/*
2 include/types/acl.h
3 This file provides structures and types for ACLs.
4
5 Copyright (C) 2000-2007 Willy Tarreau - w@1wt.eu
6
7 This library is free software; you can redistribute it and/or
8 modify it under the terms of the GNU Lesser General Public
9 License as published by the Free Software Foundation, version 2.1
10 exclusively.
11
12 This library is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 Lesser General Public License for more details.
16
17 You should have received a copy of the GNU Lesser General Public
18 License along with this library; if not, write to the Free Software
19 Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20*/
21
22#ifndef _TYPES_ACL_H
23#define _TYPES_ACL_H
24
25#include <common/compat.h>
26#include <common/config.h>
27#include <common/mini-clist.h>
28
29#include <types/proxy.h>
30#include <types/session.h>
31
32
/* Result of a pattern matching function (acl_match_*). PASS and MISS occupy
 * distinct bits; FAIL is the absence of both.
 */
enum {
	ACL_PAT_FAIL = 0x00,	/* the test did not match */
	ACL_PAT_PASS = 0x01,	/* the test matched */
	ACL_PAT_MISS = 0x02,	/* undecidable: required information is missing (do not cache) */
};
39
/* Polarity of a condition: whether it was introduced by 'if' or by 'unless'.
 * Keeping it inside the condition lets any option that stores a condition
 * pointer recover the polarity without extra state.
 */
enum {
	ACL_COND_NONE = 0,	/* polarity not set yet */
	ACL_COND_IF = 1,	/* positive condition, introduced by 'if' */
	ACL_COND_UNLESS = 2,	/* negative condition, introduced by 'unless' */
};
48
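/* Flags describing an intermediate test value (struct acl_test.flags). They
 * are maintained across consecutive fetches for a same entry (eg: parse all
 * req lines), so a value set by one fetch is still visible to the next one.
 */
enum {
	ACL_TEST_F_READ_ONLY  = 1 << 0,	/* test data are read-only */
	ACL_TEST_F_MUST_FREE  = 1 << 1,	/* test data must be freed after end of evaluation */
	ACL_TEST_F_VOL_TEST   = 1 << 2,	/* result must not survive longer than the test (eg: time) */
	ACL_TEST_F_VOL_HDR    = 1 << 3,	/* result sensitive to changes in headers */
	ACL_TEST_F_VOL_1ST    = 1 << 4,	/* result sensitive to changes in first line (eg: URI) */
	ACL_TEST_F_VOL_TXN    = 1 << 5,	/* result sensitive to new transaction (eg: persist) */
	ACL_TEST_F_VOL_SESS   = 1 << 6,	/* result sensitive to new session (eg: IP) */
	/* Mask of every volatility flag. Built from the names above rather than
	 * from bit positions so that adding or renumbering a VOL_* flag cannot
	 * silently leave a result cached longer than it should be.
	 */
	ACL_TEST_F_VOLATILE   = ACL_TEST_F_VOL_TEST | ACL_TEST_F_VOL_HDR |
	                        ACL_TEST_F_VOL_1ST | ACL_TEST_F_VOL_TXN |
	                        ACL_TEST_F_VOL_SESS,
	ACL_TEST_F_FETCH_MORE = 1 << 7,	/* if test does not match, retry with next entry */
};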
63
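/* A time range plus the valid days of week, packed into 29 bits.
 * The fields are declared unsigned on purpose: whether a plain 'int'
 * bit-field is signed is implementation-defined (it is signed on GCC), and a
 * signed 5-bit field cannot hold 24, nor a signed 6-bit field 60, which the
 * "24:0 means all day" convention below requires.
 */
struct acl_time {
	unsigned int dow:7;		/* 1 bit per day of week: 0-6 */
	unsigned int h1:5, m1:6;	/* range start, 0..24:0..60. Use 0:0 for all day. */
	unsigned int h2:5, m2:6;	/* range end, 0..24:0..60. Use 24:0 for all day. */
};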
70
/* One pattern of an ACL expression, chained on acl_expr.patterns. The acl
 * will be linked to from the proxy where it is declared.
 * Only one member of each union is meaningful for a given keyword; which one
 * is filled is decided by the keyword's parse() function (see struct
 * acl_keyword below).
 */
struct acl_pattern {
	struct list list;			/* chaining into acl_expr.patterns */
	union {
		int i;				/* integer value */
		struct { int min, max; } range;	/* integer range */
		struct sockaddr_in ipv4;	/* IPv4 address. NOTE(review): <netinet/in.h> is not
						 * included by this header — presumably reached via the
						 * types/*.h includes above; confirm */
		struct acl_time time;		/* valid hours and days */
	} val;					/* direct value, stored inline */
	union {
		void *ptr;			/* any data */
		char *str;			/* any string */
		regex_t *reg;			/* a compiled regex (regex_t from <regex.h>, not included here) */
	} ptr;					/* indirect values, allocated. NOTE(review): who frees
						 * them is not stated in this header — confirm in acl.c */
	int len;				/* data length when required */
};
87
/* The structure exchanged between an acl_fetch_* function responsible for
 * retrieving a value, and an acl_match_* function responsible for testing it.
 * Depending on the keyword, the value is carried either in <i> or in the
 * <ptr>/<len> byte range.
 */
struct acl_test {
	int i;			/* integer value */
	char *ptr;		/* pointer to beginning of value */
	int len;		/* length of value at ptr, otherwise ignored.
				 * NOTE(review): nothing here promises a NUL at ptr[len],
				 * so matchers should bound their reads by len — confirm
				 * against the acl_match_* implementations */
	int flags;		/* ACL_TEST_F_* set to 0 on first call, then maintained
				 * across consecutive fetches for the same entry */
	union {			/* fetch_* functions context for any purpose; its meaning
				 * is private to the fetch function that sets it */
		void *p;
		int i;
	} ctx;
};
101
102
103/*
104 * ACL keyword: Associates keywords with parsers, methods to retrieve the value and testers.
105 */
106
/* Forward declarations so that the callback prototypes below only need
 * pointers to these types. Their full definitions are presumably already
 * provided by the types/proxy.h and types/session.h includes above, in which
 * case these lines are redundant but harmless.
 */
struct proxy;
struct session;
110
/* An ACL keyword: associates a keyword string with the function that parses
 * its patterns, the function that fetches the subject, and the function that
 * matches a fetched subject against a pattern. Return conventions of the
 * callbacks are not documented in this header.
 */
struct acl_keyword {
	const char *kw;		/* the keyword string */
	int (*parse)(const char *text, struct acl_pattern *pattern);	/* fills <pattern> from the text of one pattern */
	int (*fetch)(struct proxy *px, struct session *l4, void *l7, void *arg, struct acl_test *test);	/* retrieves the subject into <test>.
										 * <l7> and <arg> are untyped: the caller and the
										 * fetch function must agree on what they point to */
	int (*match)(struct acl_test *test, struct acl_pattern *pattern);	/* tests <test> against <pattern>; presumably
										 * returns ACL_PAT_* (see the acl_expr description) */
	int use_cnt;		/* use counter — TODO confirm what increments it */
};
118
/*
 * A keyword list. It is a NULL-terminated array of keywords (presumably the
 * terminating entry has kw == NULL — confirm against the users). It embeds a
 * struct list in order to be linked to other lists, allowing it to easily
 * be declared where it is needed, and linked without duplicating data nor
 * allocating memory.
 */
struct acl_kw_list {
	struct list list;			/* chaining of keyword lists */
	struct acl_keyword kw[VAR_ARRAY];	/* trailing keyword array; VAR_ARRAY is expected
						 * to come from common/compat.h */
};
129
/*
 * Description of an ACL expression.
 * It contains a subject and a set of patterns to test against it.
 * - the function get() is called to retrieve the subject from the
 *   current session or transaction and build a test.
 * - the function test() is called to evaluate the test based on the
 *   available patterns and return ACL_PAT_*
 * Both of those functions are available through the keyword, where they
 * are the fetch() and match() members of struct acl_keyword.
 */
struct acl_expr {
	struct list list;		/* chaining into acl.expr */
	struct acl_keyword *kw;		/* back-reference to the keyword */
	union {				/* optional argument of the subject (eg: header or cookie name) */
		char *str;
	} arg;
	struct list patterns;		/* list of acl_patterns */
};
147
/* A named ACL, made of a list of expressions. */
struct acl {
	struct list list;	/* chaining */
	char *name;		/* acl name */
	struct list expr;	/* list of acl_exprs */
	int cache_idx;		/* ACL index in cache. NOTE(review): the cache itself is not
				 * defined in this header — see where cache_idx is assigned */
};
154
/* One ACL reference inside a term suite, optionally negated. The condition
 * it belongs to will be linked to from an action in a proxy.
 */
struct acl_term {
	struct list list;	/* chaining into acl_term_suite.terms */
	struct acl *acl;	/* acl pointed to by this term */
	int neg;		/* 1 if the ACL result must be negated */
};
161
/* A suite of terms within a condition. How the terms of a suite combine is
 * not stated in this header.
 */
struct acl_term_suite {
	struct list list;	/* chaining of term suites into acl_cond.suites */
	struct list terms;	/* list of acl_terms */
};
166
/* A complete condition: its term suites plus the polarity ('if'/'unless')
 * it was declared with.
 */
struct acl_cond {
	struct list list;	/* Some specific tests may use multiple conditions */
	struct list suites;	/* list of acl_term_suites */
	int pol;		/* polarity: ACL_COND_IF / ACL_COND_UNLESS (ACL_COND_NONE until set) */
};
172
173
174#endif /* _TYPES_ACL_H */
175
176/*
177 * Local variables:
178 * c-indent-level: 8
179 * c-basic-offset: 8
180 * End:
181 */