5 * DEBUG: section 82 External ACL
6 * AUTHOR: Henrik Nordstrom, MARA Systems AB
8 * SQUID Web Proxy Cache http://www.squid-cache.org/
9 * ----------------------------------------------------------
11 * The contents of this file is Copyright (C) 2002 by MARA Systems AB,
12 * Sweden, unless otherwise is indicated in the specific function. The
13 * author gives his full permission to include this file into the Squid
14 * software product under the terms of the GNU General Public License as
15 * published by the Free Software Foundation; either version 2 of the
16 * License, or (at your option) any later version.
18 * Squid is the result of efforts by numerous individuals from
19 * the Internet community; see the CONTRIBUTORS file for full
20 * details. Many organizations have provided support for Squid's
21 * development; see the SPONSORS file for full details. Squid is
22 * Copyrighted (C) 2001 by the Regents of the University of
23 * California; see the COPYRIGHT file for full details. Squid
24 * incorporates software developed and/or copyrighted by other
25 * sources; see the CREDITS file for full details.
27 * This program is free software; you can redistribute it and/or modify
28 * it under the terms of the GNU General Public License as published by
29 * the Free Software Foundation; either version 2 of the License, or
30 * (at your option) any later version.
32 * This program is distributed in the hope that it will be useful,
33 * but WITHOUT ANY WARRANTY; without even the implied warranty of
34 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
35 * GNU General Public License for more details.
37 * You should have received a copy of the GNU General Public License
38 * along with this program; if not, write to the Free Software
39 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
44 #include "CacheManager.h"
45 #include "ExternalACL.h"
46 #include "ExternalACLEntry.h"
47 #include "auth/UserRequest.h"
48 #include "SquidTime.h"
51 #include "acl/FilledChecklist.h"
54 #include "ident/AclIdent.h"
56 #include "client_side.h"
57 #include "HttpRequest.h"
58 #include "HttpReply.h"
60 #include "auth/Gadgets.h"
64 #include "URLScheme.h"
67 #ifndef DEFAULT_EXTERNAL_ACL_TTL
68 #define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60
70 #ifndef DEFAULT_EXTERNAL_ACL_CHILDREN
71 #define DEFAULT_EXTERNAL_ACL_CHILDREN 5
74 typedef struct _external_acl_format external_acl_format
;
76 static char *makeExternalAclKey(ACLFilledChecklist
* ch
, external_acl_data
* acl_data
);
77 static void external_acl_cache_delete(external_acl
* def
, external_acl_entry
* entry
);
78 static int external_acl_entry_expired(external_acl
* def
, external_acl_entry
* entry
);
79 static int external_acl_grace_expired(external_acl
* def
, external_acl_entry
* entry
);
80 static void external_acl_cache_touch(external_acl
* def
, external_acl_entry
* entry
);
81 static external_acl_entry
*external_acl_cache_add(external_acl
* def
, const char *key
, ExternalACLEntryData
const &data
);
83 /******************************************************************
84 * external_acl directive
106 external_acl_format
*format
;
110 HelperChildConfig children
;
127 QUOTE_METHOD_SHELL
= 1,
131 IpAddress local_addr
;
134 struct _external_acl_format
{
156 EXT_ACL_HEADER_REQUEST
,
157 EXT_ACL_HEADER_REQUEST_MEMBER
,
158 EXT_ACL_HEADER_REQUEST_ID
,
159 EXT_ACL_HEADER_REQUEST_ID_MEMBER
,
161 EXT_ACL_HEADER_REPLY
,
162 EXT_ACL_HEADER_REPLY_MEMBER
,
163 EXT_ACL_HEADER_REPLY_ID
,
164 EXT_ACL_HEADER_REPLY_ID_MEMBER
,
169 EXT_ACL_USER_CERT_RAW
,
170 EXT_ACL_USER_CERTCHAIN_RAW
,
175 external_acl_format
*next
;
179 http_hdr_type header_id
;
182 /* FIXME: These are not really cbdata, but it is an easy way
183 * to get them pooled, refcounted, accounted and freed properly...
185 CBDATA_TYPE(external_acl
);
186 CBDATA_TYPE(external_acl_format
);
189 free_external_acl_format(void *data
)
191 external_acl_format
*p
= static_cast<external_acl_format
*>(data
);
192 safe_free(p
->header
);
196 free_external_acl(void *data
)
198 external_acl
*p
= static_cast<external_acl
*>(data
);
202 external_acl_format
*f
= p
->format
;
207 wordlistDestroy(&p
->cmdline
);
210 helperShutdown(p
->theHelper
);
215 while (p
->lru_list
.tail
)
216 external_acl_cache_delete(p
, static_cast<external_acl_entry
*>(p
->lru_list
.tail
->data
));
218 hashFreeMemory(p
->cache
);
222 * Parse the External ACL format %<{.*} and %>{.*} token(s) to pass a specific
223 * request or reply header to external helper.
225 \param header - the token being parsed (without the identifying prefix)
226 \param type - format enum identifier for this element, pulled from identifying prefix
227 \param format - structure to contain all the info about this format element.
