src/adaptation/AccessCheck.cc

   1 #include "squid.h"
   2 #include "structs.h"
   3
   4 #include "ConfigParser.h"
   5 #include "HttpRequest.h"
   6 #include "HttpReply.h"
   7 #include "acl/FilledChecklist.h"
   8 #include "adaptation/Service.h"
   9 #include "adaptation/ServiceGroups.h"
  10 #include "adaptation/AccessRule.h"
  11 #include "adaptation/Config.h"
  12 #include "adaptation/AccessCheck.h"
  13 #include "base/TextException.h"
  14
  15 /** \cond AUTODOCS-IGNORE */
  16 cbdata_type Adaptation::AccessCheck::CBDATA_AccessCheck = CBDATA_UNKNOWN;
  17 /** \endcond */
  18
  19 bool
  20 Adaptation::AccessCheck::Start(Method method, VectPoint vp,
  21                                HttpRequest *req, HttpReply *rep, AccessCheckCallback *cb, void *cbdata)
  22 {
  23
  24     if (Config::Enabled) {
  25         // the new check will call the callback and delete self, eventually
  26         AsyncJob::Start(new AccessCheck( // we do not store so not a CbcPointer
  27                             ServiceFilter(method, vp, req, rep), cb, cbdata));
  28         return true;
  29     }
  30
  31     debugs(83, 3, HERE << "adaptation off, skipping");
  32     return false;
  33 }
  34
  35 Adaptation::AccessCheck::AccessCheck(const ServiceFilter &aFilter,
  36                                      AccessCheckCallback *aCallback,
  37                                      void *aCallbackData):
  38         AsyncJob("AccessCheck"), filter(aFilter),
  39         callback(aCallback),
  40         callback_data(cbdataReference(aCallbackData)),
  41         acl_checklist(NULL)
  42 {
  43 #if ICAP_CLIENT
  44     Adaptation::Icap::History::Pointer h = filter.request->icapHistory();
  45     if (h != NULL)
  46         h->start("ACL");
  47 #endif
  48
  49     debugs(93, 5, HERE << "AccessCheck constructed for " <<
  50            methodStr(filter.method) << " " << vectPointStr(filter.point));
  51 }
  52
  53 Adaptation::AccessCheck::~AccessCheck()
  54 {
  55 #if ICAP_CLIENT
  56     Adaptation::Icap::History::Pointer h = filter.request->icapHistory();
  57     if (h != NULL)
  58         h->stop("ACL");
  59 #endif
  60     if (callback_data)
  61         cbdataReferenceDone(callback_data);
  62 }
  63
  64 void
  65 Adaptation::AccessCheck::start()
  66 {
  67     AsyncJob::start();
  68     check();
  69 }
  70
  71 /// Walk the access rules list to find rules with applicable service groups
  72 void
  73 Adaptation::AccessCheck::check()
  74 {
  75     debugs(93, 4, HERE << "start checking");
  76
  77     typedef AccessRules::iterator ARI;
  78     for (ARI i = AllRules().begin(); i != AllRules().end(); ++i) {
  79         AccessRule *r = *i;
  80         if (isCandidate(*r)) {
  81             debugs(93, 5, HERE << "check: rule '" << r->id << "' is a candidate");
  82             candidates += r->id;
  83         }
  84     }
  85
  86     checkCandidates();
  87 }
  88
  89 // XXX: Here and everywhere we call FindRule(topCandidate()):
  90 // Once we identified the candidate, we should not just ignore it
  91 // if reconfigure changes rules. We should either lock the rule to
  92 // prevent reconfigure from stealing it or restart the check with
  93 // new rules. Throwing an exception may also be appropriate.
  94 void
  95 Adaptation::AccessCheck::checkCandidates()
  96 {
  97     debugs(93, 4, HERE << "has " << candidates.size() << " rules");
  98
  99     while (!candidates.empty()) {
 100         if (AccessRule *r = FindRule(topCandidate())) {
 101             /* BUG 2526: what to do when r->acl is empty?? */
 102             // XXX: we do not have access to conn->rfc931 here.
