: allow admin to configure some helpers explicitly to
234 bind to IPv4/v6 localhost port. */
cc192b50 235 } else if (strcmp(token, "ipv4") == 0) {
4dd643d5 236 if ( !a->local_addr.setIPv4() ) {
fa84c01d 237 debugs(3, DBG_CRITICAL, "WARNING: Error converting " << a->local_addr << " to IPv4 in " << a->name );
cc192b50 238 }
239 } else if (strcmp(token, "ipv6") == 0) {
055421ee 240 if (!Ip::EnableIpv6)
fa84c01d 241 debugs(3, DBG_CRITICAL, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a->name );
055421ee 242 // else nothing to do.
62e76326 243 } else {
244 break;
245 }
246
2eceb328 247 token = ConfigParser::NextToken();
d9572179 248 }
2eceb328 249 ConfigParser::DisableMacros();
62e76326 250
6f78f0ed 251 /* check that child startup value is sane. */
a3cecd6c
AJ		 252 if (a->children.n_startup > a->children.n_max)
253 a->children.n_startup = a->children.n_max;
48d54e4d 254
6f78f0ed 255 /* check that child idle value is sane. */
a3cecd6c
AJ		 256 if (a->children.n_idle > a->children.n_max)
257 a->children.n_idle = a->children.n_max;
258 if (a->children.n_idle < 1)
259 a->children.n_idle = 1;
48d54e4d 260
d9572179 261 if (a->negative_ttl == -1)
62e76326 262 a->negative_ttl = a->ttl;
d9572179 263
e44a3ec4 264 if (a->children.defaultQueueSize)
6825b101
CT		 265 a->children.queue_size = 2 * a->children.n_max;
266
4e56d7f6
AJ		 267 /* Legacy external_acl_type format parser.
268 * Handles a series of %... tokens where any non-% means
269 * the start of another parameter field (ie the path to binary).
270 */
271 enum Format::Quoting quote = Format::LOG_QUOTE_NONE;
272 Format::Token **fmt = &a->format.format;
712fa21e 273 bool data_used = false;
d9572179 274 while (token) {
4e56d7f6 275 /* stop on first non-% token found */
62e76326 276 if (*token != '%')
277 break;
278
4e56d7f6 279 *fmt = new Format::Token;
09e34608
AJ		 280 // these tokens are whitespace delimited
281 (*fmt)->space = true;
4e56d7f6 282
3a80bdd7 283 // set the default encoding to match the protocol= config
95d78f10
AJ		 284 // this will be overridden by explicit %macro attributes
285 (*fmt)->quote = a->quote;
286
4e56d7f6 287 // compatibility for old tokens incompatible with Format::Token syntax
61beade2 288#if USE_OPENSSL // do not bother unless we have to.
4e56d7f6
AJ		 289 if (strncmp(token, "%USER_CERT_", 11) == 0) {
290 (*fmt)->type = Format::LFT_EXT_ACL_USER_CERT;
291 (*fmt)->data.string = xstrdup(token + 11);
292 (*fmt)->data.header.header = (*fmt)->data.string;
f06585e0 293 } else if (strncmp(token, "%USER_CA_CERT_", 14) == 0) {
4e56d7f6
AJ		 294 (*fmt)->type = Format::LFT_EXT_ACL_USER_CA_CERT;
295 (*fmt)->data.string = xstrdup(token + 14);
296 (*fmt)->data.header.header = (*fmt)->data.string;
f06585e0 297 } else if (strncmp(token, "%CA_CERT_", 9) == 0) {
3650c90e 298 debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type %CA_CERT_* code is obsolete. Use %USER_CA_CERT_* instead");
4e56d7f6
AJ		 299 (*fmt)->type = Format::LFT_EXT_ACL_USER_CA_CERT;
300 (*fmt)->data.string = xstrdup(token + 9);
301 (*fmt)->data.header.header = (*fmt)->data.string;
302 } else
a7ad6e4e 303#endif
62b9cc19 304 if (strncmp(token,"%<{", 3) == 0) {
305 SBuf tmp("%<h");
306 tmp.append(token+2);
307 debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type format %<{...} is deprecated. Use " << tmp);
308 const size_t parsedLen = (*fmt)->parse(tmp.c_str(), &quote);
309 assert(parsedLen == tmp.length());
310 assert((*fmt)->type == Format::LFT_REPLY_HEADER ||
311 (*fmt)->type == Format::LFT_REPLY_HEADER_ELEM);
312
313 } else if (strncmp(token,"%>{", 3) == 0) {
314 SBuf tmp("%>ha");
315 tmp.append(token+2);
316 debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type format %>{...} is deprecated. Use " << tmp);
317 const size_t parsedLen = (*fmt)->parse(tmp.c_str(), &quote);
318 assert(parsedLen == tmp.length());
319 assert((*fmt)->type == Format::LFT_ADAPTED_REQUEST_HEADER ||
320 (*fmt)->type == Format::LFT_ADAPTED_REQUEST_HEADER_ELEM);
321
322 } else {
323 // we can use the Format::Token::parse() method since it
324 // only pulls off one token. Since we already checked
325 // for '%' prefix above this is guaranteed to be a token.
