]>
Commit | Line | Data |
---|---|---|
d9572179 | 1 | /* |
f70aedc4 | 2 | * Copyright (C) 1996-2021 The Squid Software Foundation and contributors |
d9572179 | 3 | * |
bbc27441 AJ |
4 | * Squid software is distributed under GPLv2+ license and includes |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
d9572179 | 7 | */ |
8 | ||
bbc27441 AJ |
9 | /* DEBUG: section 82 External ACL */ |
10 | ||
582c2af2 | 11 | #include "squid.h" |
c0941a6a | 12 | #include "acl/Acl.h" |
582c2af2 | 13 | #include "acl/FilledChecklist.h" |
8a01b99e | 14 | #include "cache_cf.h" |
a46d2c0e | 15 | #include "client_side.h" |
4e56d7f6 | 16 | #include "client_side_request.h" |
5c336a3b | 17 | #include "comm/Connection.h" |
2eceb328 | 18 | #include "ConfigParser.h" |
582c2af2 | 19 | #include "ExternalACL.h" |
f9b6ff6e | 20 | #include "ExternalACLEntry.h" |
582c2af2 | 21 | #include "fde.h" |
4e56d7f6 | 22 | #include "format/Token.h" |
aa839030 | 23 | #include "helper.h" |
24438ec5 | 24 | #include "helper/Reply.h" |
d3dddfb5 | 25 | #include "http/Stream.h" |
a5bac1d2 | 26 | #include "HttpHeaderTools.h" |
582c2af2 FC |
27 | #include "HttpReply.h" |
28 | #include "HttpRequest.h" | |
29 | #include "ip/tools.h" | |
0eb49b6d | 30 | #include "MemBuf.h" |
582c2af2 | 31 | #include "mgr/Registration.h" |
1fa9b1a7 | 32 | #include "rfc1738.h" |
4d5904f7 | 33 | #include "SquidConfig.h" |
f9b6ff6e | 34 | #include "SquidString.h" |
582c2af2 FC |
35 | #include "SquidTime.h" |
36 | #include "Store.h" | |
4e540555 | 37 | #include "tools.h" |
d295d770 | 38 | #include "wordlist.h" |
cb4f4424 | 39 | #if USE_OPENSSL |
cedca6e7 | 40 | #include "ssl/ServerBump.h" |
4db984be CT |
41 | #include "ssl/support.h" |
42 | #endif | |
582c2af2 FC |
43 | #if USE_AUTH |
44 | #include "auth/Acl.h" | |
45 | #include "auth/Gadgets.h" | |
46 | #include "auth/UserRequest.h" | |
47 | #endif | |
48 | #if USE_IDENT | |
49 | #include "ident/AclIdent.h" | |
50 | #endif | |
d9572179 | 51 | |
52 | #ifndef DEFAULT_EXTERNAL_ACL_TTL | |
53 | #define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60 | |
54 | #endif | |
d4f2f353 | 55 | #ifndef DEFAULT_EXTERNAL_ACL_CHILDREN |
56 | #define DEFAULT_EXTERNAL_ACL_CHILDREN 5 | |
d9572179 | 57 | #endif |
58 | ||
c0941a6a | 59 | static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data); |
abdd93d0 AJ |
60 | static void external_acl_cache_delete(external_acl * def, const ExternalACLEntryPointer &entry); |
61 | static int external_acl_entry_expired(external_acl * def, const ExternalACLEntryPointer &entry); | |
62 | static int external_acl_grace_expired(external_acl * def, const ExternalACLEntryPointer &entry); | |
63 | static void external_acl_cache_touch(external_acl * def, const ExternalACLEntryPointer &entry); | |
64 | static ExternalACLEntryPointer external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data); | |
d9572179 | 65 | |
66 | /****************************************************************** | |
67 | * external_acl directive | |
68 | */ | |
62e76326 | 69 | |
1e5562e3 | 70 | class external_acl |
62e76326 | 71 | { |
9837567d | 72 | /* XXX: These are not really cbdata, but it is an easy way |
f205a92e | 73 | * to get them pooled, refcounted, accounted and freed properly... |
9837567d | 74 | * Use RefCountable MEMPROXY_CLASS instead |
f205a92e | 75 | */ |
f963b531 | 76 | CBDATA_CLASS(external_acl); |
1e5562e3 | 77 | |
78 | public: | |
f963b531 AJ |
79 | external_acl(); |
80 | ~external_acl(); | |
81 | ||
d9572179 | 82 | external_acl *next; |
1e5562e3 | 83 | |
abdd93d0 | 84 | void add(const ExternalACLEntryPointer &); |
1e5562e3 | 85 | |
86 | void trimCache(); | |
87 | ||
329c128c | 88 | bool maybeCacheable(const Acl::Answer &) const; |
194ccc9c | 89 | |
d9572179 | 90 | int ttl; |
1e5562e3 | 91 | |
d9572179 | 92 | int negative_ttl; |
1e5562e3 | 93 | |
47b0c1fa | 94 | int grace; |
95 | ||
d9572179 | 96 | char *name; |
1e5562e3 | 97 | |
4e56d7f6 | 98 | Format::Format format; |
1e5562e3 | 99 | |
d9572179 | 100 | wordlist *cmdline; |
1e5562e3 | 101 | |
76d9b994 | 102 | Helper::ChildConfig children; |
07eca7e0 | 103 | |
e6ccf245 | 104 | helper *theHelper; |
1e5562e3 | 105 | |
d9572179 | 106 | hash_table *cache; |
1e5562e3 | 107 | |
d9572179 | 108 | dlink_list lru_list; |
1e5562e3 | 109 | |
d9572179 | 110 | int cache_size; |
1e5562e3 | 111 | |
d9572179 | 112 | int cache_entries; |
1e5562e3 | 113 | |
d9572179 | 114 | dlink_list queue; |
1e5562e3 | 115 | |
2f1431ea | 116 | #if USE_AUTH |
3265364b AJ |
117 | /** |
118 | * Configuration flag. May only be altered by the configuration parser. | |
119 | * | |
120 | * Indicates that all uses of this external_acl_type helper require authentication | |
121 | * details to be processed. If none are available its a fail match. | |
122 | */ | |
e870b1f8 | 123 | bool require_auth; |
2f1431ea | 124 | #endif |
dc1af3cf | 125 | |
95d78f10 | 126 | Format::Quoting quote; // default quoting to use, set by protocol= parameter |
cc192b50 | 127 | |
b7ac5457 | 128 | Ip::Address local_addr; |
d9572179 | 129 | }; |
130 | ||
f963b531 AJ |
131 | CBDATA_CLASS_INIT(external_acl); |
132 | ||
133 | external_acl::external_acl() : | |
cc8c4af2 | 134 | next(NULL), |
f963b531 AJ |
135 | ttl(DEFAULT_EXTERNAL_ACL_TTL), |
136 | negative_ttl(-1), | |
137 | grace(1), | |
138 | name(NULL), | |
4e56d7f6 | 139 | format("external_acl_type"), |
f963b531 AJ |
140 | cmdline(NULL), |
141 | children(DEFAULT_EXTERNAL_ACL_CHILDREN), | |
142 | theHelper(NULL), | |
143 | cache(NULL), | |
144 | cache_size(256*1024), | |
145 | cache_entries(0), | |
146 | #if USE_AUTH | |
147 | require_auth(0), | |
148 | #endif | |
95d78f10 | 149 | quote(Format::LOG_QUOTE_URL) |
d9572179 | 150 | { |
f963b531 AJ |
151 | local_addr.setLocalhost(); |
152 | } | |
62e76326 | 153 | |
f963b531 AJ |
154 | external_acl::~external_acl() |
155 | { | |
156 | xfree(name); | |
f963b531 AJ |
157 | wordlistDestroy(&cmdline); |
158 | ||
159 | if (theHelper) { | |
160 | helperShutdown(theHelper); | |
161 | delete theHelper; | |
162 | theHelper = NULL; | |
d9572179 | 163 | } |
62e76326 | 164 | |
