#include <FilledChecklist.h>

Inheritance diagram for ACLFilledChecklist:
Collaboration diagram for ACLFilledChecklist:

Public Member Functions

 ACLFilledChecklist ()

 ACLFilledChecklist (const acl_access *, HttpRequest *, const char *ident=nullptr)

 ~ACLFilledChecklist () override

void setRequest (HttpRequest *)
 configure client request-related fields for the first time

void setIdent (const char *userIdentity)
 configure rfc931 user identity for the first time

ConnStateData * conn () const
 The client connection manager.

int fd () const
 The client side fd. It uses conn() if available.

void setConn (ConnStateData *)
 set either conn

void fd (int aDescriptor)
 set the client side FD

bool destinationDomainChecked () const

void markDestinationDomainChecked ()

bool sourceDomainChecked () const

void markSourceDomainChecked ()

bool hasRequest () const override

bool hasReply () const override

bool hasAle () const override

void syncAle (HttpRequest *adaptedRequest, const char *logUri) const override
 assigns uninitialized adapted_request and url ALE components

void verifyAle () const override
 warns if there are uninitialized ALE components and fills them

void nonBlockingCheck (ACLCB *callback, void *callback_data)

Acl::Answer const & fastCheck ()

Acl::Answer const & fastCheck (const Acl::Tree *list)

bool goAsync (AsyncState *)

bool matchChild (const Acl::InnerNode *parent, Acl::Nodes::const_iterator pos, const ACL *child)

bool keepMatching () const
 Whether we should continue to match tree nodes or stop/pause.

bool finished () const
 whether markFinished() was called

bool asyncInProgress () const
 async call has been started and has not finished (or failed) yet

void markFinished (const Acl::Answer &newAnswer, const char *reason)

const Acl::Answer & currentAnswer () const

bool bannedAction (const Acl::Answer &action) const
 whether the action is banned or not

void banAction (const Acl::Answer &action)
 add action to the list of banned actions

const Acl::Tree * changeAcl (const Acl::Tree *t)

void resumeNonBlockingCheck (AsyncState *state)


Public Attributes

Ip::Address src_addr

Ip::Address dst_addr

Ip::Address my_addr

SBuf dst_peer_name

char * dst_rdns

HttpRequest::Pointer request

HttpReply * reply

char rfc931 [USER_IDENT_SZ]

Auth::UserRequest::Pointer auth_user_request

char * snmp_community

CbcPointer< Security::CertErrors > sslErrors

Security::CertPointer serverCert

AccessLogEntry::Pointer al
 info for the future access.log, and external ACL

ExternalACLEntryPointer extacl_entry

err_type requestErrorType

ACLCB * callback

void * callback_data


Private Types

enum  NodeMatchingResult {
  nmrMatch ,
  nmrMismatch ,
  nmrFinished ,
  nmrNeedsAsync
}
 possible outcomes when trying to match a single ACL node in a list

enum  AsyncStage {
  asyncNone ,
  asyncStarting ,
  asyncRunning ,
  asyncFailed
}


Private Member Functions

 CBDATA_CLASS (ACLFilledChecklist)

 ACLFilledChecklist (const ACLFilledChecklist &)
 not implemented; will cause link failures if used

ACLFilledChecklist & operator= (const ACLFilledChecklist &)
 not implemented; will cause link failures if used

void checkCallback (Acl::Answer answer)
 Calls non-blocking check callback with the answer and destroys self.

void matchAndFinish ()
 performs (or resumes) an ACL tree match and, if successful, sets the action

void changeState (AsyncState *)

AsyncState * asyncState () const

void preCheck (const char *what)
 prepare for checking ACLs; called once per check

bool prepNonBlocking ()
 common parts of nonBlockingCheck() and resumeNonBlockingCheck()

void completeNonBlocking ()

void calcImplicitAnswer ()

bool callerGone ()


Private Attributes

ConnStateData * conn_

int fd_

bool destinationDomainChecked_

bool sourceDomainChecked_

const Acl::Tree * accessList

bool asyncCaller_
 whether the caller supports async/slow ACLs

bool occupied_
 whether a check (fast or non-blocking) is in progress

bool finished_

Acl::Answer answer_

AsyncStage asyncStage_

AsyncState * state_

Breadcrumb matchLoc_
 location of the node running matches() now

Breadcrumb asyncLoc_
 currentNode_ that called goAsync()

unsigned asyncLoopDepth_
 how many times the current async state has resumed

std::stack< Breadcrumb > matchPath
 suspended (due to an async lookup) matches() in the ACL tree

std::vector< Acl::Answer > bannedActions_
 the list of actions which must be ignored during acl checks


Detailed Description

ACLChecklist filled with specific data, representing Squid and transaction state for access checks along with some data-specific checking methods

Definition at line 31 of file FilledChecklist.h.

Member Enumeration Documentation

◆ AsyncStage

enum ACLChecklist::AsyncStage
private inherited
Enumerator
asyncNone 
asyncStarting 
asyncRunning 
asyncFailed 

Definition at line 233 of file Checklist.h.

◆ NodeMatchingResult

enum ACLChecklist::NodeMatchingResult
private inherited
Enumerator
nmrMatch 
nmrMismatch 
nmrFinished 
nmrNeedsAsync 

Definition at line 219 of file Checklist.h.

Constructor & Destructor Documentation

◆ ACLFilledChecklist() [1/3]

ACLFilledChecklist::ACLFilledChecklist ( )

Definition at line 27 of file FilledChecklist.cc.

References dst_addr, my_addr, rfc931, Ip::Address::setEmpty(), and src_addr.

◆ ACLFilledChecklist() [2/3]

ACLFilledChecklist::ACLFilledChecklist ( const acl_access * A,
HttpRequest * http_request,
const char *  ident = nullptr 
)

◆ ~ACLFilledChecklist()

ACLFilledChecklist::~ACLFilledChecklist ( )
override

◆ ACLFilledChecklist() [3/3]

ACLFilledChecklist::ACLFilledChecklist ( const ACLFilledChecklist & )
private

Member Function Documentation

◆ asyncInProgress()

◆ asyncState()

ACLChecklist::AsyncState * ACLChecklist::asyncState ( ) const
private inherited

Definition at line 226 of file Checklist.cc.

References ACLChecklist::state_.

Referenced by ACLChecklist::resumeNonBlockingCheck().

◆ banAction()

void ACLChecklist::banAction ( const Acl::Answer & action)
inherited

◆ bannedAction()

bool ACLChecklist::bannedAction ( const Acl::Answer & action) const
inherited

Definition at line 387 of file Checklist.cc.

References action(), ACLChecklist::bannedActions_, and debugs.

Referenced by Acl::Tree::bannedAction().

◆ calcImplicitAnswer()

void ACLChecklist::calcImplicitAnswer ( )
private inherited

When no rules matched, the answer is the inversion of the last rule action (or ACCESS_DUNNO if the reversal is not possible).

Definition at line 363 of file Checklist.cc.

References ACCESS_ALLOWED, ACCESS_DENIED, ACCESS_DUNNO, ACLChecklist::accessList, cbdataReferenceValid(), debugs, Acl::Tree::lastAction(), and ACLChecklist::markFinished().

Referenced by ACLChecklist::completeNonBlocking(), and ACLChecklist::fastCheck().

◆ callerGone()

bool ACLChecklist::callerGone ( )
private inherited

Definition at line 381 of file Checklist.cc.

References ACLChecklist::callback_data, and cbdataReferenceValid().

Referenced by ACLChecklist::prepNonBlocking().

◆ CBDATA_CLASS()

ACLFilledChecklist::CBDATA_CLASS ( ACLFilledChecklist  )
private

◆ changeAcl()

const Acl::Tree * ACLChecklist::changeAcl ( const Acl::Tree * t)
inline inherited

change the current ACL list

Returns
a pointer to the old list value (may be nullptr)

Definition at line 176 of file Checklist.h.

References ACLChecklist::accessList, cbdataReference, and cbdataReferenceDone.

Referenced by ACLFilledChecklist(), ACLChecklist::~ACLChecklist(), ACLChecklist::fastCheck(), HttpStateData::forwardUpgrade(), and ConnStateData::whenClientIpKnown().

◆ changeState()

void ACLChecklist::changeState ( AsyncState * newState)
private inherited

◆ checkCallback()

◆ completeNonBlocking()

◆ conn()

◆ currentAnswer()

const Acl::Answer & ACLChecklist::currentAnswer ( ) const
inline inherited

Definition at line 156 of file Checklist.h.

References ACLChecklist::answer_.

Referenced by ACLChecklist::completeNonBlocking(), and ACLChecklist::fastCheck().

◆ destinationDomainChecked()

bool ACLFilledChecklist::destinationDomainChecked ( ) const

Definition at line 172 of file FilledChecklist.cc.

References destinationDomainChecked_.

Referenced by markDestinationDomainChecked().

◆ fastCheck() [1/2]

Acl::Answer const & ACLChecklist::fastCheck ( )
inherited

Perform a blocking (immediate) check for a list of allow/deny rules. Each rule comes with a list of ACLs.

The first rule where all ACLs match wins. If there is such a rule, the result becomes that rule keyword (ACCESS_ALLOWED or ACCESS_DENIED).

If there are rules but all ACL lists mismatch, an implicit rule is used. Its result is the negation of the keyword of the last seen rule.

Some ACLs may stop the check prematurely by setting an exceptional check result (e.g., ACCESS_AUTH_REQUIRED) instead of declaring a match or mismatch.

Some ACLs may require an async lookup which is prohibited by this method. In this case, the exceptional check result of ACCESS_DUNNO is immediately returned.

If there are no rules to check at all, the result becomes ACCESS_DUNNO.

Definition at line 332 of file Checklist.cc.

References ACLChecklist::accessList, ACLChecklist::asyncCaller_, ACLChecklist::calcImplicitAnswer(), cbdataReference, cbdataReferenceDone, cbdataReferenceValid(), ACLChecklist::currentAnswer(), debugs, ACLChecklist::finished(), ACLChecklist::matchAndFinish(), ACLChecklist::occupied_, and ACLChecklist::preCheck().

Referenced by accessLogLogTo(), aclFindNfMarkConfig(), aclMapTOS(), Client::blockCaching(), ConnStateData::buildSslCertGenerationParams(), HttpReply::calcMaxBodySize(), Adaptation::Icap::Launcher::canRepeat(), FwdState::connectStart(), DelayId::DelayClient(), HttpStateData::finishingBrokenPost(), HttpStateData::forwardUpgrade(), getOutgoingAddress(), HttpRequest::getRangeOffsetLimit(), HttpStateData::handle1xx(), Ftp::Server::handleUploadRequest(), htcpAccessAllowed(), httpHdrAdd(), httpHdrMangle(), icpAccessAllowed(), ClientHttpRequest::logRequest(), HttpRequest::manager(), Note::match(), StoreClient::onCollapsingPath(), peerAllowedToUse(), Http::One::Server::processParsedRequest(), ConnStateData::proxyProtocolValidateClient(), schemesConfig(), Ftp::Client::sendPassive(), ConnStateData::serveDelayedError(), Security::KeyLogger::shouldLog(), snmpDecodePacket(), ssl_verify_cb(), Security::PeerConnector::sslCrtvdCheckForErrors(), FwdState::Start(), ConnStateData::tunnelOnError(), tunnelStart(), and ConnStateData::whenClientIpKnown().

◆ fastCheck() [2/2]

Acl::Answer const & ACLChecklist::fastCheck ( const Acl::Tree * list)
inherited

Perform a blocking (immediate) check whether a list of ACLs matches. This method is meant to be used with squid.conf ACL-driven options that lack allow/deny keywords and are tested one ACL list at a time. Whether the checks for other occurrences of the same option continue after this call is up to the caller and option semantics.

If all ACLs match, the result becomes ACCESS_ALLOWED.

If all ACLs mismatch, the result becomes ACCESS_DENIED.

Some ACLs may stop the check prematurely by setting an exceptional check result (e.g., ACCESS_AUTH_REQUIRED) instead of declaring a match or mismatch.

Some ACLs may require an async lookup which is prohibited by this method. In this case, the exceptional check result of ACCESS_DUNNO is immediately returned.

If there are no ACLs to check at all, the result becomes ACCESS_ALLOWED.

Definition at line 307 of file Checklist.cc.

References ACCESS_DENIED, ACLChecklist::accessList, ACLChecklist::asyncCaller_, cbdataReferenceValid(), ACLChecklist::changeAcl(), ACLChecklist::currentAnswer(), ACLChecklist::finished(), ACLChecklist::markFinished(), ACLChecklist::matchAndFinish(), ACLChecklist::occupied_, and ACLChecklist::preCheck().
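As an added example (not Squid's own code), the following self-contained C++ model implements the first-match semantics that both fastCheck() overloads above document and that nonBlockingCheck() shares: the Transaction, Rule and matchAclList names and the sample ACLs are constructed for the illustration and stand in for Squid's real types. It also makes the implicit-rule consequence concrete, which is worth checking in any squid.conf review: a rule set whose last rule is a targeted deny implicitly allows every request it does not mention.

```cpp
#include <functional>
#include <string>
#include <vector>

// Check results named on this page (a model, not Squid's Acl::Answer).
enum Answer { ACCESS_DENIED, ACCESS_ALLOWED, ACCESS_DUNNO, ACCESS_AUTH_REQUIRED };
// Outcome of matching one ACL against a transaction (modelled, not Squid's ACL class).
enum AclResult { Mismatch, Match, NeedsAsync, AuthRequired };

struct Transaction { std::string srcIp; std::string dstDomain; bool authenticated; };
using Acl = std::function<AclResult(const Transaction &)>;
// One allow/deny rule: the keyword plus the ACLs that must all match.
struct Rule { Answer action; std::vector<Acl> acls; };

// Matches one ACL list as fastCheck(const Acl::Tree *) does: every ACL must match for
// ALLOWED, a mismatch gives DENIED, exceptional results end the check; an empty list is ALLOWED.
Answer matchAclList(const std::vector<Acl> &acls, const Transaction &tx) {
    for (const Acl &acl : acls) {
        switch (acl(tx)) {
        case Match:        continue;
        case Mismatch:     return ACCESS_DENIED;
        case NeedsAsync:   return ACCESS_DUNNO;         // async lookups are prohibited in a fast check
        case AuthRequired: return ACCESS_AUTH_REQUIRED; // ACL stopped the check prematurely
        }
    }
    return ACCESS_ALLOWED;
}

// Model of fastCheck() over allow/deny rules: the first rule whose ACLs all match wins;
// when every rule mismatches, calcImplicitAnswer() inverts the last rule's keyword.
Answer fastCheck(const std::vector<Rule> &rules, const Transaction &tx) {
    if (rules.empty())
        return ACCESS_DUNNO;            // nothing to check at all
    for (const Rule &rule : rules) {
        const Answer m = matchAclList(rule.acls, tx);
        if (m == ACCESS_ALLOWED)
            return rule.action;         // all ACLs matched: this rule's keyword is the answer
        if (m != ACCESS_DENIED)
            return m;                   // ACCESS_DUNNO or ACCESS_AUTH_REQUIRED: stop immediately
    }                                   // ACCESS_DENIED here only means "try the next rule"
    const Answer last = rules.back().action;
    if (last == ACCESS_ALLOWED) return ACCESS_DENIED;
    if (last == ACCESS_DENIED)  return ACCESS_ALLOWED;
    return ACCESS_DUNNO;                // reversal not possible
}

// Constructed sample ACLs standing in for Squid's src, dstdomain, proxy_auth and external types.
Acl srcIs(std::string ip)      { return [ip](const Transaction &t) { return t.srcIp == ip ? Match : Mismatch; }; }
Acl dstdomainIs(std::string d) { return [d](const Transaction &t) { return t.dstDomain == d ? Match : Mismatch; }; }
Acl proxyAuth()                { return [](const Transaction &t) { return t.authenticated ? Match : AuthRequired; }; }
Acl externalLookup()           { return [](const Transaction &) { return NeedsAsync; }; }
Acl all()                      { return [](const Transaction &) { return Match; }; }

// Rules ending in a targeted deny: a request matching none of them is implicitly ALLOWED.
Answer checkTrailingDeny(const Transaction &tx) {
    return fastCheck({{ACCESS_ALLOWED, {srcIs("10.0.0.5")}},
                      {ACCESS_DENIED,  {dstdomainIs("blocked.example")}}}, tx);
}
// The same rules closed with an explicit "deny all", so the implicit rule is never consulted.
Answer checkExplicitDenyAll(const Transaction &tx) {
    return fastCheck({{ACCESS_ALLOWED, {srcIs("10.0.0.5")}},
                      {ACCESS_DENIED,  {dstdomainIs("blocked.example")}},
                      {ACCESS_DENIED,  {all()}}}, tx);
}
```

Comparing checkTrailingDeny() and checkExplicitDenyAll() on a request from an unlisted client to an unlisted domain shows why the conventional closing "deny all" matters: without it the implicit rule turns the trailing deny into an allow.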

◆ fd() [1/2]

int ACLFilledChecklist::fd ( ) const

Definition at line 157 of file FilledChecklist.cc.

References conn(), and fd_.

◆ fd() [2/2]

void ACLFilledChecklist::fd ( int  aDescriptor)

Definition at line 164 of file FilledChecklist.cc.

References assert, conn(), and fd_.

◆ finished()

◆ goAsync()

◆ hasAle()

bool ACLFilledChecklist::hasAle ( ) const
inline override virtual

Implements ACLChecklist.

Definition at line 67 of file FilledChecklist.h.

References al.

◆ hasReply()

bool ACLFilledChecklist::hasReply ( ) const
inline override virtual

Implements ACLChecklist.

Definition at line 66 of file FilledChecklist.h.

References reply.

◆ hasRequest()

bool ACLFilledChecklist::hasRequest ( ) const
inline override virtual

Implements ACLChecklist.

Definition at line 65 of file FilledChecklist.h.

References request.

◆ keepMatching()

◆ markDestinationDomainChecked()

void ACLFilledChecklist::markDestinationDomainChecked ( )

◆ markFinished()

void ACLChecklist::markFinished ( const Acl::Answer & newAnswer,
const char *  reason 
)
inherited

called when no more ACLs should be checked; sets the final answer and prints a debugging message explaining the reason for that answer

Definition at line 57 of file Checklist.cc.

References ACLChecklist::answer_, assert, ACLChecklist::asyncInProgress(), debugs, ACLChecklist::finished(), and ACLChecklist::finished_.

Referenced by ACLChecklist::calcImplicitAnswer(), ACLChecklist::fastCheck(), ACLProxyAuth::match(), ACLExternal::match(), ACLIdent::match(), ACLMaxUserIP::match(), and ACLChecklist::matchAndFinish().

◆ markSourceDomainChecked()

void ACLFilledChecklist::markSourceDomainChecked ( )

◆ matchAndFinish()

◆ matchChild()

bool ACLChecklist::matchChild ( const Acl::InnerNode * parent,
Acl::Nodes::const_iterator  pos,
const ACL * child 
)
inherited

◆ nonBlockingCheck()

void ACLChecklist::nonBlockingCheck ( ACLCB * callback_,
void *  callback_data_ 
)
inherited

Start a non-blocking (async) check for a list of allow/deny rules. Each rule comes with a list of ACLs.

The callback specified will be called with the result of the check.

The first rule where all ACLs match wins. If there is such a rule, the result becomes that rule keyword (ACCESS_ALLOWED or ACCESS_DENIED).

If there are rules but all ACL lists mismatch, an implicit rule is used. Its result is the negation of the keyword of the last seen rule.

Some ACLs may stop the check prematurely by setting an exceptional check result (e.g., ACCESS_AUTH_REQUIRED) instead of declaring a match or mismatch.

If there are no rules to check at all, the result becomes ACCESS_DUNNO. Calling this method with no rules to check wastes a lot of CPU cycles and will result in a DBG_CRITICAL debugging message.

Kick off a non-blocking (slow) ACL access list test.

NP: this should probably be made Async now.

The ACL list should NEVER be NULL when calling this method. The caller should always check for NULL first and handle it as appropriate to its needs; we cannot select a sensible default for all callers here.

Definition at line 237 of file Checklist.cc.

References ACCESS_DUNNO, ACLChecklist::accessList, ACLChecklist::asyncCaller_, ACLChecklist::asyncInProgress(), ACLChecklist::callback, ACLChecklist::callback_data, cbdataReference, ACLChecklist::checkCallback(), ACLChecklist::completeNonBlocking(), DBG_CRITICAL, debugs, ACLChecklist::matchAndFinish(), ACLChecklist::preCheck(), and ACLChecklist::prepNonBlocking().

Referenced by Ssl::PeekingPeerConnector::checkForPeekAndSplice(), ClientRequestContext::checkNoCache(), ClientRequestContext::clientAccessCheck(), ClientRequestContext::clientAccessCheck2(), clientFollowXForwardedForCheck(), ClientRequestContext::clientRedirectStart(), ClientRequestContext::clientStoreIdStart(), ConnStateData::postHttpsAccept(), clientReplyContext::processReplyAccess(), PeerSelector::selectMore(), ClientRequestContext::sslBumpAccessCheck(), and ConnStateData::startPeekAndSplice().

◆ operator=()

ACLFilledChecklist & ACLFilledChecklist::operator= ( const ACLFilledChecklist & )
private

◆ preCheck()

void ACLChecklist::preCheck ( const char *  what)
private inherited

Called first (and once) by all checks to initialize their state.

Definition at line 67 of file Checklist.cc.

References AclMatchedName, assert, ACLChecklist::asyncLoopDepth_, debugs, ACLChecklist::finished_, and ACLChecklist::occupied_.

Referenced by ACLChecklist::fastCheck(), and ACLChecklist::nonBlockingCheck().

◆ prepNonBlocking()

bool ACLChecklist::prepNonBlocking ( )
private inherited

If the accessList is no longer valid (i.e. it has been freed because of a reconfigure), then bail with ACCESS_DUNNO.

Definition at line 20 of file Checklist.cc.

References ACCESS_DUNNO, ACLChecklist::accessList, assert, ACLChecklist::callerGone(), cbdataReferenceDone, cbdataReferenceValid(), ACLChecklist::checkCallback(), and debugs.

Referenced by ACLChecklist::nonBlockingCheck(), and ACLChecklist::resumeNonBlockingCheck().

◆ resumeNonBlockingCheck()

◆ setConn()

void ACLFilledChecklist::setConn ( ConnStateData * aConn)

◆ setIdent()

void ACLFilledChecklist::setIdent ( const char *  userIdentity)

◆ setRequest()

◆ sourceDomainChecked()

bool ACLFilledChecklist::sourceDomainChecked ( ) const

Definition at line 185 of file FilledChecklist.cc.

References sourceDomainChecked_.

Referenced by markSourceDomainChecked().

◆ syncAle()

◆ verifyAle()

Member Data Documentation

◆ accessList

◆ al

◆ answer_

Acl::Answer ACLChecklist::answer_
private inherited

Definition at line 231 of file Checklist.h.

Referenced by ACLChecklist::currentAnswer(), and ACLChecklist::markFinished().

◆ asyncCaller_

bool ACLChecklist::asyncCaller_
private inherited

◆ asyncLoc_

Breadcrumb ACLChecklist::asyncLoc_
private inherited

Definition at line 237 of file Checklist.h.

Referenced by ACLChecklist::goAsync(), and ACLChecklist::matchChild().

◆ asyncLoopDepth_

unsigned ACLChecklist::asyncLoopDepth_
private inherited

◆ asyncStage_

AsyncStage ACLChecklist::asyncStage_
private inherited

◆ auth_user_request

◆ bannedActions_

std::vector<Acl::Answer> ACLChecklist::bannedActions_
private inherited

Definition at line 245 of file Checklist.h.

Referenced by ACLChecklist::banAction(), and ACLChecklist::bannedAction().

◆ callback

ACLCB* ACLChecklist::callback
inherited

Definition at line 197 of file Checklist.h.

Referenced by ACLChecklist::checkCallback(), and ACLChecklist::nonBlockingCheck().

◆ callback_data

void* ACLChecklist::callback_data
inherited

◆ conn_

ConnStateData* ACLFilledChecklist::conn_
private

hack for ident and NTLM

Definition at line 108 of file FilledChecklist.h.

Referenced by ~ACLFilledChecklist(), conn(), and setConn().

◆ destinationDomainChecked_

bool ACLFilledChecklist::destinationDomainChecked_
private

Definition at line 110 of file FilledChecklist.h.

Referenced by destinationDomainChecked(), and markDestinationDomainChecked().

◆ dst_addr

◆ dst_peer_name

SBuf ACLFilledChecklist::dst_peer_name

◆ dst_rdns

char* ACLFilledChecklist::dst_rdns

Definition at line 76 of file FilledChecklist.h.

Referenced by ~ACLFilledChecklist().

◆ extacl_entry

ExternalACLEntryPointer ACLFilledChecklist::extacl_entry

Definition at line 103 of file FilledChecklist.h.

Referenced by aclMatchExternal(), and ExternalACLLookup::LookupDone().

◆ fd_

int ACLFilledChecklist::fd_
private

may be available when conn_ is not

Definition at line 109 of file FilledChecklist.h.

Referenced by fd().

◆ finished_

bool ACLChecklist::finished_
private inherited

◆ matchLoc_

Breadcrumb ACLChecklist::matchLoc_
private inherited

Definition at line 236 of file Checklist.h.

Referenced by ACLChecklist::goAsync(), and ACLChecklist::matchChild().

◆ matchPath

std::stack<Breadcrumb> ACLChecklist::matchPath
private inherited

◆ my_addr

◆ occupied_

bool ACLChecklist::occupied_
private inherited

◆ reply

◆ request

◆ requestErrorType

err_type ACLFilledChecklist::requestErrorType

Definition at line 105 of file FilledChecklist.h.

Referenced by ConnStateData::tunnelOnError().

◆ rfc931

◆ serverCert

Security::CertPointer ACLFilledChecklist::serverCert

Peer certificate being checked by ssl_verify_cb() and by Security::PeerConnector class. In other contexts, the peer certificate is retrieved via ALE or ConnStateData::serverBump.

Definition at line 99 of file FilledChecklist.h.

Referenced by Security::PeerConnector::fillChecklist(), and ssl_verify_cb().

◆ snmp_community

char* ACLFilledChecklist::snmp_community

Definition at line 86 of file FilledChecklist.h.

Referenced by snmpDecodePacket().

◆ sourceDomainChecked_

bool ACLFilledChecklist::sourceDomainChecked_
private

Definition at line 111 of file FilledChecklist.h.

Referenced by markSourceDomainChecked(), and sourceDomainChecked().

◆ src_addr

◆ sslErrors

CbcPointer<Security::CertErrors> ACLFilledChecklist::sslErrors

TLS server [certificate validation] errors, in undefined order. The errors are accumulated as Squid goes through validation steps and server certificates. They are cleared on connection retries. For sslproxy_cert_error checks, contains just the current/last error.

Definition at line 94 of file FilledChecklist.h.

Referenced by ConnStateData::fillConnectionLevelDetails(), ConnStateData::serveDelayedError(), ssl_verify_cb(), and Security::PeerConnector::sslCrtvdCheckForErrors().

◆ state_

AsyncState* ACLChecklist::state_
private inherited

Definition at line 235 of file Checklist.h.

Referenced by ACLChecklist::asyncState(), and ACLChecklist::changeState().


The documentation for this class was generated from the following files:
