]> git.ipfire.org Git - thirdparty/squid.git/blob - src/external_acl.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
FilledCheclist::rfc931 is an array not a ptr
[thirdparty/squid.git] / src / external_acl.cc
1 /*
2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 82 External ACL */
10
11 #include "squid.h"
12 #include "acl/Acl.h"
13 #include "acl/FilledChecklist.h"
14 #include "cache_cf.h"
15 #include "client_side.h"
16 #include "client_side_request.h"
17 #include "comm/Connection.h"
18 #include "ConfigParser.h"
19 #include "ExternalACL.h"
20 #include "ExternalACLEntry.h"
21 #include "fde.h"
22 #include "format/Token.h"
23 #include "helper.h"
24 #include "helper/Reply.h"
25 #include "HttpHeaderTools.h"
26 #include "HttpReply.h"
27 #include "HttpRequest.h"
28 #include "ip/tools.h"
29 #include "MemBuf.h"
30 #include "mgr/Registration.h"
31 #include "rfc1738.h"
32 #include "SquidConfig.h"
33 #include "SquidString.h"
34 #include "SquidTime.h"
35 #include "Store.h"
36 #include "tools.h"
37 #include "URL.h"
38 #include "wordlist.h"
39 #if USE_OPENSSL
40 #include "ssl/ServerBump.h"
41 #include "ssl/support.h"
42 #endif
43 #if USE_AUTH
44 #include "auth/Acl.h"
45 #include "auth/Gadgets.h"
46 #include "auth/UserRequest.h"
47 #endif
48 #if USE_IDENT
49 #include "ident/AclIdent.h"
50 #endif
51
52 #ifndef DEFAULT_EXTERNAL_ACL_TTL
53 #define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60
54 #endif
55 #ifndef DEFAULT_EXTERNAL_ACL_CHILDREN
56 #define DEFAULT_EXTERNAL_ACL_CHILDREN 5
57 #endif
58
59 static char *makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data);
60 static void external_acl_cache_delete(external_acl * def, const ExternalACLEntryPointer &entry);
61 static int external_acl_entry_expired(external_acl * def, const ExternalACLEntryPointer &entry);
62 static int external_acl_grace_expired(external_acl * def, const ExternalACLEntryPointer &entry);
63 static void external_acl_cache_touch(external_acl * def, const ExternalACLEntryPointer &entry);
64 static ExternalACLEntryPointer external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const &data);
65
66 /******************************************************************
67 * external_acl directive
68 */
69
70 class external_acl
71 {
72 /* FIXME: These are not really cbdata, but it is an easy way
73 * to get them pooled, refcounted, accounted and freed properly...
74 */
75 CBDATA_CLASS(external_acl);
76
77 public:
78 external_acl();
79 ~external_acl();
80
81 external_acl *next;
82
83 void add(const ExternalACLEntryPointer &);
84
85 void trimCache();
86
87 int ttl;
88
89 int negative_ttl;
90
91 int grace;
92
93 char *name;
94
95 Format::Format format;
96
97 wordlist *cmdline;
98
99 Helper::ChildConfig children;
100
101 helper *theHelper;
102
103 hash_table *cache;
104
105 dlink_list lru_list;
106
107 int cache_size;
108
109 int cache_entries;
110
111 dlink_list queue;
112
113 #if USE_AUTH
114 /**
115 * Configuration flag. May only be altered by the configuration parser.
116 *
117 * Indicates that all uses of this external_acl_type helper require authentication
118 * details to be processed. If none are available its a fail match.
119 */
120 bool require_auth;
121 #endif
122
123 enum {
124 QUOTE_METHOD_SHELL = 1,
125 QUOTE_METHOD_URL
126 } quote;
127
128 Ip::Address local_addr;
129 };
130
131 CBDATA_CLASS_INIT(external_acl);
132
133 external_acl::external_acl() :
134 next(NULL),
135 ttl(DEFAULT_EXTERNAL_ACL_TTL),
136 negative_ttl(-1),
137 grace(1),
138 name(NULL),
139 format("external_acl_type"),
140 cmdline(NULL),
141 children(DEFAULT_EXTERNAL_ACL_CHILDREN),
142 theHelper(NULL),
143 cache(NULL),
144 cache_size(256*1024),
145 cache_entries(0),
146 #if USE_AUTH
147 require_auth(0),
148 #endif
149 quote(external_acl::QUOTE_METHOD_URL)
150 {
151 local_addr.setLocalhost();
152 }
153
154 external_acl::~external_acl()
155 {
156 xfree(name);
157 wordlistDestroy(&cmdline);
158
159 if (theHelper) {
160 helperShutdown(theHelper);
161 delete theHelper;
162 theHelper = NULL;
163 }
164
165 while (lru_list.tail) {
166 ExternalACLEntryPointer e(static_cast<ExternalACLEntry *>(lru_list.tail->data));
167 external_acl_cache_delete(this, e);
168 }
169 if (cache)
170 hashFreeMemory(cache);
171
172 while (next) {
