]> git.ipfire.org Git - thirdparty/squid.git/blob - src/acl/Acl.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Simplified MSNT basic auth helper
[thirdparty/squid.git] / src / acl / Acl.cc
1 /*
2 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 28 Access Control */
10
11 #include "squid.h"
12 #include "acl/Acl.h"
13 #include "acl/Checklist.h"
14 #include "acl/Gadgets.h"
15 #include "anyp/PortCfg.h"
16 #include "cache_cf.h"
17 #include "ConfigParser.h"
18 #include "Debug.h"
19 #include "dlink.h"
20 #include "fatal.h"
21 #include "globals.h"
22 #include "profiler/Profiler.h"
23 #include "SquidConfig.h"
24
25 #include <vector>
26
27 const ACLFlag ACLFlags::NoFlags[1] = {ACL_F_END};
28
29 const char *AclMatchedName = NULL;
30
31 bool ACLFlags::supported(const ACLFlag f) const
32 {
33 if (f == ACL_F_REGEX_CASE)
34 return true;
35 return (supported_.find(f) != std::string::npos);
36 }
37
38 void
39 ACLFlags::parseFlags()
40 {
41 char *nextToken;
42 while ((nextToken = ConfigParser::PeekAtToken()) != NULL && nextToken[0] == '-') {
43 (void)ConfigParser::NextToken(); //Get token from cfg line
44 //if token is the "--" break flag
45 if (strcmp(nextToken, "--") == 0)
46 break;
47
48 for (const char *flg = nextToken+1; *flg!='\0'; flg++ ) {
49 if (supported(*flg)) {
50 makeSet(*flg);
51 } else {
52 debugs(28, 0, HERE << "Flag '" << *flg << "' not supported");
53 self_destruct();
54 }
55 }
56 }
57
58 /*Regex code needs to parse -i file*/
59 if ( isSet(ACL_F_REGEX_CASE))
60 ConfigParser::TokenPutBack("-i");
61 }
62
63 const char *
64 ACLFlags::flagsStr() const
65 {
66 static char buf[64];
67 if (flags_ == 0)
68 return "";
69
70 char *s = buf;
71 *s++ = '-';
72 for (ACLFlag f = 'A'; f <= 'z'; f++) {
73 // ACL_F_REGEX_CASE (-i) flag handled by ACLRegexData class, ignore
74 if (isSet(f) && f != ACL_F_REGEX_CASE)
75 *s++ = f;
76 }
77 *s = '\0';
78 return buf;
79 }
80
81 void *
82 ACL::operator new (size_t byteCount)
83 {
84 fatal ("unusable ACL::new");
85 return (void *)1;
86 }
87
88 void
89 ACL::operator delete (void *address)
90 {
91 fatal ("unusable ACL::delete");
92 }
93
94 ACL *
95 ACL::FindByName(const char *name)
96 {
97 ACL *a;
98 debugs(28, 9, "ACL::FindByName '" << name << "'");
99
100 for (a = Config.aclList; a; a = a->next)
101 if (!strcasecmp(a->name, name))
102 return a;
103
104 debugs(28, 9, "ACL::FindByName found no match");
105
106 return NULL;
107 }
108
109 ACL *
110 ACL::Factory (char const *type)
111 {
112 ACL *result = Prototype::Factory (type);
113
114 if (!result)
115 fatal ("Unknown acl type in ACL::Factory");
116
117 return result;
118 }
119
120 ACL::ACL() :
121 cfgline(NULL),
122 next(NULL),
123 registered(false)
124 {
125 *name = 0;
126 }
127
128 bool ACL::valid () const
129 {
130 return true;
131 }
132
133 bool
134 ACL::matches(ACLChecklist *checklist) const
135 {
136 PROF_start(ACL_matches);
137 debugs(28, 5, "checking " << name);
138
139 // XXX: AclMatchedName does not contain a matched ACL name when the acl
140 // does not match. It contains the last (usually leaf) ACL name checked
141 // (or is NULL if no ACLs were checked).