230 parse_header_token(external_acl_format
*format
, char *header
, const _external_acl_format::format_type type
)
235 /** Cut away the closing brace */
236 end
= strchr(header
, '}');
237 if (end
&& strlen(end
) == 1)
242 member
= strchr(header
, ':');
245 /* Split in header and member */
248 if (!xisalnum(*member
))
249 format
->separator
= *member
++;
251 format
->separator
= ',';
253 format
->member
= xstrdup(member
);
255 if (type
== _external_acl_format::EXT_ACL_HEADER_REQUEST
)
256 format
->type
= _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER
;
258 format
->type
= _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER
;
263 format
->header
= xstrdup(header
);
264 format
->header_id
= httpHeaderIdByNameDef(header
, strlen(header
));
266 if (format
->header_id
!= -1) {
268 if (type
== _external_acl_format::EXT_ACL_HEADER_REQUEST
)
269 format
->type
= _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER
;
271 format
->type
= _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER
;
273 if (type
== _external_acl_format::EXT_ACL_HEADER_REQUEST
)
274 format
->type
= _external_acl_format::EXT_ACL_HEADER_REQUEST_ID
;
276 format
->type
= _external_acl_format::EXT_ACL_HEADER_REPLY_ID
;
282 parse_externalAclHelper(external_acl
** list
)
286 external_acl_format
**p
;
288 CBDATA_INIT_TYPE_FREECB(external_acl
, free_external_acl
);
289 CBDATA_INIT_TYPE_FREECB(external_acl_format
, free_external_acl_format
);
291 a
= cbdataAlloc(external_acl
);
294 a
->ttl
= DEFAULT_EXTERNAL_ACL_TTL
;
295 a
->negative_ttl
= -1;
296 a
->cache_size
= 256*1024;
297 a
->children
.n_max
= DEFAULT_EXTERNAL_ACL_CHILDREN
;
298 a
->children
.n_startup
= a
->children
.n_max
;
299 a
->children
.n_idle
= 1;
300 a
->local_addr
.SetLocalhost();
301 a
->quote
= external_acl::QUOTE_METHOD_URL
;
303 token
= strtok(NULL
, w_space
);
308 a
->name
= xstrdup(token
);
310 token
= strtok(NULL
, w_space
);
314 if (strncmp(token
, "ttl=", 4) == 0) {
315 a
->ttl
= atoi(token
+ 4);
316 } else if (strncmp(token
, "negative_ttl=", 13) == 0) {
317 a
->negative_ttl
= atoi(token
+ 13);
318 } else if (strncmp(token
, "children=", 9) == 0) {
319 a
->children
.n_max
= atoi(token
+ 9);
320 debugs(0, 0, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N");
321 } else if (strncmp(token
, "children-max=", 13) == 0) {
322 a
->children
.n_max
= atoi(token
+ 13);
323 } else if (strncmp(token
, "children-startup=", 17) == 0) {
324 a
->children
.n_startup
= atoi(token
+ 17);
325 } else if (strncmp(token
, "children-idle=", 14) == 0) {
326 a
->children
.n_idle
= atoi(token
+ 14);
327 } else if (strncmp(token
, "concurrency=", 12) == 0) {
328 a
->children
.concurrency
= atoi(token
+ 12);
329 } else if (strncmp(token
, "cache=", 6) == 0) {
330 a
->cache_size
= atoi(token
+ 6);
331 } else if (strncmp(token
, "grace=", 6) == 0) {
332 a
->grace
= atoi(token
+ 6);
333 } else if (strcmp(token
, "protocol=2.5") == 0) {
334 a
->quote
= external_acl::QUOTE_METHOD_SHELL
;
335 } else if (strcmp(token
, "protocol=3.0") == 0) {
336 a
->quote
= external_acl::QUOTE_METHOD_URL
;
337 } else if (strcmp(token
, "quote=url") == 0) {
338 a
->quote
= external_acl::QUOTE_METHOD_URL
;
339 } else if (strcmp(token
, "quote=shell") == 0) {
340 a
->quote
= external_acl::QUOTE_METHOD_SHELL
;
342 /* INET6: allow admin to configure some helpers explicitly to
343 bind to IPv4/v6 localhost port. */
344 } else if (strcmp(token
, "ipv4") == 0) {
345 if ( !a
->local_addr
.SetIPv4() ) {
346 debugs(3, 0, "WARNING: Error converting " << a
->local_addr
<< " to IPv4 in " << a
->name
);
348 } else if (strcmp(token
, "ipv6") == 0) {
350 debugs(3, 0, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a
->name
);
358 token
= strtok(NULL
, w_space
);
361 /* check that child startup value is sane. */
362 if (a
->children
.n_startup
> a
->children
.n_max
)
363 a
->children
.n_startup
= a
->children
.n_max
;
365 /* check that child idle value is sane. */
366 if (a
->children
.n_idle
> a
->children
.n_max
)
367 a
->children
.n_idle
= a
->children
.n_max
;
368 if (a
->children
.n_idle
< 1)
369 a
->children
.n_idle
= 1;
371 if (a
->negative_ttl
== -1)
372 a
->negative_ttl
= a
->ttl
;
378 external_acl_format
*format
;
380 /* stop on first non-format token found */
385 format
= cbdataAlloc(external_acl_format
);
387 if (strncmp(token
, "%{", 2) == 0) {
388 // deprecated. but assume the old configs all referred to request headers.