 103             acl_checklist = new ACLFilledChecklist(r->acl, filter.request, dash_str);
 104             acl_checklist->reply = filter.reply ? HTTPMSGLOCK(filter.reply) : NULL;
 105             acl_checklist->nonBlockingCheck(AccessCheckCallbackWrapper, this);
 106             return;
 107         }
 108
 109         candidates.shift(); // the rule apparently went away (reconfigure)
 110     }
 111
 112     debugs(93, 4, HERE << "NO candidates left");
 113     callBack(NULL);
 114     Must(done());
 115 }
 116
 117 void
 118 Adaptation::AccessCheck::AccessCheckCallbackWrapper(int answer, void *data)
 119 {
 120     debugs(93, 8, HERE << "callback answer=" << answer);
 121     AccessCheck *ac = (AccessCheck*)data;
 122
 123     /** \todo AYJ 2008-06-12: If answer == ACCESS_REQ_PROXY_AUTH
 124      * we should be kicking off an authentication before continuing
 125      * with this request. see bug 2400 for details.
 126      */
 127
 128     // convert to async call to get async call protections and features
 129     typedef UnaryMemFunT<AccessCheck, int> MyDialer;
 130     AsyncCall::Pointer call =
 131         asyncCall(93,7, "Adaptation::AccessCheck::noteAnswer",
 132                   MyDialer(ac, &Adaptation::AccessCheck::noteAnswer,
 133                            answer==ACCESS_ALLOWED));
 134     ScheduleCallHere(call);
 135
 136 }
 137
 138 /// process the results of the ACL check
 139 void
 140 Adaptation::AccessCheck::noteAnswer(int answer)
 141 {
 142     Must(!candidates.empty()); // the candidate we were checking must be there
 143     debugs(93,5, HERE << topCandidate() << " answer=" << answer);
 144
 145     if (answer) { // the rule matched
 146         ServiceGroupPointer g = topGroup();
 147         if (g != NULL) { // the corresponding group found
 148             callBack(g);
 149             Must(done());
 150             return;
 151         }
 152     }
 153
 154     // no match or the group disappeared during reconfiguration
 155     candidates.shift();
 156     checkCandidates();
 157 }
 158
 159 /// call back with a possibly nil group; the job ends here because all failures
 160 /// at this point are fatal to the access check process
 161 void
 162 Adaptation::AccessCheck::callBack(const ServiceGroupPointer &g)
 163 {
 164     debugs(93,3, HERE << g);
 165
 166     void *validated_cbdata;
 167     if (cbdataReferenceValidDone(callback_data, &validated_cbdata)) {
 168         callback(g, validated_cbdata);
 169     }
 170     mustStop("done"); // called back or will never be able to call back
 171 }
 172
 173 Adaptation::ServiceGroupPointer
 174 Adaptation::AccessCheck::topGroup() const
 175 {
 176     ServiceGroupPointer g;
 177     if (candidates.size()) {
 178         if (AccessRule *r = FindRule(topCandidate())) {
 179             g = FindGroup(r->groupId);
 180             debugs(93,5, HERE << "top group for " << r->id << " is " << g);
 181         } else {
 182             debugs(93,5, HERE << "no rule for " << topCandidate());
 183         }
 184     } else {
 185         debugs(93,5, HERE << "no candidates"); // should not happen
 186     }
 187
 188     return g;
 189 }
 190
 191 /** Returns true iff the rule's service group will be used after ACL matches.
 192     Used to detect rules worth ACl-checking. */
 193 bool
 194 Adaptation::AccessCheck::isCandidate(AccessRule &r)
 195 {
 196     debugs(93,7,HERE << "checking candidacy of " << r.id << ", group " <<
 197            r.groupId);
 198
 199     ServiceGroupPointer g = FindGroup(r.groupId);
 200
 201     if (!g) {
 202         debugs(93,7,HERE << "lost " << r.groupId << " group in rule" << r.id);
 203         return false;
 204     }
 205
 206     const bool wants = g->wants(filter);
 207     debugs(93,7,HERE << r.groupId << (wants ? " wants" : " ignores"));
 208     return wants;
 209 }