AclRegs.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 #include "squid.h"
10 
11 #if USE_ADAPTATION
12 #include "acl/AdaptationService.h"
13 #include "acl/AdaptationServiceData.h"
14 #endif
15 #include "acl/AllOf.h"
16 #include "acl/AnnotateClient.h"
17 #include "acl/AnnotateTransaction.h"
18 #include "acl/AnnotationData.h"
19 #include "acl/AnyOf.h"
20 #if USE_SQUID_EUI
21 #include "acl/Arp.h"
22 #include "acl/Eui64.h"
23 #endif
24 #if USE_OPENSSL
25 #include "acl/AtStep.h"
26 #include "acl/AtStepData.h"
27 #endif
28 #include "acl/Asn.h"
29 #include "acl/Checklist.h"
30 #include "acl/ConnectionsEncrypted.h"
31 #include "acl/Data.h"
32 #include "acl/DestinationAsn.h"
33 #include "acl/DestinationDomain.h"
34 #include "acl/DestinationIp.h"
35 #include "acl/DomainData.h"
36 #if USE_LIBNETFILTERCONNTRACK
37 #include "acl/ConnMark.h"
38 #endif
39 #if USE_AUTH
40 #include "acl/ExtUser.h"
41 #endif
42 #include "acl/FilledChecklist.h"
43 #include "acl/forward.h"
44 #include "acl/Gadgets.h"
45 #include "acl/HasComponent.h"
46 #include "acl/HasComponentData.h"
47 #include "acl/HierCode.h"
48 #include "acl/HierCodeData.h"
49 #include "acl/HttpHeaderData.h"
50 #include "acl/HttpRepHeader.h"
51 #include "acl/HttpReqHeader.h"
52 #include "acl/HttpStatus.h"
53 #include "acl/IntRange.h"
54 #include "acl/Ip.h"
55 #include "acl/LocalIp.h"
56 #include "acl/LocalPort.h"
57 #include "acl/MaxConnection.h"
58 #include "acl/Method.h"
59 #include "acl/MethodData.h"
60 #include "acl/MyPortName.h"
61 #include "acl/Node.h"
62 #include "acl/Note.h"
63 #include "acl/NoteData.h"
64 #include "acl/PeerName.h"
65 #include "acl/Protocol.h"
66 #include "acl/ProtocolData.h"
67 #include "acl/Random.h"
68 #include "acl/RegexData.h"
69 #include "acl/ReplyHeaderStrategy.h"
70 #include "acl/ReplyMimeType.h"
71 #include "acl/RequestHeaderStrategy.h"
72 #include "acl/RequestMimeType.h"
73 #include "acl/SourceAsn.h"
74 #include "acl/SourceDomain.h"
75 #include "acl/SourceIp.h"
76 #include "acl/SquidError.h"
77 #include "acl/SquidErrorData.h"
78 #if USE_OPENSSL
79 #include "acl/Certificate.h"
80 #include "acl/CertificateData.h"
81 #include "acl/ServerName.h"
82 #include "acl/SslError.h"
83 #include "acl/SslErrorData.h"
84 #endif
85 #include "acl/StringData.h"
86 #if USE_OPENSSL
87 #include "acl/ServerCertificate.h"
88 #endif
89 #include "acl/Tag.h"
90 #include "acl/Time.h"
91 #include "acl/TimeData.h"
92 #include "acl/TransactionInitiator.h"
93 #include "acl/Url.h"
94 #include "acl/UrlLogin.h"
95 #include "acl/UrlPath.h"
96 #include "acl/UrlPort.h"
97 #include "acl/UserData.h"
98 #if USE_AUTH
99 #include "auth/AclMaxUserIp.h"
100 #include "auth/AclProxyAuth.h"
101 #endif
102 #include "base/RegexPattern.h"
103 #include "ExternalACL.h"
104 #if SQUID_SNMP
105 #include "snmp_core.h"
106 #endif
107 #include "sbuf/Stream.h"
108 
109 namespace Acl
110 {
111 
116 template <class Parent>
117 class FinalizedParameterizedNode: public Parent
118 {
119  MEMPROXY_CLASS(FinalizedParameterizedNode<Parent>);
120 
121 public:
122  using Parameters = typename Parent::Parameters;
123  using Parent::data;
124 
133  static void PreferAllocatorLabelPrefix(const char * const suffix)
134  {
135  assert(!PreferredAllocatorLabelSuffix); // must be called at most once
136  assert(!FinalPoolLabel); // must be called before the class constructor
137  assert(suffix);
138  PreferredAllocatorLabelSuffix = suffix;
139  }
140 
141  FinalizedParameterizedNode(TypeName typeName, Parameters * const params):
142  typeName_(typeName)
143  {
144  Assure(!data); // base classes never set this data member
145  data.reset(params);
146  Assure(data); // ... but we always do
147 
148  FinalizePoolLabel(typeName);
149  }
150 
151  ~FinalizedParameterizedNode() override = default;
152 
153  /* ACL API */
154  const char *typeString() const override { return typeName_; }
155 
156 private:
163  static void FinalizePoolLabel(const TypeName typeName)
164  {
165  if (FinalPoolLabel)
166  return; // the label has been finalized already
167 
168  assert(typeName);
169  const auto label = ToSBuf("acltype=", PreferredAllocatorLabelSuffix ? PreferredAllocatorLabelSuffix : typeName);
170  FinalPoolLabel = SBufToCstring(label);
171  Pool().relabel(FinalPoolLabel);
172  }
173 
175  inline static const char *PreferredAllocatorLabelSuffix = nullptr;
176 
178  inline static const char *FinalPoolLabel = nullptr;
179 
180  // TODO: Consider storing the spelling used by the admin instead.
