Gadgets.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/*
10 * DEBUG: section 28 Access Control
11 *
12 * This file contains ACL routines that are not part of the
13 * ACL class, nor any other class yet, and that need to be
14 * factored into appropriate places. They are here to reduce
15 * unneeded dependencies between the ACL class and the rest
16 * of squid.
17 */
18
19#include "squid.h"
20#include "acl/AclDenyInfoList.h"
21#include "acl/Gadgets.h"
22#include "acl/Tree.h"
23#include "cache_cf.h"
24#include "ConfigParser.h"
25#include "errorpage.h"
26#include "globals.h"
27#include "HttpRequest.h"
28#include "src/sbuf/Stream.h"
29
30#include <set>
31#include <algorithm>
32
33typedef std::set<ACL*> AclSet;
35static AclSet *RegisteredAcls; // TODO: Remove when ACLs are refcounted
36
37/* does name lookup, returns page_id */
38err_type
39aclGetDenyInfoPage(AclDenyInfoList ** head, const char *name, int redirect_allowed)
40{
41 if (!name) {
42 debugs(28, 3, "ERR_NONE due to a NULL name");
43 return ERR_NONE;
44 }
45
46 AclDenyInfoList *A = nullptr;
47
48 debugs(28, 8, "got called for " << name);
49
50 for (A = *head; A; A = A->next) {
51 if (!redirect_allowed && strchr(A->err_page_name, ':') ) {
52 debugs(28, 8, "Skip '" << A->err_page_name << "' 30x redirects not allowed as response here.");
53 continue;
54 }
55
56 for (const auto &aclName: A->acl_list) {
57 if (aclName.cmp(name) == 0) {
58 debugs(28, 8, "match on " << name);
59 return A->err_page_id;
60 }
61 }
62 }
63
64 debugs(28, 8, "aclGetDenyInfoPage: no match");
65 return ERR_NONE;
66}
67
68/* does name lookup, returns if it is a proxy_auth acl */
69int
70aclIsProxyAuth(const char *name)
71{
72 if (!name) {
73 debugs(28, 3, "false due to a NULL name");
74 return false;
75 }
76
77 debugs(28, 5, "aclIsProxyAuth: called for " << name);
78
79 ACL *a;
80
81 if ((a = ACL::FindByName(name))) {
82 debugs(28, 5, "aclIsProxyAuth: returning " << a->isProxyAuth());
83 return a->isProxyAuth();
84 }
85
86 debugs(28, 3, "aclIsProxyAuth: WARNING, called for nonexistent ACL");
87 return false;
88}
89
90/* maex@space.net (05.09.96)
91 * get the info for redirecting "access denied" to info pages
92 * TODO (probably ;-)
93 * currently there is no optimization for
94 * - more than one deny_info line with the same url
95 * - a check, whether the given acl really is defined
96 * - a check, whether an acl is added more than once for the same url
97 */
98
99void
100aclParseDenyInfoLine(AclDenyInfoList ** head)
101{
102 char *t = nullptr;
103 AclDenyInfoList *B;
104 AclDenyInfoList **T;
105
106 /* first expect a page name */
107
108 if ((t = ConfigParser::NextToken()) == nullptr) {
109 debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
110 debugs(28, DBG_CRITICAL, "ERROR: aclParseDenyInfoLine: missing 'error page' parameter.");
111 return;
112 }
113
114 const auto A = new AclDenyInfoList(t, ConfigParser::CurrentLocation());
115
116 /* next expect a list of ACL names */
117 while ((t = ConfigParser::NextToken())) {
118 A->acl_list.emplace_back(t);
119 }
120
121 if (A->acl_list.empty()) {
122 debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
123 debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: deny_info line contains no ACL's, skipping");
124 delete A;
125 return;
126 }
127
128 for (B = *head, T = head; B; T = &B->next, B = B->next)
129
130 ; /* find the tail */
131 *T = A;
132}
133
134void
135aclParseAccessLine(const char *directive, ConfigParser &, acl_access **treep)
136{
137 /* first expect either 'allow' or 'deny' */
138 const char *t = ConfigParser::NextToken();
139
140 if (!t) {
141 debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
142 debugs(28, DBG_CRITICAL, "ERROR: aclParseAccessLine: missing 'allow' or 'deny'.");
143 return;
144 }
145
146 auto action = Acl::Answer(ACCESS_DUNNO);
147 if (!strcmp(t, "allow"))
148 action = Acl::Answer(ACCESS_ALLOWED);
149 else if (!strcmp(t, "deny"))
150 action = Acl::Answer(ACCESS_DENIED);
151 else {
152 debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
153 debugs(28, DBG_CRITICAL, "aclParseAccessLine: expecting 'allow' or 'deny', got '" << t << "'.");
154 return;
155 }
