MINOR: action: implement experimental actions

Support experimental actions. It is mandatory to use 'expose-experimental-directives' before to be able to use them. If such action is present in the config file, the tainted status of the process is updated. Another tainted status is set when an experimental action is executed.
2024-12-18 17:34:45 +00:00 · 2021-05-07 14:25:01 +02:00 · 2021-05-07 14:25:01 +02:00 · 0351773534
commit 0351773534
parent e4a617c931
3 changed files with 27 additions and 0 deletions
--- a/include/haproxy/global.h
+++ b/include/haproxy/global.h
@ -99,6 +99,7 @@ static inline unsigned long thread_mask(unsigned long mask)
 /* handle 'tainted' status */
 enum tainted_flags {
 	TAINTED_CONFIG_EXP_KW_DECLARED = 0x1,
+	TAINTED_ACTION_EXP_EXECUTED    = 0x2,
 };
 void mark_tainted(const enum tainted_flags flag);
 unsigned int get_tainted();
--- a/src/http_ana.c
+++ b/src/http_ana.c
@ -16,6 +16,7 @@
 #include <haproxy/backend.h>
 #include <haproxy/base64.h>
 #include <haproxy/capture-t.h>
+#include <haproxy/cfgparse.h>
 #include <haproxy/channel.h>
 #include <haproxy/check.h>
 #include <haproxy/connection.h>
@ -2798,6 +2799,9 @@ static enum rule_result http_req_get_intercept_rule(struct proxy *px, struct lis

 		act_opts |= ACT_OPT_FIRST;
  resume_execution:
+		if (rule->kw->flags & KWF_EXPERIMENTAL)
+			mark_tainted(TAINTED_ACTION_EXP_EXECUTED);
+
 		/* Always call the action function if defined */
 		if (rule->action_ptr) {
 			if ((s->req.flags & CF_READ_ERROR) ||
@ -2943,6 +2947,8 @@ static enum rule_result http_res_get_intercept_rule(struct proxy *px, struct lis

 		act_opts |= ACT_OPT_FIRST;
 resume_execution:
+		if (rule->kw->flags & KWF_EXPERIMENTAL)
+			mark_tainted(TAINTED_ACTION_EXP_EXECUTED);

 		/* Always call the action function if defined */
 		if (rule->action_ptr) {
--- a/src/http_rules.c
+++ b/src/http_rules.c
@ -92,6 +92,16 @@ struct act_rule *parse_http_req_cond(const char **args, const char *file, int li
 		cur_arg = 1;
 		/* try in the module list */
 		rule->kw = custom;
+
+		if (custom->flags & KWF_EXPERIMENTAL) {
+			if (!experimental_directives_allowed) {
+				ha_alert("parsing [%s:%d] : '%s' action is experimental, must be allowed via a global 'expose-experimental-directives'\n",
+				         file, linenum, custom->kw);
+				goto out_err;
+			}
+			mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
+		}
+
 		if (custom->parse(args, &cur_arg, proxy, rule, &errmsg) == ACT_RET_PRS_ERR) {
 			ha_alert("parsing [%s:%d] : error detected in %s '%s' while parsing 'http-request %s' rule : %s.\n",
 				 file, linenum, proxy_type_str(proxy), proxy->id, args[0], errmsg);
@ -161,6 +171,16 @@ struct act_rule *parse_http_res_cond(const char **args, const char *file, int li
 		cur_arg = 1;
 		/* try in the module list */
 		rule->kw = custom;
+
+		if (custom->flags & KWF_EXPERIMENTAL) {
+			if (!experimental_directives_allowed) {
+				ha_alert("parsing [%s:%d] : '%s' action is experimental, must be allowed via a global 'expose-experimental-directives'\n",
+				         file, linenum, custom->kw);
+				goto out_err;
+			}
+			mark_tainted(TAINTED_CONFIG_EXP_KW_DECLARED);
+		}
+
 		if (custom->parse(args, &cur_arg, proxy, rule, &errmsg) == ACT_RET_PRS_ERR) {
 			ha_alert("parsing [%s:%d] : error detected in %s '%s' while parsing 'http-response %s' rule : %s.\n",
 				 file, linenum, proxy_type_str(proxy), proxy->id, args[0], errmsg);