2
* ACL management functions.
4
* Copyright 2000-2013 Willy Tarreau <w@1wt.eu>
6
* This program is free software; you can redistribute it and/or
7
* modify it under the terms of the GNU General Public License
8
* as published by the Free Software Foundation; either version
9
* 2 of the License, or (at your option) any later version.
17
#include <common/config.h>
18
#include <common/mini-clist.h>
19
#include <common/standard.h>
20
#include <common/uri_auth.h>
22
#include <types/global.h>
24
#include <proto/acl.h>
25
#include <proto/arg.h>
26
#include <proto/auth.h>
27
#include <proto/channel.h>
28
#include <proto/log.h>
29
#include <proto/pattern.h>
30
#include <proto/proxy.h>
31
#include <proto/sample.h>
32
#include <proto/stick_table.h>
36
/* List head of all known ACL keywords */
37
static struct acl_kw_list acl_keywords = {
38
.list = LIST_HEAD_INIT(acl_keywords.list)
41
/* input values are 0 or 3, output is the same */
42
static inline enum acl_test_res pat2acl(struct pattern *pat)
51
* Registers the ACL keyword list <kwl> as a list of valid keywords for next
54
void acl_register_keywords(struct acl_kw_list *kwl)
56
LIST_ADDQ(&acl_keywords.list, &kwl->list);
60
* Unregisters the ACL keyword list <kwl> from the list of valid keywords.
62
void acl_unregister_keywords(struct acl_kw_list *kwl)
65
LIST_INIT(&kwl->list);
68
/* Return a pointer to the ACL <name> within the list starting at <head>, or
71
struct acl *find_acl_by_name(const char *name, struct list *head)
74
list_for_each_entry(acl, head, list) {
75
if (strcmp(acl->name, name) == 0)
81
/* Return a pointer to the ACL keyword <kw>, or NULL if not found. Note that if
82
* <kw> contains an opening parenthesis or a comma, only the left part of it is
85
struct acl_keyword *find_acl_kw(const char *kw)
89
struct acl_kw_list *kwl;
92
while (*kwend && *kwend != '(' && *kwend != ',')
95
list_for_each_entry(kwl, &acl_keywords.list, list) {
96
for (index = 0; kwl->kw[index].kw != NULL; index++) {
97
if ((strncmp(kwl->kw[index].kw, kw, kwend - kw) == 0) &&
98
kwl->kw[index].kw[kwend-kw] == 0)
99
return &kwl->kw[index];
105
static struct acl_expr *prune_acl_expr(struct acl_expr *expr)
109
pattern_prune(&expr->pat);
111
for (arg = expr->smp->arg_p; arg; arg++) {
112
if (arg->type == ARGT_STOP)
114
if (arg->type == ARGT_STR || arg->unresolved) {
115
free(arg->data.str.str);
116
arg->data.str.str = NULL;
121
if (expr->smp->arg_p != empty_arg_list)
122
free(expr->smp->arg_p);
126
/* Parse an ACL expression starting at <args>[0], and return it. If <err> is
127
* not NULL, it will be filled with a pointer to an error message in case of
128
* error. This pointer must be freeable or NULL. <al> is an arg_list serving
129
* as a list head to report missing dependencies.
131
* Right now, the only accepted syntax is :
132
* <subject> [<value>...]
134
struct acl_expr *parse_acl_expr(const char **args, char **err, struct arg_list *al,
135
const char *file, int line)
137
__label__ out_return, out_free_expr;
138
struct acl_expr *expr;
139
struct acl_keyword *aclkw;
142
struct sample_expr *smp = NULL;
150
int operator = STD_OP_EQ;
152
int contain_colon, have_dot;
154
signed long long value, minor;
155
/* The following buffer contain two numbers, a ':' separator and the final \0. */
156
char buffer[NB_LLMAX_STR + 1 + NB_LLMAX_STR + 1];
161
struct pattern_expr *pattern_expr;
163
int acl_conv_found = 0;
165
/* First, we look for an ACL keyword. And if we don't find one, then
166
* we look for a sample fetch expression starting with a sample fetch
170
al->ctx = ARGC_ACL; // to report errors while resolving args late
174
aclkw = find_acl_kw(args[0]);
176
/* OK we have a real ACL keyword */
178
/* build new sample expression for this ACL */
179
smp = calloc(1, sizeof(struct sample_expr));
181
memprintf(err, "out of memory when parsing ACL expression");
184
LIST_INIT(&(smp->conv_exprs));
185
smp->fetch = aclkw->smp;
186
smp->arg_p = empty_arg_list;
188
/* look for the begining of the subject arguments */
189
for (arg = args[0]; *arg && *arg != '(' && *arg != ','; arg++);
193
/* look for the end of this term and skip the opening parenthesis */
195
while (*endt && *endt != ')')
198
memprintf(err, "missing closing ')' after arguments to ACL keyword '%s'", aclkw->kw);
203
/* At this point, we have :
204
* - args[0] : beginning of the keyword
205
* - arg : end of the keyword, first character not part of keyword
206
* nor the opening parenthesis (so first character of args
208
* - endt : end of the term (=arg or last parenthesis if args are present)
210
nbargs = make_arg_list(arg, endt - arg, smp->fetch->arg_mask, &smp->arg_p,
211
err, NULL, NULL, al);
213
/* note that make_arg_list will have set <err> here */
214
memprintf(err, "ACL keyword '%s' : %s", aclkw->kw, *err);
219
smp->arg_p = empty_arg_list;
221
else if (smp->fetch->val_args && !smp->fetch->val_args(smp->arg_p, err)) {
222
/* invalid keyword argument, error must have been
225
memprintf(err, "in argument to '%s', %s", aclkw->kw, *err);
230
/* look for the begining of the converters list. Those directly attached
231
* to the ACL keyword are found just after <arg> which points to the comma.
