]> git.ipfire.org Git - thirdparty/squid.git/blob - src/external_acl.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge from trunk rev.14346
[thirdparty/squid.git] / src / external_acl.cc
1 /*
2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 82 External ACL */
10
11 #include "squid.h"
12 #include "acl/Acl.h"
13 #include "acl/FilledChecklist.h"
14 #include "cache_cf.h"
15 #include "client_side.h"
16 #include "client_side_request.h"
17 #include "comm/Connection.h"
18 #include "ConfigParser.h"
19 #include "ExternalACL.h"
20 #include "ExternalACLEntry.h"
21 #include "fde.h"
22 #include "format/Token.h"
23 #include "helper.h"
24 #include "helper/Reply.h"
25 #include "HttpHeaderTools.h"
26 #include "HttpReply.h"
27 #include "HttpRequest.h"
28 #include "ip/tools.h"
29 #include "MemBuf.h"
30 #include "mgr/Registration.h"
31 #include "rfc1738.h"
32 #include "SquidConfig.h"
33 #include "SquidString.h"
34 #include "SquidTime.h"
35 #include "Store.h"
36 #include "tools.h"
37 #include "URL.h"
38 #include "wordlist.h"
39 #if USE_OPENSSL
40 #include "ssl/ServerBump.h"
41 #include "ssl/support.h"
42 #endif
43 #if USE_AUTH
44 #include "auth/Acl.h"
45 #include "auth/Gadgets.h"
46 #include "auth/UserRequest.h"
47 #endif
48 #if USE_IDENT
49 #include "ident/AclIdent.h"
50 #endif
51
52 #ifndef DEFAULT_EXTERNAL_ACL_TTL
53 #define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60
54 #endif
55 #ifndef DEFAULT_EXTERNAL_ACL_CHILDREN
56 #define DEFAULT_EXTERNAL_ACL_CHILDREN 5
57 #endif
58
59 static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data);
60 static void external_acl_cache_delete(external_acl * def, const ExternalACLEntryPointer &entry);
61 static int external_acl_entry_expired(external_acl * def, const ExternalACLEntryPointer &entry);
62 static int external_acl_grace_expired(external_acl * def, const ExternalACLEntryPointer &entry);
63 static void external_acl_cache_touch(external_acl * def, const ExternalACLEntryPointer &entry);
64 static ExternalACLEntryPointer external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data);
65
66 /******************************************************************
67 * external_acl directive
68 */
69
70 class external_acl
71 {
72 /* FIXME: These are not really cbdata, but it is an easy way
73 * to get them pooled, refcounted, accounted and freed properly...
74 */
75 CBDATA_CLASS(external_acl);
76
77 public:
78 external_acl();
79 ~external_acl();
80
81 external_acl *next;
82
83 void add(const ExternalACLEntryPointer &);
84
85 void trimCache();
86
87 int ttl;
88
89 int negative_ttl;
90
91 int grace;
92
93 char *name;
94
95 Format::Format format;
96
97 wordlist *cmdline;
98
99 Helper::ChildConfig children;
100
101 helper *theHelper;
102
103 hash_table *cache;
104
105 dlink_list lru_list;
106
107 int cache_size;
108
109 int cache_entries;
110
111 dlink_list queue;
112
113 #if USE_AUTH
114 /**
115 * Configuration flag. May only be altered by the configuration parser.
116 *
117 * Indicates that all uses of this external_acl_type helper require authentication
118 * details to be processed. If none are available its a fail match.
119 */
120 bool require_auth;
121 #endif
122
123 Format::Quoting quote; // default quoting to use, set by protocol= parameter
124
125 Ip::Address local_addr;
126 };
127
128 CBDATA_CLASS_INIT(external_acl);
129
130 external_acl::external_acl() :
131 next(NULL),
132 ttl(DEFAULT_EXTERNAL_ACL_TTL),
133 negative_ttl(-1),
134 grace(1),
135 name(NULL),
136 format("external_acl_type"),
137 cmdline(NULL),
138 children(DEFAULT_EXTERNAL_ACL_CHILDREN),
139 theHelper(NULL),
140 cache(NULL),
141 cache_size(256*1024),
142 cache_entries(0),
143 #if USE_AUTH
144 require_auth(0),
145 #endif
146 quote(Format::LOG_QUOTE_URL)
147 {
148 local_addr.setLocalhost();
149 }
150
151 external_acl::~external_acl()
152 {
153 xfree(name);
154 wordlistDestroy(&cmdline);
155
156 if (theHelper) {
157 helperShutdown(theHelper);
158 delete theHelper;
159 theHelper = NULL;
160 }
161
162 while (lru_list.tail) {
163 ExternalACLEntryPointer e(static_cast<ExternalACLEntry *>(lru_list.tail->data));
164 external_acl_cache_delete(this, e);
165 }
166 if (cache)
167 hashFreeMemory(cache);
168
169 while (next) {
170 external_acl *node = next;
171 next = node->next;
172 node->next = NULL; // prevent recursion
173 delete node;
174 }
175 }
176
177 void
178 parse_externalAclHelper(external_acl ** list)
179 {
180 external_acl *a = new external_acl;
181 char *token = ConfigParser::NextToken();
182
183 if (!token)
184 self_destruct();
185
186 a->name = xstrdup(token);
187
188 // Allow supported %macros inside quoted tokens
189 ConfigParser::EnableMacros();
190 token = ConfigParser::NextToken();
191
192 /* Parse options */
193 while (token) {
194 if (strncmp(token, "ttl=", 4) == 0) {
195 a->ttl = atoi(token + 4);
196 } else if (strncmp(token, "negative_ttl=", 13) == 0) {
197 a->negative_ttl = atoi(token + 13);
198 } else if (strncmp(token, "children=", 9) == 0) {
199 a->children.n_max = atoi(token + 9);
200 debugs(0, DBG_CRITICAL, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N");
201 } else if (strncmp(token, "children-max=", 13) == 0) {
202 a->children.n_max = atoi(token + 13);
203 } else if (strncmp(token, "children-startup=", 17) == 0) {
204 a->children.n_startup = atoi(token + 17);
205 } else if (strncmp(token, "children-idle=", 14) == 0) {
206 a->children.n_idle = atoi(token + 14);
207 } else if (strncmp(token, "concurrency=", 12) == 0) {
208 a->children.concurrency = atoi(token + 12);
209 } else if (strncmp(token, "queue-size=", 11) == 0) {
210 a->children.queue_size = atoi(token + 11);
211 a->children.defaultQueueSize = false;
212 } else if (strncmp(token, "cache=", 6) == 0) {
213 a->cache_size = atoi(token + 6);
214 } else if (strncmp(token, "grace=", 6) == 0) {
215 a->grace = atoi(token + 6);
216 } else if (strcmp(token, "protocol=2.5") == 0) {
217 a->quote = Format::LOG_QUOTE_SHELL;
218 } else if (strcmp(token, "protocol=3.0") == 0) {
219 debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option protocol=3.0 is deprecated. Remove this from your config.");
220 a->quote = Format::LOG_QUOTE_URL;
221 } else if (strcmp(token, "quote=url") == 0) {
222 debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option quote=url is deprecated. Remove this from your config.");
223 a->quote = Format::LOG_QUOTE_URL;
224 } else if (strcmp(token, "quote=shell") == 0) {
225 debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option quote=shell is deprecated. Use protocol=2.5 if still needed.");
226 a->quote = Format::LOG_QUOTE_SHELL;
227
228 /* INET6: allow admin to configure some helpers explicitly to
229 bind to IPv4/v6 localhost port. */
230 } else if (strcmp(token, "ipv4") == 0) {
231 if ( !a->local_addr.setIPv4() ) {
232 debugs(3, DBG_CRITICAL, "WARNING: Error converting " << a->local_addr << " to IPv4 in " << a->name );
233 }
234 } else if (strcmp(token, "ipv6") == 0) {
235 if (!Ip::EnableIpv6)
236 debugs(3, DBG_CRITICAL, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a->name );
237 // else nothing to do.
238 } else {
239 break;
240 }
241
242 token = ConfigParser::NextToken();
243 }
244 ConfigParser::DisableMacros();
245
246 /* check that child startup value is sane. */
247 if (a->children.n_startup > a->children.n_max)
248 a->children.n_startup = a->children.n_max;
249
250 /* check that child idle value is sane. */
251 if (a->children.n_idle > a->children.n_max)
252 a->children.n_idle = a->children.n_max;
253 if (a->children.n_idle < 1)
254 a->children.n_idle = 1;
255
256 if (a->negative_ttl == -1)
257 a->negative_ttl = a->ttl;
258
259 if (a->children.defaultQueueSize)
260 a->children.queue_size = 2 * a->children.n_max;
261
262 /* Legacy external_acl_type format parser.
263 * Handles a series of %... tokens where any non-% means
264 * the start of another parameter field (ie the path to binary).
265 */
266 enum Format::Quoting quote = Format::LOG_QUOTE_NONE;
267 Format::Token **fmt = &a->format.format;
268 bool data_used = false;
269 while (token) {
270 /* stop on first non-% token found */
271 if (*token != '%')
272 break;
273
274 *fmt = new Format::Token;
275 // these tokens are whitespace delimited
276 (*fmt)->space = true;
277
278 // set the default encoding to match the protocol= config
279 // this will be overridden by explicit %macro attributes
280 (*fmt)->quote = a->quote;
281
282 // compatibility for old tokens incompatible with Format::Token syntax
283 #if USE_OPENSSL // dont bother if we dont have to.
