Squid Web Cache master
Loading...
Searching...
No Matches
AclRegs.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9#include "squid.h"
10
11#if USE_ADAPTATION
12#include "acl/AdaptationService.h"
13#include "acl/AdaptationServiceData.h"
14#endif
15#include "acl/AllOf.h"
16#include "acl/AnnotateClient.h"
17#include "acl/AnnotateTransaction.h"
18#include "acl/AnnotationData.h"
19#include "acl/AnyOf.h"
20#if USE_SQUID_EUI
21#include "acl/Arp.h"
22#include "acl/Eui64.h"
23#endif
24#if USE_OPENSSL
25#include "acl/AtStep.h"
26#include "acl/AtStepData.h"
27#endif
28#include "acl/Checklist.h"
29#include "acl/ConnectionsEncrypted.h"
30#include "acl/Data.h"
31#include "acl/DestinationDomain.h"
32#include "acl/DestinationIp.h"
33#include "acl/DomainData.h"
34#if USE_LIBNETFILTERCONNTRACK
35#include "acl/ConnMark.h"
36#endif
37#if USE_AUTH
38#include "acl/ExtUser.h"
39#endif
40#include "acl/FilledChecklist.h"
41#include "acl/forward.h"
42#include "acl/Gadgets.h"
43#include "acl/HasComponent.h"
44#include "acl/HasComponentData.h"
45#include "acl/HierCode.h"
46#include "acl/HierCodeData.h"
47#include "acl/HttpHeaderData.h"
48#include "acl/HttpRepHeader.h"
49#include "acl/HttpReqHeader.h"
50#include "acl/HttpStatus.h"
51#include "acl/IntRange.h"
52#include "acl/Ip.h"
53#include "acl/LocalIp.h"
54#include "acl/LocalPort.h"
55#include "acl/MaxConnection.h"
56#include "acl/Method.h"
57#include "acl/MethodData.h"
58#include "acl/MyPortName.h"
59#include "acl/Node.h"
60#include "acl/Note.h"
61#include "acl/NoteData.h"
62#include "acl/PeerName.h"
63#include "acl/Protocol.h"
64#include "acl/ProtocolData.h"
65#include "acl/Random.h"
66#include "acl/RegexData.h"
67#include "acl/ReplyHeaderStrategy.h"
68#include "acl/ReplyMimeType.h"
69#include "acl/RequestHeaderStrategy.h"
70#include "acl/RequestMimeType.h"
71#include "acl/SourceDomain.h"
72#include "acl/SourceIp.h"
73#include "acl/SquidError.h"
74#include "acl/SquidErrorData.h"
75#if USE_OPENSSL
76#include "acl/Certificate.h"
77#include "acl/CertificateData.h"
78#include "acl/ServerName.h"
79#include "acl/SslError.h"
80#include "acl/SslErrorData.h"
81#endif
82#include "acl/StringData.h"
83#if USE_OPENSSL
84#include "acl/ServerCertificate.h"
85#endif
86#include "acl/Tag.h"
87#include "acl/Time.h"
88#include "acl/TimeData.h"
89#include "acl/TransactionInitiator.h"
90#include "acl/Url.h"
91#include "acl/UrlLogin.h"
92#include "acl/UrlPath.h"
93#include "acl/UrlPort.h"
94#include "acl/UserData.h"
95#if USE_AUTH
96#include "auth/AclMaxUserIp.h"
97#include "auth/AclProxyAuth.h"
98#endif
99#include "base/RegexPattern.h"
100#include "ExternalACL.h"
101#if SQUID_SNMP
102#include "snmp_core.h"
103#endif
104#include "sbuf/Stream.h"
105
106namespace Acl
107{
108
113template <class Parent>
114class FinalizedParameterizedNode: public Parent
115{
116 MEMPROXY_CLASS(FinalizedParameterizedNode<Parent>);
117
118public:
119 using Parameters = typename Parent::Parameters;
120 using Parent::data;
121
130 static void PreferAllocatorLabelPrefix(const char * const suffix)
131 {
132 assert(!PreferredAllocatorLabelSuffix); // must be called at most once
133 assert(!FinalPoolLabel); // must be called before the class constructor
134 assert(suffix);
135 PreferredAllocatorLabelSuffix = suffix;
136 }
137
138 FinalizedParameterizedNode(TypeName typeName, Parameters * const params):
139 typeName_(typeName)
140 {
141 Assure(!data); // base classes never set this data member
142 data.reset(params);
143 Assure(data); // ... but we always do
144
145 FinalizePoolLabel(typeName);
146 }
147
148 ~FinalizedParameterizedNode() override = default;
149
150 /* ACL API */
151 const char *typeString() const override { return typeName_; }
152
153private:
160 static void FinalizePoolLabel(const TypeName typeName)
161 {
162 if (FinalPoolLabel)
163 return; // the label has been finalized already
164
165 assert(typeName);
166 const auto label = ToSBuf("acltype=", PreferredAllocatorLabelSuffix ? PreferredAllocatorLabelSuffix : typeName);
167 FinalPoolLabel = SBufToCstring(label);
168 Pool().relabel(FinalPoolLabel);
169 }
170
172 inline static const char *PreferredAllocatorLabelSuffix = nullptr;
173
175 inline static const char *FinalPoolLabel = nullptr;
176
177 // TODO: Consider storing the spelling used by the admin instead.