389 debugs(82, DBG_IMPORTANT
, "WARNING: external_acl_type format %{...} is being replaced by %>{...} for : " << token
);
390 parse_header_token(format
, (token
+2), _external_acl_format::EXT_ACL_HEADER_REQUEST
);
391 } else if (strncmp(token
, "%>{", 3) == 0) {
392 parse_header_token(format
, (token
+3), _external_acl_format::EXT_ACL_HEADER_REQUEST
);
393 } else if (strncmp(token
, "%<{", 3) == 0) {
394 parse_header_token(format
, (token
+3), _external_acl_format::EXT_ACL_HEADER_REPLY
);
395 } else if (strcmp(token
, "%LOGIN") == 0) {
396 format
->type
= _external_acl_format::EXT_ACL_LOGIN
;
397 a
->require_auth
= true;
401 else if (strcmp(token
, "%IDENT") == 0)
402 format
->type
= _external_acl_format::EXT_ACL_IDENT
;
406 else if (strcmp(token
, "%SRC") == 0)
407 format
->type
= _external_acl_format::EXT_ACL_SRC
;
408 else if (strcmp(token
, "%SRCPORT") == 0)
409 format
->type
= _external_acl_format::EXT_ACL_SRCPORT
;
411 else if (strcmp(token
, "%SRCEUI48") == 0)
412 format
->type
= _external_acl_format::EXT_ACL_SRCEUI48
;
413 else if (strcmp(token
, "%SRCEUI64") == 0)
414 format
->type
= _external_acl_format::EXT_ACL_SRCEUI64
;
416 else if (strcmp(token
, "%MYADDR") == 0)
417 format
->type
= _external_acl_format::EXT_ACL_MYADDR
;
418 else if (strcmp(token
, "%MYPORT") == 0)
419 format
->type
= _external_acl_format::EXT_ACL_MYPORT
;
420 else if (strcmp(token
, "%URI") == 0)
421 format
->type
= _external_acl_format::EXT_ACL_URI
;
422 else if (strcmp(token
, "%DST") == 0)
423 format
->type
= _external_acl_format::EXT_ACL_DST
;
424 else if (strcmp(token
, "%PROTO") == 0)
425 format
->type
= _external_acl_format::EXT_ACL_PROTO
;
426 else if (strcmp(token
, "%PORT") == 0)
427 format
->type
= _external_acl_format::EXT_ACL_PORT
;
428 else if (strcmp(token
, "%PATH") == 0)
429 format
->type
= _external_acl_format::EXT_ACL_PATH
;
430 else if (strcmp(token
, "%METHOD") == 0)
431 format
->type
= _external_acl_format::EXT_ACL_METHOD
;
434 else if (strcmp(token
, "%USER_CERT") == 0)
435 format
->type
= _external_acl_format::EXT_ACL_USER_CERT_RAW
;
436 else if (strcmp(token
, "%USER_CERTCHAIN") == 0)
437 format
->type
= _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW
;
438 else if (strncmp(token
, "%USER_CERT_", 11) == 0) {
439 format
->type
= _external_acl_format::EXT_ACL_USER_CERT
;
440 format
->header
= xstrdup(token
+ 11);
441 } else if (strncmp(token
, "%CA_CERT_", 11) == 0) {
442 format
->type
= _external_acl_format::EXT_ACL_USER_CERT
;
443 format
->header
= xstrdup(token
+ 11);
446 else if (strcmp(token
, "%EXT_USER") == 0)
447 format
->type
= _external_acl_format::EXT_ACL_EXT_USER
;
449 debugs(0,0, "ERROR: Unknown Format token " << token
);
455 token
= strtok(NULL
, w_space
);
458 /* There must be at least one format token */
466 wordlistAdd(&a
->cmdline
, token
);
469 parse_wordlist(&a
->cmdline
);
472 list
= &(*list
)->next
;
478 dump_externalAclHelper(StoreEntry
* sentry
, const char *name
, const external_acl
* list
)
480 const external_acl
*node
;
481 const external_acl_format
*format
;
482 const wordlist
*word
;
484 for (node
= list
; node
; node
= node
->next
) {
485 storeAppendPrintf(sentry
, "%s %s", name
, node
->name
);
487 if (!node
->local_addr
.IsIPv6())
488 storeAppendPrintf(sentry
, " ipv4");
490 storeAppendPrintf(sentry
, " ipv6");
492 if (node
->ttl
!= DEFAULT_EXTERNAL_ACL_TTL
)
493 storeAppendPrintf(sentry
, " ttl=%d", node
->ttl
);
495 if (node
->negative_ttl
!= node
->ttl
)
496 storeAppendPrintf(sentry
, " negative_ttl=%d", node
->negative_ttl
);
499 storeAppendPrintf(sentry
, " grace=%d", node
->grace
);
501 if (node
->children
.n_max
!= DEFAULT_EXTERNAL_ACL_CHILDREN
)
502 storeAppendPrintf(sentry
, " children-max=%d", node
->children
.n_max
);
504 if (node
->children
.n_startup
!= 1)
505 storeAppendPrintf(sentry
, " children-startup=%d", node
->children
.n_startup
);
507 if (node
->children
.n_idle
!= (node
->children
.n_max
+ node
->children
.n_startup
) )
508 storeAppendPrintf(sentry
, " children-idle=%d", node
->children
.n_idle
);
510 if (node
->children
.concurrency
)
511 storeAppendPrintf(sentry
, " concurrency=%d", node
->children
.concurrency
);
514 storeAppendPrintf(sentry
, " cache=%d", node
->cache_size
);
516 for (format
= node
->format
; format
; format
= format
->next
) {
517 switch (format
->type
) {
519 case _external_acl_format::EXT_ACL_HEADER_REQUEST
:
520 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID
:
521 storeAppendPrintf(sentry
, " %%>{%s}", format
->header
);
524 case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER
:
525 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER
:
526 storeAppendPrintf(sentry
, " %%>{%s:%s}", format
->header
, format
->member
);
529 case _external_acl_format::EXT_ACL_HEADER_REPLY
:
530 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID
:
531 storeAppendPrintf(sentry
, " %%<{%s}", format
->header
);
534 case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER
:
535 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER
:
536 storeAppendPrintf(sentry
, " %%<{%s:%s}", format
->header
, format
->member
);
538 #define DUMP_EXT_ACL_TYPE(a) \
539 case _external_acl_format::EXT_ACL_##a: \
540 storeAppendPrintf(sentry, " %%%s", #a); \
543 DUMP_EXT_ACL_TYPE(LOGIN
);
546 DUMP_EXT_ACL_TYPE(IDENT
);
549 DUMP_EXT_ACL_TYPE(SRC
);
550 DUMP_EXT_ACL_TYPE(SRCPORT
);
552 DUMP_EXT_ACL_TYPE(SRCEUI48
);
553 DUMP_EXT_ACL_TYPE(SRCEUI64
);
556 DUMP_EXT_ACL_TYPE(MYADDR
);
557 DUMP_EXT_ACL_TYPE(MYPORT
);
558 DUMP_EXT_ACL_TYPE(URI
);
559 DUMP_EXT_ACL_TYPE(DST
);
560 DUMP_EXT_ACL_TYPE(PROTO
);
561 DUMP_EXT_ACL_TYPE(PORT
);
562 DUMP_EXT_ACL_TYPE(PATH
);
563 DUMP_EXT_ACL_TYPE(METHOD
);
566 case _external_acl_format::EXT_ACL_USER_CERT_RAW
:
567 storeAppendPrintf(sentry
, " %%USER_CERT");
570 case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW
:
571 storeAppendPrintf(sentry
, " %%USER_CERTCHAIN");
574 case _external_acl_format::EXT_ACL_USER_CERT
:
575 storeAppendPrintf(sentry
, " %%USER_CERT_%s", format
->header
);
578 case _external_acl_format::EXT_ACL_CA_CERT
:
579 storeAppendPrintf(sentry
, " %%USER_CERT_%s", format
->header
);
583 DUMP_EXT_ACL_TYPE(EXT_USER
);
586 fatal("unknown external_acl format error");
591 for (word
= node
->cmdline
; word
; word
= word
->next
)
592 storeAppendPrintf(sentry
, " %s", word
->key
);
594 storeAppendPrintf(sentry
, "\n");
599 free_externalAclHelper(external_acl
** list
)
602 external_acl
*node
= *list
;
609 static external_acl
*
610 find_externalAclHelper(const char *name
)
614 for (node
= Config
.externalAclHelperList
; node
; node
= node
->next
) {
615 if (strcmp(node
->name
, name
) == 0)
625 (ExternalACLEntry
*anEntry
)
628 assert (anEntry
->def
== NULL
);
630 hash_join(cache
, anEntry
);
631 dlinkAdd(anEntry
, &anEntry
->lru
, &lru_list
);
636 external_acl::trimCache()
638 if (cache_size
&& cache_entries
>= cache_size
)
639 external_acl_cache_delete(this, static_cast<external_acl_entry
*>(lru_list
.tail
->data
));
643 /******************************************************************
647 struct _external_acl_data
{
652 CBDATA_TYPE(external_acl_data
);
654 free_external_acl_data(void *data
)
656 external_acl_data
*p
= static_cast<external_acl_data
*>(data
);
657 wordlistDestroy(&p
->arguments
);
658 cbdataReferenceDone(p
->def
);
669 CBDATA_INIT_TYPE_FREECB(external_acl_data
, free_external_acl_data
);
671 data
= cbdataAlloc(external_acl_data
);
673 token
= strtok(NULL
, w_space
);
678 data
->def
= cbdataReference(find_externalAclHelper(token
));
683 while ((token
= strtokFile())) {
684 wordlistAdd(&data
->arguments
, token
);
689 ACLExternal::valid () const
691 if (data
->def
->require_auth
) {
692 if (authenticateSchemeCount() == 0) {
693 debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
697 if (authenticateActiveSchemeCount() == 0) {
698 debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
707 ACLExternal::empty () const
712 ACLExternal::~ACLExternal()
719 aclMatchExternal(external_acl_data
*acl
, ACLFilledChecklist
*ch
)
722 external_acl_entry
*entry
;
723 const char *key
= "";
724 debugs(82, 9, "aclMatchExternal: acl=\"" << acl
->def
->name
<< "\"");
725 entry
= ch
->extacl_entry
;
728 if (cbdataReferenceValid(entry
) && entry
->def
== acl
->def
&&
729 strcmp((char *)entry
->key
, key
) == 0) {
732 /* Not valid, or not ours.. get rid of it */
733 cbdataReferenceDone(ch
->extacl_entry
);
738 external_acl_message
= "MISSING REQUIRED INFORMATION";
741 if (acl
->def
->require_auth
) {
743 /* Make sure the user is authenticated */
745 if ((ti
= AuthenticateAcl(ch
)) != 1) {
746 debugs(82, 2, "aclMatchExternal: " << acl
->def
->name
<< " user not authenticated (" << ti
<< ")");
751 key
= makeExternalAclKey(ch
, acl
);
753 if (acl
->def
->require_auth
)
754 AUTHUSERREQUESTUNLOCK(ch
->auth_user_request
, "ACLChecklist via aclMatchExternal");
757 /* Not sufficient data to process */
