]> git.ipfire.org Git - thirdparty/squid.git/blob - src/external_acl.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merged from trunk (r12132, v3.2.0.17+)
[thirdparty/squid.git] / src / external_acl.cc
1
2 /*
3 * $Id$
4 *
5 * DEBUG: section 82 External ACL
6 * AUTHOR: Henrik Nordstrom, MARA Systems AB
7 *
8 * SQUID Web Proxy Cache http://www.squid-cache.org/
9 * ----------------------------------------------------------
10 *
11 * The contents of this file is Copyright (C) 2002 by MARA Systems AB,
12 * Sweden, unless otherwise is indicated in the specific function. The
13 * author gives his full permission to include this file into the Squid
14 * software product under the terms of the GNU General Public License as
15 * published by the Free Software Foundation; either version 2 of the
16 * License, or (at your option) any later version.
17 *
18 * Squid is the result of efforts by numerous individuals from
19 * the Internet community; see the CONTRIBUTORS file for full
20 * details. Many organizations have provided support for Squid's
21 * development; see the SPONSORS file for full details. Squid is
22 * Copyrighted (C) 2001 by the Regents of the University of
23 * California; see the COPYRIGHT file for full details. Squid
24 * incorporates software developed and/or copyrighted by other
25 * sources; see the CREDITS file for full details.
26 *
27 * This program is free software; you can redistribute it and/or modify
28 * it under the terms of the GNU General Public License as published by
29 * the Free Software Foundation; either version 2 of the License, or
30 * (at your option) any later version.
31 *
32 * This program is distributed in the hope that it will be useful,
33 * but WITHOUT ANY WARRANTY; without even the implied warranty of
34 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
35 * GNU General Public License for more details.
36 *
37 * You should have received a copy of the GNU General Public License
38 * along with this program; if not, write to the Free Software
39 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
40 *
41 */
42
43 #include "squid-old.h"
44 #include "mgr/Registration.h"
45 #include "ExternalACL.h"
46 #include "ExternalACLEntry.h"
47 #if USE_AUTH
48 #include "auth/Acl.h"
49 #include "auth/Gadgets.h"
50 #include "auth/UserRequest.h"
51 #endif
52 #include "SquidTime.h"
53 #include "Store.h"
54 #include "fde.h"
55 #include "acl/FilledChecklist.h"
56 #include "acl/Acl.h"
57 #if USE_IDENT
58 #include "ident/AclIdent.h"
59 #endif
60 #include "ip/tools.h"
61 #include "client_side.h"
62 #include "comm/Connection.h"
63 #include "HttpRequest.h"
64 #include "HttpReply.h"
65 #include "helper.h"
66 #include "MemBuf.h"
67 #include "rfc1738.h"
68 #include "URLScheme.h"
69 #include "wordlist.h"
70 #if USE_SSL
71 #include "ssl/support.h"
72 #endif
73
74 #ifndef DEFAULT_EXTERNAL_ACL_TTL
75 #define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60
76 #endif
77 #ifndef DEFAULT_EXTERNAL_ACL_CHILDREN
78 #define DEFAULT_EXTERNAL_ACL_CHILDREN 5
79 #endif
80
81 typedef struct _external_acl_format external_acl_format;
82
83 static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data);
84 static void external_acl_cache_delete(external_acl * def, external_acl_entry * entry);
85 static int external_acl_entry_expired(external_acl * def, external_acl_entry * entry);
86 static int external_acl_grace_expired(external_acl * def, external_acl_entry * entry);
87 static void external_acl_cache_touch(external_acl * def, external_acl_entry * entry);
88 static external_acl_entry *external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data);
89
90 /******************************************************************
91 * external_acl directive
92 */
93
94 class external_acl
95 {
96
97 public:
98 external_acl *next;
99
100 void add(ExternalACLEntry *);
101
102 void trimCache();
103
104 int ttl;
105
106 int negative_ttl;
107
108 int grace;
109
110 char *name;
111
112 external_acl_format *format;
113
114 wordlist *cmdline;
115
116 HelperChildConfig children;
117
118 helper *theHelper;
119
120 hash_table *cache;
121
122 dlink_list lru_list;
123
124 int cache_size;
125
126 int cache_entries;
127
128 dlink_list queue;
129
130 #if USE_AUTH
131 /**
132 * Configuration flag. May only be altered by the configuration parser.
133 *
134 * Indicates that all uses of this external_acl_type helper require authentication
135 * details to be processed. If none are available its a fail match.
136 */
137 bool require_auth;
138 #endif
139
140 enum {
141 QUOTE_METHOD_SHELL = 1,
142 QUOTE_METHOD_URL
143 } quote;
144
145 Ip::Address local_addr;
146 };
147
148 struct _external_acl_format {
149 enum format_type {
150 EXT_ACL_UNKNOWN,
151 #if USE_AUTH
152 EXT_ACL_LOGIN,
153 #endif
154 #if USE_IDENT
155 EXT_ACL_IDENT,
156 #endif
157 EXT_ACL_SRC,
158 EXT_ACL_SRCPORT,
159 #if USE_SQUID_EUI
160 EXT_ACL_SRCEUI48,
161 EXT_ACL_SRCEUI64,
162 #endif
163 EXT_ACL_MYADDR,
164 EXT_ACL_MYPORT,
165 EXT_ACL_URI,
166 EXT_ACL_DST,
167 EXT_ACL_PROTO,
168 EXT_ACL_PORT,
169 EXT_ACL_PATH,
170 EXT_ACL_METHOD,
171
172 EXT_ACL_HEADER_REQUEST,
173 EXT_ACL_HEADER_REQUEST_MEMBER,
174 EXT_ACL_HEADER_REQUEST_ID,
175 EXT_ACL_HEADER_REQUEST_ID_MEMBER,
176
177 EXT_ACL_HEADER_REPLY,
178 EXT_ACL_HEADER_REPLY_MEMBER,
179 EXT_ACL_HEADER_REPLY_ID,
180 EXT_ACL_HEADER_REPLY_ID_MEMBER,
181
182 #if USE_SSL
183 EXT_ACL_USER_CERT,
184 EXT_ACL_CA_CERT,
185 EXT_ACL_USER_CERT_RAW,
186 EXT_ACL_USER_CERTCHAIN_RAW,
187 #endif
188 #if USE_AUTH
189 EXT_ACL_EXT_USER,
190 #endif
191 EXT_ACL_EXT_LOG,
192 EXT_ACL_TAG,
193 EXT_ACL_PERCENT,
194 EXT_ACL_END
195 } type;
196 external_acl_format *next;
197 char *header;
198 char *member;
199 char separator;
200 http_hdr_type header_id;
201 };
202
203 /* FIXME: These are not really cbdata, but it is an easy way
204 * to get them pooled, refcounted, accounted and freed properly...