326 const size_t len = (*fmt)->parse(token, &quote);
327 assert(len == strlen(token));
328 }
4e56d7f6
AJ		 329
330 // process special token-specific actions (only if necessary)
2f1431ea 331#if USE_AUTH
4e56d7f6
AJ		 332 if ((*fmt)->type == Format::LFT_USER_LOGIN)
333 a->require_auth = true;
2f1431ea 334#endif
62e76326 335
95d78f10
AJ		 336 if ((*fmt)->type == Format::LFT_EXT_ACL_DATA)
337 data_used = true;
712fa21e 338
4e56d7f6 339 fmt = &((*fmt)->next);
2eceb328 340 token = ConfigParser::NextToken();
d9572179 341 }
342
343 /* There must be at least one format token */
7b6ce1c0
AJ		 344 if (!a->format.format) {
345 delete a;
62e76326 346 self_destruct();
7b6ce1c0
AJ		 347 return;
348 }
d9572179 349
712fa21e
AJ		 350 // format has implicit %DATA on the end if not used explicitly
351 if (!data_used) {
352 *fmt = new Format::Token;
353 (*fmt)->type = Format::LFT_EXT_ACL_DATA;
262eaf9a 354 (*fmt)->quote = Format::LOG_QUOTE_NONE;
712fa21e
AJ		 355 }
356
d9572179 357 /* helper */
7b6ce1c0
AJ		 358 if (!token) {
359 delete a;
62e76326 360 self_destruct();
7b6ce1c0
AJ		 361 return;
362 }
62e76326 363
d9572179 364 wordlistAdd(&a->cmdline, token);
365
366 /* arguments */
a336d130 367 parse_wordlist(&a->cmdline);
d9572179 368
369 while (*list)
62e76326 370 list = &(*list)->next;
371
d9572179 372 *list = a;
373}
374
375void
376dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl * list)
377{
378 const external_acl *node;
d9572179 379 const wordlist *word;
62e76326 380
d9572179 381 for (node = list; node; node = node->next) {
62e76326 382 storeAppendPrintf(sentry, "%s %s", name, node->name);
383
4dd643d5 384 if (!node->local_addr.isIPv6())
cc192b50 385 storeAppendPrintf(sentry, " ipv4");
386 else
387 storeAppendPrintf(sentry, " ipv6");
388
62e76326 389 if (node->ttl != DEFAULT_EXTERNAL_ACL_TTL)
390 storeAppendPrintf(sentry, " ttl=%d", node->ttl);
391
392 if (node->negative_ttl != node->ttl)
393 storeAppendPrintf(sentry, " negative_ttl=%d", node->negative_ttl);
394
47b0c1fa 395 if (node->grace)
396 storeAppendPrintf(sentry, " grace=%d", node->grace);
397
48d54e4d
AJ		 398 if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN)
399 storeAppendPrintf(sentry, " children-max=%d", node->children.n_max);
62e76326 400
2ccfb9a7 401 if (node->children.n_startup != 0) // sync with helper/ChildConfig.cc default
48d54e4d 402 storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup);
62e76326 403
2ccfb9a7 404 if (node->children.n_idle != 1) // sync with helper/ChildConfig.cc default
48d54e4d
AJ		 405 storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle);
406
2ccfb9a7 407 if (node->children.concurrency != 0)
48d54e4d 408 storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency);
07eca7e0 409
47b0c1fa 410 if (node->cache)
411 storeAppendPrintf(sentry, " cache=%d", node->cache_size);
412
95d78f10 413 if (node->quote == Format::LOG_QUOTE_SHELL)
05e52854
AJ		 414 storeAppendPrintf(sentry, " protocol=2.5");
415
4e56d7f6 416 node->format.dump(sentry, NULL, false);
62e76326 417
418 for (word = node->cmdline; word; word = word->next)
419 storeAppendPrintf(sentry, " %s", word->key);
420
421 storeAppendPrintf(sentry, "\n");
d9572179 422 }
423}
424
425void
426free_externalAclHelper(external_acl ** list)
427{
f963b531
AJ		 428 delete *list;
429 *list = NULL;
d9572179 430}
431
432static external_acl *
433find_externalAclHelper(const char *name)
434{
435 external_acl *node;
436
437 for (node = Config.externalAclHelperList; node; node = node->next) {
62e76326 438 if (strcmp(node->name, name) == 0)
439 return node;
d9572179 440 }
62e76326 441
d9572179 442 return NULL;
443}
444
1e5562e3 445void
abdd93d0 446external_acl::add(const ExternalACLEntryPointer &anEntry)
1e5562e3 447{
448 trimCache();
abdd93d0 449 assert(anEntry != NULL);
1e5562e3 450 assert (anEntry->def == NULL);
451 anEntry->def = this;
abdd93d0
AJ		 452 ExternalACLEntry *e = const_cast<ExternalACLEntry *>(anEntry.getRaw()); // XXX: make hash a std::map of Pointer.