284 if (strncmp(token, "%USER_CERT_", 11) == 0) {
285 (*fmt)->type = Format::LFT_EXT_ACL_USER_CERT;
286 (*fmt)->data.string = xstrdup(token + 11);
287 (*fmt)->data.header.header = (*fmt)->data.string;
288 } else if (strncmp(token, "%USER_CA_CERT_", 14) == 0) {
289 (*fmt)->type = Format::LFT_EXT_ACL_USER_CA_CERT;
290 (*fmt)->data.string = xstrdup(token + 14);
291 (*fmt)->data.header.header = (*fmt)->data.string;
292 } else if (strncmp(token, "%CA_CERT_", 9) == 0) {
293 debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type %CA_CERT_* code is obsolete. Use %USER_CA_CERT_* instead");
294 (*fmt)->type = Format::LFT_EXT_ACL_USER_CA_CERT;
295 (*fmt)->data.string = xstrdup(token + 9);
296 (*fmt)->data.header.header = (*fmt)->data.string;
297 } else
298 #endif
299 {
300 // we can use the Format::Token::parse() method since it
301 // only pulls off one token. Since we already checked
302 // for '%' prefix above this is guaranteed to be a token.
303 const size_t len = (*fmt)->parse(token, &quote);
304 assert(len == strlen(token));
305 }
306
307 // process special token-specific actions (only if necessary)
308 #if USE_AUTH
309 if ((*fmt)->type == Format::LFT_USER_LOGIN)
310 a->require_auth = true;
311 #endif
312
313 if ((*fmt)->type == Format::LFT_EXT_ACL_DATA)
314 data_used = true;
315
316 fmt = &((*fmt)->next);
317 token = ConfigParser::NextToken();
318 }
319
320 /* There must be at least one format token */
321 if (!a->format.format)
322 self_destruct();
323
324 // format has implicit %DATA on the end if not used explicitly
325 if (!data_used) {
326 *fmt = new Format::Token;
327 (*fmt)->type = Format::LFT_EXT_ACL_DATA;
328 (*fmt)->quote = Format::LOG_QUOTE_URL;
329 }
330
331 /* helper */
332 if (!token)
333 self_destruct();
334
335 wordlistAdd(&a->cmdline, token);
336
337 /* arguments */
338 parse_wordlist(&a->cmdline);
339
340 while (*list)
341 list = &(*list)->next;
342
343 *list = a;
344 }
345
346 void
347 dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl * list)
348 {
349 const external_acl *node;
350 const wordlist *word;
351
352 for (node = list; node; node = node->next) {
353 storeAppendPrintf(sentry, "%s %s", name, node->name);
354
355 if (!node->local_addr.isIPv6())
356 storeAppendPrintf(sentry, " ipv4");
357 else
358 storeAppendPrintf(sentry, " ipv6");
359
360 if (node->ttl != DEFAULT_EXTERNAL_ACL_TTL)
361 storeAppendPrintf(sentry, " ttl=%d", node->ttl);
362
363 if (node->negative_ttl != node->ttl)
364 storeAppendPrintf(sentry, " negative_ttl=%d", node->negative_ttl);
365
366 if (node->grace)
367 storeAppendPrintf(sentry, " grace=%d", node->grace);
368
369 if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN)
370 storeAppendPrintf(sentry, " children-max=%d", node->children.n_max);
371
372 if (node->children.n_startup != 1)
373 storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup);
374
375 if (node->children.n_idle != (node->children.n_max + node->children.n_startup) )
376 storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle);
377
378 if (node->children.concurrency)
379 storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency);
380
381 if (node->cache)
382 storeAppendPrintf(sentry, " cache=%d", node->cache_size);
383
384 if (node->quote == Format::LOG_QUOTE_SHELL)
385 storeAppendPrintf(sentry, " protocol=2.5");
386
387 node->format.dump(sentry, NULL, false);
388
389 for (word = node->cmdline; word; word = word->next)
390 storeAppendPrintf(sentry, " %s", word->key);
391
392 storeAppendPrintf(sentry, "\n");
393 }
394 }
395
396 void
397 free_externalAclHelper(external_acl ** list)
398 {
399 delete *list;
400 *list = NULL;
401 }
402
403 static external_acl *
404 find_externalAclHelper(const char *name)
405 {
406 external_acl *node;
407
408 for (node = Config.externalAclHelperList; node; node = node->next) {
409 if (strcmp(node->name, name) == 0)
410 return node;
411 }
412
413 return NULL;
414 }
415
416 void
417 external_acl::add(const ExternalACLEntryPointer &anEntry)
418 {
419 trimCache();
420 assert(anEntry != NULL);
421 assert (anEntry->def == NULL);
422 anEntry->def = this;