173 external_acl *node = next;
174 next = node->next;
175 node->next = NULL; // prevent recursion
176 delete node;
177 }
178 }
179
180 void
181 parse_externalAclHelper(external_acl ** list)
182 {
183 external_acl *a = new external_acl;
184 char *token = ConfigParser::NextToken();
185
186 if (!token)
187 self_destruct();
188
189 a->name = xstrdup(token);
190
191 // Allow supported %macros inside quoted tokens
192 ConfigParser::EnableMacros();
193 token = ConfigParser::NextToken();
194
195 /* Parse options */
196 while (token) {
197 if (strncmp(token, "ttl=", 4) == 0) {
198 a->ttl = atoi(token + 4);
199 } else if (strncmp(token, "negative_ttl=", 13) == 0) {
200 a->negative_ttl = atoi(token + 13);
201 } else if (strncmp(token, "children=", 9) == 0) {
202 a->children.n_max = atoi(token + 9);
203 debugs(0, DBG_CRITICAL, "WARNING: external_acl_type option children=N has been deprecated in favor of children-max=N and children-startup=N");
204 } else if (strncmp(token, "children-max=", 13) == 0) {
205 a->children.n_max = atoi(token + 13);
206 } else if (strncmp(token, "children-startup=", 17) == 0) {
207 a->children.n_startup = atoi(token + 17);
208 } else if (strncmp(token, "children-idle=", 14) == 0) {
209 a->children.n_idle = atoi(token + 14);
210 } else if (strncmp(token, "concurrency=", 12) == 0) {
211 a->children.concurrency = atoi(token + 12);
212 } else if (strncmp(token, "queue-size=", 11) == 0) {
213 a->children.queue_size = atoi(token + 11);
214 a->children.defaultQueueSize = false;
215 } else if (strncmp(token, "cache=", 6) == 0) {
216 a->cache_size = atoi(token + 6);
217 } else if (strncmp(token, "grace=", 6) == 0) {
218 a->grace = atoi(token + 6);
219 } else if (strcmp(token, "protocol=2.5") == 0) {
220 a->quote = external_acl::QUOTE_METHOD_SHELL;
221 } else if (strcmp(token, "protocol=3.0") == 0) {
222 debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option protocol=3.0 is deprecated. Remove this from your config.");
223 a->quote = external_acl::QUOTE_METHOD_URL;
224 } else if (strcmp(token, "quote=url") == 0) {
225 debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option quote=url is deprecated. Remove this from your config.");
226 a->quote = external_acl::QUOTE_METHOD_URL;
227 } else if (strcmp(token, "quote=shell") == 0) {
228 debugs(3, DBG_PARSE_NOTE(2), "WARNING: external_acl_type option quote=shell is deprecated. Use protocol=2.5 if still needed.");
229 a->quote = external_acl::QUOTE_METHOD_SHELL;
230
231 /* INET6: allow admin to configure some helpers explicitly to
232 bind to IPv4/v6 localhost port. */
233 } else if (strcmp(token, "ipv4") == 0) {
234 if ( !a->local_addr.setIPv4() ) {
235 debugs(3, DBG_CRITICAL, "WARNING: Error converting " << a->local_addr << " to IPv4 in " << a->name );
236 }
237 } else if (strcmp(token, "ipv6") == 0) {
238 if (!Ip::EnableIpv6)
239 debugs(3, DBG_CRITICAL, "WARNING: --enable-ipv6 required for external ACL helpers to use IPv6: " << a->name );
240 // else nothing to do.
241 } else {
242 break;
243 }
244
245 token = ConfigParser::NextToken();
246 }
247 ConfigParser::DisableMacros();
248
249 /* check that child startup value is sane. */
250 if (a->children.n_startup > a->children.n_max)
251 a->children.n_startup = a->children.n_max;
252
253 /* check that child idle value is sane. */
254 if (a->children.n_idle > a->children.n_max)
255 a->children.n_idle = a->children.n_max;
256 if (a->children.n_idle < 1)
257 a->children.n_idle = 1;
258
259 if (a->negative_ttl == -1)
260 a->negative_ttl = a->ttl;
261
262 if (a->children.defaultQueueSize)
263 a->children.queue_size = 2 * a->children.n_max;
264
265 /* Legacy external_acl_type format parser.
266 * Handles a series of %... tokens where any non-% means
267 * the start of another parameter field (ie the path to binary).
268 */
269 enum Format::Quoting quote = Format::LOG_QUOTE_NONE;
270 Format::Token **fmt = &a->format.format;
271 bool data_used = false;
272 while (token) {
273 /* stop on first non-% token found */
274 if (*token != '%')
275 break;
276
277 *fmt = new Format::Token;
278 // these tokens are whitespace delimited
279 (*fmt)->space = true;
280
281 // compatibility for old tokens incompatible with Format::Token syntax
282 #if USE_OPENSSL // dont bother if we dont have to.