156
157 const int ruleId = ((treep && *treep) ? (*treep)->childrenCount() : 0) + 1;
158 MemBuf ctxBuf;
159 ctxBuf.init();
160 ctxBuf.appendf("%s#%d", directive, ruleId);
161 ctxBuf.terminate();
162
163 Acl::AndNode *rule = new Acl::AndNode;
164 rule->context(ctxBuf.content(), config_input_line);
165 rule->lineParse();
166 if (rule->empty()) {
167 debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
168 debugs(28, DBG_CRITICAL, "aclParseAccessLine: Access line contains no ACL's, skipping");
169 delete rule;
170 return;
171 }
172
173 /* Append to the end of this list */
174
175 assert(treep);
176 if (!*treep) {
177 *treep = new Acl::Tree;
178 (*treep)->context(directive, config_input_line);
179 }
180
181 (*treep)->add(rule, action);
182
183 /* We lock _acl_access structures in ACLChecklist::matchNonBlocking() */
184}
185
186// aclParseAclList does not expect or set actions (cf. aclParseAccessLine)
187size_t
188aclParseAclList(ConfigParser &, Acl::Tree **treep, const char *label)
189{
190 // accommodate callers unable to convert their ACL list context to string
191 if (!label)
192 label = "...";
193
194 MemBuf ctxLine;
195 ctxLine.init();
196 ctxLine.appendf("(%s %s line)", cfg_directive, label);
197 ctxLine.terminate();
198
199 Acl::AndNode *rule = new Acl::AndNode;
200 rule->context(ctxLine.content(), config_input_line);
201 const auto aclCount = rule->lineParse();
202
203 MemBuf ctxTree;
204 ctxTree.init();
205 ctxTree.appendf("%s %s", cfg_directive, label);
206 ctxTree.terminate();
207
208 // We want a cbdata-protected Tree (despite giving it only one child node).
209 Acl::Tree *tree = new Acl::Tree;
210 tree->add(rule);
211 tree->context(ctxTree.content(), config_input_line);
212
213 assert(treep);
214 assert(!*treep);
215 *treep = tree;
216
217 return aclCount;
218}
219
220void
221aclRegister(ACL *acl)
222{
223 if (!acl->registered) {
224 if (!RegisteredAcls)
225 RegisteredAcls = new AclSet;
226 RegisteredAcls->insert(acl);
227 acl->registered = true;
228 }
229}
230
232static
233void
234aclDeregister(ACL *acl)
235{
236 if (acl->registered) {
237 if (RegisteredAcls)
238 RegisteredAcls->erase(acl);
239 acl->registered = false;
240 }
241}
242
243/*********************/
244/* Destroy functions */
245/*********************/
246
248void
249aclDestroyAcls(ACL ** head)
250{
251 *head = nullptr; // Config.aclList
252 if (AclSet *acls = RegisteredAcls) {
253 debugs(28, 8, "deleting all " << acls->size() << " ACLs");
254 while (!acls->empty()) {
255 ACL *acl = *acls->begin();
256 // We use centralized deletion (this function) so ~ACL should not
257 // delete other ACLs, but we still deregister first to prevent any
258 // accesses to the being-deleted ACL via RegisteredAcls.
259 assert(acl->registered); // make sure we are making progress
260 aclDeregister(acl);
261 delete acl;
262 }
263 }
264}
265
266void
267aclDestroyAclList(ACLList **list)
268{
269 debugs(28, 8, "aclDestroyAclList: invoked");
270 assert(list);
271 delete *list;
272 *list = nullptr;
273}
274
275void
276aclDestroyAccessList(acl_access ** list)
277{
278 assert(list);
279 if (*list)
280 debugs(28, 3, "destroying: " << *list << ' ' << (*list)->name);
281 delete *list;
282 *list = nullptr;
283}
284
285/* maex@space.net (06.09.1996)
286 * destroy an AclDenyInfoList */
287
288void
289aclDestroyDenyInfoList(AclDenyInfoList ** list)
290{
291 AclDenyInfoList *a = nullptr;
292 AclDenyInfoList *a_next = nullptr;
293
294 debugs(28, 8, "aclDestroyDenyInfoList: invoked");
295
296 for (a = *list; a; a = a_next) {
297 a_next = a->next;
298 delete a;
299 }
300
301 *list = nullptr;
302}
303
aclParseAccessLine
void aclParseAccessLine(const char *directive, ConfigParser &, acl_access **treep)
Definition: Gadgets.cc:135
aclDeregister
static void aclDeregister(ACL *acl)
remove registered acl from the centralized deletion set
Definition: Gadgets.cc:234
aclParseAclList
size_t aclParseAclList(ConfigParser &, Acl::Tree **treep, const char *label)
Definition: Gadgets.cc:188
AclSet
std::set< ACL * > AclSet
Definition: Gadgets.cc:33
RegisteredAcls
static AclSet * RegisteredAcls
Accumulates all ACLs to facilitate their clean deletion despite reuse.