423 ExternalACLEntry *e = const_cast<ExternalACLEntry *>(anEntry.getRaw()); // XXX: make hash a std::map of Pointer.
424 hash_join(cache, e);
425 dlinkAdd(e, &e->lru, &lru_list);
426 e->lock(); //cbdataReference(e); // lock it on behalf of the hash
427 ++cache_entries;
428 }
429
430 void
431 external_acl::trimCache()
432 {
433 if (cache_size && cache_entries >= cache_size) {
434 ExternalACLEntryPointer e(static_cast<ExternalACLEntry *>(lru_list.tail->data));
435 external_acl_cache_delete(this, e);
436 }
437 }
438
439 /******************************************************************
440 * external acl type
441 */
442
443 class external_acl_data
444 {
445 CBDATA_CLASS(external_acl_data);
446
447 public:
448 explicit external_acl_data(external_acl *aDef) : def(cbdataReference(aDef)), name(NULL), arguments(NULL) {}
449 ~external_acl_data();
450
451 external_acl *def;
452 const char *name;
453 wordlist *arguments;
454 };
455
456 CBDATA_CLASS_INIT(external_acl_data);
457
458 external_acl_data::~external_acl_data()
459 {
460 xfree(name);
461 wordlistDestroy(&arguments);
462 cbdataReferenceDone(def);
463 }
464
465 void
466 ACLExternal::parse()
467 {
468 if (data)
469 self_destruct();
470
471 char *token = ConfigParser::strtokFile();
472
473 if (!token)
474 self_destruct();
475
476 data = new external_acl_data(find_externalAclHelper(token));
477
478 if (!data->def)
479 self_destruct();
480
481 // def->name is the name of the external_acl_type.
482 // this is the name of the 'acl' directive being tested
483 data->name = xstrdup(AclMatchedName);
484
485 while ((token = ConfigParser::strtokFile())) {
486 wordlistAdd(&data->arguments, token);
487 }
488 }
489
490 bool
491 ACLExternal::valid () const
492 {
493 #if USE_AUTH
494 if (data->def->require_auth) {
495 if (authenticateSchemeCount() == 0) {
496 debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes were compiled.");
497 return false;
498 }
499
500 if (authenticateActiveSchemeCount() == 0) {
501 debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes are fully configured.");
502 return false;
503 }
504 }
505 #endif
506
507 return true;
508 }
509
510 bool
511 ACLExternal::empty () const
512 {
513 return false;
514 }
515
516 ACLExternal::~ACLExternal()
517 {
518 delete data;
519 xfree(class_);
520 }
521
522 static void
523 copyResultsFromEntry(HttpRequest *req, const ExternalACLEntryPointer &entry)
524 {
525 if (req) {
526 #if USE_AUTH
527 if (entry->user.size())
528 req->extacl_user = entry->user;
529
530 if (entry->password.size())
531 req->extacl_passwd = entry->password;
532 #endif
533 if (!req->tag.size())
534 req->tag = entry->tag;
535
536 if (entry->log.size())
537 req->extacl_log = entry->log;
538
539 if (entry->message.size())
540 req->extacl_message = entry->message;
541
542 // attach the helper kv-pair to the transaction
543 UpdateRequestNotes(req->clientConnectionManager.get(), *req, entry->notes);
544 }
545 }
546
547 static allow_t
548 aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch)
549 {
550 debugs(82, 9, HERE << "acl=\"" << acl->def->name << "\"");
551 ExternalACLEntryPointer entry = ch->extacl_entry;
552
553 external_acl_message = "MISSING REQUIRED INFORMATION";
554
555 if (entry != NULL) {
556 if (entry->def == acl->def) {
557 /* Ours, use it.. if the key matches */
558 const char *key = makeExternalAclKey(ch, acl);
559 if (!key)
560 return ACCESS_DUNNO; // insufficent data to continue
561 if (strcmp(key, (char*)entry->key) != 0) {
562 debugs(82, 9, "entry key='" << (char *)entry->key << "', our key='" << key << "' dont match. Discarded.");
563 // too bad. need a new lookup.