283 if (strncmp(token, "%USER_CERT_", 11) == 0) {
284 (*fmt)->type = Format::LFT_EXT_ACL_USER_CERT;
285 (*fmt)->data.string = xstrdup(token + 11);
286 (*fmt)->data.header.header = (*fmt)->data.string;
287 } else if (strncmp(token, "%USER_CA_CERT_", 14) == 0) {
288 (*fmt)->type = Format::LFT_EXT_ACL_USER_CA_CERT;
289 (*fmt)->data.string = xstrdup(token + 14);
290 (*fmt)->data.header.header = (*fmt)->data.string;
291 } else if (strncmp(token, "%CA_CERT_", 9) == 0) {
292 debugs(82, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: external_acl_type %CA_CERT_* code is obsolete. Use %USER_CA_CERT_* instead");
293 (*fmt)->type = Format::LFT_EXT_ACL_USER_CA_CERT;
294 (*fmt)->data.string = xstrdup(token + 9);
295 (*fmt)->data.header.header = (*fmt)->data.string;
296 } else
297 #endif
298 {
299 // we can use the Format::Token::parse() method since it
300 // only pulls off one token. Since we already checked
301 // for '%' prefix above this is guaranteed to be a token.
302 const size_t len = (*fmt)->parse(token, &quote);
303 assert(len == strlen(token));
304 }
305
306 // process special token-specific actions (only if necessary)
307 #if USE_AUTH
308 if ((*fmt)->type == Format::LFT_USER_LOGIN)
309 a->require_auth = true;
310 #endif
311
312 if ((*fmt)->type == Format::LFT_EXT_ACL_DATA)
313 data_used = true;
314
315 fmt = &((*fmt)->next);
316 token = ConfigParser::NextToken();
317 }
318
319 /* There must be at least one format token */
320 if (!a->format.format)
321 self_destruct();
322
323 // format has implicit %DATA on the end if not used explicitly
324 if (!data_used) {
325 *fmt = new Format::Token;
326 (*fmt)->type = Format::LFT_EXT_ACL_DATA;
327 }
328
329 /* helper */
330 if (!token)
331 self_destruct();
332
333 wordlistAdd(&a->cmdline, token);
334
335 /* arguments */
336 parse_wordlist(&a->cmdline);
337
338 while (*list)
339 list = &(*list)->next;
340
341 *list = a;
342 }
343
344 void
345 dump_externalAclHelper(StoreEntry * sentry, const char *name, const external_acl * list)
346 {
347 const external_acl *node;
348 const wordlist *word;
349
350 for (node = list; node; node = node->next) {
351 storeAppendPrintf(sentry, "%s %s", name, node->name);
352
353 if (!node->local_addr.isIPv6())
354 storeAppendPrintf(sentry, " ipv4");
355 else
356 storeAppendPrintf(sentry, " ipv6");
357
358 if (node->ttl != DEFAULT_EXTERNAL_ACL_TTL)
359 storeAppendPrintf(sentry, " ttl=%d", node->ttl);
360
361 if (node->negative_ttl != node->ttl)
362 storeAppendPrintf(sentry, " negative_ttl=%d", node->negative_ttl);
363
364 if (node->grace)
365 storeAppendPrintf(sentry, " grace=%d", node->grace);
366
367 if (node->children.n_max != DEFAULT_EXTERNAL_ACL_CHILDREN)
368 storeAppendPrintf(sentry, " children-max=%d", node->children.n_max);
369
370 if (node->children.n_startup != 1)
371 storeAppendPrintf(sentry, " children-startup=%d", node->children.n_startup);
372
373 if (node->children.n_idle != (node->children.n_max + node->children.n_startup) )
374 storeAppendPrintf(sentry, " children-idle=%d", node->children.n_idle);
375
376 if (node->children.concurrency)
377 storeAppendPrintf(sentry, " concurrency=%d", node->children.concurrency);
378
379 if (node->cache)
380 storeAppendPrintf(sentry, " cache=%d", node->cache_size);
381
382 if (node->quote == external_acl::QUOTE_METHOD_SHELL)
383 storeAppendPrintf(sentry, " protocol=2.5");
384
385 node->format.dump(sentry, NULL, false);
386
387 for (word = node->cmdline; word; word = word->next)
388 storeAppendPrintf(sentry, " %s", word->key);
389
390 storeAppendPrintf(sentry, "\n");
391 }
392 }
393
394 void
395 free_externalAclHelper(external_acl ** list)
396 {
397 delete *list;
398 *list = NULL;
399 }
400
401 static external_acl *
402 find_externalAclHelper(const char *name)
403 {
404 external_acl *node;
405
406 for (node = Config.externalAclHelperList; node; node = node->next) {
407 if (strcmp(node->name, name) == 0)
408 return node;
409 }
410
411 return NULL;
412 }
413
414 void
415 external_acl::add(const ExternalACLEntryPointer &anEntry)
416 {
417 trimCache();
418 assert(anEntry != NULL);
419 assert (anEntry->def == NULL);
420 anEntry->def = this;