f963b531 AJ |
165 | while (lru_list.tail) { |
166 | ExternalACLEntryPointer e(static_cast<ExternalACLEntry *>(lru_list.tail->data)); | |
167 | external_acl_cache_delete(this, e); | |
168 | } | |
169 | if (cache) | |
170 | hashFreeMemory(cache); | |
171 | ||
172 | while (next) { | |
173 | external_acl *node = next; | |
174 | next = node->next; | |
175 | node->next = NULL; // prevent recursion | |
176 | delete node; | |
abdd93d0 | 177 | } |
d9572179 | 178 | } |
179 | ||
180 | void | |
181 | parse_externalAclHelper(external_acl ** list) | |
182 | { | |
f963b531 | 183 | char *token = ConfigParser::NextToken(); |
62e76326 | 184 | |
7b6ce1c0 | 185 | if (!token) { |
62e76326 | 186 | self_destruct(); |
7b6ce1c0 AJ |
187 | return; |
188 | } | |
62e76326 | 189 | |
7b6ce1c0 | 190 | external_acl *a = new external_acl; |
d9572179 | 191 | a->name = xstrdup(token); |
192 | ||
2eceb328 CT |
193 | // Allow supported %macros inside quoted tokens |
194 | ConfigParser::EnableMacros(); | |
195 | token = ConfigParser::NextToken(); | |
62e76326 | 196 | |
d9572179 | 197 | /* Parse options */ |
198 | while (token) { | |
62e76326 | 199 | if (strncmp(token, "ttl=", 4) == 0) { |
200 | a->ttl = atoi(token + 4); | |
201 | } else if (strncmp(token, "negative_ttl=", 13) == 0) { | |
202 | a->negative_ttl = atoi(token + 13); | |
07eca7e0 | 203 | } else if (strncmp(token, "children=", 9) == 0) { |
48d54e4d | 204 | a->children.n_max = atoi(token + 9); |
fa84c01d | 205 | debugs(0, DBG_CRITICAL, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N"); |
48d54e4d AJ |
206 | } else if (strncmp(token, "children-max=", 13) == 0) { |
207 | a->children.n_max = atoi(token + 13); | |
208 | } else if (strncmp(token, "children-startup=", 17) == 0) { | |
209 | a->children.n_startup = atoi(token + 17); | |
210 | } else if (strncmp(token, "children-idle=", 14) == 0) { | |
211 | a->children.n_idle = atoi(token + 14); | |
07eca7e0 | 212 | } else if (strncmp(token, "concurrency=", 12) == 0) { |
48d54e4d | 213 | a->children.concurrency = atoi(token + 12); |
6825b101 CT |
214 | } else if (strncmp(token, "queue-size=", 11) == 0) { |
215 | a->children.queue_size = atoi(token + 11); | |
216 | a->children.defaultQueueSize = false; | |
62e76326 | 217 | } else if (strncmp(token, "cache=", 6) == 0) { |
218 | a->cache_size = atoi(token + 6); | |
47b0c1fa | 219 | } else if (strncmp(token, "grace=", 6) == 0) { |
220 | a->grace = atoi(token + 6); | |
dc1af3cf | 221 | } else if (strcmp(token, "protocol=2.5") == 0) { |
95d78f10 | 222 | a->quote = Format::LOG_QUOTE_SHELL; |
dc1af3cf | 223 | } else if (strcmp(token, "protocol=3.0") == 0) { |
05e52854 | 224 | debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option protocol=3.0 is deprecated. Remove this from your config."); |
95d78f10 | 225 | a->quote = Format::LOG_QUOTE_URL; |
dc1af3cf | 226 | } else if (strcmp(token, "quote=url") == 0) { |
05e52854 | 227 | debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option quote=url is deprecated. Remove this from your config."); |
95d78f10 | 228 | a->quote = Format::LOG_QUOTE_URL; |
dc1af3cf | 229 | } else if (strcmp(token, "quote=shell") == 0) { |
05e52854 | 230 | debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option quote=shell is deprecated. Use protocol=2.5 if still needed."); |
95d78f10 | 231 | a->quote = Format::LOG_QUOTE_SHELL; |
cc192b50 | 232 | |
26ac0430 AJ |
233 | /* INET6: allow admin to configure some helpers explicitly to |
234 | bind to IPv4/v6 localhost port. */ | |
cc192b50 | 235 | } else if (strcmp(token, "ipv4") == 0) { |
4dd643d5 | 236 | if ( !a->local_addr.setIPv4() ) { |
fa84c01d | 237 | debugs(3, DBG_CRITICAL, "WARNING: Error converting " << a->local_addr << " to IPv4 in " << a->name ); |
cc192b50 | 238 | } |
239 | } else if (strcmp(token, "ipv6") == 0) { | |
055421ee | 240 | if (!Ip::EnableIpv6) |
fa84c01d | 241 | debugs(3, DBG_CRITICAL, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a->name ); |
055421ee | 242 | // else nothing to do. |
62e76326 | 243 | } else { |
244 | break; | |
245 | } | |
246 | ||
2eceb328 | 247 | token = ConfigParser::NextToken(); |
d9572179 | 248 | } |
2eceb328 | 249 | ConfigParser::DisableMacros(); |
62e76326 | 250 | |
6f78f0ed | 251 | /* check that child startup value is sane. */ |
a3cecd6c AJ |
252 | if (a->children.n_startup > a->children.n_max) |
253 | a->children.n_startup = a->children.n_max; | |
48d54e4d | 254 | |
6f78f0ed | 255 | /* check that child idle value is sane. */ |
a3cecd6c AJ |
256 | if (a->children.n_idle > a->children.n_max) |
257 | a->children.n_idle = a->children.n_max; | |
258 | if (a->children.n_idle < 1) | |
259 | a->children.n_idle = 1; | |
48d54e4d | 260 | |
d9572179 | 261 | if (a->negative_ttl == -1) |
62e76326 | 262 | a->negative_ttl = a->ttl; |
d9572179 | 263 | |
e44a3ec4 | 264 | if (a->children.defaultQueueSize) |
6825b101 CT |
265 | a->children.queue_size = 2 * a->children.n_max; |
266 | ||
4e56d7f6 AJ |
267 | /* Legacy external_acl_type format parser. |
268 | * Handles a series of %... tokens where any non-% means | |
269 | * the start of another parameter field (ie the path to binary). | |
270 | */ | |
271 | enum Format::Quoting quote = Format::LOG_QUOTE_NONE; | |
272 | Format::Token **fmt = &a->format.format; | |
712fa21e | 273 | bool data_used = false; |
d9572179 | 274 | while (token) { |
4e56d7f6 | 275 | /* stop on first non-% token found */ |
62e76326 | 276 | if (*token != '%') |
277 | break; | |
278 | ||
4e56d7f6 | 279 | *fmt = new Format::Token; |
09e34608 AJ |
280 | // these tokens are whitespace delimited |
281 | (*fmt)->space = true; | |
4e56d7f6 | 282 | |
3a80bdd7 | 283 | // set the default encoding to match the protocol= config |
95d78f10 AJ |
284 | // this will be overridden by explicit %macro attributes |
285 | (*fmt)->quote = a->quote; | |
286 | ||
4e56d7f6 | 287 | // compatibility for old tokens incompatible with Format::Token syntax |
61beade2 | 288 | #if USE_OPENSSL // do not bother unless we have to. |
4e56d7f6 AJ |
289 | if (strncmp(token, "%USER_CERT_", 11) == 0) { |