453 hash_join(cache, e);
454 dlinkAdd(e, &e->lru, &lru_list);
455 e->lock(); //cbdataReference(e); // lock it on behalf of the hash
95dc7ff4 456 ++cache_entries;
1e5562e3 457}
458
459void
460external_acl::trimCache()
461{
abdd93d0
AJ		 462 if (cache_size && cache_entries >= cache_size) {
463 ExternalACLEntryPointer e(static_cast<ExternalACLEntry *>(lru_list.tail->data));
464 external_acl_cache_delete(this, e);
465 }
1e5562e3 466}
467
194ccc9c 468bool
329c128c 469external_acl::maybeCacheable(const Acl::Answer &result) const
194ccc9c
CT		 470{
471 if (cache_size <= 0)
472 return false; // cache is disabled
473
474 if (result == ACCESS_DUNNO)
475 return false; // non-cacheable response
476
06bf5384 477 if ((result.allowed() ? ttl : negative_ttl) <= 0)
194ccc9c
CT		 478 return false; // not caching this type of response
479
480 return true;
481}
482
d9572179 483/******************************************************************
484 * external acl type
485 */
486
f963b531
AJ		 487class external_acl_data
488{
489 CBDATA_CLASS(external_acl_data);
490
491public:
492 explicit external_acl_data(external_acl *aDef) : def(cbdataReference(aDef)), name(NULL), arguments(NULL) {}
493 ~external_acl_data();
494
d9572179 495 external_acl *def;
ec2d5242 496 const char *name;
d9572179 497 wordlist *arguments;
498};
499
f963b531
AJ		 500CBDATA_CLASS_INIT(external_acl_data);
501
502external_acl_data::~external_acl_data()
d9572179 503{
f963b531
AJ		 504 xfree(name);
505 wordlistDestroy(&arguments);
506 cbdataReferenceDone(def);
d9572179 507}
508
509void
b0dd28ba 510ACLExternal::parse()
d9572179 511{
7b6ce1c0 512 if (data) {
62e76326 513 self_destruct();
7b6ce1c0
AJ		 514 return;
515 }
62e76326 516
16c5ad96 517 char *token = ConfigParser::strtokFile();
62e76326 518
7b6ce1c0 519 if (!token) {
62e76326 520 self_destruct();
7b6ce1c0
AJ		 521 return;
522 }
62e76326 523
f963b531 524 data = new external_acl_data(find_externalAclHelper(token));
62e76326 525
7b6ce1c0
AJ		 526 if (!data->def) {
527 delete data;
62e76326 528 self_destruct();
7b6ce1c0
AJ		 529 return;
530 }
62e76326 531
ec2d5242
HN		 532 // def->name is the name of the external_acl_type.
533 // this is the name of the 'acl' directive being tested
534 data->name = xstrdup(AclMatchedName);
535
16c5ad96 536 while ((token = ConfigParser::strtokFile())) {
62e76326 537 wordlistAdd(&data->arguments, token);
d9572179 538 }
d9572179 539}
540
4b0f5de8 541bool
542ACLExternal::valid () const
543{
2f1431ea 544#if USE_AUTH
4b0f5de8 545 if (data->def->require_auth) {
546 if (authenticateSchemeCount() == 0) {
fa84c01d 547 debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes were compiled.");
4b0f5de8 548 return false;
549 }
550
551 if (authenticateActiveSchemeCount() == 0) {
fa84c01d 552 debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes are fully configured.");
4b0f5de8 553 return false;
554 }
555 }
2f1431ea 556#endif
4b0f5de8 557
558 return true;
559}
560
561bool
562ACLExternal::empty () const
563{
564 return false;
565}
566
b0dd28ba 567ACLExternal::~ACLExternal()
d9572179 568{
f963b531
AJ		 569 delete data;
570 xfree(class_);
d9572179 571}
572
1abe0161 573static void
abdd93d0 574copyResultsFromEntry(HttpRequest *req, const ExternalACLEntryPointer &entry)
1abe0161
AJ		 575{
576 if (req) {
577#if USE_AUTH
578 if (entry->user.size())
579 req->extacl_user = entry->user;
580
581 if (entry->password.size())
582 req->extacl_passwd = entry->password;
583#endif
584 if (!req->tag.size())
585 req->tag = entry->tag;
586
587 if (entry->log.size())
588 req->extacl_log = entry->log;
589
590 if (entry->message.size())
591 req->extacl_message = entry->message;
a1df1417
NH		 592
593 // attach the helper kv-pair to the transaction
594 UpdateRequestNotes(req->clientConnectionManager.get(), *req, entry->notes);
1abe0161
AJ		 595 }
596}
597
329c128c 598static Acl::Answer
c0941a6a 599aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch)
d9572179 600{
c69ce640 601 debugs(82, 9, HERE << "acl=\"" << acl->def->name << "\"");
abdd93d0 602 ExternalACLEntryPointer entry = ch->extacl_entry;
62e76326 603
6f58d7d7
AR		 604 external_acl_message = "MISSING REQUIRED INFORMATION";
605
abdd93d0
AJ		 606 if (entry != NULL) {
607 if (entry->def == acl->def) {
ad06254e 608 /* Ours, use it.. if the key matches */
6f58d7d7
AR		 609 const char *key = makeExternalAclKey(ch, acl);
610 if (!key)
2f8abb64 611 return ACCESS_DUNNO; // insufficient data to continue
ad06254e 612 if (strcmp(key, (char*)entry->key) != 0) {
61beade2 613 debugs(82, 9, "entry key='" << (char *)entry->key << "', our key='" << key << "' do not match. Discarded.");
ad06254e 614 // too bad. need a new lookup.
