AclRegs.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 
11 #if USE_ADAPTATION
12 #include "acl/AdaptationService.h"
13 #include "acl/AdaptationServiceData.h"
14 #endif
15 #include "acl/AllOf.h"
16 #include "acl/AnnotateClient.h"
17 #include "acl/AnnotateTransaction.h"
18 #include "acl/AnnotationData.h"
19 #include "acl/AnyOf.h"
20 #if USE_SQUID_EUI
21 #include "acl/Arp.h"
22 #include "acl/Eui64.h"
23 #endif
24 #if USE_OPENSSL
25 #include "acl/AtStep.h"
26 #include "acl/AtStepData.h"
27 #endif
28 #include "acl/Checklist.h"
29 #include "acl/ConnectionsEncrypted.h"
30 #include "acl/Data.h"
31 #include "acl/DestinationDomain.h"
32 #include "acl/DestinationIp.h"
33 #include "acl/DomainData.h"
34 #if USE_LIBNETFILTERCONNTRACK
35 #include "acl/ConnMark.h"
36 #endif
37 #if USE_AUTH
38 #include "acl/ExtUser.h"
39 #endif
40 #include "acl/FilledChecklist.h"
41 #include "acl/forward.h"
42 #include "acl/Gadgets.h"
43 #include "acl/HasComponent.h"
44 #include "acl/HasComponentData.h"
45 #include "acl/HierCode.h"
46 #include "acl/HierCodeData.h"
47 #include "acl/HttpHeaderData.h"
48 #include "acl/HttpRepHeader.h"
49 #include "acl/HttpReqHeader.h"
50 #include "acl/HttpStatus.h"
51 #include "acl/IntRange.h"
52 #include "acl/Ip.h"
53 #include "acl/LocalIp.h"
54 #include "acl/LocalPort.h"
55 #include "acl/MaxConnection.h"
56 #include "acl/Method.h"
57 #include "acl/MethodData.h"
58 #include "acl/MyPortName.h"
59 #include "acl/Node.h"
60 #include "acl/Note.h"
61 #include "acl/NoteData.h"
62 #include "acl/PeerName.h"
63 #include "acl/Protocol.h"
64 #include "acl/ProtocolData.h"
65 #include "acl/Random.h"
66 #include "acl/RegexData.h"
67 #include "acl/ReplyHeaderStrategy.h"
68 #include "acl/ReplyMimeType.h"
69 #include "acl/RequestHeaderStrategy.h"
70 #include "acl/RequestMimeType.h"
71 #include "acl/SourceDomain.h"
72 #include "acl/SourceIp.h"
73 #include "acl/SquidError.h"
74 #include "acl/SquidErrorData.h"
75 #if USE_OPENSSL
76 #include "acl/Certificate.h"
77 #include "acl/CertificateData.h"
78 #include "acl/ServerName.h"
79 #include "acl/SslError.h"
80 #include "acl/SslErrorData.h"
81 #endif
82 #include "acl/StringData.h"
83 #if USE_OPENSSL
84 #include "acl/ServerCertificate.h"
85 #endif
86 #include "acl/Tag.h"
87 #include "acl/Time.h"
88 #include "acl/TimeData.h"
89 #include "acl/TransactionInitiator.h"
90 #include "acl/Url.h"
91 #include "acl/UrlLogin.h"
92 #include "acl/UrlPath.h"
93 #include "acl/UrlPort.h"
94 #include "acl/UserData.h"
95 #if USE_AUTH
96 #include "auth/AclMaxUserIp.h"
97 #include "auth/AclProxyAuth.h"
98 #endif
99 #include "base/RegexPattern.h"
100 #include "ExternalACL.h"
101 #if SQUID_SNMP
102 #include "snmp_core.h"
103 #endif
104 #include "sbuf/Stream.h"
105 
106 namespace Acl
107 {
108 
113 template <class Parent>
114 class FinalizedParameterizedNode: public Parent
115 {
116  MEMPROXY_CLASS(FinalizedParameterizedNode<Parent>);
117 
118 public:
119  using Parameters = typename Parent::Parameters;
120  using Parent::data;
121 
130  static void PreferAllocatorLabelPrefix(const char * const suffix)
131  {
132  assert(!PreferredAllocatorLabelSuffix); // must be called at most once
133  assert(!FinalPoolLabel); // must be called before the class constructor
134  assert(suffix);
135  PreferredAllocatorLabelSuffix = suffix;
136  }
137 
138  FinalizedParameterizedNode(TypeName typeName, Parameters * const params):
139  typeName_(typeName)
140  {
141  Assure(!data); // base classes never set this data member
142  data.reset(params);
143  Assure(data); // ... but we always do
144 
145  FinalizePoolLabel(typeName);
146  }
147 
148  ~FinalizedParameterizedNode() override = default;
149 
150  /* ACL API */
151  const char *typeString() const override { return typeName_; }
152 
153 private:
160  static void FinalizePoolLabel(const TypeName typeName)
161  {
162  if (FinalPoolLabel)
163  return; // the label has been finalized already
164 
165  assert(typeName);
166  const auto label = ToSBuf("acltype=", PreferredAllocatorLabelSuffix ? PreferredAllocatorLabelSuffix : typeName);
167  FinalPoolLabel = SBufToCstring(label);
168  Pool().relabel(FinalPoolLabel);
169  }
170 
172  inline static const char *PreferredAllocatorLabelSuffix = nullptr;
173 
175  inline static const char *FinalPoolLabel = nullptr;
176 
177  // TODO: Consider storing the spelling used by the admin instead.
179  TypeName typeName_;
180 };
181 
182 } // namespace Acl
183 
184 // Not in src/acl/ because some of the ACLs it registers are not in src/acl/.
185 void
186 Acl::Init()
187 {
188  /* the registration order does not matter */
189 
190  // The explicit return type (Acl::Node*) for lambdas is needed because the type
191  // of the return expression inside lambda is not Node* but AclFoo* while
192  // Maker is defined to return Node*.
193 
194  RegisterMaker("all-of", [](TypeName)->Node* { return new AllOf; }); // XXX: Add name parameter to ctor
195  RegisterMaker("any-of", [](TypeName)->Node* { return new AnyOf; }); // XXX: Add name parameter to ctor
196  RegisterMaker("random", [](TypeName name)->Node* { return new ACLRandom(name); });
197  RegisterMaker("time", [](TypeName name)->Node* { return new FinalizedParameterizedNode<CurrentTimeCheck>(name, new ACLTimeData); });
198  RegisterMaker("browser", [](TypeName name)->Node* { return new FinalizedParameterizedNode<RequestHeaderCheck<Http::HdrType::USER_AGENT> >(name, new ACLRegexData); });
199 
200  RegisterMaker("dstdomain", [](TypeName name)->Node* { return new FinalizedParameterizedNode<DestinationDomainCheck>(name, new ACLDomainData); });
201  RegisterMaker("dstdom_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<DestinationDomainCheck>(name, new ACLRegexData); });
202  FinalizedParameterizedNode<DestinationDomainCheck>::PreferAllocatorLabelPrefix("dstdomain+");
203 
204  RegisterMaker("dst", [](TypeName)->Node* { return new ACLDestinationIP; }); // XXX: Add name parameter to ctor
205  RegisterMaker("hier_code", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HierCodeCheck>(name, new ACLHierCodeData); });
206  RegisterMaker("rep_header", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HttpRepHeaderCheck>(name, new ACLHTTPHeaderData); });
207  RegisterMaker("req_header", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HttpReqHeaderCheck>(name, new ACLHTTPHeaderData); });
208  RegisterMaker("http_status", [](TypeName name)->Node* { return new ACLHTTPStatus(name); });
209  RegisterMaker("maxconn", [](TypeName name)->Node* { return new ACLMaxConnection(name); });
210  RegisterMaker("method", [](TypeName name)->Node* { return new FinalizedParameterizedNode<MethodCheck>(name, new ACLMethodData); });
211  RegisterMaker("localip", [](TypeName)->Node* { return new ACLLocalIP; }); // XXX: Add name parameter to ctor
212  RegisterMaker("localport", [](TypeName name)->Node* { return new FinalizedParameterizedNode<LocalPortCheck>(name, new ACLIntRange); });
213  RegisterMaker("myportname", [](TypeName name)->Node* { return new FinalizedParameterizedNode<MyPortNameCheck>(name, new ACLStringData); });
214 
215  RegisterMaker("peername", [](TypeName name)->Node* { return new FinalizedParameterizedNode<PeerNameCheck>(name, new ACLStringData); });
216  RegisterMaker("peername_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<PeerNameCheck>(name, new ACLRegexData); });
217  FinalizedParameterizedNode<PeerNameCheck>::PreferAllocatorLabelPrefix("peername+");
218 
219  RegisterMaker("proto", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ProtocolCheck>(name, new ACLProtocolData); });
220  RegisterMaker("referer_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<RequestHeaderCheck<Http::HdrType::REFERER> >(name, new ACLRegexData); });
221  RegisterMaker("rep_mime_type", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ReplyHeaderCheck<Http::HdrType::CONTENT_TYPE> >(name, new ACLRegexData); });
222  RegisterMaker("req_mime_type", [](TypeName name)->Node* { return new FinalizedParameterizedNode<RequestHeaderCheck<Http::HdrType::CONTENT_TYPE> >(name, new ACLRegexData); });
223 
224  RegisterMaker("srcdomain", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SourceDomainCheck>(name, new ACLDomainData); });
225  RegisterMaker("srcdom_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SourceDomainCheck>(name, new ACLRegexData); });
226  FinalizedParameterizedNode<SourceDomainCheck>::PreferAllocatorLabelPrefix("srcdomain+");
227 
228  RegisterMaker("src", [](TypeName)->Node* { return new ACLSourceIP; }); // XXX: Add name parameter to ctor
229  RegisterMaker("url_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlCheck>(name, new ACLRegexData); });
