From: Francesco Chemolli Date: Wed, 12 Sep 2012 16:06:56 +0000 (+0200) Subject: Implemented more RequestFlags getters/setters X-Git-Tag: sourceformat-review-1~6^2~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b58b5f777665d53aacea5a882dbc60a8025eaea7;p=thirdparty%2Fsquid.git Implemented more RequestFlags getters/setters --- diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc index e91c2240b3..95067ca56c 100644 --- a/src/HttpRequest.cc +++ b/src/HttpRequest.cc @@ -581,7 +581,7 @@ HttpRequest::cacheable() const // Because it failed verification, or someone bypassed the security tests // we cannot cache the reponse for sharing between clients. // TODO: update cache to store for particular clients only (going to same Host: and destination IP) - if (!flags.hostVerified && (flags.intercepted || flags.spoof_client_ip)) + if (!flags.hostVerified() && (flags.intercepted() || flags.spoofClientIp())) return false; if (protocol == AnyP::PROTO_HTTP) diff --git a/src/RequestFlags.h b/src/RequestFlags.h index 1ba2dc814f..c9a98e51f1 100644 --- a/src/RequestFlags.h +++ b/src/RequestFlags.h @@ -39,8 +39,8 @@ public: hierarchical(0), loopdetect(0), proxy_keepalive(0), proxying(0), refresh(0), redirected(0), need_validation(0), fail_on_validation_err(0), stale_if_hit(0), nocache_hack(0), accelerated(0), - ignore_cc(0), intercepted(0), hostVerified(0), spoof_client_ip(0), - internal(0), internalclient(false), must_keepalive(false), connection_auth_wanted(false), connection_auth_disabled(false), connection_proxy_auth(false), pinned_(false), + ignore_cc(false), intercepted_(false), hostVerified_(false), spoof_client_ip(false), + internal(false), internalclient(false), must_keepalive(false), connection_auth_wanted(false), connection_auth_disabled(false), connection_proxy_auth(false), pinned_(false), canRePin_(false), authSent_(false), noDirect_(false), chunkedReply_(false), streamError_(false), sslPeek_(false), doneFollowXForwardedFor(!FOLLOW_X_FORWARDED_FOR), @@ -64,11 +64,6 @@ public: /* for changing/ignoring no-cache requests. Unused unless USE_HTTP_VIOLATIONS */ unsigned int nocache_hack :1; unsigned int accelerated :1; - unsigned int ignore_cc :1; - unsigned int intercepted :1; ///< intercepted request - unsigned int hostVerified :1; ///< whether the Host: header passed verification - unsigned int spoof_client_ip :1; /**< spoof client ip if possible */ - unsigned int internal :1; // When adding new flags, please update cloneAdaptationImmune() as needed. bool resetTCP() const; @@ -122,21 +117,41 @@ public: bool pinned() const { return pinned_; } //XXX: oddly this is set in client_side_request.cc, but never checked. - bool wantConnectionProxyAuth() { return connection_proxy_auth; } + bool wantConnectionProxyAuth() const { return connection_proxy_auth; } void requestConnectionProxyAuth() { connection_proxy_auth=true; } void disableConnectionAuth() { connection_auth_disabled=true; } - bool connectionAuthDisabled() { return connection_auth_disabled; } + bool connectionAuthDisabled() const { return connection_auth_disabled; } void wantConnectionAuth() { connection_auth_wanted=true; } - bool connectionAuthWanted() { return connection_auth_wanted; } + bool connectionAuthWanted() const { return connection_auth_wanted; } void setMustKeepalive() { must_keepalive = true; } - bool mustKeepalive() { return must_keepalive; } + bool mustKeepalive() const { return must_keepalive; } //XXX: oddly this is set in client_side_request.cc but never checked. void setInternalClient() { internalclient=true;} + + void markInternal() { internal=true; } + bool isInternal() const { return internal; } + + bool spoofClientIp() const { return spoof_client_ip; } + void setSpoofClientIp() { spoof_client_ip = true; } + + bool hostVerified() const { return hostVerified_; } + void markHostVerified() { hostVerified_=true; } + + bool intercepted() const { return intercepted_; } + void markIntercepted() { intercepted_=true; } + + bool