179 TypeName typeName_;
180};
181
182} // namespace Acl
183
184// Not in src/acl/ because some of the ACLs it registers are not in src/acl/.
185void
186Acl::Init()
187{
188 /* the registration order does not matter */
189
190 // The explicit return type (Acl::Node*) for lambdas is needed because the type
191 // of the return expression inside lambda is not Node* but AclFoo* while
192 // Maker is defined to return Node*.
193
194 RegisterMaker("all-of", [](TypeName)->Node* { return new AllOf; }); // XXX: Add name parameter to ctor
195 RegisterMaker("any-of", [](TypeName)->Node* { return new AnyOf; }); // XXX: Add name parameter to ctor
196 RegisterMaker("random", [](TypeName name)->Node* { return new ACLRandom(name); });
197 RegisterMaker("time", [](TypeName name)->Node* { return new FinalizedParameterizedNode<CurrentTimeCheck>(name, new ACLTimeData); });
198 RegisterMaker("browser", [](TypeName name)->Node* { return new FinalizedParameterizedNode<RequestHeaderCheck<Http::HdrType::USER_AGENT> >(name, new ACLRegexData); });
199
200 RegisterMaker("dstdomain", [](TypeName name)->Node* { return new FinalizedParameterizedNode<DestinationDomainCheck>(name, new ACLDomainData); });
201 RegisterMaker("dstdom_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<DestinationDomainCheck>(name, new ACLRegexData); });
202 FinalizedParameterizedNode<DestinationDomainCheck>::PreferAllocatorLabelPrefix("dstdomain+");
203
204 RegisterMaker("dst", [](TypeName)->Node* { return new ACLDestinationIP; }); // XXX: Add name parameter to ctor
205 RegisterMaker("hier_code", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HierCodeCheck>(name, new ACLHierCodeData); });
206 RegisterMaker("rep_header", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HttpRepHeaderCheck>(name, new ACLHTTPHeaderData); });
207 RegisterMaker("req_header", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HttpReqHeaderCheck>(name, new ACLHTTPHeaderData); });
208 RegisterMaker("http_status", [](TypeName name)->Node* { return new ACLHTTPStatus(name); });
209 RegisterMaker("maxconn", [](TypeName name)->Node* { return new ACLMaxConnection(name); });
210 RegisterMaker("method", [](TypeName name)->Node* { return new FinalizedParameterizedNode<MethodCheck>(name, new ACLMethodData); });
211 RegisterMaker("localip", [](TypeName)->Node* { return new ACLLocalIP; }); // XXX: Add name parameter to ctor
212 RegisterMaker("localport", [](TypeName name)->Node* { return new FinalizedParameterizedNode<LocalPortCheck>(name, new ACLIntRange); });
213 RegisterMaker("myportname", [](TypeName name)->Node* { return new FinalizedParameterizedNode<MyPortNameCheck>(name, new ACLStringData); });
214
215 RegisterMaker("peername", [](TypeName name)->Node* { return new FinalizedParameterizedNode<PeerNameCheck>(name, new ACLStringData); });
216 RegisterMaker("peername_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<PeerNameCheck>(name, new ACLRegexData); });
217 FinalizedParameterizedNode<PeerNameCheck>::PreferAllocatorLabelPrefix("peername+");
218
219 RegisterMaker("proto", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ProtocolCheck>(name, new ACLProtocolData); });
220 RegisterMaker("referer_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<RequestHeaderCheck<Http::HdrType::REFERER> >(name, new ACLRegexData); });
221 RegisterMaker("rep_mime_type", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ReplyHeaderCheck<Http::HdrType::CONTENT_TYPE> >(name, new ACLRegexData); });
222 RegisterMaker("req_mime_type", [](TypeName name)->Node* { return new FinalizedParameterizedNode<RequestHeaderCheck<Http::HdrType::CONTENT_TYPE> >(name, new ACLRegexData); });
223
224 RegisterMaker("srcdomain", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SourceDomainCheck>(name, new ACLDomainData); });
225 RegisterMaker("srcdom_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SourceDomainCheck>(name, new ACLRegexData); });
226 FinalizedParameterizedNode<SourceDomainCheck>::PreferAllocatorLabelPrefix("srcdomain+");
227
228 RegisterMaker("src", [](TypeName)->Node* { return new ACLSourceIP; }); // XXX: Add name parameter to ctor
229 RegisterMaker("url_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlCheck>(name, new ACLRegexData); });
230 RegisterMaker("urllogin", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlLoginCheck>(name, new ACLRegexData); });
231 RegisterMaker("urlpath_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlPathCheck>(name, new ACLRegexData); });
232 RegisterMaker("port", [](TypeName name)->Node* { return new FinalizedParameterizedNode<UrlPortCheck>(name, new ACLIntRange); });
233 RegisterMaker("external", [](TypeName name)->Node* { return new ACLExternal(name); });
234 RegisterMaker("squid_error", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SquidErrorCheck>(name, new ACLSquidErrorData); });
235 RegisterMaker("connections_encrypted", [](TypeName name)->Node* { return new ConnectionsEncrypted(name); });
236 RegisterMaker("tag", [](TypeName name)->Node* { return new FinalizedParameterizedNode<TagCheck>(name, new ACLStringData); });
237 RegisterMaker("note", [](TypeName name)->Node* { return new FinalizedParameterizedNode<NoteCheck>(name, new ACLNoteData); });
238 RegisterMaker("annotate_client", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AnnotateClientCheck>(name, new ACLAnnotationData); });
239 RegisterMaker("annotate_transaction", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AnnotateTransactionCheck>(name, new ACLAnnotationData); });
240 RegisterMaker("has", [](TypeName name)->Node* { return new FinalizedParameterizedNode<HasComponentCheck>(name, new ACLHasComponentData); });
241 RegisterMaker("transaction_initiator", [](TypeName name)->Node* {return new TransactionInitiator(name);});
242
243#if USE_LIBNETFILTERCONNTRACK
244 RegisterMaker("clientside_mark", [](TypeName)->Node* { return new ConnMark; }); // XXX: Add name parameter to ctor
245 RegisterMaker("client_connection_mark", [](TypeName)->Node* { return new ConnMark; }); // XXX: Add name parameter to ctor
246#endif
247
248#if USE_OPENSSL
249 RegisterMaker("ssl_error", [](TypeName name)->Node* { return new FinalizedParameterizedNode<CertificateErrorCheck>(name, new ACLSslErrorData); });
250
251 RegisterMaker("user_cert", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ClientCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509UserAttribute, "*")); });
252 RegisterMaker("ca_cert", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ClientCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509CAAttribute, "*")); });
253 FinalizedParameterizedNode<ClientCertificateCheck>::PreferAllocatorLabelPrefix("user_cert+");
254
255 RegisterMaker("server_cert_fingerprint", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ServerCertificateCheck>(name, new ACLCertificateData(Ssl::GetX509Fingerprint, nullptr, true)); });
256 RegisterMaker("at_step", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AtStepCheck>(name, new ACLAtStepData); });
257
258 RegisterMaker("ssl::server_name", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ServerNameCheck>(name, new ACLServerNameData); });
259 RegisterMaker("ssl::server_name_regex", [](TypeName name)->Node* { return new FinalizedParameterizedNode<ServerNameCheck>(name, new ACLRegexData); });
260 FinalizedParameterizedNode<ServerNameCheck>::PreferAllocatorLabelPrefix("ssl::server_name+");
261#endif
262
263#if USE_SQUID_EUI
264 RegisterMaker("arp", [](TypeName name)->Node* { return new ACLARP(name); });
265 RegisterMaker("eui64", [](TypeName name)->Node* { return new ACLEui64(name); });
266#endif
267
268#if USE_AUTH
269 RegisterMaker("ext_user", [](TypeName name)->Node* { return new ACLExtUser(new ACLUserData, name); });
270 RegisterMaker("ext_user_regex", [](TypeName name)->Node* { return new ACLExtUser(new ACLRegexData, name); });
271 RegisterMaker("proxy_auth", [](TypeName name)->Node* { return new ACLProxyAuth(new ACLUserData, name); });
272 RegisterMaker("proxy_auth_regex", [](TypeName name)->Node* { return new ACLProxyAuth(new ACLRegexData, name); });
273 RegisterMaker("max_user_ip", [](TypeName name)->Node* { return new ACLMaxUserIP(name); });
274#endif
275
276#if USE_ADAPTATION
277 RegisterMaker("adaptation_service", [](TypeName name)->Node* { return new FinalizedParameterizedNode<AdaptationServiceCheck>(name, new ACLAdaptationServiceData); });
278#endif
279
280#if SQUID_SNMP
281 RegisterMaker("snmp_community", [](TypeName name)->Node* { return new FinalizedParameterizedNode<SnmpCommunityCheck>(name, new ACLStringData); });
282#endif
283}
284
Assure
#define Assure(condition)
Definition Assure.h:35
SBufToCstring
void SBufToCstring(char *d, const SBuf &s)
Definition SBuf.h:756
assert
#define assert(EX)
Definition assert.h:17
ACLARP
Definition Arp.h:19
Acl::AnyOf
Configurable any-of ACL. Each ACL line is a disjuction of ACLs.
Definition AnyOf.h:19
Acl::FinalizedParameterizedNode::~FinalizedParameterizedNode
~FinalizedParameterizedNode() override=default
Acl::FinalizedParameterizedNode::MEMPROXY_CLASS
MEMPROXY_CLASS(FinalizedParameterizedNode< Parent >)
Acl::FinalizedParameterizedNode::PreferredAllocatorLabelSuffix
static const char * PreferredAllocatorLabelSuffix
if set, overrules FinalizePoolLabel() argument
Definition AclRegs.cc:172
Acl::FinalizedParameterizedNode::Parameters
typename Parent::Parameters Parameters
Definition AclRegs.cc:119
Acl::FinalizedParameterizedNode::FinalizePoolLabel
static void FinalizePoolLabel(const TypeName typeName)
Definition AclRegs.cc:160
Acl::FinalizedParameterizedNode::FinalPoolLabel
static const char * FinalPoolLabel
custom allocator label set by FinalizePoolLabel()
Definition AclRegs.cc:175
Acl::FinalizedParameterizedNode::typeString
const char * typeString() const override
Definition AclRegs.cc:151
Acl::FinalizedParameterizedNode::FinalizedParameterizedNode
FinalizedParameterizedNode(TypeName typeName, Parameters *const params)
Definition AclRegs.cc:138
Acl::FinalizedParameterizedNode::PreferAllocatorLabelPrefix
static void PreferAllocatorLabelPrefix(const char *const suffix)
Definition AclRegs.cc:130
Acl::FinalizedParameterizedNode::typeName_
TypeName typeName_
the "acltype" name in its canonical spelling
Definition AclRegs.cc:179
Acl::TransactionInitiator
transaction_initiator ACL
Definition TransactionInitiator.h:21
Ssl::GetX509Fingerprint
GETX509ATTRIBUTE GetX509Fingerprint
Definition support.h:124
Ssl::GetX509UserAttribute
GETX509ATTRIBUTE GetX509UserAttribute
Definition support.h:115
Ssl::GetX509CAAttribute
GETX509ATTRIBUTE GetX509CAAttribute
Definition support.h:118
Parent
#define Parent(x)
Definition heap.c:57
Acl
Definition Acl.cc:33
Acl::Init
void Init(void)
prepares to parse ACLs configuration
Definition AclRegs.cc:186
Acl::RegisterMaker
void RegisterMaker(TypeName typeName, Maker maker)
use the given Acl::Node Maker for all ACLs of the named type
Definition Acl.cc:92
Acl::TypeName
const char * TypeName
the ACL type name known to admins
Definition Acl.h:24
ToSBuf
SBuf ToSBuf(Args &&... args)
slowly stream-prints all arguments into a freshly allocated SBuf
Definition Stream.h:63
snmp_core.h