290 | (*fmt)->type = Format::LFT_EXT_ACL_USER_CERT; | |
291 | (*fmt)->data.string = xstrdup(token + 11); | |
292 | (*fmt)->data.header.header = (*fmt)->data.string; | |
f06585e0 | 293 | } else if (strncmp(token, "%USER_CA_CERT_", 14) == 0) { |
4e56d7f6 AJ |
294 | (*fmt)->type = Format::LFT_EXT_ACL_USER_CA_CERT; |
295 | (*fmt)->data.string = xstrdup(token + 14); | |
296 | (*fmt)->data.header.header = (*fmt)->data.string; | |
f06585e0 | 297 | } else if (strncmp(token, "%CA_CERT_", 9) == 0) { |
3650c90e | 298 | debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type %CA_CERT_* code is obsolete. Use %USER_CA_CERT_* instead"); |
4e56d7f6 AJ |
299 | (*fmt)->type = Format::LFT_EXT_ACL_USER_CA_CERT; |
300 | (*fmt)->data.string = xstrdup(token + 9); | |
301 | (*fmt)->data.header.header = (*fmt)->data.string; | |
302 | } else | |
a7ad6e4e | 303 | #endif |
62b9cc19 | 304 | if (strncmp(token,"%<{", 3) == 0) { |
305 | SBuf tmp("%<h"); | |
306 | tmp.append(token+2); | |
307 | debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type format %<{...} is deprecated. Use " << tmp); | |
308 | const size_t parsedLen = (*fmt)->parse(tmp.c_str(), "e); | |
309 | assert(parsedLen == tmp.length()); | |
310 | assert((*fmt)->type == Format::LFT_REPLY_HEADER || | |
311 | (*fmt)->type == Format::LFT_REPLY_HEADER_ELEM); | |
312 | ||
313 | } else if (strncmp(token,"%>{", 3) == 0) { | |
314 | SBuf tmp("%>ha"); | |
315 | tmp.append(token+2); | |
316 | debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type format %>{...} is deprecated. Use " << tmp); | |
317 | const size_t parsedLen = (*fmt)->parse(tmp.c_str(), "e); | |
318 | assert(parsedLen == tmp.length()); | |
319 | assert((*fmt)->type == Format::LFT_ADAPTED_REQUEST_HEADER || | |
320 | (*fmt)->type == Format::LFT_ADAPTED_REQUEST_HEADER_ELEM); | |
321 | ||
322 | } else { | |
323 | // we can use the Format::Token::parse() method since it | |
324 | // only pulls off one token. Since we already checked | |
325 | // for '%' prefix above this is guaranteed to be a token. | |
326 | const size_t len = (*fmt)->parse(token, "e); | |
327 | assert(len == strlen(token)); | |
328 | } | |
4e56d7f6 AJ |
329 | |
330 | // process special token-specific actions (only if necessary) | |
2f1431ea | 331 | #if USE_AUTH |
4e56d7f6 AJ |
332 | if ((*fmt)->type == Format::LFT_USER_LOGIN) |
333 | a->require_auth = true; | |
2f1431ea | 334 | #endif |
62e76326 | 335 | |
95d78f10 AJ |
336 | if ((*fmt)->type == Format::LFT_EXT_ACL_DATA) |
337 | data_used = true; | |
712fa21e | 338 | |
4e56d7f6 | 339 | fmt = &((*fmt)->next); |
2eceb328 | 340 | token = ConfigParser::NextToken(); |
d9572179 | 341 | } |
342 | ||
343 | /* There must be at least one format token */ | |
7b6ce1c0 AJ |
344 | if (!a->format.format) { |
345 | delete a; | |
62e76326 | 346 | self_destruct(); |
7b6ce1c0 AJ |
347 | return; |
348 | } | |
d9572179 | 349 | |
712fa21e AJ |
350 | // format has implicit %DATA on the end if not used explicitly |
351 | if (!data_used) { | |
352 | *fmt = new Format::Token; | |
353 | (*fmt)->type = Format::LFT_EXT_ACL_DATA; | |
262eaf9a | 354 | (*fmt)->quote = Format::LOG_QUOTE_NONE; |
712fa21e AJ |
355 | } |
356 | ||
d9572179 | 357 | /* helper */ |
7b6ce1c0 AJ |
358 | if (!token) { |
359 | delete a; | |
62e76326 | 360 | self_destruct(); |
7b6ce1c0 AJ |
361 | return; |
362 | } | |
62e76326 | 363 | |
d9572179 | 364 | wordlistAdd(&a->cmdline, token); |
365 | ||
366 | /* arguments */ | |
a336d130 | 367 | parse_wordlist(&a->cmdline); |
d9572179 | 368 | |
369 | while (*list) | |
62e76326 | 370 | list = &(*list)->next; |
371 | ||
d9572179 | 372 | *list = a; |
373 | } | |
374 | ||
375 | void | |
376 | dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl * list) | |
377 | { | |
378 | const external_acl *node; | |
d9572179 | 379 | const wordlist *word; |
62e76326 | 380 | |
d9572179 | 381 | for (node = list; node; node = node->next) { |
62e76326 | 382 | storeAppendPrintf(sentry, "%s %s", name, node->name); |
383 | ||
4dd643d5 | 384 | if (!node->local_addr.isIPv6()) |
cc192b50 | 385 | storeAppendPrintf(sentry, " ipv4"); |
386 | else | |
387 | storeAppendPrintf(sentry, " ipv6"); | |
388 | ||
62e76326 | 389 | if (node->ttl != DEFAULT_EXTERNAL_ACL_TTL) |
390 | storeAppendPrintf(sentry, " ttl=%d", node->ttl); | |
391 | ||
392 | if (node->negative_ttl != node->ttl) | |
393 | storeAppendPrintf(sentry, " negative_ttl=%d", node->negative_ttl); | |
394 | ||
47b0c1fa | 395 | if (node->grace) |
396 | storeAppendPrintf(sentry, " grace=%d", node->grace); | |
397 | ||
48d54e4d AJ |
398 | if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN) |
399 | storeAppendPrintf(sentry, " children-max=%d", node->children.n_max); | |
62e76326 | 400 | |
2ccfb9a7 | 401 | if (node->children.n_startup != 0) // sync with helper/ChildConfig.cc default |
48d54e4d | 402 | storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup); |
62e76326 | 403 | |
2ccfb9a7 | 404 | if (node->children.n_idle != 1) // sync with helper/ChildConfig.cc default |
48d54e4d AJ |
405 | storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle); |
406 | ||
2ccfb9a7 | 407 | if (node->children.concurrency != 0) |
48d54e4d | 408 | storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency); |
07eca7e0 | 409 | |
47b0c1fa | 410 | if (node->cache) |
411 | storeAppendPrintf(sentry, " cache=%d", node->cache_size); | |
412 | ||
95d78f10 | 413 | if (node->quote == Format::LOG_QUOTE_SHELL) |
05e52854 AJ |
414 | storeAppendPrintf(sentry, " protocol=2.5"); |
415 | ||
4e56d7f6 | 416 | node->format.dump(sentry, NULL, false); |
62e76326 | 417 | |
418 | for (word = node->cmdline; word; word = word->next) | |
419 | storeAppendPrintf(sentry, " %s", word->key); | |
420 | ||
421 | storeAppendPrintf(sentry, "\n"); | |
d9572179 | 422 | } |
423 | } | |
424 | ||
425 | void | |
426 | free_externalAclHelper(external_acl ** list) | |
427 | { | |
f963b531 AJ |
428 | delete *list; |
429 | *list = NULL; | |
d9572179 | 430 | } |
431 | ||
432 | static external_acl * | |
433 | find_externalAclHelper(const char *name) | |
434 | { | |
