src/adaptation/AccessCheck.cc

   1 #include "squid.h"
   2 #include "acl/FilledChecklist.h"
   3 #include "adaptation/AccessCheck.h"
   4 #include "adaptation/AccessRule.h"
   5 #include "adaptation/Config.h"
   6 #include "adaptation/Initiator.h"
   7 #include "adaptation/Service.h"
   8 #include "adaptation/ServiceGroups.h"
   9 #include "base/AsyncJobCalls.h"
  10 #include "base/TextException.h"
  11 #include "ConfigParser.h"
  12 #include "globals.h"
  13 #include "HttpReply.h"
  14 #include "HttpRequest.h"
  15
  16 /** \cond AUTODOCS-IGNORE */
  17 cbdata_type Adaptation::AccessCheck::CBDATA_AccessCheck = CBDATA_UNKNOWN;
  18 /** \endcond */
  19
  20 bool
  21 Adaptation::AccessCheck::Start(Method method, VectPoint vp,
  22                                HttpRequest *req, HttpReply *rep, Adaptation::Initiator *initiator)
  23 {
  24
  25     if (Config::Enabled) {
  26         // the new check will call the callback and delete self, eventually
  27         AsyncJob::Start(new AccessCheck( // we do not store so not a CbcPointer
  28                             ServiceFilter(method, vp, req, rep), initiator));
  29         return true;
  30     }
  31
  32     debugs(83, 3, HERE << "adaptation off, skipping");
  33     return false;
  34 }
  35
  36 Adaptation::AccessCheck::AccessCheck(const ServiceFilter &aFilter,
  37                                      Adaptation::Initiator *initiator):
  38         AsyncJob("AccessCheck"), filter(aFilter),
  39         theInitiator(initiator),
  40         acl_checklist(NULL)
  41 {
  42 #if ICAP_CLIENT
  43     Adaptation::Icap::History::Pointer h = filter.request->icapHistory();
  44     if (h != NULL)
  45         h->start("ACL");
  46 #endif
  47
  48     debugs(93, 5, HERE << "AccessCheck constructed for " <<
  49            methodStr(filter.method) << " " << vectPointStr(filter.point));
  50 }
  51
  52 Adaptation::AccessCheck::~AccessCheck()
  53 {
  54 #if ICAP_CLIENT
  55     Adaptation::Icap::History::Pointer h = filter.request->icapHistory();
  56     if (h != NULL)
  57         h->stop("ACL");
  58 #endif
  59 }
  60
  61 void
  62 Adaptation::AccessCheck::start()
  63 {
  64     AsyncJob::start();
  65
  66     if (!usedDynamicRules())
  67         check();
  68 }
  69
  70 /// returns true if previous services configured dynamic chaining "rules"
  71 bool
  72 Adaptation::AccessCheck::usedDynamicRules()
  73 {
  74     Adaptation::History::Pointer ah = filter.request->adaptHistory();
  75     if (!ah)
  76         return false; // dynamic rules not enabled or not triggered
  77
  78     DynamicGroupCfg services;
  79     if (!ah->extractFutureServices(services)) { // clears history
  80         debugs(85,9, HERE << "no service-proposed rules stored");
  81         return false; // earlier service did not plan for the future
  82     }
  83
  84     debugs(85,3, HERE << "using stored service-proposed rules: " << services);
  85
  86     ServiceGroupPointer g = new DynamicServiceChain(services, filter);
  87     callBack(g);
  88     Must(done());
  89     return true;
  90 }
  91
  92 /// Walk the access rules list to find rules with applicable service groups
  93 void
  94 Adaptation::AccessCheck::check()
  95 {
  96     debugs(93, 4, HERE << "start checking");
  97
  98     typedef AccessRules::iterator ARI;
  99     for (ARI i = AllRules().begin(); i != AllRules().end(); ++i) {
 100         AccessRule *r = *i;
 101         if (isCandidate(*r)) {
 102             debugs(93, 5, HERE << "check: rule '" << r->id << "' is a candidate");
 103             candidates += r->id;
 104         }
 105     }
 106
 107     checkCandidates();
 108 }
 109
 110 // XXX: Here and everywhere we call FindRule(topCandidate()):
 111 // Once we identified the candidate, we should not just ignore it
 112 // if reconfigure changes rules. We should either lock the rule to
 113 // prevent reconfigure from stealing it or restart the check with
 114 // new rules. Throwing an exception may also be appropriate.