564 entry = ch->extacl_entry = NULL;
565 }
566 } else {
567 /* Not ours.. get rid of it */
568 debugs(82, 9, "entry " << entry << " not valid or not ours. Discarded.");
569 if (entry != NULL) {
570 debugs(82, 9, "entry def=" << entry->def << ", our def=" << acl->def);
571 const char *key = makeExternalAclKey(ch, acl); // may be nil
572 debugs(82, 9, "entry key='" << (char *)entry->key << "', our key='" << key << "'");
573 }
574 entry = ch->extacl_entry = NULL;
575 }
576 }
577
578 if (!entry) {
579 debugs(82, 9, HERE << "No helper entry available");
580 #if USE_AUTH
581 if (acl->def->require_auth) {
582 /* Make sure the user is authenticated */
583 debugs(82, 3, HERE << acl->def->name << " check user authenticated.");
584 const allow_t ti = AuthenticateAcl(ch);
585 if (ti != ACCESS_ALLOWED) {
586 debugs(82, 2, HERE << acl->def->name << " user not authenticated (" << ti << ")");
587 return ti;
588 }
589 debugs(82, 3, HERE << acl->def->name << " user is authenticated.");
590 }
591 #endif
592 const char *key = makeExternalAclKey(ch, acl);
593
594 if (!key) {
595 /* Not sufficient data to process */
596 return ACCESS_DUNNO;
597 }
598
599 entry = static_cast<ExternalACLEntry *>(hash_lookup(acl->def->cache, key));
600
601 const ExternalACLEntryPointer staleEntry = entry;
602 if (entry != NULL && external_acl_entry_expired(acl->def, entry))
603 entry = NULL;
604
605 if (entry != NULL && external_acl_grace_expired(acl->def, entry)) {
606 // refresh in the background
607 ExternalACLLookup::Start(ch, acl, true);
608 debugs(82, 4, HERE << "no need to wait for the refresh of '" <<
609 key << "' in '" << acl->def->name << "' (ch=" << ch << ").");
610 }
611
612 if (!entry) {
613 debugs(82, 2, HERE << acl->def->name << "(\"" << key << "\") = lookup needed");
614
615 if (!acl->def->theHelper->queueFull()) {
616 debugs(82, 2, HERE << "\"" << key << "\": queueing a call.");
617 if (!ch->goAsync(ExternalACLLookup::Instance()))
618 debugs(82, 2, "\"" << key << "\": no async support!");
619 debugs(82, 2, HERE << "\"" << key << "\": return -1.");
620 return ACCESS_DUNNO; // expired cached or simply absent entry
621 } else {
622 if (!staleEntry) {
623 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
624 "' queue overload. Request rejected '" << key << "'.");
625 external_acl_message = "SYSTEM TOO BUSY, TRY AGAIN LATER";
626 return ACCESS_DUNNO;
627 } else {
628 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
629 "' queue overload. Using stale result. '" << key << "'.");
630 entry = staleEntry;
631 /* Fall thru to processing below */
632 }
633 }
634 }
635 }
636
637 debugs(82, 4, HERE << "entry = { date=" <<
638 (long unsigned int) entry->date <<
639 ", result=" << entry->result <<
640 " tag=" << entry->tag <<
641 " log=" << entry->log << " }");
642 #if USE_AUTH
643 debugs(82, 4, HERE << "entry user=" << entry->user);
644 #endif
645
646 external_acl_cache_touch(acl->def, entry);
647 external_acl_message = entry->message.termedBuf();
648
649 debugs(82, 2, HERE << acl->def->name << " = " << entry->result);
650 copyResultsFromEntry(ch->request, entry);
651 return entry->result;
652 }
653
654 int
655 ACLExternal::match(ACLChecklist *checklist)
656 {
657 allow_t answer = aclMatchExternal(data, Filled(checklist));
658
659 // convert to tri-state ACL match 1,0,-1
660 switch (answer) {
661 case ACCESS_ALLOWED:
662 return 1; // match
663
664 case ACCESS_DENIED:
665 return 0; // non-match
666
667 case ACCESS_DUNNO:
668 case ACCESS_AUTH_REQUIRED:
669 default:
670 // If the answer is not allowed or denied (matches/not matches) and
671 // async authentication is not in progress, then we are done.
672 if (checklist->keepMatching())
673 checklist->markFinished(answer, "aclMatchExternal exception");
674 return -1; // other
675 }
676 }
677
678 SBufList
679 ACLExternal::dump() const
680 {
681 external_acl_data const *acl = data;
682 SBufList rv;
683 rv.push_back(SBuf(acl->def->name));
684
685 for (wordlist *arg = acl->arguments; arg; arg = arg->next) {
686 SBuf s;
687 s.Printf(" %s", arg->key);
688 rv.push_back(s);
689 }
690
691 return rv;
692 }
693
694 /******************************************************************
695 * external_acl cache
696 */
697
698 static void
699 external_acl_cache_touch(external_acl * def, const ExternalACLEntryPointer &entry)
700 {
701 // this must not be done when nothing is being cached.
702 if (def->cache_size <= 0 || (def->ttl <= 0 && entry->result == 1) || (def->negative_ttl <= 0 && entry->result != 1))
703 return;
704
705 dlinkDelete(&entry->lru, &def->lru_list);