421 ExternalACLEntry *e = const_cast<ExternalACLEntry *>(anEntry.getRaw()); // XXX: make hash a std::map of Pointer.
422 hash_join(cache, e);
423 dlinkAdd(e, &e->lru, &lru_list);
424 e->lock(); //cbdataReference(e); // lock it on behalf of the hash
425 ++cache_entries;
426 }
427
428 void
429 external_acl::trimCache()
430 {
431 if (cache_size && cache_entries >= cache_size) {
432 ExternalACLEntryPointer e(static_cast<ExternalACLEntry *>(lru_list.tail->data));
433 external_acl_cache_delete(this, e);
434 }
435 }
436
437 /******************************************************************
438 * external acl type
439 */
440
441 class external_acl_data
442 {
443 CBDATA_CLASS(external_acl_data);
444
445 public:
446 explicit external_acl_data(external_acl *aDef) : def(cbdataReference(aDef)), name(NULL), arguments(NULL) {}
447 ~external_acl_data();
448
449 external_acl *def;
450 const char *name;
451 wordlist *arguments;
452 };
453
454 CBDATA_CLASS_INIT(external_acl_data);
455
456 external_acl_data::~external_acl_data()
457 {
458 xfree(name);
459 wordlistDestroy(&arguments);
460 cbdataReferenceDone(def);
461 }
462
463 void
464 ACLExternal::parse()
465 {
466 if (data)
467 self_destruct();
468
469 char *token = ConfigParser::strtokFile();
470
471 if (!token)
472 self_destruct();
473
474 data = new external_acl_data(find_externalAclHelper(token));
475
476 if (!data->def)
477 self_destruct();
478
479 // def->name is the name of the external_acl_type.
480 // this is the name of the 'acl' directive being tested
481 data->name = xstrdup(AclMatchedName);
482
483 while ((token = ConfigParser::strtokFile())) {
484 wordlistAdd(&data->arguments, token);
485 }
486 }
487
488 bool
489 ACLExternal::valid () const
490 {
491 #if USE_AUTH
492 if (data->def->require_auth) {
493 if (authenticateSchemeCount() == 0) {
494 debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes were compiled.");
495 return false;
496 }
497
498 if (authenticateActiveSchemeCount() == 0) {
499 debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes are fully configured.");
500 return false;
501 }
502 }
503 #endif
504
505 return true;
506 }
507
508 bool
509 ACLExternal::empty () const
510 {
511 return false;
512 }
513
514 ACLExternal::~ACLExternal()
515 {
516 delete data;
517 xfree(class_);
518 }
519
520 static void
521 copyResultsFromEntry(HttpRequest *req, const ExternalACLEntryPointer &entry)
522 {
523 if (req) {
524 #if USE_AUTH
525 if (entry->user.size())
526 req->extacl_user = entry->user;
527
528 if (entry->password.size())
529 req->extacl_passwd = entry->password;
530 #endif
531 if (!req->tag.size())
532 req->tag = entry->tag;
533
534 if (entry->log.size())
535 req->extacl_log = entry->log;
536
537 if (entry->message.size())
538 req->extacl_message = entry->message;
539
540 // attach the helper kv-pair to the transaction
541 UpdateRequestNotes(req->clientConnectionManager.get(), *req, entry->notes);
542 }
543 }
544
545 static allow_t
546 aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch)
547 {
548 debugs(82, 9, HERE << "acl=\"" << acl->def->name << "\"");
549 ExternalACLEntryPointer entry = ch->extacl_entry;
550
551 external_acl_message = "MISSING REQUIRED INFORMATION";
552
553 if (entry != NULL) {
554 if (entry->def == acl->def) {
555 /* Ours, use it.. if the key matches */
556 const char *key = makeExternalAclKey(ch, acl);
557 if (!key)
558 return ACCESS_DUNNO; // insufficent data to continue
559 if (strcmp(key, (char*)entry->key) != 0) {
560 debugs(82, 9, "entry key='" << (char *)entry->key << "', our key='" << key << "' dont match. Discarded.");
561 // too bad. need a new lookup.
