Retrieve client connection information for ACL checks from the related HttpRequest...

This patch enable SSL client certificate ACL checks (user_cert and ca_cert)
in all cases the client connection information can retrieved from the related
HttpRequest object, eg when making peering decisions (peer_cache_access ACL).

Discussed under the "Supply client connection and IDENT information to
peer_cache_access ACL check" thread on squid-dev.

This is a Measurement Factory project

diff --git a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc
index eea3fd96ea706a5664f067ffbc5a138b2f7de23b..8a03fc175a39fd0974d10d75892282b8f8f917f4 100644 (file)
--- a/src/acl/FilledChecklist.cc
+++ b/src/acl/FilledChecklist.cc
@@ -85,6 +85,8 @@ ACLFilledChecklist::conn() const
 void
 ACLFilledChecklist::conn(ConnStateData *aConn)
 {
+    if (conn() == aConn)
+        return;
     assert (conn() == NULL);
     conn_ = cbdataReference(aConn);
 }
@@ -180,6 +182,9 @@ ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_re
 #endif /* FOLLOW_X_FORWARDED_FOR */
             src_addr = request->client_addr;
         my_addr = request->my_addr;
+
+        if (request->clientConnectionManager.valid())
+            conn(request->clientConnectionManager.get()); 
     }
 
 #if USE_IDENT

diff --git a/src/client_side.cc b/src/client_side.cc
index 4a7bc3c90a4401308220281f4984366c9736d3ec..f3a68c26de53eec4a4b15d8cfe51d604ab5cd9ef 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3734,7 +3734,6 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &cer
 
         ACLFilledChecklist checklist(NULL, sslServerBump->request,
                                      clientConnection != NULL ? clientConnection->rfc931 : dash_str);
-        checklist.conn(this);
         checklist.sslErrors = cbdataReference(sslServerBump->sslErrors);
 
         for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != NULL; ca = ca->next) {
@@ -4240,16 +4239,6 @@ clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http)
      * the ident result on persistent connections...
      */
     /* connection oriented auth also needs these two lines for it's operation. */
-    /*
-     * Internal requests do not have a connection reference, because: A) their
-     * byte count may be transformed before being applied to an outbound
-     * connection B) they are internal - any limiting on them should be done on
-     * the server end.
-     */
-
-    if (conn != NULL)
-        ch->conn(conn);        /* unreferenced in FilledCheckList.cc */
-
     return ch;
 }
 

diff --git a/src/neighbors.cc b/src/neighbors.cc
index 373dc27ddfb211ed9b75fa83470bc2cbedc2ade2..a228a560bc0abc8ba07b08674094a0b6bf2b4cc6 100644 (file)
--- a/src/neighbors.cc
+++ b/src/neighbors.cc
@@ -199,17 +199,6 @@ peerAllowedToUse(const peer * p, HttpRequest * request)
     checklist.src_addr = request->client_addr;
     checklist.my_addr = request->my_addr;
 
-#if 0 && USE_IDENT
-    /*
-     * this is currently broken because 'request->user_ident' has been
-     * moved to conn->rfc931 and we don't have access to the parent
-     * ConnStateData here.
-     */
-    if (request->user_ident[0])
-        xstrncpy(checklist.rfc931, request->user_ident, USER_IDENT_SZ);
-
-#endif
-
     return (checklist.fastCheck() == ACCESS_ALLOWED);
 }