205 */
206 CBDATA_TYPE(external_acl);
207 CBDATA_TYPE(external_acl_format);
208
209 static void
210 free_external_acl_format(void *data)
211 {
212 external_acl_format *p = static_cast<external_acl_format *>(data);
213 safe_free(p->header);
214 }
215
216 static void
217 free_external_acl(void *data)
218 {
219 external_acl *p = static_cast<external_acl *>(data);
220 safe_free(p->name);
221
222 while (p->format) {
223 external_acl_format *f = p->format;
224 p->format = f->next;
225 cbdataFree(f);
226 }
227
228 wordlistDestroy(&p->cmdline);
229
230 if (p->theHelper) {
231 helperShutdown(p->theHelper);
232 delete p->theHelper;
233 p->theHelper = NULL;
234 }
235
236 while (p->lru_list.tail)
237 external_acl_cache_delete(p, static_cast<external_acl_entry *>(p->lru_list.tail->data));
238 if (p->cache)
239 hashFreeMemory(p->cache);
240 }
241
242 /**
243 * Parse the External ACL format %<{.*} and %>{.*} token(s) to pass a specific
244 * request or reply header to external helper.
245 *
246 \param header - the token being parsed (without the identifying prefix)
247 \param type - format enum identifier for this element, pulled from identifying prefix
248 \param format - structure to contain all the info about this format element.
249 */
250 void
251 parse_header_token(external_acl_format *format, char *header, const _external_acl_format::format_type type)
252 {
253 /* header format */
254 char *member, *end;
255
256 /** Cut away the closing brace */
257 end = strchr(header, '}');
258 if (end && strlen(end) == 1)
259 *end = '\0';
260 else
261 self_destruct();
262
263 member = strchr(header, ':');
264
265 if (member) {
266 /* Split in header and member */
267 *member++ = '\0';
268
269 if (!xisalnum(*member))
270 format->separator = *member++;
271 else
272 format->separator = ',';
273
274 format->member = xstrdup(member);
275
276 if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST)
277 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER;
278 else
279 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER;
280 } else {
281 format->type = type;
282 }
283
284 format->header = xstrdup(header);
285 format->header_id = httpHeaderIdByNameDef(header, strlen(header));
286
287 if (format->header_id != -1) {
288 if (member) {
289 if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST)
290 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER;
291 else
292 format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER;
293 } else {
294 if (type == _external_acl_format::EXT_ACL_HEADER_REQUEST)
295 format->type = _external_acl_format::EXT_ACL_HEADER_REQUEST_ID;
296 else
297 format->type = _external_acl_format::EXT_ACL_HEADER_REPLY_ID;
298 }
299 }
300 }
301
302 void
303 parse_externalAclHelper(external_acl ** list)
304 {
305 external_acl *a;
306 char *token;
307 external_acl_format **p;
308
309 CBDATA_INIT_TYPE_FREECB(external_acl, free_external_acl);
310 CBDATA_INIT_TYPE_FREECB(external_acl_format, free_external_acl_format);
311
312 a = cbdataAlloc(external_acl);
313
314 /* set defaults */
315 a->ttl = DEFAULT_EXTERNAL_ACL_TTL;
316 a->negative_ttl = -1;
317 a->cache_size = 256*1024;
318 a->children.n_max = DEFAULT_EXTERNAL_ACL_CHILDREN;
319 a->children.n_startup = a->children.n_max;
320 a->children.n_idle = 1;
321 a->local_addr.SetLocalhost();
322 a->quote = external_acl::QUOTE_METHOD_URL;
323
324 token = strtok(NULL, w_space);
325
326 if (!token)
327 self_destruct();
328
329 a->name = xstrdup(token);
330
331 token = strtok(NULL, w_space);
332
333 /* Parse options */
334 while (token) {
335 if (strncmp(token, "ttl=", 4) == 0) {
336 a->ttl = atoi(token + 4);
337 } else if (strncmp(token, "negative_ttl=", 13) == 0) {
338 a->negative_ttl = atoi(token + 13);
339 } else if (strncmp(token, "children=", 9) == 0) {
340 a->children.n_max = atoi(token + 9);
341 debugs(0, 0, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N");
342 } else if (strncmp(token, "children-max=", 13) == 0) {
343 a->children.n_max = atoi(token + 13);
344 } else if (strncmp(token, "children-startup=", 17) == 0) {
345 a->children.n_startup = atoi(token + 17);
346 } else if (strncmp(token, "children-idle=", 14) == 0) {
347 a->children.n_idle = atoi(token + 14);
348 } else if (strncmp(token, "concurrency=", 12) == 0) {
349 a->children.concurrency = atoi(token + 12);
350 } else if (strncmp(token, "cache=", 6) == 0) {
351 a->cache_size = atoi(token + 6);
352 } else if (strncmp(token, "grace=", 6) == 0) {
353 a->grace = atoi(token + 6);
354 } else if (strcmp(token, "protocol=2.5") == 0) {
355 a->quote = external_acl::QUOTE_METHOD_SHELL;
356 } else if (strcmp(token, "protocol=3.0") == 0) {
357 a->quote = external_acl::QUOTE_METHOD_URL;
358 } else if (strcmp(token, "quote=url") == 0) {
359 a->quote = external_acl::QUOTE_METHOD_URL;
360 } else if (strcmp(token, "quote=shell") == 0) {
361 a->quote = external_acl::QUOTE_METHOD_SHELL;
362
363 /* INET6: allow admin to configure some helpers explicitly to
364 bind to IPv4/v6 localhost port. */
365 } else if (strcmp(token, "ipv4") == 0) {
366 if ( !a->local_addr.SetIPv4() ) {
367 debugs(3, 0, "WARNING: Error converting " << a->local_addr << " to IPv4 in " << a->name );
368 }
369 } else if (strcmp(token, "ipv6") == 0) {
370 if (!Ip::EnableIpv6)
371 debugs(3, 0, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a->name );
372 // else nothing to do.
373 } else {
374 break;
375 }
376
377 token = strtok(NULL, w_space);
378 }
379
380 /* check that child startup value is sane. */
381 if (a->children.n_startup > a->children.n_max)
382 a->children.n_startup = a->children.n_max;
383
384 /* check that child idle value is sane. */
385 if (a->children.n_idle > a->children.n_max)
386 a->children.n_idle = a->children.n_max;
387 if (a->children.n_idle < 1)
388 a->children.n_idle = 1;
389
390 if (a->negative_ttl == -1)
391 a->negative_ttl = a->ttl;
392
393 /* Parse format */
394 p = &a->format;
395
396 while (token) {
397 external_acl_format *format;
398
399 /* stop on first non-format token found */
400
401 if (*token != '%')
402 break;
403
404 format = cbdataAlloc(external_acl_format);
405
406 if (strncmp(token, "%{", 2) == 0) {
407 // deprecated. but assume the old configs all referred to request headers.
