[thirdparty/squid.git] / src / cache_manager.cc

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 16    Cache Manager Objects */

#include "squid.h"
#include "AccessLogEntry.h"
#include "base/TextException.h"
#include "CacheManager.h"
#include "comm/Connection.h"
#include "debug/Stream.h"
#include "error/ExceptionErrorDetail.h"
#include "errorpage.h"
#include "fde.h"
#include "HttpHdrCc.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "mgr/Action.h"
#include "mgr/ActionCreator.h"
#include "mgr/ActionPasswordList.h"
#include "mgr/ActionProfile.h"
#include "mgr/BasicActions.h"
#include "mgr/Command.h"
#include "mgr/Forwarder.h"
#include "mgr/FunAction.h"
#include "mgr/QueryParams.h"
#include "parser/Tokenizer.h"
#include "protos.h"
#include "sbuf/Stream.h"
#include "sbuf/StringConvert.h"
#include "SquidConfig.h"
#include "Store.h"
#include "tools.h"
#include "wordlist.h"

#include <algorithm>
#include <memory>

/// \ingroup CacheManagerInternal
#define MGR_PASSWD_SZ 128

void
CacheManager::registerProfile(const Mgr::ActionProfile::Pointer &profile)
{
    Must(profile != nullptr);
    if (!CacheManager::findAction(profile->name)) {
        menu_.push_back(profile);
        debugs(16, 3, "registered profile: " << *profile);
    } else {
        debugs(16, 2, "skipped duplicate profile: " << *profile);
    }
}

/**
 \ingroup CacheManagerInternal
 * Locates an action in the actions registry ActionsList.
\retval NULL  if Action not found
\retval CacheManagerAction* if the action was found
 */
Mgr::ActionProfile::Pointer
CacheManager::findAction(char const * action) const
{
    Must(action != nullptr);
    Menu::const_iterator a;

    debugs(16, 5, "CacheManager::findAction: looking for action " << action);
    for (a = menu_.begin(); a != menu_.end(); ++a) {
        if (0 == strcmp((*a)->name, action)) {
            debugs(16, 6, " found");
            return *a;
        }
    }

    debugs(16, 6, "Action not found.");
    return Mgr::ActionProfilePointer();
}

Mgr::Action::Pointer
CacheManager::createNamedAction(const char *actionName)
{
    Must(actionName);

    Mgr::Command::Pointer cmd = new Mgr::Command;
    cmd->profile = findAction(actionName);
    cmd->params.actionName = actionName;

    Must(cmd->profile != nullptr);
    return cmd->profile->creator->create(cmd);
}

Mgr::Action::Pointer
CacheManager::createRequestedAction(const Mgr::ActionParams &params)
{
    Mgr::Command::Pointer cmd = new Mgr::Command;
    cmd->params = params;
    cmd->profile = findAction(params.actionName.termedBuf());
    Must(cmd->profile != nullptr);
    return cmd->profile->creator->create(cmd);
}

const SBuf &
CacheManager::WellKnownUrlPathPrefix()
{
    static const SBuf prefix("/squid-internal-mgr/");
    return prefix;
}

/**
 * Parses the action requested by the user and checks via
 * CacheManager::ActionProtection() that the item is accessible by the user.
 *
 * Syntax:
 *
 * [ scheme "://" authority ] '/squid-internal-mgr' path-absolute [ "?" query ] [ "#" fragment ]
 *
 * see RFC 3986 for definitions of scheme, authority, path-absolute, query
 *
 * \returns Mgr::Command object with action to perform and parameters it might use
 */
Mgr::Command::Pointer
CacheManager::ParseUrl(const AnyP::Uri &uri)
{
    Parser::Tokenizer tok(uri.path());

    Assure(tok.skip(WellKnownUrlPathPrefix()));

    Mgr::Command::Pointer cmd = new Mgr::Command();
    cmd->params.httpUri = SBufToString(uri.absolute());

    static const auto fieldChars = CharacterSet("mgr-field", "?#").complement();

