]>
git.ipfire.org Git - thirdparty/squid.git/blob - src/acl/Checklist.cc
4 * DEBUG: section 28 Access Control
5 * AUTHOR: Duane Wessels
7 * SQUID Web Proxy Cache http://www.squid-cache.org/
8 * ----------------------------------------------------------
10 * Squid is the result of efforts by numerous individuals from
11 * the Internet community; see the CONTRIBUTORS file for full
12 * details. Many organizations have provided support for Squid's
13 * development; see the SPONSORS file for full details. Squid is
14 * Copyrighted (C) 2001 by the Regents of the University of
15 * California; see the COPYRIGHT file for full details. Squid
16 * incorporates software developed and/or copyrighted by other
17 * sources; see the CREDITS file for full details.
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
33 * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
36 #include "squid-old.h"
37 #include "acl/Checklist.h"
40 ACLChecklist::currentAnswer() const
46 ACLChecklist::currentAnswer(allow_t
const newAnswer
)
52 ACLChecklist::matchNonBlocking()
57 /** Deny if no rules present. */
58 currentAnswer(ACCESS_DENIED
);
61 checkCallback(currentAnswer());
65 /** The ACL List should NEVER be NULL when calling this method.
66 * Always caller should check for NULL and handle appropriate to its needs first.
67 * We cannot select a sensible default for all callers here. */
68 if (accessList
== NULL
) {
69 debugs(28, DBG_CRITICAL
, "SECURITY ERROR: ACL " << this << " checked with nothing to match against!!");
70 currentAnswer(ACCESS_DENIED
);
71 checkCallback(currentAnswer());
75 /* NOTE: This holds a cbdata reference to the current access_list
76 * entry, not the whole list.
78 while (accessList
!= NULL
) {
80 * If the _acl_access is no longer valid (i.e. its been
81 * freed because of a reconfigure), then bail on this
82 * access check. For now, return ACCESS_DENIED.
85 if (!cbdataReferenceValid(accessList
)) {
86 cbdataReferenceDone(accessList
);
87 debugs(28, 4, "ACLChecklist::check: " << this << " accessList is invalid");
95 if (asyncInProgress()) {
101 * Either the request is allowed, denied, requires authentication.
103 debugs(28, 3, "ACLChecklist::check: " << this << " match found, calling back with " << currentAnswer());
104 cbdataReferenceDone(accessList
); /* A */
105 checkCallback(currentAnswer());
106 /* From here on in, this may be invalid */
111 * Reference the next access entry
113 const acl_access
*A
= accessList
;
117 accessList
= cbdataReference(A
->next
);
119 cbdataReferenceDone(A
);
122 /** If dropped off the end of the list return inversion of last line allow/deny action. */
123 debugs(28, 3, HERE
<< this << " NO match found, returning " <<
124 (currentAnswer() != ACCESS_DENIED
? ACCESS_DENIED
: ACCESS_ALLOWED
));
126 checkCallback(currentAnswer() != ACCESS_DENIED
? ACCESS_DENIED
: ACCESS_ALLOWED
);
130 ACLChecklist::asyncInProgress() const
136 ACLChecklist::asyncInProgress(bool const newAsync
)
138 assert (!finished() && !(asyncInProgress() && newAsync
));
140 debugs(28, 3, "ACLChecklist::asyncInProgress: " << this <<
141 " async set to " << async_
);
145 ACLChecklist::finished() const
151 ACLChecklist::markFinished()
153 assert (!finished() && !asyncInProgress());
155 debugs(28, 3, "ACLChecklist::markFinished: " << this <<
156 " checklist processing finished");
160 ACLChecklist::preCheck()
162 debugs(28, 3, "ACLChecklist::preCheck: " << this << " checking '" << accessList
->cfgline
<< "'");
163 /* what is our result on a match? */
164 currentAnswer(accessList
->allow
);
168 ACLChecklist::checkAccessList()
171 /* does the current AND clause match */
172 matchAclList(accessList
->aclList
, false);
176 ACLChecklist::checkForAsync()
178 asyncState()->checkForAsync(this);
181 // ACLFilledChecklist overwrites this to unclock something before we
184 ACLChecklist::checkCallback(allow_t answer
)
188 debugs(28, 3, "ACLChecklist::checkCallback: " << this << " answer=" << answer