408 debugs(82, DBG_IMPORTANT, "WARNING: external_acl_type format %{...} is being replaced by %>{...} for : " << token);
409 parse_header_token(format, (token+2), _external_acl_format::EXT_ACL_HEADER_REQUEST);
410 } else if (strncmp(token, "%>{", 3) == 0) {
411 parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REQUEST);
412 } else if (strncmp(token, "%<{", 3) == 0) {
413 parse_header_token(format, (token+3), _external_acl_format::EXT_ACL_HEADER_REPLY);
414 #if USE_AUTH
415 } else if (strcmp(token, "%LOGIN") == 0) {
416 format->type = _external_acl_format::EXT_ACL_LOGIN;
417 a->require_auth = true;
418 #endif
419 }
420
421 #if USE_IDENT
422 else if (strcmp(token, "%IDENT") == 0)
423 format->type = _external_acl_format::EXT_ACL_IDENT;
424
425 #endif
426
427 else if (strcmp(token, "%SRC") == 0)
428 format->type = _external_acl_format::EXT_ACL_SRC;
429 else if (strcmp(token, "%SRCPORT") == 0)
430 format->type = _external_acl_format::EXT_ACL_SRCPORT;
431 #if USE_SQUID_EUI
432 else if (strcmp(token, "%SRCEUI48") == 0)
433 format->type = _external_acl_format::EXT_ACL_SRCEUI48;
434 else if (strcmp(token, "%SRCEUI64") == 0)
435 format->type = _external_acl_format::EXT_ACL_SRCEUI64;
436 #endif
437 else if (strcmp(token, "%MYADDR") == 0)
438 format->type = _external_acl_format::EXT_ACL_MYADDR;
439 else if (strcmp(token, "%MYPORT") == 0)
440 format->type = _external_acl_format::EXT_ACL_MYPORT;
441 else if (strcmp(token, "%URI") == 0)
442 format->type = _external_acl_format::EXT_ACL_URI;
443 else if (strcmp(token, "%DST") == 0)
444 format->type = _external_acl_format::EXT_ACL_DST;
445 else if (strcmp(token, "%PROTO") == 0)
446 format->type = _external_acl_format::EXT_ACL_PROTO;
447 else if (strcmp(token, "%PORT") == 0)
448 format->type = _external_acl_format::EXT_ACL_PORT;
449 else if (strcmp(token, "%PATH") == 0)
450 format->type = _external_acl_format::EXT_ACL_PATH;
451 else if (strcmp(token, "%METHOD") == 0)
452 format->type = _external_acl_format::EXT_ACL_METHOD;
453
454 #if USE_SSL
455 else if (strcmp(token, "%USER_CERT") == 0)
456 format->type = _external_acl_format::EXT_ACL_USER_CERT_RAW;
457 else if (strcmp(token, "%USER_CERTCHAIN") == 0)
458 format->type = _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW;
459 else if (strncmp(token, "%USER_CERT_", 11) == 0) {
460 format->type = _external_acl_format::EXT_ACL_USER_CERT;
461 format->header = xstrdup(token + 11);
462 } else if (strncmp(token, "%CA_CERT_", 11) == 0) {
463 format->type = _external_acl_format::EXT_ACL_USER_CERT;
464 format->header = xstrdup(token + 11);
465 }
466 #endif
467 #if USE_AUTH
468 else if (strcmp(token, "%EXT_USER") == 0)
469 format->type = _external_acl_format::EXT_ACL_EXT_USER;
470 #endif
471 else if (strcmp(token, "%EXT_LOG") == 0)
472 format->type = _external_acl_format::EXT_ACL_EXT_LOG;
473 else if (strcmp(token, "%TAG") == 0)
474 format->type = _external_acl_format::EXT_ACL_TAG;
475 else if (strcmp(token, "%%") == 0)
476 format->type = _external_acl_format::EXT_ACL_PERCENT;
477 else {
478 debugs(0,0, "ERROR: Unknown Format token " << token);
479 self_destruct();
480 }
481
482 *p = format;
483 p = &format->next;
484 token = strtok(NULL, w_space);
485 }
486
487 /* There must be at least one format token */
488 if (!a->format)
489 self_destruct();
490
491 /* helper */
492 if (!token)
493 self_destruct();
494
495 wordlistAdd(&a->cmdline, token);
496
497 /* arguments */
498 parse_wordlist(&a->cmdline);
499
500 while (*list)
501 list = &(*list)->next;
502
503 *list = a;
504 }
505
506 void
507 dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl * list)
508 {
509 const external_acl *node;
510 const external_acl_format *format;
511 const wordlist *word;
512
513 for (node = list; node; node = node->next) {
514 storeAppendPrintf(sentry, "%s %s", name, node->name);
515
516 if (!node->local_addr.IsIPv6())
517 storeAppendPrintf(sentry, " ipv4");
518 else
519 storeAppendPrintf(sentry, " ipv6");
520
521 if (node->ttl != DEFAULT_EXTERNAL_ACL_TTL)
522 storeAppendPrintf(sentry, " ttl=%d", node->ttl);
523
524 if (node->negative_ttl != node->ttl)
525 storeAppendPrintf(sentry, " negative_ttl=%d", node->negative_ttl);
526
527 if (node->grace)
528 storeAppendPrintf(sentry, " grace=%d", node->grace);
529
530 if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN)
531 storeAppendPrintf(sentry, " children-max=%d", node->children.n_max);
532
533 if (node->children.n_startup != 1)
534 storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup);
535
536 if (node->children.n_idle != (node->children.n_max + node->children.n_startup) )
537 storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle);
538
539 if (node->children.concurrency)
540 storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency);
541
542 if (node->cache)
543 storeAppendPrintf(sentry, " cache=%d", node->cache_size);
544
545 for (format = node->format; format; format = format->next) {
546 switch (format->type) {
547
548 case _external_acl_format::EXT_ACL_HEADER_REQUEST:
549 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID:
550 storeAppendPrintf(sentry, " %%>{%s}", format->header);
551 break;
552
553 case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER:
554 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER:
555 storeAppendPrintf(sentry, " %%>{%s:%s}", format->header, format->member);
556 break;
557
558 case _external_acl_format::EXT_ACL_HEADER_REPLY:
559 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID:
560 storeAppendPrintf(sentry, " %%<{%s}", format->header);
561 break;
562
563 case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER:
564 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER:
565 storeAppendPrintf(sentry, " %%<{%s:%s}", format->header, format->member);
566 break;
567 #define DUMP_EXT_ACL_TYPE(a) \
568 case _external_acl_format::EXT_ACL_##a: \
569 storeAppendPrintf(sentry, " %%%s", #a); \
570 break
571 #if USE_AUTH
572 DUMP_EXT_ACL_TYPE(LOGIN);
573 #endif
574 #if USE_IDENT
575
576 DUMP_EXT_ACL_TYPE(IDENT);
577 #endif
578
579 DUMP_EXT_ACL_TYPE(SRC);
580 DUMP_EXT_ACL_TYPE(SRCPORT);
581 #if USE_SQUID_EUI
582 DUMP_EXT_ACL_TYPE(SRCEUI48);
583 DUMP_EXT_ACL_TYPE(SRCEUI64);
584 #endif
585
586 DUMP_EXT_ACL_TYPE(MYADDR);
587 DUMP_EXT_ACL_TYPE(MYPORT);
588 DUMP_EXT_ACL_TYPE(URI);
589 DUMP_EXT_ACL_TYPE(DST);
590 DUMP_EXT_ACL_TYPE(PROTO);
591 DUMP_EXT_ACL_TYPE(PORT);
592 DUMP_EXT_ACL_TYPE(PATH);
593 DUMP_EXT_ACL_TYPE(METHOD);
594 #if USE_SSL