562 entry = ch->extacl_entry = NULL;
563 }
564 } else {
565 /* Not ours.. get rid of it */
566 debugs(82, 9, "entry " << entry << " not valid or not ours. Discarded.");
567 if (entry != NULL) {
568 debugs(82, 9, "entry def=" << entry->def << ", our def=" << acl->def);
569 const char *key = makeExternalAclKey(ch, acl); // may be nil
570 debugs(82, 9, "entry key='" << (char *)entry->key << "', our key='" << key << "'");
571 }
572 entry = ch->extacl_entry = NULL;
573 }
574 }
575
576 if (!entry) {
577 debugs(82, 9, HERE << "No helper entry available");
578 #if USE_AUTH
579 if (acl->def->require_auth) {
580 /* Make sure the user is authenticated */
581 debugs(82, 3, HERE << acl->def->name << " check user authenticated.");
582 const allow_t ti = AuthenticateAcl(ch);
583 if (ti != ACCESS_ALLOWED) {
584 debugs(82, 2, HERE << acl->def->name << " user not authenticated (" << ti << ")");
585 return ti;
586 }
587 debugs(82, 3, HERE << acl->def->name << " user is authenticated.");
588 }
589 #endif
590 const char *key = makeExternalAclKey(ch, acl);
591
592 if (!key) {
593 /* Not sufficient data to process */
594 return ACCESS_DUNNO;
595 }
596
597 entry = static_cast<ExternalACLEntry *>(hash_lookup(acl->def->cache, key));
598
599 const ExternalACLEntryPointer staleEntry = entry;
600 if (entry != NULL && external_acl_entry_expired(acl->def, entry))
601 entry = NULL;
602
603 if (entry != NULL && external_acl_grace_expired(acl->def, entry)) {
604 // refresh in the background
605 ExternalACLLookup::Start(ch, acl, true);
606 debugs(82, 4, HERE << "no need to wait for the refresh of '" <<
607 key << "' in '" << acl->def->name << "' (ch=" << ch << ").");
608 }
609
610 if (!entry) {
611 debugs(82, 2, HERE << acl->def->name << "(\"" << key << "\") = lookup needed");
612
613 if (!acl->def->theHelper->queueFull()) {
614 debugs(82, 2, HERE << "\"" << key << "\": queueing a call.");
615 if (!ch->goAsync(ExternalACLLookup::Instance()))
616 debugs(82, 2, "\"" << key << "\": no async support!");
617 debugs(82, 2, HERE << "\"" << key << "\": return -1.");
618 return ACCESS_DUNNO; // expired cached or simply absent entry
619 } else {
620 if (!staleEntry) {
621 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
622 "' queue overload. Request rejected '" << key << "'.");
623 external_acl_message = "SYSTEM TOO BUSY, TRY AGAIN LATER";
624 return ACCESS_DUNNO;
625 } else {
626 debugs(82, DBG_IMPORTANT, "WARNING: external ACL '" << acl->def->name <<
627 "' queue overload. Using stale result. '" << key << "'.");
628 entry = staleEntry;
629 /* Fall thru to processing below */
630 }
631 }
632 }
633 }
634
635 debugs(82, 4, HERE << "entry = { date=" <<
636 (long unsigned int) entry->date <<
637 ", result=" << entry->result <<
638 " tag=" << entry->tag <<
639 " log=" << entry->log << " }");
640 #if USE_AUTH
641 debugs(82, 4, HERE << "entry user=" << entry->user);
642 #endif
643
644 external_acl_cache_touch(acl->def, entry);
645 external_acl_message = entry->message.termedBuf();
646
647 debugs(82, 2, HERE << acl->def->name << " = " << entry->result);
648 copyResultsFromEntry(ch->request, entry);
649 return entry->result;
650 }
651
652 int
653 ACLExternal::match(ACLChecklist *checklist)
654 {
655 allow_t answer = aclMatchExternal(data, Filled(checklist));
656
657 // convert to tri-state ACL match 1,0,-1
658 switch (answer) {
659 case ACCESS_ALLOWED:
660 return 1; // match
661
662 case ACCESS_DENIED:
663 return 0; // non-match
664
665 case ACCESS_DUNNO:
666 case ACCESS_AUTH_REQUIRED:
667 default:
668 // If the answer is not allowed or denied (matches/not matches) and
669 // async authentication is not in progress, then we are done.
670 if (checklist->keepMatching())
671 checklist->markFinished(answer, "aclMatchExternal exception");
672 return -1; // other
673 }
674 }
675
676 SBufList
677 ACLExternal::dump() const
678 {
679 external_acl_data const *acl = data;
680 SBufList rv;
681 rv.push_back(SBuf(acl->def->name));
682
683 for (wordlist *arg = acl->arguments; arg; arg = arg->next) {
684 SBuf s;
685 s.Printf(" %s", arg->key);
686 rv.push_back(s);
687 }
688
689 return rv;
690 }
691
692 /******************************************************************
693 * external_acl cache
694 */
695
696 static void
697 external_acl_cache_touch(external_acl * def, const ExternalACLEntryPointer &entry)
698 {
699 // this must not be done when nothing is being cached.
700 if (def->cache_size <= 0 || (def->ttl <= 0 && entry->result == 1) || (def->negative_ttl <= 0 && entry->result != 1))
701 return;
702
703 dlinkDelete(&entry->lru, &def->lru_list);
704 ExternalACLEntry *e = const_cast<ExternalACLEntry *>(entry.getRaw()); // XXX: make hash a std::map of Pointer.
705 dlinkAdd(e, &entry->lru, &def->lru_list);
706 }
707
708 static char *
709 makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl_data)
710 {
711 static MemBuf mb;
712 mb.reset();
713
714 // check for special case tokens in the format
715 for (Format::Token *t = acl_data->def->format.format; t ; t = t->next) {
716
717 if (t->type == Format::LFT_EXT_ACL_NAME) {
718 // setup for %ACL
719 safe_free(ch->al->_private.lastAclName);
720 ch->al->_private.lastAclName = xstrdup(acl_data->name);
721 }
722
723 if (t->type == Format::LFT_EXT_ACL_NAME) {
724 // setup string for %DATA
725 SBuf sb;
726 bool first = true;
727 for (auto arg = acl_data->arguments; arg; arg = arg->next) {
728 if (!first)
729 sb.append(" ", 1);
730
731 if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) {
732 const char *quoted = rfc1738_escape(arg->key);
733 sb.append(quoted, strlen(quoted));
734 } else {
735 static MemBuf mb2;
736 mb2.init();
737 strwordquote(&mb2, arg->key);
738 sb.append(mb2.buf, mb2.size);
739 mb2.clean();
740 }
741
742 first = false;
743 }
744 }
745
746 if (t->type == Format::LFT_USER_IDENT) {
747 if (!*ch->rfc931) {
748 // if we fail to go async, we still return NULL and the caller
749 // will detect the failure in ACLExternal::match().