761 entry
= static_cast<external_acl_entry
*>(hash_lookup(acl
->def
->cache
, key
));
763 if (!entry
|| external_acl_grace_expired(acl
->def
, entry
)) {
764 debugs(82, 2, "aclMatchExternal: " << acl
->def
->name
<< "(\"" << key
<< "\") = lookup needed");
765 debugs(82, 2, "aclMatchExternal: \"" << key
<< "\": entry=@" <<
766 entry
<< ", age=" << (entry
? (long int) squid_curtime
- entry
->date
: 0));
768 if (acl
->def
->theHelper
->stats
.queue_size
<= (int)acl
->def
->theHelper
->childs
.n_active
) {
769 debugs(82, 2, "aclMatchExternal: \"" << key
<< "\": queueing a call.");
770 ch
->changeState (ExternalACLLookup::Instance());
773 debugs(82, 2, "aclMatchExternal: \"" << key
<< "\": return -1.");
778 debugs(82, 1, "aclMatchExternal: '" << acl
->def
->name
<<
779 "' queue overload. Request rejected '" << key
<< "'.");
780 external_acl_message
= "SYSTEM TOO BUSY, TRY AGAIN LATER";
783 debugs(82, 1, "aclMatchExternal: '" << acl
->def
->name
<<
784 "' queue overload. Using stale result. '" << key
<< "'.");
785 /* Fall thru to processing below */
791 external_acl_cache_touch(acl
->def
, entry
);
792 result
= entry
->result
;
793 external_acl_message
= entry
->message
.termedBuf();
795 debugs(82, 2, "aclMatchExternal: " << acl
->def
->name
<< " = " << result
);
798 if (entry
->user
.size())
799 ch
->request
->extacl_user
= entry
->user
;
801 if (entry
->password
.size())
802 ch
->request
->extacl_passwd
= entry
->password
;
804 if (!ch
->request
->tag
.size())
805 ch
->request
->tag
= entry
->tag
;
807 if (entry
->log
.size())
808 ch
->request
->extacl_log
= entry
->log
;
815 ACLExternal::match(ACLChecklist
*checklist
)
817 return aclMatchExternal (data
, Filled(checklist
));
821 ACLExternal::dump() const
823 external_acl_data
const *acl
= data
;
824 wordlist
*result
= NULL
;
828 mb
.Printf("%s", acl
->def
->name
);
830 for (arg
= acl
->arguments
; arg
; arg
= arg
->next
) {
831 mb
.Printf(" %s", arg
->key
);
834 wordlistAdd(&result
, mb
.buf
);
839 /******************************************************************
844 external_acl_cache_touch(external_acl
* def
, external_acl_entry
* entry
)
846 dlinkDelete(&entry
->lru
, &def
->lru_list
);
847 dlinkAdd(entry
, &entry
->lru
, &def
->lru_list
);
851 makeExternalAclKey(ACLFilledChecklist
* ch
, external_acl_data
* acl_data
)
857 external_acl_format
*format
;
858 HttpRequest
*request
= ch
->request
;
859 HttpReply
*reply
= ch
->reply
;
862 for (format
= acl_data
->def
->format
; format
; format
= format
->next
) {
863 const char *str
= NULL
;
866 switch (format
->type
) {
868 case _external_acl_format::EXT_ACL_LOGIN
:
869 assert (ch
->auth_user_request
);
870 str
= ch
->auth_user_request
->username();
874 case _external_acl_format::EXT_ACL_IDENT
:
878 ch
->changeState(IdentLookup::Instance());
885 case _external_acl_format::EXT_ACL_SRC
:
886 str
= ch
->src_addr
.NtoA(buf
,sizeof(buf
));
889 case _external_acl_format::EXT_ACL_SRCPORT
:
890 snprintf(buf
, sizeof(buf
), "%d", request
->client_addr
.GetPort());
895 case _external_acl_format::EXT_ACL_SRCEUI48
:
896 if (request
->client_eui48
.encode(buf
, sizeof(buf
)))
900 case _external_acl_format::EXT_ACL_SRCEUI64
:
901 if (request
->client_eui64
.encode(buf
, sizeof(buf
)))
906 case _external_acl_format::EXT_ACL_MYADDR
:
907 str
= request
->my_addr
.NtoA(buf
, sizeof(buf
));
910 case _external_acl_format::EXT_ACL_MYPORT
:
911 snprintf(buf
, sizeof(buf
), "%d", request
->my_addr
.GetPort());
915 case _external_acl_format::EXT_ACL_URI
:
916 str
= urlCanonical(request
);
919 case _external_acl_format::EXT_ACL_DST
:
920 str
= request
->GetHost();
923 case _external_acl_format::EXT_ACL_PROTO
:
924 str
= ProtocolStr
[request
->protocol
];
927 case _external_acl_format::EXT_ACL_PORT
:
928 snprintf(buf
, sizeof(buf
), "%d", request
->port
);
932 case _external_acl_format::EXT_ACL_PATH
:
933 str
= request
->urlpath
.termedBuf();
936 case _external_acl_format::EXT_ACL_METHOD
:
937 str
= RequestMethodStr(request
->method
);
940 case _external_acl_format::EXT_ACL_HEADER_REQUEST
:
941 sb
= request
->header
.getByName(format
->header
);
942 str
= sb
.termedBuf();
945 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID
:
946 sb
= request
->header
.getStrOrList(format
->header_id
);
947 str
= sb
.termedBuf();
950 case _external_acl_format::EXT_ACL_HEADER_REQUEST_MEMBER
:
951 sb
= request
->header
.getByNameListMember(format
->header
, format
->member
, format
->separator