230  RegisterMaker("urllogin", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlLoginCheck>(name, new ACLRegexData); });
231  RegisterMaker("urlpath_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlPathCheck>(name, new ACLRegexData); });
232  RegisterMaker("port", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlPortCheck>(name, new ACLIntRange); });
233  RegisterMaker("external", [](TypeName name)->Node* { return new ACLExternal(name); });
234  RegisterMaker("squid_error", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SquidErrorCheck>(name, new ACLSquidErrorData); });
235  RegisterMaker("connections_encrypted", [](TypeName name)->Node* { return new ConnectionsEncrypted(name); });
236  RegisterMaker("tag", [](TypeName name)->Node* { return new FinalizedParameterizedNode<TagCheck>(name, new ACLStringData); });
237  RegisterMaker("note", [](TypeName name)->Node* { return new FinalizedParameterizedNode<NoteCheck>(name, new ACLNoteData); });
238  RegisterMaker("annotate_client", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AnnotateClientCheck>(name, new ACLAnnotationData); });
239  RegisterMaker("annotate_transaction", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AnnotateTransactionCheck>(name, new ACLAnnotationData); });
240  RegisterMaker("has", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HasComponentCheck>(name, new ACLHasComponentData); });
241  RegisterMaker("transaction_initiator", [](TypeName name)->Node* {return new TransactionInitiator(name);});
242 
243 #if USE_LIBNETFILTERCONNTRACK
244  RegisterMaker("clientside_mark", [](TypeName)->Node* { return new ConnMark; }); // XXX: Add name parameter to ctor
245  RegisterMaker("client_connection_mark", [](TypeName)->Node* { return new ConnMark; }); // XXX: Add name parameter to ctor
246 #endif
247 
248 #if USE_OPENSSL
249  RegisterMaker("ssl_error", [](TypeName name)->Node* { return new FinalizedParameterizedNode<CertificateErrorCheck>(name, new ACLSslErrorData); });
250 
251  RegisterMaker("user_cert", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ClientCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509UserAttribute, "*")); });
252  RegisterMaker("ca_cert", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ClientCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509CAAttribute, "*")); });
253  FinalizedParameterizedNode<ClientCertificateCheck>::PreferAllocatorLabelPrefix("user_cert+");
254 
255  RegisterMaker("server_cert_fingerprint", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ServerCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509Fingerprint, nullptr, true)); });
256  RegisterMaker("at_step", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AtStepCheck>(name, new ACLAtStepData); });
257 
258  RegisterMaker("ssl::server_name", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ServerNameCheck>(name, new ACLServerNameData); });
259  RegisterMaker("ssl::server_name_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ServerNameCheck>(name, new ACLRegexData); });
260  FinalizedParameterizedNode<ServerNameCheck>::PreferAllocatorLabelPrefix("ssl::server_name+");
261 #endif
262 
263 #if USE_SQUID_EUI
264  RegisterMaker("arp", [](TypeName name)->Node* { return new ACLARP(name); });
265  RegisterMaker("eui64", [](TypeName name)->Node* { return new ACLEui64(name); });
266 #endif
267 
268 #if USE_AUTH
269  RegisterMaker("ext_user", [](TypeName name)->Node* { return new ACLExtUser(new ACLUserData, name); });
270  RegisterMaker("ext_user_regex", [](TypeName name)->Node* { return new ACLExtUser(new ACLRegexData, name); });
271  RegisterMaker("proxy_auth", [](TypeName name)->Node* { return new ACLProxyAuth(new ACLUserData, name); });
272  RegisterMaker("proxy_auth_regex", [](TypeName name)->Node* { return new ACLProxyAuth(new ACLRegexData, name); });
273  RegisterMaker("max_user_ip", [](TypeName name)->Node* { return new ACLMaxUserIP(name); });
274 #endif
275 
276 #if USE_ADAPTATION
277  RegisterMaker("adaptation_service", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AdaptationServiceCheck>(name, new ACLAdaptationServiceData); });
278 #endif
279 
280 #if SQUID_SNMP
281  RegisterMaker("snmp_community", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SnmpCommunityCheck>(name, new ACLStringData); });
282 #endif
283 }
284 
Acl::AnyOf
Configurable any-of ACL. Each ACL line is a disjuction of ACLs.