abdd93d0 615 entry = ch->extacl_entry = NULL;
ad06254e 616 }
62e76326 617 } else {
abdd93d0
AJ		 618 /* Not ours.. get rid of it */
619 debugs(82, 9, "entry " << entry << " not valid or not ours. Discarded.");
620 if (entry != NULL) {
621 debugs(82, 9, "entry def=" << entry->def << ", our def=" << acl->def);
6f58d7d7 622 const char *key = makeExternalAclKey(ch, acl); // may be nil
abdd93d0 623 debugs(82, 9, "entry key='" << (char *)entry->key << "', our key='" << key << "'");
c69ce640 624 }
abdd93d0 625 entry = ch->extacl_entry = NULL;
62e76326 626 }
d9572179 627 }
62e76326 628
d9572179 629 if (!entry) {
c69ce640 630 debugs(82, 9, HERE << "No helper entry available");
2f1431ea 631#if USE_AUTH
62e76326 632 if (acl->def->require_auth) {
62e76326 633 /* Make sure the user is authenticated */
e5f825ea 634 debugs(82, 3, HERE << acl->def->name << " check user authenticated.");
329c128c 635 const auto ti = AuthenticateAcl(ch);
06bf5384 636 if (!ti.allowed()) {
e5f825ea 637 debugs(82, 2, HERE << acl->def->name << " user not authenticated (" << ti << ")");
e0f7153c 638 return ti;
62e76326 639 }
e5f825ea 640 debugs(82, 3, HERE << acl->def->name << " user is authenticated.");
62e76326 641 }
2f1431ea 642#endif
6f58d7d7 643 const char *key = makeExternalAclKey(ch, acl);
41218131 644
645 if (!key) {
646 /* Not sufficient data to process */
e5f825ea 647 return ACCESS_DUNNO;
41218131 648 }
649
abdd93d0 650 entry = static_cast<ExternalACLEntry *>(hash_lookup(acl->def->cache, key));
62e76326 651
abdd93d0
AJ		 652 const ExternalACLEntryPointer staleEntry = entry;
653 if (entry != NULL && external_acl_entry_expired(acl->def, entry))
e0f7153c
AR		 654 entry = NULL;
655
abdd93d0 656 if (entry != NULL && external_acl_grace_expired(acl->def, entry)) {
e0f7153c
AR		 657 // refresh in the background
658 ExternalACLLookup::Start(ch, acl, true);
659 debugs(82, 4, HERE << "no need to wait for the refresh of '" <<
660 key << "' in '" << acl->def->name << "' (ch=" << ch << ").");
661 }
662
663 if (!entry) {
e5f825ea 664 debugs(82, 2, HERE << acl->def->name << "(\"" << key << "\") = lookup needed");
95a83c22 665
6082a0e2
EB		 666 // TODO: All other helpers allow temporary overload. Should not we?
667 if (!acl->def->theHelper->willOverload()) {
e5f825ea 668 debugs(82, 2, HERE << "\"" << key << "\": queueing a call.");
6f58d7d7
AR		 669 if (!ch->goAsync(ExternalACLLookup::Instance()))
670 debugs(82, 2, "\"" << key << "\": no async support!");
e5f825ea 671 debugs(82, 2, HERE << "\"" << key << "\": return -1.");
e0f7153c 672 return ACCESS_DUNNO; // expired cached or simply absent entry
47b0c1fa 673 } else {
e0f7153c 674 if (!staleEntry) {
e5f825ea 675 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
6082a0e2 676 "' queue full. Request rejected '" << key << "'.");
4a972fa2 677 external_acl_message = "SYSTEM TOO BUSY, TRY AGAIN LATER";
e5f825ea 678 return ACCESS_DUNNO;
47b0c1fa 679 } else {
e5f825ea 680 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
6082a0e2 681 "' queue full. Using stale result. '" << key << "'.");
e0f7153c 682 entry = staleEntry;
47b0c1fa 683 /* Fall thru to processing below */
684 }
685 }
686 }
d9572179 687 }
62e76326 688
e0f7153c
AR		 689 debugs(82, 4, HERE << "entry = { date=" <<
690 (long unsigned int) entry->date <<
691 ", result=" << entry->result <<
692 " tag=" << entry->tag <<
693 " log=" << entry->log << " }");
694#if USE_AUTH
695 debugs(82, 4, HERE << "entry user=" << entry->user);
696#endif
697
d9572179 698 external_acl_cache_touch(acl->def, entry);
a7a42b14 699 external_acl_message = entry->message.termedBuf();
4a972fa2 700
e5f825ea 701 debugs(82, 2, HERE << acl->def->name << " = " << entry->result);
1abe0161 702 copyResultsFromEntry(ch->request, entry);
e5f825ea 703 return entry->result;
d9572179 704}
705
b0dd28ba 706int
707ACLExternal::match(ACLChecklist *checklist)
708{
329c128c 709 auto answer = aclMatchExternal(data, Filled(checklist));
e5f825ea
AJ		 710
711 // convert to tri-state ACL match 1,0,-1
9b831d57 712 switch (answer) {
e5f825ea 713 case ACCESS_ALLOWED:
e5f825ea
AJ		 714 return 1; // match
715
716 case ACCESS_DENIED:
e5f825ea
AJ		 717 return 0; // non-match
718
719 case ACCESS_DUNNO:
720 case ACCESS_AUTH_REQUIRED:
721 default:
e0f7153c 722 // If the answer is not allowed or denied (matches/not matches) and
6f58d7d7
AR		 723 // async authentication is not in progress, then we are done.
724 if (checklist->keepMatching())
e0f7153c 725 checklist->markFinished(answer, "aclMatchExternal exception");
e5f825ea
AJ		 726 return -1; // other
727 }
b0dd28ba 728}
729
dfad5100 730SBufList
b0dd28ba 731ACLExternal::dump() const
d9572179 732{
b0dd28ba 733 external_acl_data const *acl = data;
dfad5100
FC		 734 SBufList rv;
735 rv.push_back(SBuf(acl->def->name));
62e76326 736
dfad5100
FC		 737 for (wordlist *arg = acl->arguments; arg; arg = arg->next) {
738 SBuf s;
739 s.Printf(" %s", arg->key);
740 rv.push_back(s);
d9572179 741 }
62e76326 742
dfad5100 743 return rv;
d9572179 744}
745
746/******************************************************************
747 * external_acl cache
748 */
749
d9572179 750static void
abdd93d0 751external_acl_cache_touch(external_acl * def, const ExternalACLEntryPointer &entry)
d9572179 752{
c69ce640 753 // this must not be done when nothing is being cached.
194ccc9c 754 if (!def->maybeCacheable(entry->result))
c69ce640
AJ		 755 return;
756
d9572179 757 dlinkDelete(&entry->lru, &def->lru_list);
abdd93d0
AJ		 758 ExternalACLEntry *e = const_cast<ExternalACLEntry *>(entry.getRaw()); // XXX: make hash a std::map of Pointer.
759 dlinkAdd(e, &entry->lru, &def->lru_list);
d9572179 760}
761
762static char *
c0941a6a 763makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
d9572179 764{
032785bf 765 static MemBuf mb;
09e34608 766 mb.reset();
62e76326 767
4e56d7f6
AJ		 768 // check for special case tokens in the format
769 for (Format::Token *t = acl_data->def->format.format; t ; t = t->next) {
62e76326 770
4e56d7f6
AJ		 771 if (t->type == Format::LFT_EXT_ACL_NAME) {
772 // setup for %ACL
4ff6370b
AJ		 773 safe_free(ch->al->lastAclName);
774 ch->al->lastAclName = xstrdup(acl_data->name);
789dda8d
CT		 775 }
776
778647be 777 if (t->type == Format::LFT_EXT_ACL_DATA) {
4e56d7f6
AJ		 778 // setup string for %DATA
779 SBuf sb;
4e56d7f6 780 for (auto arg = acl_data->arguments; arg; arg = arg->next) {
778647be 781 if (sb.length())
ec2d5242
HN		 782 sb.append(" ", 1);
783
95d78f10 784 if (acl_data->def->quote == Format::LOG_QUOTE_URL) {
ec2d5242
HN		 785 const char *quoted = rfc1738_escape(arg->key);
786 sb.append(quoted, strlen(quoted));
787 } else {
788 static MemBuf mb2;
789 mb2.init();
790 strwordquote(&mb2, arg->key);
791 sb.append(mb2.buf, mb2.size);
792 mb2.clean();
793 }
ec2d5242 794 }
778647be 795
b0e14ce2 796 ch->al->lastAclData = sb;
dc1af3cf 797 }
62e76326 798
33c2eb4d 799#if USE_IDENT
4e56d7f6 800 if (t->type == Format::LFT_USER_IDENT) {
a51ed963 801 if (!*ch->rfc931) {
4e56d7f6
AJ		 802 // if we fail to go async, we still return NULL and the caller
803 // will detect the failure in ACLExternal::match().
804 (void)ch->goAsync(IdentLookup::Instance());
805 return NULL;
ec2d5242 806 }
ec2d5242 807 }
33c2eb4d 808#endif
d9572179 809 }
62e76326 810
712fa21e 811 // assemble the full helper lookup string
4e56d7f6
AJ		 812 acl_data->def->format.assemble(mb, ch->al, 0);
813
d9572179 814 return mb.buf;
d9572179 815}
816
817static int
abdd93d0 818external_acl_entry_expired(external_acl * def, const ExternalACLEntryPointer &entry)
d9572179 819{
194ccc9c 820 if (def->cache_size <= 0 || entry->result == ACCESS_DUNNO)
c69ce640
AJ		 821 return 1;
822
06bf5384 823 if (entry->date + (entry->result.allowed() ? def->ttl : def->negative_ttl) < squid_curtime)
62e76326 824 return 1;
d9572179 825 else
62e76326 826 return 0;
d9572179 827}
62e76326 828
47b0c1fa 829static int
abdd93d0 830external_acl_grace_expired(external_acl * def, const ExternalACLEntryPointer &entry)
47b0c1fa 831{
194ccc9c 832 if (def->cache_size <= 0 || entry->result == ACCESS_DUNNO)
c69ce640
AJ		 833 return 1;
834
47b0c1fa 835 int ttl;
06bf5384 836 ttl = entry->result.allowed() ? def->ttl : def->negative_ttl;
47b0c1fa 837 ttl = (ttl * (100 - def->grace)) / 100;
838
98b70eff 839 if (entry->date + ttl <= squid_curtime)
47b0c1fa 840 return 1;
841 else
842 return 0;
843}
844
abdd93d0 845static ExternalACLEntryPointer
1e5562e3 846external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data)
d9572179 847{
abdd93d0 848 ExternalACLEntryPointer entry;
c69ce640 849
194ccc9c 850 if (!def->maybeCacheable(data.result)) {
c69ce640 851 debugs(82,6, HERE);
194ccc9c
CT		 852
853 if (data.result == ACCESS_DUNNO) {
854 if (const ExternalACLEntryPointer oldentry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key)))
855 external_acl_cache_delete(def, oldentry);
856 }
c69ce640
AJ		 857 entry = new ExternalACLEntry;
858 entry->key = xstrdup(key);
859 entry->update(data);
860 entry->def = def;
861 return entry;
862 }
863
864 entry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key));
bf8fe701 865 debugs(82, 2, "external_acl_cache_add: Adding '" << key << "' = " << data.result);
62e76326 866
abdd93d0
AJ		 867 if (entry != NULL) {
868 debugs(82, 3, "updating existing entry");
c69ce640 869 entry->update(data);
62e76326 870 external_acl_cache_touch(def, entry);
62e76326 871 return entry;
d9572179 872 }
62e76326 873
1e5562e3 874 entry = new ExternalACLEntry;
4a8b20e8 875 entry->key = xstrdup(key);
c69ce640 876 entry->update(data);
1e5562e3 877
6ca34f6f 878 def->add(entry);
1e5562e3 879
d9572179 880 return entry;
881}
882
883static void
abdd93d0 884external_acl_cache_delete(external_acl * def, const ExternalACLEntryPointer &entry)
d9572179 885{
abdd93d0 886 assert(entry != NULL);
c69ce640 887 assert(def->cache_size > 0 && entry->def == def);
abdd93d0
AJ		 888 ExternalACLEntry *e = const_cast<ExternalACLEntry *>(entry.getRaw()); // XXX: make hash a std::map of Pointer.
889 hash_remove_link(def->cache, e);
890 dlinkDelete(&e->lru, &def->lru_list);
891 e->unlock(); // unlock on behalf of the hash
d9572179 892 def->cache_entries -= 1;
d9572179 893}
894
895/******************************************************************
896 * external_acl helpers
897 */
898
f963b531
AJ		 899class externalAclState
900{
901 CBDATA_CLASS(externalAclState);
902
903public:
904 externalAclState(external_acl* aDef, const char *aKey) :
905 callback(NULL),
906 callback_data(NULL),
907 key(xstrdup(aKey)),
908 def(cbdataReference(aDef)),
909 queue(NULL)
910 {}
911 ~externalAclState();
62e76326 912
d9572179 913 EAH *callback;
914 void *callback_data;
915 char *key;
916 external_acl *def;
917 dlink_node list;
918 externalAclState *queue;
919};
920
f963b531
AJ		 921CBDATA_CLASS_INIT(externalAclState);
922
923externalAclState::~externalAclState()
d9572179 924{
f963b531
AJ		 925 xfree(key);
926 cbdataReferenceDone(callback_data);
927 cbdataReferenceDone(def);
d9572179 928}
929
d9572179 930/*
931 * The helper program receives queries on stdin, one
07eca7e0 932 * per line, and must return the result on on stdout
d9572179 933 *
934 * General result syntax:
935 *
936 * OK/ERR keyword=value ...
937 *
938 * Keywords:
939 *
4a972fa2 940 * user= The users name (login)
941 * message= Message describing the reason
f53969cc
SM		 942 * tag= A string tag to be applied to the request that triggered the acl match.
943 * applies to both OK and ERR responses.
944 * Won't override existing request tags.
945 * log= A string to be used in access logging
d9572179 946 *
947 * Other keywords may be added to the protocol later
948 *
05e52854
AJ		 949 * value needs to be URL-encoded or enclosed in double quotes (")
950 * with \-escaping on any whitespace, quotes, or slashes (\).
d9572179 951 */
d9572179 952static void
24438ec5 953externalAclHandleReply(void *data, const Helper::Reply &reply)
d9572179 954{
e6ccf245 955 externalAclState *state = static_cast<externalAclState *>(data);
d9572179 956 externalAclState *next;
1e5562e3 957 ExternalACLEntryData entryData;
d9572179 958
0272dd08 959 debugs(82, 2, HERE << "reply=" << reply);
d9572179 960
2428ce02 961 if (reply.result == Helper::Okay)
0272dd08 962 entryData.result = ACCESS_ALLOWED;
194ccc9c
CT		 963 else if (reply.result == Helper::Error)
964 entryData.result = ACCESS_DENIED;
965 else //BrokenHelper,TimedOut or Unknown. Should not cached.
