From 8bab93bda26c17b8cbc9706bafd26baaecd80ffe Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Sat, 13 Feb 2010 01:29:17 +1300
Subject: [PATCH] Add adapted_http_access option. Port of http_access2 from Squid-2
---
doc/release-notes/release-3.1.sgml | 10 +++++++---
src/ClientRequestContext.h | 4 ++--
src/cf.data.depend | 2 +-
src/cf.data.pre | 14 ++++++++++++++
src/client_side_request.cc | 24 ++++++++++++++++++++++++
src/structs.h | 1 +
6 files changed, 49 insertions(+), 6 deletions(-)
diff --git a/doc/release-notes/release-3.1.sgml b/doc/release-notes/release-3.1.sgml
index 1e0dab420b..11d9b82e84 100644
--- a/doc/release-notes/release-3.1.sgml
+++ b/doc/release-notes/release-3.1.sgml
@@ -475,6 +475,10 @@ This section gives a thorough account of those changes in three categories: matters.
+ adapted_http_access +

New name for http_access2. This form includes access control + of ICAP and eCAP adaptations as well as the URL-rewriter alterations. + chunked_request_body_max_size

New option to enable handing of broken HTTP/1.1 clients sending chunk requests.
@@ -1437,6 +1441,9 @@ This section gives an account of those changes in three categories: header_access

Replaced by request_header_access and reply_header_access + http_access2 +

Replaced by adapted_http_access + http_port

no-connection-auth replaced by connection-auth=[on|off]. Default is ON.

transparent option replaced by intercept
@@ -1589,9 +1596,6 @@ This section gives an account of those changes in three categories: external_refresh_check

Not yet ported from 2.7 - http_access2 -

Not yet ported from 2.6 - http_port

act-as-origin not yet ported from 2.7

http11 not yet ported from 2.7
diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h
index 430ac8319d..0b4dad40a1 100644
--- a/src/ClientRequestContext.h
+++ b/src/ClientRequestContext.h
@@ -26,6 +26,7 @@ public:
 bool httpStateIsValid();
 void clientAccessCheck();
+ void clientAccessCheck2();
 void clientAccessCheckDone(int answer);
 void clientRedirectStart();
 void clientRedirectDone(char *result);
@@ -42,11 +43,10 @@ public:
 int redirect_state;
 bool http_access_done;
+ bool adapted_http_access_done;
 #if USE_ADAPTATION
- bool adaptation_acl_check_done;
 #endif
- bool redirect_done;
 bool no_cache_done;
 bool interpreted_req_hdrs;
diff --git a/src/cf.data.depend b/src/cf.data.depend
index 54b54ae8d5..29dfb3b716 100644
--- a/src/cf.data.depend
+++ b/src/cf.data.depend
@@ -21,7 +21,7 @@ eol
 externalAclHelper auth_param
 hostdomain cache_peer
 hostdomaintype cache_peer
-http_header_access
+http_header_access acl
 http_header_replace
 http_port_list
 https_port_list
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 2b28fb76c7..5895af2f54 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -872,6 +872,20 @@ http_access deny all
 NOCOMMENT_END
 DOC_END
+NAME: adapted_http_access http_access2
+TYPE: acl_access
+LOC: Config.accessList.adapted_http
+DEFAULT: none
+DOC_START
+ Allowing or Denying access based on defined access lists
+
+ Essentially identical to http_access, but runs after redirectors
+ and ICAP/eCAP adaptation. Allowing access control based on their
+ output.
+
+ If not set then only http_access is used.
+DOC_END
+
 NAME: http_reply_access
 TYPE: acl_access
 LOC: Config.accessList.reply
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index afe80fe0d7..c65627a279 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
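Review bot: The new `adapted_http_access_done` member has no initializer in this hunk and no constructor change anywhere in the patch — the diffstat's 24 insertions in client_side_request.cc are fully accounted for by the two code hunks below (17 + 7) — so unless the ClientRequestContext constructor or its allocator already zeroes the object, `doCallouts()` reads an indeterminate flag, and a stray true value silently skips the adapted_http_access check, i.e. an access control that fails open. Set it explicitly wherever `http_access_done` is initialized (the constructor is outside this hunk), e.g. `adapted_http_access_done = false;`, or give it a default initializer here if the file's style permits. The `-`-marked lines in this hunk are ambiguous in this rendering (they may be removed blank lines rather than removed members); if `adaptation_acl_check_done` really is dropped, the `#if USE_ADAPTATION`/`#endif` pair becomes empty and should go too. The enclosing class begins and ends outside the hunk.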
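Review bot: The `http_header_access acl` dependency change is unrelated to the new directive and is not mentioned in the commit message, so the fix is invisible in history; either call it out in the description or move it to its own commit. No cf.data.depend entry is added for adapted_http_access itself, which is correct only if the `acl_access` type already carries the acl dependency — that line is outside the hunk, so worth confirming.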
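Review bot: The DOC_START text never says how this list relates to http_access or what a configured list does when no line matches, which is exactly what an administrator needs before relying on it as a control; "Allowing access control based on their output." is also a sentence fragment. Replace that fragment with `This allows access control based on their output.` and add `Requests must still pass http_access first; this list is an additional check on the request as rewritten by redirectors and adaptation.` The no-match default should be stated explicitly as well (presumably the same last-line inversion documented for http_access — confirm before writing it), since a denial here happens after the request has already been adapted and possibly rewritten.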
@@ -527,6 +527,23 @@ ClientRequestContext::clientAccessCheck()
 }
 }
+/**
+ * Identical in operation to clientAccessCheck() but performed later using different configured ACL list.
+ * The default here is to allow all. Since the earlier http_access should do a default deny all.
+ * This check is just for a last-minute denial based on adapted request headers.
+ */
+void
+ClientRequestContext::clientAccessCheck2()
+{
+ if (Config.accessList.adapted_http) {
+ acl_checklist = clientAclChecklistCreate(Config.accessList.adapted_http, http);
+ acl_checklist->nonBlockingCheck(clientAccessCheckDoneWrapper, this);
+ } else {
+ debugs(85, 2, HERE << "No adapted_http_access configuration.");
+ clientAccessCheckDone(ACCESS_ALLOWED);
+ }
+}
+
 void clientAccessCheckDoneWrapper(int answer, void *data) {
@@ -1276,6 +1293,13 @@ ClientHttpRequest::doCallouts()
 }
 }
+ if (!calloutContext->adapted_http_access_done) {
+ debugs(83, 3, HERE << "Doing calloutContext->clientAccessCheck2()");
+ calloutContext->adapted_http_access_done = true;
+ calloutContext->clientAccessCheck2();
+ return;
+ }
+
 if (!calloutContext->interpreted_req_hdrs) {
 debugs(83, 3, HERE << "Doing clientInterpretRequestHeaders()");
 calloutContext->interpreted_req_hdrs = 1;
diff --git a/src/structs.h b/src/structs.h
index 45476904ea..56cf55659e 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -454,6 +454,7 @@ struct SquidConfig {
 struct {
 acl_access *http;
+ acl_access *adapted_http;
 acl_access *icp;
 acl_access *miss;
 acl_access *NeverDirect;
-- 2.47.3
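Review bot: The header comment's "The default here is to allow all" describes only the unconfigured branch (`clientAccessCheckDone(ACCESS_ALLOWED)`); once a list is configured the outcome for a request matching no rule is whatever the acl_access evaluation yields, so the comment misstates the configured case, and "Since the earlier http_access should do a default deny all" is a hope about the admin's config rather than a property of this code. Suggest `Runs adapted_http_access (if configured) against the request as rewritten by redirectors/adaptation; with no list configured the request is allowed.` followed by `A configured list is evaluated exactly like http_access, including its no-match outcome.` Separately, `debugs(85, 2, ...)` logs for every request on installations without the directive while the callout traces in this file use level 3; level 3 would keep level-2 logs useful.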
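Review bot: Nothing in the new block records why the adapted check sits at this point in the callout chain, and the steps before and after it are outside the hunk, so a reader cannot verify from here that it really runs after the redirector and adaptation callouts that the directive's documentation promises. Add a comment before the `if`, e.g. `// adapted_http_access: second ACL pass over the request as rewritten by redirectors/adaptation; must stay after those callouts`, so a later reordering of doCallouts() does not silently turn the check into a pre-adaptation one. doCallouts() begins and ends outside the hunk.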