Xaction.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 93 ICAP (RFC 3507) Client */
10 
11 #include "squid.h"
12 #include "acl/FilledChecklist.h"
13 #include "adaptation/icap/Config.h"
14 #include "adaptation/icap/Launcher.h"
15 #include "adaptation/icap/Xaction.h"
16 #include "base/AsyncCallbacks.h"
17 #include "base/IoManip.h"
18 #include "base/JobWait.h"
19 #include "base/TextException.h"
20 #include "comm.h"
21 #include "comm/Connection.h"
22 #include "comm/ConnOpener.h"
23 #include "comm/Read.h"
24 #include "comm/Write.h"
25 #include "CommCalls.h"
26 #include "error/Detail.h"
27 #include "fde.h"
28 #include "FwdState.h"
29 #include "globals.h"
30 #include "HttpReply.h"
31 #include "icap_log.h"
32 #include "ipcache.h"
33 #include "pconn.h"
34 #include "security/PeerConnector.h"
35 #include "SquidConfig.h"
36 
37 #include <optional>
38 
39 namespace Ssl
40 {
42 class IcapPeerConnector: public Security::PeerConnector {
43  CBDATA_CHILD(IcapPeerConnector);
44 public:
45  IcapPeerConnector(
46  Adaptation::Icap::ServiceRep::Pointer &service,
47  const Comm::ConnectionPointer &aServerConn,
48  const AsyncCallback<Security::EncryptorAnswer> &aCallback,
49  AccessLogEntry::Pointer const &alp,
50  const time_t timeout = 0):
51  AsyncJob("Ssl::IcapPeerConnector"),
52  Security::PeerConnector(aServerConn, aCallback, alp, timeout), icapService(service) {}
53 
54  /* Security::PeerConnector API */
55  bool initialize(Security::SessionPointer &) override;
56  void noteNegotiationDone(ErrorState *error) override;
57  Security::FuturePeerContext *peerContext() const override { return &icapService->tlsContext; }
58 
59 private:
60  /* Acl::ChecklistFiller API */
61  void fillChecklist(ACLFilledChecklist &) const override;
62 
63  Adaptation::Icap::ServiceRep::Pointer icapService;
64 };
65 } // namespace Ssl
66 
67 CBDATA_NAMESPACED_CLASS_INIT(Ssl, IcapPeerConnector);
68 
69 Adaptation::Icap::Xaction::Xaction(const char *aTypeName, Adaptation::Icap::ServiceRep::Pointer &aService):
70  AsyncJob(aTypeName),
71  Adaptation::Initiate(aTypeName),
72  icapRequest(nullptr),
73  icapReply(nullptr),
74  attempts(0),
75  theService(aService),
76  commEof(false),
77  reuseConnection(true),
78  isRetriable(true),
79  isRepeatable(true),
80  ignoreLastWrite(false),
81  waitingForDns(false),
82  alep(new AccessLogEntry),
83  al(*alep)
84 {
85  debugs(93,3, typeName << " constructed, this=" << this <<
86  " [icapx" << id << ']'); // we should not call virtual status() here
87  const auto mx = MasterXaction::MakePortless<XactionInitiator::initAdaptation>();
88  icapRequest = new HttpRequest(mx);
89  HTTPMSGLOCK(icapRequest);
90  icap_tr_start = current_time;
91  memset(&icap_tio_start, 0, sizeof(icap_tio_start));
92  memset(&icap_tio_finish, 0, sizeof(icap_tio_finish));
93 }
94 
95 Adaptation::Icap::Xaction::~Xaction()
96 {
97  debugs(93,3, typeName << " destructed, this=" << this <<
98  " [icapx" << id << ']'); // we should not call virtual status() here
99  HTTPMSGUNLOCK(icapRequest);
100 }
101 
102 AccessLogEntry::Pointer
103 Adaptation::Icap::Xaction::masterLogEntry()
104 {
105  AccessLogEntry::Pointer nil;
106  return nil;
107 }
108 
109 Adaptation::Icap::ServiceRep &
110 Adaptation::Icap::Xaction::service()
111 {
112  Must(theService != nullptr);
113  return *theService;
114 }
115 
116 void Adaptation::Icap::Xaction::disableRetries()
117 {
118  debugs(93,5, typeName << (isRetriable ? " from now on" : " still") <<
119  " cannot be retried " << status());
120  isRetriable = false;
121 }
122 
123 void Adaptation::Icap::Xaction::disableRepeats(const char *reason)
124 {
125  debugs(93,5, typeName << (isRepeatable ? " from now on" : " still") <<
126  " cannot be repeated because " << reason << status());
127  isRepeatable = false;
128 }
129 
130 void Adaptation::Icap::Xaction::start()
131 {
132  Adaptation::Initiate::start();
133 }
134 
135 // TODO: Make reusable by moving this (and the printing operator from
136 // ip/Address.h that this code is calling) into ip/print.h or similar.