966 entryData.result = ACCESS_DUNNO;
62e76326 967
24438ec5 968 // XXX: make entryData store a proper Helper::Reply object instead of copying.
ab332e27 969
a0592634
AJ		 970 entryData.notes.append(&reply.notes);
971
cf9f0261
CT		 972 const char *label = reply.notes.findFirst("tag");
973 if (label != NULL && *label != '\0')
974 entryData.tag = label;
62e76326 975
cf9f0261
CT		 976 label = reply.notes.findFirst("message");
977 if (label != NULL && *label != '\0')
978 entryData.message = label;
62e76326 979
cf9f0261
CT		 980 label = reply.notes.findFirst("log");
981 if (label != NULL && *label != '\0')
982 entryData.log = label;
62e76326 983
2f1431ea 984#if USE_AUTH
cf9f0261
CT		 985 label = reply.notes.findFirst("user");
986 if (label != NULL && *label != '\0')
987 entryData.user = label;
7bbefa01 988
cf9f0261
CT		 989 label = reply.notes.findFirst("password");
990 if (label != NULL && *label != '\0')
991 entryData.password = label;
2f1431ea 992#endif
62e76326 993
23da195f
CT		 994 // XXX: This state->def access conflicts with the cbdata validity check
995 // below.
d9572179 996 dlinkDelete(&state->list, &state->def->queue);
62e76326 997
abdd93d0 998 ExternalACLEntryPointer entry;
194ccc9c
CT		 999 if (cbdataReferenceValid(state->def))
1000 entry = external_acl_cache_add(state->def, state->key, entryData);
d9572179 1001
1002 do {
62e76326 1003 void *cbdata;
47b0c1fa 1004 if (state->callback && cbdataReferenceValidDone(state->callback_data, &cbdata))
62e76326 1005 state->callback(cbdata, entry);
1006
1007 next = state->queue;
f963b531 1008 state->queue = NULL;
d9572179 1009
f963b531 1010 delete state;
d9572179 1011
62e76326 1012 state = next;
d9572179 1013 } while (state);
1014}
1015
1016void
e0f7153c 1017ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me)
d9572179 1018{
e0f7153c
AR		 1019 ExternalACLLookup::Start(checklist, me->data, false);
1020}
c8e7608c 1021
e0f7153c
AR		 1022void
1023ExternalACLLookup::Start(ACLChecklist *checklist, external_acl_data *acl, bool inBackground)
1024{
1025 external_acl *def = acl->def;
c0f81932 1026
c0941a6a 1027 ACLFilledChecklist *ch = Filled(checklist);
c8e7608c 1028 const char *key = makeExternalAclKey(ch, acl);
6f58d7d7 1029 assert(key); // XXX: will fail if EXT_ACL_IDENT case needs an async lookup
62e76326 1030
e0f7153c
AR		 1031 debugs(82, 2, HERE << (inBackground ? "bg" : "fg") << " lookup in '" <<
1032 def->name << "' for '" << key << "'");
62e76326 1033
47b0c1fa 1034 /* Check for a pending lookup to hook into */
c69ce640 1035 // only possible if we are caching results.
e0f7153c 1036 externalAclState *oldstate = NULL;
c69ce640 1037 if (def->cache_size > 0) {
e0f7153c 1038 for (dlink_node *node = def->queue.head; node; node = node->next) {
c69ce640 1039 externalAclState *oldstatetmp = static_cast<externalAclState *>(node->data);
62e76326 1040
c69ce640
AJ		 1041 if (strcmp(key, oldstatetmp->key) == 0) {
1042 oldstate = oldstatetmp;
1043 break;
1044 }
47b0c1fa 1045 }
1046 }
62e76326 1047
e0f7153c
AR		 1048 // A background refresh has no need to piggiback on a pending request:
1049 // When the pending request completes, the cache will be refreshed anyway.
