From: Christos Tsantilas
Date: Thu, 30 Aug 2012 09:02:06 +0000 (+0300)
Subject: Retrieve client connection information for ACL checks from the related HttpRequest...
X-Git-Tag: sourceformat-review-1~14^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=16a16ffe45c116f4e5925f2d4ceec46f88b58d75;p=thirdparty%2Fsquid.git
Retrieve client connection information for ACL checks from the related HttpRequest object
This patch enable SSL client certificate ACL checks (user_cert and ca_cert) in all cases the client connection information can retrieved from the related HttpRequest object, eg when making peering decisions (peer_cache_access ACL).
Discussed under the "Supply client connection and IDENT information to peer_cache_access ACL check" thread on squid-dev.
This is a Measurement Factory project
---
diff --git a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc
index eea3fd96ea..8a03fc175a 100644
--- a/src/acl/FilledChecklist.cc
+++ b/src/acl/FilledChecklist.cc
@@ -85,6 +85,8 @@ ACLFilledChecklist::conn() const
 void
 ACLFilledChecklist::conn(ConnStateData *aConn)
 {
+ if (conn() == aConn)
+ return;
 assert (conn() == NULL);
 conn_ = cbdataReference(aConn);
 }
@@ -180,6 +182,9 @@ ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_re
 #endif /* FOLLOW_X_FORWARDED_FOR */
 src_addr = request->client_addr;
 my_addr = request->my_addr;
+
+ if (request->clientConnectionManager.valid())
+ conn(request->clientConnectionManager.get());
 }
 #if USE_IDENT
diff --git a/src/client_side.cc b/src/client_side.cc
index 4a7bc3c90a..f3a68c26de 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
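Review bot: The new early return in ACLFilledChecklist::conn(ConnStateData *) changes the setter's contract without saying so: attaching the same connection twice is now silently accepted, while attaching a different one still trips the assert(conn() == NULL) on the next line. A short comment above the added `if` would spare the next reader a trip to the constructor, for example `/* the request's connection manager may already be attached by the constructor; re-attaching it is a no-op, attaching a different connection is a programming error */`. The conn() getter whose tail appears in the hunk header is outside the hunk, so whether it hides an invalidated cbdata reference (which would make the == comparison miss and the assert fire) cannot be confirmed here and is worth a glance.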
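Review bot: The two lines added to the ACLFilledChecklist constructor carry no explanation of why the client connection is now taken from the request; the reason (user_cert/ca_cert and similar ACLs need ConnStateData even when the checklist is built far from client_side.cc) lives only in the commit message. A why-comment on the added `if`, such as `/* connection-bound ACLs (user_cert, ca_cert, ident) need the client connection even when the checklist is built outside client_side.cc, e.g. for peer_cache_access */`, keeps that rationale next to the code. Because the setter asserts when a different non-NULL connection is already attached, any caller outside this commit that still calls conn() with something other than request->clientConnectionManager would now abort; the client_side.cc callers were removed here, but others are not visible from this diff. The constructor starts before the hunk, so the guard that makes request non-NULL at this point is assumed, not shown.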
@@ -3734,7 +3734,6 @@ void ConnStateData::buildSslCertGenerationParams(Ssl::CertificateProperties &cer
 ACLFilledChecklist checklist(NULL, sslServerBump->request,
 clientConnection != NULL ? clientConnection->rfc931 : dash_str);
- checklist.conn(this);
 checklist.sslErrors = cbdataReference(sslServerBump->sslErrors);
 for (sslproxy_cert_adapt *ca = Config.ssl_client.cert_adapt; ca != NULL; ca = ca->next) {
@@ -4240,16 +4239,6 @@ clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http)
 * the ident result on persistent connections... */
 /* connection oriented auth also needs these two lines for it's operation. */
- /*
- * Internal requests do not have a connection reference, because: A) their
- * byte count may be transformed before being applied to an outbound
- * connection B) they are internal - any limiting on them should be done on
- * the server end.
- */
-
- if (conn != NULL)
- ch->conn(conn); /* unreferenced in FilledCheckList.cc */
-
 return ch;
 }
diff --git a/src/neighbors.cc b/src/neighbors.cc
index 373dc27ddf..a228a560bc 100644
--- a/src/neighbors.cc
+++ b/src/neighbors.cc
@@ -199,17 +199,6 @@ peerAllowedToUse(const peer * p, HttpRequest * request)
 checklist.src_addr = request->client_addr;
 checklist.my_addr = request->my_addr;
-#if 0 && USE_IDENT
- /*
- * this is currently broken because 'request->user_ident' has been
- * moved to conn->rfc931 and we don't have access to the parent
- * ConnStateData here.
- */
- if (request->user_ident[0])
- xstrncpy(checklist.rfc931, request->user_ident, USER_IDENT_SZ);
-
- #endif
-
 return (checklist.fastCheck() == ACCESS_ALLOWED);
 }
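Review bot: Dropping checklist.conn(this) in buildSslCertGenerationParams makes the sslproxy_cert_adapt checks depend on sslServerBump->request->clientConnectionManager being valid at this point; before, the connection was attached unconditionally. If that reference is unset or already invalidated, the checklist is evaluated without a connection and certificate-adaptation ACLs that need it quietly see no client data instead of failing loudly. A cheap guard after the constructor keeps the old guarantee: `if (checklist.conn() == NULL) checklist.conn(this);` (the setter's assert still catches a mismatched connection). The function begins before the hunk, so whether sslServerBump->request is always bound to this ConnStateData is inferred, not shown.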
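Review bot: In clientAclChecklistCreate the two comments kept as context, "... the ident result on persistent connections..." and "connection oriented auth also needs these two lines for it's operation.", are now followed directly by `return ch;`, so they describe code that no longer exists in the function. They should either be removed with the block below them or rewritten to point at where the work now happens, e.g. `/* client address, ident and connection data are now attached by the ACLFilledChecklist constructor from the request */`. The local `conn` that the removed `if (conn != NULL)` tested is declared outside the hunk; if this was its last use it is now an unused variable and will warn on -Wall builds, so that is worth confirming.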