435 | external_acl *node; | |
436 | ||
437 | for (node = Config.externalAclHelperList; node; node = node->next) { | |
62e76326 | 438 | if (strcmp(node->name, name) == 0) |
439 | return node; | |
d9572179 | 440 | } |
62e76326 | 441 | |
d9572179 | 442 | return NULL; |
443 | } | |
444 | ||
1e5562e3 | 445 | void |
abdd93d0 | 446 | external_acl::add(const ExternalACLEntryPointer &anEntry) |
1e5562e3 | 447 | { |
448 | trimCache(); | |
abdd93d0 | 449 | assert(anEntry != NULL); |
1e5562e3 | 450 | assert (anEntry->def == NULL); |
451 | anEntry->def = this; | |
abdd93d0 AJ |
452 | ExternalACLEntry *e = const_cast<ExternalACLEntry *>(anEntry.getRaw()); // XXX: make hash a std::map of Pointer. |
453 | hash_join(cache, e); | |
454 | dlinkAdd(e, &e->lru, &lru_list); | |
455 | e->lock(); //cbdataReference(e); // lock it on behalf of the hash | |
95dc7ff4 | 456 | ++cache_entries; |
1e5562e3 | 457 | } |
458 | ||
459 | void | |
460 | external_acl::trimCache() | |
461 | { | |
abdd93d0 AJ |
462 | if (cache_size && cache_entries >= cache_size) { |
463 | ExternalACLEntryPointer e(static_cast<ExternalACLEntry *>(lru_list.tail->data)); | |
464 | external_acl_cache_delete(this, e); | |
465 | } | |
1e5562e3 | 466 | } |
467 | ||
194ccc9c | 468 | bool |
329c128c | 469 | external_acl::maybeCacheable(const Acl::Answer &result) const |
194ccc9c CT |
470 | { |
471 | if (cache_size <= 0) | |
472 | return false; // cache is disabled | |
473 | ||
474 | if (result == ACCESS_DUNNO) | |
475 | return false; // non-cacheable response | |
476 | ||
06bf5384 | 477 | if ((result.allowed() ? ttl : negative_ttl) <= 0) |
194ccc9c CT |
478 | return false; // not caching this type of response |
479 | ||
480 | return true; | |
481 | } | |
482 | ||
d9572179 | 483 | /****************************************************************** |
484 | * external acl type | |
485 | */ | |
486 | ||
f963b531 AJ |
487 | class external_acl_data |
488 | { | |
489 | CBDATA_CLASS(external_acl_data); | |
490 | ||
491 | public: | |
492 | explicit external_acl_data(external_acl *aDef) : def(cbdataReference(aDef)), name(NULL), arguments(NULL) {} | |
493 | ~external_acl_data(); | |
494 | ||
d9572179 | 495 | external_acl *def; |
ec2d5242 | 496 | const char *name; |
d9572179 | 497 | wordlist *arguments; |
498 | }; | |
499 | ||
f963b531 AJ |
500 | CBDATA_CLASS_INIT(external_acl_data); |
501 | ||
502 | external_acl_data::~external_acl_data() | |
d9572179 | 503 | { |
f963b531 AJ |
504 | xfree(name); |
505 | wordlistDestroy(&arguments); | |
506 | cbdataReferenceDone(def); | |
d9572179 | 507 | } |
508 | ||
509 | void | |
b0dd28ba | 510 | ACLExternal::parse() |
d9572179 | 511 | { |
7b6ce1c0 | 512 | if (data) { |
62e76326 | 513 | self_destruct(); |
7b6ce1c0 AJ |
514 | return; |
515 | } | |
62e76326 | 516 | |
16c5ad96 | 517 | char *token = ConfigParser::strtokFile(); |
62e76326 | 518 | |
7b6ce1c0 | 519 | if (!token) { |
62e76326 | 520 | self_destruct(); |
7b6ce1c0 AJ |
521 | return; |
522 | } | |
62e76326 | 523 | |
f963b531 | 524 | data = new external_acl_data(find_externalAclHelper(token)); |
62e76326 | 525 | |
7b6ce1c0 AJ |
526 | if (!data->def) { |
527 | delete data; | |
62e76326 | 528 | self_destruct(); |
7b6ce1c0 AJ |
529 | return; |
530 | } | |
62e76326 | 531 | |
ec2d5242 HN |
532 | // def->name is the name of the external_acl_type. |
533 | // this is the name of the 'acl' directive being tested | |
534 | data->name = xstrdup(AclMatchedName); | |
535 | ||
16c5ad96 | 536 | while ((token = ConfigParser::strtokFile())) { |
62e76326 | 537 | wordlistAdd(&data->arguments, token); |
d9572179 | 538 | } |
d9572179 | 539 | } |
540 | ||
4b0f5de8 | 541 | bool |
542 | ACLExternal::valid () const | |
543 | { | |
2f1431ea | 544 | #if USE_AUTH |
4b0f5de8 | 545 | if (data->def->require_auth) { |
546 | if (authenticateSchemeCount() == 0) { | |
fa84c01d | 547 | debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes were compiled."); |
4b0f5de8 | 548 | return false; |
549 | } | |
550 | ||
551 | if (authenticateActiveSchemeCount() == 0) { | |
fa84c01d | 552 | debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes are fully configured."); |
4b0f5de8 | 553 | return false; |
554 | } | |
555 | } | |
2f1431ea | 556 | #endif |
4b0f5de8 | 557 | |
558 | return true; | |
559 | } | |
560 | ||
561 | bool | |
562 | ACLExternal::empty () const | |
563 | { | |
564 | return false; | |
565 | } | |
566 | ||
b0dd28ba | 567 | ACLExternal::~ACLExternal() |
d9572179 | 568 | { |
f963b531 AJ |
569 | delete data; |
570 | xfree(class_); | |
d9572179 | 571 | } |
572 | ||
1abe0161 | 573 | static void |
abdd93d0 | 574 | copyResultsFromEntry(HttpRequest *req, const ExternalACLEntryPointer &entry) |
1abe0161 AJ |
575 | { |
576 | if (req) { | |
577 | #if USE_AUTH | |
578 | if (entry->user.size()) | |
579 | req->extacl_user = entry->user; | |
580 | ||
581 | if (entry->password.size()) | |
582 | req->extacl_passwd = entry->password; | |
583 | #endif | |
584 | if (!req->tag.size()) | |
585 | req->tag = entry->tag; | |
586 | ||
587 | if (entry->log.size()) | |
588 | req->extacl_log = entry->log; | |
589 | ||
590 | if (entry->message.size()) | |
591 | req->extacl_message = entry->message; | |
a1df1417 NH |
592 | |
593 | // attach the helper kv-pair to the transaction | |
594 | UpdateRequestNotes(req->clientConnectionManager.get(), *req, entry->notes); | |
1abe0161 AJ |
595 | } |
596 | } | |
597 | ||
329c128c | 598 | static Acl::Answer |
c0941a6a | 599 | aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch) |
d9572179 | 600 | { |
c69ce640 | 601 | debugs(82, 9, HERE << "acl=\"" << acl->def->name << "\""); |
abdd93d0 | 602 | ExternalACLEntryPointer entry = ch->extacl_entry; |
62e76326 | 603 | |
6f58d7d7 AR |
604 | external_acl_message = "MISSING REQUIRED INFORMATION"; |
605 | ||
abdd93d0 AJ |
606 | if (entry != NULL) { |
607 | if (entry->def == acl->def) { | |
ad06254e | 608 | /* Ours, use it.. if the key matches */ |
6f58d7d7 AR |
609 | const char *key = makeExternalAclKey(ch, acl); |
610 | if (!key) | |
2f8abb64 | 611 | return ACCESS_DUNNO; // insufficient data to continue |