ignoringCacheControl() const { return ignore_cc; } + void ignoreCacheControl() { ignore_cc=true; } private: + bool ignore_cc :1; + bool intercepted_ :1; ///< intercepted request + bool hostVerified_ :1; ///< whether the Host: header passed verification + bool spoof_client_ip :1; /**< spoof client ip if possible */ + bool internal :1; bool internalclient :1; bool must_keepalive :1; bool connection_auth_wanted :1; /** Request wants connection oriented auth */ diff --git a/src/acl/DestinationIp.cc b/src/acl/DestinationIp.cc index 8826080472..f72929e476 100644 --- a/src/acl/DestinationIp.cc +++ b/src/acl/DestinationIp.cc @@ -56,7 +56,7 @@ ACLDestinationIP::match(ACLChecklist *cl) // To resolve this we will force DIRECT and only to the original client destination. // In which case, we also need this ACL to accurately match the destination if (Config.onoff.client_dst_passthru && checklist->request && - (checklist->request->flags.intercepted || checklist->request->flags.spoof_client_ip)) { + (checklist->request->flags.intercepted() || checklist->request->flags.spoofClientIp())) { assert(checklist->conn() && checklist->conn()->clientConnection != NULL); return ACLIP::match(checklist->conn()->clientConnection->local); } diff --git a/src/auth/Acl.cc b/src/auth/Acl.cc index cc5de7b2c0..30229a8aa6 100644 --- a/src/auth/Acl.cc +++ b/src/auth/Acl.cc @@ -34,7 +34,7 @@ AuthenticateAcl(ACLChecklist *ch) } else if (request->flags.accelerated) { /* WWW authorization on accelerated requests */ headertype = HDR_AUTHORIZATION; - } else if (request->flags.intercepted || request->flags.spoof_client_ip) { + } else if (request->flags.intercepted() || request->flags.spoofClientIp()) { debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests."); return ACCESS_DENIED; } else { diff --git a/src/client_side.cc b/src/client_side.cc index a2e34fcb59..d47e2fb48b 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -2656,7 +2656,8 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c request->flags.setSslBumped(conn->switchedToHttps()); if (request->flags.sslBumped() && conn->pinning.pinned) request->flags.allowRepinning(); - request->flags.ignore_cc = conn->port->ignore_cc; + if (conn->port->ignore_cc) + request->flags.ignoreCacheControl(); // TODO: decouple http->flags.accel from request->flags.sslBumped if (request->flags.accelerated && !request->flags.sslBumped()) if (!conn->port->allow_direct) @@ -2673,8 +2674,10 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c * from the port settings to the request. */ if (http->clientConnection != NULL) { - request->flags.intercepted = ((http->clientConnection->flags & COMM_INTERCEPTION) != 0); - request->flags.spoof_client_ip = ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ; + if ((http->clientConnection->flags & COMM_INTERCEPTION) != 0) + request->flags.markIntercepted(); + if ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 ) + request->flags.setSpoofClientIp(); } if (internalCheck(request->urlpath.termedBuf())) { @@ -2693,7 +2696,8 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c request->login[0] = '\0'; } - request->flags.internal = http->flags.internal; + if (http->flags.internal) + request->flags.markInternal(); setLogUri (http, urlCanonicalClean(request)); request->client_addr = conn->clientConnection->remote; // XXX: remove reuest->client_addr member. #if FOLLOW_X_FORWARDED_FOR @@ -3583,8 +3587,10 @@ httpsEstablish(ConnStateData *connState, SSL_CTX *sslContext, Ssl::BumpMode bum fakeRequest->indirect_client_addr = connState->clientConnection->remote; #endif fakeRequest->my_addr = connState->clientConnection->local; - fakeRequest->flags.spoof_client_ip = ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ; - fakeRequest->flags.intercepted = ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0); + if ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0) + fakeRequest->flags.setSpoofClientIp(); + if ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0) + fakeRequest->flags.markIntercepted(); debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX"); connState->switchToHttps(fakeRequest, bumpMode); } diff --git a/src/client_side_reply.cc b/src/client_side_reply.cc index 62a9588198..7348f35a8b 100644 --- a/src/client_side_reply.cc +++ b/src/client_side_reply.cc @@ -1406,7 +1406,7 @@ clientReplyContext::buildReplyHeader() continue; } request->flags.setMustKeepalive(); - if (!request->flags.accelerated && !request->flags.intercepted) { + if (!request->flags.accelerated && !request->flags.intercepted()) { httpHeaderPutStrf(hdr, HDR_PROXY_SUPPORT, "Session-Based-Authentication"); /* We send "[Proxy-]Connection: Proxy-Support" header to mark @@ -1554,7 +1554,7 @@ clientReplyContext::identifyStoreObject() { HttpRequest *r = http->request; - if (r->flags.cachable || r->flags.internal) { + if (r->flags.cachable || r->flags.isInternal()) { lookingforstore = 5; StoreEntry::getPublicByRequest (this, r); } else { diff --git a/src/client_side_request.cc b/src/client_side_request.cc index b7d51f348b..453a7032b1 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -565,7 +565,7 @@ ClientRequestContext::hostHeaderIpVerify(const ipcache_addrs* ia, const DnsLooku for (int i = 0; i < ia->count; ++i) { if (clientConn->local.matchIPAddr(ia->in_addrs[i]) == 0) { debugs(85, 3, HERE << "validate IP " << clientConn->local << " possible from Host:"); - http->request->flags.hostVerified = 1; + http->request->flags.markHostVerified(); http->doCallouts(); return; } @@ -633,7 +633,7 @@ ClientRequestContext::hostHeaderVerify() return; } - if (http->request->flags.internal) { + if (http->request->flags.isInternal()) { // TODO: kill this when URL handling allows partial URLs out of accel mode // and we no longer screw with the URL just to add our internal host there debugs(85, 6, HERE << "validate skipped due to internal composite URL."); @@ -664,7 +664,7 @@ ClientRequestContext::hostHeaderVerify() } debugs(85, 3, HERE << "validate host=" << host << ", port=" << port << ", portStr=" << (portStr?portStr:"NULL")); - if (http->request->flags.intercepted || http->request->flags.spoof_client_ip) { + if (http->request->flags.intercepted() || http->request->flags.spoofClientIp()) { // verify the Host: port (if any) matches the apparent destination if (portStr && port != http->getConn()->clientConnection->local.GetPort()) { debugs(85, 3, HERE << "FAIL on validate port " << http->getConn()->clientConnection->local.GetPort() << @@ -699,7 +699,7 @@ ClientRequestContext::hostHeaderVerify() } else { // Okay no problem. debugs(85, 3, HERE << "validate passed."); - http->request->flags.hostVerified = 1; + http->request->flags.markHostVerified(); http->doCallouts(); } safe_free(hostB); @@ -924,7 +924,7 @@ clientHierarchical(ClientHttpRequest * http) const wordlist *p = NULL; // intercepted requests MUST NOT (yet) be sent to peers unless verified - if (!request->flags.hostVerified && (request->flags.intercepted || request->flags.spoof_client_ip)) + if (!request->flags.hostVerified() && (request->flags.intercepted() || request->flags.spoofClientIp())) return 0; /* @@ -1046,7 +1046,7 @@ clientInterpretRequestHeaders(ClientHttpRequest * http) if (request->ims > 0) request->flags.ims = 1; - if (!request->flags.ignore_cc) { + if (!request->flags.ignoringCacheControl()) { if (req_hdr->has(HDR_PRAGMA)) { String s = req_hdr->getList(HDR_PRAGMA); diff --git a/src/format/Format.cc b/src/format/Format.cc index aa88160bf2..5fb8c3403d 100644 --- a/src/format/Format.cc +++ b/src/format/Format.cc @@ -383,8 +383,8 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS case LFT_LOCAL_LISTENING_IP: { // avoid logging a dash if we have reliable info const bool interceptedAtKnownPort = al->request ? - (al->request->flags.spoof_client_ip || - al->request->flags.intercepted) && al->cache.port : + (al->request->flags.spoofClientIp() || + al->request->flags.intercepted()) && al->cache.port : false; if (interceptedAtKnownPort) { const bool portAddressConfigured = !al->cache.port->s.IsAnyAddr(); diff --git a/src/forward.cc b/src/forward.cc index 526986ba37..160dd74452 100644 --- a/src/forward.cc +++ b/src/forward.cc @@ -1397,7 +1397,7 @@ getOutgoingAddress(HttpRequest * request, Comm::ConnectionPointer conn) conn->local.SetIPv4(); // maybe use TPROXY client address - if (request && request->flags.spoof_client_ip) { + if (request && request->flags.spoofClientIp()) { if (!conn->getPeer() || !conn->getPeer()->options.no_tproxy) { #if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER if (Config.onoff.tproxy_uses_indirect_client) diff --git a/src/http.cc b/src/http.cc index dd98063827..7cf181c63d 100644 --- a/src/http.cc +++ b/src/http.cc @@ -1386,7 +1386,7 @@ HttpStateData::processReplyBody() closeHandler = NULL; fwd->unregister(serverConnection); - if (request->flags.spoof_client_ip) + if (request->flags.spoofClientIp()) client_addr = request->client_addr; if (request->flags.pinned()) { diff --git a/src/peer_select.cc b/src/peer_select.cc index f965ee2059..a3730daa77 100644 --- a/src/peer_select.cc +++ b/src/peer_select.cc @@ -234,8 +234,8 @@ peerSelectDnsPaths(ps_state *psstate) // on intercepted traffic which failed Host verification const HttpRequest *req = psstate->request; const bool isIntercepted = !req->flags.redirected && - (req->flags.intercepted || req->flags.spoof_client_ip); - const bool useOriginalDst = Config.onoff.client_dst_passthru || !req->flags.hostVerified; + (req->flags.intercepted() || req->flags.spoofClientIp()); + const bool useOriginalDst = Config.onoff.client_dst_passthru || !req->flags.hostVerified(); const bool choseDirect = fs && fs->code == HIER_DIRECT; if (isIntercepted && useOriginalDst && choseDirect) { // construct a "result" adding the ORIGINAL_DST to the set instead of DIRECT @@ -339,7 +339,7 @@ peerSelectDnsResults(const ipcache_addrs *ia, const DnsLookupDetails &details, v break; // for TPROXY we must skip unusable addresses. - if (psstate->request->flags.spoof_client_ip && !(fs->_peer && fs->_peer->options.no_tproxy) ) { + if (psstate->request->flags.spoofClientIp() && !(fs->_peer && fs->_peer->options.no_tproxy) ) { if (ia->in_addrs[n].IsIPv4() != psstate->request->client_addr.IsIPv4()) { // we CAN'T spoof the address on this link. find another. continue; diff --git a/src/refresh.cc b/src/refresh.cc index be36c73de3..df2e58c2a7 100644 --- a/src/refresh.cc +++ b/src/refresh.cc @@ -267,7 +267,7 @@ refreshCheck(const StoreEntry * entry, HttpRequest * request, time_t delta) debugs(22, 3, "\tentry->timestamp:\t" << mkrfc1123(entry->timestamp)); - if (request && !request->flags.ignore_cc) { + if (request && !request->flags.ignoringCacheControl()) { const HttpHdrCc *const cc = request->cache_control; if (cc && cc->hasMinFresh()) { const int32_t minFresh=cc->minFresh(); @@ -308,7 +308,7 @@ refreshCheck(const StoreEntry * entry, HttpRequest * request, time_t delta) } /* request-specific checks */ - if (request && !request->flags.ignore_cc) { + if (request && !request->flags.ignoringCacheControl()) { HttpHdrCc *cc = request->cache_control; if (request->flags.ims && (R->flags.refresh_ims || Config.onoff.refresh_all_ims)) { diff --git a/src/tunnel.cc b/src/tunnel.cc index 7ddf0df8f8..8bcee9a66c 100644 --- a/src/tunnel.cc +++ b/src/tunnel.cc @@ -531,7 +531,7 @@ tunnelConnected(const Comm::ConnectionPointer &server, void *data) TunnelStateData *tunnelState = (TunnelStateData *)data; debugs(26, 3, HERE << server << ", tunnelState=" << tunnelState); - if (tunnelState->request && (tunnelState->request->flags.spoof_client_ip || tunnelState->request->flags.intercepted)) + if (tunnelState->request && (tunnelState->request->flags.spoofClientIp() || tunnelState->request->flags.intercepted())) tunnelStartShoveling(tunnelState); // ssl-bumped connection, be quiet else { AsyncCall::Pointer call = commCbCall(5,5, "tunnelConnectedWriteDone",