);
952 str
= sb
.termedBuf();
955 case _external_acl_format::EXT_ACL_HEADER_REQUEST_ID_MEMBER
:
956 sb
= request
->header
.getListMember(format
->header_id
, format
->member
, format
->separator
);
957 str
= sb
.termedBuf();
960 case _external_acl_format::EXT_ACL_HEADER_REPLY
:
962 sb
= reply
->header
.getByName(format
->header
);
963 str
= sb
.termedBuf();
967 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID
:
969 sb
= reply
->header
.getStrOrList(format
->header_id
);
970 str
= sb
.termedBuf();
974 case _external_acl_format::EXT_ACL_HEADER_REPLY_MEMBER
:
976 sb
= reply
->header
.getByNameListMember(format
->header
, format
->member
, format
->separator
);
977 str
= sb
.termedBuf();
981 case _external_acl_format::EXT_ACL_HEADER_REPLY_ID_MEMBER
:
983 sb
= reply
->header
.getListMember(format
->header_id
, format
->member
, format
->separator
);
984 str
= sb
.termedBuf();
989 case _external_acl_format::EXT_ACL_USER_CERT_RAW
:
991 if (ch
->conn() != NULL
) {
992 SSL
*ssl
= fd_table
[ch
->conn()->fd
].ssl
;
995 str
= sslGetUserCertificatePEM(ssl
);
1000 case _external_acl_format::EXT_ACL_USER_CERTCHAIN_RAW
:
1002 if (ch
->conn() != NULL
) {
1003 SSL
*ssl
= fd_table
[ch
->conn()->fd
].ssl
;
1006 str
= sslGetUserCertificateChainPEM(ssl
);
1011 case _external_acl_format::EXT_ACL_USER_CERT
:
1013 if (ch
->conn() != NULL
) {
1014 SSL
*ssl
= fd_table
[ch
->conn()->fd
].ssl
;
1017 str
= sslGetUserAttribute(ssl
, format
->header
);
1022 case _external_acl_format::EXT_ACL_CA_CERT
:
1024 if (ch
->conn() != NULL
) {
1025 SSL
*ssl
= fd_table
[ch
->conn()->fd
].ssl
;
1028 str
= sslGetCAAttribute(ssl
, format
->header
);
1034 case _external_acl_format::EXT_ACL_EXT_USER
:
1035 str
= request
->extacl_user
.termedBuf();
1038 case _external_acl_format::EXT_ACL_UNKNOWN
:
1040 case _external_acl_format::EXT_ACL_END
:
1041 fatal("unknown external_acl format error");
1055 if (acl_data
->def
->quote
== external_acl::QUOTE_METHOD_URL
) {
1056 const char *quoted
= rfc1738_escape(str
);
1057 mb
.append(quoted
, strlen(quoted
));
1059 strwordquote(&mb
, str
);
1067 for (arg
= acl_data
->arguments
; arg
; arg
= arg
->next
) {
1071 if (acl_data
->def
->quote
== external_acl::QUOTE_METHOD_URL
) {
1072 const char *quoted
= rfc1738_escape(arg
->key
);
1073 mb
.append(quoted
, strlen(quoted
));
1075 strwordquote(&mb
, arg
->key
);
1085 external_acl_entry_expired(external_acl
* def
, external_acl_entry
* entry
)
1087 if (entry
->date
+ (entry
->result
== 1 ? def
->ttl
: def
->negative_ttl
) < squid_curtime
)
1094 external_acl_grace_expired(external_acl
* def
, external_acl_entry
* entry
)
1097 ttl
= entry
->result
== 1 ? def
->ttl
: def
->negative_ttl
;
1098 ttl
= (ttl
* (100 - def
->grace
)) / 100;
1100 if (entry
->date
+ ttl
< squid_curtime
)
1106 static external_acl_entry
*
1107 external_acl_cache_add(external_acl
* def
, const char *key
, ExternalACLEntryData
const & data
)
1109 ExternalACLEntry
*entry
= static_cast<ExternalACLEntry
*>(hash_lookup(def
->cache
, key
));
1110 debugs(82, 2, "external_acl_cache_add: Adding '" << key
<< "' = " << data
.result
);
1113 debugs(82, 3, "ExternalACLEntry::update: updating existing entry");
1114 entry
->update (data
);
1115 external_acl_cache_touch(def
, entry
);
1120 entry
= new ExternalACLEntry
;
1121 entry
->key
= xstrdup(key
);
1122 entry
->update (data
);
1131 external_acl_cache_delete(external_acl
* def
, external_acl_entry
* entry
)
1133 assert (entry
->def
== def
);
1134 hash_remove_link(def
->cache
, entry
);
1135 dlinkDelete(&entry
->lru
, &def
->lru_list
);
1136 def
->cache_entries
-= 1;
1140 /******************************************************************
1141 * external_acl helpers
1144 typedef struct _externalAclState externalAclState
;
1146 struct _externalAclState
{
1148 void *callback_data
;
1152 externalAclState
*queue
;
1155 CBDATA_TYPE(externalAclState
);
1157 free_externalAclState(void *data
)
1159 externalAclState
*state
= static_cast<externalAclState
*>(data
);
1160 safe_free(state
->key
);
1161 cbdataReferenceDone(state
->callback_data
);
1162 cbdataReferenceDone(state
->def
);
1166 * The helper program receives queries on stdin, one
1167 * per line, and must return the result on on stdout
1169 * General result syntax:
1171 * OK/ERR keyword=value ...
1175 * user= The users name (login)
1176 * message= Message describing the reason
1177 * tag= A string tag to be applied to the request that triggered the acl match.
