[thirdparty/squid.git] / src / acl / FilledChecklist.h

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#ifndef SQUID_SRC_ACL_FILLEDCHECKLIST_H
#define SQUID_SRC_ACL_FILLEDCHECKLIST_H

#include "AccessLogEntry.h"
#include "acl/Acl.h"
#include "acl/Checklist.h"
#include "acl/forward.h"
#include "base/CbcPointer.h"
#include "error/forward.h"
#include "HttpRequest.h"
#include "ip/Address.h"
#if USE_AUTH
#include "auth/UserRequest.h"
#endif
#include "security/CertError.h"

class CachePeer;
class ConnStateData;

/** \ingroup ACLAPI
    ACLChecklist filled with specific data, representing Squid and transaction
    state for access checks along with some data-specific checking methods
 */
class ACLFilledChecklist: public ACLChecklist
{
    CBDATA_CLASS(ACLFilledChecklist);

public:
    ACLFilledChecklist();
    ACLFilledChecklist(const acl_access *, HttpRequest *, const char *ident = nullptr);
    ~ACLFilledChecklist() override;

    /// configure client request-related fields for the first time
    void setRequest(HttpRequest *);
    /// configure rfc931 user identity for the first time
    void setIdent(const char *userIdentity);

public:
    /// The client connection manager
    ConnStateData * conn() const;

    /// The client side fd. It uses conn() if available
    int fd() const;

    /// set either conn
    void setConn(ConnStateData *);
    /// set the client side FD
    void fd(int aDescriptor);

    //int authenticated();

    bool destinationDomainChecked() const;
    void markDestinationDomainChecked();
    bool sourceDomainChecked() const;
    void markSourceDomainChecked();

    // ACLChecklist API
    bool hasRequest() const override { return request != nullptr; }
    bool hasReply() const override { return reply != nullptr; }
    bool hasAle() const override { return al != nullptr; }
    void syncAle(HttpRequest *adaptedRequest, const char *logUri) const override;
    void verifyAle() const override;

public:
    Ip::Address src_addr;
    Ip::Address dst_addr;
    Ip::Address my_addr;
    SBuf dst_peer_name;
    char *dst_rdns;

    HttpRequest::Pointer request;
    HttpReply *reply;

    char rfc931[USER_IDENT_SZ];
#if USE_AUTH
    Auth::UserRequest::Pointer auth_user_request;
#endif
#if SQUID_SNMP
    char *snmp_community;
#endif

    // TODO: RefCount errors; do not ignore them because their "owner" is gone!
    /// TLS server [certificate validation] errors, in undefined order.
    /// The errors are accumulated as Squid goes through validation steps
    /// and server certificates. They are cleared on connection retries.
    /// For sslproxy_cert_error checks, contains just the current/last error.
    CbcPointer<Security::CertErrors> sslErrors;

    /// Peer certificate being checked by ssl_verify_cb() and by
    /// Security::PeerConnector class. In other contexts, the peer
    /// certificate is retrieved via ALE or ConnStateData::serverBump.
    Security::CertPointer serverCert;

    AccessLogEntry::Pointer al; ///< info for the future access.log, and external ACL

    ExternalACLEntryPointer extacl_entry;

    err_type requestErrorType;

private:
    ConnStateData * conn_;          /**< hack for ident and NTLM */
    int fd_;                        /**< may be available when conn_ is not */
    bool destinationDomainChecked_;
    bool sourceDomainChecked_;
    /// not implemented; will cause link failures if used
    ACLFilledChecklist(const ACLFilledChecklist &);
    /// not implemented; will cause link failures if used
    ACLFilledChecklist &operator=(const ACLFilledChecklist &);
};

/// convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
inline
ACLFilledChecklist *Filled(ACLChecklist *checklist)
{
    // this should always be safe because ACLChecklist is an abstract class
    // and ACLFilledChecklist is its only [concrete] child
    return dynamic_cast<ACLFilledChecklist*>(checklist);
}