137 namespace Ip {
138 
139 inline std::ostream &
140 operator <<(std::ostream &os, const std::optional<Address> &optional)
141 {
142  if (optional.has_value())
143  os << optional.value();
144  else
145  os << "[no IP]";
146  return os;
147 }
148 
149 }
150 
151 static void
152 icapLookupDnsResults(const ipcache_addrs *ia, const Dns::LookupDetails &, void *data)
153 {
154  Adaptation::Icap::Xaction *xa = static_cast<Adaptation::Icap::Xaction *>(data);
155  const auto &addr = ia ? std::optional<Ip::Address>(ia->current()) : std::optional<Ip::Address>();
156  CallJobHere1(93, 5, CbcPointer<Adaptation::Icap::Xaction>(xa), Adaptation::Icap::Xaction, dnsLookupDone, addr);
157 }
158 
159 // TODO: obey service-specific, OPTIONS-reported connection limit
160 void
161 Adaptation::Icap::Xaction::openConnection()
162 {
163  Must(!haveConnection());
164 
165  Adaptation::Icap::ServiceRep &s = service();
166 
167  if (!TheConfig.reuse_connections)
168  disableRetries(); // this will also safely drain pconn pool
169 
170  if (const auto pconn = s.getIdleConnection(isRetriable)) {
171  useTransportConnection(pconn);
172  return;
173  }
174 
175  disableRetries(); // we only retry pconn failures
176 
177  // Attempt to open a new connection...
178  debugs(93,3, typeName << " opens connection to " << s.cfg().host.termedBuf() << ":" << s.cfg().port);
179 
180  // Locate the Service IP(s) to open
181  assert(!waitingForDns);
182  waitingForDns = true; // before the possibly-synchronous ipcache_nbgethostbyname()
183  ipcache_nbgethostbyname(s.cfg().host.termedBuf(), icapLookupDnsResults, this);
184 }
185 
186 void
187 Adaptation::Icap::Xaction::dnsLookupDone(std::optional<Ip::Address> addr)
188 {
189  assert(waitingForDns);
190  waitingForDns = false;
191 
192  Adaptation::Icap::ServiceRep &s = service();
193 
194  if (!addr.has_value()) {
195  debugs(44, DBG_IMPORTANT, "ERROR: ICAP: Unknown service host: " << s.cfg().host);
196 
197 #if WHEN_IPCACHE_NBGETHOSTBYNAME_USES_ASYNC_CALLS
198  dieOnConnectionFailure(); // throws
199 #else // take a step back into protected Async call dialing.
200  CallJobHere(93, 3, this, Xaction, Xaction::dieOnConnectionFailure);
201 #endif
202  return;
203  }
204 
205  const Comm::ConnectionPointer conn = new Comm::Connection();
206  conn->remote = addr.value();
207  conn->remote.port(s.cfg().port);
208  getOutgoingAddress(nullptr, conn);
209 
210  // TODO: service bypass status may differ from that of a transaction
211  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommConnectCbParams> ConnectDialer;
212  AsyncCall::Pointer callback = JobCallback(93, 3, ConnectDialer, this, Adaptation::Icap::Xaction::noteCommConnected);
213  const auto cs = new Comm::ConnOpener(conn, callback, TheConfig.connect_timeout(service().cfg().bypass));
214  cs->setHost(s.cfg().host.termedBuf());
215  transportWait.start(cs, callback);
216 }
217 
218 void Adaptation::Icap::Xaction::closeConnection()
219 {
220  if (haveConnection()) {
221 
222  if (closer != nullptr) {
223  comm_remove_close_handler(connection->fd, closer);
224  closer = nullptr;
225  }
226 
227  commUnsetConnTimeout(connection);
228 
229  cancelRead(); // may not work
230 
231  if (reuseConnection && !doneWithIo()) {
232  //status() adds leading spaces.