182  TypeName typeName_;
183 };
184 
185 } // namespace Acl
186 
187 // Not in src/acl/ because some of the ACLs it registers are not in src/acl/.
188 void
189 Acl::Init()
190 {
191  /* the registration order does not matter */
192 
193  // The explicit return type (Acl::Node*) for lambdas is needed because the type
194  // of the return expression inside lambda is not Node* but AclFoo* while
195  // Maker is defined to return Node*.
196 
197  RegisterMaker("all-of", [](TypeName)->Node* { return new AllOf; }); // XXX: Add name parameter to ctor
198  RegisterMaker("any-of", [](TypeName)->Node* { return new AnyOf; }); // XXX: Add name parameter to ctor
199  RegisterMaker("random", [](TypeName name)->Node* { return new ACLRandom(name); });
200  RegisterMaker("time", [](TypeName name)->Node* { return new FinalizedParameterizedNode<CurrentTimeCheck>(name, new ACLTimeData); });
201  RegisterMaker("src_as", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SourceAsnCheck>(name, new ACLASN); });
202  RegisterMaker("dst_as", [](TypeName name)->Node* { return new FinalizedParameterizedNode<DestinationAsnCheck>(name, new ACLASN); });
203  RegisterMaker("browser", [](TypeName name)->Node* { return new FinalizedParameterizedNode<RequestHeaderCheck<Http::HdrType::USER_AGENT> >(name, new ACLRegexData); });
204 
205  RegisterMaker("dstdomain", [](TypeName name)->Node* { return new FinalizedParameterizedNode<DestinationDomainCheck>(name, new ACLDomainData); });
206  RegisterMaker("dstdom_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<DestinationDomainCheck>(name, new ACLRegexData); });
207  FinalizedParameterizedNode<DestinationDomainCheck>::PreferAllocatorLabelPrefix("dstdomain+");
208 
209  RegisterMaker("dst", [](TypeName)->Node* { return new ACLDestinationIP; }); // XXX: Add name parameter to ctor
210  RegisterMaker("hier_code", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HierCodeCheck>(name, new ACLHierCodeData); });
211  RegisterMaker("rep_header", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HttpRepHeaderCheck>(name, new ACLHTTPHeaderData); });
212  RegisterMaker("req_header", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HttpReqHeaderCheck>(name, new ACLHTTPHeaderData); });
213  RegisterMaker("http_status", [](TypeName name)->Node* { return new ACLHTTPStatus(name); });
214  RegisterMaker("maxconn", [](TypeName name)->Node* { return new ACLMaxConnection(name); });
215  RegisterMaker("method", [](TypeName name)->Node* { return new FinalizedParameterizedNode<MethodCheck>(name, new ACLMethodData); });
216  RegisterMaker("localip", [](TypeName)->Node* { return new ACLLocalIP; }); // XXX: Add name parameter to ctor
217  RegisterMaker("localport", [](TypeName name)->Node* { return new FinalizedParameterizedNode<LocalPortCheck>(name, new ACLIntRange); });
218  RegisterMaker("myportname", [](TypeName name)->Node* { return new FinalizedParameterizedNode<MyPortNameCheck>(name, new ACLStringData); });
219 
220  RegisterMaker("peername", [](TypeName name)->Node* { return new FinalizedParameterizedNode<PeerNameCheck>(name, new ACLStringData); });
221  RegisterMaker("peername_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<PeerNameCheck>(name, new ACLRegexData); });
222  FinalizedParameterizedNode<PeerNameCheck>::PreferAllocatorLabelPrefix("peername+");
223 
224  RegisterMaker("proto", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ProtocolCheck>(name, new ACLProtocolData); });
225  RegisterMaker("referer_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<RequestHeaderCheck<Http::HdrType::REFERER> >(name, new ACLRegexData); });
226  RegisterMaker("rep_mime_type", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ReplyHeaderCheck<Http::HdrType::CONTENT_TYPE> >(name, new ACLRegexData); });
227  RegisterMaker("req_mime_type", [](TypeName name)->Node* { return new FinalizedParameterizedNode<RequestHeaderCheck<Http::HdrType::CONTENT_TYPE> >(name, new ACLRegexData); });
228 
229  RegisterMaker("srcdomain", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SourceDomainCheck>(name, new ACLDomainData); });
230  RegisterMaker("srcdom_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SourceDomainCheck>(name, new ACLRegexData); });
231  FinalizedParameterizedNode<SourceDomainCheck>::PreferAllocatorLabelPrefix("srcdomain+");
232 
233  RegisterMaker("src", [](TypeName)->Node* { return new ACLSourceIP; }); // XXX: Add name parameter to ctor
