From: Christos Tsantilas
Date: Sat, 8 Sep 2012 05:27:54 +0000 (-0600)
Subject: Bug 3616: Retrieve client connection for ACL checks from the related HttpRequest...
X-Git-Tag: SQUID_3_2_2~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=939f8e2e38fc986c361877e5d486ec3922ab3b95;p=thirdparty%2Fsquid.git
Bug 3616: Retrieve client connection for ACL checks from the related HttpRequest object This patch enable SSL client certificate ACL checks (user_cert and ca_cert) in all cases the client connection information can retrieved from the related HttpRequest object, eg when making peering decisions (peer_cache_access ACL). Also fixes assertion failure caused by acl dst on transparent proxy. Discussed under the "Supply client connection and IDENT information to peer_cache_access ACL check" thread on squid-dev. This is a Measurement Factory project
---
diff --git a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc
index 16d6f27660..5515debd73 100644
--- a/src/acl/FilledChecklist.cc
+++ b/src/acl/FilledChecklist.cc
@@ -110,6 +110,8 @@ ACLFilledChecklist::conn() const
 void
 ACLFilledChecklist::conn(ConnStateData *aConn)
 {
+    if (conn() == aConn)
+        return;
     assert (conn() == NULL);
     conn_ = cbdataReference(aConn);
 }
@@ -205,6 +207,9 @@ ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_re
 #endif /* FOLLOW_X_FORWARDED_FOR */
         src_addr = request->client_addr;
         my_addr = request->my_addr;
+
+        if (request->clientConnectionManager.valid())
+            conn(request->clientConnectionManager.get());
     }
 #if USE_IDENT
diff --git a/src/client_side.cc b/src/client_side.cc
index 14169ba4aa..9f375368a6 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
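Review bot: The early return added at the top of ACLFilledChecklist::conn(ConnStateData *) carries no explanation, and the assert on the next line still fires for any other non-NULL connection, so a reader has to find the constructor hunk below to learn why a repeat call is now tolerated; a comment such as `// conn_ may already hold this connection (set from HttpRequest::clientConnectionManager); a repeat is a no-op, a different connection is a caller bug` would make that contract visible at the setter. The comparison also goes through conn() rather than conn_; conn() const is defined just above this hunk and is not visible here, so if it returns NULL for a cbdata-invalidated pointer the assignment on the last line would overwrite the old reference without a cbdataReferenceDone(), which is worth confirming against that accessor.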
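Review bot: The new guard on request->clientConnectionManager.valid() in the ACLFilledChecklist constructor skips setting the connection with no trace when the client connection is already gone, and per the commit description that connection is now what lets user_cert/ca_cert checks run for peer_cache_access, so a denial caused by a vanished connection would be indistinguishable from a certificate mismatch in cache.log. An else branch with a line such as `debugs(28, 3, "client connection gone; connection-based ACLs cannot match")` would make that case diagnosable. The enclosing constructor starts outside the hunk, so whether `request` itself is NULL-guarded before these lines is not visible here.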
@@ -3856,16 +3856,6 @@ clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http)
      * the ident result on persistent connections...
      */
     /* connection oriented auth also needs these two lines for it's operation. */
-    /*
-     * Internal requests do not have a connection reference, because: A) their
-     * byte count may be transformed before being applied to an outbound
-     * connection B) they are internal - any limiting on them should be done on
-     * the server end.
-     */
-
-    if (conn != NULL)
-        ch->conn(conn); /* unreferenced in FilledCheckList.cc */
-
     return ch;
 }
diff --git a/src/neighbors.cc b/src/neighbors.cc
index cd98407319..ee3e961a37 100644
--- a/src/neighbors.cc
+++ b/src/neighbors.cc
@@ -194,17 +194,6 @@ peerAllowedToUse(const peer * p, HttpRequest * request)
     checklist.src_addr = request->client_addr;
     checklist.my_addr = request->my_addr;
-#if 0 && USE_IDENT
-    /*
-     * this is currently broken because 'request->user_ident' has been
-     * moved to conn->rfc931 and we don't have access to the parent
-     * ConnStateData here.
-     */
-    if (request->user_ident[0])
-        xstrncpy(checklist.rfc931, request->user_ident, USER_IDENT_SZ);
-
-#endif
-
     return (checklist.fastCheck() == ACCESS_ALLOWED);
 }