233  debugs(93,5, "not reusing pconn due to pending I/O" << status());
234  reuseConnection = false;
235  }
236 
237  if (reuseConnection)
238  disableRetries();
239 
240  const bool reset = !reuseConnection &&
241  (al.icap.outcome == xoGone || al.icap.outcome == xoError);
242 
243  Adaptation::Icap::ServiceRep &s = service();
244  s.putConnection(connection, reuseConnection, reset, status());
245 
246  writer = nullptr;
247  reader = nullptr;
248  connection = nullptr;
249  }
250 }
251 
253 void Adaptation::Icap::Xaction::noteCommConnected(const CommConnectCbParams &io)
254 {
255  transportWait.finish();
256 
257  if (io.flag != Comm::OK) {
258  dieOnConnectionFailure(); // throws
259  return;
260  }
261 
262  useTransportConnection(io.conn);
263 }
264 
267 void
268 Adaptation::Icap::Xaction::useTransportConnection(const Comm::ConnectionPointer &conn)
269 {
270  assert(Comm::IsConnOpen(conn));
271  assert(!connection);
272 
273  // If it is a reused connection and the TLS object is built
274  // we should not negotiate new TLS session
275  const auto &ssl = fd_table[conn->fd].ssl;
276  if (!ssl && service().cfg().secure.encryptTransport) {
277  // XXX: Exceptions orphan conn.
278  const auto callback = asyncCallback(93, 4, Adaptation::Icap::Xaction::handleSecuredPeer, this);
279  const auto sslConnector = new Ssl::IcapPeerConnector(theService, conn, callback, masterLogEntry(), TheConfig.connect_timeout(service().cfg().bypass));
280 
281  encryptionWait.start(sslConnector, callback);
282  return;
283  }
284 
285  useIcapConnection(conn);
286 }
287 
289 void
290 Adaptation::Icap::Xaction::useIcapConnection(const Comm::ConnectionPointer &conn)
291 {
292  assert(!connection);
293  assert(conn);
294  assert(Comm::IsConnOpen(conn));
295  connection = conn;
296  service().noteConnectionUse(connection);
297 
298  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommCloseCbParams> CloseDialer;
299  closer = asyncCall(93, 5, "Adaptation::Icap::Xaction::noteCommClosed",
300  CloseDialer(this,&Adaptation::Icap::Xaction::noteCommClosed));
301  comm_add_close_handler(connection->fd, closer);
302 
303  startShoveling();
304 }
305 
306 void Adaptation::Icap::Xaction::dieOnConnectionFailure()
307 {
308  debugs(93, 2, typeName <<
309  " failed to connect to " << service().cfg().uri);
310  service().noteConnectionFailed("failure");
311  static const auto d = MakeNamedErrorDetail("ICAP_XACT_START");
312  detailError(d);
313  throw TexcHere("cannot connect to the ICAP service");
314 }
315 
316 void Adaptation::Icap::Xaction::scheduleWrite(MemBuf &buf)
317 {
318  Must(haveConnection());
319 
320  // comm module will free the buffer
321  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommIoCbParams> Dialer;
322  writer = JobCallback(93, 3,
323  Dialer, this, Adaptation::Icap::Xaction::noteCommWrote);
324 
325  Comm::Write(connection, &buf, writer);
326  updateTimeout();
327 }
328 
329 void Adaptation::Icap::Xaction::noteCommWrote(const CommIoCbParams &io)
330 {
331  Must(writer != nullptr);
332  writer = nullptr;
333 
334  if (ignoreLastWrite) {
335  // a hack due to comm inability to cancel a pending write
336  ignoreLastWrite = false;
337  debugs(93, 7, "ignoring last write; status: " << io.flag);
338  } else {
339  Must(io.flag == Comm::OK);
340  al.icap.bytesSent += io.size;
341  updateTimeout();
342  handleCommWrote(io.size);
343  }
344 }
345 
346 // communication timeout with the ICAP service
347 void Adaptation::Icap::Xaction::noteCommTimedout(const CommTimeoutCbParams &)
348 {
349  debugs(93, 2, typeName << " failed: timeout with " <<
350  theService->cfg().methodStr() << " " <<
351  theService->cfg().uri << status());
352  reuseConnection = false;
353  assert(haveConnection());
354  closeConnection();
355  throw TextException("timed out while talking to the ICAP service", Here());
356 }
357 
358 // unexpected connection close while talking to the ICAP service
359 void Adaptation::Icap::Xaction::noteCommClosed(const CommCloseCbParams &)
360 {
361  if (connection) {
362  connection->noteClosure();
363  connection = nullptr;
364  }
365  closer = nullptr;
366 
367  static const auto d = MakeNamedErrorDetail("ICAP_XACT_CLOSE");
368  detailError(d);
369  mustStop("ICAP service connection externally closed");
370 }
371 
372 void Adaptation::Icap::Xaction::callException(const std::exception &e)
373 {
374  setOutcome(xoError);
375  service().noteFailure();
376  Adaptation::Initiate::callException(e);
377 }
378 
379 void Adaptation::Icap::Xaction::callEnd()
380 {
381  if (doneWithIo()) {
382  debugs(93, 5, typeName << " done with I/O" << status());
383  closeConnection();
384  }
385  Adaptation::Initiate::callEnd(); // may destroy us
386 }
387 
388 bool Adaptation::Icap::Xaction::doneAll() const
389 {
390  return !waitingForDns && !transportWait && !encryptionWait &&
391  !reader && !writer &&
392  Adaptation::Initiate::doneAll();
393 }
394 
395 void Adaptation::Icap::Xaction::updateTimeout()
396 {
397  Must(haveConnection());
398 
399  if (reader != nullptr || writer != nullptr) {
400  // restart the timeout before each I/O
401  // XXX: why does Config.Timeout lacks a write timeout?
