/*
+ * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
*
- * SQUID Web Proxy Cache http://www.squid-cache.org/
- * ----------------------------------------------------------
- *
- * Squid is the result of efforts by numerous individuals from
- * the Internet community; see the CONTRIBUTORS file for full
- * details. Many organizations have provided support for Squid's
- * development; see the SPONSORS file for full details. Squid is
- * Copyrighted (C) 2001 by the Regents of the University of
- * California; see the COPYRIGHT file for full details. Squid
- * incorporates software developed and/or copyrighted by other
- * sources; see the CREDITS file for full details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
- *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
*/
#ifndef SQUID_ACLCHECKLIST_H
#include "acl/InnerNode.h"
#include <stack>
+#include <vector>
/// ACL checklist callback
typedef void ACLCB(allow_t, void *);
/** \ingroup ACLAPI
Base class for maintaining Squid and transaction state for access checks.
- Provides basic ACL checking methods. Its only child, ACLFilledChecklist,
- keeps the actual state data. The split is necessary to avoid exposing
+ Provides basic ACL checking methods. Its only child, ACLFilledChecklist,
+ keeps the actual state data. The split is necessary to avoid exposing
all ACL-related code to virtually Squid data types. */
class ACLChecklist
{
const allow_t ¤tAnswer() const { return allow_; }
+ /// whether the action is banned or not
+ bool bannedAction(const allow_t &action) const;
+ /// add action to the list of banned actions
+ void banAction(const allow_t &action);
+
// XXX: ACLs that need request or reply have to use ACLFilledChecklist and
// should do their own checks so that we do not have to povide these two
// for ACL::checklistMatches to use
virtual bool hasRequest() const = 0;
virtual bool hasReply() const = 0;
+ virtual bool hasAle() const = 0;
+ virtual void syncAle() const = 0;
+
+ /// change the current ACL list
+ /// \return a pointer to the old list value (may be nullptr)
+ const Acl::Tree *changeAcl(const Acl::Tree *t) {
+ const Acl::Tree *old = accessList;
+ if (t != accessList) {
+ cbdataReferenceDone(accessList);
+ accessList = cbdataReference(t);
+ }
+ return old;
+ }
private:
/// Calls non-blocking check callback with the answer and destroys self.
void changeState(AsyncState *);
AsyncState *asyncState() const;
-public:
const Acl::Tree *accessList;
+public:
ACLCB *callback;
void *callback_data;
void calcImplicitAnswer();
bool asyncCaller_; ///< whether the caller supports async/slow ACLs
+ bool occupied_; ///< whether a check (fast or non-blocking) is in progress
bool finished_;
allow_t allow_;
AsyncState *state_;
Breadcrumb matchLoc_; ///< location of the node running matches() now
Breadcrumb asyncLoc_; ///< currentNode_ that called goAsync()
+ unsigned asyncLoopDepth_; ///< how many times the current async state has resumed
bool callerGone();
/// suspended (due to an async lookup) matches() in the ACL tree
std::stack<Breadcrumb> matchPath;
+ /// the list of actions which must ignored during acl checks
+ std::vector<allow_t> bannedActions_;
};
#endif /* SQUID_ACLCHECKLIST_H */
+
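Review bot: `changeAcl()` returns `old` after `cbdataReferenceDone(accessList)` has already run on that same tree, so whenever the list actually changes the returned pointer is no longer pinned by this checklist, and the doc comment does not say so. Assuming the macro drops the cbdata lock as its name suggests, a caller that keeps the value to restore the list later could hand a pointer to an already-freed tree back into `cbdataReference()`. I would extend the comment with `/// The returned pointer is not cbdata-locked; the caller must hold its own reference or validate it before reuse.` Separately, the new `occupied_` and `asyncLoopDepth_` members have no in-class initializer and the constructor is outside this diff, so please confirm both are set there (`false` and `0`), since a loop-depth guard that starts from an indeterminate value gives no protection.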