595
596 case _external_acl_format::EXT_ACL_USER_CERT_RAW:
597 storeAppendPrintf(sentry, " %%USER_CERT");
598 break;
599
600 case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW:
601 storeAppendPrintf(sentry, " %%USER_CERTCHAIN");
602 break;
603
604 case _external_acl_format::EXT_ACL_USER_CERT:
605 storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header);
606 break;
607
608 case _external_acl_format::EXT_ACL_CA_CERT:
609 storeAppendPrintf(sentry, " %%USER_CERT_%s", format->header);
610 break;
611 #endif
612 #if USE_AUTH
613 DUMP_EXT_ACL_TYPE(EXT_USER);
614 #endif
615 DUMP_EXT_ACL_TYPE(EXT_LOG);
616 DUMP_EXT_ACL_TYPE(TAG);
617 default:
618 fatal("unknown external_acl format error");
619 break;
620 }
621 }
622
623 for (word = node->cmdline; word; word = word->next)
624 storeAppendPrintf(sentry, " %s", word->key);
625
626 storeAppendPrintf(sentry, "\n");
627 }
628 }
629
630 void
631 free_externalAclHelper(external_acl ** list)
632 {
633 while (*list) {
634 external_acl *node = *list;
635 *list = node->next;
636 node->next = NULL;
637 cbdataFree(node);
638 }
639 }
640
641 static external_acl *
642 find_externalAclHelper(const char *name)
643 {
644 external_acl *node;
645
646 for (node = Config.externalAclHelperList; node; node = node->next) {
647 if (strcmp(node->name, name) == 0)
648 return node;
649 }
650
651 return NULL;
652 }
653
654 void
655 external_acl::add(ExternalACLEntry *anEntry)
656 {
657 trimCache();
658 assert (anEntry->def == NULL);
659 anEntry->def = this;
660 hash_join(cache, anEntry);
661 dlinkAdd(anEntry, &anEntry->lru, &lru_list);
662 cache_entries++;
663 }
664
665 void
666 external_acl::trimCache()
667 {
668 if (cache_size && cache_entries >= cache_size)
669 external_acl_cache_delete(this, static_cast<external_acl_entry *>(lru_list.tail->data));
670 }
671
672
673 /******************************************************************
674 * external acl type
675 */
676
677 struct _external_acl_data {
678 external_acl *def;
679 wordlist *arguments;
680 };
681
682 CBDATA_TYPE(external_acl_data);
683 static void
684 free_external_acl_data(void *data)
685 {
686 external_acl_data *p = static_cast<external_acl_data *>(data);
687 wordlistDestroy(&p->arguments);
688 cbdataReferenceDone(p->def);
689 }
690
691 void
692 ACLExternal::parse()
693 {
694 char *token;
695
696 if (data)
697 self_destruct();
698
699 CBDATA_INIT_TYPE_FREECB(external_acl_data, free_external_acl_data);
700
701 data = cbdataAlloc(external_acl_data);
702
703 token = strtok(NULL, w_space);
704
705 if (!token)
706 self_destruct();
707
708 data->def = cbdataReference(find_externalAclHelper(token));
709
710 if (!data->def)
711 self_destruct();
712
713 while ((token = strtokFile())) {
714 wordlistAdd(&data->arguments, token);
715 }
716 }
717
718 bool
719 ACLExternal::valid () const
720 {
721 #if USE_AUTH
722 if (data->def->require_auth) {
723 if (authenticateSchemeCount() == 0) {
724 debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
725 return false;
726 }
727
728 if (authenticateActiveSchemeCount() == 0) {
729 debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
730 return false;
731 }
732 }
733 #endif
734
735 return true;
736 }
737
738 bool
739 ACLExternal::empty () const
740 {
741 return false;
742 }
743
744 ACLExternal::~ACLExternal()
745 {
746 cbdataFree(data);
747 safe_free (class_);
748 }
749
750 static void
751 copyResultsFromEntry(HttpRequest *req, external_acl_entry *entry)
752 {
753 if (req) {
754 #if USE_AUTH
755 if (entry->user.size())
756 req->extacl_user = entry->user;
757
758 if (entry->password.size())
759 req->extacl_passwd = entry->password;
760 #endif
761 if (!req->tag.size())
762 req->tag = entry->tag;
763
764 if (entry->log.size())
765 req->extacl_log = entry->log;
766
767 if (entry->message.size())
768 req->extacl_message = entry->message;
769 }
770 }
771
772 static allow_t
773 aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch)
774 {
775 const char *key = "";
776 debugs(82, 9, HERE << "acl=\"" << acl->def->name << "\"");
777 external_acl_entry *entry = ch->extacl_entry;
778
779 if (entry) {
780 if (cbdataReferenceValid(entry) && entry->def == acl->def) {
781 /* Ours, use it.. if the key matches */
782 key = makeExternalAclKey(ch, acl);
783 if (strcmp(key, (char*)entry->key) != 0) {
784 debugs(82, 9, HERE << "entry key='" << (char *)entry->key << "', our key='" << key << "' dont match. Discarded.");
785 // too bad. need a new lookup.
786 cbdataReferenceDone(ch->extacl_entry);
787 entry = NULL;
788 }
789 } else {
790 /* Not valid, or not ours.. get rid of it */
791 debugs(82, 9, HERE << "entry " << entry << " not valid or not ours. Discarded.");
792 if (entry) {
793 debugs(82, 9, HERE << "entry def=" << entry->def << ", our def=" << acl->def);
794 key = makeExternalAclKey(ch, acl);
795 debugs(82, 9, HERE << "entry key='" << (char *)entry->key << "', our key='" << key << "'");
796 }
797 cbdataReferenceDone(ch->extacl_entry);
798 entry = NULL;
799 }
800 }
801
802 external_acl_message = "MISSING REQUIRED INFORMATION";
803
804 if (!entry) {
805 debugs(82, 9, HERE << "No helper entry available");
806 #if USE_AUTH
807 if (acl->def->require_auth) {
808 int ti = AuthenticateAcl(ch);
809 /* Make sure the user is authenticated */
810 debugs(82, 3, HERE << acl->def->name << " check user authenticated.");
811 if (ti != 1) {
812 debugs(82, 2, HERE << acl->def->name << " user not authenticated (" << ti << ")");
813 return ACCESS_AUTH_REQUIRED;
814 }
815 debugs(82, 3, HERE << acl->def->name << " user is authenticated.");
816 }
817 #endif
818 key = makeExternalAclKey(ch, acl);
819
820 if (!key) {
821 /* Not sufficient data to process */
822 return ACCESS_DUNNO;
823 }
824
825 entry = static_cast<external_acl_entry *>(hash_lookup(acl->def->cache, key));
826
827 if (!entry || external_acl_grace_expired(acl->def, entry)) {
828 debugs(82, 2, HERE << acl->def->name << "(\"" << key << "\") = lookup needed");
829 debugs(82, 2, HERE << "\"" << key << "\": entry=@" <<
830 entry << ", age=" << (entry ? (long int) squid_curtime - entry->date : 0));
831
832 if (acl->def->theHelper->stats.queue_size <= (int)acl->def->theHelper->childs.n_active) {
833 debugs(82, 2, HERE << "\"" << key << "\": queueing a call.");
834 ch->changeState(ExternalACLLookup::Instance());
835 debugs(82, 2, HERE << "\"" << key << "\": return -1.");
836 return ACCESS_DUNNO; // to get here we have to have an expired cache entry. MUST not use.