402  // TODO: service bypass status may differ from that of a transaction
403  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommTimeoutCbParams> TimeoutDialer;
404  AsyncCall::Pointer call = JobCallback(93, 5, TimeoutDialer, this, Adaptation::Icap::Xaction::noteCommTimedout);
405  commSetConnTimeout(connection, TheConfig.io_timeout(service().cfg().bypass), call);
406  } else {
407  // clear timeout when there is no I/O
408  // Do we need a lifetime timeout?
409  commUnsetConnTimeout(connection);
410  }
411 }
412 
413 void Adaptation::Icap::Xaction::scheduleRead()
414 {
415  Must(haveConnection());
416  Must(!reader);
417  Must(readBuf.length() < SQUID_TCP_SO_RCVBUF); // will expand later if needed
418 
419  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommIoCbParams> Dialer;
420  reader = JobCallback(93, 3, Dialer, this, Adaptation::Icap::Xaction::noteCommRead);
421  Comm::Read(connection, reader);
422  updateTimeout();
423 }
424 
425 // comm module read a portion of the ICAP response for us
426 void Adaptation::Icap::Xaction::noteCommRead(const CommIoCbParams &io)
427 {
428  Must(reader != nullptr);
429  reader = nullptr;
430 
431  Must(io.flag == Comm::OK);
432 
433  // TODO: tune this better to expected message sizes
434  readBuf.reserveCapacity(SQUID_TCP_SO_RCVBUF);
435  // we are not asked to grow beyond the allowed maximum
436  Must(readBuf.length() < SQUID_TCP_SO_RCVBUF);
437  // now we can ensure that there is space to read new data,
438  // even if readBuf.spaceSize() currently returns zero.
439  readBuf.rawAppendStart(1);
440 
441  CommIoCbParams rd(this); // will be expanded with ReadNow results
442  rd.conn = io.conn;
443  rd.size = SQUID_TCP_SO_RCVBUF - readBuf.length();
444 
445  switch (Comm::ReadNow(rd, readBuf)) {
446  case Comm::INPROGRESS:
447  if (readBuf.isEmpty())
448  debugs(33, 2, io.conn << ": no data to process, " << xstrerr(rd.xerrno));
449  scheduleRead();
450  return;
451 
452  case Comm::OK:
453  al.icap.bytesRead += rd.size;
454 
455  updateTimeout();
456 
457  debugs(93, 3, "read " << rd.size << " bytes");
458 
459  disableRetries(); // because pconn did not fail
460 
461  /* Continue to process previously read data */
462  break;
463 
464  case Comm::ENDFILE: // close detected by 0-byte read
465  commEof = true;
466  reuseConnection = false;
467 
468  // detect a pconn race condition: eof on the first pconn read
469  if (!al.icap.bytesRead && retriable()) {
470  setOutcome(xoRace);
471  mustStop("pconn race");
472  return;
473  }
474 
475  break;
476 
477  // case Comm::COMM_ERROR:
478  default: // no other flags should ever occur
479  debugs(11, 2, io.conn << ": read failure: " << xstrerr(rd.xerrno));
480  mustStop("unknown ICAP I/O read error");
481  return;
482  }
483 
484  handleCommRead(io.size);
485 }
486 
487 void Adaptation::Icap::Xaction::cancelRead()
488 {
489  if (reader != nullptr) {
490  Must(haveConnection());
491  Comm::ReadCancel(connection->fd, reader);
492  reader = nullptr;
493  }
494 }
495 
496 bool
497 Adaptation::Icap::Xaction::parseHttpMsg(Http::Message *msg)
498 {
499  debugs(93, 5, "have " << readBuf.length() << " head bytes to parse");
500 
501  Http::StatusCode error = Http::scNone;
502  // XXX: performance regression c_str() data copies
503  const char *buf = readBuf.c_str();
504  const bool parsed = msg->parse(buf, readBuf.length(), commEof, &error);
505  Must(parsed || !error); // success or need more data
506 
507  if (!parsed) { // need more data
508  Must(mayReadMore());
509  msg->reset();
510  return false;
511  }
512 
513  readBuf.consume(msg->hdr_sz);