    SBuf action;
    if (!tok.prefix(action, fieldChars)) {
        static const SBuf indexReport("index");
        action = indexReport;
    }
    cmd->params.actionName = SBufToString(action);

    const auto profile = findAction(action.c_str());
    if (!profile)
        throw TextException(ToSBuf("action '", action, "' not found"), Here());

    const char *prot = ActionProtection(profile);
    if (!strcmp(prot, "disabled") || !strcmp(prot, "hidden"))
        throw TextException(ToSBuf("action '", action, "' is ", prot), Here());
    cmd->profile = profile;

    // TODO: fix when AnyP::Uri::parse() separates path?query#fragment
    SBuf params;
    if (tok.skip('?')) {
        params = tok.remaining();
        Mgr::QueryParams::Parse(tok, cmd->params.queryParams);
    }

    if (!tok.skip('#') && !tok.atEnd())
        throw TextException("invalid characters in URL", Here());
    // else ignore #fragment (if any)

    debugs(16, 3, "MGR request: host=" << uri.host() << ", action=" << action << ", params=" << params);

    return cmd;
}

/// \ingroup CacheManagerInternal
/*
 \ingroup CacheManagerInternal
 * Decodes the headers needed to perform user authentication and fills
 * the details into the cachemgrStateData argument
 */
void
CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams &params)
{
    assert(request);

    params.httpMethod = request->method.id();
    params.httpFlags = request->flags;

#if HAVE_AUTH_MODULE_BASIC
    // TODO: use the authentication system decode to retrieve these details properly.

    /* base 64 _decoded_ user:passwd pair */
    const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));

    if (basic_cookie.isEmpty())
        return;

    const auto colonPos = basic_cookie.find(':');
    if (colonPos == SBuf::npos) {
        debugs(16, DBG_IMPORTANT, "ERROR: CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
        return;
    }

    /* found user:password pair, reset old values */
    params.userName = SBufToString(basic_cookie.substr(0, colonPos));
    params.password = SBufToString(basic_cookie.substr(colonPos+1));

    /* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
    debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
           params.userName << "' passwd: '" << params.password << "'");
#endif
}

/**
 \ingroup CacheManagerInternal
 *
 \retval 0  if mgr->password is good or "none"
 \retval 1  if mgr->password is "disable"
 \retval !0 if mgr->password does not match configured password
 */
int
CacheManager::CheckPassword(const Mgr::Command &cmd)
{
    assert(cmd.profile != nullptr);
    const char *action = cmd.profile->name;
    char *pwd = PasswdGet(Config.passwd_list, action);

    debugs(16, 4, "CacheManager::CheckPassword for action " << action);

    if (pwd == nullptr)
        return cmd.profile->isPwReq;

    if (strcmp(pwd, "disable") == 0)
        return 1;

    if (strcmp(pwd, "none") == 0)
        return 0;

    if (!cmd.params.password.size())
        return 1;

    return cmd.params.password != pwd;
}

/**
 \ingroup CacheManagerAPI
 * Main entry point in the Cache Manager's activity. Gets called as part
 * of the forward chain if the right URL is detected there. Initiates
 * all needed internal work and renders the response.
 */
void
CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest *request, StoreEntry *entry, const AccessLogEntry::Pointer &ale)
{
    debugs(16, 3, "request-url= '" << request->url << "', entry-url='" << entry->url() << "'");

    Mgr::Command::Pointer cmd;
    try {
        cmd = ParseUrl(request->url);

    } catch (...) {
        debugs(16, 2, "request URL error: " << CurrentException);
        const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request, ale);
        err->url = xstrdup(entry->url());
        err->detailError(new ExceptionErrorDetail(Here().id()));
        errorAppendEntry(entry, err);
        return;
    }

    const char *actionName = cmd->profile->name;

    entry->expires = squid_curtime;

    debugs(16, 5, "CacheManager: " << client << " requesting '" << actionName << "'");

    /* get additional info from request headers */
    ParseHeaders(request, cmd->params);

    const char *userName = cmd->params.userName.size() ?
                           cmd->params.userName.termedBuf() : "unknown";