837 } else {
838 if (!entry) {
839 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
840 "' queue overload. Request rejected '" << key << "'.");
841 external_acl_message = "SYSTEM TOO BUSY, TRY AGAIN LATER";
842 return ACCESS_DUNNO;
843 } else {
844 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
845 "' queue overload. Using stale result. '" << key << "'.");
846 /* Fall thru to processing below */
847 }
848 }
849 }
850 }
851
852 external_acl_cache_touch(acl->def, entry);
853 external_acl_message = entry->message.termedBuf();
854
855 debugs(82, 2, HERE << acl->def->name << " = " << entry->result);
856 copyResultsFromEntry(ch->request, entry);
857 return entry->result;
858 }
859
860 int
861 ACLExternal::match(ACLChecklist *checklist)
862 {
863 allow_t answer = aclMatchExternal(data, Filled(checklist));
864 if (answer != ACCESS_DENIED && answer != ACCESS_ALLOWED) {
865 // If the answer is not allowed or denied (matches/not matches), requires
866 // authentication (ACCESS_AUTH_*) or the authentication is in progress (ACCESS_DUNNO)
867 // so change the state in the related checklist.
868 checklist->currentAnswer(answer);
869 }
870
871 // convert to tri-state ACL match 1,0,-1
872 switch (answer) {
873 case ACCESS_ALLOWED:
874 return 1; // match
875
876 case ACCESS_DENIED:
877 return 0; // non-match
878
879 case ACCESS_DUNNO:
880 case ACCESS_AUTH_REQUIRED:
881 default:
882 return -1; // other
883 }
884 }
885
886 wordlist *
887 ACLExternal::dump() const
888 {
889 external_acl_data const *acl = data;
890 wordlist *result = NULL;
891 wordlist *arg;
892 MemBuf mb;
893 mb.init();
894 mb.Printf("%s", acl->def->name);
895
896 for (arg = acl->arguments; arg; arg = arg->next) {
897 mb.Printf(" %s", arg->key);
898 }
899
900 wordlistAdd(&result, mb.buf);
901 mb.clean();
902 return result;
903 }
904
905 /******************************************************************
906 * external_acl cache
907 */
908
909 static void
910 external_acl_cache_touch(external_acl * def, external_acl_entry * entry)
911 {
912 // this must not be done when nothing is being cached.
913 if (def->cache_size <= 0 || (def->ttl <= 0 && entry->result == 1) || (def->negative_ttl <= 0 && entry->result != 1))
914 return;
915
916 dlinkDelete(&entry->lru, &def->lru_list);
917 dlinkAdd(entry, &entry->lru, &def->lru_list);
918 }
919
920 static char *
921 makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
922 {
923 static MemBuf mb;
924 char buf[256];
925 int first = 1;
926 wordlist *arg;
927 external_acl_format *format;
928 HttpRequest *request = ch->request;
929 HttpReply *reply = ch->reply;
930 mb.reset();
931
932 for (format = acl_data->def->format; format; format = format->next) {
933 const char *str = NULL;
934 String sb;
935
936 switch (format->type) {
937 #if USE_AUTH
938 case _external_acl_format::EXT_ACL_LOGIN:
939 // if this ACL line was the cause of credentials fetch
940 // they may not already be in the checklist
941 if (ch->auth_user_request == NULL && ch->request)
942 ch->auth_user_request = ch->request->auth_user_request;
943
944 if (ch->auth_user_request != NULL)
945 str = ch->auth_user_request->username();
946 break;
947 #endif
948 #if USE_IDENT
949 case _external_acl_format::EXT_ACL_IDENT:
950 str = ch->rfc931;
951
952 if (!str || !*str) {
953 ch->changeState(IdentLookup::Instance());
954 return NULL;
955 }
956
957 break;
958 #endif
959
960 case _external_acl_format::EXT_ACL_SRC:
961 str = ch->src_addr.NtoA(buf,sizeof(buf));
962 break;
963
964 case _external_acl_format::EXT_ACL_SRCPORT:
965 snprintf(buf, sizeof(buf), "%d", request->client_addr.GetPort());
966 str = buf;
967 break;
968
969 #if USE_SQUID_EUI
970 case _external_acl_format::EXT_ACL_SRCEUI48:
971 if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL &&
972 request->clientConnectionManager->clientConnection->remoteEui48.encode(buf, sizeof(buf)))
973 str = buf;
974 break;
975
976 case _external_acl_format::EXT_ACL_SRCEUI64:
977 if (request->clientConnectionManager.valid() && request->clientConnectionManager->clientConnection != NULL &&
978 request->clientConnectionManager->clientConnection->remoteEui64.encode(buf, sizeof(buf)))
979 str = buf;
980 break;
981 #endif
982
983 case _external_acl_format::EXT_ACL_MYADDR:
984 str = request->my_addr.NtoA(buf, sizeof(buf));
985 break;
986
987 case _external_acl_format::EXT_ACL_MYPORT:
988 snprintf(buf, sizeof(buf), "%d", request->my_addr.GetPort());
989 str = buf;
990 break;
991
992 case _external_acl_format::EXT_ACL_URI:
993 str = urlCanonical(request);
994 break;
995
996 case _external_acl_format::EXT_ACL_DST:
997 str = request->GetHost();
998 break;
999
1000 case _external_acl_format::EXT_ACL_PROTO:
1001 str = AnyP::ProtocolType_str[request->protocol];
1002 break;
1003
1004 case _external_acl_format::EXT_ACL_PORT:
1005 snprintf(buf, sizeof(buf), "%d", request->port);
1006 str = buf;
1007 break;
1008
1009 case _external_acl_format::EXT_ACL_PATH:
1010 str = request->urlpath.termedBuf();
1011 break;
1012
1013 case _external_acl_format::EXT_ACL_METHOD:
1014 str = RequestMethodStr(request->method);
1015 break;
1016
1017 case _external_acl_format::EXT_ACL_HEADER_REQUEST:
1018 sb = request->header.getByName(format->header);
1019 str = sb.termedBuf();
1020 break;
1021
1022 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID:
1023 sb = request->header.getStrOrList(format->header_id);
1024 str = sb.termedBuf();
1025 break;
1026
1027 case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER:
1028 sb = request->header.getByNameListMember(format->header, format->member, format->separator);
1029 str = sb.termedBuf();
1030 break;
1031
1032 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER:
1033 sb = request->header.getListMember(format->header_id, format->member, format->separator);
1034 str = sb.termedBuf();
1035 break;
1036
1037 case _external_acl_format::EXT_ACL_HEADER_REPLY:
1038 if (reply) {
1039 sb = reply->header.getByName(format->header);
1040 str = sb.termedBuf();
1041 }
1042 break;
1043