ad06254e | 612 | if (strcmp(key, (char*)entry->key) != 0) { |
61beade2 | 613 | debugs(82, 9, "entry key='" << (char *)entry->key << "', our key='" << key << "' do not match. Discarded."); |
ad06254e | 614 | // too bad. need a new lookup. |
abdd93d0 | 615 | entry = ch->extacl_entry = NULL; |
ad06254e | 616 | } |
62e76326 | 617 | } else { |
abdd93d0 AJ |
618 | /* Not ours.. get rid of it */ |
619 | debugs(82, 9, "entry " << entry << " not valid or not ours. Discarded."); | |
620 | if (entry != NULL) { | |
621 | debugs(82, 9, "entry def=" << entry->def << ", our def=" << acl->def); | |
6f58d7d7 | 622 | const char *key = makeExternalAclKey(ch, acl); // may be nil |
abdd93d0 | 623 | debugs(82, 9, "entry key='" << (char *)entry->key << "', our key='" << key << "'"); |
c69ce640 | 624 | } |
abdd93d0 | 625 | entry = ch->extacl_entry = NULL; |
62e76326 | 626 | } |
d9572179 | 627 | } |
62e76326 | 628 | |
d9572179 | 629 | if (!entry) { |
c69ce640 | 630 | debugs(82, 9, HERE << "No helper entry available"); |
2f1431ea | 631 | #if USE_AUTH |
62e76326 | 632 | if (acl->def->require_auth) { |
62e76326 | 633 | /* Make sure the user is authenticated */ |
e5f825ea | 634 | debugs(82, 3, HERE << acl->def->name << " check user authenticated."); |
329c128c | 635 | const auto ti = AuthenticateAcl(ch); |
06bf5384 | 636 | if (!ti.allowed()) { |
e5f825ea | 637 | debugs(82, 2, HERE << acl->def->name << " user not authenticated (" << ti << ")"); |
e0f7153c | 638 | return ti; |
62e76326 | 639 | } |
e5f825ea | 640 | debugs(82, 3, HERE << acl->def->name << " user is authenticated."); |
62e76326 | 641 | } |
2f1431ea | 642 | #endif |
6f58d7d7 | 643 | const char *key = makeExternalAclKey(ch, acl); |
41218131 | 644 | |
645 | if (!key) { | |
646 | /* Not sufficient data to process */ | |
e5f825ea | 647 | return ACCESS_DUNNO; |
41218131 | 648 | } |
649 | ||
abdd93d0 | 650 | entry = static_cast<ExternalACLEntry *>(hash_lookup(acl->def->cache, key)); |
62e76326 | 651 | |
abdd93d0 AJ |
652 | const ExternalACLEntryPointer staleEntry = entry; |
653 | if (entry != NULL && external_acl_entry_expired(acl->def, entry)) | |
e0f7153c AR |
654 | entry = NULL; |
655 | ||
abdd93d0 | 656 | if (entry != NULL && external_acl_grace_expired(acl->def, entry)) { |
e0f7153c AR |
657 | // refresh in the background |
658 | ExternalACLLookup::Start(ch, acl, true); | |
659 | debugs(82, 4, HERE << "no need to wait for the refresh of '" << | |
660 | key << "' in '" << acl->def->name << "' (ch=" << ch << ")."); | |
661 | } | |
662 | ||
663 | if (!entry) { | |
e5f825ea | 664 | debugs(82, 2, HERE << acl->def->name << "(\"" << key << "\") = lookup needed"); |
95a83c22 | 665 | |
6082a0e2 EB |
666 | // TODO: All other helpers allow temporary overload. Should not we? |
667 | if (!acl->def->theHelper->willOverload()) { | |
e5f825ea | 668 | debugs(82, 2, HERE << "\"" << key << "\": queueing a call."); |
6f58d7d7 AR |
669 | if (!ch->goAsync(ExternalACLLookup::Instance())) |
670 | debugs(82, 2, "\"" << key << "\": no async support!"); | |
e5f825ea | 671 | debugs(82, 2, HERE << "\"" << key << "\": return -1."); |
e0f7153c | 672 | return ACCESS_DUNNO; // expired cached or simply absent entry |
47b0c1fa | 673 | } else { |
e0f7153c | 674 | if (!staleEntry) { |
e5f825ea | 675 | debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name << |
6082a0e2 | 676 | "' queue full. Request rejected '" << key << "'."); |
4a972fa2 | 677 | external_acl_message = "SYSTEM TOO BUSY, TRY AGAIN LATER"; |
e5f825ea | 678 | return ACCESS_DUNNO; |
47b0c1fa | 679 | } else { |
e5f825ea | 680 | debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name << |
6082a0e2 | 681 | "' queue full. Using stale result. '" << key << "'."); |
e0f7153c | 682 | entry = staleEntry; |
47b0c1fa | 683 | /* Fall thru to processing below */ |
684 | } | |
685 | } | |
686 | } | |
d9572179 | 687 | } |
62e76326 | 688 | |
e0f7153c AR |
689 | debugs(82, 4, HERE << "entry = { date=" << |
690 | (long unsigned int) entry->date << | |
691 | ", result=" << entry->result << | |
692 | " tag=" << entry->tag << | |
693 | " log=" << entry->log << " }"); | |
694 | #if USE_AUTH | |
695 | debugs(82, 4, HERE << "entry user=" << entry->user); | |
696 | #endif | |
697 | ||
d9572179 | 698 | external_acl_cache_touch(acl->def, entry); |
a7a42b14 | 699 | external_acl_message = entry->message.termedBuf(); |
4a972fa2 | 700 | |
e5f825ea | 701 | debugs(82, 2, HERE << acl->def->name << " = " << entry->result); |
1abe0161 | 702 | copyResultsFromEntry(ch->request, entry); |
e5f825ea | 703 | return entry->result; |
d9572179 | 704 | } |
705 | ||
b0dd28ba | 706 | int |
707 | ACLExternal::match(ACLChecklist *checklist) | |
708 | { | |
329c128c | 709 | auto answer = aclMatchExternal(data, Filled(checklist)); |
e5f825ea AJ |
710 | |
711 | // convert to tri-state ACL match 1,0,-1 | |
9b831d57 | 712 | switch (answer) { |
e5f825ea | 713 | case ACCESS_ALLOWED: |
e5f825ea AJ |
714 | return 1; // match |
715 | ||
716 | case ACCESS_DENIED: | |
e5f825ea AJ |
717 | return 0; // non-match |
718 | ||
719 | case ACCESS_DUNNO: | |
720 | case ACCESS_AUTH_REQUIRED: | |
721 | default: | |
e0f7153c | 722 | // If the answer is not allowed or denied (matches/not matches) and |
6f58d7d7 AR |
723 | // async authentication is not in progress, then we are done. |
724 | if (checklist->keepMatching()) | |
e0f7153c | 725 | checklist->markFinished(answer, "aclMatchExternal exception"); |
e5f825ea AJ |
726 | return -1; // other |
727 | } | |
b0dd28ba | 728 | } |
729 | ||
dfad5100 | 730 | SBufList |
b0dd28ba | 731 | ACLExternal::dump() const |
d9572179 | 732 | { |
b0dd28ba | 733 | external_acl_data const *acl = data; |
dfad5100 FC |
734 | SBufList rv; |
735 | rv.push_back(SBuf(acl->def->name)); | |
62e76326 | 736 | |
dfad5100 FC |
737 | for (wordlist *arg = acl->arguments; arg; arg = arg->next) { |
738 | SBuf s; | |
739 | s.Printf(" %s", arg->key); | |
740 | rv.push_back(s); | |
d9572179 | 741 | } |
62e76326 | 742 | |
dfad5100 | 743 | return rv; |
d9572179 | 744 | } |
745 | ||