234  RegisterMaker("url_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlCheck>(name, new ACLRegexData); });
235  RegisterMaker("urllogin", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlLoginCheck>(name, new ACLRegexData); });
236  RegisterMaker("urlpath_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlPathCheck>(name, new ACLRegexData); });
237  RegisterMaker("port", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlPortCheck>(name, new ACLIntRange); });
238  RegisterMaker("external", [](TypeName name)->Node* { return new ACLExternal(name); });
239  RegisterMaker("squid_error", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SquidErrorCheck>(name, new ACLSquidErrorData); });
240  RegisterMaker("connections_encrypted", [](TypeName name)->Node* { return new ConnectionsEncrypted(name); });
241  RegisterMaker("tag", [](TypeName name)->Node* { return new FinalizedParameterizedNode<TagCheck>(name, new ACLStringData); });
242  RegisterMaker("note", [](TypeName name)->Node* { return new FinalizedParameterizedNode<NoteCheck>(name, new ACLNoteData); });
243  RegisterMaker("annotate_client", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AnnotateClientCheck>(name, new ACLAnnotationData); });
244  RegisterMaker("annotate_transaction", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AnnotateTransactionCheck>(name, new ACLAnnotationData); });
245  RegisterMaker("has", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HasComponentCheck>(name, new ACLHasComponentData); });
246  RegisterMaker("transaction_initiator", [](TypeName name)->Node* {return new TransactionInitiator(name);});
247 
248 #if USE_LIBNETFILTERCONNTRACK
249  RegisterMaker("clientside_mark", [](TypeName)->Node* { return new ConnMark; }); // XXX: Add name parameter to ctor
250  RegisterMaker("client_connection_mark", [](TypeName)->Node* { return new ConnMark; }); // XXX: Add name parameter to ctor
251 #endif
252 
253 #if USE_OPENSSL
254  RegisterMaker("ssl_error", [](TypeName name)->Node* { return new FinalizedParameterizedNode<CertificateErrorCheck>(name, new ACLSslErrorData); });
255 
256  RegisterMaker("user_cert", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ClientCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509UserAttribute, "*")); });
257  RegisterMaker("ca_cert", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ClientCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509CAAttribute, "*")); });
258  FinalizedParameterizedNode<ClientCertificateCheck>::PreferAllocatorLabelPrefix("user_cert+");
259 
260  RegisterMaker("server_cert_fingerprint", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ServerCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509Fingerprint, nullptr, true)); });
261  RegisterMaker("at_step", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AtStepCheck>(name, new ACLAtStepData); });
262 
263  RegisterMaker("ssl::server_name", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ServerNameCheck>(name, new ACLServerNameData); });
264  RegisterMaker("ssl::server_name_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ServerNameCheck>(name, new ACLRegexData); });
265  FinalizedParameterizedNode<ServerNameCheck>::PreferAllocatorLabelPrefix("ssl::server_name+");
266 #endif
267 
268 #if USE_SQUID_EUI
269  RegisterMaker("arp", [](TypeName name)->Node* { return new ACLARP(name); });
270  RegisterMaker("eui64", [](TypeName name)->Node* { return new ACLEui64(name); });
271 #endif
272 
273 #if USE_AUTH
274  RegisterMaker("ext_user", [](TypeName name)->Node* { return new ACLExtUser(new ACLUserData, name); });
275  RegisterMaker("ext_user_regex", [](TypeName name)->Node* { return new ACLExtUser(new ACLRegexData, name); });
276  RegisterMaker("proxy_auth", [](TypeName name)->Node* { return new ACLProxyAuth(new ACLUserData, name); });
277  RegisterMaker("proxy_auth_regex", [](TypeName name)->Node* { return new ACLProxyAuth(new ACLRegexData, name); });
278  RegisterMaker("max_user_ip", [](TypeName name)->Node* { return new ACLMaxUserIP(name); });
279 #endif
280 
281 #if USE_ADAPTATION
282  RegisterMaker("adaptation_service", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AdaptationServiceCheck>(name, new ACLAdaptationServiceData); });
283 #endif
284 
285 #if SQUID_SNMP
286  RegisterMaker("snmp_community", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SnmpCommunityCheck>(name, new ACLStringData); });
287 #endif
288 }
289 
Acl::AnyOf
Configurable any-of ACL. Each ACL line is a disjuction of ACLs.