1044 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID:
1045 if (reply) {
1046 sb = reply->header.getStrOrList(format->header_id);
1047 str = sb.termedBuf();
1048 }
1049 break;
1050
1051 case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER:
1052 if (reply) {
1053 sb = reply->header.getByNameListMember(format->header, format->member, format->separator);
1054 str = sb.termedBuf();
1055 }
1056 break;
1057
1058 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER:
1059 if (reply) {
1060 sb = reply->header.getListMember(format->header_id, format->member, format->separator);
1061 str = sb.termedBuf();
1062 }
1063 break;
1064 #if USE_SSL
1065
1066 case _external_acl_format::EXT_ACL_USER_CERT_RAW:
1067
1068 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1069 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
1070
1071 if (ssl)
1072 str = sslGetUserCertificatePEM(ssl);
1073 }
1074
1075 break;
1076
1077 case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW:
1078
1079 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1080 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
1081
1082 if (ssl)
1083 str = sslGetUserCertificateChainPEM(ssl);
1084 }
1085
1086 break;
1087
1088 case _external_acl_format::EXT_ACL_USER_CERT:
1089
1090 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1091 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
1092
1093 if (ssl)
1094 str = sslGetUserAttribute(ssl, format->header);
1095 }
1096
1097 break;
1098
1099 case _external_acl_format::EXT_ACL_CA_CERT:
1100
1101 if (ch->conn() != NULL && Comm::IsConnOpen(ch->conn()->clientConnection)) {
1102 SSL *ssl = fd_table[ch->conn()->clientConnection->fd].ssl;
1103
1104 if (ssl)
1105 str = sslGetCAAttribute(ssl, format->header);
1106 }
1107
1108 break;
1109 #endif
1110 #if USE_AUTH
1111 case _external_acl_format::EXT_ACL_EXT_USER:
1112 str = request->extacl_user.termedBuf();
1113 break;
1114 #endif
1115 case _external_acl_format::EXT_ACL_EXT_LOG:
1116 str = request->extacl_log.termedBuf();
1117 break;
1118 case _external_acl_format::EXT_ACL_TAG:
1119 str = request->tag.termedBuf();
1120 break;
1121 case _external_acl_format::EXT_ACL_PERCENT:
1122 str = "%";
1123 break;
1124 case _external_acl_format::EXT_ACL_UNKNOWN:
1125
1126 case _external_acl_format::EXT_ACL_END:
1127 fatal("unknown external_acl format error");
1128 break;
1129 }
1130
1131 if (str)
1132 if (!*str)
1133 str = NULL;
1134
1135 if (!str)
1136 str = "-";
1137
1138 if (!first)
1139 mb.append(" ", 1);
1140
1141 if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) {
1142 const char *quoted = rfc1738_escape(str);
1143 mb.append(quoted, strlen(quoted));
1144 } else {
1145 strwordquote(&mb, str);
1146 }
1147
1148 sb.clean();
1149
1150 first = 0;
1151 }
1152
1153 for (arg = acl_data->arguments; arg; arg = arg->next) {
1154 if (!first)
1155 mb.append(" ", 1);
1156
1157 if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) {
1158 const char *quoted = rfc1738_escape(arg->key);
1159 mb.append(quoted, strlen(quoted));
1160 } else {
1161 strwordquote(&mb, arg->key);
1162 }
1163
1164 first = 0;
1165 }
1166
1167 return mb.buf;
1168 }
1169
1170 static int
1171 external_acl_entry_expired(external_acl * def, external_acl_entry * entry)
1172 {
1173 if (def->cache_size <= 0)
1174 return 1;
1175
1176 if (entry->date + (entry->result == 1 ? def->ttl : def->negative_ttl) < squid_curtime)
1177 return 1;
1178 else
1179 return 0;
1180 }
1181
1182 static int
1183 external_acl_grace_expired(external_acl * def, external_acl_entry * entry)
1184 {
1185 if (def->cache_size <= 0)
1186 return 1;
1187
1188 int ttl;
1189 ttl = entry->result == 1 ? def->ttl : def->negative_ttl;
1190 ttl = (ttl * (100 - def->grace)) / 100;
1191
1192 if (entry->date + ttl <= squid_curtime)
1193 return 1;
1194 else
1195 return 0;
1196 }
1197
1198 static external_acl_entry *
1199 external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data)
1200 {
1201 ExternalACLEntry *entry;
1202
1203 // do not bother caching this result if TTL is going to expire it immediately
1204 if (def->cache_size <= 0 || (def->ttl <= 0 && data.result == 1) || (def->negative_ttl <= 0 && data.result != 1)) {
1205 debugs(82,6, HERE);
1206 entry = new ExternalACLEntry;
1207 entry->key = xstrdup(key);
1208 entry->update(data);
1209 entry->def = def;
1210 return entry;
1211 }
1212
1213 entry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key));
1214 debugs(82, 2, "external_acl_cache_add: Adding '" << key << "' = " << data.result);
1215
1216 if (entry) {
1217 debugs(82, 3, "ExternalACLEntry::update: updating existing entry");
1218 entry->update(data);
1219 external_acl_cache_touch(def, entry);
1220
1221 return entry;
1222 }
1223
1224 entry = new ExternalACLEntry;
1225 entry->key = xstrdup(key);
1226 entry->update(data);
1227
1228 def->add(entry);
1229
1230 return entry;
1231 }
1232
1233 static void
1234 external_acl_cache_delete(external_acl * def, external_acl_entry * entry)
1235 {
1236 assert(def->cache_size > 0 && entry->def == def);
1237 hash_remove_link(def->cache, entry);
1238 dlinkDelete(&entry->lru, &def->lru_list);
1239 def->cache_entries -= 1;
1240 delete entry;
1241 }
1242
1243 /******************************************************************
1244 * external_acl helpers
1245 */
1246
1247 typedef struct _externalAclState externalAclState;
1248
1249 struct _externalAclState {
1250 EAH *callback;
1251 void *callback_data;
1252 char *key;
1253 external_acl *def;
1254 dlink_node list;
1255 externalAclState *queue;
1256 };
1257
1258 CBDATA_TYPE(externalAclState);
1259 static void
1260 free_externalAclState(void *data)
1261 {
1262 externalAclState *state = static_cast<externalAclState *>(data);
1263 safe_free(state->key);
1264 cbdataReferenceDone(state->callback_data);
1265 cbdataReferenceDone(state->def);
1266 }
1267
1268 /*
1269 * The helper program receives queries on stdin, one
1270 * per line, and must return the result on on stdout
1271 *
1272 * General result syntax:
1273 *
1274 * OK/ERR keyword=value ...