750 (void)ch->goAsync(IdentLookup::Instance());
751 return NULL;
752 }
753 }
754 }
755
756 // generate %DATA token value of this acl lookup
757 SBuf sb;
758 for (auto arg = acl_data->arguments; arg; arg = arg->next) {
759 if (sb.length())
760 sb.append(" ", 1);
761
762 if (acl_data->def->quote == external_acl::QUOTE_METHOD_URL) {
763 const char *quoted = rfc1738_escape(arg->key);
764 sb.append(quoted, strlen(quoted));
765 } else {
766 static MemBuf mb2;
767 mb2.init();
768 strwordquote(&mb2, arg->key);
769 sb.append(mb2.buf, mb2.size);
770 mb2.clean();
771 }
772 }
773 ch->al->_private.lastAclData = sb.c_str();
774
775 // assemble the full helper lookup string
776 acl_data->def->format.assemble(mb, ch->al, 0);
777
778 return mb.buf;
779 }
780
781 static int
782 external_acl_entry_expired(external_acl * def, const ExternalACLEntryPointer &entry)
783 {
784 if (def->cache_size <= 0)
785 return 1;
786
787 if (entry->date + (entry->result == 1 ? def->ttl : def->negative_ttl) < squid_curtime)
788 return 1;
789 else
790 return 0;
791 }
792
793 static int
794 external_acl_grace_expired(external_acl * def, const ExternalACLEntryPointer &entry)
795 {
796 if (def->cache_size <= 0)
797 return 1;
798
799 int ttl;
800 ttl = entry->result == 1 ? def->ttl : def->negative_ttl;
801 ttl = (ttl * (100 - def->grace)) / 100;
802
803 if (entry->date + ttl <= squid_curtime)
804 return 1;
805 else
806 return 0;
807 }
808
809 static ExternalACLEntryPointer
810 external_acl_cache_add(external_acl * def, const char *key, ExternalACLEntryData const & data)
811 {
812 ExternalACLEntryPointer entry;
813
814 // do not bother caching this result if TTL is going to expire it immediately
815 if (def->cache_size <= 0 || (def->ttl <= 0 && data.result == 1) || (def->negative_ttl <= 0 && data.result != 1)) {
816 debugs(82,6, HERE);
817 entry = new ExternalACLEntry;
818 entry->key = xstrdup(key);
819 entry->update(data);
820 entry->def = def;
821 return entry;
822 }
823
824 entry = static_cast<ExternalACLEntry *>(hash_lookup(def->cache, key));
825 debugs(82, 2, "external_acl_cache_add: Adding '" << key << "' = " << data.result);
826
827 if (entry != NULL) {
828 debugs(82, 3, "updating existing entry");
829 entry->update(data);
830 external_acl_cache_touch(def, entry);
831 return entry;
832 }
833
834 entry = new ExternalACLEntry;
835 entry->key = xstrdup(key);
836 entry->update(data);
837
838 def->add(entry);
839
840 return entry;
841 }
842
843 static void
844 external_acl_cache_delete(external_acl * def, const ExternalACLEntryPointer &entry)
845 {
846 assert(entry != NULL);
847 assert(def->cache_size > 0 && entry->def == def);
848 ExternalACLEntry *e = const_cast<ExternalACLEntry *>(entry.getRaw()); // XXX: make hash a std::map of Pointer.
849 hash_remove_link(def->cache, e);
850 dlinkDelete(&e->lru, &def->lru_list);
851 e->unlock(); // unlock on behalf of the hash
852 def->cache_entries -= 1;
853 }
854
855 /******************************************************************
856 * external_acl helpers
857 */
858
859 class externalAclState
860 {
861 CBDATA_CLASS(externalAclState);
862
863 public:
864 externalAclState(external_acl* aDef, const char *aKey) :
865 callback(NULL),
866 callback_data(NULL),
867 key(xstrdup(aKey)),
868 def(cbdataReference(aDef)),
869 queue(NULL)
870 {}
871 ~externalAclState();
872
873 EAH *callback;
874 void *callback_data;
875 char *key;
876 external_acl *def;
877 dlink_node list;
878 externalAclState *queue;
879 };
880
881 CBDATA_CLASS_INIT(externalAclState);
882
883 externalAclState::~externalAclState()
884 {
885 xfree(key);
886 cbdataReferenceDone(callback_data);
887 cbdataReferenceDone(def);
888 }
889
890 /*
891 * The helper program receives queries on stdin, one
892 * per line, and must return the result on on stdout
893 *
894 * General result syntax:
895 *
896 * OK/ERR keyword=value ...
