Address review notes, and make it work when cache is not enabled.

When cache is not enabled but cache_purge directive is enabled, then PURGE requests are still handled correctly and return HTTP 403 error. Related to #501.
tempesta-tech · Jun 20, 2016 · e4f8c7e · e4f8c7e
1 parent fade20e
commit e4f8c7e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 16 deletions.
diff --git a/tempesta_fw/cache.c b/tempesta_fw/cache.c
@@ -833,10 +833,10 @@ tfw_cache_process(TfwHttpReq *req, TfwHttpResp *resp,
 	TfwWorkTasklet *ct;
 	TfwCWork cw;
 
-	if (!cache_cfg.cache)
-		goto dont_cache;
 	if (req->method == TFW_HTTP_METH_PURGE)
 		goto do_cache;
+	if (!cache_cfg.cache)
+		goto dont_cache;
 	if (!tfw_cache_msg_cacheable(req))
 		goto dont_cache;
 	if (!resp && !tfw_cache_employ_req(req))
@@ -1143,10 +1143,8 @@ tfw_cache_purge_set_expired(TfwHttpReq *req, unsigned long key)
 	TDB *db = node_db();
 	TfwCacheEntry *ce = NULL;
 
-	if (!(ce = tfw_cache_dbce_get(db, &iter, req, key))) {
-		tfw_cache_dbce_put(ce);
+	if (!(ce = tfw_cache_dbce_get(db, &iter, req, key)))
 		return -ENOENT;
-	}
 
 	/* ce->lifetime = 0; */
 
@@ -1160,17 +1158,17 @@ tfw_cache_purge_set_expired(TfwHttpReq *req, unsigned long key)
 static int
 tfw_cache_purge_method(TfwHttpReq *req, unsigned long key)
 {
+	TfwAddr saddr;
 	TfwVhost *vhost = tfw_vhost_get_default();
 
-	if (!vhost->cache_purge)
+	/* Deny PURGE requests by default. */
+	if (!(cache_cfg.cache && vhost->cache_purge && vhost->cache_purge_acl))
 		return tfw_http_send_403((TfwHttpMsg *)req);
 
-	if (vhost->cache_purge_acl) {
-		TfwAddr saddr;
-		tfw_addr_get_sk_saddr(req->conn->sk, &saddr);
-		if (!tfw_capuacl_match(vhost, &saddr))
-			return tfw_http_send_403((TfwHttpMsg *)req);
-	}
+	/* Accept requests from configured hosts only. */
+	tfw_addr_get_sk_saddr(req->conn->sk, &saddr);
+	if (!tfw_capuacl_match(vhost, &saddr))
+		return tfw_http_send_403((TfwHttpMsg *)req);
 
 	if (tfw_cache_purge_set_expired(req, key))
 		return tfw_http_send_404((TfwHttpMsg *)req);
@@ -1224,8 +1222,9 @@ static int
 tfw_cache_start(void)
 {
 	int i, r = 1;
+	TfwVhost *vhost = tfw_vhost_get_default();
 
-	if (!cache_cfg.cache)
+	if (!(cache_cfg.cache || vhost->cache_purge))
 		return 0;
 
 	for_each_node_with_cpus(i) {

diff --git a/tempesta_fw/vhost.c b/tempesta_fw/vhost.c
@@ -765,8 +765,8 @@ tfw_handle_cache_purge(TfwCfgSpec *cs, TfwCfgEntry *ce)
 	TFW_CFG_ENTRY_FOR_EACH_VAL(ce, i, val) {
 		if (!strcasecmp(val, "invalidate")) {
 			vhost->cache_purge_mode = TFW_D_CACHE_PURGE_INVALIDATE;
-		} else if (!strcasecmp(val, "purge")) {
-			vhost->cache_purge_mode = TFW_D_CACHE_PURGE_PURGE;
+		} else if (!strcasecmp(val, "delete")) {
+			vhost->cache_purge_mode = TFW_D_CACHE_PURGE_DELETE;
 		} else {
 			TFW_ERR("%s: unsupported argument: '%s'\n",
 				cs->name, val);
@@ -782,6 +782,9 @@ tfw_handle_cache_purge(TfwCfgSpec *cs, TfwCfgEntry *ce)
 static int
 tfw_vhost_cfg_start(void)
 {
+	if (tfw_vhost_dflt.cache_purge && !tfw_vhost_dflt.cache_purge_acl)
+		TFW_WARN("cache_purge directive works only in combination"
+			 " with cache_purge_acl directive.\n");
 	tfw_vhost_dflt.loc_sz = tfw_location_sz;
 	return 0;
 }

diff --git a/tempesta_fw/vhost.h b/tempesta_fw/vhost.h
@@ -64,7 +64,7 @@ typedef struct {
 /* Cache purge configuration modes. */
 enum {
 	TFW_D_CACHE_PURGE_INVALIDATE,
-	TFW_D_CACHE_PURGE_PURGE,
+	TFW_D_CACHE_PURGE_DELETE,
 };
 
 /*