Acl.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 28 Access Control */
10 
11 #include "squid.h"
12 #include "acl/Acl.h"
13 #include "acl/Checklist.h"
14 #include "acl/Gadgets.h"
15 #include "acl/Options.h"
16 #include "anyp/PortCfg.h"
17 #include "cache_cf.h"
18 #include "ConfigParser.h"
19 #include "Debug.h"
20 #include "fatal.h"
21 #include "globals.h"
22 #include "profiler/Profiler.h"
23 #include "sbuf/List.h"
24 #include "sbuf/Stream.h"
25 #include "SquidConfig.h"
26 
27 #include <algorithm>
28 #include <map>
29 
30 const char *AclMatchedName = NULL;
31 
32 namespace Acl {
33 
35 class TypeNameCmp {
36 public:
37  bool operator()(TypeName a, TypeName b) const { return strcmp(a, b) < 0; }
38 };
39 
41 typedef std::map<TypeName, Maker, TypeNameCmp> Makers;
42 
44 static Makers &
46 {
47  static Makers Registry;
48  return Registry;
49 }
50 
52 static
53 ACL *
54 Make(TypeName typeName)
55 {
56  const auto pos = TheMakers().find(typeName);
57  if (pos == TheMakers().end()) {
58  debugs(28, DBG_CRITICAL, "FATAL: Invalid ACL type '" << typeName << "'");
59  self_destruct();
60  assert(false); // not reached
61  }
62 
63  ACL *result = (pos->second)(pos->first);
64  debugs(28, 4, typeName << '=' << result);
65  assert(result);
66  return result;
67 }
68 
69 } // namespace Acl
70 
71 void
73 {
74  assert(typeName);
75  assert(*typeName);
76  TheMakers().emplace(typeName, maker);
77 }
78 
79 void *
80 ACL::operator new (size_t)
81 {
82  fatal ("unusable ACL::new");
83  return (void *)1;
84 }
85 
86 void
87 ACL::operator delete (void *)
88 {
89  fatal ("unusable ACL::delete");
90 }
91 
92 ACL *
93 ACL::FindByName(const char *name)
94 {
95  ACL *a;
96  debugs(28, 9, "ACL::FindByName '" << name << "'");
97 
98  for (a = Config.aclList; a; a = a->next)
99  if (!strcasecmp(a->name, name))
100  return a;
101 
102  debugs(28, 9, "ACL::FindByName found no match");
103 
104  return NULL;
105 }
106 
108  cfgline(nullptr),
109  next(nullptr),
110  registered(false)
111 {
112  *name = 0;
113 }
114 
115 bool ACL::valid () const
116 {
117  return true;
118 }
119 
120 bool
121 ACL::matches(ACLChecklist *checklist) const
122 {
123  PROF_start(ACL_matches);
124  debugs(28, 5, "checking " << name);
125 
126  // XXX: AclMatchedName does not contain a matched ACL name when the acl
127  // does not match. It contains the last (usually leaf) ACL name checked
128  // (or is NULL if no ACLs were checked).
130 
131  int result = 0;
132  if (!checklist->hasAle() && requiresAle()) {
133  debugs(28, DBG_IMPORTANT, "WARNING: " << name << " ACL is used in " <<
134  "context without an ALE state. Assuming mismatch.");
135  } else if (!checklist->hasRequest() && requiresRequest()) {
136  debugs(28, DBG_IMPORTANT, "WARNING: " << name << " ACL is used in " <<
137  "context without an HTTP request. Assuming mismatch.");
138  } else if (!checklist->hasReply() && requiresReply()) {
139  debugs(28, DBG_IMPORTANT, "WARNING: " << name << " ACL is used in " <<
140  "context without an HTTP response. Assuming mismatch.");
141  } else {
142  // make sure the ALE has as much data as possible
143  if (requiresAle())
144  checklist->syncAle();
145 
146  // have to cast because old match() API is missing const
147  result = const_cast<ACL*>(this)->match(checklist);
148  }
149 
150  const char *extra = checklist->asyncInProgress() ? " async" : "";