142 AclMatchedName = name;
143
144 int result = 0;
145 if (!checklist->hasRequest() && requiresRequest()) {
146 debugs(28, DBG_IMPORTANT, "WARNING: " << name << " ACL is used in " <<
147 "context without an HTTP request. Assuming mismatch.");
148 } else if (!checklist->hasReply() && requiresReply()) {
149 debugs(28, DBG_IMPORTANT, "WARNING: " << name << " ACL is used in " <<
150 "context without an HTTP response. Assuming mismatch.");
151 } else {
152 // have to cast because old match() API is missing const
153 result = const_cast<ACL*>(this)->match(checklist);
154 }
155
156 const char *extra = checklist->asyncInProgress() ? " async" : "";
157 debugs(28, 3, "checked: " << name << " = " << result << extra);
158 PROF_stop(ACL_matches);
159 return result == 1; // true for match; false for everything else
160 }
161
162 void
163 ACL::context(const char *aName, const char *aCfgLine)
164 {
165 name[0] = '\0';
166 if (aName)
167 xstrncpy(name, aName, ACL_NAME_SZ-1);
168 safe_free(cfgline);
169 if (aCfgLine)
170 cfgline = xstrdup(aCfgLine);
171 }
172
173 void
174 ACL::ParseAclLine(ConfigParser &parser, ACL ** head)
175 {
176 /* we're already using strtok() to grok the line */
177 char *t = NULL;
178 ACL *A = NULL;
179 LOCAL_ARRAY(char, aclname, ACL_NAME_SZ);
180 int new_acl = 0;
181
182 /* snarf the ACL name */
183
184 if ((t = ConfigParser::NextToken()) == NULL) {
185 debugs(28, DBG_CRITICAL, "aclParseAclLine: missing ACL name.");
186 parser.destruct();
187 return;
188 }
189
190 if (strlen(t) >= ACL_NAME_SZ) {
191 debugs(28, DBG_CRITICAL, "aclParseAclLine: aclParseAclLine: ACL name '" << t <<
192 "' too long, max " << ACL_NAME_SZ - 1 << " characters supported");
193 parser.destruct();
194 return;
195 }
196
197 xstrncpy(aclname, t, ACL_NAME_SZ);
198 /* snarf the ACL type */
199 const char *theType;
200
201 if ((theType = ConfigParser::NextToken()) == NULL) {
202 debugs(28, DBG_CRITICAL, "aclParseAclLine: missing ACL type.");
203 parser.destruct();
204 return;
205 }
206
207 // Is this ACL going to work?
208 if (strcmp(theType, "myip") == 0) {
209 AnyP::PortCfgPointer p = HttpPortList;
210 while (p != NULL) {
211 // Bug 3239: not reliable when there is interception traffic coming
212 if (p->flags.natIntercept)
213 debugs(28, DBG_CRITICAL, "WARNING: 'myip' ACL is not reliable for interception proxies. Please use 'myportname' instead.");
214 p = p->next;
215 }
216 debugs(28, DBG_IMPORTANT, "UPGRADE: ACL 'myip' type is has been renamed to 'localip' and matches the IP the client connected to.");
217 theType = "localip";
218 } else if (strcmp(theType, "myport") == 0) {
219 AnyP::PortCfgPointer p = HttpPortList;
220 while (p != NULL) {
221 // Bug 3239: not reliable when there is interception traffic coming
222 // Bug 3239: myport - not reliable (yet) when there is interception traffic coming
223 if (p->flags.natIntercept)
224 debugs(28, DBG_CRITICAL, "WARNING: 'myport' ACL is not reliable for interception proxies. Please use 'myportname' instead.");
225 p = p->next;
226 }
227 theType = "localport";
228 debugs(28, DBG_IMPORTANT, "UPGRADE: ACL 'myport' type is has been renamed to 'localport' and matches the port the client connected to.");
229 }
230
231 if (!Prototype::Registered(theType)) {
232 debugs(28, DBG_CRITICAL, "FATAL: Invalid ACL type '" << theType << "'");
233 // XXX: make this an ERROR and skip the ACL creation. We *may* die later when its use is attempted. Or may not.
234 parser.destruct();
235 return;
236 }
237
238 if ((A = FindByName(aclname)) == NULL) {
239 debugs(28, 3, "aclParseAclLine: Creating ACL '" << aclname << "'");
240 A = ACL::Factory(theType);
241 A->context(aclname, config_input_line);
242 new_acl = 1;
243 } else {
244 if (strcmp (A->typeString(),theType) ) {
245 debugs(28, DBG_CRITICAL, "aclParseAclLine: ACL '" << A->name << "' already exists with different type.");
246 parser.destruct();
247 return;
248 }
249
250 debugs(28, 3, "aclParseAclLine: Appending to '" << aclname << "'");
251 new_acl = 0;
252 }
253
254 /*
255 * Here we set AclMatchedName in case we need to use it in a
256 * warning message in aclDomainCompare().
257 */
258 AclMatchedName = A->name; /* ugly */
259
260 A->flags.parseFlags();
261
262 /*split the function here */
263 A->parse();
264
265 /*
266 * Clear AclMatchedName from our temporary hack
267 */
268 AclMatchedName = NULL; /* ugly */
269
270 if (!new_acl)
271 return;
272
273 if (A->empty()) {
274 debugs(28, DBG_CRITICAL, "Warning: empty ACL: " << A->cfgline);
275 }
276
277 if (!A->valid()) {
278 fatalf("ERROR: Invalid ACL: %s\n",
279 A->cfgline);
280 }
281
282 // add to the global list for searching explicit ACLs by name
283 assert(head && *head == Config.aclList);
284 A->next = *head;
285 *head = A;
286
287 // register for centralized cleanup
288 aclRegister(A);
289 }
290
291 bool
292 ACL::isProxyAuth() const
293 {
294 return false;
295 }
296
297 /* ACL result caching routines */
298
299 int
300 ACL::matchForCache(ACLChecklist *checklist)
301 {
302 /* This is a fatal to ensure that cacheMatchAcl calls are _only_
303 * made for supported acl types */
304 fatal("aclCacheMatchAcl: unknown or unexpected ACL type");
305 return 0; /* NOTREACHED */
306 }
307
308 /*
309 * we lookup an acl's cached results, and if we cannot find the acl being
310 * checked we check it and cache the result. This function is a template
311 * method to support caching of multiple acl types.