Definition: AnyOf.h:18
Acl::FinalizedParameterizedNode::typeString
const char * typeString() const override
Definition: AclRegs.cc:154
snmp_core.h
Acl::FinalizedParameterizedNode::PreferredAllocatorLabelSuffix
static const char * PreferredAllocatorLabelSuffix
if set, overrules FinalizePoolLabel() argument
Definition: AclRegs.cc:175
Acl::RegisterMaker
void RegisterMaker(TypeName typeName, Maker maker)
use the given Acl::Node Maker for all ACLs of the named type
Definition: Acl.cc:92
Acl::TransactionInitiator
transaction_initiator ACL
Definition: TransactionInitiator.h:20
Acl::FinalizedParameterizedNode::FinalizePoolLabel
static void FinalizePoolLabel(const TypeName typeName)
Definition: AclRegs.cc:163
Ssl::GetX509Fingerprint
GETX509ATTRIBUTE GetX509Fingerprint
Definition: support.h:124
SBufToCstring
void SBufToCstring(char *d, const SBuf &s)
Definition: SBuf.h:756
Ssl::GetX509CAAttribute
GETX509ATTRIBUTE GetX509CAAttribute
Definition: support.h:118
Acl
Definition: Acl.cc:33
Acl::FinalizedParameterizedNode::PreferAllocatorLabelPrefix
static void PreferAllocatorLabelPrefix(const char *const suffix)
Definition: AclRegs.cc:133
ACLASN
Definition: Asn.h:25
ACLEui64
Definition: Eui64.h:17
assert
#define assert(EX)
Definition: assert.h:17
Acl::FinalizedParameterizedNode::Parameters
typename Parent::Parameters Parameters
Definition: AclRegs.cc:122
Assure
#define Assure(condition)
Definition: Assure.h:35
ACLARP
Definition: Arp.h:18
Acl::FinalizedParameterizedNode::FinalPoolLabel
static const char * FinalPoolLabel
custom allocator label set by FinalizePoolLabel()
Definition: AclRegs.cc:178
Acl::Node
Definition: Node.h:25
Ssl::GetX509UserAttribute
GETX509ATTRIBUTE GetX509UserAttribute
Definition: support.h:115
Acl::TypeName
const char * TypeName
the ACL type name known to admins
Definition: Acl.h:24
ToSBuf
SBuf ToSBuf(Args &&... args)
slowly stream-prints all arguments into a freshly allocated SBuf
Definition: Stream.h:63
Acl::FinalizedParameterizedNode::typeName_
TypeName typeName_
the "acltype" name in its canonical spelling
Definition: AclRegs.cc:182
Acl::FinalizedParameterizedNode::MEMPROXY_CLASS
MEMPROXY_CLASS(FinalizedParameterizedNode< Parent >)
Acl::FinalizedParameterizedNode::FinalizedParameterizedNode
FinalizedParameterizedNode(TypeName typeName, Parameters *const params)
Definition: AclRegs.cc:141
Acl::FinalizedParameterizedNode::~FinalizedParameterizedNode
~FinalizedParameterizedNode() override=default
Acl::Init
void Init(void)
prepares to parse ACLs configuration
Definition: AclRegs.cc:189

 

Introduction

Documentation

Support

Miscellaneous