src/acl/Gadgets.cc

   1 /*
   2  * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /*
  10  * DEBUG: section 28    Access Control
  11  *
  12  * This file contains ACL routines that are not part of the
  13  * ACL class, nor any other class yet, and that need to be
  14  * factored into appropriate places. They are here to reduce
  15  * unneeded dependencies between the ACL class and the rest
  16  * of squid.
  17  */
  18
  19 #include "squid.h"
  20 #include "acl/Acl.h"
  21 #include "acl/AclDenyInfoList.h"
  22 #include "acl/Checklist.h"
  23 #include "acl/Gadgets.h"
  24 #include "acl/Strategised.h"
  25 #include "acl/Tree.h"
  26 #include "ConfigParser.h"
  27 #include "errorpage.h"
  28 #include "globals.h"
  29 #include "HttpRequest.h"
  30 #include "src/sbuf/Stream.h"
  31
  32 #include <set>
  33 #include <algorithm>
  34
  35 typedef std::set<ACL*> AclSet;
  36 /// Accumulates all ACLs to facilitate their clean deletion despite reuse.
  37 static AclSet *RegisteredAcls; // TODO: Remove when ACLs are refcounted
  38
  39 /* does name lookup, returns page_id */
  40 err_type
  41 aclGetDenyInfoPage(AclDenyInfoList ** head, const char *name, int redirect_allowed)
  42 {
  43     if (!name) {
  44         debugs(28, 3, "ERR_NONE due to a NULL name");
  45         return ERR_NONE;
  46     }
  47
  48     AclDenyInfoList *A = NULL;
  49
  50     debugs(28, 8, HERE << "got called for " << name);
  51
  52     for (A = *head; A; A = A->next) {
  53         if (!redirect_allowed && strchr(A->err_page_name, ':') ) {
  54             debugs(28, 8, HERE << "Skip '" << A->err_page_name << "' 30x redirects not allowed as response here.");
  55             continue;
  56         }
  57
  58         for (const auto &aclName: A->acl_list) {
  59             if (aclName.cmp(name) == 0) {
  60                 debugs(28, 8, "match on " << name);
  61                 return A->err_page_id;
  62             }
  63         }
  64     }
  65
  66     debugs(28, 8, "aclGetDenyInfoPage: no match");
  67     return ERR_NONE;
  68 }
  69
  70 /* does name lookup, returns if it is a proxy_auth acl */
  71 int
  72 aclIsProxyAuth(const char *name)
  73 {
  74     if (!name) {
  75         debugs(28, 3, "false due to a NULL name");
  76         return false;
  77     }
  78
  79     debugs(28, 5, "aclIsProxyAuth: called for " << name);
  80
  81     ACL *a;
  82
  83     if ((a = ACL::FindByName(name))) {
  84         debugs(28, 5, "aclIsProxyAuth: returning " << a->isProxyAuth());
  85         return a->isProxyAuth();
  86     }
  87
  88     debugs(28, 3, "aclIsProxyAuth: WARNING, called for nonexistent ACL");
  89     return false;
  90 }
  91
  92 /* maex@space.net (05.09.96)
  93  *    get the info for redirecting "access denied" to info pages
  94  *      TODO (probably ;-)
  95  *      currently there is no optimization for
  96  *      - more than one deny_info line with the same url
  97  *      - a check, whether the given acl really is defined
  98  *      - a check, whether an acl is added more than once for the same url
  99  */
 100
 101 void
 102 aclParseDenyInfoLine(AclDenyInfoList ** head)
 103 {
 104     char *t = NULL;
 105     AclDenyInfoList *B;
 106     AclDenyInfoList **T;
 107
 108     /* first expect a page name */
 109
 110     if ((t = ConfigParser::NextToken()) == NULL) {
 111         debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
 112         debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: missing 'error page' parameter.");
 113         return;
 114     }
 115
 116     const auto A = new AclDenyInfoList(t, ConfigParser::CurrentLocation());
 117
 118     /* next expect a list of ACL names */
 119     while ((t = ConfigParser::NextToken())) {
 120         A->acl_list.emplace_back(t);
 121     }
 122
 123     if (A->acl_list.empty()) {
 124         debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
 125         debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: deny_info line contains no ACL's, skipping");
 126         delete A;
 127         return;
 128     }
 129
 130     for (B = *head, T = head; B; T = &B->next, B = B->next)
 131
 132         ;   /* find the tail */
 133     *T = A;
 134 }
 135
 136 void
 137 aclParseAccessLine(const char *directive, ConfigParser &, acl_access **treep)
 138 {
 139     /* first expect either 'allow' or 'deny' */
 140     const char *t = ConfigParser::NextToken();
 141
 142     if (!t) {
 143         debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
 144         debugs(28, DBG_CRITICAL, "aclParseAccessLine: missing 'allow' or 'deny'.");
 145         return;
 146     }
 147
 148     auto action = Acl::Answer(ACCESS_DUNNO);
 149     if (!strcmp(t, "allow"))
