squid : Optimising Web Delivery

Go to the documentation of this file.

 /*
  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.
  * Please see the COPYING and CONTRIBUTORS files for details.
  */
  
 /*
  * DEBUG: section 28    Access Control
  *
  * This file contains ACL routines that are not part of the
  * Acl::Node class, nor any other class yet, and that need to be
  * factored into appropriate places. They are here to reduce
  * unneeded dependencies between the Acl::Node class and the rest
  * of squid.
  */
  
 #include "squid.h"
 #include "acl/AclDenyInfoList.h"
 #include "acl/Gadgets.h"
 #include "acl/Tree.h"
 #include "cache_cf.h"
 #include "ConfigParser.h"
 #include "errorpage.h"
 #include "globals.h"
 #include "HttpRequest.h"
 #include "SquidConfig.h"
 #include "src/sbuf/Stream.h"
  
 #include <algorithm>
  
 err_type
 FindDenyInfoPage(const Acl::Answer &answer, const bool redirect_allowed)
 {
     if (!answer.lastCheckedName) {
         debugs(28, 3, "ERR_NONE because access was denied without evaluating ACLs");
         return ERR_NONE;
     }
  
     const auto &name = *answer.lastCheckedName;
  
     for (auto A = Config.denyInfoList; A; A = A->next) {
         if (!redirect_allowed && strchr(A->err_page_name, ':') ) {
             debugs(28, 8, "Skip '" << A->err_page_name << "' 30x redirects not allowed as response here.");
             continue;
         }
  
         for (const auto &aclName: A->acl_list) {
             if (aclName.cmp(name) == 0) {
                 debugs(28, 8, "matched " << name << "; returning " << A->err_page_id << ' ' << A->err_page_name);
                 return A->err_page_id;
             }
         }
     }
  
     debugs(28, 8, "no match for " << name << (Config.denyInfoList ? "" : "; no deny_info rules"));
     return ERR_NONE;
 }
  
 bool
 aclIsProxyAuth(const std::optional<SBuf> &name)
 {
     if (!name) {
         debugs(28, 3, "no; caller did not supply an ACL name");
         return false;
     }
  
     if (const auto a = Acl::Node::FindByName(*name)) {
         debugs(28, 5, "returning " << a->isProxyAuth() << " for ACL " << *name);
         return a->isProxyAuth();
     }
  
     debugs(28, 3, "WARNING: Called for nonexistent ACL " << *name);
     return false;
 }
  
 /* maex@space.net (05.09.96)
  *    get the info for redirecting "access denied" to info pages
  *      TODO (probably ;-)
  *      currently there is no optimization for
  *      - more than one deny_info line with the same url
  *      - a check, whether the given acl really is defined
  *      - a check, whether an acl is added more than once for the same url
  */
  
 void
 aclParseDenyInfoLine(AclDenyInfoList ** head)
 {
     char *t = nullptr;
     AclDenyInfoList *B;
     AclDenyInfoList **T;
  
     /* first expect a page name */
  
     if ((t = ConfigParser::NextToken()) == nullptr) {
         debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
         debugs(28, DBG_CRITICAL, "ERROR: aclParseDenyInfoLine: missing 'error page' parameter.");
         return;
     }
  
     const auto A = new AclDenyInfoList(t, ConfigParser::CurrentLocation());
  
     /* next expect a list of ACL names */
     while ((t = ConfigParser::NextToken())) {
         A->acl_list.emplace_back(t);
     }
  
     if (A->acl_list.empty()) {
         debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
         debugs(28, DBG_CRITICAL, "aclParseDenyInfoLine: deny_info line contains no ACL's, skipping");
         delete A;
         return;
     }
  
     for (B = *head, T = head; B; T = &B->next, B = B->next)
  
         ;   /* find the tail */
     *T = A;
 }
  
 const Acl::Tree &
 Acl::ToTree(const TreePointer * const config)
 {
     Assure(config);
     const auto &treePtr = *config;
     Assure(treePtr);
     return *treePtr;
 }
  
 void
 aclParseAccessLine(const char *directive, ConfigParser &, acl_access **config)
 {
     /* first expect either 'allow' or 'deny' */
     const char *t = ConfigParser::NextToken();
  
     if (!t) {
         debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
         debugs(28, DBG_CRITICAL, "ERROR: aclParseAccessLine: missing 'allow' or 'deny'.");
         return;
     }
  
     auto action = Acl::Answer(ACCESS_DUNNO);
     if (!strcmp(t, "allow"))
         action = Acl::Answer(ACCESS_ALLOWED);
     else if (!strcmp(t, "deny"))
         action = Acl::Answer(ACCESS_DENIED);
     else {
         debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
         debugs(28, DBG_CRITICAL, "aclParseAccessLine: expecting 'allow' or 'deny', got '" << t << "'.");
         return;
     }
  
     const int ruleId = ((config && *config) ? ToTree(*config).childrenCount() : 0) + 1;
  
     Acl::AndNode *rule = new Acl::AndNode;
     rule->context(ToSBuf(directive, '#', ruleId), config_input_line);
     rule->lineParse();
     if (rule->empty()) {
         debugs(28, DBG_CRITICAL, "aclParseAccessLine: " << cfg_filename << " line " << config_lineno << ": " << config_input_line);
         debugs(28, DBG_CRITICAL, "aclParseAccessLine: Access line contains no ACL's, skipping");
         delete rule;
         return;
     }
  
     /* Append to the end of this list */
  
     assert(config);
     if (!*config)
         *config = new acl_access();
     const auto treep = *config;
  
     assert(treep);
     if (!*treep) {
         *treep = new Acl::Tree;
         (*treep)->context(SBuf(directive), config_input_line);
     }
  
     (*treep)->add(rule, action);
 }
  
 // aclParseAclList does not expect or set actions (cf. aclParseAccessLine)
 size_t
 aclParseAclList(ConfigParser &, ACLList **config, const char *label)
 {
     // accommodate callers unable to convert their ACL list context to string
     if (!label)
         label = "...";
  
     Acl::AndNode *rule = new Acl::AndNode;
     rule->context(ToSBuf('(', cfg_directive, ' ', label, " line)"), config_input_line);
     const auto aclCount = rule->lineParse();
  
     // XXX: We have created only one node, and our callers do not support
     // actions, but we now have to create an action-supporting Acl::Tree because
     // Checklist needs actions support. TODO: Add actions methods to Acl::Node,
     // so that Checklist can be satisfied with Acl::AndNode created above.
     Acl::Tree *tree = new Acl::Tree;
     tree->add(rule);
     tree->context(ToSBuf(cfg_directive, ' ', label), config_input_line);
  
     assert(config);
     assert(!*config);
     *config = new acl_access(tree);
  
     return aclCount;
 }
  
 /*********************/
 /* Destroy functions */
 /*********************/
  
 void
 aclDestroyAclList(ACLList **list)
 {
     debugs(28, 8, "aclDestroyAclList: invoked");
     assert(list);
     delete *list;
     *list = nullptr;
 }
  
 void
 aclDestroyAccessList(acl_access ** list)
 {
     assert(list);
     if (*list)
         debugs(28, 3, "destroying: " << *list << ' ' << ToTree(*list).name);
     delete *list;
     *list = nullptr;
 }
  
 /* maex@space.net (06.09.1996)
  *    destroy an AclDenyInfoList */
  
 void
 aclDestroyDenyInfoList(AclDenyInfoList ** list)
 {
     AclDenyInfoList *a = nullptr;
     AclDenyInfoList *a_next = nullptr;
  
     debugs(28, 8, "aclDestroyDenyInfoList: invoked");
  
     for (a = *list; a; a = a_next) {
         a_next = a->next;
         delete a;
     }
  
     *list = nullptr;
 }
  