897 *
898 * Keywords:
899 *
900 * user= The users name (login)
901 * message= Message describing the reason
902 * tag= A string tag to be applied to the request that triggered the acl match.
903 * applies to both OK and ERR responses.
904 * Won't override existing request tags.
905 * log= A string to be used in access logging
906 *
907 * Other keywords may be added to the protocol later
908 *
909 * value needs to be URL-encoded or enclosed in double quotes (")
910 * with \-escaping on any whitespace, quotes, or slashes (\).
911 */
912 static void
913 externalAclHandleReply(void *data, const Helper::Reply &reply)
914 {
915 externalAclState *state = static_cast<externalAclState *>(data);
916 externalAclState *next;
917 ExternalACLEntryData entryData;
918 entryData.result = ACCESS_DENIED;
919
920 debugs(82, 2, HERE << "reply=" << reply);
921
922 if (reply.result == Helper::Okay)
923 entryData.result = ACCESS_ALLOWED;
924 // XXX: handle other non-DENIED results better
925
926 // XXX: make entryData store a proper Helper::Reply object instead of copying.
927
928 entryData.notes.append(&reply.notes);
929
930 const char *label = reply.notes.findFirst("tag");
931 if (label != NULL && *label != '\0')
932 entryData.tag = label;
933
934 label = reply.notes.findFirst("message");
935 if (label != NULL && *label != '\0')
936 entryData.message = label;
937
938 label = reply.notes.findFirst("log");
939 if (label != NULL && *label != '\0')
940 entryData.log = label;
941
942 #if USE_AUTH
943 label = reply.notes.findFirst("user");
944 if (label != NULL && *label != '\0')
945 entryData.user = label;
946
947 label = reply.notes.findFirst("password");
948 if (label != NULL && *label != '\0')
949 entryData.password = label;
950 #endif
951
952 dlinkDelete(&state->list, &state->def->queue);
953
954 ExternalACLEntryPointer entry;
955 if (cbdataReferenceValid(state->def)) {
956 // only cache OK and ERR results.
957 if (reply.result == Helper::Okay || reply.result == Helper::Error)
958 entry = external_acl_cache_add(state->def, state->key, entryData);
959 else {
960 const ExternalACLEntryPointer oldentry = static_cast<ExternalACLEntry *>(hash_lookup(state->def->cache, state->key));
961
962 if (oldentry != NULL)
963 external_acl_cache_delete(state->def, oldentry);
964 }
965 }
966
967 do {
968 void *cbdata;
969 if (state->callback && cbdataReferenceValidDone(state->callback_data, &cbdata))
970 state->callback(cbdata, entry);
971
972 next = state->queue;
973 state->queue = NULL;
974
975 delete state;
976
977 state = next;
978 } while (state);
979 }
980
981 void
982 ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me)
983 {
984 ExternalACLLookup::Start(checklist, me->data, false);
985 }
986
987 void
988 ExternalACLLookup::Start(ACLChecklist *checklist, external_acl_data *acl, bool inBackground)
989 {
990 external_acl *def = acl->def;
991
992 ACLFilledChecklist *ch = Filled(checklist);
993 const char *key = makeExternalAclKey(ch, acl);
994 assert(key); // XXX: will fail if EXT_ACL_IDENT case needs an async lookup
995
996 debugs(82, 2, HERE << (inBackground ? "bg" : "fg") << " lookup in '" <<
997 def->name << "' for '" << key << "'");
998
999 /* Check for a pending lookup to hook into */
1000 // only possible if we are caching results.
1001 externalAclState *oldstate = NULL;
1002 if (def->cache_size > 0) {
1003 for (dlink_node *node = def->queue.head; node; node = node->next) {
1004 externalAclState *oldstatetmp = static_cast<externalAclState *>(node->data);
1005
1006 if (strcmp(key, oldstatetmp->key) == 0) {
1007 oldstate = oldstatetmp;
1008 break;
1009 }
1010 }
1011 }
1012
1013 // A background refresh has no need to piggiback on a pending request:
1014 // When the pending request completes, the cache will be refreshed anyway.
