acl_save.cgi

Unix下基于Web的管理工具

#!/usr/local/bin/perl
# acl_save.cgi
# Save or delete an ACL

require './squid-lib.pl';
&ReadParse();
$conf = &get_config();
$whatfailed = "Failed to save ACL";

@acls = &find_config("acl", $conf);
@denys = &find_config("deny_info", $conf);
if (defined($in{'index'})) {
	$acl = $conf->[$in{'index'}];
	}
if (defined($in{'dindex'})) {
	$deny = $conf->[$in{'dindex'}];
	}
if ($in{'delete'}) {
	# Is this ACL in use?
	$whatfailed = "Failed to delete ACL";
	$name = $acl->{'values'}->[0];
	foreach $h (&find_config("http_access", $conf)) {
		@v = @{$h->{'values'}};
		for($i=1; $i<@v;  $i++) {
			if ($v[$i] eq $name || $v[$i] eq "!$name") {
				&error("This ACL is being used by a ",
				       "proxy restriction");
				}
			}
		}
	foreach $h (&find_config("icp_access", $conf)) {
		@v = @{$h->{'values'}};
		for($i=1; $i<@v;  $i++) {
			if ($v[$i] eq $in{'name'} || $v[$i] eq "!$in{'name'}") {
				&error("This ACL is being used by an ",
				       "ICP restriction");
				}
			}
		}
	splice(@acls, &indexof($acl, @acls), 1);
	if ($deny) { splice(@denys, &indexof($deny, @denys), 1); }
	}
else {
	# Check ACL details
	$in{'name'} =~ /^\S+$/ || &error("Invalid ACL name");
	$changed++ if ($acl && $in{'name'} ne $acl->{'values'}->[0]);
	for($i=0; $i<@acls; $i++) {
		if ($changed && $acls[$i]->{'values'}->[0] eq $in{'name'}) {
			&error("An ACL called '$in{'name'}' already exists");
			}
		}

	if ($in{'type'} eq "src") {
		for($i=0; defined($from = $in{"from_$i"}); $i++) {
			$to = $in{"to_$i"}; $mask = $in{"mask_$i"};
			next if (!$from && !$to && !$mask);
			&check_ipaddress($from) ||
			       &error("'$from' is not a valid From IP address");
			!$to || &check_ipaddress($to) ||
			       &error("'$to' is not a valid To IP address");
			$mask =~ /^\d+$/ || &check_ipaddress($mask) ||
			       &error("'$mask' is not a valid netmask");
			if ($to) { push(@vals, "$from-$to/$mask"); }
			else { push(@vals, "$from/$mask"); }
			}
		}
	elsif ($in{'type'} eq "dst" || $in{'type'} eq "myip") {
		for($i=0; defined($ip = $in{"ip_$i"}); $i++) {
			$mask = $in{"mask_$i"};
			next if (!$mask || !$ip);
			&check_ipaddress($ip) ||
				&error("'$ip' is not a valid IP address");
			$mask =~ /^\d+$/ || &check_ipaddress($mask) ||
			       &error("'$mask' is not a valid netmask");
			push(@vals, "$ip/$mask");
			}
		}
	elsif ($in{'type'} eq "srcdomain") {
		push(@vals, split(/\s+/, $in{'vals'}));
		if (!@vals) { &error("No client domains given"); }
		}
	elsif ($in{'type'} eq "dstdomain") {
		push(@vals, split(/\s+/, $in{'vals'}));
		if (!@vals) { &error("No server domains given"); }
		}
	elsif ($in{'type'} eq "time") {
		if (!$in{'day_def'}) {
			push(@vals, join('', split(/\0/, $in{'day'})));
			}
		if (!$in{'hour_def'}) {
			$in{'h1'} =~ /^\d+$/ || &error("Invalid starting hour");
			$in{'h2'} =~ /^\d+$/ || &error("Invalid ending hour");
			$in{'m1'} =~ /^\d+$/ || &error("Invalid starting min");
			$in{'m2'} =~ /^\d+$/ || &error("Invalid ending min");
			push(@vals, "$in{'h1'}:$in{'m1'}-$in{'h2'}:$in{'m2'}");
			}
		}
	elsif ($in{'type'} eq "url_regex") {
		push(@vals, split(/\s+/, $in{'vals'}));
		}
	elsif ($in{'type'} eq "urlpath_regex") {
		push(@vals, split(/\s+/, $in{'vals'}));
		}
	elsif ($in{'type'} eq "port") {
		push(@vals, split(/\s+/, $in{'vals'}));
		}
	elsif ($in{'type'} eq "proto") {
		push(@vals, split(/\0/, $in{'vals'}));
		}
	elsif ($in{'type'} eq "method") {
		push(@vals, split(/\0/, $in{'vals'}));
		}
	elsif ($in{'type'} eq "browser") {
		push(@vals, $in{'vals'});
		}
	elsif ($in{'type'} eq "user" || $in{'type'} eq "ident") {
		push(@vals, split(/\s+/, $in{'vals'}));
		}
	elsif ($in{'type'} eq "src_as" || $in{'type'} eq "dst_as") {
		push(@vals, split(/\s+/, $in{'vals'}));
		}
	elsif ($in{'type'} eq "proxy_auth" && $in{'vals'} ne "") {
		push(@vals, $in{'vals'});
		}
	elsif ($in{'type'} eq "srcdom_regex" || $in{'type'} eq "dstdom_regex") {
		push(@vals, split(/\s+/, $in{'vals'}));
		}

	if ($in{'file'}) {
		open(FILE, ">$in{'file'}");
		foreach $v (@vals) {
			print FILE $v,"\n";
			}
		close(FILE);
		@vals = ( $in{'name'}, $in{'type'}, "\"$in{'file'}\"" );
		}
	else {
		@vals = ( $in{'name'}, $in{'type'}, @vals );
		}
	$newacl = { 'name' => 'acl', 'values' => \@vals };
	if ($acl) { splice(@acls, &indexof($acl, @acls), 1, $newacl); }
	else { push(@acls, $newacl); }

	$newdeny = { 'name' => 'deny_info',
		     'values' => [ $in{'deny'}, $vals[0] ] };
	$didx = &indexof($deny, @denys);
	if ($deny && $in{'deny'}) { $denys[$didx] = $newdeny; }
	elsif ($deny) { splice(@denys, $didx, 1); }
	elsif ($in{'deny'}) { push(@denys, $newdeny); }

	# Update http_access and icp_access directives if the ACL was renamed
	if ($changed) {
		@https = &find_config("http_access", $conf);
		@icps = &find_config("icp_access", $conf);
		$on = $acl->{'values'}->[0];
		foreach $c (@https, @icps) {
			for($j=1; $j<@{$c->{'values'}}; $j++) {
				if ($c->{'values'}->[$j] eq $on) {
					$c->{'values'}->[$j] = $in{'name'};
					}
				elsif ($c->{'values'}->[$j] eq "!$on") {
					$c->{'values'}->[$j] = "!$in{'name'}";
					}
				}
			}
		&save_directive($conf, "http_access", \@https);
		&save_directive($conf, "icp_access", \@icps);
		}
	}
&save_directive($conf, "acl", \@acls);
&save_directive($conf, "deny_info", \@denys);
&flush_file_lines();
&redirect("edit_acl.cgi");