    /* Check password */

    if (CheckPassword(*cmd) != 0) {
        /* build error message */
        ErrorState errState(ERR_CACHE_MGR_ACCESS_DENIED, Http::scUnauthorized, request, ale);
        /* warn if user specified incorrect password */

        if (cmd->params.password.size()) {
            debugs(16, DBG_IMPORTANT, "CacheManager: " <<
                   userName << "@" <<
                   client << ": incorrect password for '" <<
                   actionName << "'" );
        } else {
            debugs(16, DBG_IMPORTANT, "CacheManager: " <<
                   userName << "@" <<
                   client << ": password needed for '" <<
                   actionName << "'" );
        }

        HttpReply *rep = errState.BuildHttpReply();

#if HAVE_AUTH_MODULE_BASIC
        /*
         * add Authenticate header using action name as a realm because
         * password depends on the action
         */
        rep->header.putAuth("Basic", actionName);
#endif

        const auto originOrNil = request->header.getStr(Http::HdrType::ORIGIN);
        PutCommonResponseHeaders(*rep, originOrNil);

        /* store the reply */
        entry->replaceHttpReply(rep);

        entry->expires = squid_curtime;

        entry->complete();

        return;
    }

    if (request->header.has(Http::HdrType::ORIGIN)) {
        cmd->params.httpOrigin = request->header.getStr(Http::HdrType::ORIGIN);
    }

    debugs(16, 2, "CacheManager: " <<
           userName << "@" <<
           client << " requesting '" <<
           actionName << "'" );

    // special case: an index page
    if (!strcmp(cmd->profile->name, "index")) {
        ErrorState err(MGR_INDEX, Http::scOkay, request, ale);
        err.url = xstrdup(entry->url());
        HttpReply *rep = err.BuildHttpReply();
        if (strncmp(rep->body.content(),"Internal Error:", 15) == 0)
            rep->sline.set(Http::ProtocolVersion(1,1), Http::scNotFound);

        const auto originOrNil = request->header.getStr(Http::HdrType::ORIGIN);
        PutCommonResponseHeaders(*rep, originOrNil);

        entry->replaceHttpReply(rep);
        entry->complete();
        return;
    }

    if (UsingSmp() && IamWorkerProcess()) {
        // is client the right connection to pass here?
        AsyncJob::Start(new Mgr::Forwarder(client, cmd->params, request, entry, ale));
        return;
    }

    Mgr::Action::Pointer action = cmd->profile->creator->create(cmd);
    Must(action != nullptr);
    action->run(entry, true);
}

/*
 \ingroup CacheManagerInternal
 * Renders the protection level text for an action.
 * Also doubles as a check for the protection level.
 */
const char *
CacheManager::ActionProtection(const Mgr::ActionProfile::Pointer &profile)
{
    assert(profile != nullptr);
    const char *pwd = PasswdGet(Config.passwd_list, profile->name);

    if (!pwd)
        return profile->isPwReq ? "hidden" : "public";

    if (!strcmp(pwd, "disable"))
        return "disabled";

    if (strcmp(pwd, "none") == 0)
        return "public";

    return "protected";
}

/*
 * \ingroup CacheManagerInternal
 * gets from the global Config the password the user would need to supply
 * for the action she queried
 */
char *
CacheManager::PasswdGet(Mgr::ActionPasswordList * a, const char *action)
{
    while (a) {
        for (auto &w : a->actions) {
            if (w.cmp(action) == 0)
                return a->passwd;

            static const SBuf allAction("all");
            if (w == allAction)
                return a->passwd;
        }

        a = a->next;
    }

    return nullptr;
}

void
CacheManager::PutCommonResponseHeaders(HttpReply &response, const char *httpOrigin)
{
    // Allow cachemgr and other XHR scripts access to our version string
    if (httpOrigin) {
        response.header.putExt("Access-Control-Allow-Origin", httpOrigin);
#if HAVE_AUTH_MODULE_BASIC
        response.header.putExt("Access-Control-Allow-Credentials", "true");
#endif
        response.header.putExt("Access-Control-Expose-Headers", "Server");
    }

    HttpHdrCc cc;
    // this is honored by more caches but allows pointless revalidation;
    // revalidation will always fail because we do not support it (yet?)
    cc.noCache(String());
    // this is honored by fewer caches but prohibits pointless revalidation
    cc.noStore(true);
    response.putCc(cc);
}

CacheManager*
CacheManager::GetInstance()
{
    static CacheManager *instance = nullptr;
    if (!instance) {
        debugs(16, 6, "starting cachemanager up");
        instance = new CacheManager;
        Mgr::RegisterBasics();
    }
    return instance;
}
Commit	Line	Data
	1	/*
	2	* Copyright (C) 1996-2025 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	/* DEBUG: section 16 Cache Manager Objects */
	10
	11	#include "squid.h"
	12	#include "AccessLogEntry.h"
	13	#include "base/TextException.h"
	14	#include "CacheManager.h"
	15	#include "comm/Connection.h"
	16	#include "debug/Stream.h"
	17	#include "error/ExceptionErrorDetail.h"
	18	#include "errorpage.h"
	19	#include "fde.h"
	20	#include "HttpHdrCc.h"
	21	#include "HttpReply.h"
	22	#include "HttpRequest.h"
	23	#include "mgr/Action.h"
	24	#include "mgr/ActionCreator.h"
	25	#include "mgr/ActionPasswordList.h"
	26	#include "mgr/ActionProfile.h"
	27	#include "mgr/BasicActions.h"
	28	#include "mgr/Command.h"
	29	#include "mgr/Forwarder.h"
	30	#include "mgr/FunAction.h"
	31	#include "mgr/QueryParams.h"
	32	#include "parser/Tokenizer.h"
	33	#include "protos.h"
	34	#include "sbuf/Stream.h"
	35	#include "sbuf/StringConvert.h"
	36	#include "SquidConfig.h"
	37	#include "Store.h"
	38	#include "tools.h"
	39	#include "wordlist.h"
	40
	41	#include <algorithm>
	42	#include <memory>
	43
	44	/// \ingroup CacheManagerInternal
	45	#define MGR_PASSWD_SZ 128
	46
	47	void
	48	CacheManager::registerProfile(const Mgr::ActionProfile::Pointer &profile)
	49	{
	50	Must(profile != nullptr);
	51	if (!CacheManager::findAction(profile->name)) {
	52	menu_.push_back(profile);
	53	debugs(16, 3, "registered profile: " << *profile);
	54	} else {
	55	debugs(16, 2, "skipped duplicate profile: " << *profile);
	56	}
	57	}
	58
	59	/**
	60	\ingroup CacheManagerInternal
	61	* Locates an action in the actions registry ActionsList.
	62	\retval NULL if Action not found
	63	\retval CacheManagerAction* if the action was found
	64	*/
	65	Mgr::ActionProfile::Pointer
	66	CacheManager::findAction(char const * action) const
	67	{
	68	Must(action != nullptr);
	69	Menu::const_iterator a;
	70
	71	debugs(16, 5, "CacheManager::findAction: looking for action " << action);
	72	for (a = menu_.begin(); a != menu_.end(); ++a) {
	73	if (0 == strcmp((*a)->name, action)) {
	74	debugs(16, 6, " found");
	75	return *a;
	76	}
	77	}
	78
	79	debugs(16, 6, "Action not found.");
	80	return Mgr::ActionProfilePointer();
	81	}
	82
	83	Mgr::Action::Pointer
	84	CacheManager::createNamedAction(const char *actionName)
	85	{
	86	Must(actionName);
	87
	88	Mgr::Command::Pointer cmd = new Mgr::Command;
	89	cmd->profile = findAction(actionName);
	90	cmd->params.actionName = actionName;
	91
	92	Must(cmd->profile != nullptr);
	93	return cmd->profile->creator->create(cmd);
	94	}
	95
	96	Mgr::Action::Pointer
	97	CacheManager::createRequestedAction(const Mgr::ActionParams &params)
	98	{
	99	Mgr::Command::Pointer cmd = new Mgr::Command;
	100	cmd->params = params;
	101	cmd->profile = findAction(params.actionName.termedBuf());
	102	Must(cmd->profile != nullptr);
	103	return cmd->profile->creator->create(cmd);