151  debugs(28, 3, "checked: " << name << " = " << result << extra);
152  PROF_stop(ACL_matches);
153  return result == 1; // true for match; false for everything else
154 }
155 
156 void
157 ACL::context(const char *aName, const char *aCfgLine)
158 {
159  name[0] = '\0';
160  if (aName)
161  xstrncpy(name, aName, ACL_NAME_SZ-1);
163  if (aCfgLine)
164  cfgline = xstrdup(aCfgLine);
165 }
166 
167 void
169 {
170  /* we're already using strtok() to grok the line */
171  char *t = NULL;
172  ACL *A = NULL;
173  LOCAL_ARRAY(char, aclname, ACL_NAME_SZ);
174  int new_acl = 0;
175 
176  /* snarf the ACL name */
177 
178  if ((t = ConfigParser::NextToken()) == NULL) {
179  debugs(28, DBG_CRITICAL, "aclParseAclLine: missing ACL name.");
180  parser.destruct();
181  return;
182  }
183 
184  if (strlen(t) >= ACL_NAME_SZ) {
185  debugs(28, DBG_CRITICAL, "aclParseAclLine: aclParseAclLine: ACL name '" << t <<
186  "' too long, max " << ACL_NAME_SZ - 1 << " characters supported");
187  parser.destruct();
188  return;
189  }
190 
191  xstrncpy(aclname, t, ACL_NAME_SZ);
192  /* snarf the ACL type */
193  const char *theType;
194 
195  if ((theType = ConfigParser::NextToken()) == NULL) {
196  debugs(28, DBG_CRITICAL, "aclParseAclLine: missing ACL type.");
197  parser.destruct();
198  return;
199  }
200 
201  // Is this ACL going to work?
202  if (strcmp(theType, "myip") == 0) {
204  while (p != NULL) {
205  // Bug 3239: not reliable when there is interception traffic coming
206  if (p->flags.natIntercept)
207  debugs(28, DBG_CRITICAL, "WARNING: 'myip' ACL is not reliable for interception proxies. Please use 'myportname' instead.");
208  p = p->next;
209  }
210  debugs(28, DBG_IMPORTANT, "UPGRADE: ACL 'myip' type is has been renamed to 'localip' and matches the IP the client connected to.");
211  theType = "localip";
212  } else if (strcmp(theType, "myport") == 0) {
214  while (p != NULL) {
215  // Bug 3239: not reliable when there is interception traffic coming
216  // Bug 3239: myport - not reliable (yet) when there is interception traffic coming
217  if (p->flags.natIntercept)
218  debugs(28, DBG_CRITICAL, "WARNING: 'myport' ACL is not reliable for interception proxies. Please use 'myportname' instead.");
219  p = p->next;
220  }
221  theType = "localport";
222  debugs(28, DBG_IMPORTANT, "UPGRADE: ACL 'myport' type is has been renamed to 'localport' and matches the port the client connected to.");
223  } else if (strcmp(theType, "proto") == 0 && strcmp(aclname, "manager") == 0) {
224  // ACL manager is now a built-in and has a different type.
225  debugs(28, DBG_PARSE_NOTE(DBG_IMPORTANT), "UPGRADE: ACL 'manager' is now a built-in ACL. Remove it from your config file.");
226  return; // ignore the line
227  }
228 
229  if ((A = FindByName(aclname)) == NULL) {
230  debugs(28, 3, "aclParseAclLine: Creating ACL '" << aclname << "'");
231  A = Acl::Make(theType);
232  A->context(aclname, config_input_line);
233  new_acl = 1;
234  } else {
235  if (strcmp (A->typeString(),theType) ) {
236  debugs(28, DBG_CRITICAL, "aclParseAclLine: ACL '" << A->name << "' already exists with different type.");
237  parser.destruct();
238  return;
239  }
240 
241  debugs(28, 3, "aclParseAclLine: Appending to '" << aclname << "'");
242  new_acl = 0;
243  }
244 
245  /*
246  * Here we set AclMatchedName in case we need to use it in a
247  * warning message in aclDomainCompare().
