Commit | Line | Data |
---|---|---|
bbc27441 | 1 | /* |
b8ae064d | 2 | * Copyright (C) 1996-2023 The Squid Software Foundation and contributors |
bbc27441 AJ |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
ff9d9458 FC |
9 | #ifndef SQUID_SRC_ACL_FILLEDCHECKLIST_H |
10 | #define SQUID_SRC_ACL_FILLEDCHECKLIST_H | |
351fe86d | 11 | |
d4806c91 | 12 | #include "AccessLogEntry.h" |
922513e5 | 13 | #include "acl/Acl.h" |
351fe86d | 14 | #include "acl/Checklist.h" |
6f58d7d7 | 15 | #include "acl/forward.h" |
abdd93d0 | 16 | #include "base/CbcPointer.h" |
83b053a0 | 17 | #include "error/forward.h" |
f05e4f37 | 18 | #include "HttpRequest.h" |
d9c7489e | 19 | #include "ip/Address.h" |
2f1431ea | 20 | #if USE_AUTH |
a33a428a | 21 | #include "auth/UserRequest.h" |
2f1431ea | 22 | #endif |
92e3827b | 23 | #include "security/CertError.h" |
351fe86d | 24 | |
a011edee | 25 | class CachePeer; |
351fe86d AR |
26 | class ConnStateData; |
27 | ||
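/** \ingroup ACLAPI
 *  ACLChecklist filled with specific data, representing Squid and transaction
 *  state for access checks along with some data-specific checking methods.
 *
 *  Instances are not copyable: the copy constructor and the copy assignment
 *  operator are deleted.
 */
class ACLFilledChecklist: public ACLChecklist
{
    CBDATA_CLASS(ACLFilledChecklist);

public:
    ACLFilledChecklist();
    ACLFilledChecklist(const acl_access *, HttpRequest *, const char *ident = nullptr);
    ~ACLFilledChecklist() override;

    /// configure client request-related fields for the first time
    void setRequest(HttpRequest *);

    /// configure rfc931 user identity for the first time
    // NOTE(review): the destination, rfc931, is a fixed USER_IDENT_SZ-byte
    // array and the definition is not in this header -- confirm that it bounds
    // the copy to the array size and always NUL-terminates.
    void setIdent(const char *userIdentity);

public:
    /// The client connection manager
    ConnStateData * conn() const;

    /// The client side fd. It uses conn() if available
    int fd() const;

    /// set the client connection manager
    void setConn(ConnStateData *);
    /// set the client side FD
    void fd(int aDescriptor);

    //int authenticated();

    bool destinationDomainChecked() const;
    void markDestinationDomainChecked();
    bool sourceDomainChecked() const;
    void markSourceDomainChecked();

    // ACLChecklist API
    /// whether a request object is attached (request is not nil)
    bool hasRequest() const override { return request != nullptr; }
    /// whether a reply object is attached (reply is not nil)
    bool hasReply() const override { return reply != nullptr; }
    /// whether an access log entry is attached (al is not nil)
    bool hasAle() const override { return al != nullptr; }
    void syncAle(HttpRequest *adaptedRequest, const char *logUri) const override;
    void verifyAle() const override;

public:
    Ip::Address src_addr;
    Ip::Address dst_addr;
    Ip::Address my_addr;
    SBuf dst_peer_name;
    // raw pointer; NOTE(review): ownership and release of this string are not
    // visible in this header -- confirm against the destructor
    char *dst_rdns;

    HttpRequest::Pointer request;
    // raw pointer, unlike request above; NOTE(review): lifetime management is
    // not visible in this header -- confirm who keeps the reply alive
    HttpReply *reply;

    // fixed-size storage for the rfc931 user identity; see setIdent()
    char rfc931[USER_IDENT_SZ];
#if USE_AUTH
    Auth::UserRequest::Pointer auth_user_request;
#endif
#if SQUID_SNMP
    char *snmp_community;
#endif

    // TODO: RefCount errors; do not ignore them because their "owner" is gone!
    /// TLS server [certificate validation] errors, in undefined order.
    /// The errors are accumulated as Squid goes through validation steps
    /// and server certificates. They are cleared on connection retries.
    /// For sslproxy_cert_error checks, contains just the current/last error.
    CbcPointer<Security::CertErrors> sslErrors;

    /// Peer certificate being checked by ssl_verify_cb() and by
    /// Security::PeerConnector class. In other contexts, the peer
    /// certificate is retrieved via ALE or ConnStateData::serverBump.
    Security::CertPointer serverCert;

    AccessLogEntry::Pointer al; ///< info for the future access.log, and external ACL

    ExternalACLEntryPointer extacl_entry;

    err_type requestErrorType;

private:
    ConnStateData * conn_;          /**< hack for ident and NTLM */
    int fd_;                        /**< may be available when conn_ is not */
    bool destinationDomainChecked_;
    bool sourceDomainChecked_;

    // Copying is unsupported. Deleting these members turns an accidental copy
    // into a compile-time error instead of the link failure that the former
    // declared-but-undefined members produced.
    ACLFilledChecklist(const ACLFilledChecklist &) = delete;
    ACLFilledChecklist &operator=(const ACLFilledChecklist &) = delete;
};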
118 | ||
/// Convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>.
/// \param checklist the generic checklist to downcast; may be nil
/// \returns the same object viewed as an ACLFilledChecklist, or nullptr when
/// checklist is nil or its dynamic type is not ACLFilledChecklist
inline ACLFilledChecklist *
Filled(ACLChecklist *checklist)
{
    // The cast is expected to succeed for any non-nil checklist because
    // ACLChecklist is an abstract class and ACLFilledChecklist is its only
    // [concrete] child. A nil checklist still yields nullptr.
    auto *const filled = dynamic_cast<ACLFilledChecklist*>(checklist);
    return filled;
}
127 | ||
ff9d9458 | 128 | #endif /* SQUID_SRC_ACL_FILLEDCHECKLIST_H */ |
f53969cc | 129 |