From: Amaury Denoyelle <adenoyelle@haproxy.com>
Date: Fri, 7 May 2021 12:25:01 +0000 (+0200)
Subject: MINOR: action: implement experimental actions
X-Git-Tag: v2.4-dev19~94
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=03517735346bc3e46e9fea855dd48c6576996f63;p=thirdparty%2Fhaproxy.git

MINOR: action: implement experimental actions

Support experimental actions. It is mandatory to use
'expose-experimental-directives' before to be able to use them.

If such action is present in the config file, the tainted status of the
process is updated. Another tainted status is set when an experimental
action is executed.
---

diff --git a/include/haproxy/global.h b/include/haproxy/global.h
index fb7b62b6c8..c69955c81b 100644
--- a/include/haproxy/global.h
+++ b/include/haproxy/global.h
@@ -99,6 +99,7 @@ static inline unsigned long thread_mask(unsigned long mask)
 /* handle 'tainted' status */
 enum tainted_flags {
 	TAINTED_CONFIG_EXP_KW_DECLARED = 0x1,
+	TAINTED_ACTION_EXP_EXECUTED    = 0x2,
 };
 void mark_tainted(const enum tainted_flags flag);
 unsigned int get_tainted();
diff --git a/src/http_ana.c b/src/http_ana.c
index b35664645d..a3618b9043 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -16,6 +16,7 @@
 #include <haproxy/backend.h>
 #include <haproxy/base64.h>
 #include <haproxy/capture-t.h>
+#include <haproxy/cfgparse.h>
 #include <haproxy/channel.h>
 #include <haproxy/check.h>
 #include <haproxy/connection.h>
@@ -2798,6 +2799,9 @@ static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct lis
 
 		act_opts |= ACT_OPT_FIRST;
   resume_execution:
+		if (rule->kw->flags & KWF_EXPERIMENTAL)
+			mark_tainted(TAINTED_ACTION_EXP_EXECUTED);
+
 		/* Always call the action function if defined */
 		if (rule->action_ptr) {
 			if ((s->req.flags & CF_READ_ERROR) ||
@@ -2943,6 +2947,8 @@ static enum rule_result http_res_get_intercept_rule(struct proxy *px, struct lis
 
 		act_opts |= ACT_OPT_FIRST;
 resume_execution:
+		if (rule->kw->flags & KWF_EXPERIMENTAL)
+			mark_tainted(TAINTED_ACTION_EXP_EXECUTED);
 
 		/* Always call the action function if defined */
 		if (rule->action_ptr) {
diff --git a/src/http_rules.c b/src/http_rules.c
index a34c560950..54fa0e9f0b 100644
--- a/src/http_rules.c
+++ b/src/http_rules.c
@@ -92,6 +92,16 @@ struct act_rule *parse_http_req_cond(const char **args, const char *file, int li
 		cur_arg = 1;
 		/* try in the module list */
 		rule->kw = custom;
+
+		if (custom->flags & KWF_EXPERIMENTAL) {
+			if (!experimental_directives_allowed) {
+				ha_alert("parsing [%s:%d] : '%s' action is experimental, must be allowed via a global 'expose-experimental-directives'\n",
+				         file, linenum, custom->kw);
+				goto out_err;
+			}
+			mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
+		}
+
 		if (custom->parse(args, &cur_arg, proxy, rule, &errmsg) == ACT_RET_PRS_ERR) {
 			ha_alert("parsing [%s:%d] : error detected in %s '%s' while parsing 'http-request %s' rule : %s.\n",
 				 file, linenum, proxy_type_str(proxy), proxy->id, args[0], errmsg);
@@ -161,6 +171,16 @@ struct act_rule *parse_http_res_cond(const char **args, const char *file, int li
 		cur_arg = 1;
 		/* try in the module list */
 		rule->kw = custom;
+
+		if (custom->flags & KWF_EXPERIMENTAL) {
+			if (!experimental_directives_allowed) {
+				ha_alert("parsing [%s:%d] : '%s' action is experimental, must be allowed via a global 'expose-experimental-directives'\n",
+				         file, linenum, custom->kw);
+				goto out_err;
+			}
+			mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
+		}
+
 		if (custom->parse(args, &cur_arg, proxy, rule, &errmsg) == ACT_RET_PRS_ERR) {
 			ha_alert("parsing [%s:%d] : error detected in %s '%s' while parsing 'http-response %s' rule : %s.\n",
 				 file, linenum, proxy_type_str(proxy), proxy->id, args[0], errmsg);