746 | /****************************************************************** | |
747 | * external_acl cache | |
748 | */ | |
749 | ||
d9572179 | 750 | static void |
abdd93d0 | 751 | external_acl_cache_touch(external_acl * def, const ExternalACLEntryPointer &entry) |
d9572179 | 752 | { |
c69ce640 | 753 | // this must not be done when nothing is being cached. |
194ccc9c | 754 | if (!def->maybeCacheable(entry->result)) |
c69ce640 AJ |
755 | return; |
756 | ||
d9572179 | 757 | dlinkDelete(&entry->lru, &def->lru_list); |
abdd93d0 AJ |
758 | ExternalACLEntry *e = const_cast<ExternalACLEntry *>(entry.getRaw()); // XXX: make hash a std::map of Pointer. |
759 | dlinkAdd(e, &entry->lru, &def->lru_list); | |
d9572179 | 760 | } |
761 | ||
762 | static char * | |
c0941a6a | 763 | makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data) |
d9572179 | 764 | { |
032785bf | 765 | static MemBuf mb; |
09e34608 | 766 | mb.reset(); |
62e76326 | 767 | |
4e56d7f6 AJ |
768 | // check for special case tokens in the format |
769 | for (Format::Token *t = acl_data->def->format.format; t ; t = t->next) { | |
62e76326 | 770 | |
4e56d7f6 AJ |
771 | if (t->type == Format::LFT_EXT_ACL_NAME) { |
772 | // setup for %ACL | |
4ff6370b AJ |
773 | safe_free(ch->al->lastAclName); |
774 | ch->al->lastAclName = xstrdup(acl_data->name); | |
789dda8d CT |
775 | } |
776 | ||
778647be | 777 | if (t->type == Format::LFT_EXT_ACL_DATA) { |
4e56d7f6 AJ |
778 | // setup string for %DATA |
779 | SBuf sb; | |
4e56d7f6 | 780 | for (auto arg = acl_data->arguments; arg; arg = arg->next) { |
778647be | 781 | if (sb.length()) |
ec2d5242 HN |
782 | sb.append(" ", 1); |
783 | ||
95d78f10 | 784 | if (acl_data->def->quote == Format::LOG_QUOTE_URL) { |
ec2d5242 HN |
785 | const char *quoted = rfc1738_escape(arg->key); |
786 | sb.append(quoted, strlen(quoted)); | |
787 | } else { | |
788 | static MemBuf mb2; | |
789 | mb2.init(); | |
790 | strwordquote(&mb2, arg->key); | |
791 | sb.append(mb2.buf, mb2.size); | |
792 | mb2.clean(); | |
793 | } | |
ec2d5242 | 794 | } |
778647be | 795 | |
b0e14ce2 | 796 | ch->al->lastAclData = sb; |
dc1af3cf | 797 | } |
62e76326 | 798 | |
33c2eb4d | 799 | #if USE_IDENT |
4e56d7f6 | 800 | if (t->type == Format::LFT_USER_IDENT) { |
a51ed963 | 801 | if (!*ch->rfc931) { |
4e56d7f6 AJ |
802 | // if we fail to go async, we still return NULL and the caller |
803 | // will detect the failure in ACLExternal::match(). | |
804 | (void)ch->goAsync(IdentLookup::Instance()); | |
805 | return NULL; | |
ec2d5242 | 806 | } |
ec2d5242 | 807 | } |
33c2eb4d | 808 | #endif |
d9572179 | 809 | } |
62e76326 | 810 | |
712fa21e | 811 | // assemble the full helper lookup string |
4e56d7f6 AJ |
812 | acl_data->def->format.assemble(mb, ch->al, 0); |
813 | ||
d9572179 | 814 | return mb.buf; |
d9572179 | 815 | } |
816 | ||
817 | static int | |
abdd93d0 | 818 | external_acl_entry_expired(external_acl * def, const ExternalACLEntryPointer &entry) |
d9572179 | 819 | { |
194ccc9c | 820 | if (def->cache_size <= 0 || entry->result == ACCESS_DUNNO) |
c69ce640 AJ |
821 | return 1; |
822 | ||
06bf5384 | 823 | if (entry->date + (entry->result.allowed() ? def->ttl : def->negative_ttl) < squid_curtime) |
62e76326 | 824 | return 1; |
d9572179 | 825 | else |
62e76326 | 826 | return 0; |
d9572179 | 827 | } |
62e76326 | 828 | |
47b0c1fa | 829 | static int |
abdd93d0 | 830 | external_acl_grace_expired(external_acl * def, const ExternalACLEntryPointer &entry) |
47b0c1fa | 831 | { |
194ccc9c | 832 | if (def->cache_size <= 0 || entry->result == ACCESS_DUNNO) |
c69ce640 AJ |
833 | return 1; |
834 | ||
47b0c1fa | 835 | int ttl; |
06bf5384 | 836 | ttl = entry->result.allowed() ? def->ttl : def->negative_ttl; |
47b0c1fa | 837 | ttl = (ttl * (100 - def->grace)) / 100; |
838 | ||
98b70eff | 839 | if (entry->date + ttl <= squid_curtime) |
47b0c1fa | 840 | return 1; |
841 | else | |
842 | return 0; | |
843 | } | |
844 | ||
abdd93d0 | 845 | static ExternalACLEntryPointer |
1e5562e3 | 846 | external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data) |
d9572179 | 847 | { |
abdd93d0 | 848 | ExternalACLEntryPointer entry; |
c69ce640 | 849 | |
194ccc9c | 850 | if (!def->maybeCacheable(data.result)) { |
c69ce640 | 851 | debugs(82,6, HERE); |
194ccc9c CT |
852 | |
853 | if (data.result == ACCESS_DUNNO) { | |
854 | if (const ExternalACLEntryPointer oldentry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key))) | |
855 | external_acl_cache_delete(def, oldentry); | |
856 | } | |
c69ce640 AJ |
857 | entry = new ExternalACLEntry; |
858 | entry->key = xstrdup(key); | |
859 | entry->update(data); | |
860 | entry->def = def; | |
861 | return entry; | |
862 | } | |
863 | ||
864 | entry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key)); | |
bf8fe701 | 865 | debugs(82, 2, "external_acl_cache_add: Adding '" << key << "' = " << data.result); |
62e76326 | 866 | |
abdd93d0 AJ |
867 | if (entry != NULL) { |
868 | debugs(82, 3, "updating existing entry"); | |
c69ce640 | 869 | entry->update(data); |
62e76326 | 870 | external_acl_cache_touch(def, entry); |
62e76326 | 871 | return entry; |
d9572179 | 872 | } |
62e76326 | 873 | |
1e5562e3 | 874 | entry = new ExternalACLEntry; |
4a8b20e8 | 875 | entry->key = xstrdup(key); |
c69ce640 | 876 | entry->update(data); |
1e5562e3 | 877 | |
6ca34f6f | 878 | def->add(entry); |
1e5562e3 | 879 | |
d9572179 | 880 | return entry; |
881 | } | |
882 | ||
883 | static void | |
abdd93d0 | 884 | external_acl_cache_delete(external_acl * def, const ExternalACLEntryPointer &entry) |
d9572179 | 885 | { |
abdd93d0 | 886 | assert(entry != NULL); |
c69ce640 | 887 | assert(def->cache_size > 0 && entry->def == def); |
abdd93d0 AJ |
888 | ExternalACLEntry *e = const_cast<ExternalACLEntry *>(entry.getRaw()); // XXX: make hash a std::map of Pointer. |
889 | hash_remove_link(def->cache, e); | |
890 | dlinkDelete(&e->lru, &def->lru_list); | |
891 | e->unlock(); // unlock on behalf of the hash | |
d9572179 | 892 | def->cache_entries -= 1; |
d9572179 | 893 | } |
894 | ||
895 | /****************************************************************** | |
