From: Eduard Bagdasaryan Date: Sun, 2 Jun 2024 04:30:59 +0000 (+0000) Subject: Remove Ident protocol support (#1827) X-Git-Tag: SQUID_7_0_1~112 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e94ff5274ce05e6f06d7c789bb2c6452c7886584;p=thirdparty%2Fsquid.git Remove Ident protocol support (#1827) Ident protocol (RFC 931 obsoleted by RFC 1413) has been considered seriously insecure and broken since at least 2009 when SANS issued an update recommending its removal from all networks. Squid Ident implementation suffered from assertions (since 2021 commit e227da8) and memory leaks (since 2015 commit fbbea66). Ident implementation design increased ACLChecklist::goAsync() design complexity. An external ACL helper can be written to perform Ident transactions. Configurations using ident/ident_regex ACLs, %ui logformat codes, %IDENT external_acl_type format code, or ident_lookup_access/ident_timeout directives are now rejected, leading to fatal startup failures: FATAL: Invalid ACL type 'ident_regex' FATAL: Invalid ACL type 'ident' ERROR: configuration failure: Unsupported %code: '%ui' ERROR: configuration failure: Unsupported %code: '%IDENT' squid.conf(6): unrecognized: 'ident_lookup_access' squid.conf(7): unrecognized: 'ident_timeout' To avoid inconveniencing admins that do _not_ use Ident features, access logs with "common" and "combined" logformats now always receive a dash in the position of what used to be a %ui record field. Co-authored-by: Amos Jeffries --- diff --git a/configure.ac b/configure.ac index f429725822..285f05349e 100644 --- a/configure.ac +++ b/configure.ac 
@@ -1522,14 +1522,6 @@ AC_MSG_NOTICE([Support for X-Forwarded-For enabled: ${enable_follow_x_forwarded_ SQUID_DEFINE_BOOL(FOLLOW_X_FORWARDED_FOR,$enable_follow_x_forwarded_for, [Enable following X-Forwarded-For headers]) -AC_ARG_ENABLE(ident-lookups, - AS_HELP_STRING([--disable-ident-lookups], - [Remove code that supports performing Ident (RFC 931) lookups.]), [ - SQUID_YESNO([$enableval],[--enable-ident-lookups]) -]) -AC_MSG_NOTICE([Support for Ident lookups enabled: ${enable_ident_lookups:=yes}]) -SQUID_DEFINE_BOOL(USE_IDENT,$enable_ident_lookups,[Support for Ident (RFC 931) lookups]) - dnl Select Default hosts file location AC_ARG_ENABLE(default-hostsfile, AS_HELP_STRING([--enable-default-hostsfile=path], @@ -2608,7 +2600,6 @@ AC_CONFIG_FILES([ src/http/url_rewriters/fake/Makefile src/http/url_rewriters/LFS/Makefile src/icmp/Makefile - src/ident/Makefile src/ip/Makefile src/ipc/Makefile src/log/Makefile diff --git a/doc/Programming-Guide/03_MajorComponents.dox b/doc/Programming-Guide/03_MajorComponents.dox index 436a08be63..ce6a6606c9 100644 --- a/doc/Programming-Guide/03_MajorComponents.dox +++ b/doc/Programming-Guide/03_MajorComponents.dox @@ -289,14 +289,6 @@ TODO: get debugs() documenting as if it was a function. format. TODO: get RFCs linked from ietf -\section IdentLookups Ident Lookups -\par - These routines support RFC 931 (http://www.ietf.org/rfc/rfc931.txt) - "Ident" lookups. An ident - server running on a host will report the user name associated - with a connected TCP socket. Some sites use this facility for - access control and logging purposes. - \section MemoryManagement Memory Management \par These routines allocate and manage pools of memory for diff --git a/doc/debug-sections.txt b/doc/debug-sections.txt index b510f3f1f5..4ef6627bc9 100644 --- a/doc/debug-sections.txt +++ b/doc/debug-sections.txt 
@@ -66,7 +66,6 @@ section 28 Access Control section 29 Authenticator section 29 NTLM Authenticator section 29 Negotiate Authenticator -section 30 Ident (RFC 931) section 31 Hypertext Caching Protocol section 32 Asynchronous Disk I/O section 33 Client Request Pipeline diff --git a/doc/manuals/ar.po b/doc/manuals/ar.po index 42ba0f53e5..5bbd9c2e9e 100644 --- a/doc/manuals/ar.po +++ b/doc/manuals/ar.po @@ -2167,7 +2167,7 @@ msgstr "" msgid "" "User is just a unique key value. The above example uses %LOGIN and the " "username but any of the B format tags can be substituted " -"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<" +"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<" "%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client " "identification. The Squid wiki has more examples at https://wiki.squid-cache." "org/ConfigExamples." diff --git a/doc/manuals/cs.po b/doc/manuals/cs.po index eb7c2f7580..c24cd89f02 100644 --- a/doc/manuals/cs.po +++ b/doc/manuals/cs.po @@ -2153,7 +2153,7 @@ msgstr "" msgid "" "User is just a unique key value. The above example uses %LOGIN and the " "username but any of the B format tags can be substituted " -"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<" +"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<" "%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client " "identification. The Squid wiki has more examples at https://wiki.squid-cache." "org/ConfigExamples." diff --git a/doc/manuals/de.po b/doc/manuals/de.po index c2279f3240..5a3b88da92 100644 --- a/doc/manuals/de.po +++ b/doc/manuals/de.po 
@@ -2216,7 +2216,7 @@ msgstr "" msgid "" "User is just a unique key value. The above example uses %LOGIN and the " "username but any of the B format tags can be substituted " -"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<" +"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<" "%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client " "identification. The Squid wiki has more examples at https://wiki.squid-cache." "org/ConfigExamples." diff --git a/doc/manuals/en.po b/doc/manuals/en.po index e6acf718b3..3d112ba4c3 100644 --- a/doc/manuals/en.po +++ b/doc/manuals/en.po @@ -2382,7 +2382,7 @@ msgstr "" msgid "" "User is just a unique key value. The above example uses %LOGIN and the " "username but any of the B format tags can be substituted " -"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<" +"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<" "%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client " "identification. The Squid wiki has more examples at https://wiki.squid-cache." "org/ConfigExamples." diff --git a/doc/manuals/en_AU.po b/doc/manuals/en_AU.po index d7775385f3..4553136218 100644 --- a/doc/manuals/en_AU.po +++ b/doc/manuals/en_AU.po @@ -2295,7 +2295,7 @@ msgstr "" msgid "" "User is just a unique key value. The above example uses %LOGIN and the " "username but any of the B format tags can be substituted " -"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<" +"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<" "%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client " "identification. The Squid wiki has more examples at https://wiki.squid-cache." "org/ConfigExamples." diff --git a/doc/manuals/manuals.pot b/doc/manuals/manuals.pot index 4d4c1a0e8f..b330da2c94 100644 --- a/doc/manuals/manuals.pot +++ b/doc/manuals/manuals.pot 
@@ -1628,7 +1628,7 @@ msgstr "" msgid "" "User is just a unique key value. The above example uses %LOGIN and the " "username but any of the B format tags can be substituted " -"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<%SRC> " +"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<%SRC> " ", B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client " "identification. The Squid wiki has more examples at " "https://wiki.squid-cache.org/ConfigExamples." diff --git a/doc/manuals/ru.po b/doc/manuals/ru.po index ebddf49f9d..04a3b2866b 100644 --- a/doc/manuals/ru.po +++ b/doc/manuals/ru.po @@ -2226,7 +2226,7 @@ msgstr "" msgid "" "User is just a unique key value. The above example uses %LOGIN and the " "username but any of the B format tags can be substituted " -"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%IDENT> , B<%EXT_USER> , B<" +"in its place. B<%EXT_TAG> , B<%LOGIN> , B<%EXT_USER> , B<" "%SRC> , B<%SRCEUI48> , and B<%SRCEUI64> are all likely candidates for client " "identification. The Squid wiki has more examples at https://wiki.squid-cache." "org/ConfigExamples." diff --git a/doc/release-notes/release-7.sgml.in b/doc/release-notes/release-7.sgml.in index 971e5a36de..881ad8f141 100644 --- a/doc/release-notes/release-7.sgml.in +++ b/doc/release-notes/release-7.sgml.in @@ -33,6 +33,7 @@ The Squid-@SQUID_RELEASE@ change history can be See for the full ISO-639 list. HTTP uses the 2-letter (set 1) codes. +Removed Ident protocol support + +

Ident protocol (RFC 931 obsoleted by RFC 1413) has been considered +seriously insecure and broken since at least 2009 when SANS issued an update +recommending its removal from all networks. Squid Ident implementation had its +own set of problems (that could not be addressed without significant code +refactoring). + +

Configurations using ident/ident_regex ACLs, %ui logformat codes, %IDENT +external_acl_type format code, or ident_lookup_access/ident_timeout directives +are now rejected, leading to fatal startup failures. + +

To avoid inconveniencing admins that do not use Ident features, +access logs with "common" and "combined" logformats now always receive a dash +in the position of what used to be a %ui record field. + +

If necessary, an external ACL helper can be written to perform Ident transactions +and deliver the user identity to Squid through the **user=** annotation. Changes to squid.conf since Squid-@SQUID_RELEASE_OLD@

@@ -143,6 +162,8 @@ This section gives an account of those changes in three categories: necessary.

Changed http_status to detect and handle overlapping status and status-range values. Merging where necessary. +

Removed ident with Ident protocol support. +

Removed ident_regex with Ident protocol support. buffered_logs

Honor the off setting in 'udp' access_log module. @@ -151,6 +172,17 @@ This section gives an account of those changes in three categories:

Removed the non_peers action. See the Cache Manager for details. + access_log +

Built-in common and combined logformats now always + receive a dash character ("-") in the position of what used to be a + %ui record field. + + logformat +

Removed %ui format code with Ident protocol support. + + external_acl_type +

Removed %IDENT format code with Ident protocol support. + Removed directives

The corresponding code has not built for many years, indicating that the feature is unused. + ident_lookup_access +

Ident protocol is no longer supported natively. + + ident_timeout +

Ident protocol is no longer supported natively. + @@ -232,6 +270,9 @@ This section gives an account of those changes in three categories:

The code enabled by this preprocessor macro has not built for many years, indicating that the feature is unused. + --disable-ident-lookups +

The option was dropped during Ident protocol support removal. + Copyright diff --git a/squid.dox b/squid.dox index 6f6fce508f..add40573ed 100644 --- a/squid.dox +++ b/squid.dox @@ -2088,7 +2088,6 @@ PREDEFINED = __cplusplus \ USE_HTCP \ USE_HTTP_VIOLATIONS \ USE_ICMP \ - USE_IDENT \ USE_IPV6 \ USE_KQUEUE \ USE_LOADABLE_MODULES \ diff --git a/src/AccessLogEntry.cc b/src/AccessLogEntry.cc index 8481b37c80..4fd850b90a 100644 --- a/src/AccessLogEntry.cc +++ b/src/AccessLogEntry.cc @@ -96,18 +96,6 @@ AccessLogEntry::syncNotes(HttpRequest *req) assert(notes == req->notes()); } -const char * -AccessLogEntry::getClientIdent() const -{ - if (tcpClient) - return tcpClient->rfc931; - - if (cache.rfc931 && *cache.rfc931) - return cache.rfc931; - - return nullptr; -} - const char * AccessLogEntry::getExtUser() const { diff --git a/src/AccessLogEntry.h b/src/AccessLogEntry.h index cab6ae8b00..562372e15b 100644 --- a/src/AccessLogEntry.h +++ b/src/AccessLogEntry.h @@ -60,9 +60,6 @@ public: /// Side effect: Enables reverse DNS lookups of future client addresses. const char *getLogClientFqdn(char *buf, size_t bufSize) const; - /// Fetch the client IDENT string, or nil if none is available. - const char *getClientIdent() const; - /// Fetch the external ACL provided 'user=' string, or nil if none is available. const char *getExtUser() const; @@ -157,7 +154,6 @@ public: LogTags code; struct timeval start_time; ///< The time the master transaction started struct timeval trTime; ///< The response time - const char *rfc931 = nullptr; const char *extuser = nullptr; #if USE_OPENSSL const char *ssluser = nullptr; diff --git a/src/AclRegs.cc b/src/AclRegs.cc index 9da98804aa..8a5eaeba6d 100644 --- a/src/AclRegs.cc +++ b/src/AclRegs.cc @@ -101,9 +101,6 @@ #endif #include "base/RegexPattern.h" #include "ExternalACL.h" -#if USE_IDENT -#include "ident/AclIdent.h" -#endif #if SQUID_SNMP #include "snmp_core.h" #endif 
@@ -273,11 +270,6 @@ Acl::Init() RegisterMaker("eui64", [](TypeName name)->Node* { return new ACLEui64(name); }); #endif -#if USE_IDENT - RegisterMaker("ident", [](TypeName name)->Node* { return new ACLIdent(new ACLUserData, name); }); - RegisterMaker("ident_regex", [](TypeName name)->Node* { return new ACLIdent(new ACLRegexData, name); }); -#endif - #if USE_AUTH RegisterMaker("ext_user", [](TypeName name)->Node* { return new ACLExtUser(new ACLUserData, name); }); RegisterMaker("ext_user_regex", [](TypeName name)->Node* { return new ACLExtUser(new ACLRegexData, name); }); diff --git a/src/DelayId.cc b/src/DelayId.cc index c5837bb2d0..37c047e47e 100644 --- a/src/DelayId.cc +++ b/src/DelayId.cc @@ -86,7 +86,7 @@ DelayId::DelayClient(ClientHttpRequest * http, HttpReply *reply) continue; } - ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r, nullptr); + ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r); clientAclChecklistFill(ch, http); ch.updateReply(reply); // overwrite ACLFilledChecklist acl_uses_indirect_client-based decision diff --git a/src/FwdState.cc b/src/FwdState.cc index 94d9610437..1e2eb30ae5 100644 --- a/src/FwdState.cc +++ b/src/FwdState.cc @@ -348,7 +348,7 @@ FwdState::Start(const Comm::ConnectionPointer &clientConn, StoreEntry *entry, Ht * Intentionally replace the src_addr automatically selected by the checklist code * we do NOT want the indirect client address to be tested here. */ - ACLFilledChecklist ch(Config.accessList.miss, request, nullptr); + ACLFilledChecklist ch(Config.accessList.miss, request); ch.al = al; ch.src_addr = request->client_addr; ch.syncAle(request, nullptr); 
@@ -1136,7 +1136,7 @@ FwdState::connectStart() cs->setHost(request->url.host()); bool retriable = checkRetriable(); if (!retriable && Config.accessList.serverPconnForNonretriable) { - ACLFilledChecklist ch(Config.accessList.serverPconnForNonretriable, request, nullptr); + ACLFilledChecklist ch(Config.accessList.serverPconnForNonretriable, request); ch.al = al; ch.syncAle(request, nullptr); retriable = ch.fastCheck().allowed(); @@ -1504,7 +1504,7 @@ getOutgoingAddress(HttpRequest * request, const Comm::ConnectionPointer &conn) return; // anything will do. } - ACLFilledChecklist ch(nullptr, request, nullptr); + ACLFilledChecklist ch(nullptr, request); ch.dst_peer_name = conn->getPeer() ? conn->getPeer()->name : nullptr; ch.dst_addr = conn->remote; @@ -1531,7 +1531,7 @@ GetTosToServer(HttpRequest * request, Comm::Connection &conn) if (!Ip::Qos::TheConfig.tosToServer) return 0; - ACLFilledChecklist ch(nullptr, request, nullptr); + ACLFilledChecklist ch(nullptr, request); ch.dst_peer_name = conn.getPeer() ? conn.getPeer()->name : nullptr; ch.dst_addr = conn.remote; return aclMapTOS(Ip::Qos::TheConfig.tosToServer, &ch); @@ -1544,7 +1544,7 @@ GetNfmarkToServer(HttpRequest * request, Comm::Connection &conn) if (!Ip::Qos::TheConfig.nfmarkToServer) return 0; - ACLFilledChecklist ch(nullptr, request, nullptr); + ACLFilledChecklist ch(nullptr, request); ch.dst_peer_name = conn.getPeer() ? conn.getPeer()->name : nullptr; ch.dst_addr = conn.remote; const auto mc = aclFindNfMarkConfig(Ip::Qos::TheConfig.nfmarkToServer, &ch); diff --git a/src/HttpHeaderTools.cc b/src/HttpHeaderTools.cc index 64f58e779e..acf0237974 100644 --- a/src/HttpHeaderTools.cc +++ b/src/HttpHeaderTools.cc 
@@ -297,7 +297,7 @@ httpHdrMangle(HttpHeaderEntry * e, HttpRequest * request, HeaderManglers *hms, c return 1; } - ACLFilledChecklist checklist(hm->access_list, request, nullptr); + ACLFilledChecklist checklist(hm->access_list, request); checklist.updateAle(al); // XXX: The two "It was denied" clauses below mishandle cases with no @@ -492,7 +492,7 @@ HeaderManglers::find(const HttpHeaderEntry &e) const void httpHdrAdd(HttpHeader *heads, HttpRequest *request, const AccessLogEntryPointer &al, HeaderWithAclList &headersAdd) { - ACLFilledChecklist checklist(nullptr, request, nullptr); + ACLFilledChecklist checklist(nullptr, request); checklist.updateAle(al); for (HeaderWithAclList::const_iterator hwa = headersAdd.begin(); hwa != headersAdd.end(); ++hwa) { diff --git a/src/HttpReply.cc b/src/HttpReply.cc index d03617d3a3..9257843d19 100644 --- a/src/HttpReply.cc +++ b/src/HttpReply.cc @@ -594,7 +594,7 @@ HttpReply::calcMaxBodySize(HttpRequest& request) const if (!Config.ReplyBodySize) return; - ACLFilledChecklist ch(nullptr, &request, nullptr); + ACLFilledChecklist ch(nullptr, &request); ch.updateReply(this); for (AclSizeLimit *l = Config.ReplyBodySize; l; l = l -> next) { /* if there is no ACL list or if the ACLs listed match use this size value */ diff --git a/src/HttpRequest.cc b/src/HttpRequest.cc index 8c1f4a25ae..a2dc68f9dd 100644 --- a/src/HttpRequest.cc +++ b/src/HttpRequest.cc @@ -601,7 +601,7 @@ HttpRequest::getRangeOffsetLimit() rangeOffsetLimit = 0; // default value for rangeOffsetLimit - ACLFilledChecklist ch(nullptr, this, nullptr); + ACLFilledChecklist ch(nullptr, this); ch.src_addr = client_addr; ch.my_addr = my_addr; 
@@ -798,7 +798,7 @@ HttpRequest::manager(const CbcPointer &aMgr, const AccessLogEntry const bool proxyProtocolPort = port ? port->flags.proxySurrogate : false; if (flags.interceptTproxy && !proxyProtocolPort) { if (Config.accessList.spoof_client_ip) { - ACLFilledChecklist *checklist = new ACLFilledChecklist(Config.accessList.spoof_client_ip, this, clientConnection->rfc931); + const auto checklist = new ACLFilledChecklist(Config.accessList.spoof_client_ip, this); checklist->al = al; checklist->syncAle(this, nullptr); flags.spoofClientIp = checklist->fastCheck().allowed(); diff --git a/src/Makefile.am b/src/Makefile.am index 32e17f827a..1ce047eed4 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -24,7 +24,7 @@ AUTH_LIBS= auth/libauth.la AUTH_ACL_LIBS= auth/libacls.la endif -SUBDIRS += http ip icmp ident log ipc mgr +SUBDIRS += http ip icmp log ipc mgr SSL_LIBS= if ENABLE_SSL @@ -479,7 +479,6 @@ nodist_squid_SOURCES = \ squid_LDADD = \ $(AUTH_ACL_LIBS) \ - ident/libident.la \ acl/libacls.la \ acl/libstate.la \ $(AUTH_LIBS) \ @@ -565,7 +564,6 @@ data_DATA = \ LDADD = \ $(AUTH_ACL_LIBS) \ - ident/libident.la \ acl/libacls.la \ eui/libeui.la \ acl/libstate.la \ @@ -1307,7 +1305,6 @@ tests_testUfs_LDADD = \ http/libhttp.la \ parser/libparser.la \ CommCalls.o \ - ident/libident.la \ acl/libacls.la \ acl/libstate.la \ acl/libapi.la \ @@ -1477,7 +1474,6 @@ tests_testStore_LDADD= \ libsquid.la \ http/libhttp.la \ parser/libparser.la \ - ident/libident.la \ acl/libacls.la \ acl/libstate.la \ acl/libapi.la \ @@ -1651,7 +1647,6 @@ tests_testDiskIO_LDADD = \ parser/libparser.la \ SquidConfig.o \ CommCalls.o \ - ident/libident.la \ acl/libacls.la \ acl/libstate.la \ comm/libcomm.la \ @@ -1948,7 +1943,6 @@ tests_testHttpRange_LDADD = \ helper/libhelper.la \ http/libhttp.la \ parser/libparser.la \ - ident/libident.la \ acl/libacls.la \ acl/libstate.la \ acl/libapi.la \ 
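Review bot: The rewritten line in HttpRequest::manager() still heap-allocates the checklist with a raw `new` for a one-shot synchronous fastCheck(), whereas every other call site touched by this commit (DelayId.cc, FwdState.cc, HttpHeaderTools.cc, HttpReply.cc, Notes.cc) uses a stack object, and `const auto` now hides that a raw owning pointer is involved. With the ident argument gone there is no longer a long constructor call to justify the pointer, so `ACLFilledChecklist checklist(Config.accessList.spoof_client_ip, this);` with the three following `->` changed to `.` lets RAII own the lifetime; the matching `delete checklist;` that presumably follows just below the hunk would be dropped as well. HttpRequest::manager() starts before and ends after this hunk, so that delete is not visible here.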
@@ -2336,7 +2330,6 @@ tests_testHttpRequest_LDADD = \ helper/libhelper.la \ ftp/libftp.la \ http/libhttp.la \ - ident/libident.la \ acl/libacls.la \ acl/libstate.la \ acl/libapi.la \ @@ -2636,7 +2629,6 @@ tests_testCacheManager_LDADD = \ http/libhttp.la \ proxyp/libproxyp.la \ parser/libparser.la \ - ident/libident.la \ acl/libacls.la \ acl/libstate.la \ acl/libapi.la \ diff --git a/src/Notes.cc b/src/Notes.cc index a6149408bd..1f60d37f2e 100644 --- a/src/Notes.cc +++ b/src/Notes.cc @@ -69,7 +69,7 @@ Note::addValue(const char *value, const bool quoted, const char *descr, const Va bool Note::match(HttpRequest *request, HttpReply *reply, const AccessLogEntry::Pointer &al, SBuf &matched) { - ACLFilledChecklist ch(nullptr, request, nullptr); + ACLFilledChecklist ch(nullptr, request); ch.updateAle(al); ch.updateReply(reply); ch.syncAle(request, nullptr); diff --git a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc index 45dbc75e41..e52c941cd6 100644 --- a/src/acl/FilledChecklist.cc +++ b/src/acl/FilledChecklist.cc @@ -41,7 +41,6 @@ ACLFilledChecklist::ACLFilledChecklist() : my_addr.setEmpty(); src_addr.setEmpty(); dst_addr.setEmpty(); - rfc931[0] = '\0'; } ACLFilledChecklist::~ACLFilledChecklist() @@ -105,13 +104,6 @@ ACLFilledChecklist::verifyAle() const showDebugWarning("HttpReply object"); al->reply = reply_; } - -#if USE_IDENT - if (*rfc931 && !al->cache.rfc931) { - showDebugWarning("IDENT"); - al->cache.rfc931 = xstrdup(rfc931); - } -#endif } void @@ -205,7 +197,7 @@ ACLFilledChecklist::markSourceDomainChecked() * *not* delete the list. After the callback function returns, * checkCallback() will delete the list (i.e., self). */ -ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_request, const char *ident): +ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_request): dst_rdns(nullptr), #if USE_AUTH auth_user_request(nullptr), 
@@ -222,11 +214,9 @@ ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_re my_addr.setEmpty(); src_addr.setEmpty(); dst_addr.setEmpty(); - rfc931[0] = '\0'; changeAcl(A); setRequest(http_request); - setIdent(ident); } void ACLFilledChecklist::setRequest(HttpRequest *httpRequest) @@ -247,18 +237,6 @@ void ACLFilledChecklist::setRequest(HttpRequest *httpRequest) } } -void -ACLFilledChecklist::setIdent(const char *ident) -{ -#if USE_IDENT - assert(!rfc931[0]); - if (ident) - xstrncpy(rfc931, ident, USER_IDENT_SZ); -#else - (void)ident; -#endif -} - void ACLFilledChecklist::updateAle(const AccessLogEntry::Pointer &a) { diff --git a/src/acl/FilledChecklist.h b/src/acl/FilledChecklist.h index 927a468f5f..358792a2ec 100644 --- a/src/acl/FilledChecklist.h +++ b/src/acl/FilledChecklist.h @@ -36,13 +36,11 @@ class ACLFilledChecklist: public ACLChecklist public: ACLFilledChecklist(); - ACLFilledChecklist(const acl_access *, HttpRequest *, const char *ident = nullptr); + ACLFilledChecklist(const acl_access *, HttpRequest *); ~ACLFilledChecklist() override; /// configure client request-related fields for the first time void setRequest(HttpRequest *); - /// configure rfc931 user identity for the first time - void setIdent(const char *userIdentity); /// Remembers the given ALE (if it is not nil) or does nothing (otherwise). /// When (and only when) remembering ALE, populates other still-unset fields @@ -90,7 +88,6 @@ public: HttpRequest::Pointer request; - char rfc931[USER_IDENT_SZ]; #if USE_AUTH Auth::UserRequest::Pointer auth_user_request; #endif @@ -117,7 +114,7 @@ public: err_type requestErrorType; private: - ConnStateData * conn_; /**< hack for ident and NTLM */ + ConnStateData *conn_; ///< hack: client-to-Squid connection manager (if any) int fd_; /**< may be available when conn_ is not */ HttpReply::Pointer reply_; ///< response added by updateReply() or nil 
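Review bot: The rewritten `conn_` comment in FilledChecklist.h keeps the `hack` label but drops the reason for it; the old text named ident and NTLM, and with ident removed only the NTLM dependency (not visible in this hunk) would still justify the label. If NTLM is indeed why a checklist still carries a ConnStateData pointer, say so: `ConnStateData *conn_; ///< hack for NTLM: client-to-Squid connection manager (if any)`; otherwise drop the word `hack` rather than leave an unexplained warning for the next reader. The class body extends beyond this hunk.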
diff --git a/src/acl/external/time_quota/ext_time_quota_acl.8 b/src/acl/external/time_quota/ext_time_quota_acl.8 index 896955a733..4abf99890e 100644 --- a/src/acl/external/time_quota/ext_time_quota_acl.8 +++ b/src/acl/external/time_quota/ext_time_quota_acl.8 @@ -128,8 +128,6 @@ format tags can be substituted in its place. , .B %LOGIN , -.B %IDENT -, .B %EXT_USER , .B %SRC diff --git a/src/adaptation/AccessCheck.cc b/src/adaptation/AccessCheck.cc index a65fd81716..a28df6b236 100644 --- a/src/adaptation/AccessCheck.cc +++ b/src/adaptation/AccessCheck.cc @@ -129,8 +129,7 @@ Adaptation::AccessCheck::checkCandidates() while (!candidates.empty()) { if (AccessRule *r = FindRule(topCandidate())) { /* BUG 2526: what to do when r->acl is empty?? */ - // XXX: we do not have access to conn->rfc931 here. - acl_checklist = new ACLFilledChecklist(r->acl, filter.request, dash_str); + acl_checklist = new ACLFilledChecklist(r->acl, filter.request); acl_checklist->updateAle(filter.al); acl_checklist->updateReply(filter.reply); acl_checklist->syncAle(filter.request, nullptr); diff --git a/src/adaptation/icap/History.h b/src/adaptation/icap/History.h index 385f6d17bf..e3caa005ec 100644 --- a/src/adaptation/icap/History.h +++ b/src/adaptation/icap/History.h @@ -36,7 +36,6 @@ public: /// \param[out] total time taken for all ICAP processing void processingTime(struct timeval &total) const; - String rfc931; ///< the username from ident #if USE_OPENSSL String ssluser; ///< the username from SSL #endif diff --git a/src/adaptation/icap/Launcher.cc b/src/adaptation/icap/Launcher.cc index 71b881894d..8eb8c1e938 100644 --- a/src/adaptation/icap/Launcher.cc +++ b/src/adaptation/icap/Launcher.cc 
@@ -140,8 +140,7 @@ bool Adaptation::Icap::Launcher::canRepeat(Adaptation::Icap::XactAbortInfo &info if (info.icapReply->sline.status() == Http::scNone) // failed to parse the reply; I/O err return true; - ACLFilledChecklist *cl = - new ACLFilledChecklist(TheConfig.repeat, info.icapRequest, dash_str); + const auto cl = new ACLFilledChecklist(TheConfig.repeat, info.icapRequest); cl->updateReply(info.icapReply); bool result = cl->fastCheck().allowed(); diff --git a/src/adaptation/icap/ModXact.cc b/src/adaptation/icap/ModXact.cc index 5c25b9ae24..95a2337cd9 100644 --- a/src/adaptation/icap/ModXact.cc +++ b/src/adaptation/icap/ModXact.cc @@ -1341,9 +1341,6 @@ void Adaptation::Icap::ModXact::finalizeLogInfo() // XXX: This reply (and other ALE members!) may have been needed earlier. al.reply = adapted_reply_; - if (h->rfc931.size()) - al.cache.rfc931 = h->rfc931.termedBuf(); - #if USE_OPENSSL if (h->ssluser.size()) al.cache.ssluser = h->ssluser.termedBuf(); diff --git a/src/adaptation/icap/icap_log.cc b/src/adaptation/icap/icap_log.cc index 1cb1039ea2..393d024b38 100644 --- a/src/adaptation/icap/icap_log.cc +++ b/src/adaptation/icap/icap_log.cc @@ -60,7 +60,7 @@ icapLogRotate() void icapLogLog(AccessLogEntry::Pointer &al) { if (IcapLogfileStatus == LOG_ENABLE) { - ACLFilledChecklist checklist(nullptr, al->adapted_request, nullptr); + ACLFilledChecklist checklist(nullptr, al->adapted_request); checklist.updateAle(al); accessLogLogTo(Config.Log.icaplogs, al, &checklist); } diff --git a/src/auth/UserRequest.cc b/src/auth/UserRequest.cc index 9045dc87bf..a4f0686c37 100644 --- a/src/auth/UserRequest.cc +++ b/src/auth/UserRequest.cc 
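Review bot: canRepeat() keeps a raw `new ACLFilledChecklist` for a checklist that is only used for an immediate fastCheck(), and `const auto cl` now hides that the pointer is an owning one whose `delete` has to follow, presumably just below the hunk, on every path. A stack object is sufficient here and matches the other sites this commit touches: `ACLFilledChecklist cl(TheConfig.repeat, info.icapRequest);` then `cl.updateReply(info.icapReply);` and `return cl.fastCheck().allowed();`, which also removes the need for the separate `result` local. canRepeat() starts before and continues past this hunk, so the delete/return lines are not visible here.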
@@ -478,7 +478,7 @@ static Auth::ConfigVector & schemesConfig(HttpRequest *request, HttpReply *rep) { if (!Auth::TheConfig.schemeLists.empty() && Auth::TheConfig.schemeAccess) { - ACLFilledChecklist ch(nullptr, request, nullptr); + ACLFilledChecklist ch(nullptr, request); ch.updateReply(rep); const auto answer = ch.fastCheck(Auth::TheConfig.schemeAccess); if (answer.allowed()) diff --git a/src/cache_cf.cc b/src/cache_cf.cc index fafb9867b0..1ceb62564c 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -41,7 +41,6 @@ #include "HttpHeaderTools.h" #include "HttpUpgradeProtocolAccess.h" #include "icmp/IcmpConfig.h" -#include "ident/Config.h" #include "ip/Intercept.h" #include "ip/NfMarkConfig.h" #include "ip/QosConfig.h" diff --git a/src/cf.data.pre b/src/cf.data.pre index 1bea8612fa..4ebdf93a51 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -604,7 +604,7 @@ DOC_START A client with credentials is requested to re-authenticate if http_access or adapted_http_access denies its request _and_ the last evaluated ACL was - either proxy_auth, proxy_auth_regex, ident, ident_regex, or an external + either proxy_auth, proxy_auth_regex, or an external ACL with %ul or %LOGIN parameter (regardless of whether that last evaluated ACL matched the denied request). Note that a max_user_ip ACL does not have this effect: Requests denied after evaluating max_user_ip @@ -1274,16 +1274,6 @@ ENDIF # pattern match on Referer header [fast] # Referer is highly unreliable, so use with care - acl aclname ident [-i] username ... - # string match on ident output [slow] - # use REQUIRED to accept any non-null ident. - # - # See also: ident_regex. The two ACLs differ only in their parameter - # syntax and ident output matching algorithm. - - acl aclname ident_regex [-i] username_pattern ... - # regex match on ident output [slow] - acl aclname proxy_auth [-i] username ... # perform http authentication challenge to the client and match against # supplied credentials [slow] 
@@ -2107,35 +2097,6 @@ DOC_START See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details. DOC_END -NAME: ident_lookup_access -TYPE: acl_access -IFDEF: USE_IDENT -DEFAULT: none -DEFAULT_DOC: Unless rules exist in squid.conf, IDENT is not fetched. -LOC: Ident::TheConfig.identLookup -DOC_START - A list of ACL elements which, if matched, cause an ident - (RFC 931) lookup to be performed for this request. For - example, you might choose to always perform ident lookups - for your main multi-user Unix boxes, but not for your Macs - and PCs. By default, ident lookups are not performed for - any requests. - - To enable ident lookups for specific client addresses, you - can follow this example: - - acl ident_aware_hosts src 198.168.1.0/24 - ident_lookup_access allow ident_aware_hosts - ident_lookup_access deny all - - Only src type ACL checks are fully supported. A srcdomain - ACL might work at times, but it will not always provide - the correct result. - - This clause only supports fast acl types. - See https://wiki.squid-cache.org/SquidFaq/SquidAcl for details. -DOC_END - NAME: reply_body_max_size COMMENT: size [acl acl...] TYPE: acl_b_size_t @@ -3698,7 +3659,7 @@ DOC_START The requests will be distributed among the parents based on the CARP load balancing hash function based on their weight. - userhash Load-balance parents based on the client proxy_auth or ident username. + userhash Load-balance parents based on the client proxy_auth username. sourcehash Load-balance parents based on the client source IP. 
@@ -4881,13 +4842,11 @@ DOC_START un User name (any available) ul User name from authentication ue User name from external acl helper - ui User name from ident un A user name. Expands to the first available name from the following list of information sources: - authenticated user name, like %ul - user name supplied by an external ACL, like %ue - SSL client name, like %us - - ident user name, like %ui credentials Client credentials. The exact meaning depends on the authentication scheme: For Basic authentication, it is the password; for Digest, the realm sent by the @@ -5211,8 +5170,8 @@ DOC_START The default formats available (which do not need re-defining) are: logformat squid %ts.%03tu %6tr %>a %Ss/%03>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh +logformat common %>a - %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %a - %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %h" "%{User-Agent}>h" %Ss:%Sh logformat referrer %ts.%03tu %>a %{Referer}>h %ru logformat useragent %>a [%tl] "%{User-Agent}>h" @@ -7483,19 +7442,6 @@ DOC_START proxies. DOC_END -NAME: ident_timeout -TYPE: time_t -IFDEF: USE_IDENT -LOC: Ident::TheConfig.timeout -DEFAULT: 10 seconds -DOC_START - Maximum time to wait for IDENT lookups to complete. - - If this is too high, and you enabled IDENT lookups from untrusted - users, you might be susceptible to denial-of-service by having - many ident requests going at once. -DOC_END - NAME: shutdown_lifetime COMMENT: time-units TYPE: time_t @@ -10470,7 +10416,7 @@ DOC_START are governed by forward_max_tries instead. See also: connect_timeout, forward_timeout, icap_connect_timeout, - ident_timeout, and forward_max_tries. + and forward_max_tries. DOC_END NAME: retry_on_error diff --git a/src/cf_gen_defines b/src/cf_gen_defines index 46a8dbd2c1..406159f59c 100644 --- a/src/cf_gen_defines +++ b/src/cf_gen_defines 
@@ -40,7 +40,6 @@ BEGIN { define["USE_HTCP"]="--enable-htcp" define["USE_HTTP_VIOLATIONS"]="--enable-http-violations" define["USE_ICMP"]="--enable-icmp" - define["USE_IDENT"]="--enable-ident-lookups" define["USE_LOADABLE_MODULES"]="--enable-shared" define["USE_OPENSSL"]="--with-openssl" define["USE_QOS_TOS"]="--enable-zph-qos" diff --git a/src/client_side.cc b/src/client_side.cc index 1ec0a8f4a5..21d0d85ba9 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -95,8 +95,6 @@ #include "HttpHeaderTools.h" #include "HttpReply.h" #include "HttpRequest.h" -#include "ident/Config.h" -#include "ident/Ident.h" #include "internal.h" #include "ipc/FdNotes.h" #include "ipc/StartListening.h" @@ -184,9 +182,6 @@ private: static void clientListenerConnectionOpened(AnyP::PortCfgPointer &s, const Ipc::FdNoteId portTypeNote, const Subscription::Pointer &sub); static IOACB httpAccept; -#if USE_IDENT -static IDCB clientIdentDone; -#endif static int clientIsRequestBodyTooLargeForPolicy(int64_t bodyLength); static void clientUpdateStatHistCounters(const LogTags &logType, int svc_time); @@ -198,15 +193,6 @@ static void ClientSocketContextPushDeferredIfNeeded(Http::StreamPointer deferred char *skipLeadingSpace(char *aString); -#if USE_IDENT -static void -clientIdentDone(const char *ident, void *data) -{ - ConnStateData *conn = (ConnStateData *)data; - xstrncpy(conn->clientConnection->rfc931, ident ? ident : dash_str, USER_IDENT_SZ); -} -#endif - void clientUpdateStatCounters(const LogTags &logType) { 
@@ -451,14 +437,14 @@ ClientHttpRequest::logRequest() HTTPMSGLOCK(al->adapted_request); } - ACLFilledChecklist checklist(nullptr, request, nullptr); + ACLFilledChecklist checklist(nullptr, request); checklist.updateAle(al); // no need checklist.syncAle(): already synced accessLogLog(al, &checklist); bool updatePerformanceCounters = true; if (Config.accessList.stats_collection) { - ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request, nullptr); + ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request); statsCheck.updateAle(al); updatePerformanceCounters = statsCheck.fastCheck().allowed(); } @@ -1867,7 +1853,7 @@ ConnStateData::parseRequests() break; // we have been waiting for PROXY to provide client-IP - // for some lookups, ie rDNS and IDENT. + // for some lookups, ie rDNS whenClientIpKnown(); // Done with PROXY protocol which has cleared preservingClientData_. @@ -2179,15 +2165,6 @@ ConnStateData::whenClientIpKnown() if (Dns::ResolveClientAddressesAsap) fqdncache_gethostbyaddr(clientConnection->remote, FQDN_LOOKUP_IF_MISS); -#if USE_IDENT - if (Ident::TheConfig.identLookup) { - ACLFilledChecklist identChecklist(Ident::TheConfig.identLookup, nullptr, nullptr); - fillChecklist(identChecklist); - if (identChecklist.fastCheck().allowed()) - Ident::Start(clientConnection, clientIdentDone, this); - } -#endif - clientdbEstablished(clientConnection->remote, 1); #if USE_DELAY_POOLS @@ -2198,7 +2175,7 @@ ConnStateData::whenClientIpKnown() const auto &pools = ClientDelayPools::Instance()->pools; if (pools.size()) { - ACLFilledChecklist ch(nullptr, nullptr, nullptr); + ACLFilledChecklist ch(nullptr, nullptr); fillChecklist(ch); // TODO: we check early to limit error response bandwidth but we // should recheck when we can honor delay_pool_uses_indirect 
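Review bot: The rewritten comment in ConnStateData::parseRequests() (`@@ -1867,7 +1853,7 @@`) drops the sentence's terminating period, leaving `// for some lookups, ie rDNS` where the old line ended with one; `// for some lookups, ie rDNS.` keeps the comment style consistent with the surrounding text. The same list-style phrasing now names a single example, so `// for some lookups, e.g. rDNS.` would read more naturally. parseRequests() starts and ends outside the hunk.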
@@ -2507,7 +2484,7 @@ ConnStateData::postHttpsAccept() CodeContext::Reset(connectAle); // TODO: Use these request/ALE when waiting for new bumped transactions. - ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, request, nullptr); + const auto acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, request); fillChecklist(*acl_checklist); // Build a local AccessLogEntry to allow requiresAle() acls work acl_checklist->al = connectAle; @@ -2990,7 +2967,7 @@ ConnStateData::startPeekAndSplice() sslServerBump->step = XactionStep::tlsBump2; // Run a accessList check to check if want to splice or continue bumping - ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, sslServerBump->request.getRaw(), nullptr); + const auto acl_checklist = new ACLFilledChecklist(Config.accessList.ssl_bump, sslServerBump->request.getRaw()); acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpNone)); acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpClientFirst)); acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpServerFirst)); @@ -3474,7 +3451,7 @@ varyEvaluateMatch(StoreEntry * entry, HttpRequest * request) ACLFilledChecklist * clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http) { - const auto checklist = new ACLFilledChecklist(acl, nullptr, nullptr); + const auto checklist = new ACLFilledChecklist(acl, nullptr); clientAclChecklistFill(*checklist, http); return checklist; } @@ -3528,10 +3505,6 @@ ConnStateData::fillConnectionLevelDetails(ACLFilledChecklist &checklist) const if (!checklist.sslErrors && sslServerBump) checklist.sslErrors = sslServerBump->sslErrors(); #endif - - if (!checklist.rfc931[0]) // checklist creator may have supplied it already - checklist.setIdent(clientConnection->rfc931); - } bool diff --git a/src/client_side_request.cc b/src/client_side_request.cc index 9ba7b182fc..09027b6cf9 100644 --- a/src/client_side_request.cc 
+++ b/src/client_side_request.cc @@ -794,7 +794,6 @@ ClientHttpRequest::noteAdaptationAclCheckDone(Adaptation::ServiceGroupPointer g) Adaptation::Icap::History::Pointer ih = request->icapHistory(); if (ih != nullptr) { if (getConn() != nullptr && getConn()->clientConnection != nullptr) { - ih->rfc931 = getConn()->clientConnection->rfc931; #if USE_OPENSSL if (getConn()->clientConnection->isOpen()) { ih->ssluser = sslGetUserEmail(fd_table[getConn()->clientConnection->fd].ssl.get()); @@ -1802,7 +1801,7 @@ ClientHttpRequest::doCallouts() // Set appropriate MARKs and CONNMARKs if needed. if (getConn() && Comm::IsConnOpen(getConn()->clientConnection)) { - ACLFilledChecklist ch(nullptr, request, nullptr); + ACLFilledChecklist ch(nullptr, request); ch.al = calloutContext->http->al; ch.src_addr = request->client_addr; ch.my_addr = request->my_addr; diff --git a/src/clients/FtpClient.cc b/src/clients/FtpClient.cc index 48c8b66f8b..15a20b4b10 100644 --- a/src/clients/FtpClient.cc +++ b/src/clients/FtpClient.cc @@ -720,7 +720,7 @@ Ftp::Client::sendPassive() default: { bool doEpsv = true; if (Config.accessList.ftp_epsv) { - ACLFilledChecklist checklist(Config.accessList.ftp_epsv, fwd->request, nullptr); + ACLFilledChecklist checklist(Config.accessList.ftp_epsv, fwd->request); doEpsv = checklist.fastCheck().allowed(); } if (!doEpsv) { diff --git a/src/clients/FtpGateway.cc b/src/clients/FtpGateway.cc index fc26c9d383..1ff69c9d21 100644 --- a/src/clients/FtpGateway.cc +++ b/src/clients/FtpGateway.cc @@ -1022,7 +1022,7 @@ Ftp::Gateway::processReplyBody() * Special Case: A username-only may be provided in the URL and password in the HTTP headers. * * TODO: we might be able to do something about locating username from other sources: - * ie, external ACL user=* tag or ident lookup + * ie, external ACL user=* tag * \retval 1 if we have everything needed to complete this request. \retval 0 if something is missing. 
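Review bot: The write to `ih->rfc931` in ClientHttpRequest::noteAdaptationAclCheckDone() is removed, but this chunk does not show whether the Adaptation::Icap::History `rfc931` member itself, and any ICAP log-format code that reads it, are removed as well; if the member survives it becomes an always-empty field that ICAP logging would still emit. Worth confirming in the rest of the commit, or leaving `// TODO(review): drop Icap::History::rfc931 if nothing sets it anymore` at the removal site until it is. The enclosing function starts and ends outside the hunk.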
diff --git a/src/comm/Connection.cc b/src/comm/Connection.cc index 47fa98a17b..4ab4b056ea 100644 --- a/src/comm/Connection.cc +++ b/src/comm/Connection.cc @@ -38,9 +38,7 @@ Comm::Connection::Connection() : peer_(nullptr), startTime_(squid_curtime), tlsHistory(nullptr) -{ - *rfc931 = 0; // quick init the head. the rest does not matter. -} +{} Comm::Connection::~Connection() { @@ -81,7 +79,6 @@ Comm::Connection::cloneProfile() const c.nfConnmark = nfConnmark; // COMM_ORPHANED is not a part of connection opening instructions c.flags = flags & ~COMM_ORPHANED; - // rfc931 is excused #if USE_SQUID_EUI // These are currently only set when accepting connections and never used @@ -205,10 +202,6 @@ Comm::operator << (std::ostream &os, const Connection &conn) os << " FD " << conn.fd; if (conn.flags != COMM_UNSET) os << " flags=" << conn.flags; -#if USE_IDENT - if (*conn.rfc931) - os << " IDENT::" << conn.rfc931; -#endif return os; } diff --git a/src/comm/Connection.h b/src/comm/Connection.h index 96701d226d..cb0a4a1f7d 100644 --- a/src/comm/Connection.h +++ b/src/comm/Connection.h @@ -173,8 +173,6 @@ public: /** COMM flags set on this connection */ int flags; - char rfc931[USER_IDENT_SZ]; - #if USE_SQUID_EUI Eui::Eui48 remoteEui48; Eui::Eui64 remoteEui64; diff --git a/src/comm/TcpAcceptor.cc b/src/comm/TcpAcceptor.cc index 50ad7dedd8..081761fc2a 100644 --- a/src/comm/TcpAcceptor.cc +++ b/src/comm/TcpAcceptor.cc @@ -253,7 +253,7 @@ Comm::TcpAcceptor::logAcceptError(const ConnectionPointer &tcpClient) const al->tcpClient = tcpClient; al->url = "error:accept-client-connection"; al->setVirginUrlForMissingRequest(al->url); - ACLFilledChecklist ch(nullptr, nullptr, nullptr); + ACLFilledChecklist ch(nullptr, nullptr); ch.src_addr = tcpClient->remote; ch.my_addr = tcpClient->local; ch.al = al; diff --git a/src/defines.h b/src/defines.h index 91bf9852dd..84d2139e48 100644 --- a/src/defines.h +++ b/src/defines.h 
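Review bot: The removed `// rfc931 is excused` in Comm::Connection::cloneProfile() was the only line documenting that some fields are deliberately not copied into the clone; if other members are still skipped on purpose (the hunk shows `flags` being masked and the Eui fields under `#if USE_SQUID_EUI`, but not the full member list), a replacement note such as `// fields not listed above are intentionally not cloned` would preserve that intent. Separately, with the constructor body now `{}`, the remaining initializers `peer_(nullptr), startTime_(squid_curtime), tlsHistory(nullptr)` could become in-class default member initializers with `Connection() = default;`, though the visible Connection.h hunk shows members without in-class initializers, so that is a wider style change than this commit needs. Both cloneProfile() and the header's class body continue outside the hunks.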
@@ -34,8 +34,6 @@ #define FQDN_LOOKUP_IF_MISS 0x01 #define FQDN_MAX_NAMES 5 -#define USER_IDENT_SZ 64 - #define IP_LOOKUP_IF_MISS 0x01 #define ICP_FLAG_SRC_RTT 0x40000000ul diff --git a/src/external_acl.cc b/src/external_acl.cc index 84ddc3e549..87d60da86f 100644 --- a/src/external_acl.cc +++ b/src/external_acl.cc @@ -44,9 +44,6 @@ #include "auth/Gadgets.h" #include "auth/UserRequest.h" #endif -#if USE_IDENT -#include "ident/AclIdent.h" -#endif #ifndef DEFAULT_EXTERNAL_ACL_TTL #define DEFAULT_EXTERNAL_ACL_TTL 1 * 60 * 60 @@ -791,17 +788,6 @@ ACLExternal::makeExternalAclKey(ACLFilledChecklist * ch, external_acl_data * acl ch->al->lastAclData = sb; } - -#if USE_IDENT - if (t->type == Format::LFT_USER_IDENT) { - if (!*ch->rfc931) { - // if we fail to go async, we still return NULL and the caller - // will detect the failure in ACLExternal::match(). - (void)ch->goAsync(ACLIdent::StartLookup, *this); - return nullptr; - } - } -#endif } // assemble the full helper lookup string @@ -1026,7 +1012,7 @@ ACLExternal::startLookup(ACLFilledChecklist *ch, external_acl_data *acl, bool in external_acl *def = acl->def; const char *key = makeExternalAclKey(ch, acl); - assert(key); // XXX: will fail if EXT_ACL_IDENT case needs an async lookup + assert(key); debugs(82, 2, (inBackground ? "bg" : "fg") << " lookup in '" << def->name << "' for '" << key << "'"); diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h index f079851693..ca86fd74f3 100644 --- a/src/format/ByteCode.h +++ b/src/format/ByteCode.h @@ -150,7 +150,6 @@ typedef enum { /* client credentials */ LFT_USER_NAME, /* any source will do */ LFT_USER_LOGIN, - LFT_USER_IDENT, /*LFT_USER_REALM, */ /*LFT_USER_SCHEME, */ LFT_USER_EXTERNAL, diff --git a/src/format/Format.cc b/src/format/Format.cc index cdce6a75b4..7685ad319f 100644 --- a/src/format/Format.cc +++ b/src/format/Format.cc 
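Review bot: In ACLExternal::startLookup() the `assert(key);` keeps its teeth but loses the comment explaining why a null key cannot happen; the only path visible in this diff that returned `nullptr` from makeExternalAclKey() was the removed `LFT_USER_IDENT` async branch, so if no other null-returning path remains, `assert(key); // makeExternalAclKey() has no async path left, so it never yields nullptr here` records that. If makeExternalAclKey() can still return nullptr for another reason not shown in this chunk, the assert should become a handled failure rather than a crash. startLookup() starts and ends outside the hunk.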
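Review bot: Removing `LFT_USER_IDENT` from the middle of the `typedef enum` in ByteCode.h shifts the numeric value of every later enumerator, starting with `LFT_USER_EXTERNAL`. That is harmless as long as the codes are only used in-process and never serialized, compared against literals, or exposed across a library boundary; this chunk does not show how they are consumed, so that deserves a quick check. A short note on the enum, e.g. `/* numeric values are not stable; never persist or compare them to literals */`, would make future removals safer. The enum starts and ends outside the hunk.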
@@ -948,8 +948,6 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS if (!out) out = strOrNull(al->cache.ssluser); #endif - if (!out) - out = strOrNull(al->getClientIdent()); break; case LFT_USER_LOGIN: @@ -959,10 +957,6 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS #endif break; - case LFT_USER_IDENT: - out = strOrNull(al->getClientIdent()); - break; - case LFT_USER_EXTERNAL: out = strOrNull(al->getExtUser()); break; diff --git a/src/format/Token.cc b/src/format/Token.cc index 671cde55cc..8fc2048ccf 100644 --- a/src/format/Token.cc +++ b/src/format/Token.cc @@ -77,7 +77,6 @@ static TokenTableEntry TokenTable2C[] = { TokenTableEntry("ul", LFT_USER_LOGIN), /*TokenTableEntry( "ur", LFT_USER_REALM ), */ /*TokenTableEntry( "us", LFT_USER_SCHEME ), */ - TokenTableEntry("ui", LFT_USER_IDENT), TokenTableEntry("ue", LFT_USER_EXTERNAL), TokenTableEntry("Hs", LFT_HTTP_SENT_STATUS_CODE_OLD_30), @@ -162,7 +161,6 @@ static TokenTableEntry TokenTableMisc[] = { TokenTableEntry("EXT_LOG", LFT_EXT_LOG), TokenTableEntry("EXT_TAG", LFT_TAG), TokenTableEntry("EXT_USER", LFT_USER_EXTERNAL), - TokenTableEntry("IDENT", LFT_USER_IDENT), TokenTableEntry("LOGIN", LFT_USER_LOGIN), TokenTableEntry("METHOD", LFT_CLIENT_REQ_METHOD), TokenTableEntry("MYADDR", LFT_LOCAL_LISTENING_IP), diff --git a/src/htcp.cc b/src/htcp.cc index 21cdf43c6f..e91851aa28 100644 --- a/src/htcp.cc +++ b/src/htcp.cc @@ -802,7 +802,7 @@ htcpAccessAllowed(acl_access * acl, const htcpSpecifier::Pointer &s, Ip::Address if (!acl) return false; - ACLFilledChecklist checklist(acl, s->request.getRaw(), nullptr); + ACLFilledChecklist checklist(acl, s->request.getRaw()); checklist.src_addr = from; checklist.my_addr.setNoAddr(); return checklist.fastCheck().allowed(); diff --git a/src/icp_v2.cc b/src/icp_v2.cc index 6171358fa1..f759e89cb1 100644 --- a/src/icp_v2.cc +++ b/src/icp_v2.cc 
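Review bot: TokenTable2C in Token.cc keeps `/*TokenTableEntry( "ur", LFT_USER_REALM ), */` and the `"us"` entry as commented placeholders, but the removed `"ui"` entry leaves no trace, so nothing signals that `%ui` once had a meaning and should not be quietly reassigned to something else. For consistency with the neighbouring placeholders, consider `/* "ui" (Ident user name) removed; do not reuse */` at the removal site, and the same for the `"IDENT"` entry removed from TokenTableMisc (`@@ -162,7 +161,6 @@`). Both tables continue outside the hunks.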
@@ -446,7 +446,7 @@ icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) return false; } - ACLFilledChecklist checklist(Config.accessList.icp, icp_request, nullptr); + ACLFilledChecklist checklist(Config.accessList.icp, icp_request); checklist.src_addr = from; checklist.my_addr.setNoAddr(); const auto &answer = checklist.fastCheck(); diff --git a/src/ident/AclIdent.cc b/src/ident/AclIdent.cc deleted file mode 100644 index b8bd57a6f0..0000000000 --- a/src/ident/AclIdent.cc +++ /dev/null 
@@ -1,122 +0,0 @@ -/* - * Copyright (C) 1996-2023 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -/* DEBUG: section 28 Access Control */ - -#include "squid.h" - -#if USE_IDENT - -#include "acl/FilledChecklist.h" -#include "acl/RegexData.h" -#include "acl/UserData.h" -#include "client_side.h" -#include "comm/Connection.h" -#include "globals.h" -#include "http/Stream.h" -#include "ident/AclIdent.h" -#include "ident/Ident.h" - -ACLIdent::~ACLIdent() -{ - delete data; -} - -ACLIdent::ACLIdent(ACLData *newData, char const *newType) : data (newData), type_ (newType) {} - -char const * -ACLIdent::typeString() const -{ - return type_; -} - -const Acl::Options & -ACLIdent::lineOptions() -{ - return data->lineOptions(); -} - -void -ACLIdent::parse() -{ - if (!data) { - debugs(28, 3, "current is null. Creating"); - data = new ACLUserData; - } - - data->parse(); -} - -int -ACLIdent::match(ACLChecklist *cl) -{ - const auto checklist = Filled(cl); - if (checklist->rfc931[0]) { - return data->match(checklist->rfc931); - } else if (checklist->conn() != nullptr && checklist->conn()->clientConnection != nullptr && checklist->conn()->clientConnection->rfc931[0]) { - return data->match(checklist->conn()->clientConnection->rfc931); - } else if (checklist->conn() != nullptr && Comm::IsConnOpen(checklist->conn()->clientConnection)) { - if (checklist->goAsync(StartLookup, *this)) { - debugs(28, 3, "switching to ident lookup state"); - return -1; - } - // else fall through to ACCESS_DUNNO failure below - } else { - debugs(28, DBG_IMPORTANT, "ERROR: Cannot start ident lookup. 
No client connection" ); - // fall through to ACCESS_DUNNO failure below - } - - checklist->markFinished(ACCESS_DUNNO, "cannot start ident lookup"); - return -1; -} - -SBufList -ACLIdent::dump() const -{ - return data->dump(); -} - -bool -ACLIdent::empty () const -{ - return data->empty(); -} - -void -ACLIdent::StartLookup(ACLFilledChecklist &cl, const Acl::Node &) -{ - const ConnStateData *conn = cl.conn(); - // check that ACLIdent::match() tested this lookup precondition - assert(conn && Comm::IsConnOpen(conn->clientConnection)); - debugs(28, 3, "Doing ident lookup" ); - Ident::Start(cl.conn()->clientConnection, LookupDone, &cl); -} - -void -ACLIdent::LookupDone(const char *ident, void *data) -{ - ACLFilledChecklist *checklist = Filled(static_cast(data)); - - if (ident) { - xstrncpy(checklist->rfc931, ident, USER_IDENT_SZ); - } else { - xstrncpy(checklist->rfc931, dash_str, USER_IDENT_SZ); - } - - /* - * Cache the ident result in the connection, to avoid redoing ident lookup - * over and over on persistent connections - */ - if (checklist->conn() != nullptr && checklist->conn()->clientConnection != nullptr && !checklist->conn()->clientConnection->rfc931[0]) - xstrncpy(checklist->conn()->clientConnection->rfc931, checklist->rfc931, USER_IDENT_SZ); - - checklist->resumeNonBlockingCheck(); -} - -#endif /* USE_IDENT */ - diff --git a/src/ident/AclIdent.h b/src/ident/AclIdent.h deleted file mode 100644 index 5a917ff3b2..0000000000 --- a/src/ident/AclIdent.h +++ /dev/null 
@@ -1,49 +0,0 @@ -/* - * Copyright (C) 1996-2023 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#ifndef SQUID_SRC_IDENT_ACLIDENT_H -#define SQUID_SRC_IDENT_ACLIDENT_H - -#if USE_IDENT - -#include "acl/Acl.h" -#include "acl/Checklist.h" -#include "acl/Data.h" - -/// \ingroup ACLAPI -class ACLIdent : public Acl::Node -{ - MEMPROXY_CLASS(ACLIdent); - -public: - static void StartLookup(ACLFilledChecklist &, const Acl::Node &); - - ACLIdent(ACLData *newData, char const *); - ~ACLIdent() override; - - /* Acl::Node API */ - char const *typeString() const override; - void parse() override; - bool isProxyAuth() const override {return true;} - int match(ACLChecklist *checklist) override; - SBufList dump() const override; - bool empty () const override; - -private: - static void LookupDone(const char *ident, void *data); - - /* Acl::Node API */ - const Acl::Options &lineOptions() override; - - ACLData *data; - char const *type_; -}; - -#endif /* USE_IDENT */ -#endif /* SQUID_SRC_IDENT_ACLIDENT_H */ - diff --git a/src/ident/Config.h b/src/ident/Config.h deleted file mode 100644 index 1a3921c458..0000000000 --- a/src/ident/Config.h +++ /dev/null @@ -1,32 +0,0 @@ -/* - * Copyright (C) 1996-2023 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#ifndef SQUID_SRC_IDENT_CONFIG_H -#define SQUID_SRC_IDENT_CONFIG_H - -#if USE_IDENT - -#include "acl/Acl.h" - -namespace Ident -{ - -class IdentConfig -{ -public: - acl_access *identLookup; - time_t timeout; -}; - -extern IdentConfig TheConfig; - -} // namespace Ident - -#endif /* USE_IDENT */ -#endif /* SQUID_SRC_IDENT_CONFIG_H */ - 
diff --git a/src/ident/Ident.cc b/src/ident/Ident.cc deleted file mode 100644 index 2f4bd328c0..0000000000 --- a/src/ident/Ident.cc +++ /dev/null 
@@ -1,309 +0,0 @@ -/* - * Copyright (C) 1996-2023 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -/* DEBUG: section 30 Ident (RFC 931) */ - -#include "squid.h" - -#if USE_IDENT -#include "base/JobWait.h" -#include "comm.h" -#include "comm/Connection.h" -#include "comm/ConnOpener.h" -#include "comm/Read.h" -#include "comm/Write.h" -#include "CommCalls.h" -#include "globals.h" -#include "ident/Config.h" -#include "ident/Ident.h" -#include "MemBuf.h" - -namespace Ident -{ - -#define IDENT_PORT 113 -#define IDENT_KEY_SZ 50 -#define IDENT_BUFSIZE 4096 - -typedef struct _IdentClient { - IDCB *callback; - void *callback_data; - - struct _IdentClient *next; -} IdentClient; - -class IdentStateData -{ -public: - hash_link hash; /* must be first */ -private: - CBDATA_CLASS(IdentStateData); - -public: - /* AsyncJob API emulated */ - void deleteThis(const char *aReason); - void swanSong(); - - /// notify all waiting IdentClient callbacks - void notify(const char *result); - - Comm::ConnectionPointer conn; - MemBuf queryMsg; ///< the lookup message sent to IDENT server - IdentClient *clients = nullptr; - char buf[IDENT_BUFSIZE]; - - /// waits for a connection to the IDENT server to be established/opened - JobWait connWait; - -private: - // use deleteThis() to destroy - ~IdentStateData(); -}; - -CBDATA_CLASS_INIT(IdentStateData); - -// TODO: make these all a series of Async job calls. They are self-contained callbacks now. 
-static IOCB ReadReply; -static IOCB WriteFeedback; -static CLCB Close; -static CTCB Timeout; -static CNCB ConnectDone; -static hash_table *ident_hash = nullptr; -static void ClientAdd(IdentStateData * state, IDCB * callback, void *callback_data); - -} // namespace Ident - -Ident::IdentConfig Ident::TheConfig; - -void -Ident::IdentStateData::deleteThis(const char *reason) -{ - debugs(30, 3, reason); - swanSong(); - delete this; -} - -void -Ident::IdentStateData::swanSong() -{ - if (clients != nullptr) - notify(nullptr); -} - -Ident::IdentStateData::~IdentStateData() { - assert(!clients); - - if (Comm::IsConnOpen(conn)) { - comm_remove_close_handler(conn->fd, Ident::Close, this); - conn->close(); - } - - hash_remove_link(ident_hash, (hash_link *) this); - xfree(hash.key); -} - -void -Ident::IdentStateData::notify(const char *result) -{ - while (IdentClient *client = clients) { - void *cbdata; - clients = client->next; - - if (cbdataReferenceValidDone(client->callback_data, &cbdata)) - client->callback(result, cbdata); - - xfree(client); - } -} - -void -Ident::Close(const CommCloseCbParams ¶ms) -{ - IdentStateData *state = (IdentStateData *)params.data; - if (state->conn) { - state->conn->noteClosure(); - state->conn = nullptr; - } - state->deleteThis("connection closed"); -} - -void -Ident::Timeout(const CommTimeoutCbParams &io) -{ - debugs(30, 3, io.conn); - IdentStateData *state = (IdentStateData *)io.data; - state->deleteThis("timeout"); -} - -void -Ident::ConnectDone(const Comm::ConnectionPointer &conn, Comm::Flag status, int, void *data) -{ - IdentStateData *state = (IdentStateData *)data; - state->connWait.finish(); - - // Start owning the supplied connection (so that it is not orphaned if this - // function bails early). As a (tiny) optimization or perhaps just diff - // minimization, the close handler is added later, when we know we are not - // bailing. This delay is safe because comm_remove_close_handler() forgives - // missing handlers. 
- assert(conn); // but may be closed - assert(!state->conn); - state->conn = conn; - - if (status != Comm::OK) { - if (status == Comm::TIMEOUT) - debugs(30, 3, "IDENT connection timeout to " << state->conn->remote); - state->deleteThis(status == Comm::TIMEOUT ? "connect timeout" : "connect error"); - return; - } - - /* - * see if any of our clients still care - */ - IdentClient *c; - for (c = state->clients; c; c = c->next) { - if (cbdataReferenceValid(c->callback_data)) - break; - } - - if (c == nullptr) { - state->deleteThis("client(s) aborted"); - return; - } - - assert(state->conn->isOpen()); - comm_add_close_handler(state->conn->fd, Ident::Close, state); - - AsyncCall::Pointer writeCall = commCbCall(5,4, "Ident::WriteFeedback", - CommIoCbPtrFun(Ident::WriteFeedback, state)); - Comm::Write(conn, &state->queryMsg, writeCall); - AsyncCall::Pointer readCall = commCbCall(5,4, "Ident::ReadReply", - CommIoCbPtrFun(Ident::ReadReply, state)); - comm_read(conn, state->buf, IDENT_BUFSIZE, readCall); - AsyncCall::Pointer timeoutCall = commCbCall(5,4, "Ident::Timeout", - CommTimeoutCbPtrFun(Ident::Timeout, state)); - commSetConnTimeout(conn, Ident::TheConfig.timeout, timeoutCall); -} - -void -Ident::WriteFeedback(const Comm::ConnectionPointer &conn, char *, size_t len, Comm::Flag flag, int xerrno, void *data) -{ - debugs(30, 5, conn << ": Wrote IDENT request " << len << " bytes."); - - // TODO handle write errors better. retry or abort? 
- if (flag != Comm::OK) { - debugs(30, 2, conn << " err-flags=" << flag << " IDENT write error: " << xstrerr(xerrno)); - IdentStateData *state = (IdentStateData *)data; - state->deleteThis("write error"); - } -} - -void -Ident::ReadReply(const Comm::ConnectionPointer &conn, char *buf, size_t len, Comm::Flag flag, int, void *data) -{ - IdentStateData *state = (IdentStateData *)data; - char *ident = nullptr; - char *t = nullptr; - - assert(buf == state->buf); - assert(conn->fd == state->conn->fd); - - if (flag != Comm::OK || len <= 0) { - state->deleteThis("read error"); - return; - } - - /* - * XXX This isn't really very tolerant. It should read until EOL - * or EOF and then decode the answer... If the reply is fragmented - * then this will fail - */ - buf[len] = '\0'; - - if ((t = strchr(buf, '\r'))) - *t = '\0'; - - if ((t = strchr(buf, '\n'))) - *t = '\0'; - - debugs(30, 5, conn << ": Read '" << buf << "'"); - - if (strstr(buf, "USERID")) { - if ((ident = strrchr(buf, ':'))) { - while (xisspace(*++ident)); - if (ident && *ident == '\0') - ident = nullptr; - state->notify(ident); - } - } - - state->deleteThis("completed"); -} - -void -Ident::ClientAdd(IdentStateData * state, IDCB * callback, void *callback_data) -{ - IdentClient *c = (IdentClient *)xcalloc(1, sizeof(*c)); - IdentClient **C; - c->callback = callback; - c->callback_data = cbdataReference(callback_data); - - for (C = &state->clients; *C; C = &(*C)->next); - *C = c; -} - -/* - * start a TCP connection to the peer host on port 113 - */ -void -Ident::Start(const Comm::ConnectionPointer &conn, IDCB * callback, void *data) -{ - IdentStateData *state; - char key1[IDENT_KEY_SZ]; - char key2[IDENT_KEY_SZ]; - char key[IDENT_KEY_SZ*2+2]; // key1 + ',' + key2 + terminator - - conn->local.toUrl(key1, IDENT_KEY_SZ); - conn->remote.toUrl(key2, IDENT_KEY_SZ); - int res = snprintf(key, sizeof(key), "%s,%s", key1, key2); - assert(res > 0); - assert(static_cast(res) < sizeof(key)); - - if (!ident_hash) { - ident_hash 
= hash_create((HASHCMP *) strcmp, - hashPrime(Squid_MaxFD / 8), - hash4); - } - if ((state = (IdentStateData *)hash_lookup(ident_hash, key)) != nullptr) { - ClientAdd(state, callback, data); - return; - } - - state = new IdentStateData; - state->hash.key = xstrdup(key); - - // copy the conn details. We do not want the original FD to be re-used by IDENT. - const auto identConn = conn->cloneProfile(); - // NP: use random port for secure outbound to IDENT_PORT - identConn->local.port(0); - identConn->remote.port(IDENT_PORT); - - // build our query from the original connection details - state->queryMsg.init(); - state->queryMsg.appendf("%d, %d\r\n", conn->remote.port(), conn->local.port()); - - ClientAdd(state, callback, data); - hash_join(ident_hash, &state->hash); - - AsyncCall::Pointer call = commCbCall(30,3, "Ident::ConnectDone", CommConnectCbPtrFun(Ident::ConnectDone, state)); - const auto connOpener = new Comm::ConnOpener(identConn, call, Ident::TheConfig.timeout); - state->connWait.start(connOpener, call); -} - -#endif /* USE_IDENT */ - diff --git a/src/ident/Ident.h b/src/ident/Ident.h deleted file mode 100644 index 3a54d90d68..0000000000 --- a/src/ident/Ident.h +++ /dev/null 
@@ -1,33 +0,0 @@ -/* - * Copyright (C) 1996-2023 The Squid Software Foundation and contributors - * - * Squid software is distributed under GPLv2+ license and includes - * contributions from numerous individuals and organizations. - * Please see the COPYING and CONTRIBUTORS files for details. - */ - -#ifndef SQUID_SRC_IDENT_IDENT_H -#define SQUID_SRC_IDENT_IDENT_H - -#if USE_IDENT - -#include "cbdata.h" -#include "comm/forward.h" - -typedef void IDCB(const char *ident, void *data); - -/// Ident Lookup API -namespace Ident -{ - -/** - * Open a connection and request IDENT information from a peer machine. - * Callback will be called when the lookup is completed. - */ -void Start(const Comm::ConnectionPointer &conn, IDCB * callback, void *cbdata); - -} // namespace Ident - -#endif /* USE_IDENT */ -#endif /* SQUID_SRC_IDENT_IDENT_H */ - diff --git a/src/ident/Makefile.am b/src/ident/Makefile.am deleted file mode 100644 index 519cd6f719..0000000000 --- a/src/ident/Makefile.am +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 1996-2023 The Squid Software Foundation and contributors -## -## Squid software is distributed under GPLv2+ license and includes -## contributions from numerous individuals and organizations. -## Please see the COPYING and CONTRIBUTORS files for details. -## - -include $(top_srcdir)/src/Common.am - -noinst_LTLIBRARIES = libident.la - -libident_la_SOURCES = \ - AclIdent.cc \ - AclIdent.h \ - Config.h \ - Ident.cc \ - Ident.h diff --git a/src/log/FormatHttpdCombined.cc b/src/log/FormatHttpdCombined.cc index d2bad08325..9b151ded6f 100644 --- a/src/log/FormatHttpdCombined.cc +++ b/src/log/FormatHttpdCombined.cc @@ -21,7 +21,6 @@ void Log::Format::HttpdCombined(const AccessLogEntry::Pointer &al, Logfile * logfile) { - const char *user_ident = ::Format::QuoteUrlEncodeUsername(al->getClientIdent()); const char *user_auth = nullptr; const char *referer = nullptr; const char *agent = nullptr; 
@@ -48,7 +47,7 @@ Log::Format::HttpdCombined(const AccessLogEntry::Pointer &al, Logfile * logfile) logfilePrintf(logfile, "%s %s %s [%s] \"" SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\" %d %" PRId64 " \"%s\" \"%s\" %s:%s%s", clientip, - user_ident ? user_ident : dash_str, + dash_str, user_auth ? user_auth : dash_str, Time::FormatHttpd(squid_curtime), SQUIDSBUFPRINT(method), @@ -63,7 +62,6 @@ Log::Format::HttpdCombined(const AccessLogEntry::Pointer &al, Logfile * logfile) hier_code_str[al->hier.code], (Config.onoff.log_mime_hdrs?"":"\n")); - safe_free(user_ident); safe_free(user_auth); if (Config.onoff.log_mime_hdrs) { diff --git a/src/log/FormatHttpdCommon.cc b/src/log/FormatHttpdCommon.cc index d13b33ec1a..8f403f368a 100644 --- a/src/log/FormatHttpdCommon.cc +++ b/src/log/FormatHttpdCommon.cc @@ -26,7 +26,6 @@ Log::Format::HttpdCommon(const AccessLogEntry::Pointer &al, Logfile * logfile) if (al->request && al->request->auth_user_request != nullptr) user_auth = ::Format::QuoteUrlEncodeUsername(al->request->auth_user_request->username()); #endif - const char *user_ident = ::Format::QuoteUrlEncodeUsername(al->getClientIdent()); char clientip[MAX_IPSTRLEN]; al->getLogClientIp(clientip, MAX_IPSTRLEN); @@ -35,7 +34,7 @@ Log::Format::HttpdCommon(const AccessLogEntry::Pointer &al, Logfile * logfile) logfilePrintf(logfile, "%s %s %s [%s] \"" SQUIDSBUFPH " " SQUIDSBUFPH " %s/%d.%d\" %d %" PRId64 " %s:%s%s", clientip, - user_ident ? user_ident : dash_str, + dash_str, user_auth ? user_auth : dash_str, Time::FormatHttpd(squid_curtime), SQUIDSBUFPRINT(method), @@ -49,7 +48,6 @@ Log::Format::HttpdCommon(const AccessLogEntry::Pointer &al, Logfile * logfile) (Config.onoff.log_mime_hdrs?"":"\n")); safe_free(user_auth); - safe_free(user_ident); if (Config.onoff.log_mime_hdrs) { char *ereq = ::Format::QuoteMimeBlob(al->headers.request); diff --git a/src/log/FormatSquidIcap.cc b/src/log/FormatSquidIcap.cc index 2ca5c60ced..f933a7f9cf 100644 --- a/src/log/FormatSquidIcap.cc 
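Review bot: The bare `dash_str,` that replaces `user_ident ? user_ident : dash_str` in Log::Format::HttpdCombined() reads as a stray argument without the context the commit message gives; a trailing comment preserves it: `dash_str, // former Ident (%ui) user column, always "-" so the combined layout is unchanged`. The same applies to the `dash_str,` in Log::Format::HttpdCommon() (`@@ -35,7 +34,7 @@`), where the comment should name the common format instead. Both functions start and end outside the hunks.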
+++ b/src/log/FormatSquidIcap.cc @@ -40,9 +40,6 @@ Log::Format::SquidIcap(const AccessLogEntry::Pointer &al, Logfile * logfile) user = ::Format::QuoteUrlEncodeUsername(al->cache.ssluser); #endif - if (!user) - user = ::Format::QuoteUrlEncodeUsername(al->getClientIdent()); - if (user && !*user) safe_free(user); diff --git a/src/log/FormatSquidNative.cc b/src/log/FormatSquidNative.cc index 7651c5dce4..aacd4ca62b 100644 --- a/src/log/FormatSquidNative.cc +++ b/src/log/FormatSquidNative.cc @@ -38,9 +38,6 @@ Log::Format::SquidNative(const AccessLogEntry::Pointer &al, Logfile * logfile) user = ::Format::QuoteUrlEncodeUsername(al->cache.ssluser); #endif - if (!user) - user = ::Format::QuoteUrlEncodeUsername(al->getClientIdent()); - if (user && !*user) safe_free(user); diff --git a/src/neighbors.cc b/src/neighbors.cc index 63bd0fb831..988dd48d88 100644 --- a/src/neighbors.cc +++ b/src/neighbors.cc @@ -167,7 +167,7 @@ peerAllowedToUse(const CachePeer * p, PeerSelector * ps) if (p->access == nullptr) return true; - ACLFilledChecklist checklist(p->access, request, nullptr); + ACLFilledChecklist checklist(p->access, request); checklist.updateAle(ps->al); checklist.syncAle(request, nullptr); return checklist.fastCheck().allowed(); diff --git a/src/peer_select.cc b/src/peer_select.cc index c1e0d89612..988fe60bbb 100644 --- a/src/peer_select.cc +++ b/src/peer_select.cc @@ -620,7 +620,7 @@ PeerSelector::selectMore() if (always_direct == ACCESS_DUNNO) { debugs(44, 3, "direct = " << DirectStr[direct] << " (always_direct to be checked)"); /** check always_direct; */ - ACLFilledChecklist *ch = new ACLFilledChecklist(Config.accessList.AlwaysDirect, request, nullptr); + const auto ch = new ACLFilledChecklist(Config.accessList.AlwaysDirect, request); ch->al = al; acl_checklist = ch; acl_checklist->syncAle(request, nullptr); 
@@ -629,7 +629,7 @@ PeerSelector::selectMore()
 } else if (never_direct == ACCESS_DUNNO) {
 debugs(44, 3, "direct = " << DirectStr[direct] << " (never_direct to be checked)");
 /** check never_direct; */
- ACLFilledChecklist *ch = new ACLFilledChecklist(Config.accessList.NeverDirect, request, nullptr);
+ const auto ch = new ACLFilledChecklist(Config.accessList.NeverDirect, request);
 ch->al = al;
 acl_checklist = ch;
 acl_checklist->syncAle(request, nullptr);
diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc
index 96c2f0ed34..d23c0b3d53 100644
--- a/src/security/PeerConnector.cc
+++ b/src/security/PeerConnector.cc
@@ -167,7 +167,7 @@ Security::PeerConnector::initialize(Security::SessionPointer &serverSession)
 // TODO: Remove ACLFilledChecklist::sslErrors and other pre-computed
 // state in favor of the ACLs accessing current/fresh info directly.
 if (acl_access *acl = ::Config.ssl_client.cert_error) {
- ACLFilledChecklist *check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
+ const auto check = new ACLFilledChecklist(acl, request.getRaw());
 fillChecklist(*check);
 SSL_set_ex_data(serverSession.get(), ssl_ex_index_cert_error_check, check);
 }
@@ -388,7 +388,7 @@ Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse cons
 Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
 if (acl_access *acl = ::Config.ssl_client.cert_error) {
- check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
+ check = new ACLFilledChecklist(acl, request.getRaw());
 fillChecklist(*check);
 }
diff --git a/src/servers/FtpServer.cc b/src/servers/FtpServer.cc
index 976fe4e1f1..5b6cd63b34 100644
--- a/src/servers/FtpServer.cc
+++ b/src/servers/FtpServer.cc
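Review bot: In the `Security::PeerConnector::initialize` hunk, replacing the explicit `ACLFilledChecklist *` with `const auto` leaves the `SSL_set_ex_data(...)` call two lines below as the only hint that `check` is a heap object whose lifetime is tied to the OpenSSL session, and nothing at the `new` says who deletes it. Since the allocation line is being rewritten anyway, a one-line ownership note would help the next reader, e.g. `// owned by the session ex-data slot; released by its ex-data free callback (TODO confirm)`. The deleter is not visible in this hunk, so that wording should be checked against the ex-data index registration before it is committed. `initialize` starts and ends outside the hunk.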
@@ -1539,7 +1539,7 @@ Ftp::Server::handleUploadRequest(String &, String &)
 if (Config.accessList.forceRequestBodyContinuation) {
 ClientHttpRequest *http = pipeline.front()->http;
 HttpRequest *request = http->request;
- ACLFilledChecklist bodyContinuationCheck(Config.accessList.forceRequestBodyContinuation, request, nullptr);
+ ACLFilledChecklist bodyContinuationCheck(Config.accessList.forceRequestBodyContinuation, request);
 bodyContinuationCheck.al = http->al;
 bodyContinuationCheck.syncAle(request, http->log_uri);
 if (bodyContinuationCheck.fastCheck().allowed()) {
diff --git a/src/servers/Http1Server.cc b/src/servers/Http1Server.cc
index e409cf54bf..05151a339c 100644
--- a/src/servers/Http1Server.cc
+++ b/src/servers/Http1Server.cc
@@ -264,7 +264,7 @@ Http::One::Server::processParsedRequest(Http::StreamPointer &context)
 }
 if (Config.accessList.forceRequestBodyContinuation) {
- ACLFilledChecklist bodyContinuationCheck(Config.accessList.forceRequestBodyContinuation, request.getRaw(), nullptr);
+ ACLFilledChecklist bodyContinuationCheck(Config.accessList.forceRequestBodyContinuation, request.getRaw());
 bodyContinuationCheck.al = http->al;
 bodyContinuationCheck.syncAle(request.getRaw(), http->log_uri);
 if (bodyContinuationCheck.fastCheck().allowed()) {
diff --git a/src/snmp_core.cc b/src/snmp_core.cc
index 2c13bdb6c3..8d7ae55459 100644
--- a/src/snmp_core.cc
+++ b/src/snmp_core.cc
@@ -402,7 +402,7 @@ snmpDecodePacket(SnmpRequest * rq)
 /* Check if we have explicit permission to access SNMP data.
 * default (set above) is to deny all */
 if (Community) {
- ACLFilledChecklist checklist(Config.accessList.snmp, nullptr, nullptr);
+ ACLFilledChecklist checklist(Config.accessList.snmp, nullptr);
 checklist.src_addr = rq->from;
 checklist.snmp_community = (char *) Community;
diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc
index 6098b5ae90..2f08736812 100644
--- a/src/ssl/PeekingPeerConnector.cc
+++ b/src/ssl/PeekingPeerConnector.cc
@@ -69,9 +69,7 @@ Ssl::PeekingPeerConnector::checkForPeekAndSplice()
 {
 handleServerCertificate();
- ACLFilledChecklist *acl_checklist = new ACLFilledChecklist(
- ::Config.accessList.ssl_bump,
- request.getRaw(), nullptr);
+ const auto acl_checklist = new ACLFilledChecklist(::Config.accessList.ssl_bump, request.getRaw());
 acl_checklist->al = al;
 acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpNone));
 acl_checklist->banAction(Acl::Answer(ACCESS_ALLOWED, Ssl::bumpPeek));
diff --git a/src/stat.cc b/src/stat.cc
index e26360930d..2e8e6a451c 100644
--- a/src/stat.cc
+++ b/src/stat.cc
@@ -1815,9 +1815,6 @@ statClientRequests(StoreEntry * s)
 p = http->request->extacl_user.termedBuf();
 }
- if (!p && conn != nullptr && conn->clientConnection->rfc931[0])
- p = conn->clientConnection->rfc931;
-
 #if USE_OPENSSL
 if (!p && conn != nullptr && Comm::IsConnOpen(conn->clientConnection))
 p = sslGetUserEmail(fd_table[conn->clientConnection->fd].ssl.get());
diff --git a/src/store_client.cc b/src/store_client.cc
index 6abd7b8124..6288b0dcbf 100644
--- a/src/store_client.cc
+++ b/src/store_client.cc
@@ -57,7 +57,7 @@ StoreClient::onCollapsingPath() const
 if (!Config.accessList.collapsedForwardingAccess)
 return true;
- ACLFilledChecklist checklist(Config.accessList.collapsedForwardingAccess, nullptr, nullptr);
+ ACLFilledChecklist checklist(Config.accessList.collapsedForwardingAccess, nullptr);
 fillChecklist(checklist);
 return checklist.fastCheck().allowed();
 }
diff --git a/src/tunnel.cc b/src/tunnel.cc
index 81cd72cbb7..2f52720049 100644
--- a/src/tunnel.cc
+++ b/src/tunnel.cc
@@ -1188,7 +1188,7 @@ tunnelStart(ClientHttpRequest * http)
 * Check if this host is allowed to fetch MISSES from us (miss_access)
 * default is to allow.
 */
- ACLFilledChecklist ch(Config.accessList.miss, request, nullptr);
+ ACLFilledChecklist ch(Config.accessList.miss, request);
 ch.al = http->al;
 ch.src_addr = request->client_addr;
 ch.my_addr = request->my_addr;
diff --git a/test-suite/buildtests/layer-01-minimal.opts b/test-suite/buildtests/layer-01-minimal.opts
index 9ca734dc11..22ddf38fec 100644
--- a/test-suite/buildtests/layer-01-minimal.opts
+++ b/test-suite/buildtests/layer-01-minimal.opts
@@ -67,7 +67,6 @@ DISTCHECK_CONFIGURE_FLAGS=" \
 --disable-linux-netfilter \
 --disable-linux-tproxy \
 --disable-follow-x-forwarded-for \
- --disable-ident-lookups \
 --disable-default-hostsfile \
 --disable-auth \
 --disable-basic-auth-helpers \
diff --git a/test-suite/buildtests/layer-02-maximus.opts b/test-suite/buildtests/layer-02-maximus.opts
index 03277b2642..a9c8aa4770 100644
--- a/test-suite/buildtests/layer-02-maximus.opts
+++ b/test-suite/buildtests/layer-02-maximus.opts
@@ -81,7 +81,6 @@ DISTCHECK_CONFIGURE_FLAGS=" \
 --enable-http-violations \
 --enable-ipfw-transparent \
 --enable-follow-x-forwarded-for \
- --enable-ident-lookups \
 --enable-default-hostsfile=/etc/hosts \
 --enable-auth \
 --enable-basic-auth-helpers \
diff --git a/test-suite/buildtests/layer-04-noauth-everything.opts b/test-suite/buildtests/layer-04-noauth-everything.opts
index 9119a2a90e..b79d2cdf4e 100644
--- a/test-suite/buildtests/layer-04-noauth-everything.opts
+++ b/test-suite/buildtests/layer-04-noauth-everything.opts
@@ -82,7 +82,6 @@ DISTCHECK_CONFIGURE_FLAGS=" \
 --enable-http-violations \
 --enable-ipfw-transparent \
 --enable-follow-x-forwarded-for \
- --enable-ident-lookups \
 --enable-internal-dns \
 --enable-default-hostsfile \
 --disable-auth \
diff --git a/test-suite/squidconf/external_acl_type.conf b/test-suite/squidconf/external_acl_type.conf
index ced80113d6..383f8f416e 100644
--- a/test-suite/squidconf/external_acl_type.conf
+++ b/test-suite/squidconf/external_acl_type.conf
@@ -12,7 +12,6 @@ external_acl_type foo \
 %EXT_USER \
 %EXT_LOG \
 %EXT_TAG \
- %IDENT \
 %SRC \
 %SRCPORT \
 %URI \