[squid-dev] [PATCH] Note ACL substrings matching
Christos Tsantilas
christos at chtsanti.net
Mon Dec 14 10:58:10 UTC 2015
On 12/13/2015 11:31 AM, Amos Jeffries wrote:
> On 9/12/2015 10:56 p.m., Christos Tsantilas wrote:
>> There are several use cases where an annotation may contain a list of
>> values for a single key. Today it is only possible to match the full
>> annotation value.
>>
>> This patch investigates the -m flag which can be used to enable
>> delimiter separated substrings matching on annotations:
>>
>> acl aclname note [-m[=delimiters]] name value ...
>>
>> The '-m' flag by default matches comma separated substrings. The
>> optional "delimiters" parameter is a list of non-alphanumeric
>> characters, which can be used as alternate delimiters.
>>
>> E.g. if an external ACL sets an annotation like:
>> "applications=http,facebook,facebook-chat"
>> the following ACLs can be used to block access to certain applications:
>>
>> acl fb_chat note -m applications facebook-chat
>> acl db_upload note -m applications dropbox-upload
>> http_access deny fb_chat
>> http_access deny db_upload
>>
>> This is a Measurement Factory project
>
>
> Annotations from the helper are kv-pair. By definition that means
> singular value per key on helper responses. Values are also stored
> internally separate, and matched individually against the ACL values.
Yes, but a simple value may consist of a string which includes spaces or
commas, like those in your following examples
>
> Any concatenation of values that would need this delimiting is solely an
> artifact of the reporting method (logformat, header sets, etc).
>
> So where is the need for this coming from?
Imagine cases where an ICAP/ECAP meta header includes a list, for
example:
"X-Meta-Applications: http;facebook;facebook-chat"
This is stored as one key value pair.
>
> Also;
>
> How does this interact with helpers that return multiple kv-pairs ?
> eg. OK user=foo group=Group1 group=Group2 group=group3
The acl:
acl GROUP1 note -m group Group1
still matches.
>
> How does it interact with kv-pair which contain the delimiter characters
> internally?
> eg OK group=Group,1 group=Group2
To match the following kv pairs:
OK group=Group1;subgroupTesters group=Group2
you should use ACLs of the form:
acl SUBGROUPTESTERS note -m=; group subgroupTesters
acl GROUP1 note -m=; group Group1
acl GROUP2 note -m=; group Group2
>
> What about when those delimiters are escaped?
> eg. OK group="Group\,One" group=Group%2cTwo
Well, this patch does not handle all these cases, someone has to:
1) Fix the helper to always use at least an escaped comma
2) Use both '\' and ',' as delimiters to the -m option (accepts more than
one delimiter):
acl GROUP2 note -m=,\ group Two
>
>
> Amos
>
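The matching behaviour discussed in this thread, as an added Python model that is not part of the patch or of Squid's code: a plain note ACL compares the whole stored value, while -m[=delimiters] compares each delimited substring. Exact, case-sensitive token comparison and the dropping of empty tokens are assumptions; the function and variable names are hypothetical.

```python
import re

def split_note(value, delimiters=","):
    """Split one annotation value on any single delimiter character."""
    return [t for t in re.split("[" + re.escape(delimiters) + "]", value) if t]

def note_matches(annotations, name, acl_values, delimiters=None):
    """annotations: list of (key, value) pairs, each stored separately.
    delimiters=None models a plain note ACL (whole-value match);
    a string models -m[=delimiters] (match any delimited substring).
    Assumption: tokens are compared exactly and case-sensitively."""
    for key, value in annotations:
        if key != name:
            continue
        if delimiters is None:
            candidates = [value]
        else:
            candidates = split_note(value, delimiters)
        if any(c in acl_values for c in candidates):
            return True
    return False

# Constructed sample annotations, modelled on the examples in the thread.
APPS = [("applications", "http,facebook,facebook-chat")]
META = [("X-Meta-Applications", "http;facebook;facebook-chat")]
MULTI = [("user", "foo"), ("group", "Group1"), ("group", "Group2"),
         ("group", "group3")]
SUB = [("group", "Group1;subgroupTesters"), ("group", "Group2")]
ESCAPED = "Group\\,One"  # the value Group\,One with an escaped comma

if __name__ == "__main__":
    # Without -m the list value never equals a single application name.
    print(note_matches(APPS, "applications", {"facebook-chat"}))
    # With -m (comma default) the deny ACL fires.
    print(note_matches(APPS, "applications", {"facebook-chat"}, ","))
    # A ';' separated header needs -m=; because the comma default sees one token.
    print(note_matches(META, "X-Meta-Applications", {"facebook"}, ","))
    print(note_matches(META, "X-Meta-Applications", {"facebook"}, ";"))
    # Repeated keys are still checked one value at a time.
    print(note_matches(MULTI, "group", {"Group1"}, ","))
    print(note_matches(SUB, "group", {"subgroupTesters"}, ";"))
    # Escapes are not interpreted: the backslash stays in the token unless
    # it is itself listed as a delimiter.
    print(split_note(ESCAPED), split_note(ESCAPED, ",\\"))
```

When such ACLs feed http_access deny rules, it is worth checking that the delimiter set matches what the helper or adaptation service actually emits, since a mismatch leaves the whole list as one token and the rule never matches.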