);
190 callback_
= callback
;
193 if (cbdataReferenceValidDone(callback_data
, &cbdata_
))
194 callback_(answer
, cbdata_
);
200 ACLChecklist::matchAclList(const ACLList
* head
, bool const fast
)
202 PROF_start(aclMatchAclList
);
203 const ACLList
*node
= head
;
208 bool nodeMatched
= node
->matches(this);
211 changeState(NullState::Instance());
214 PROF_stop(aclMatchAclList
);
218 if (!nodeMatched
|| state_
!= NullState::Instance()) {
220 bool async
= state_
!= NullState::Instance();
224 bool async_in_progress
= asyncInProgress();
225 debugs(28, 3, "aclmatchAclList: async=" << (async
? 1 : 0) <<
226 " nodeMatched=" << (nodeMatched
? 1 : 0) <<
227 " async_in_progress=" << (async_in_progress
? 1 : 0) <<
228 " lastACLResult() = " << (lastACLResult() ? 1 : 0) <<
229 " finished() = " << finished());
232 debugs(28, 3, "aclmatchAclList: " << this << " returning (AND list entry failed to match)");
233 PROF_stop(aclMatchAclList
);
237 if (async
&& nodeMatched
&& !asyncInProgress() && lastACLResult()) {
238 // async acl, but using cached response, and it was a match
243 debugs(28, 3, "aclmatchAclList: " << this << " returning (AND list entry awaiting an async lookup)");
244 PROF_stop(aclMatchAclList
);
251 debugs(28, 3, "aclmatchAclList: " << this << " returning true (AND list satisfied)");
254 PROF_stop(aclMatchAclList
);
257 ACLChecklist::ACLChecklist() :
260 callback_data (NULL
),
263 allow_(ACCESS_DENIED
),
264 state_(NullState::Instance()),
265 lastACLResult_(false)
269 ACLChecklist::~ACLChecklist()
271 assert (!asyncInProgress());
273 cbdataReferenceDone(accessList
);
275 debugs(28, 4, "ACLChecklist::~ACLChecklist: destroyed " << this);
280 ACLChecklist::AsyncState::changeState (ACLChecklist
*checklist
, AsyncState
*newState
) const
282 checklist
->changeState(newState
);
285 ACLChecklist::NullState
*
286 ACLChecklist::NullState::Instance()
292 ACLChecklist::NullState::checkForAsync(ACLChecklist
*) const
295 ACLChecklist::NullState
ACLChecklist::NullState::_instance
;
298 ACLChecklist::changeState (AsyncState
*newState
)
300 /* only change from null to active and back again,
301 * not active to active.
302 * relax this once conversion to states is complete
305 assert (state_
== NullState::Instance() || newState
== NullState::Instance());
309 ACLChecklist::AsyncState
*
310 ACLChecklist::asyncState() const
316 * Kick off a non-blocking (slow) ACL access list test
318 * NP: this should probably be made Async now.
321 ACLChecklist::nonBlockingCheck(ACLCB
* callback_
, void *callback_data_
)
323 callback
= callback_
;
324 callback_data
= cbdataReference(callback_data_
);
329 ACLChecklist::fastCheck(const ACLList
* list
)
331 PROF_start(aclCheckFast
);
332 currentAnswer(ACCESS_DUNNO
);
333 matchAclList(list
, true);
334 // assume ALLOWED on matches due to not having an acl_access object
336 currentAnswer(ACCESS_ALLOWED
);
337 PROF_stop(aclCheckFast
);
338 return currentAnswer();
341 /* Warning: do not cbdata lock this here - it
342 * may be static or on the stack
345 ACLChecklist::fastCheck()
347 PROF_start(aclCheckFast
);
348 currentAnswer(ACCESS_DUNNO
);
350 debugs(28, 5, "aclCheckFast: list: " << accessList
);
351 const acl_access
*acl
= cbdataReference(accessList
);
352 while (acl
!= NULL
&& cbdataReferenceValid(acl
)) {
353 matchAclList(acl
->aclList
, true);
355 currentAnswer(acl
->allow
);
356 PROF_stop(aclCheckFast
);
357 cbdataReferenceDone(acl
);
358 return currentAnswer();
362 * Reference the next access entry
364 const acl_access
*A
= acl
;
365 acl
= cbdataReference(acl
->next
);
366 cbdataReferenceDone(A
);
369 debugs(28, 5, "aclCheckFast: no matches, returning: " << currentAnswer());
370 PROF_stop(aclCheckFast
);
372 return currentAnswer();
377 ACLChecklist::checking() const
383 ACLChecklist::checking (bool const newValue
)
385 checking_
= newValue
;
389 ACLChecklist::callerGone()
391 return !cbdataReferenceValid(callback_data
);