896 | * external_acl helpers | |
897 | */ | |
898 | ||
f963b531 AJ |
899 | class externalAclState |
900 | { | |
901 | CBDATA_CLASS(externalAclState); | |
902 | ||
903 | public: | |
904 | externalAclState(external_acl* aDef, const char *aKey) : | |
905 | callback(NULL), | |
906 | callback_data(NULL), | |
907 | key(xstrdup(aKey)), | |
908 | def(cbdataReference(aDef)), | |
909 | queue(NULL) | |
910 | {} | |
911 | ~externalAclState(); | |
62e76326 | 912 | |
d9572179 | 913 | EAH *callback; |
914 | void *callback_data; | |
915 | char *key; | |
916 | external_acl *def; | |
917 | dlink_node list; | |
918 | externalAclState *queue; | |
919 | }; | |
920 | ||
f963b531 AJ |
921 | CBDATA_CLASS_INIT(externalAclState); |
922 | ||
923 | externalAclState::~externalAclState() | |
d9572179 | 924 | { |
f963b531 AJ |
925 | xfree(key); |
926 | cbdataReferenceDone(callback_data); | |
927 | cbdataReferenceDone(def); | |
d9572179 | 928 | } |
929 | ||
d9572179 | 930 | /* |
931 | * The helper program receives queries on stdin, one | |
07eca7e0 | 932 | * per line, and must return the result on on stdout |
d9572179 | 933 | * |
934 | * General result syntax: | |
935 | * | |
936 | * OK/ERR keyword=value ... | |
937 | * | |
938 | * Keywords: | |
939 | * | |
4a972fa2 | 940 | * user= The users name (login) |
941 | * message= Message describing the reason | |
f53969cc SM |
942 | * tag= A string tag to be applied to the request that triggered the acl match. |
943 | * applies to both OK and ERR responses. | |
944 | * Won't override existing request tags. | |
945 | * log= A string to be used in access logging | |
d9572179 | 946 | * |
947 | * Other keywords may be added to the protocol later | |
948 | * | |
05e52854 AJ |
949 | * value needs to be URL-encoded or enclosed in double quotes (") |
950 | * with \-escaping on any whitespace, quotes, or slashes (\). | |
d9572179 | 951 | */ |
d9572179 | 952 | static void |
24438ec5 | 953 | externalAclHandleReply(void *data, const Helper::Reply &reply) |
d9572179 | 954 | { |
e6ccf245 | 955 | externalAclState *state = static_cast<externalAclState *>(data); |
d9572179 | 956 | externalAclState *next; |
1e5562e3 | 957 | ExternalACLEntryData entryData; |
d9572179 | 958 | |
0272dd08 | 959 | debugs(82, 2, HERE << "reply=" << reply); |
d9572179 | 960 | |
2428ce02 | 961 | if (reply.result == Helper::Okay) |
0272dd08 | 962 | entryData.result = ACCESS_ALLOWED; |
194ccc9c CT |
963 | else if (reply.result == Helper::Error) |
964 | entryData.result = ACCESS_DENIED; | |
965 | else //BrokenHelper,TimedOut or Unknown. Should not cached. | |
966 | entryData.result = ACCESS_DUNNO; | |
62e76326 | 967 | |
24438ec5 | 968 | // XXX: make entryData store a proper Helper::Reply object instead of copying. |
ab332e27 | 969 | |
a0592634 AJ |
970 | entryData.notes.append(&reply.notes); |
971 | ||
cf9f0261 CT |
972 | const char *label = reply.notes.findFirst("tag"); |
973 | if (label != NULL && *label != '\0') | |
974 | entryData.tag = label; | |
62e76326 | 975 | |
cf9f0261 CT |
976 | label = reply.notes.findFirst("message"); |
977 | if (label != NULL && *label != '\0') | |
978 | entryData.message = label; | |
62e76326 | 979 | |
cf9f0261 CT |
980 | label = reply.notes.findFirst("log"); |
981 | if (label != NULL && *label != '\0') | |
982 | entryData.log = label; | |
62e76326 | 983 | |
2f1431ea | 984 | #if USE_AUTH |
cf9f0261 CT |
985 | label = reply.notes.findFirst("user"); |
986 | if (label != NULL && *label != '\0') | |
987 | entryData.user = label; | |
7bbefa01 | 988 | |
cf9f0261 CT |
989 | label = reply.notes.findFirst("password"); |
990 | if (label != NULL && *label != '\0') | |
991 | entryData.password = label; | |
2f1431ea | 992 | #endif |
62e76326 | 993 | |
23da195f CT |
994 | // XXX: This state->def access conflicts with the cbdata validity check |
995 | // below. | |
d9572179 | 996 | dlinkDelete(&state->list, &state->def->queue); |
62e76326 | 997 | |
abdd93d0 | 998 | ExternalACLEntryPointer entry; |
194ccc9c CT |
999 | if (cbdataReferenceValid(state->def)) |
1000 | entry = external_acl_cache_add(state->def, state->key, entryData); | |
d9572179 | 1001 | |
1002 | do { | |
62e76326 | 1003 | void *cbdata; |
47b0c1fa | 1004 | if (state->callback && cbdataReferenceValidDone(state->callback_data, &cbdata)) |
62e76326 | 1005 | state->callback(cbdata, entry); |
1006 | ||
1007 | next = state->queue; | |
f963b531 | 1008 | state->queue = NULL; |
d9572179 | 1009 | |
f963b531 | 1010 | delete state; |
d9572179 | 1011 | |
62e76326 | 1012 | state = next; |
d9572179 | 1013 | } while (state); |
1014 | } | |
1015 | ||
1016 | void | |
e0f7153c | 1017 | ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me) |
d9572179 | 1018 | { |
e0f7153c AR |
1019 | ExternalACLLookup::Start(checklist, me->data, false); |
1020 | } | |
c8e7608c | 1021 | |
e0f7153c AR |
1022 | void |
1023 | ExternalACLLookup::Start(ACLChecklist *checklist, external_acl_data *acl, bool inBackground) | |
1024 | { | |
1025 | external_acl *def = acl->def; | |
c0f81932 | 1026 | |
c0941a6a | 1027 | ACLFilledChecklist *ch = Filled(checklist); |
c8e7608c | 1028 | const char *key = makeExternalAclKey(ch, acl); |
6f58d7d7 | 1029 | assert(key); // XXX: will fail if EXT_ACL_IDENT case needs an async lookup |
62e76326 | 1030 | |
e0f7153c AR |
1031 | debugs(82, 2, HERE << (inBackground ? "bg" : "fg") << " lookup in '" << |
1032 | def->name << "' for '" << key << "'"); | |
62e76326 | 1033 | |
47b0c1fa | 1034 | /* Check for a pending lookup to hook into */ |
c69ce640 | 1035 | // only possible if we are caching results. |
e0f7153c | 1036 | externalAclState *oldstate = NULL; |
c69ce640 | 1037 | if (def->cache_size > 0) { |
e0f7153c | 1038 | for (dlink_node *node = def->queue.head; node; node = node->next) { |
c69ce640 | 1039 | externalAclState *oldstatetmp = static_cast<externalAclState *>(node->data); |
62e76326 | 1040 | |
c69ce640 AJ |
1041 | if (strcmp(key, oldstatetmp->key) == 0) { |
1042 | oldstate = oldstatetmp; | |
1043 | break; | |
1044 | } | |
47b0c1fa | 1045 | } |
1046 | } | |
62e76326 | 1047 | |