Definition: AnyOf.h:18
Acl::FinalizedParameterizedNode::typeString
const char * typeString() const override
Definition: AclRegs.cc:151
snmp_core.h
Acl::FinalizedParameterizedNode::PreferredAllocatorLabelSuffix
static const char * PreferredAllocatorLabelSuffix
if set, overrules FinalizePoolLabel() argument
Definition: AclRegs.cc:172
Acl::RegisterMaker
void RegisterMaker(TypeName typeName, Maker maker)
use the given Acl::Node Maker for all ACLs of the named type
Definition: Acl.cc:92
Acl::TransactionInitiator
transaction_initiator ACL
Definition: TransactionInitiator.h:20
Acl::FinalizedParameterizedNode::FinalizePoolLabel
static void FinalizePoolLabel(const TypeName typeName)
Definition: AclRegs.cc:160
Ssl::GetX509Fingerprint
GETX509ATTRIBUTE GetX509Fingerprint
Definition: support.h:124
SBufToCstring
void SBufToCstring(char *d, const SBuf &s)
Definition: SBuf.h:756
Ssl::GetX509CAAttribute
GETX509ATTRIBUTE GetX509CAAttribute
Definition: support.h:118
Acl
Definition: Acl.cc:33
Acl::FinalizedParameterizedNode::PreferAllocatorLabelPrefix
static void PreferAllocatorLabelPrefix(const char *const suffix)
Definition: AclRegs.cc:130
ACLEui64
Definition: Eui64.h:17
assert
#define assert(EX)
Definition: assert.h:17
Acl::FinalizedParameterizedNode::Parameters
typename Parent::Parameters Parameters
Definition: AclRegs.cc:119
Assure
#define Assure(condition)
Definition: Assure.h:35
ACLARP
Definition: Arp.h:18
Acl::FinalizedParameterizedNode::FinalPoolLabel
static const char * FinalPoolLabel
custom allocator label set by FinalizePoolLabel()
Definition: AclRegs.cc:175
Acl::Node
Definition: Node.h:25
Ssl::GetX509UserAttribute
GETX509ATTRIBUTE GetX509UserAttribute
Definition: support.h:115
Acl::TypeName
const char * TypeName
the ACL type name known to admins
Definition: Acl.h:24
ToSBuf
SBuf ToSBuf(Args &&... args)
slowly stream-prints all arguments into a freshly allocated SBuf
Definition: Stream.h:63
Acl::FinalizedParameterizedNode::typeName_
TypeName typeName_
the "acltype" name in its canonical spelling
Definition: AclRegs.cc:179
Acl::FinalizedParameterizedNode::MEMPROXY_CLASS
MEMPROXY_CLASS(FinalizedParameterizedNode< Parent >)
Acl::FinalizedParameterizedNode::FinalizedParameterizedNode
FinalizedParameterizedNode(TypeName typeName, Parameters *const params)
Definition: AclRegs.cc:138
Acl::FinalizedParameterizedNode::~FinalizedParameterizedNode
~FinalizedParameterizedNode() override=default
Acl::Init
void Init(void)
prepares to parse ACLs configuration
Definition: AclRegs.cc:186

 

Introduction

Documentation

Support

Miscellaneous