 115 void
 116 Adaptation::AccessCheck::checkCandidates()
 117 {
 118     debugs(93, 4, HERE << "has " << candidates.size() << " rules");
 119
 120     while (!candidates.empty()) {
 121         if (AccessRule *r = FindRule(topCandidate())) {
 122             /* BUG 2526: what to do when r->acl is empty?? */
 123             // XXX: we do not have access to conn->rfc931 here.
 124             acl_checklist = new ACLFilledChecklist(r->acl, filter.request, dash_str);
 125             acl_checklist->reply = filter.reply;
 126             HTTPMSGLOCK(acl_checklist->reply);
 127             acl_checklist->nonBlockingCheck(AccessCheckCallbackWrapper, this);
 128             return;
 129         }
 130
 131         candidates.shift(); // the rule apparently went away (reconfigure)
 132     }
 133
 134     debugs(93, 4, HERE << "NO candidates left");
 135     callBack(NULL);
 136     Must(done());
 137 }
 138
 139 void
 140 Adaptation::AccessCheck::AccessCheckCallbackWrapper(allow_t answer, void *data)
 141 {
 142     debugs(93, 8, HERE << "callback answer=" << answer);
 143     AccessCheck *ac = (AccessCheck*)data;
 144
 145     /** \todo AYJ 2008-06-12: If answer == ACCESS_AUTH_REQUIRED
 146      * we should be kicking off an authentication before continuing
 147      * with this request. see bug 2400 for details.
 148      */
 149
 150     // convert to async call to get async call protections and features
 151     typedef UnaryMemFunT<AccessCheck, allow_t> MyDialer;
 152     AsyncCall::Pointer call =
 153         asyncCall(93,7, "Adaptation::AccessCheck::noteAnswer",
 154                   MyDialer(ac, &Adaptation::AccessCheck::noteAnswer, answer));
 155     ScheduleCallHere(call);
 156
 157 }
 158
 159 /// process the results of the ACL check
 160 void
 161 Adaptation::AccessCheck::noteAnswer(allow_t answer)
 162 {
 163     Must(!candidates.empty()); // the candidate we were checking must be there
 164     debugs(93,5, HERE << topCandidate() << " answer=" << answer);
 165
 166     if (answer == ACCESS_ALLOWED) { // the rule matched
 167         ServiceGroupPointer g = topGroup();
 168         if (g != NULL) { // the corresponding group found
 169             callBack(g);
 170             Must(done());
 171             return;
 172         }
 173     }
 174
 175     // no match or the group disappeared during reconfiguration
 176     candidates.shift();
 177     checkCandidates();
 178 }
 179
 180 /// call back with a possibly nil group; the job ends here because all failures
 181 /// at this point are fatal to the access check process
 182 void
 183 Adaptation::AccessCheck::callBack(const ServiceGroupPointer &g)
 184 {
 185     debugs(93,3, HERE << g);
 186     CallJobHere1(93, 5, theInitiator, Adaptation::Initiator,
 187                  noteAdaptationAclCheckDone, g);
 188     mustStop("done"); // called back or will never be able to call back
 189 }
 190
 191 Adaptation::ServiceGroupPointer
 192 Adaptation::AccessCheck::topGroup() const
 193 {
 194     ServiceGroupPointer g;
 195     if (candidates.size()) {
 196         if (AccessRule *r = FindRule(topCandidate())) {
 197             g = FindGroup(r->groupId);
 198             debugs(93,5, HERE << "top group for " << r->id << " is " << g);
 199         } else {
 200             debugs(93,5, HERE << "no rule for " << topCandidate());
 201         }
 202     } else {
 203         debugs(93,5, HERE << "no candidates"); // should not happen
 204     }
 205
 206     return g;
 207 }
 208
 209 /** Returns true iff the rule's service group will be used after ACL matches.
 210     Used to detect rules worth ACl-checking. */
 211 bool
 212 Adaptation::AccessCheck::isCandidate(AccessRule &r)
 213 {
 214     debugs(93,7,HERE << "checking candidacy of " << r.id << ", group " <<
 215            r.groupId);
 216
 217     ServiceGroupPointer g = FindGroup(r.groupId);
 218
 219     if (!g) {
 220         debugs(93,7,HERE << "lost " << r.groupId << " group in rule" << r.id);
 221         return false;
 222     }
 223
 224     const bool wants = g->wants(filter);
 225     debugs(93,7,HERE << r.groupId << (wants ? " wants" : " ignores"));
 226     return wants;
 227 }