706 ExternalACLEntry *e = const_cast<ExternalACLEntry *>(entry.getRaw()); // XXX: make hash a std::map of Pointer.
707 dlinkAdd(e, &entry->lru, &def->lru_list);
708 }
709
710 static char *
711 makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
712 {
713 static MemBuf mb;
714 mb.reset();
715
716 // check for special case tokens in the format
717 for (Format::Token *t = acl_data->def->format.format; t ; t = t->next) {
718
719 if (t->type == Format::LFT_EXT_ACL_NAME) {
720 // setup for %ACL
721 safe_free(ch->al->lastAclName);
722 ch->al->lastAclName = xstrdup(acl_data->name);
723 }
724
725 if (t->type == Format::LFT_EXT_ACL_DATA) {
726 // setup string for %DATA
727 SBuf sb;
728 for (auto arg = acl_data->arguments; arg; arg = arg->next) {
729 if (sb.length())
730 sb.append(" ", 1);
731
732 if (acl_data->def->quote == Format::LOG_QUOTE_URL) {
733 const char *quoted = rfc1738_escape(arg->key);
734 sb.append(quoted, strlen(quoted));
735 } else {
736 static MemBuf mb2;
737 mb2.init();
738 strwordquote(&mb2, arg->key);
739 sb.append(mb2.buf, mb2.size);
740 mb2.clean();
741 }
742 }
743
744 ch->al->lastAclData = xstrdup(sb.c_str());
745 }
746
747 #if USE_IDENT
748 if (t->type == Format::LFT_USER_IDENT) {
749 if (!*ch->rfc931) {
750 // if we fail to go async, we still return NULL and the caller
751 // will detect the failure in ACLExternal::match().
752 (void)ch->goAsync(IdentLookup::Instance());
753 return NULL;
754 }
755 }
756 #endif
757 }
758
759 // assemble the full helper lookup string
760 acl_data->def->format.assemble(mb, ch->al, 0);
761
762 return mb.buf;
763 }
764
765 static int
766 external_acl_entry_expired(external_acl * def, const ExternalACLEntryPointer &entry)
767 {
768 if (def->cache_size <= 0)
769 return 1;
770
771 if (entry->date + (entry->result == 1 ? def->ttl : def->negative_ttl) < squid_curtime)
772 return 1;
773 else
774 return 0;
775 }
776
777 static int
778 external_acl_grace_expired(external_acl * def, const ExternalACLEntryPointer &entry)
779 {
780 if (def->cache_size <= 0)
781 return 1;
782
783 int ttl;
784 ttl = entry->result == 1 ? def->ttl : def->negative_ttl;
785 ttl = (ttl * (100 - def->grace)) / 100;
786
787 if (entry->date + ttl <= squid_curtime)
788 return 1;
789 else
790 return 0;
791 }
792
793 static ExternalACLEntryPointer
794 external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data)
795 {
796 ExternalACLEntryPointer entry;
797
798 // do not bother caching this result if TTL is going to expire it immediately
799 if (def->cache_size <= 0 || (def->ttl <= 0 && data.result == 1) || (def->negative_ttl <= 0 && data.result != 1)) {
800 debugs(82,6, HERE);
801 entry = new ExternalACLEntry;
802 entry->key = xstrdup(key);
803 entry->update(data);
804 entry->def = def;
805 return entry;
806 }
807
808 entry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key));
809 debugs(82, 2, "external_acl_cache_add: Adding '" << key << "' = " << data.result);
810
811 if (entry != NULL) {
812 debugs(82, 3, "updating existing entry");
813 entry->update(data);
814 external_acl_cache_touch(def, entry);
815 return entry;
816 }
817
818 entry = new ExternalACLEntry;
819 entry->key = xstrdup(key);
820 entry->update(data);
821
822 def->add(entry);
823
824 return entry;
825 }
826
827 static void
828 external_acl_cache_delete(external_acl * def, const ExternalACLEntryPointer &entry)
829 {
830 assert(entry != NULL);
831 assert(def->cache_size > 0 && entry->def == def);
832 ExternalACLEntry *e = const_cast<ExternalACLEntry *>(entry.getRaw()); // XXX: make hash a std::map of Pointer.
833 hash_remove_link(def->cache, e);
834 dlinkDelete(&e->lru, &def->lru_list);
835 e->unlock(); // unlock on behalf of the hash
836 def->cache_entries -= 1;
837 }
838
839 /******************************************************************
840 * external_acl helpers
841 */
842
843 class externalAclState
844 {
845 CBDATA_CLASS(externalAclState);
846
847 public:
848 externalAclState(external_acl* aDef, const char *aKey) :
849 callback(NULL),
850 callback_data(NULL),
851 key(xstrdup(aKey)),
852 def(cbdataReference(aDef)),
853 queue(NULL)
854 {}
855 ~externalAclState();
856
857 EAH *callback;
858 void *callback_data;
859 char *key;
860 external_acl *def;
861 dlink_node list;
862 externalAclState *queue;
863 };
864
865 CBDATA_CLASS_INIT(externalAclState);
866
867 externalAclState::~externalAclState()
868 {
869 xfree(key);
870 cbdataReferenceDone(callback_data);
871 cbdataReferenceDone(def);
872 }
873
874 /*
875 * The helper program receives queries on stdin, one
876 * per line, and must return the result on on stdout
877 *
878 * General result syntax:
879 *
880 * OK/ERR keyword=value ...
881 *
882 * Keywords:
883 *
884 * user= The users name (login)
885 * message= Message describing the reason
886 * tag= A string tag to be applied to the request that triggered the acl match.
887 * applies to both OK and ERR responses.
888 * Won't override existing request tags.
889 * log= A string to be used in access logging
890 *
891 * Other keywords may be added to the protocol later
892 *
893 * value needs to be URL-encoded or enclosed in double quotes (")
894 * with \-escaping on any whitespace, quotes, or slashes (\).
895 */
896 static void
897 externalAclHandleReply(void *data, const Helper::Reply &reply)
898 {
899 externalAclState *state = static_cast<externalAclState *>(data);
900 externalAclState *next;
901 ExternalACLEntryData entryData;
902 entryData.result = ACCESS_DENIED;
903
904 debugs(82, 2, HERE << "reply=" << reply);
905
906 if (reply.result == Helper::Okay)
907 entryData.result = ACCESS_ALLOWED;
908 // XXX: handle other non-DENIED results better
909
910 // XXX: make entryData store a proper Helper::Reply object instead of copying.
911
912 entryData.notes.append(&reply.notes);
913
914 const char *label = reply.notes.findFirst("tag");
915 if (label != NULL && *label != '\0')
916 entryData.tag = label;
917
918 label = reply.notes.findFirst("message");
919 if (label != NULL && *label != '\0')
920 entryData.message = label;
921
922 label = reply.notes.findFirst("log");
923 if (label != NULL && *label != '\0')
924 entryData.log = label;
925
926 #if USE_AUTH
927 label = reply.notes.findFirst("user");
928 if (label != NULL && *label != '\0')
929 entryData.user = label;
930
931 label = reply.notes.findFirst("password");
932 if (label != NULL && *label != '\0')
933 entryData.password = label;
934 #endif
935
936 dlinkDelete(&state->list, &state->def->queue);
937
938 ExternalACLEntryPointer entry;
939 if (cbdataReferenceValid(state->def)) {
940 // only cache OK and ERR results.
941 if (reply.result == Helper::Okay || reply.result == Helper::Error)
942 entry = external_acl_cache_add(state->def, state->key, entryData);
943 else {
944 const ExternalACLEntryPointer oldentry = static_cast<ExternalACLEntry *>(hash_lookup(state->def->cache, state->key));
945
946 if (oldentry != NULL)
947 external_acl_cache_delete(state->def, oldentry);
948 }
949 }
950
951 do {
952 void *cbdata;
953 if (state->callback && cbdataReferenceValidDone(state->callback_data, &cbdata))
954 state->callback(cbdata, entry);
955
956 next = state->queue;
957 state->queue = NULL;
958
959 delete state;
960
961 state = next;
962 } while (state);
963 }
964
965 void
966 ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me)
967 {
968 ExternalACLLookup::Start(checklist, me->data, false);
969 }
970
971 void
972 ExternalACLLookup::Start(ACLChecklist *checklist, external_acl_data *acl, bool inBackground)
973 {
974 external_acl *def = acl->def;
975
976 ACLFilledChecklist *ch = Filled(checklist);
977 const char *key = makeExternalAclKey(ch, acl);
978 assert(key); // XXX: will fail if EXT_ACL_IDENT case needs an async lookup
979
980 debugs(82, 2, HERE << (inBackground ? "bg" : "fg") << " lookup in '" <<
981 def->name << "' for '" << key << "'");
982
983 /* Check for a pending lookup to hook into */
984 // only possible if we are caching results.
985 externalAclState *oldstate = NULL;
986 if (def->cache_size > 0) {
987 for (dlink_node *node = def->queue.head; node; node = node->next) {
988 externalAclState *oldstatetmp = static_cast<externalAclState *>(node->data);
989
990 if (strcmp(key, oldstatetmp->key) == 0) {
991 oldstate = oldstatetmp;
992 break;
993 }
994 }
995 }
996
997 // A background refresh has no need to piggiback on a pending request:
998 // When the pending request completes, the cache will be refreshed anyway.