1275 *
1276 * Keywords:
1277 *
1278 * user= The users name (login)
1279 * message= Message describing the reason
1280 * tag= A string tag to be applied to the request that triggered the acl match.
1281 * applies to both OK and ERR responses.
1282 * Won't override existing request tags.
1283 * log= A string to be used in access logging
1284 *
1285 * Other keywords may be added to the protocol later
1286 *
1287 * value needs to be enclosed in quotes if it may contain whitespace, or
1288 * the whitespace escaped using \ (\ escaping obviously also applies to
1289 * any " characters)
1290 */
1291
1292 static void
1293 externalAclHandleReply(void *data, char *reply)
1294 {
1295 externalAclState *state = static_cast<externalAclState *>(data);
1296 externalAclState *next;
1297 char *status;
1298 char *token;
1299 char *value;
1300 char *t = NULL;
1301 ExternalACLEntryData entryData;
1302 entryData.result = ACCESS_DENIED;
1303 external_acl_entry *entry = NULL;
1304
1305 debugs(82, 2, "externalAclHandleReply: reply=\"" << reply << "\"");
1306
1307 if (reply) {
1308 status = strwordtok(reply, &t);
1309
1310 if (status && strcmp(status, "OK") == 0)
1311 entryData.result = ACCESS_ALLOWED;
1312
1313 while ((token = strwordtok(NULL, &t))) {
1314 value = strchr(token, '=');
1315
1316 if (value) {
1317 *value++ = '\0'; /* terminate the token, and move up to the value */
1318
1319 if (state->def->quote == external_acl::QUOTE_METHOD_URL)
1320 rfc1738_unescape(value);
1321
1322 if (strcmp(token, "message") == 0)
1323 entryData.message = value;
1324 else if (strcmp(token, "error") == 0)
1325 entryData.message = value;
1326 else if (strcmp(token, "tag") == 0)
1327 entryData.tag = value;
1328 else if (strcmp(token, "log") == 0)
1329 entryData.log = value;
1330 #if USE_AUTH
1331 else if (strcmp(token, "user") == 0)
1332 entryData.user = value;
1333 else if (strcmp(token, "password") == 0)
1334 entryData.password = value;
1335 else if (strcmp(token, "passwd") == 0)
1336 entryData.password = value;
1337 else if (strcmp(token, "login") == 0)
1338 entryData.user = value;
1339 #endif
1340 }
1341 }
1342 }
1343
1344 dlinkDelete(&state->list, &state->def->queue);
1345
1346 if (cbdataReferenceValid(state->def)) {
1347 if (reply)
1348 entry = external_acl_cache_add(state->def, state->key, entryData);
1349 else {
1350 external_acl_entry *oldentry = (external_acl_entry *)hash_lookup(state->def->cache, state->key);
1351
1352 if (oldentry)
1353 external_acl_cache_delete(state->def, oldentry);
1354 }
1355 }
1356
1357 do {
1358 void *cbdata;
1359 cbdataReferenceDone(state->def);
1360
1361 if (state->callback && cbdataReferenceValidDone(state->callback_data, &cbdata))
1362 state->callback(cbdata, entry);
1363
1364 next = state->queue;
1365
1366 cbdataFree(state);
1367
1368 state = next;
1369 } while (state);
1370 }
1371
1372 void
1373 ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me, EAH * callback, void *callback_data)
1374 {
1375 MemBuf buf;
1376 external_acl_data *acl = me->data;
1377 external_acl *def = acl->def;
1378 externalAclState *state;
1379 dlink_node *node;
1380 externalAclState *oldstate = NULL;
1381 bool graceful = 0;
1382
1383 ACLFilledChecklist *ch = Filled(checklist);
1384 #if USE_AUTH
1385 if (acl->def->require_auth) {
1386 int ti;
1387 /* Make sure the user is authenticated */
1388 debugs(82, 3, HERE << acl->def->name << " check user authenticated.");
1389
1390 if ((ti = AuthenticateAcl(ch)) != 1) {
1391 debugs(82, DBG_IMPORTANT, "WARNING: " << acl->def->name <<
1392 " user authentication failure (" << ti << ", ch=" << ch << ")");
1393 callback(callback_data, NULL);
1394 return;
1395 }
1396 debugs(82, 3, HERE << acl->def->name << " user is authenticated.");
1397 }
1398 #endif
1399
1400 const char *key = makeExternalAclKey(ch, acl);
1401
1402 if (!key) {
1403 debugs(82, 1, "externalAclLookup: lookup in '" << def->name <<
1404 "', prerequisit failure (ch=" << ch << ")");
1405 callback(callback_data, NULL);
1406 return;
1407 }
1408
1409 debugs(82, 2, "externalAclLookup: lookup in '" << def->name << "' for '" << key << "'");
1410
1411 external_acl_entry *entry = static_cast<external_acl_entry *>(hash_lookup(def->cache, key));
1412
1413 if (entry && external_acl_entry_expired(def, entry))
1414 entry = NULL;
1415
1416 /* Check for a pending lookup to hook into */
1417 // only possible if we are caching results.
1418 if (def->cache_size > 0) {
1419 for (node = def->queue.head; node; node = node->next) {
1420 externalAclState *oldstatetmp = static_cast<externalAclState *>(node->data);
1421
1422 if (strcmp(key, oldstatetmp->key) == 0) {
1423 oldstate = oldstatetmp;
1424 break;
1425 }
1426 }
1427 }
1428
1429 if (entry && external_acl_grace_expired(def, entry)) {
1430 if (oldstate) {
1431 debugs(82, 4, "externalAclLookup: in grace period, but already pending lookup ('" << key << "', ch=" << ch << ")");
1432 callback(callback_data, entry);
1433 return;
1434 } else {
1435 graceful = 1; // grace expired, (neg)ttl did not, and we must start a new lookup.
1436 }
1437 }
1438
1439 // The entry is in the cache, grace_ttl did not expired.