312 * Note that caching of time based acl's is not
313 * wise in long lived caches (i.e. the auth_user proxy match cache)
314 * RBC
315 * TODO: does a dlink_list perform well enough? Kinkie
316 */
317 int
318 ACL::cacheMatchAcl(dlink_list * cache, ACLChecklist *checklist)
319 {
320 acl_proxy_auth_match_cache *auth_match;
321 dlink_node *link;
322 link = cache->head;
323
324 while (link) {
325 auth_match = (acl_proxy_auth_match_cache *)link->data;
326
327 if (auth_match->acl_data == this) {
328 debugs(28, 4, "ACL::cacheMatchAcl: cache hit on acl '" << name << "' (" << this << ")");
329 return auth_match->matchrv;
330 }
331
332 link = link->next;
333 }
334
335 auth_match = new acl_proxy_auth_match_cache();
336 auth_match->matchrv = matchForCache (checklist);
337 auth_match->acl_data = this;
338 dlinkAddTail(auth_match, &auth_match->link, cache);
339 debugs(28, 4, "ACL::cacheMatchAcl: miss for '" << name << "'. Adding result " << auth_match->matchrv);
340 return auth_match->matchrv;
341 }
342
343 void
344 aclCacheMatchFlush(dlink_list * cache)
345 {
346 acl_proxy_auth_match_cache *auth_match;
347 dlink_node *link, *tmplink;
348 link = cache->head;
349
350 debugs(28, 8, "aclCacheMatchFlush called for cache " << cache);
351
352 while (link) {
353 auth_match = (acl_proxy_auth_match_cache *)link->data;
354 tmplink = link;
355 link = link->next;
356 dlinkDelete(tmplink, cache);
357 delete auth_match;
358 }
359 }
360
361 bool
362 ACL::requiresReply() const
363 {
364 return false;
365 }
366
367 bool
368 ACL::requiresRequest() const
369 {
370 return false;
371 }
372
373 /*********************/
374 /* Destroy functions */
375 /*********************/
376
377 ACL::~ACL()
378 {
379 debugs(28, 3, "ACL::~ACL: '" << cfgline << "'");
380 safe_free(cfgline);
381 AclMatchedName = NULL; // in case it was pointing to our name
382 }
383
384 ACL::Prototype::Prototype() : prototype (NULL), typeString (NULL) {}
385
386 ACL::Prototype::Prototype (ACL const *aPrototype, char const *aType) : prototype (aPrototype), typeString (aType)
387 {
388 registerMe ();
389 }
390
391 std::vector<ACL::Prototype const *> * ACL::Prototype::Registry;
392 void *ACL::Prototype::Initialized;
393
394 bool
395 ACL::Prototype::Registered(char const *aType)
396 {
397 debugs(28, 7, "ACL::Prototype::Registered: invoked for type " << aType);
398
399 for (iterator i = Registry->begin(); i != Registry->end(); ++i)
400 if (!strcmp (aType, (*i)->typeString)) {
401 debugs(28, 7, "ACL::Prototype::Registered: yes");
402 return true;
403 }
404
405 debugs(28, 7, "ACL::Prototype::Registered: no");
406 return false;
407 }
408
409 void
410 ACL::Prototype::registerMe ()
411 {
412 if (!Registry || (Initialized != ((char *)Registry - 5)) ) {
413 /* TODO: extract this */
414 /* Not initialised */
415 Registry = new std::vector<ACL::Prototype const *>;
416 Initialized = (char *)Registry - 5;
417 }
418
419 if (Registered (typeString))
420 fatalf ("Attempt to register %s twice", typeString);
421
422 Registry->push_back (this);
423 }
424
425 ACL::Prototype::~Prototype()
426 {
427 // TODO: unregister me
428 }
429
430 ACL *
431 ACL::Prototype::Factory (char const *typeToClone)
432 {
433 debugs(28, 4, "ACL::Prototype::Factory: cloning an object for type '" << typeToClone << "'");
434
435 for (iterator i = Registry->begin(); i != Registry->end(); ++i)
436 if (!strcmp (typeToClone, (*i)->typeString)) {
437 ACL *A = (*i)->prototype->clone();
438 A->flags = (*i)->prototype->flags;
439 return A;
440 }
441
442 debugs(28, 4, "ACL::Prototype::Factory: cloning failed, no type '" << typeToClone << "' available");
443
444 return NULL;
445 }
446
447 void
448 ACL::Initialize()
449 {
450 ACL *a = Config.aclList;
451 debugs(53, 3, "ACL::Initialize");
452
453 while (a) {
454 a->prepareForUse();
455 a = a->next;
456 }
457 }
458
Mirror of https://github.com/squid-cache/squid.git