1015 if (oldstate && inBackground) {
1016 debugs(82, 7, HERE << "'" << def->name << "' queue is already being refreshed (ch=" << ch << ")");
1017 return;
1018 }
1019
1020 externalAclState *state = new externalAclState(def, key);
1021
1022 if (!inBackground) {
1023 state->callback = &ExternalACLLookup::LookupDone;
1024 state->callback_data = cbdataReference(checklist);
1025 }
1026
1027 if (oldstate) {
1028 /* Hook into pending lookup */
1029 state->queue = oldstate->queue;
1030 oldstate->queue = state;
1031 } else {
1032 /* No pending lookup found. Sumbit to helper */
1033
1034 MemBuf buf;
1035 buf.init();
1036 buf.appendf("%s\n", key);
1037 debugs(82, 4, "externalAclLookup: looking up for '" << key << "' in '" << def->name << "'.");
1038
1039 if (!def->theHelper->trySubmit(buf.buf, externalAclHandleReply, state)) {
1040 debugs(82, 7, HERE << "'" << def->name << "' submit to helper failed");
1041 assert(inBackground); // or the caller should have checked
1042 delete state;
1043 return;
1044 }
1045
1046 dlinkAdd(state, &state->list, &def->queue);
1047
1048 buf.clean();
1049 }
1050
1051 debugs(82, 4, "externalAclLookup: will wait for the result of '" << key <<
1052 "' in '" << def->name << "' (ch=" << ch << ").");
1053 }
1054
1055 static void
1056 externalAclStats(StoreEntry * sentry)
1057 {
1058 for (external_acl *p = Config.externalAclHelperList; p; p = p->next) {
1059 storeAppendPrintf(sentry, "External ACL Statistics: %s\n", p->name);
1060 storeAppendPrintf(sentry, "Cache size: %d\n", p->cache->count);
1061 assert(p->theHelper);
1062 p->theHelper->packStatsInto(sentry);
1063 storeAppendPrintf(sentry, "\n");
1064 }
1065 }
1066
1067 static void
1068 externalAclRegisterWithCacheManager(void)
1069 {
1070 Mgr::RegisterAction("external_acl",
1071 "External ACL stats",
1072 externalAclStats, 0, 1);
1073 }
1074
1075 void
1076 externalAclInit(void)
1077 {
1078 for (external_acl *p = Config.externalAclHelperList; p; p = p->next) {
1079 if (!p->cache)
1080 p->cache = hash_create((HASHCMP *) strcmp, hashPrime(1024), hash4);
1081
1082 if (!p->theHelper)
1083 p->theHelper = new helper(p->name);
1084
1085 p->theHelper->cmdline = p->cmdline;
1086
1087 p->theHelper->childs.updateLimits(p->children);
1088
1089 p->theHelper->ipc_type = IPC_TCP_SOCKET;
1090
1091 p->theHelper->addr = p->local_addr;
1092
1093 helperOpenServers(p->theHelper);
1094 }
1095
1096 externalAclRegisterWithCacheManager();
1097 }
1098
1099 void
1100 externalAclShutdown(void)
1101 {
1102 external_acl *p;
1103
1104 for (p = Config.externalAclHelperList; p; p = p->next) {
1105 helperShutdown(p->theHelper);
1106 }
1107 }
1108
1109 ExternalACLLookup ExternalACLLookup::instance_;
1110 ExternalACLLookup *
1111 ExternalACLLookup::Instance()
1112 {
1113 return &instance_;
1114 }
1115
1116 void
1117 ExternalACLLookup::checkForAsync(ACLChecklist *checklist)const
1118 {
1119 /* TODO: optimise this - we probably have a pointer to this
1120 * around somewhere */
1121 ACL *acl = ACL::FindByName(AclMatchedName);
1122 assert(acl);
1123 ACLExternal *me = dynamic_cast<ACLExternal *> (acl);
1124 assert (me);
1125 ACLExternal::ExternalAclLookup(checklist, me);
1126 }
1127
1128 /// Called when an async lookup returns
1129 void
1130 ExternalACLLookup::LookupDone(void *data, const ExternalACLEntryPointer &result)
1131 {
1132 ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
1133 checklist->extacl_entry = result;
1134 checklist->resumeNonBlockingCheck(ExternalACLLookup::Instance());
1135 }
1136
1137 /* This registers "external" in the registry. To do dynamic definitions
1138 * of external ACL's, rather than a static prototype, have a Prototype instance
1139 * prototype in the class that defines each external acl 'class'.
1140 * Then, then the external acl instance is created, it self registers under
1141 * it's name.
1142 * Be sure that clone is fully functional for that acl class though!
1143 */
1144 ACL::Prototype ACLExternal::RegistryProtoype(&ACLExternal::RegistryEntry_, "external");
1145
1146 ACLExternal ACLExternal::RegistryEntry_("external");
1147
1148 ACL *
1149 ACLExternal::clone() const
1150 {
1151 return new ACLExternal(*this);
1152 }
1153
1154 ACLExternal::ACLExternal(char const *theClass) : data(NULL), class_(xstrdup(theClass))
1155 {}
1156
1157 ACLExternal::ACLExternal(ACLExternal const & old) : data(NULL), class_(old.class_ ? xstrdup(old.class_) : NULL)
1158 {
1159 /* we don't have copy constructors for the data yet */
1160 assert(!old.data);
1161 }
1162
1163 char const *
1164 ACLExternal::typeString() const
1165 {
1166 return class_;
1167 }
1168
1169 bool
1170 ACLExternal::isProxyAuth() const
1171 {
1172 #if USE_AUTH
1173 return data->def->require_auth;
1174 #else
1175 return false;
1176 #endif
1177 }
1178
Mirror of https://github.com/squid-cache/squid.git