248  */
249  AclMatchedName = A->name; /* ugly */
250 
251  A->parseFlags();
252 
253  /*split the function here */
254  A->parse();
255 
256  /*
257  * Clear AclMatchedName from our temporary hack
258  */
259  AclMatchedName = NULL; /* ugly */
260 
261  if (!new_acl)
262  return;
263 
264  if (A->empty()) {
265  debugs(28, DBG_CRITICAL, "Warning: empty ACL: " << A->cfgline);
266  }
267 
268  if (!A->valid()) {
269  fatalf("ERROR: Invalid ACL: %s\n",
270  A->cfgline);
271  }
272 
273  // add to the global list for searching explicit ACLs by name
274  assert(head && *head == Config.aclList);
275  A->next = *head;
276  *head = A;
277 
278  // register for centralized cleanup
279  aclRegister(A);
280 }
281 
282 bool
284 {
285  return false;
286 }
287 
288 void
290 {
291  // ACL kids that carry ACLData which supports parameter flags override this
293 }
294 
295 SBufList
297 {
298  SBufList result;
299  const auto &myOptions = options();
300  // optimization: most ACLs do not have myOptions
301  // this check also works around dump_SBufList() adding ' ' after empty items
302  if (!myOptions.empty()) {
303  SBufStream stream;
304  stream << myOptions;
305  const SBuf optionsImage = stream.buf();
306  if (!optionsImage.isEmpty())
307  result.push_back(optionsImage);
308  }
309  return result;
310 }
311 
312 /* ACL result caching routines */
313 
314 int
316 {
317  /* This is a fatal to ensure that cacheMatchAcl calls are _only_
318  * made for supported acl types */
319  fatal("aclCacheMatchAcl: unknown or unexpected ACL type");
320  return 0; /* NOTREACHED */
321 }
322 
323 /*
324  * we lookup an acl's cached results, and if we cannot find the acl being
325  * checked we check it and cache the result. This function is a template
326  * method to support caching of multiple acl types.
327  * Note that caching of time based acl's is not
328  * wise in long lived caches (i.e. the auth_user proxy match cache)
329  * RBC
330  * TODO: does a dlink_list perform well enough? Kinkie
331  */
332 int
334 {
335  acl_proxy_auth_match_cache *auth_match;
336  dlink_node *link;
337  link = cache->head;
338 
339  while (link) {
340  auth_match = (acl_proxy_auth_match_cache *)link->data;
341 
342  if (auth_match->acl_data == this) {
343  debugs(28, 4, "ACL::cacheMatchAcl: cache hit on acl '" << name << "' (" << this << ")");
344  return auth_match->matchrv;
345  }
346 
347  link = link->next;
348  }
349 
350  auth_match = new acl_proxy_auth_match_cache(matchForCache(checklist), this);
351  dlinkAddTail(auth_match, &auth_match->link, cache);
352  debugs(28, 4, "ACL::cacheMatchAcl: miss for '" << name << "'. Adding result " << auth_match->matchrv);
353  return auth_match->matchrv;
354 }
355 
356 void
358 {
359  acl_proxy_auth_match_cache *auth_match;
360  dlink_node *link, *tmplink;
361  link = cache->head;
362 
363  debugs(28, 8, "aclCacheMatchFlush called for cache " << cache);
364 
365  while (link) {
366  auth_match = (acl_proxy_auth_match_cache *)link->data;
367  tmplink = link;
368  link = link->next;
369  dlinkDelete(tmplink, cache);
370  delete auth_match;
371  }
372 }
373 
374 bool
376 {
377  return false;
378 }
379 
380 bool
382 {
383  return false;
384 }
385 
386 bool
388 {
389  return false;
390 }
391 
392 /*********************/
393 /* Destroy functions */
394 /*********************/
395 
397 {
398  debugs(28, 3, "freeing ACL " << name);
400  AclMatchedName = NULL; // in case it was pointing to our name
401 }
402 
403 void
405 {
406  ACL *a = Config.aclList;
407  debugs(53, 3, "ACL::Initialize");
408 
409  while (a) {
410  a->prepareForUse();
411  a = a->next;
412  }
413 }
414 
bool asyncInProgress() const
async call has been started and has not finished (or failed) yet
Definition: Checklist.h:149
int cacheMatchAcl(dlink_list *cache, ACLChecklist *)
Definition: Acl.cc:333
#define assert(EX)
Definition: assert.h:17
virtual void syncAle() const =0
virtual const Acl::Options & options()
Definition: Acl.h:63
Definition: SBuf.h:87
void aclCacheMatchFlush(dlink_list *cache)
Definition: Acl.cc:357
void self_destruct(void)
Definition: cache_cf.cc:255
#define xstrdup
Definition: Acl.h:39
#define safe_free(x)
Definition: xalloc.h:73
virtual bool hasAle() const =0
ACL *(* Maker)(TypeName typeName)
a "factory" function for making ACL objects (of some ACL child type)
Definition: Acl.h:29
bool isEmpty() const
Definition: SBuf.h:422
#define DBG_CRITICAL
Definition: Debug.h:44
char * p
Definition: membanger.c:43
virtual ~ACL()
Definition: Acl.cc:396
#define DBG_PARSE_NOTE(x)
Definition: Debug.h:49
AnyP::PortCfgPointer HttpPortList
list of Squid http(s)_port configured
Definition: PortCfg.cc:21
std::map< TypeName, Maker, TypeNameCmp > Makers
ACL makers indexed by ACL type name.