	104	}
	105
	106	const SBuf &
	107	CacheManager::WellKnownUrlPathPrefix()
	108	{
	109	static const SBuf prefix("/squid-internal-mgr/");
	110	return prefix;
	111	}
	112
	113	/**
	114	* Parses the action requested by the user and checks via
	115	* CacheManager::ActionProtection() that the item is accessible by the user.
	116	*
	117	* Syntax:
	118	*
	119	* [ scheme "://" authority ] '/squid-internal-mgr' path-absolute [ "?" query ] [ "#" fragment ]
	120	*
	121	* see RFC 3986 for definitions of scheme, authority, path-absolute, query
	122	*
	123	* \returns Mgr::Command object with action to perform and parameters it might use
	124	*/
	125	Mgr::Command::Pointer
	126	CacheManager::ParseUrl(const AnyP::Uri &uri)
	127	{
	128	Parser::Tokenizer tok(uri.path());
	129
	130	Assure(tok.skip(WellKnownUrlPathPrefix()));
	131
	132	Mgr::Command::Pointer cmd = new Mgr::Command();
	133	cmd->params.httpUri = SBufToString(uri.absolute());
	134
	135	static const auto fieldChars = CharacterSet("mgr-field", "?#").complement();
	136
	137	SBuf action;
	138	if (!tok.prefix(action, fieldChars)) {
	139	static const SBuf indexReport("index");
	140	action = indexReport;
	141	}
	142	cmd->params.actionName = SBufToString(action);
	143
	144	const auto profile = findAction(action.c_str());
	145	if (!profile)
	146	throw TextException(ToSBuf("action '", action, "' not found"), Here());
	147
	148	const char *prot = ActionProtection(profile);
	149	if (!strcmp(prot, "disabled") \|\| !strcmp(prot, "hidden"))
	150	throw TextException(ToSBuf("action '", action, "' is ", prot), Here());
	151	cmd->profile = profile;
	152
	153	// TODO: fix when AnyP::Uri::parse() separates path?query#fragment
	154	SBuf params;
	155	if (tok.skip('?')) {
	156	params = tok.remaining();
	157	Mgr::QueryParams::Parse(tok, cmd->params.queryParams);
	158	}
	159
	160	if (!tok.skip('#') && !tok.atEnd())
	161	throw TextException("invalid characters in URL", Here());
	162	// else ignore #fragment (if any)
	163
	164	debugs(16, 3, "MGR request: host=" << uri.host() << ", action=" << action << ", params=" << params);
	165
	166	return cmd;
	167	}
	168
	169	/// \ingroup CacheManagerInternal
	170	/*
	171	\ingroup CacheManagerInternal
	172	* Decodes the headers needed to perform user authentication and fills
	173	* the details into the cachemgrStateData argument
	174	*/
	175	void
	176	CacheManager::ParseHeaders(const HttpRequest * request, Mgr::ActionParams &params)
	177	{
	178	assert(request);
	179
	180	params.httpMethod = request->method.id();
	181	params.httpFlags = request->flags;
	182
	183	#if HAVE_AUTH_MODULE_BASIC
	184	// TODO: use the authentication system decode to retrieve these details properly.
	185
	186	/* base 64 _decoded_ user:passwd pair */
	187	const auto basic_cookie(request->header.getAuthToken(Http::HdrType::AUTHORIZATION, "Basic"));
	188
	189	if (basic_cookie.isEmpty())
	190	return;
	191
	192	const auto colonPos = basic_cookie.find(':');
	193	if (colonPos == SBuf::npos) {
	194	debugs(16, DBG_IMPORTANT, "ERROR: CacheManager::ParseHeaders: unknown basic_cookie format '" << basic_cookie << "'");
	195	return;
	196	}
	197
	198	/* found user:password pair, reset old values */
	199	params.userName = SBufToString(basic_cookie.substr(0, colonPos));
	200	params.password = SBufToString(basic_cookie.substr(colonPos+1));
	201
	202	/* warning: this prints decoded password which maybe not be what you want to do @?@ @?@ */
