From 939f8e2e38fc986c361877e5d486ec3922ab3b95 Mon Sep 17 00:00:00 2001
From: Christos Tsantilas
Date: Fri, 7 Sep 2012 23:27:54 -0600
Subject: [PATCH] Bug 3616: Retrieve client connection for ACL checks from the related HttpRequest object

This patch enable SSL client certificate ACL checks (user_cert and ca_cert) in all cases the client connection information can retrieved from the related HttpRequest object, eg when making peering decisions (peer_cache_access ACL). Also fixes assertion failure caused by acl dst on transparent proxy. Discussed under the "Supply client connection and IDENT information to peer_cache_access ACL check" thread on squid-dev. This is a Measurement Factory project
---
 src/acl/FilledChecklist.cc |  5 +++++
 src/client_side.cc         | 10 ----------
 src/neighbors.cc           | 11 -----------
 3 files changed, 5 insertions(+), 21 deletions(-)

diff --git a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc
index 16d6f27660..5515debd73 100644
--- a/src/acl/FilledChecklist.cc
+++ b/src/acl/FilledChecklist.cc
@@ -110,6 +110,8 @@ ACLFilledChecklist::conn() const
 void
 ACLFilledChecklist::conn(ConnStateData *aConn)
 {
+    if (conn() == aConn)
+        return;
     assert (conn() == NULL);
     conn_ = cbdataReference(aConn);
 }
@@ -205,6 +207,9 @@ ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_re
 #endif /* FOLLOW_X_FORWARDED_FOR */
             src_addr = request->client_addr;
         my_addr = request->my_addr;
+
+        if (request->clientConnectionManager.valid())
+            conn(request->clientConnectionManager.get());
     }
 #if USE_IDENT
diff --git a/src/client_side.cc b/src/client_side.cc
index 14169ba4aa..9f375368a6 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
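Review bot: The new early return in `ACLFilledChecklist::conn(ConnStateData *)` makes re-attaching the same ConnStateData a no-op, but attaching a different one still reaches `assert (conn() == NULL)` and aborts the worker; now that the constructor attaches `request->clientConnectionManager` on every request-bearing checklist, any remaining caller that passes a different connection (a request re-associated with another client, or a stale pointer compared against a fresh one) becomes a crash rather than a refused swap. The setter carries no comment stating that contract, so I would add above `void`: `/// Attaches the client connection. A no-op if the same connection is already attached; attaching a different one is a caller bug and asserts.` Also, if `conn() const` (defined just above this hunk) reports NULL for a `conn_` whose cbdata has been invalidated, the assert passes and the old reference is overwritten without `cbdataReferenceDone`, so it may be worth releasing `conn_` before reassigning — please confirm against the getter.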
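Review bot: The added `if (request->clientConnectionManager.valid()) conn(...)` is what lets user_cert/ca_cert see the TLS peer in peer_cache_access decisions, but nothing in the hunk says what happens when the pointer is no longer valid (client already gone, internal or generated request): `conn_` stays NULL and those certificate ACLs simply do not match, which is the safe default for allow-lists but surprising for anyone writing `deny !cert_ok`-style rules. I would state it in a comment: `// Needed by connection-dependent ACLs (user_cert, ca_cert, ident). If the client is already gone, conn_ stays NULL and those ACLs do not match.` The surrounding `#endif /* FOLLOW_X_FORWARDED_FOR */` context suggests `src_addr` may be the indirect (X-Forwarded-For) client when that option is enabled, while the attached connection, and therefore the certificate, is the direct TLS peer; a one-line note that the two can describe different parties would help operators combining src and cert ACLs. The constructor starts and ends outside this hunk.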
@@ -3856,16 +3856,6 @@ clientAclChecklistCreate(const acl_access * acl, ClientHttpRequest * http)
      * the ident result on persistent connections...
      */
     /* connection oriented auth also needs these two lines for it's operation. */
-    /*
-     * Internal requests do not have a connection reference, because: A) their
-     * byte count may be transformed before being applied to an outbound
-     * connection B) they are internal - any limiting on them should be done on
-     * the server end.
-     */
-
-    if (conn != NULL)
-        ch->conn(conn); /* unreferenced in FilledCheckList.cc */
-
     return ch;
 }
diff --git a/src/neighbors.cc b/src/neighbors.cc
index cd98407319..ee3e961a37 100644
--- a/src/neighbors.cc
+++ b/src/neighbors.cc
@@ -194,17 +194,6 @@ peerAllowedToUse(const peer * p, HttpRequest * request)
     checklist.src_addr = request->client_addr;
     checklist.my_addr = request->my_addr;
-#if 0 && USE_IDENT
-    /*
-     * this is currently broken because 'request->user_ident' has been
-     * moved to conn->rfc931 and we don't have access to the parent
-     * ConnStateData here.
-     */
-    if (request->user_ident[0])
-        xstrncpy(checklist.rfc931, request->user_ident, USER_IDENT_SZ);
-
-#endif
-
     return (checklist.fastCheck() == ACCESS_ALLOWED);
 }
-- 
2.47.2
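Review bot: The surviving comment `/* connection oriented auth also needs these two lines for it's operation. */` now refers to the `if (conn != NULL) ch->conn(conn);` lines this hunk deletes, so it misleads the next reader; I would replace it with `/* The client connection is attached by ACLFilledChecklist's constructor from http->request->clientConnectionManager. */`. Behaviourally, the checklist previously received the connection from the `conn` local (set from `http->getConn()` above the hunk) regardless of the request, and now only receives it when `http->request` is non-NULL and its `clientConnectionManager` is still valid; if any caller reaches here with a NULL request but a live client connection, ident, certificate and other connection-dependent ACLs would silently evaluate with no connection attached, which is worth confirming against the call sites. The `conn` local may now be used only for the ident argument to the constructor, which is outside this view, so check that it does not become unused.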