 150         action = Acl::Answer(ACCESS_ALLOWED);
 151     else if (!strcmp(t, "deny"))
 152         action = Acl::Answer(ACCESS_DENIED);
 153     else {
 154         debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
 155         debugs(28, DBG_CRITICAL, "aclParseAccessLine: expecting 'allow' or 'deny', got '" << t << "'.");
 156         return;
 157     }
 158
 159     const int ruleId = ((treep && *treep) ? (*treep)->childrenCount() : 0) + 1;
 160     MemBuf ctxBuf;
 161     ctxBuf.init();
 162     ctxBuf.appendf("%s#%d", directive, ruleId);
 163     ctxBuf.terminate();
 164
 165     Acl::AndNode *rule = new Acl::AndNode;
 166     rule->context(ctxBuf.content(), config_input_line);
 167     rule->lineParse();
 168     if (rule->empty()) {
 169         debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
 170         debugs(28, DBG_CRITICAL, "aclParseAccessLine: Access line contains no ACL's, skipping");
 171         delete rule;
 172         return;
 173     }
 174
 175     /* Append to the end of this list */
 176
 177     assert(treep);
 178     if (!*treep) {
 179         *treep = new Acl::Tree;
 180         (*treep)->context(directive, config_input_line);
 181     }
 182
 183     (*treep)->add(rule, action);
 184
 185     /* We lock _acl_access structures in ACLChecklist::matchNonBlocking() */
 186 }
 187
 188 // aclParseAclList does not expect or set actions (cf. aclParseAccessLine)
 189 size_t
 190 aclParseAclList(ConfigParser &, Acl::Tree **treep, const char *label)
 191 {
 192     // accommodate callers unable to convert their ACL list context to string
 193     if (!label)
 194         label = "...";
 195
 196     MemBuf ctxLine;
 197     ctxLine.init();
 198     ctxLine.appendf("(%s %s line)", cfg_directive, label);
 199     ctxLine.terminate();
 200
 201     Acl::AndNode *rule = new Acl::AndNode;
 202     rule->context(ctxLine.content(), config_input_line);
 203     const auto aclCount = rule->lineParse();
 204
 205     MemBuf ctxTree;
 206     ctxTree.init();
 207     ctxTree.appendf("%s %s", cfg_directive, label);
 208     ctxTree.terminate();
 209
 210     // We want a cbdata-protected Tree (despite giving it only one child node).
 211     Acl::Tree *tree = new Acl::Tree;
 212     tree->add(rule);
 213     tree->context(ctxTree.content(), config_input_line);
 214
 215     assert(treep);
 216     assert(!*treep);
 217     *treep = tree;
 218
 219     return aclCount;
 220 }
 221
 222 void
 223 aclRegister(ACL *acl)
 224 {
 225     if (!acl->registered) {
 226         if (!RegisteredAcls)
 227             RegisteredAcls = new AclSet;
 228         RegisteredAcls->insert(acl);
 229         acl->registered = true;
 230     }
 231 }
 232
 233 /// remove registered acl from the centralized deletion set
 234 static
 235 void
 236 aclDeregister(ACL *acl)
 237 {
 238     if (acl->registered) {
 239         if (RegisteredAcls)
 240             RegisteredAcls->erase(acl);
 241         acl->registered = false;
 242     }
 243 }
 244
 245 /*********************/
 246 /* Destroy functions */
 247 /*********************/
 248
 249 /// called to delete ALL Acls.
 250 void
 251 aclDestroyAcls(ACL ** head)
 252 {
 253     *head = NULL; // Config.aclList
 254     if (AclSet *acls = RegisteredAcls) {
 255         debugs(28, 8, "deleting all " << acls->size() << " ACLs");
 256         while (!acls->empty()) {
 257             ACL *acl = *acls->begin();
 258             // We use centralized deletion (this function) so ~ACL should not
 259             // delete other ACLs, but we still deregister first to prevent any
 260             // accesses to the being-deleted ACL via RegisteredAcls.
 261             assert(acl->registered); // make sure we are making progress
 262             aclDeregister(acl);
 263             delete acl;
 264         }
 265     }
 266 }
 267
 268 void
 269 aclDestroyAclList(ACLList **list)
 270 {
 271     debugs(28, 8, "aclDestroyAclList: invoked");
 272     assert(list);
 273     delete *list;
 274     *list = NULL;
 275 }
 276
 277 void
 278 aclDestroyAccessList(acl_access ** list)
 279 {
 280     assert(list);
 281     if (*list)
 282         debugs(28, 3, "destroying: " << *list << ' ' << (*list)->name);
 283     delete *list;
 284     *list = NULL;
 285 }
 286
 287 /* maex@space.net (06.09.1996)
 288  *    destroy an AclDenyInfoList */
 289
 290 void
 291 aclDestroyDenyInfoList(AclDenyInfoList ** list)
 292 {
 293     AclDenyInfoList *a = NULL;
 294     AclDenyInfoList *a_next = NULL;
 295
 296     debugs(28, 8, "aclDestroyDenyInfoList: invoked");
 297
 298     for (a = *list; a; a = a_next) {
 299         a_next = a->next;
 300         delete a;
 301     }
 302
 303     *list = NULL;
 304 }
 305