Definition: Acl.cc:41
void fatalf(const char *fmt,...)
Definition: fatal.cc:79
const char * TypeName
the ACL type name known to admins
Definition: Acl.h:27
virtual bool requiresAle() const
whether our (i.e. shallow) match() requires checklist to have a AccessLogEntry
Definition: Acl.cc:375
const ParameterFlags & NoFlags()
Definition: Options.cc:254
SBufList dumpOptions()
Definition: Acl.cc:296
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:123
#define DBG_IMPORTANT
Definition: Debug.h:45
ACL * next
Definition: Acl.h:85
bool matches(ACLChecklist *checklist) const
Definition: Acl.cc:121
#define ACL_NAME_SZ
Definition: forward.h:40
virtual bool hasRequest() const =0
void ParseFlags(const Options &options, const ParameterFlags &flags)
Definition: Options.cc:240
bool operator()(TypeName a, TypeName b) const
Definition: Acl.cc:37
static ACL * FindByName(const char *name)
Definition: Acl.cc:93
static char * NextToken()
char * xstrncpy(char *dst, const char *src, size_t n)
Definition: xstring.cc:37
void fatal(const char *message)
Definition: fatal.cc:39
virtual int match(ACLChecklist *checklist)=0
Matches the actual data in checklist against this ACL.
class ACL * aclList
Definition: SquidConfig.h:352
static ACL * Make(TypeName typeName)
creates an ACL object of the named (and already registered) ACL child type
Definition: Acl.cc:54
const char * AclMatchedName
Definition: Acl.cc:30
#define LOCAL_ARRAY(type, name, size)
Definition: leakcheck.h:18
ACL()
Definition: Acl.cc:107
static void Initialize()
Definition: Acl.cc:404
std::list< SBuf > SBufList
Definition: forward.h:26
static void ParseAclLine(ConfigParser &parser, ACL **head)
Definition: Acl.cc:168
virtual bool valid() const
Definition: Acl.cc:115
char * cfgline
Definition: Acl.h:84
static uint32 A
Definition: md4.c:43
void aclRegister(ACL *acl)
Definition: Gadgets.cc:229
char config_input_line[BUFSIZ]
virtual bool hasReply() const =0
#define PROF_start(probename)
Definition: Profiler.h:62
ACL type name comparison functor.
Definition: Acl.cc:35
void RegisterMaker(TypeName typeName, Maker maker)
use the given ACL Maker for all ACLs of the named type
Definition: Acl.cc:72
void destruct()
Definition: ConfigParser.cc:34
int const char size_t
Definition: stub_liblog.cc:84
virtual void parse()=0
parses node represenation in squid.conf; dies on failures
int a
Definition: membanger.c:50
char name[ACL_NAME_SZ]
Definition: Acl.h:83
#define PROF_stop(probename)
Definition: Profiler.h:63
virtual bool isProxyAuth() const
Definition: Acl.cc:283
virtual bool requiresRequest() const
whether our (i.e. shallow) match() requires checklist to have a request
Definition: Acl.cc:387
virtual int matchForCache(ACLChecklist *checklist)
Definition: Acl.cc:315
static Makers & TheMakers()
registered ACL Makers
Definition: Acl.cc:45
virtual void prepareForUse()
Definition: Acl.h:79
virtual char const * typeString() const =0
virtual bool empty() const =0
SBuf buf()
Retrieve a copy of the current stream status.
Definition: Stream.h:105
void context(const char *name, const char *configuration)
sets user-specified ACL name and squid.conf context
Definition: Acl.cc:157
virtual bool requiresReply() const
whether our (i.e. shallow) match() requires checklist to have a reply
Definition: Acl.cc:381
class SquidConfig Config
Definition: SquidConfig.cc:12
squidaio_request_t * head
Definition: aiops.cc:127
#define NULL
Definition: types.h:166
virtual void parseFlags()
configures ACL options, throwing on configuration errors
Definition: Acl.cc:289
#define false
Definition: GnuRegex.c:233

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors