2 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
13 #include "acl/Checklist.h"
14 #include "acl/Gadgets.h"
15 #include "acl/Options.h"
16 #include "anyp/PortCfg.h"
18 #include "ConfigParser.h"
22 #include "profiler/Profiler.h"
23 #include "sbuf/List.h"
24 #include "sbuf/Stream.h"
25 #include "SquidConfig.h"
30 const char *AclMatchedName
= NULL
;
34 /// ACL type name comparison functor
37 bool operator()(TypeName a
, TypeName b
) const { return strcmp(a
, b
) < 0; }
40 /// ACL makers indexed by ACL type name
41 typedef std::map
<TypeName
, Maker
, TypeNameCmp
> Makers
;
43 /// registered ACL Makers
47 static Makers Registry
;
51 /// creates an ACL object of the named (and already registered) ACL child type
54 Make(TypeName typeName
)
56 const auto pos
= TheMakers().find(typeName
);
57 if (pos
== TheMakers().end()) {
58 debugs(28, DBG_CRITICAL
, "FATAL: Invalid ACL type '" << typeName
<< "'");
60 assert(false); // not reached
63 ACL
*result
= (pos
->second
)(pos
->first
);
64 debugs(28, 4, typeName
<< '=' << result
);
72 Acl::RegisterMaker(TypeName typeName
, Maker maker
)
76 TheMakers().emplace(typeName
, maker
);
80 ACL::operator new (size_t)
82 fatal ("unusable ACL::new");
87 ACL::operator delete (void *)
89 fatal ("unusable ACL::delete");
93 ACL::FindByName(const char *name
)
96 debugs(28, 9, "ACL::FindByName '" << name
<< "'");
98 for (a
= Config
.aclList
; a
; a
= a
->next
)
99 if (!strcasecmp(a
->name
, name
))
102 debugs(28, 9, "ACL::FindByName found no match");
115 bool ACL::valid () const
121 ACL::matches(ACLChecklist
*checklist
) const
123 PROF_start(ACL_matches
);
124 debugs(28, 5, "checking " << name
);
126 // XXX: AclMatchedName does not contain a matched ACL name when the acl
127 // does not match. It contains the last (usually leaf) ACL name checked
128 // (or is NULL if no ACLs were checked).
129 AclMatchedName
= name
;
132 if (!checklist
->hasAle() && requiresAle()) {
133 debugs(28, DBG_IMPORTANT
, "WARNING: " << name
<< " ACL is used in " <<
134 "context without an ALE state. Assuming mismatch.");
135 } else if (!checklist
->hasRequest() && requiresRequest()) {
136 debugs(28, DBG_IMPORTANT
, "WARNING: " << name
<< " ACL is used in " <<
137 "context without an HTTP request. Assuming mismatch.");
138 } else if (!checklist
->hasReply() && requiresReply()) {
139 debugs(28, DBG_IMPORTANT
, "WARNING: " << name
<< " ACL is used in " <<
140 "context without an HTTP response. Assuming mismatch.");
142 // make sure the ALE has as much data as possible
144 checklist
->syncAle();
146 // have to cast because old match() API is missing const
147 result
= const_cast<ACL
*>(this)->match(checklist
);
150 const char *extra
= checklist
->asyncInProgress() ? " async" : "";
151 debugs(28, 3, "checked: " << name
<< " = " << result
<< extra
);
152 PROF_stop(ACL_matches
);
153 return result
== 1; // true for match; false for everything else
157 ACL::context(const char *aName
, const char *aCfgLine
)
161 xstrncpy(name
, aName
, ACL_NAME_SZ
-1);
164 cfgline
= xstrdup(aCfgLine
);
168 ACL::ParseAclLine(ConfigParser
&parser
, ACL
** head
)
170 /* we're already using strtok() to grok the line */
173 LOCAL_ARRAY(char, aclname
, ACL_NAME_SZ
);
176 /* snarf the ACL name */
178 if ((t
= ConfigParser::NextToken()) == NULL
) {
179 debugs(28, DBG_CRITICAL
, "aclParseAclLine: missing ACL name.");
184 if (strlen(t
) >= ACL_NAME_SZ
) {
185 debugs(28, DBG_CRITICAL
, "aclParseAclLine: aclParseAclLine: ACL name '" << t
<<
186 "' too long, max " << ACL_NAME_SZ
- 1 << " characters supported");
191 xstrncpy(aclname
, t
, ACL_NAME_SZ
);
192 /* snarf the ACL type */
195 if ((theType
= ConfigParser::NextToken()) == NULL
) {
196 debugs(28, DBG_CRITICAL
, "aclParseAclLine: missing ACL type.");
201 // Is this ACL going to work?
202 if (strcmp(theType
, "myip") == 0) {
203 AnyP::PortCfgPointer p
= HttpPortList
;
205 // Bug 3239: not reliable when there is interception traffic coming
206 if (p
->flags
.natIntercept
)
207 debugs(28, DBG_CRITICAL
, "WARNING: 'myip' ACL is not reliable for interception proxies. Please use 'myportname' instead.");
210 debugs(28, DBG_IMPORTANT
, "UPGRADE: ACL 'myip' type is has been renamed to 'localip' and matches the IP the client connected to.");
212 } else if (strcmp(theType
, "myport") == 0) {
213 AnyP::PortCfgPointer p
= HttpPortList
;
215 // Bug 3239: not reliable when there is interception traffic coming
216 // Bug 3239: myport - not reliable (yet) when there is interception traffic coming
217 if (p
->flags
.natIntercept
)
218 debugs(28, DBG_CRITICAL
, "WARNING: 'myport' ACL is not reliable for interception proxies. Please use 'myportname' instead.");
221 theType
= "localport";
222 debugs(28, DBG_IMPORTANT
, "UPGRADE: ACL 'myport' type is has been renamed to 'localport' and matches the port the client connected to.");
223 } else if (strcmp(theType
, "proto") == 0 && strcmp(aclname
, "manager") == 0) {
224 // ACL manager is now a built-in and has a different type.
225 debugs(28, DBG_PARSE_NOTE(DBG_IMPORTANT
), "UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file.");
226 return; // ignore the line
229 if ((A
= FindByName(aclname
)) == NULL
) {
230 debugs(28, 3, "aclParseAclLine: Creating ACL '" << aclname
<< "'");
231 A
= Acl::Make(theType
);
232 A
->context(aclname
, config_input_line
);
235 if (strcmp (A
->typeString(),theType
) ) {
236 debugs(28, DBG_CRITICAL
, "aclParseAclLine: ACL '" << A
->name
<< "' already exists with different type.");
241 debugs(28, 3, "aclParseAclLine: Appending to '" << aclname
<< "'");
246 * Here we set AclMatchedName in case we need to use it in a
247 * warning message in aclDomainCompare().
249 AclMatchedName
= A
->name
; /* ugly */
253 /*split the function here */
257 * Clear AclMatchedName from our temporary hack
259 AclMatchedName
= NULL
; /* ugly */
265 debugs(28, DBG_CRITICAL
, "Warning: empty ACL: " << A
->cfgline
);
269 fatalf("ERROR: Invalid ACL: %s\n",
273 // add to the global list for searching explicit ACLs by name
274 assert(head
&& *head
== Config
.aclList
);
278 // register for centralized cleanup
283 ACL::isProxyAuth() const
291 // ACL kids that carry ACLData which supports parameter flags override this
292 Acl::ParseFlags(options(), Acl::NoFlags());
299 const auto &myOptions
= options();
300 // optimization: most ACLs do not have myOptions
301 // this check also works around dump_SBufList() adding ' ' after empty items
302 if (!myOptions
.empty()) {
305 const SBuf optionsImage
= stream
.buf();
306 if (!optionsImage
.isEmpty())
307 result
.push_back(optionsImage
);
312 /* ACL result caching routines */
315 ACL::matchForCache(ACLChecklist
*)
317 /* This is a fatal to ensure that cacheMatchAcl calls are _only_
318 * made for supported acl types */
319 fatal("aclCacheMatchAcl: unknown or unexpected ACL type");
320 return 0; /* NOTREACHED */
324 * we lookup an acl's cached results, and if we cannot find the acl being
325 * checked we check it and cache the result. This function is a template
326 * method to support caching of multiple acl types.
327 * Note that caching of time based acl's is not
328 * wise in long lived caches (i.e. the auth_user proxy match cache)
330 * TODO: does a dlink_list perform well enough? Kinkie
333 ACL::cacheMatchAcl(dlink_list
* cache
, ACLChecklist
*checklist
)
335 acl_proxy_auth_match_cache
*auth_match
;
340 auth_match
= (acl_proxy_auth_match_cache
*)link
->data
;
342 if (auth_match
->acl_data
== this) {
343 debugs(28, 4, "ACL::cacheMatchAcl: cache hit on acl '" << name
<< "' (" << this << ")");
344 return auth_match
->matchrv
;
350 auth_match
= new acl_proxy_auth_match_cache(matchForCache(checklist
), this);
351 dlinkAddTail(auth_match
, &auth_match
->link
, cache
);
352 debugs(28, 4, "ACL::cacheMatchAcl: miss for '" << name
<< "'. Adding result " << auth_match
->matchrv
);
353 return auth_match
->matchrv
;
357 aclCacheMatchFlush(dlink_list
* cache
)
359 acl_proxy_auth_match_cache
*auth_match
;
360 dlink_node
*link
, *tmplink
;
363 debugs(28, 8, "aclCacheMatchFlush called for cache " << cache
);
366 auth_match
= (acl_proxy_auth_match_cache
*)link
->data
;
369 dlinkDelete(tmplink
, cache
);
375 ACL::requiresAle() const
381 ACL::requiresReply() const
387 ACL::requiresRequest() const
392 /*********************/
393 /* Destroy functions */
394 /*********************/
398 debugs(28, 3, "freeing ACL " << name
);
400 AclMatchedName
= NULL
; // in case it was pointing to our name
406 ACL
*a
= Config
.aclList
;
407 debugs(53, 3, "ACL::Initialize");