Definition: Gadgets.cc:35
acl_access
#define acl_access
Definition: forward.h:45
ACLList
#define ACLList
Definition: forward.h:46
head
squidaio_request_t * head
Definition: aiops.cc:127
assert
#define assert(EX)
Definition: assert.h:17
cfg_directive
const char * cfg_directive
During parsing, the name of the current squid.conf directive being parsed.
Definition: cache_cf.cc:271
config_input_line
char config_input_line[BUFSIZ]
Definition: cache_cf.cc:274
cfg_filename
const char * cfg_filename
Definition: cache_cf.cc:272
config_lineno
int config_lineno
Definition: cache_cf.cc:273
cache_cf.h
ACL
Definition: Acl.h:46
ACL::context
void context(const char *name, const char *configuration)
sets user-specified ACL name and squid.conf context
Definition: Acl.cc:180
ACL::FindByName
static ACL * FindByName(const char *name)
Definition: Acl.cc:118
ACL::isProxyAuth
virtual bool isProxyAuth() const
Definition: Acl.cc:309
ACL::registered
bool registered
added to the global list of ACLs via aclRegister()
Definition: Acl.h:90
AclDenyInfoList
deny_info representation. Currently a POD.
Definition: AclDenyInfoList.h:20
AclDenyInfoList::next
AclDenyInfoList * next
Definition: AclDenyInfoList.h:40
Acl::InnerNode::empty
bool empty() const override
Definition: InnerNode.cc:29
Acl::InnerNode::lineParse
size_t lineParse()
Definition: InnerNode.cc:44
Acl::Tree
Definition: Tree.h:21
Acl::Tree::add
void add(ACL *rule, const Answer &action)
appends and takes control over the rule with a given action
Definition: Tree.cc:44
ConfigParser::CurrentLocation
static SBuf CurrentLocation()
Definition: ConfigParser.cc:216
ConfigParser::NextToken
static char * NextToken()
Definition: ConfigParser.cc:333
MemBuf
Definition: MemBuf.h:24
MemBuf::init
void init(mb_size_t szInit, mb_size_t szMax)
Definition: MemBuf.cc:93
MemBuf::content
char * content()
start of the added data
Definition: MemBuf.h:41
MemBuf::terminate
void terminate()
Definition: MemBuf.cc:241
Packable::appendf
void appendf(const char *fmt,...) PRINTF_FORMAT_ARG2
Append operation with printf-style arguments.
Definition: Packable.h:61
debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:194
DBG_CRITICAL
#define DBG_CRITICAL
Definition: Stream.h:37
err_type
err_type
Definition: forward.h:14
ERR_NONE
@ ERR_NONE
Definition: forward.h:15
aclDestroyAccessList
void aclDestroyAccessList(acl_access **list)
Definition: Gadgets.cc:276
aclDestroyAcls
void aclDestroyAcls(ACL **head)
called to delete ALL Acls.
Definition: Gadgets.cc:249
aclDestroyDenyInfoList
void aclDestroyDenyInfoList(AclDenyInfoList **list)
Definition: Gadgets.cc:289
aclGetDenyInfoPage
err_type aclGetDenyInfoPage(AclDenyInfoList **head, const char *name, int redirect_allowed)
Definition: Gadgets.cc:39
aclIsProxyAuth
int aclIsProxyAuth(const char *name)
Definition: Gadgets.cc:70
aclDestroyAclList
void aclDestroyAclList(ACLList **list)
Definition: Gadgets.cc:267
aclRegister
void aclRegister(ACL *acl)
Definition: Gadgets.cc:221
aclParseDenyInfoLine
void aclParseDenyInfoLine(AclDenyInfoList **head)
Definition: Gadgets.cc:100
ACCESS_DENIED
@ ACCESS_DENIED
Definition: Acl.h:115
ACCESS_ALLOWED
@ ACCESS_ALLOWED
Definition: Acl.h:116
ACCESS_DUNNO
@ ACCESS_DUNNO
Definition: Acl.h:117
A
static uint32 A
Definition: md4.c:43
B
static uint32 B
Definition: md4.c:43
action
static bool action(int fd, size_t metasize, const char *fn, const char *url, const SquidMetaList &meta)
Definition: purge.cc:315

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors