[squid-dev] [PATCH] Note ACL substrings matching
Amos Jeffries
squid3 at treenet.co.nz
Mon Dec 14 16:04:06 UTC 2015
On 14/12/2015 11:58 p.m., Christos Tsantilas wrote:
> On 12/13/2015 11:31 AM, Amos Jeffries wrote:
>> On 9/12/2015 10:56 p.m., Christos Tsantilas wrote:
>>> There are several use cases where an annotation may contain a list of
>>> values for a single key. Today it is only possible to match the full
>>> annotation value.
>>>
>>> This patch investigates the -m flag which can be used to enable
>>> delimiter separated substrings matching on annotations:
>>>
>>> acl aclname note [-m[=delimiters]] name value ...
>>>
>>> The '-m' flag by default matches comma separated substrings. The
>>> optional "delimiters" parameter is a list of non-alphanumeric
>>> characters, which can be used as alternate delimiters.
>>>
>>> E.g. if an external ACL sets an annotation like:
>>> "applications=http,facebook,facebook-chat"
>>> the following ACLs can be used to block access to certain applications:
>>>
>>> acl fb_chat note -m applications facebook-chat
>>> acl db_upload note -m applications dropbox-upload
>>> http_access deny fb_chat
>>> http_access deny db_upload
>>>
>>> This is a Measurement Factory project
>>
>>
>> Annotations from the helper are kv-pair. By definition that means
>> singular value per key on helper responses. Values are also stored
>> internally separate, and matched individually against the ACL values.
>
> Yes, but a simple value may consist of a string which includes spaces or
> commas, like those in your following examples
>
>>
>> Any concatenation of values that would need this delimiting is solely an
>> artifact of the reporting method (logformat, header sets, etc).
>>
>> So where is the need for this coming from?
>
> Imagine cases where an ICAP/ECAP meta header includes a list, for
> example:
> "X-Meta-Applications: http;facebook;facebook-chat"
>
> This is stored as one key value pair.
>
>>
>> Also;
>>
>> How does this interact with helpers that return multiple kv-pairs ?
>> eg. OK user=foo group=Group1 group=Group2 group=group3
>
> the acl:
> acl GROUP1 note -m group Group1
>
> still matches.
>
>
>
>>
>> How does it interact with kv-pair which contain the delimiter characters
>> internally?
>> eg OK group=Group,1 group=Group2
>
> To match the following kv pairs:
> OK group=Group1;subgroupTesters group=Group2
>
> Should use acls in the form:
> acl SUBGROUPTESTERS note -m=; group subgroupTesters
> acl GROUP1 note -m; group Group1
> acl GROUP2 note -m; group Group2
>
>
>>
>> What about when those delimiters are escaped?
>> eg. OK group="Group\,One" group=Group%2cTwo
>
> Well, this patch does not handle all these cases, someone has to:
> 1) Fix the helper to always use at least an escaped comma
> 2) Use both '\' and ',' as delimiters to the -m option (accepts more than
> one delimiter):
> acl GROUP2 note -m,\ group Two
>
>
Okay. Fair enough.
Last question:
* why m?
- the others are all initials for something; (i)nsensitive, (s)trict,
(r)egex, (m)???
- maybe this should be the exemplar case for '--' options by
implementing --delim=XYZ
Amos
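
The matching discussed in this thread, as an added example that is not part of the original message or of the Squid patch: a C++ model of `-m` delimiter splitting, assuming exact, case-sensitive token equality and no escape handling. The names `Notes`, `splitTokens` and `noteMatches` are hypothetical.

```cpp
// Added example: a model of the matching described in this thread, not Squid source.
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Annotations as (key, value) pairs; a helper may return the same key more than once.
using Notes = std::vector<std::pair<std::string, std::string>>;

// Split value on any character in delims. Empty delims yields the whole value,
// which models a note ACL without -m. Escapes such as "\," are NOT interpreted.
std::vector<std::string> splitTokens(const std::string &value, const std::string &delims) {
    std::vector<std::string> tokens;
    std::string::size_type start = 0;
    while ((start = value.find_first_not_of(delims, start)) != std::string::npos) {
        const auto end = value.find_first_of(delims, start);
        tokens.push_back(value.substr(start, end - start)); // end == npos takes the rest
        start = end;
    }
    return tokens;
}

// Assumption: a token matches only when it equals the wanted value exactly.
bool noteMatches(const Notes &notes, const std::string &key,
                 const std::string &wanted, const std::string &delims = "") {
    for (const auto &kv : notes) {
        if (kv.first != key)
            continue;
        for (const auto &token : splitTokens(kv.second, delims))
            if (token == wanted)
                return true;
    }
    return false;
}

int main() {
    // Constructed sample annotations, taken from the examples quoted in the thread.
    const Notes notes = {{"applications", "http,facebook,facebook-chat"},
                         {"group", "Group1;subgroupTesters"}, {"group", "Group2"},
                         {"group", "Group\\,One"}};
    std::cout << std::boolalpha
              << noteMatches(notes, "applications", "facebook-chat", ",") << '\n' // -m
              << noteMatches(notes, "applications", "facebook-chat") << '\n'      // no -m
              << noteMatches(notes, "group", "subgroupTesters", ";") << '\n'      // -m=;
              << noteMatches(notes, "group", "One", ",") << '\n'; // escaped comma still splits
}
```

Under this model the value `Group\,One` satisfies an ACL written for `One`, which is the escaped-delimiter case the thread says the patch does not handle.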