1440 if (!graceful && entry && !external_acl_grace_expired(def, entry)) {
1441 /* Should not really happen, but why not.. */
1442 callback(callback_data, entry);
1443 debugs(82, 4, "externalAclLookup: no lookup pending for '" << key << "', and grace not expired");
1444 debugs(82, 4, "externalAclLookup: (what tha' hell?)");
1445 return;
1446 }
1447
1448 /* No pending lookup found. Sumbit to helper */
1449 state = cbdataAlloc(externalAclState);
1450
1451 state->def = cbdataReference(def);
1452
1453 state->key = xstrdup(key);
1454
1455 if (!graceful) {
1456 state->callback = callback;
1457 state->callback_data = cbdataReference(callback_data);
1458 }
1459
1460 if (oldstate) {
1461 /* Hook into pending lookup */
1462 state->queue = oldstate->queue;
1463 oldstate->queue = state;
1464 } else {
1465 /* Check for queue overload */
1466
1467 if (def->theHelper->stats.queue_size >= (int)def->theHelper->childs.n_running) {
1468 debugs(82, 1, "externalAclLookup: '" << def->name << "' queue overload (ch=" << ch << ")");
1469 cbdataFree(state);
1470 callback(callback_data, entry);
1471 return;
1472 }
1473
1474 /* Send it off to the helper */
1475 buf.init();
1476
1477 buf.Printf("%s\n", key);
1478
1479 debugs(82, 4, "externalAclLookup: looking up for '" << key << "' in '" << def->name << "'.");
1480
1481 helperSubmit(def->theHelper, buf.buf, externalAclHandleReply, state);
1482
1483 dlinkAdd(state, &state->list, &def->queue);
1484
1485 buf.clean();
1486 }
1487
1488 if (graceful) {
1489 /* No need to wait during grace period */
1490 debugs(82, 4, "externalAclLookup: no need to wait for the result of '" <<
1491 key << "' in '" << def->name << "' (ch=" << ch << ").");
1492 debugs(82, 4, "externalAclLookup: using cached entry " << entry);
1493
1494 if (entry != NULL) {
1495 debugs(82, 4, "externalAclLookup: entry = { date=" <<
1496 (long unsigned int) entry->date <<
1497 ", result=" << entry->result <<
1498 " tag=" << entry->tag <<
1499 " log=" << entry->log << " }");
1500 #if USE_AUTH
1501 debugs(82, 4, "externalAclLookup: user=" << entry->user);
1502 #endif
1503 copyResultsFromEntry(ch->request, entry);
1504 }
1505
1506 callback(callback_data, entry);
1507 return;
1508 }
1509
1510 debugs(82, 4, "externalAclLookup: will wait for the result of '" << key <<
1511 "' in '" << def->name << "' (ch=" << ch << ").");
1512 }
1513
1514 static void
1515 externalAclStats(StoreEntry * sentry)
1516 {
1517 external_acl *p;
1518
1519 for (p = Config.externalAclHelperList; p; p = p->next) {
1520 storeAppendPrintf(sentry, "External ACL Statistics: %s\n", p->name);
1521 storeAppendPrintf(sentry, "Cache size: %d\n", p->cache->count);
1522 helperStats(sentry, p->theHelper);
1523 storeAppendPrintf(sentry, "\n");
1524 }
1525 }
1526
1527 static void
1528 externalAclRegisterWithCacheManager(void)
1529 {
1530 Mgr::RegisterAction("external_acl",
1531 "External ACL stats",
1532 externalAclStats, 0, 1);
1533 }
1534
1535 void
1536 externalAclInit(void)
1537 {
1538 static int firstTimeInit = 1;
1539 external_acl *p;
1540
1541 for (p = Config.externalAclHelperList; p; p = p->next) {
1542 if (!p->cache)
1543 p->cache = hash_create((HASHCMP *) strcmp, hashPrime(1024), hash4);
1544
1545 if (!p->theHelper)
1546 p->theHelper = new helper(p->name);
1547
1548 p->theHelper->cmdline = p->cmdline;
1549
1550 p->theHelper->childs.updateLimits(p->children);
1551
1552 p->theHelper->ipc_type = IPC_TCP_SOCKET;
1553
1554 p->theHelper->addr = p->local_addr;
1555
1556 helperOpenServers(p->theHelper);
1557 }
1558
1559 if (firstTimeInit) {
1560 firstTimeInit = 0;
1561 CBDATA_INIT_TYPE_FREECB(externalAclState, free_externalAclState);
1562 }
1563
1564 externalAclRegisterWithCacheManager();
1565 }
1566
1567 void
1568 externalAclShutdown(void)
1569 {
1570 external_acl *p;
1571
1572 for (p = Config.externalAclHelperList; p; p = p->next) {
1573 helperShutdown(p->theHelper);
1574 }
1575 }
1576
1577 ExternalACLLookup ExternalACLLookup::instance_;
1578 ExternalACLLookup *
1579 ExternalACLLookup::Instance()
1580 {
1581 return &instance_;
1582 }
1583
1584 void
1585 ExternalACLLookup::checkForAsync(ACLChecklist *checklist)const
1586 {
1587 /* TODO: optimise this - we probably have a pointer to this
1588 * around somewhere */
1589 ACL *acl = ACL::FindByName(AclMatchedName);
1590 assert(acl);
1591 ACLExternal *me = dynamic_cast<ACLExternal *> (acl);
1592 assert (me);
1593 checklist->asyncInProgress(true);
1594 ACLExternal::ExternalAclLookup(checklist, me, LookupDone, checklist);
1595 }
1596
1597 void
1598 ExternalACLLookup::LookupDone(void *data, void *result)
1599 {
1600 ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
1601 checklist->extacl_entry = cbdataReference((external_acl_entry *)result);
1602 checklist->asyncInProgress(false);
1603 checklist->changeState (ACLChecklist::NullState::Instance());
1604 checklist->matchNonBlocking();
1605 }
1606
1607 /* This registers "external" in the registry. To do dynamic definitions
1608 * of external ACL's, rather than a static prototype, have a Prototype instance
1609 * prototype in the class that defines each external acl 'class'.
1610 * Then, then the external acl instance is created, it self registers under
1611 * it's name.
1612 * Be sure that clone is fully functional for that acl class though!
1613 */
1614 ACL::Prototype ACLExternal::RegistryProtoype(&ACLExternal::RegistryEntry_, "external");
1615
1616 ACLExternal ACLExternal::RegistryEntry_("external");
1617
1618 ACL *
1619 ACLExternal::clone() const
1620 {
1621 return new ACLExternal(*this);
1622 }
1623
1624 ACLExternal::ACLExternal (char const *theClass) : data (NULL), class_ (xstrdup (theClass))
1625 {}
1626
1627 ACLExternal::ACLExternal (ACLExternal const & old) : data (NULL), class_ (old.class_ ? xstrdup (old.class_) : NULL)
1628 {
1629 /* we don't have copy constructors for the data yet */
1630 assert (!old.data);
1631 }
1632
1633 char const *
1634 ACLExternal::typeString() const
1635 {
1636 return class_;
1637 }
1638
1639 bool
1640 ACLExternal::isProxyAuth() const
1641 {
1642 #if USE_AUTH
1643 return data->def->require_auth;
1644 #else
1645 return false;
1646 #endif
1647 }
Mirror of https://github.com/squid-cache/squid.git