e0f7153c AR |
1048 | // A background refresh has no need to piggiback on a pending request: |
1049 | // When the pending request completes, the cache will be refreshed anyway. | |
1050 | if (oldstate && inBackground) { | |
1051 | debugs(82, 7, HERE << "'" << def->name << "' queue is already being refreshed (ch=" << ch << ")"); | |
47b0c1fa | 1052 | return; |
1053 | } | |
62e76326 | 1054 | |
f963b531 | 1055 | externalAclState *state = new externalAclState(def, key); |
62e76326 | 1056 | |
e0f7153c AR |
1057 | if (!inBackground) { |
1058 | state->callback = &ExternalACLLookup::LookupDone; | |
1059 | state->callback_data = cbdataReference(checklist); | |
d9572179 | 1060 | } |
62e76326 | 1061 | |
47b0c1fa | 1062 | if (oldstate) { |
1063 | /* Hook into pending lookup */ | |
1064 | state->queue = oldstate->queue; | |
1065 | oldstate->queue = state; | |
1066 | } else { | |
e0f7153c AR |
1067 | /* No pending lookup found. Sumbit to helper */ |
1068 | ||
e0f7153c | 1069 | MemBuf buf; |
2fe7eff9 | 1070 | buf.init(); |
4391cd15 | 1071 | buf.appendf("%s\n", key); |
bf8fe701 | 1072 | debugs(82, 4, "externalAclLookup: looking up for '" << key << "' in '" << def->name << "'."); |
ab321f4b | 1073 | |
6825b101 CT |
1074 | if (!def->theHelper->trySubmit(buf.buf, externalAclHandleReply, state)) { |
1075 | debugs(82, 7, HERE << "'" << def->name << "' submit to helper failed"); | |
1076 | assert(inBackground); // or the caller should have checked | |
f963b531 | 1077 | delete state; |
6825b101 CT |
1078 | return; |
1079 | } | |
62e76326 | 1080 | |
47b0c1fa | 1081 | dlinkAdd(state, &state->list, &def->queue); |
62e76326 | 1082 | |
2fe7eff9 | 1083 | buf.clean(); |
47b0c1fa | 1084 | } |
62e76326 | 1085 | |
bf8fe701 | 1086 | debugs(82, 4, "externalAclLookup: will wait for the result of '" << key << |
1087 | "' in '" << def->name << "' (ch=" << ch << ")."); | |
d9572179 | 1088 | } |
1089 | ||
1090 | static void | |
1091 | externalAclStats(StoreEntry * sentry) | |
1092 | { | |
f963b531 | 1093 | for (external_acl *p = Config.externalAclHelperList; p; p = p->next) { |
62e76326 | 1094 | storeAppendPrintf(sentry, "External ACL Statistics: %s\n", p->name); |
1095 | storeAppendPrintf(sentry, "Cache size: %d\n", p->cache->count); | |
bf3e8d5a AJ |
1096 | assert(p->theHelper); |
1097 | p->theHelper->packStatsInto(sentry); | |
62e76326 | 1098 | storeAppendPrintf(sentry, "\n"); |
d9572179 | 1099 | } |
1100 | } | |
1101 | ||
6b7d87bb FC |
1102 | static void |
1103 | externalAclRegisterWithCacheManager(void) | |
1104 | { | |
8822ebee | 1105 | Mgr::RegisterAction("external_acl", |
d9fc6862 A |
1106 | "External ACL stats", |
1107 | externalAclStats, 0, 1); | |
6b7d87bb FC |
1108 | } |
1109 | ||
d9572179 | 1110 | void |
1111 | externalAclInit(void) | |
1112 | { | |
f963b531 | 1113 | for (external_acl *p = Config.externalAclHelperList; p; p = p->next) { |
62e76326 | 1114 | if (!p->cache) |
30abd221 | 1115 | p->cache = hash_create((HASHCMP *) strcmp, hashPrime(1024), hash4); |
62e76326 | 1116 | |
1117 | if (!p->theHelper) | |
48d54e4d | 1118 | p->theHelper = new helper(p->name); |
62e76326 | 1119 | |
1120 | p->theHelper->cmdline = p->cmdline; | |
1121 | ||
1af735c7 | 1122 | p->theHelper->childs.updateLimits(p->children); |
07eca7e0 | 1123 | |
62e76326 | 1124 | p->theHelper->ipc_type = IPC_TCP_SOCKET; |
1125 | ||
cc192b50 | 1126 | p->theHelper->addr = p->local_addr; |
1127 | ||
62e76326 | 1128 | helperOpenServers(p->theHelper); |
d9572179 | 1129 | } |
62e76326 | 1130 | |
ea391f18 | 1131 | externalAclRegisterWithCacheManager(); |
d9572179 | 1132 | } |
1133 | ||
1134 | void | |
1135 | externalAclShutdown(void) | |
1136 | { | |
1137 | external_acl *p; | |
62e76326 | 1138 | |
d9572179 | 1139 | for (p = Config.externalAclHelperList; p; p = p->next) { |
62e76326 | 1140 | helperShutdown(p->theHelper); |
d9572179 | 1141 | } |
1142 | } | |
225b7b10 | 1143 | |
1144 | ExternalACLLookup ExternalACLLookup::instance_; | |
1145 | ExternalACLLookup * | |
1146 | ExternalACLLookup::Instance() | |
1147 | { | |
1148 | return &instance_; | |
1149 | } | |
1150 | ||
1151 | void | |
1152 | ExternalACLLookup::checkForAsync(ACLChecklist *checklist)const | |
1153 | { | |
b0dd28ba | 1154 | /* TODO: optimise this - we probably have a pointer to this |
1155 | * around somewhere */ | |
97427e90 | 1156 | ACL *acl = ACL::FindByName(AclMatchedName); |
ab321f4b | 1157 | assert(acl); |
b0dd28ba | 1158 | ACLExternal *me = dynamic_cast<ACLExternal *> (acl); |
1159 | assert (me); | |
e0f7153c | 1160 | ACLExternal::ExternalAclLookup(checklist, me); |
225b7b10 | 1161 | } |
1162 | ||
e0f7153c | 1163 | /// Called when an async lookup returns |
225b7b10 | 1164 | void |
abdd93d0 | 1165 | ExternalACLLookup::LookupDone(void *data, const ExternalACLEntryPointer &result) |
225b7b10 | 1166 | { |
c0941a6a | 1167 | ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data)); |
abdd93d0 | 1168 | checklist->extacl_entry = result; |
6f58d7d7 | 1169 | checklist->resumeNonBlockingCheck(ExternalACLLookup::Instance()); |
225b7b10 | 1170 | } |
b0dd28ba | 1171 | |
b0dd28ba | 1172 | ACL * |
1173 | ACLExternal::clone() const | |
1174 | { | |
1175 | return new ACLExternal(*this); | |
1176 | } | |
1177 | ||
86c63190 | 1178 | ACLExternal::ACLExternal(char const *theClass) : data(NULL), class_(xstrdup(theClass)) |
b0dd28ba | 1179 | {} |
1180 | ||
86c63190 | 1181 | ACLExternal::ACLExternal(ACLExternal const & old) : data(NULL), class_(old.class_ ? xstrdup(old.class_) : NULL) |
b0dd28ba | 1182 | { |
1183 | /* we don't have copy constructors for the data yet */ | |
86c63190 | 1184 | assert(!old.data); |
b0dd28ba | 1185 | } |
1186 | ||
b0dd28ba | 1187 | char const * |
1188 | ACLExternal::typeString() const | |
1189 | { | |
1190 | return class_; | |
1191 | } | |
1192 | ||
e870b1f8 | 1193 | bool |
1194 | ACLExternal::isProxyAuth() const | |
1195 | { | |
2f1431ea | 1196 | #if USE_AUTH |
e870b1f8 | 1197 | return data->def->require_auth; |
2f1431ea AJ |
1198 | #else |
1199 | return false; | |
1200 | #endif | |
e870b1f8 | 1201 | } |
f53969cc | 1202 |