232
* If we find any converter, then we don't use the ACL keyword's match
233
* anymore but the one related to the converter's output type.
235
cur_type = smp->fetch->out_type;
237
struct sample_conv *conv;
238
struct sample_conv_expr *conv_expr;
240
if (*arg == ')') /* skip last closing parenthesis */
243
if (*arg && *arg != ',') {
245
memprintf(err, "ACL keyword '%s' : missing comma after conv keyword '%s'.",
248
memprintf(err, "ACL keyword '%s' : missing comma after fetch keyword.",
253
while (*arg == ',') /* then trailing commas */
256
begw = arg; /* start of conv keyword */
259
/* none ? end of converters */
262
for (endw = begw; *endw && *endw != '(' && *endw != ','; endw++);
265
ckw = my_strndup(begw, endw - begw);
267
conv = find_sample_conv(begw, endw - begw);
269
/* Unknown converter method */
270
memprintf(err, "ACL keyword '%s' : unknown conv method '%s'.",
277
/* look for the end of this term */
278
while (*arg && *arg != ')')
281
memprintf(err, "ACL keyword '%s' : syntax error: missing ')' after conv keyword '%s'.",
287
if (conv->in_type >= SMP_TYPES || conv->out_type >= SMP_TYPES) {
288
memprintf(err, "ACL keyword '%s' : returns type of conv method '%s' is unknown.",
293
/* If impossible type conversion */
294
if (!sample_casts[cur_type][conv->in_type]) {
295
memprintf(err, "ACL keyword '%s' : conv method '%s' cannot be applied.",
300
cur_type = conv->out_type;
301
conv_expr = calloc(1, sizeof(struct sample_conv_expr));
305
LIST_ADDQ(&(smp->conv_exprs), &(conv_expr->list));
306
conv_expr->conv = conv;
312
if (!conv->arg_mask) {
313
memprintf(err, "ACL keyword '%s' : conv method '%s' does not support any args.",
318
al->kw = smp->fetch->kw;
319
al->conv = conv_expr->conv->kw;
320
if (make_arg_list(endw + 1, arg - endw - 1, conv->arg_mask, &conv_expr->arg_p, err, NULL, &err_arg, al) < 0) {
321
memprintf(err, "ACL keyword '%s' : invalid arg %d in conv method '%s' : %s.",
322
aclkw->kw, err_arg+1, ckw, *err);
326
if (!conv_expr->arg_p)
327
conv_expr->arg_p = empty_arg_list;
329
if (conv->val_args && !conv->val_args(conv_expr->arg_p, conv, file, line, err)) {
330
memprintf(err, "ACL keyword '%s' : invalid args in conv method '%s' : %s.",
331
aclkw->kw, ckw, *err);
335
else if (ARGM(conv->arg_mask)) {
336
memprintf(err, "ACL keyword '%s' : missing args for conv method '%s'.",
343
/* This is not an ACL keyword, so we hope this is a sample fetch
344
* keyword that we're going to transparently use as an ACL. If
345
* so, we retrieve a completely parsed expression with args and
346
* convs already done.
348
smp = sample_parse_expr((char **)args, &idx, file, line, err, al);
350
memprintf(err, "%s in ACL expression '%s'", *err, *args);
353
cur_type = smp_expr_output_type(smp);
356
expr = (struct acl_expr *)calloc(1, sizeof(*expr));
358
memprintf(err, "out of memory when parsing ACL expression");
362
pattern_init_head(&expr->pat);
364
expr->pat.expect_type = cur_type;
366
expr->kw = smp->fetch->kw;
367
smp = NULL; /* don't free it anymore */
369
if (aclkw && !acl_conv_found) {
370
expr->kw = aclkw->kw;
371
expr->pat.parse = aclkw->parse ? aclkw->parse : pat_parse_fcts[aclkw->match_type];
372
expr->pat.index = aclkw->index ? aclkw->index : pat_index_fcts[aclkw->match_type];
373
expr->pat.match = aclkw->match ? aclkw->match : pat_match_fcts[aclkw->match_type];
374
expr->pat.delete = aclkw->delete ? aclkw->delete : pat_delete_fcts[aclkw->match_type];
375
expr->pat.prune = aclkw->prune ? aclkw->prune : pat_prune_fcts[aclkw->match_type];
378
if (!expr->pat.parse) {
379
/* Parse/index/match functions depend on the expression type,
380
* so we have to map them now. Some types can be automatically
385
expr->pat.parse = pat_parse_fcts[PAT_MATCH_BOOL];
386
expr->pat.index = pat_index_fcts[PAT_MATCH_BOOL];
387
expr->pat.match = pat_match_fcts[PAT_MATCH_BOOL];
388
expr->pat.delete = pat_delete_fcts[PAT_MATCH_BOOL];
389
expr->pat.prune = pat_prune_fcts[PAT_MATCH_BOOL];
390
expr->pat.expect_type = pat_match_types[PAT_MATCH_BOOL];
394
expr->pat.parse = pat_parse_fcts[PAT_MATCH_INT];
395
expr->pat.index = pat_index_fcts[PAT_MATCH_INT];
396
expr->pat.match = pat_match_fcts[PAT_MATCH_INT];
397
expr->pat.delete = pat_delete_fcts[PAT_MATCH_INT];
398
expr->pat.prune = pat_prune_fcts[PAT_MATCH_INT];
399
expr->pat.expect_type = pat_match_types[PAT_MATCH_INT];
403
expr->pat.parse = pat_parse_fcts[PAT_MATCH_IP];
404
expr->pat.index = pat_index_fcts[PAT_MATCH_IP];
405
expr->pat.match = pat_match_fcts[PAT_MATCH_IP];
406
expr->pat.delete = pat_delete_fcts[PAT_MATCH_IP];
407
expr->pat.prune = pat_prune_fcts[PAT_MATCH_IP];
408
expr->pat.expect_type = pat_match_types[PAT_MATCH_IP];
411
expr->pat.parse = pat_parse_fcts[PAT_MATCH_STR];
412
expr->pat.index = pat_index_fcts[PAT_MATCH_STR];
413
expr->pat.match = pat_match_fcts[PAT_MATCH_STR];
414
expr->pat.delete = pat_delete_fcts[PAT_MATCH_STR];
415
expr->pat.prune = pat_prune_fcts[PAT_MATCH_STR];
416
expr->pat.expect_type = pat_match_types[PAT_MATCH_STR];
421
/* Additional check to protect against common mistakes */
422
if (expr->pat.parse && cur_type != SMP_T_BOOL && !*args[1]) {
423
Warning("parsing acl keyword '%s' :\n"
424
" no pattern to match against were provided, so this ACL will never match.\n"
425
" If this is what you intended, please add '--' to get rid of this warning.\n"
426
" If you intended to match only for existence, please use '-m found'.\n"
427
" If you wanted to force an int to match as a bool, please use '-m bool'.\n"
434
/* check for options before patterns. Supported options are :
435
* -i : ignore case for all patterns by default
436
* -f : read patterns from those files
437
* -m : force matching method (must be used before -f)
438
* -M : load the file as map file
439
* -u : force the unique id of the acl
440
* -- : everything after this is not an option
445
while (**args == '-') {
446
if (strcmp(*args, "-i") == 0)
447
patflags |= PAT_MF_IGNORE_CASE;
448
else if (strcmp(*args, "-n") == 0)
449
patflags |= PAT_MF_NO_DNS;
450
else if (strcmp(*args, "-u") == 0) {
451
unique_id = strtol(args[1], &error, 10);
452
if (*error != '\0') {
453
memprintf(err, "the argument of -u must be an integer");
457
/* Check if this id is really unique. */
458
if (pat_ref_lookupid(unique_id)) {
459
memprintf(err, "the id is already used");
465
else if (strcmp(*args, "-f") == 0) {
466
if (!expr->pat.parse) {
467
memprintf(err, "matching method must be specified first (using '-m') when using a sample fetch of this type ('%s')", expr->kw);
471
if (!pattern_read_from_file(&expr->pat, PAT_REF_ACL, args[1], patflags, load_as_map, err, file, line))
476
else if (strcmp(*args, "-m") == 0) {
480
memprintf(err, "'-m' must only be specified before patterns and files in parsing ACL expression");
484
idx = pat_find_match_name(args[1]);
486
memprintf(err, "unknown matching method '%s' when parsing ACL expression", args[1]);
490
/* Note: -m found is always valid, bool/int are compatible, str/bin/reg/len are compatible */
491
if (!sample_casts[cur_type][pat_match_types[idx]]) {
492
memprintf(err, "matching method '%s' cannot be used with fetch keyword '%s'", args[1], expr->kw);
495
expr->pat.parse = pat_parse_fcts[idx];
496
expr->pat.index = pat_index_fcts[idx];
497
expr->pat.match = pat_match_fcts[idx];
498
expr->pat.delete = pat_delete_fcts[idx];
499
expr->pat.prune = pat_prune_fcts[idx];
500
expr->pat.expect_type = pat_match_types[idx];
503
else if (strcmp(*args, "-M") == 0) {
506
else if (strcmp(*args, "--") == 0) {
511
memprintf(err, "'%s' is not a valid ACL option. Please use '--' before any pattern beginning with a '-'", args[0]);
518
if (!expr->pat.parse) {
519
memprintf(err, "matching method must be specified first (using '-m') when using a sample fetch of this type ('%s')", expr->kw);
523
/* Create displayed reference */
524
snprintf(trash.str, trash.size, "acl '%s' file '%s' line %d", expr->kw, file, line);
525
trash.str[trash.size - 1] = '\0';
527
/* Create new patern reference. */
528
ref = pat_ref_newid(unique_id, trash.str, PAT_REF_ACL);
530
memprintf(err, "memory error");
534
/* Create new pattern expression associated to this reference. */
535
pattern_expr = pattern_new_expr(&expr->pat, ref, err);
539
/* Copy the pattern matching and indexing flags. */
540
pattern_expr->mflags = patflags;
542
/* now parse all patterns */
546
/* Compatibility layer. Each pattern can parse only one string per pattern,
547
* but the pat_parser_int() and pat_parse_dotted_ver() parsers were need
548
* optionnaly two operators. The first operator is the match method: eq,
549
* le, lt, ge and gt. pat_parse_int() and pat_parse_dotted_ver() functions
550
* can have a compatibility syntax based on ranges:
554
* "eq x" -> "x" or "x:x"
556
* "lt x" -> ":y" (with y = x - 1)
558
* "gt x" -> "y:" (with y = x + 1)
560
* pat_parse_dotted_ver():
562
* "eq x.y" -> "x.y" or "x.y:x.y"
564
* "lt x.y" -> ":w.z" (with w.z = x.y - 1)
566
* "gt x.y" -> "w.z:" (with w.z = x.y + 1)
568
* If y is not present, assume that is "0".
570
* The syntax eq, le, lt, ge and gt are proper to the acl syntax. The
571
* following block of code detect the operator, and rewrite each value
572
* in parsable string.
574
if (expr->pat.parse == pat_parse_int ||
575
expr->pat.parse == pat_parse_dotted_ver) {
576
/* Check for operator. If the argument is operator, memorise it and
577
* continue to the next argument.
579
op = get_std_op(arg);
586
/* Check if the pattern contain ':' or '-' character. */
587
contain_colon = (strchr(arg, ':') || strchr(arg, '-'));
589
/* If the pattern contain ':' or '-' character, give it to the parser as is.
590
* If no contain ':' and operator is STD_OP_EQ, give it to the parser as is.
591
* In other case, try to convert the value according with the operator.
593
if (!contain_colon && operator != STD_OP_EQ) {
594
/* Search '.' separator. */
595
dot = strchr(arg, '.');
599
dot = arg + strlen(arg);
604
/* convert the integer minor part for the pat_parse_dotted_ver() function. */
605
if (expr->pat.parse == pat_parse_dotted_ver && have_dot) {
606
if (strl2llrc(dot+1, strlen(dot+1), &minor) != 0) {
607
memprintf(err, "'%s' is neither a number nor a supported operator", arg);
610
if (minor >= 65536) {
611
memprintf(err, "'%s' contains too large a minor value", arg);
616
/* convert the integer value for the pat_parse_int() function, and the
617
* integer major part for the pat_parse_dotted_ver() function.
619
if (strl2llrc(arg, dot - arg, &value) != 0) {
620
memprintf(err, "'%s' is neither a number nor a supported operator", arg);
623
if (expr->pat.parse == pat_parse_dotted_ver) {
624
if (value >= 65536) {
625
memprintf(err, "'%s' contains too large a major value", arg);
628
value = (value << 16) | (minor & 0xffff);
633
case STD_OP_EQ: /* this case is not possible. */
634
memprintf(err, "internal error");
638
value++; /* gt = ge + 1 */
641
if (expr->pat.parse == pat_parse_int)
642
snprintf(buffer, NB_LLMAX_STR+NB_LLMAX_STR+2, "%lld:", value);
644
snprintf(buffer, NB_LLMAX_STR+NB_LLMAX_STR+2, "%lld.%lld:",
645
value >> 16, value & 0xffff);
650
value--; /* lt = le - 1 */
653
if (expr->pat.parse == pat_parse_int)
654
snprintf(buffer, NB_LLMAX_STR+NB_LLMAX_STR+2, ":%lld", value);
656
snprintf(buffer, NB_LLMAX_STR+NB_LLMAX_STR+2, ":%lld.%lld",
657
value >> 16, value & 0xffff);
664
/* Add sample to the reference, and try to compile it fior each pattern
667
if (!pat_ref_add(ref, arg, NULL, err))
675
prune_acl_expr(expr);
684
/* Purge everything in the acl <acl>, then return <acl>. */
685
struct acl *prune_acl(struct acl *acl) {
687
struct acl_expr *expr, *exprb;
691
list_for_each_entry_safe(expr, exprb, &acl->expr, list) {
692
LIST_DEL(&expr->list);
693
prune_acl_expr(expr);
700
/* Parse an ACL with the name starting at <args>[0], and with a list of already
701
* known ACLs in <acl>. If the ACL was not in the list, it will be added.
702
* A pointer to that ACL is returned. If the ACL has an empty name, then it's
703
* an anonymous one and it won't be merged with any other one. If <err> is not
704
* NULL, it will be filled with an appropriate error. This pointer must be
705
* freeable or NULL. <al> is the arg_list serving as a head for unresolved
708
* args syntax: <aclname> <acl_expr>
710
struct acl *parse_acl(const char **args, struct list *known_acl, char **err, struct arg_list *al,
711
const char *file, int line)
713
__label__ out_return, out_free_acl_expr, out_free_name;
715
struct acl_expr *acl_expr;
719
if (**args && (pos = invalid_char(*args))) {
720
memprintf(err, "invalid character in ACL name : '%c'", *pos);
724
acl_expr = parse_acl_expr(args + 1, err, al, file, line);
726
/* parse_acl_expr will have filled <err> here */
730
/* Check for args beginning with an opening parenthesis just after the
731
* subject, as this is almost certainly a typo. Right now we can only
732
* emit a warning, so let's do so.
734
if (!strchr(args[1], '(') && *args[2] == '(')
735
Warning("parsing acl '%s' :\n"
736
" matching '%s' for pattern '%s' is likely a mistake and probably\n"
737
" not what you want. Maybe you need to remove the extraneous space before '('.\n"
738
" If you are really sure this is not an error, please insert '--' between the\n"
739
" match and the pattern to make this warning message disappear.\n",
740
args[0], args[1], args[2]);
743
cur_acl = find_acl_by_name(args[0], known_acl);
748
name = strdup(args[0]);
750
memprintf(err, "out of memory when parsing ACL");
751
goto out_free_acl_expr;
753
cur_acl = (struct acl *)calloc(1, sizeof(*cur_acl));
754
if (cur_acl == NULL) {
755
memprintf(err, "out of memory when parsing ACL");
759
LIST_INIT(&cur_acl->expr);
760
LIST_ADDQ(known_acl, &cur_acl->list);
761
cur_acl->name = name;
764
/* We want to know what features the ACL needs (typically HTTP parsing),
765
* and where it may be used. If an ACL relies on multiple matches, it is
766
* OK if at least one of them may match in the context where it is used.
768
cur_acl->use |= acl_expr->smp->fetch->use;
769
cur_acl->val |= acl_expr->smp->fetch->val;
770
LIST_ADDQ(&cur_acl->expr, &acl_expr->list);
776
prune_acl_expr(acl_expr);
782
/* Some useful ACLs provided by default. Only those used are allocated. */
786
const char *expr[4]; /* put enough for longest expression */
787
} default_acl_list[] = {
788
{ .name = "TRUE", .expr = {"always_true",""}},
789
{ .name = "FALSE", .expr = {"always_false",""}},
790
{ .name = "LOCALHOST", .expr = {"src","127.0.0.1/8",""}},
791
{ .name = "HTTP", .expr = {"req_proto_http",""}},
792
{ .name = "HTTP_1.0", .expr = {"req_ver","1.0",""}},
793
{ .name = "HTTP_1.1", .expr = {"req_ver","1.1",""}},
794
{ .name = "METH_CONNECT", .expr = {"method","CONNECT",""}},
795
{ .name = "METH_GET", .expr = {"method","GET","HEAD",""}},
796
{ .name = "METH_HEAD", .expr = {"method","HEAD",""}},
797
{ .name = "METH_OPTIONS", .expr = {"method","OPTIONS",""}},
798
{ .name = "METH_POST", .expr = {"method","POST",""}},
799
{ .name = "METH_TRACE", .expr = {"method","TRACE",""}},
800
{ .name = "HTTP_URL_ABS", .expr = {"url_reg","^[^/:]*://",""}},
801
{ .name = "HTTP_URL_SLASH", .expr = {"url_beg","/",""}},
802
{ .name = "HTTP_URL_STAR", .expr = {"url","*",""}},
803
{ .name = "HTTP_CONTENT", .expr = {"hdr_val(content-length)","gt","0",""}},
804
{ .name = "RDP_COOKIE", .expr = {"req_rdp_cookie_cnt","gt","0",""}},
805
{ .name = "REQ_CONTENT", .expr = {"req_len","gt","0",""}},
806
{ .name = "WAIT_END", .expr = {"wait_end",""}},
807
{ .name = NULL, .expr = {""}}
810
/* Find a default ACL from the default_acl list, compile it and return it.
811
* If the ACL is not found, NULL is returned. In theory, it cannot fail,
812
* except when default ACLs are broken, in which case it will return NULL.
813
* If <known_acl> is not NULL, the ACL will be queued at its tail. If <err> is
814
* not NULL, it will be filled with an error message if an error occurs. This
815
* pointer must be freeable or NULL. <al> is an arg_list serving as a list head
816
* to report missing dependencies.