1178 * applies to both OK and ERR responses.
1179 * Won't override existing request tags.
1180 * log= A string to be used in access logging
1182 * Other keywords may be added to the protocol later
1184 * value needs to be enclosed in quotes if it may contain whitespace, or
1185 * the whitespace escaped using \ (\ escaping obviously also applies to
1190 externalAclHandleReply(void *data
, char *reply
)
1192 externalAclState
*state
= static_cast<externalAclState
*>(data
);
1193 externalAclState
*next
;
1198 ExternalACLEntryData entryData
;
1199 entryData
.result
= 0;
1200 external_acl_entry
*entry
= NULL
;
1202 debugs(82, 2, "externalAclHandleReply: reply=\"" << reply
<< "\"");
1205 status
= strwordtok(reply
, &t
);
1207 if (status
&& strcmp(status
, "OK") == 0)
1208 entryData
.result
= 1;
1210 while ((token
= strwordtok(NULL
, &t
))) {
1211 value
= strchr(token
, '=');
1214 *value
++ = '\0'; /* terminate the token, and move up to the value */
1216 if (state
->def
->quote
== external_acl::QUOTE_METHOD_URL
)
1217 rfc1738_unescape(value
);
1219 if (strcmp(token
, "user") == 0)
1220 entryData
.user
= value
;
1221 else if (strcmp(token
, "message") == 0)
1222 entryData
.message
= value
;
1223 else if (strcmp(token
, "error") == 0)
1224 entryData
.message
= value
;
1225 else if (strcmp(token
, "tag") == 0)
1226 entryData
.tag
= value
;
1227 else if (strcmp(token
, "log") == 0)
1228 entryData
.log
= value
;
1229 else if (strcmp(token
, "password") == 0)
1230 entryData
.password
= value
;
1231 else if (strcmp(token
, "passwd") == 0)
1232 entryData
.password
= value
;
1233 else if (strcmp(token
, "login") == 0)
1234 entryData
.user
= value
;
1239 dlinkDelete(&state
->list
, &state
->def
->queue
);
1241 if (cbdataReferenceValid(state
->def
)) {
1243 entry
= external_acl_cache_add(state
->def
, state
->key
, entryData
);
1245 external_acl_entry
*oldentry
= (external_acl_entry
*)hash_lookup(state
->def
->cache
, state
->key
);
1248 external_acl_cache_delete(state
->def
, oldentry
);
1254 cbdataReferenceDone(state
->def
);
1256 if (state
->callback
&& cbdataReferenceValidDone(state
->callback_data
, &cbdata
))
1257 state
->callback(cbdata
, entry
);
1259 next
= state
->queue
;
1268 ACLExternal::ExternalAclLookup(ACLChecklist
*checklist
, ACLExternal
* me
, EAH
* callback
, void *callback_data
)
1271 external_acl_data
*acl
= me
->data
;
1272 external_acl
*def
= acl
->def
;
1273 externalAclState
*state
;
1275 externalAclState
*oldstate
= NULL
;
1278 ACLFilledChecklist
*ch
= Filled(checklist
);
1279 if (acl
->def
->require_auth
) {
1281 /* Make sure the user is authenticated */
1283 if ((ti
= AuthenticateAcl(ch
)) != 1) {
1284 debugs(82, 1, "externalAclLookup: " << acl
->def
->name
<<
1285 " user authentication failure (" << ti
<< ", ch=" << ch
<< ")");
1286 callback(callback_data
, NULL
);
1291 const char *key
= makeExternalAclKey(ch
, acl
);
1294 debugs(82, 1, "externalAclLookup: lookup in '" << def
->name
<<
1295 "', prerequisit failure (ch=" << ch
<< ")");
1296 callback(callback_data
, NULL
);
1300 debugs(82, 2, "externalAclLookup: lookup in '" << def
->name
<< "' for '" << key
<< "'");
1302 external_acl_entry
*entry
= static_cast<external_acl_entry
*>(hash_lookup(def
->cache
, key
));
1304 if (entry
&& external_acl_entry_expired(def
, entry
))
1307 /* Check for a pending lookup to hook into */
1308 for (node
= def
->queue
.head
; node
; node
= node
->next
) {
1309 externalAclState
*oldstatetmp
= static_cast<externalAclState
*>(node
->data
);
1311 if (strcmp(key
, oldstatetmp
->key
) == 0) {
1312 oldstate
= oldstatetmp
;
1317 if (entry
&& external_acl_grace_expired(def
, entry
)) {
1319 debugs(82, 4, "externalAclLookup: in grace period, but already pending lookup ('" << key
<< "', ch=" << ch
<< ")");
1320 callback(callback_data
, entry
);
1323 graceful
= 1; // grace expired, (neg)ttl did not, and we must start a new lookup.
1327 // The entry is in the cache, grace_ttl did not expired.