999 if (oldstate && inBackground) {
1000 debugs(82, 7, HERE << "'" << def->name << "' queue is already being refreshed (ch=" << ch << ")");
1001 return;
1002 }
1003
1004 externalAclState *state = new externalAclState(def, key);
1005
1006 if (!inBackground) {
1007 state->callback = &ExternalACLLookup::LookupDone;
1008 state->callback_data = cbdataReference(checklist);
1009 }
1010
1011 if (oldstate) {
1012 /* Hook into pending lookup */
1013 state->queue = oldstate->queue;
1014 oldstate->queue = state;
1015 } else {
1016 /* No pending lookup found. Sumbit to helper */
1017
1018 MemBuf buf;
1019 buf.init();
1020 buf.appendf("%s\n", key);
1021 debugs(82, 4, "externalAclLookup: looking up for '" << key << "' in '" << def->name << "'.");
1022
1023 if (!def->theHelper->trySubmit(buf.buf, externalAclHandleReply, state)) {
1024 debugs(82, 7, HERE << "'" << def->name << "' submit to helper failed");
1025 assert(inBackground); // or the caller should have checked
1026 delete state;
1027 return;
1028 }
1029
1030 dlinkAdd(state, &state->list, &def->queue);
1031
1032 buf.clean();
1033 }
1034
1035 debugs(82, 4, "externalAclLookup: will wait for the result of '" << key <<
1036 "' in '" << def->name << "' (ch=" << ch << ").");
1037 }
1038
1039 static void
1040 externalAclStats(StoreEntry * sentry)
1041 {
1042 for (external_acl *p = Config.externalAclHelperList; p; p = p->next) {
1043 storeAppendPrintf(sentry, "External ACL Statistics: %s\n", p->name);
1044 storeAppendPrintf(sentry, "Cache size: %d\n", p->cache->count);
1045 assert(p->theHelper);
1046 p->theHelper->packStatsInto(sentry);
1047 storeAppendPrintf(sentry, "\n");
1048 }
1049 }
1050
1051 static void
1052 externalAclRegisterWithCacheManager(void)
1053 {
1054 Mgr::RegisterAction("external_acl",
1055 "External ACL stats",
1056 externalAclStats, 0, 1);
1057 }
1058
1059 void
1060 externalAclInit(void)
1061 {
1062 for (external_acl *p = Config.externalAclHelperList; p; p = p->next) {
1063 if (!p->cache)
1064 p->cache = hash_create((HASHCMP *) strcmp, hashPrime(1024), hash4);
1065
1066 if (!p->theHelper)
1067 p->theHelper = new helper(p->name);
1068
1069 p->theHelper->cmdline = p->cmdline;
1070
1071 p->theHelper->childs.updateLimits(p->children);
1072
1073 p->theHelper->ipc_type = IPC_TCP_SOCKET;
1074
1075 p->theHelper->addr = p->local_addr;
1076
1077 helperOpenServers(p->theHelper);
1078 }
1079
1080 externalAclRegisterWithCacheManager();
1081 }
1082
1083 void
1084 externalAclShutdown(void)
1085 {
1086 external_acl *p;
1087
1088 for (p = Config.externalAclHelperList; p; p = p->next) {
1089 helperShutdown(p->theHelper);
1090 }
1091 }
1092
1093 ExternalACLLookup ExternalACLLookup::instance_;
1094 ExternalACLLookup *
1095 ExternalACLLookup::Instance()
1096 {
1097 return &instance_;
1098 }
1099
1100 void
1101 ExternalACLLookup::checkForAsync(ACLChecklist *checklist)const
1102 {
1103 /* TODO: optimise this - we probably have a pointer to this
1104 * around somewhere */
1105 ACL *acl = ACL::FindByName(AclMatchedName);
1106 assert(acl);
1107 ACLExternal *me = dynamic_cast<ACLExternal *> (acl);
1108 assert (me);
1109 ACLExternal::ExternalAclLookup(checklist, me);
1110 }
1111
1112 /// Called when an async lookup returns
1113 void
1114 ExternalACLLookup::LookupDone(void *data, const ExternalACLEntryPointer &result)
1115 {
1116 ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
1117 checklist->extacl_entry = result;
1118 checklist->resumeNonBlockingCheck(ExternalACLLookup::Instance());
1119 }
1120
1121 /* This registers "external" in the registry. To do dynamic definitions
1122 * of external ACL's, rather than a static prototype, have a Prototype instance
1123 * prototype in the class that defines each external acl 'class'.
1124 * Then, then the external acl instance is created, it self registers under
1125 * it's name.
1126 * Be sure that clone is fully functional for that acl class though!
1127 */
1128 ACL::Prototype ACLExternal::RegistryProtoype(&ACLExternal::RegistryEntry_, "external");
1129
1130 ACLExternal ACLExternal::RegistryEntry_("external");
1131
1132 ACL *
1133 ACLExternal::clone() const
1134 {
1135 return new ACLExternal(*this);
1136 }
1137
1138 ACLExternal::ACLExternal(char const *theClass) : data(NULL), class_(xstrdup(theClass))
1139 {}
1140
1141 ACLExternal::ACLExternal(ACLExternal const & old) : data(NULL), class_(old.class_ ? xstrdup(old.class_) : NULL)
1142 {
1143 /* we don't have copy constructors for the data yet */
1144 assert(!old.data);
1145 }
1146
1147 char const *
1148 ACLExternal::typeString() const
1149 {
1150 return class_;
1151 }
1152
1153 bool
1154 ACLExternal::isProxyAuth() const
1155 {
1156 #if USE_AUTH
1157 return data->def->require_auth;
1158 #else
1159 return false;
1160 #endif
1161 }
1162
Mirror of https://github.com/squid-cache/squid.git