#endif /* SQUID_SRC_ACL_FILLEDCHECKLIST_H */
Commit	Line	Data
bbc27441	1	/*
b8ae064d	2	* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
bbc27441 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
ff9d9458 FC	9	#ifndef SQUID_SRC_ACL_FILLEDCHECKLIST_H
ff9d9458 FC	10	#define SQUID_SRC_ACL_FILLEDCHECKLIST_H
351fe86d	11
d4806c91	12	#include "AccessLogEntry.h"
922513e5	13	#include "acl/Acl.h"
351fe86d	14	#include "acl/Checklist.h"
6f58d7d7	15	#include "acl/forward.h"
abdd93d0	16	#include "base/CbcPointer.h"
83b053a0	17	#include "error/forward.h"
f05e4f37	18	#include "HttpRequest.h"
d9c7489e	19	#include "ip/Address.h"
2f1431ea	20	#if USE_AUTH
a33a428a	21	#include "auth/UserRequest.h"
2f1431ea	22	#endif
92e3827b	23	#include "security/CertError.h"
351fe86d	24
a011edee	25	class CachePeer;
351fe86d AR	26	class ConnStateData;
	27
	28	/** \ingroup ACLAPI
	29	ACLChecklist filled with specific data, representing Squid and transaction
5c2f68b7 AJ	30	state for access checks along with some data-specific checking methods
5c2f68b7 AJ	31	*/
351fe86d AR	32	class ACLFilledChecklist: public ACLChecklist
351fe86d AR	33	{
5c2f68b7 AJ	34	CBDATA_CLASS(ACLFilledChecklist);
5c2f68b7 AJ	35
351fe86d	36	public:
351fe86d	37	ACLFilledChecklist();
3a3d4ba6	38	ACLFilledChecklist(const acl_access , HttpRequest , const char *ident = nullptr);
337b9aa4	39	~ACLFilledChecklist() override;
351fe86d	40
819be284 EB	41	/// configure client request-related fields for the first time
	42	void setRequest(HttpRequest *);
	43	/// configure rfc931 user identity for the first time
	44	void setIdent(const char *userIdentity);
	45
351fe86d	46	public:
233ead05	47	/// The client connection manager
351fe86d AR	48	ConnStateData * conn() const;
351fe86d AR	49
233ead05	50	/// The client side fd. It uses conn() if available
351fe86d AR	51	int fd() const;
	52
	53	/// set either conn
e227da8d	54	void setConn(ConnStateData *);
233ead05	55	/// set the client side FD
351fe86d AR	56	void fd(int aDescriptor);
	57
	58	//int authenticated();
	59
	60	bool destinationDomainChecked() const;
	61	void markDestinationDomainChecked();
	62	bool sourceDomainChecked() const;
	63	void markSourceDomainChecked();
	64
	65	// ACLChecklist API
337b9aa4 AR	66	bool hasRequest() const override { return request != nullptr; }
	67	bool hasReply() const override { return reply != nullptr; }
	68	bool hasAle() const override { return al != nullptr; }
	69	void syncAle(HttpRequest adaptedRequest, const char logUri) const override;
	70	void verifyAle() const override;
351fe86d AR	71
351fe86d AR	72	public:
b7ac5457 AJ	73	Ip::Address src_addr;
	74	Ip::Address dst_addr;
	75	Ip::Address my_addr;
1b091aec	76	SBuf dst_peer_name;
12ef783b	77	char *dst_rdns;
351fe86d	78
f05e4f37	79	HttpRequest::Pointer request;
351fe86d AR	80	HttpReply *reply;
	81
	82	char rfc931[USER_IDENT_SZ];
2f1431ea	83	#if USE_AUTH
c7baff40	84	Auth::UserRequest::Pointer auth_user_request;
2f1431ea	85	#endif
351fe86d AR	86	#if SQUID_SNMP
	87	char *snmp_community;
	88	#endif
	89
27a1c6de	90	// TODO: RefCount errors; do not ignore them because their "owner" is gone!
757a738c AR	91	/// TLS server [certificate validation] errors, in undefined order.
	92	/// The errors are accumulated as Squid goes through validation steps
	93	/// and server certificates. They are cleared on connection retries.
	94	/// For sslproxy_cert_error checks, contains just the current/last error.
27a1c6de	95	CbcPointer<Security::CertErrors> sslErrors;
fab3a825 CT	96
	97	/// Peer certificate being checked by ssl_verify_cb() and by
	98	/// Security::PeerConnector class. In other contexts, the peer
	99	/// certificate is retrieved via ALE or ConnStateData::serverBump.
f97700a0	100	Security::CertPointer serverCert;
351fe86d	101
4e56d7f6	102	AccessLogEntry::Pointer al; ///< info for the future access.log, and external ACL
d4806c91	103
abdd93d0	104	ExternalACLEntryPointer extacl_entry;
351fe86d	105
3248e962 CT	106	err_type requestErrorType;
3248e962 CT	107
351fe86d	108	private:
351fe86d AR	109	ConnStateData * conn_; /*< hack for ident and NTLM /
	110	int fd_; /*< may be available when conn_ is not /
	111	bool destinationDomainChecked_;
	112	bool sourceDomainChecked_;
351fe86d AR	113	/// not implemented; will cause link failures if used
	114	ACLFilledChecklist(const ACLFilledChecklist &);
	115	/// not implemented; will cause link failures if used
	116	ACLFilledChecklist &operator=(const ACLFilledChecklist &);
	117	};
	118
	119	/// convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
	120	inline
	121	ACLFilledChecklist Filled(ACLChecklist checklist)
	122	{
	123	// this should always be safe because ACLChecklist is an abstract class
	124	// and ACLFilledChecklist is its only [concrete] child
	125	return dynamic_cast<ACLFilledChecklist*>(checklist);
	126	}
	127
ff9d9458	128	#endif /* SQUID_SRC_ACL_FILLEDCHECKLIST_H */
f53969cc	129