1050 if (oldstate && inBackground) {
1051 debugs(82, 7, HERE << "'" << def->name << "' queue is already being refreshed (ch=" << ch << ")");
47b0c1fa 1052 return;
1053 }
62e76326 1054
f963b531 1055 externalAclState *state = new externalAclState(def, key);
62e76326 1056
e0f7153c
AR		 1057 if (!inBackground) {
1058 state->callback = &ExternalACLLookup::LookupDone;
1059 state->callback_data = cbdataReference(checklist);
d9572179 1060 }
62e76326 1061
47b0c1fa 1062 if (oldstate) {
1063 /* Hook into pending lookup */
1064 state->queue = oldstate->queue;
1065 oldstate->queue = state;
1066 } else {
e0f7153c
AR		 1067 /* No pending lookup found. Sumbit to helper */
1068
e0f7153c 1069 MemBuf buf;
2fe7eff9 1070 buf.init();
4391cd15 1071 buf.appendf("%s\n", key);
bf8fe701 1072 debugs(82, 4, "externalAclLookup: looking up for '" << key << "' in '" << def->name << "'.");
ab321f4b 1073
6825b101
CT		 1074 if (!def->theHelper->trySubmit(buf.buf, externalAclHandleReply, state)) {
1075 debugs(82, 7, HERE << "'" << def->name << "' submit to helper failed");
1076 assert(inBackground); // or the caller should have checked
f963b531 1077 delete state;
6825b101
CT		 1078 return;
1079 }
62e76326 1080
47b0c1fa 1081 dlinkAdd(state, &state->list, &def->queue);
62e76326 1082
2fe7eff9 1083 buf.clean();
47b0c1fa 1084 }
62e76326 1085
bf8fe701 1086 debugs(82, 4, "externalAclLookup: will wait for the result of '" << key <<
1087 "' in '" << def->name << "' (ch=" << ch << ").");
d9572179 1088}
1089
1090static void
1091externalAclStats(StoreEntry * sentry)
1092{
f963b531 1093 for (external_acl *p = Config.externalAclHelperList; p; p = p->next) {
62e76326 1094 storeAppendPrintf(sentry, "External ACL Statistics: %s\n", p->name);
1095 storeAppendPrintf(sentry, "Cache size: %d\n", p->cache->count);
bf3e8d5a
AJ		 1096 assert(p->theHelper);
1097 p->theHelper->packStatsInto(sentry);
62e76326 1098 storeAppendPrintf(sentry, "\n");
d9572179 1099 }
1100}
1101
6b7d87bb
FC		 1102static void
1103externalAclRegisterWithCacheManager(void)
1104{
8822ebee 1105 Mgr::RegisterAction("external_acl",
d9fc6862
A		 1106 "External ACL stats",
1107 externalAclStats, 0, 1);
6b7d87bb
FC		 1108}
1109
d9572179 1110void
1111externalAclInit(void)
1112{
f963b531 1113 for (external_acl *p = Config.externalAclHelperList; p; p = p->next) {
62e76326 1114 if (!p->cache)
30abd221 1115 p->cache = hash_create((HASHCMP *) strcmp, hashPrime(1024), hash4);
62e76326 1116
1117 if (!p->theHelper)
48d54e4d 1118 p->theHelper = new helper(p->name);
62e76326 1119
1120 p->theHelper->cmdline = p->cmdline;
1121
1af735c7 1122 p->theHelper->childs.updateLimits(p->children);
07eca7e0 1123
62e76326 1124 p->theHelper->ipc_type = IPC_TCP_SOCKET;
1125
cc192b50 1126 p->theHelper->addr = p->local_addr;
1127
62e76326 1128 helperOpenServers(p->theHelper);
d9572179 1129 }
62e76326 1130
ea391f18 1131 externalAclRegisterWithCacheManager();
d9572179 1132}
1133
1134void
1135externalAclShutdown(void)
1136{
1137 external_acl *p;
62e76326 1138
d9572179 1139 for (p = Config.externalAclHelperList; p; p = p->next) {
62e76326 1140 helperShutdown(p->theHelper);
d9572179 1141 }
1142}
225b7b10 1143
1144ExternalACLLookup ExternalACLLookup::instance_;
1145ExternalACLLookup *
1146ExternalACLLookup::Instance()
1147{
1148 return &instance_;
1149}
1150
1151void
1152ExternalACLLookup::checkForAsync(ACLChecklist *checklist)const
1153{
b0dd28ba 1154 /* TODO: optimise this - we probably have a pointer to this
1155 * around somewhere */
97427e90 1156 ACL *acl = ACL::FindByName(AclMatchedName);
ab321f4b 1157 assert(acl);
b0dd28ba 1158 ACLExternal *me = dynamic_cast<ACLExternal *> (acl);
1159 assert (me);
e0f7153c 1160 ACLExternal::ExternalAclLookup(checklist, me);
225b7b10 1161}
1162
e0f7153c 1163/// Called when an async lookup returns
225b7b10 1164void
abdd93d0 1165ExternalACLLookup::LookupDone(void *data, const ExternalACLEntryPointer &result)
225b7b10 1166{
c0941a6a 1167 ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
abdd93d0 1168 checklist->extacl_entry = result;
6f58d7d7 1169 checklist->resumeNonBlockingCheck(ExternalACLLookup::Instance());
225b7b10 1170}
b0dd28ba 1171
b0dd28ba 1172ACL *
1173ACLExternal::clone() const
1174{
1175 return new ACLExternal(*this);
1176}
1177
86c63190 1178ACLExternal::ACLExternal(char const *theClass) : data(NULL), class_(xstrdup(theClass))
b0dd28ba 1179{}
1180
86c63190 1181ACLExternal::ACLExternal(ACLExternal const & old) : data(NULL), class_(old.class_ ? xstrdup(old.class_) : NULL)
b0dd28ba 1182{
1183 /* we don't have copy constructors for the data yet */
86c63190 1184 assert(!old.data);
b0dd28ba 1185}
1186
b0dd28ba 1187char const *
1188ACLExternal::typeString() const
1189{
1190 return class_;
1191}
1192
e870b1f8 1193bool
1194ACLExternal::isProxyAuth() const
1195{
2f1431ea 1196#if USE_AUTH
e870b1f8 1197 return data->def->require_auth;
2f1431ea
AJ		 1198#else
1199 return false;
1200#endif
e870b1f8 1201}
f53969cc 1202
Mirror of https://github.com/squid-cache/squid.git