	203	debugs(16, 9, "CacheManager::ParseHeaders: got user: '" <<
	204	params.userName << "' passwd: '" << params.password << "'");
	205	#endif
	206	}
	207
	208	/**
	209	\ingroup CacheManagerInternal
	210	*
	211	\retval 0 if mgr->password is good or "none"
	212	\retval 1 if mgr->password is "disable"
	213	\retval !0 if mgr->password does not match configured password
	214	*/
	215	int
	216	CacheManager::CheckPassword(const Mgr::Command &cmd)
	217	{
	218	assert(cmd.profile != nullptr);
	219	const char *action = cmd.profile->name;
	220	char *pwd = PasswdGet(Config.passwd_list, action);
	221
	222	debugs(16, 4, "CacheManager::CheckPassword for action " << action);
	223
	224	if (pwd == nullptr)
	225	return cmd.profile->isPwReq;
	226
	227	if (strcmp(pwd, "disable") == 0)
	228	return 1;
	229
	230	if (strcmp(pwd, "none") == 0)
	231	return 0;
	232
	233	if (!cmd.params.password.size())
	234	return 1;
	235
	236	return cmd.params.password != pwd;
	237	}
	238
	239	/**
	240	\ingroup CacheManagerAPI
	241	* Main entry point in the Cache Manager's activity. Gets called as part
	242	* of the forward chain if the right URL is detected there. Initiates
	243	* all needed internal work and renders the response.
	244	*/
	245	void
	246	CacheManager::start(const Comm::ConnectionPointer &client, HttpRequest request, StoreEntry entry, const AccessLogEntry::Pointer &ale)
	247	{
	248	debugs(16, 3, "request-url= '" << request->url << "', entry-url='" << entry->url() << "'");
	249
	250	Mgr::Command::Pointer cmd;
	251	try {
	252	cmd = ParseUrl(request->url);
	253
	254	} catch (...) {
	255	debugs(16, 2, "request URL error: " << CurrentException);
	256	const auto err = new ErrorState(ERR_INVALID_URL, Http::scNotFound, request, ale);
	257	err->url = xstrdup(entry->url());
	258	err->detailError(new ExceptionErrorDetail(Here().id()));
	259	errorAppendEntry(entry, err);
	260	return;
	261	}
	262
	263	const char *actionName = cmd->profile->name;
	264
	265	entry->expires = squid_curtime;
	266
	267	debugs(16, 5, "CacheManager: " << client << " requesting '" << actionName << "'");
	268
	269	/* get additional info from request headers */
	270	ParseHeaders(request, cmd->params);
	271
	272	const char *userName = cmd->params.userName.size() ?
	273	cmd->params.userName.termedBuf() : "unknown";
	274
	275	/* Check password */
	276
	277	if (CheckPassword(*cmd) != 0) {
	278	/* build error message */
	279	ErrorState errState(ERR_CACHE_MGR_ACCESS_DENIED, Http::scUnauthorized, request, ale);
	280	/* warn if user specified incorrect password */
	281
	282	if (cmd->params.password.size()) {
	283	debugs(16, DBG_IMPORTANT, "CacheManager: " <<
	284	userName << "@" <<
	285	client << ": incorrect password for '" <<
	286	actionName << "'" );
	287	} else {
	288	debugs(16, DBG_IMPORTANT, "CacheManager: " <<
	289	userName << "@" <<
	290	client << ": password needed for '" <<
	291	actionName << "'" );
	292	}
	293
	294	HttpReply *rep = errState.BuildHttpReply();
	295
	296	#if HAVE_AUTH_MODULE_BASIC
	297	/*
	298	* add Authenticate header using action name as a realm because
	299	* password depends on the action
	300	*/
	301	rep->header.putAuth("Basic", actionName);
	302	#endif
	303
	304	const auto originOrNil = request->header.getStr(Http::HdrType::ORIGIN);
	305	PutCommonResponseHeaders(*rep, originOrNil);
	306
	307	/* store the reply */
	308	entry->replaceHttpReply(rep);
	309
	310	entry->expires = squid_curtime;
	311
	312	entry->complete();
	313
	314	return;
	315	}