818
static struct acl *find_acl_default(const char *acl_name, struct list *known_acl,
819
char **err, struct arg_list *al,
820
const char *file, int line)
822
__label__ out_return, out_free_acl_expr, out_free_name;
824
struct acl_expr *acl_expr;
828
for (index = 0; default_acl_list[index].name != NULL; index++) {
829
if (strcmp(acl_name, default_acl_list[index].name) == 0)
833
if (default_acl_list[index].name == NULL) {
834
memprintf(err, "no such ACL : '%s'", acl_name);
838
acl_expr = parse_acl_expr((const char **)default_acl_list[index].expr, err, al, file, line);
840
/* parse_acl_expr must have filled err here */
844
name = strdup(acl_name);
846
memprintf(err, "out of memory when building default ACL '%s'", acl_name);
847
goto out_free_acl_expr;
850
cur_acl = (struct acl *)calloc(1, sizeof(*cur_acl));
851
if (cur_acl == NULL) {
852
memprintf(err, "out of memory when building default ACL '%s'", acl_name);
856
cur_acl->name = name;
857
cur_acl->use |= acl_expr->smp->fetch->use;
858
cur_acl->val |= acl_expr->smp->fetch->val;
859
LIST_INIT(&cur_acl->expr);
860
LIST_ADDQ(&cur_acl->expr, &acl_expr->list);
862
LIST_ADDQ(known_acl, &cur_acl->list);
869
prune_acl_expr(acl_expr);
875
/* Purge everything in the acl_cond <cond>, then return <cond>. */
876
struct acl_cond *prune_acl_cond(struct acl_cond *cond)
878
struct acl_term_suite *suite, *tmp_suite;
879
struct acl_term *term, *tmp_term;
881
/* iterate through all term suites and free all terms and all suites */
882
list_for_each_entry_safe(suite, tmp_suite, &cond->suites, list) {
883
list_for_each_entry_safe(term, tmp_term, &suite->terms, list)
890
/* Parse an ACL condition starting at <args>[0], relying on a list of already
891
* known ACLs passed in <known_acl>. The new condition is returned (or NULL in
892
* case of low memory). Supports multiple conditions separated by "or". If
893
* <err> is not NULL, it will be filled with a pointer to an error message in
894
* case of error, that the caller is responsible for freeing. The initial
895
* location must either be freeable or NULL. The list <al> serves as a list head
896
* for unresolved dependencies.
898
struct acl_cond *parse_acl_cond(const char **args, struct list *known_acl,
899
enum acl_cond_pol pol, char **err, struct arg_list *al,
900
const char *file, int line)
902
__label__ out_return, out_free_suite, out_free_term;
906
struct acl_term *cur_term;
907
struct acl_term_suite *cur_suite;
908
struct acl_cond *cond;
909
unsigned int suite_val;
911
cond = (struct acl_cond *)calloc(1, sizeof(*cond));
913
memprintf(err, "out of memory when parsing condition");
917
LIST_INIT(&cond->list);
918
LIST_INIT(&cond->suites);
925
for (arg = 0; *args[arg]; arg++) {
928
/* remove as many exclamation marks as we can */
929
while (*word == '!') {
934
/* an empty word is allowed because we cannot force the user to
935
* always think about not leaving exclamation marks alone.
940
if (strcasecmp(word, "or") == 0 || strcmp(word, "||") == 0) {
942
cond->val |= suite_val;
949
if (strcmp(word, "{") == 0) {
950
/* we may have a complete ACL expression between two braces,
953
int arg_end = arg + 1;
954
const char **args_new;
956
while (*args[arg_end] && strcmp(args[arg_end], "}") != 0)
959
if (!*args[arg_end]) {
960
memprintf(err, "missing closing '}' in condition");
964
args_new = calloc(1, (arg_end - arg + 1) * sizeof(*args_new));
966
memprintf(err, "out of memory when parsing condition");
971
memcpy(args_new + 1, args + arg + 1, (arg_end - arg) * sizeof(*args_new));
972
args_new[arg_end - arg] = "";
973
cur_acl = parse_acl(args_new, known_acl, err, al, file, line);
977
/* note that parse_acl() must have filled <err> here */
980
word = args[arg + 1];
984
/* search for <word> in the known ACL names. If we do not find
985
* it, let's look for it in the default ACLs, and if found, add
986
* it to the list of ACLs of this proxy. This makes it possible
989
cur_acl = find_acl_by_name(word, known_acl);
990
if (cur_acl == NULL) {
991
cur_acl = find_acl_default(word, known_acl, err, al, file, line);
992
if (cur_acl == NULL) {
993
/* note that find_acl_default() must have filled <err> here */
999
cur_term = (struct acl_term *)calloc(1, sizeof(*cur_term));
1000
if (cur_term == NULL) {
1001
memprintf(err, "out of memory when parsing condition");
1002
goto out_free_suite;
1005
cur_term->acl = cur_acl;
1006
cur_term->neg = neg;
1008
/* Here it is a bit complex. The acl_term_suite is a conjunction
1009
* of many terms. It may only be used if all of its terms are
1010
* usable at the same time. So the suite's validity domain is an
1011
* AND between all ACL keywords' ones. But, the global condition
1012
* is valid if at least one term suite is OK. So it's an OR between
1013
* all of their validity domains. We could emit a warning as soon
1014
* as suite_val is null because it means that the last ACL is not
1015
* compatible with the previous ones. Let's remain simple for now.
1017
cond->use |= cur_acl->use;
1018
suite_val &= cur_acl->val;
1021
cur_suite = (struct acl_term_suite *)calloc(1, sizeof(*cur_suite));
1022
if (cur_suite == NULL) {
1023
memprintf(err, "out of memory when parsing condition");
1026
LIST_INIT(&cur_suite->terms);
1027
LIST_ADDQ(&cond->suites, &cur_suite->list);
1029
LIST_ADDQ(&cur_suite->terms, &cur_term->list);
1033
cond->val |= suite_val;
1039
prune_acl_cond(cond);
1045
/* Builds an ACL condition starting at the if/unless keyword. The complete
1046
* condition is returned. NULL is returned in case of error or if the first
1047
* word is neither "if" nor "unless". It automatically sets the file name and
1048
* the line number in the condition for better error reporting, and sets the
1049
* HTTP intiailization requirements in the proxy. If <err> is not NULL, it will
1050
* be filled with a pointer to an error message in case of error, that the
1051
* caller is responsible for freeing. The initial location must either be
1054
struct acl_cond *build_acl_cond(const char *file, int line, struct proxy *px, const char **args, char **err)
1056
enum acl_cond_pol pol = ACL_COND_NONE;
1057
struct acl_cond *cond = NULL;
1062
if (!strcmp(*args, "if")) {
1066
else if (!strcmp(*args, "unless")) {
1067
pol = ACL_COND_UNLESS;
1071
memprintf(err, "conditions must start with either 'if' or 'unless'");
1075
cond = parse_acl_cond(args, &px->acl, pol, err, &px->conf.args, file, line);
1077
/* note that parse_acl_cond must have filled <err> here */
1083
px->http_needed |= !!(cond->use & SMP_USE_HTTP_ANY);
1087
/* Execute condition <cond> and return either ACL_TEST_FAIL, ACL_TEST_MISS or
1088
* ACL_TEST_PASS depending on the test results. ACL_TEST_MISS may only be
1089
* returned if <opt> does not contain SMP_OPT_FINAL, indicating that incomplete
1090
* data is being examined. The function automatically sets SMP_OPT_ITERATE. This
1091
* function only computes the condition, it does not apply the polarity required
1092
* by IF/UNLESS, it's up to the caller to do this using something like this :
1094
* res = acl_pass(res);
1095
* if (res == ACL_TEST_MISS)
1097
* if (cond->pol == ACL_COND_UNLESS)
1100
enum acl_test_res acl_exec_cond(struct acl_cond *cond, struct proxy *px, struct session *l4, void *l7, unsigned int opt)
1102
__label__ fetch_next;
1103
struct acl_term_suite *suite;
1104
struct acl_term *term;
1105
struct acl_expr *expr;
1108
enum acl_test_res acl_res, suite_res, cond_res;
1110
/* ACLs are iterated over all values, so let's always set the flag to
1111
* indicate this to the fetch functions.
1113
opt |= SMP_OPT_ITERATE;
1115
/* We're doing a logical OR between conditions so we initialize to FAIL.
1116
* The MISS status is propagated down from the suites.
1118
cond_res = ACL_TEST_FAIL;
1119
list_for_each_entry(suite, &cond->suites, list) {
1120
/* Evaluate condition suite <suite>. We stop at the first term
1121
* which returns ACL_TEST_FAIL. The MISS status is still propagated
1122
* in case of uncertainty in the result.
1125
/* we're doing a logical AND between terms, so we must set the
1126
* initial value to PASS.
1128
suite_res = ACL_TEST_PASS;
1129
list_for_each_entry(term, &suite->terms, list) {
1132
/* FIXME: use cache !
1133
* check acl->cache_idx for this.
1136
/* ACL result not cached. Let's scan all the expressions
1137
* and use the first one to match.
1139
acl_res = ACL_TEST_FAIL;
1140
list_for_each_entry(expr, &acl->expr, list) {
1141
/* we need to reset context and flags */
1142
memset(&smp, 0, sizeof(smp));
1144
if (!sample_process(px, l4, l7, opt, expr->smp, &smp)) {
1145
/* maybe we could not fetch because of missing data */
1146
if (smp.flags & SMP_F_MAY_CHANGE && !(opt & SMP_OPT_FINAL))
1147
acl_res |= ACL_TEST_MISS;
1151
acl_res |= pat2acl(pattern_exec_match(&expr->pat, &smp, 0));
1153
* OK now acl_res holds the result of this expression
1154
* as one of ACL_TEST_FAIL, ACL_TEST_MISS or ACL_TEST_PASS.
1156
* Then if (!MISS) we can cache the result, and put
1157
* (smp.flags & SMP_F_VOLATILE) in the cache flags.
1159
* FIXME: implement cache.
1163
/* we're ORing these terms, so a single PASS is enough */
1164
if (acl_res == ACL_TEST_PASS)
1167
if (smp.flags & SMP_F_NOT_LAST)
1170
/* sometimes we know the fetched data is subject to change
1171
* later and give another chance for a new match (eg: request
1174
if (smp.flags & SMP_F_MAY_CHANGE && !(opt & SMP_OPT_FINAL))
1175
acl_res |= ACL_TEST_MISS;
1178
* Here we have the result of an ACL (cached or not).
1179
* ACLs are combined, negated or not, to form conditions.
1183
acl_res = acl_neg(acl_res);
1185
suite_res &= acl_res;
1187
/* we're ANDing these terms, so a single FAIL or MISS is enough */
1188
if (suite_res != ACL_TEST_PASS)
1191
cond_res |= suite_res;
1193
/* we're ORing these terms, so a single PASS is enough */
1194
if (cond_res == ACL_TEST_PASS)
1200
/* Returns a pointer to the first ACL conflicting with usage at place <where>
1201
* which is one of the SMP_VAL_* bits indicating a check place, or NULL if
1202
* no conflict is found. Only full conflicts are detected (ACL is not usable).
1203
* Use the next function to check for useless keywords.
1205
const struct acl *acl_cond_conflicts(const struct acl_cond *cond, unsigned int where)
1207
struct acl_term_suite *suite;
1208
struct acl_term *term;
1211
list_for_each_entry(suite, &cond->suites, list) {
1212
list_for_each_entry(term, &suite->terms, list) {
1214
if (!(acl->val & where))
1221
/* Returns a pointer to the first ACL and its first keyword to conflict with
1222
* usage at place <where> which is one of the SMP_VAL_* bits indicating a check
1223
* place. Returns true if a conflict is found, with <acl> and <kw> set (if non
1224
* null), or false if not conflict is found. The first useless keyword is
1227
int acl_cond_kw_conflicts(const struct acl_cond *cond, unsigned int where, struct acl const **acl, char const **kw)
1229
struct acl_term_suite *suite;
1230
struct acl_term *term;
1231
struct acl_expr *expr;
1233
list_for_each_entry(suite, &cond->suites, list) {
1234
list_for_each_entry(term, &suite->terms, list) {
1235
list_for_each_entry(expr, &term->acl->expr, list) {
1236
if (!(expr->smp->fetch->val & where)) {
1250
* Find targets for userlist and groups in acl. Function returns the number
1251
* of errors or OK if everything is fine. It must be called only once sample
1252
* fetch arguments have been resolved (after smp_resolve_args()).
1254
int acl_find_targets(struct proxy *p)
1258
struct acl_expr *expr;
1259
struct pattern_list *pattern;
1261
struct pattern_expr_list *pexp;
1263
list_for_each_entry(acl, &p->acl, list) {
1264
list_for_each_entry(expr, &acl->expr, list) {
1265
if (!strcmp(expr->kw, "http_auth_group")) {
1266
/* Note: the ARGT_USR argument may only have been resolved earlier
1267
* by smp_resolve_args().
1269
if (expr->smp->arg_p->unresolved) {
1270
Alert("Internal bug in proxy %s: %sacl %s %s() makes use of unresolved userlist '%s'. Please report this.\n",
1271
p->id, *acl->name ? "" : "anonymous ", acl->name, expr->kw, expr->smp->arg_p->data.str.str);
1276
if (LIST_ISEMPTY(&expr->pat.head)) {
1277
Alert("proxy %s: acl %s %s(): no groups specified.\n",
1278
p->id, acl->name, expr->kw);
1283
/* For each pattern, check if the group exists. */
1284
list_for_each_entry(pexp, &expr->pat.head, list) {
1285
if (LIST_ISEMPTY(&pexp->expr->patterns)) {
1286
Alert("proxy %s: acl %s %s(): no groups specified.\n",
1287
p->id, acl->name, expr->kw);
1292
list_for_each_entry(pattern, &pexp->expr->patterns, list) {
1293
/* this keyword only has one argument */
1294
if (!check_group(expr->smp->arg_p->data.usr, pattern->pat.ptr.str)) {
1295
Alert("proxy %s: acl %s %s(): invalid group '%s'.\n",
1296
p->id, acl->name, expr->kw, pattern->pat.ptr.str);
1308
/* initializes ACLs by resolving the sample fetch names they rely upon.
1309
* Returns 0 on success, otherwise an error.
1316
struct acl_kw_list *kwl;
1317
struct sample_fetch *smp;
1319
list_for_each_entry(kwl, &acl_keywords.list, list) {
1320
for (index = 0; kwl->kw[index].kw != NULL; index++) {
1321
name = kwl->kw[index].fetch_kw;
1323
name = kwl->kw[index].kw;
1325
smp = find_sample_fetch(name, strlen(name));
1327
Alert("Critical internal error: ACL keyword '%s' relies on sample fetch '%s' which was not registered!\n",
1328
kwl->kw[index].kw, name);
1332
kwl->kw[index].smp = smp;
1338
/************************************************************************/
1339
/* All supported sample and ACL keywords must be declared here. */
1340
/************************************************************************/
1342
/* Note: must not be declared <const> as its list will be overwritten.
1343
* Please take care of keeping this list alphabetically sorted.
1345
static struct acl_kw_list acl_kws = {ILH, {
1349
__attribute__((constructor))
1350
static void __acl_init(void)
1352
acl_register_keywords(&acl_kws);