1328 if (!graceful
&& entry
&& !external_acl_grace_expired(def
, entry
)) {
1329 /* Should not really happen, but why not.. */
1330 callback(callback_data
, entry
);
1331 debugs(82, 4, "externalAclLookup: no lookup pending for '" << key
<< "', and grace not expired");
1332 debugs(82, 4, "externalAclLookup: (what tha' hell?)");
1336 /* No pending lookup found. Sumbit to helper */
1337 state
= cbdataAlloc(externalAclState
);
1339 state
->def
= cbdataReference(def
);
1341 state
->key
= xstrdup(key
);
1344 state
->callback
= callback
;
1345 state
->callback_data
= cbdataReference(callback_data
);
1349 /* Hook into pending lookup */
1350 state
->queue
= oldstate
->queue
;
1351 oldstate
->queue
= state
;
1353 /* Check for queue overload */
1355 if (def
->theHelper
->stats
.queue_size
>= (int)def
->theHelper
->childs
.n_running
) {
1356 debugs(82, 1, "externalAclLookup: '" << def
->name
<< "' queue overload (ch=" << ch
<< ")");
1358 callback(callback_data
, entry
);
1362 /* Send it off to the helper */
1365 buf
.Printf("%s\n", key
);
1367 debugs(82, 4, "externalAclLookup: looking up for '" << key
<< "' in '" << def
->name
<< "'.");
1369 helperSubmit(def
->theHelper
, buf
.buf
, externalAclHandleReply
, state
);
1371 dlinkAdd(state
, &state
->list
, &def
->queue
);
1377 /* No need to wait during grace period */
1378 debugs(82, 4, "externalAclLookup: no need to wait for the result of '" <<
1379 key
<< "' in '" << def
->name
<< "' (ch=" << ch
<< ").");
1380 debugs(82, 4, "externalAclLookup: using cached entry " << entry
);
1382 if (entry
!= NULL
) {
1383 debugs(82, 4, "externalAclLookup: entry = { date=" <<
1384 (long unsigned int) entry
->date
<< ", result=" <<
1385 entry
->result
<< ", user=" << entry
->user
<< " tag=" <<
1386 entry
->tag
<< " log=" << entry
->log
<< " }");
1390 callback(callback_data
, entry
);
1394 debugs(82, 4, "externalAclLookup: will wait for the result of '" << key
<<
1395 "' in '" << def
->name
<< "' (ch=" << ch
<< ").");
1399 externalAclStats(StoreEntry
* sentry
)
1403 for (p
= Config
.externalAclHelperList
; p
; p
= p
->next
) {
1404 storeAppendPrintf(sentry
, "External ACL Statistics: %s\n", p
->name
);
1405 storeAppendPrintf(sentry
, "Cache size: %d\n", p
->cache
->count
);
1406 helperStats(sentry
, p
->theHelper
);
1407 storeAppendPrintf(sentry
, "\n");
1412 externalAclRegisterWithCacheManager(void)
1414 CacheManager::GetInstance()->
1415 registerAction("external_acl",
1416 "External ACL stats",
1417 externalAclStats
, 0, 1);
1421 externalAclInit(void)
1423 static int firstTimeInit
= 1;
1426 for (p
= Config
.externalAclHelperList
; p
; p
= p
->next
) {
1428 p
->cache
= hash_create((HASHCMP
*) strcmp
, hashPrime(1024), hash4
);
1431 p
->theHelper
= new helper(p
->name
);
1433 p
->theHelper
->cmdline
= p
->cmdline
;
1435 p
->theHelper
->childs
= p
->children
;
1437 p
->theHelper
->ipc_type
= IPC_TCP_SOCKET
;
1439 p
->theHelper
->addr
= p
->local_addr
;
1441 helperOpenServers(p
->theHelper
);
1444 if (firstTimeInit
) {
1446 CBDATA_INIT_TYPE_FREECB(externalAclState
, free_externalAclState
);
1449 externalAclRegisterWithCacheManager();
1453 externalAclShutdown(void)
1457 for (p
= Config
.externalAclHelperList
; p
; p
= p
->next
) {
1458 helperShutdown(p
->theHelper
);
1462 ExternalACLLookup
ExternalACLLookup::instance_
;
1464 ExternalACLLookup::Instance()
1470 ExternalACLLookup::checkForAsync(ACLChecklist
*checklist
)const
1472 /* TODO: optimise this - we probably have a pointer to this
1473 * around somewhere */
1474 ACL
*acl
= ACL::FindByName(AclMatchedName
);
1476 ACLExternal
*me
= dynamic_cast<ACLExternal
*> (acl
);
1478 checklist
->asyncInProgress(true);
1479 ACLExternal::ExternalAclLookup(checklist
, me
, LookupDone
, checklist
);
1483 ExternalACLLookup::LookupDone(void *data
, void *result
)
1485 ACLFilledChecklist
*checklist
= Filled(static_cast<ACLChecklist
*>(data
));
1486 checklist
->extacl_entry
= cbdataReference((external_acl_entry
*)result
);
1487 checklist
->asyncInProgress(false);
1488 checklist
->changeState (ACLChecklist::NullState::Instance());
1492 /* This registers "external" in the registry. To do dynamic definitions
1493 * of external ACL's, rather than a static prototype, have a Prototype instance
1494 * prototype in the class that defines each external acl 'class'.
1495 * Then, then the external acl instance is created, it self registers under
1497 * Be sure that clone is fully functional for that acl class though!
1499 ACL::Prototype
ACLExternal::RegistryProtoype(&ACLExternal::RegistryEntry_
, "external");
1501 ACLExternal
ACLExternal::RegistryEntry_("external");
1504 ACLExternal::clone() const
1506 return new ACLExternal(*this);
1509 ACLExternal::ACLExternal (char const *theClass
) : data (NULL
), class_ (xstrdup (theClass
))
1512 ACLExternal::ACLExternal (ACLExternal
const & old
) : data (NULL
), class_ (old
.class_
? xstrdup (old
.class_
) : NULL
)
1514 /* we don't have copy constructors for the data yet */
1519 ACLExternal::typeString() const
1525 ACLExternal::isProxyAuth() const
1527 return data
->def
->require_auth
;