	316
	317	if (request->header.has(Http::HdrType::ORIGIN)) {
	318	cmd->params.httpOrigin = request->header.getStr(Http::HdrType::ORIGIN);
	319	}
	320
	321	debugs(16, 2, "CacheManager: " <<
	322	userName << "@" <<
	323	client << " requesting '" <<
	324	actionName << "'" );
	325
	326	// special case: an index page
	327	if (!strcmp(cmd->profile->name, "index")) {
	328	ErrorState err(MGR_INDEX, Http::scOkay, request, ale);
	329	err.url = xstrdup(entry->url());
	330	HttpReply *rep = err.BuildHttpReply();
	331	if (strncmp(rep->body.content(),"Internal Error:", 15) == 0)
	332	rep->sline.set(Http::ProtocolVersion(1,1), Http::scNotFound);
	333
	334	const auto originOrNil = request->header.getStr(Http::HdrType::ORIGIN);
	335	PutCommonResponseHeaders(*rep, originOrNil);
	336
	337	entry->replaceHttpReply(rep);
	338	entry->complete();
	339	return;
	340	}
	341
	342	if (UsingSmp() && IamWorkerProcess()) {
	343	// is client the right connection to pass here?
	344	AsyncJob::Start(new Mgr::Forwarder(client, cmd->params, request, entry, ale));
	345	return;
	346	}
	347
	348	Mgr::Action::Pointer action = cmd->profile->creator->create(cmd);
	349	Must(action != nullptr);
	350	action->run(entry, true);
	351	}
	352
	353	/*
	354	\ingroup CacheManagerInternal
	355	* Renders the protection level text for an action.
	356	* Also doubles as a check for the protection level.
	357	*/
	358	const char *
	359	CacheManager::ActionProtection(const Mgr::ActionProfile::Pointer &profile)
	360	{
	361	assert(profile != nullptr);
	362	const char *pwd = PasswdGet(Config.passwd_list, profile->name);
	363
	364	if (!pwd)
	365	return profile->isPwReq ? "hidden" : "public";
	366
	367	if (!strcmp(pwd, "disable"))
	368	return "disabled";
	369
	370	if (strcmp(pwd, "none") == 0)
	371	return "public";
	372
	373	return "protected";
	374	}
	375
	376	/*
	377	* \ingroup CacheManagerInternal
	378	* gets from the global Config the password the user would need to supply
	379	* for the action she queried
	380	*/
	381	char *
	382	CacheManager::PasswdGet(Mgr::ActionPasswordList * a, const char *action)
	383	{
	384	while (a) {
	385	for (auto &w : a->actions) {
	386	if (w.cmp(action) == 0)
	387	return a->passwd;
	388
	389	static const SBuf allAction("all");
	390	if (w == allAction)
	391	return a->passwd;
	392	}
	393
	394	a = a->next;
	395	}
	396
	397	return nullptr;
	398	}
	399
	400	void
	401	CacheManager::PutCommonResponseHeaders(HttpReply &response, const char *httpOrigin)
	402	{
	403	// Allow cachemgr and other XHR scripts access to our version string
	404	if (httpOrigin) {
	405	response.header.putExt("Access-Control-Allow-Origin", httpOrigin);
	406	#if HAVE_AUTH_MODULE_BASIC
	407	response.header.putExt("Access-Control-Allow-Credentials", "true");
	408	#endif
	409	response.header.putExt("Access-Control-Expose-Headers", "Server");
	410	}
	411
	412	HttpHdrCc cc;
	413	// this is honored by more caches but allows pointless revalidation;
	414	// revalidation will always fail because we do not support it (yet?)
	415	cc.noCache(String());
	416	// this is honored by fewer caches but prohibits pointless revalidation
	417	cc.noStore(true);
	418	response.putCc(cc);
	419	}
	420
	421	CacheManager*
	422	CacheManager::GetInstance()
	423	{
	424	static CacheManager *instance = nullptr;
	425	if (!instance) {
	426	debugs(16, 6, "starting cachemanager up");
	427	instance = new CacheManager;
	428	Mgr::RegisterBasics();
	429	}
	430	return instance;
	431	}
	432