514  return true;
515 }
516 
517 bool Adaptation::Icap::Xaction::mayReadMore() const
518 {
519  return !doneReading() && // will read more data
520  readBuf.length() < SQUID_TCP_SO_RCVBUF; // have space for more data
521 }
522 
523 bool Adaptation::Icap::Xaction::doneReading() const
524 {
525  return commEof;
526 }
527 
528 bool Adaptation::Icap::Xaction::doneWriting() const
529 {
530  return !writer;
531 }
532 
533 bool Adaptation::Icap::Xaction::doneWithIo() const
534 {
535  return haveConnection() &&
536  !transportWait && !reader && !writer && // fast checks, some redundant
537  doneReading() && doneWriting();
538 }
539 
540 bool Adaptation::Icap::Xaction::haveConnection() const
541 {
542  return connection != nullptr && connection->isOpen();
543 }
544 
545 // initiator aborted
546 void Adaptation::Icap::Xaction::noteInitiatorAborted()
547 {
548 
549  if (theInitiator.set()) {
550  debugs(93,4, "Initiator gone before ICAP transaction ended");
551  clearInitiator();
552  static const auto d = MakeNamedErrorDetail("ICAP_INIT_GONE");
553  detailError(d);
554  setOutcome(xoGone);
555  mustStop("initiator aborted");
556  }
557 
558 }
559 
560 void Adaptation::Icap::Xaction::setOutcome(const Adaptation::Icap::XactOutcome &xo)
561 {
562  if (al.icap.outcome != xoUnknown) {
563  debugs(93, 3, "WARNING: resetting outcome: from " << al.icap.outcome << " to " << xo);
564  } else {
565  debugs(93, 4, xo);
566  }
567  al.icap.outcome = xo;
568 }
569 
570 // This 'last chance' method is called before a 'done' transaction is deleted.
571 // It is wrong to call virtual methods from a destructor. Besides, this call
572 // indicates that the transaction will terminate as planned.
573 void Adaptation::Icap::Xaction::swanSong()
574 {
575  // kids should sing first and then call the parent method.
576  if (transportWait || encryptionWait) {
577  service().noteConnectionFailed("abort");
578  }
579 
580  closeConnection(); // TODO: rename because we do not always close
581 
582  readBuf.clear();
583 
584  tellQueryAborted();
585 
586  maybeLog();
587 
588  Adaptation::Initiate::swanSong();
589 }
590 
591 void Adaptation::Icap::Xaction::tellQueryAborted()
592 {
593  if (theInitiator.set()) {
594  Adaptation::Icap::XactAbortInfo abortInfo(icapRequest, icapReply.getRaw(),
595  retriable(), repeatable());
596  Launcher *launcher = dynamic_cast<Launcher*>(theInitiator.get());
597  // launcher may be nil if initiator is invalid
598  CallJobHere1(91,5, CbcPointer<Launcher>(launcher),
599  Launcher, noteXactAbort, abortInfo);
600  clearInitiator();
601  }
602 }
603 
604 void Adaptation::Icap::Xaction::maybeLog()
605 {
606  if (IcapLogfileStatus == LOG_ENABLE) {
607  finalizeLogInfo();
608  icapLogLog(alep);
609  }
610 }
611 
612 void Adaptation::Icap::Xaction::finalizeLogInfo()
613 {
614  //prepare log data
615  al.icp.opcode = ICP_INVALID;
616 
617  const Adaptation::Icap::ServiceRep &s = service();
618  al.icap.hostAddr = s.cfg().host.termedBuf();
619  al.icap.serviceName = s.cfg().key;
620  al.icap.reqUri = s.cfg().uri;
621 
622  tvSub(al.icap.ioTime, icap_tio_start, icap_tio_finish);
623  tvSub(al.icap.trTime, icap_tr_start, current_time);
624 
625  al.icap.request = icapRequest;
626  HTTPMSGLOCK(al.icap.request);
627  if (icapReply != nullptr) {
628  al.icap.reply = icapReply.getRaw();
629  HTTPMSGLOCK(al.icap.reply);
630  al.icap.resStatus = icapReply->sline.status();
631  }
632 }
633 
634 // returns a temporary string depicting transaction status, for debugging
635 const char *Adaptation::Icap::Xaction::status() const
636 {
637  static MemBuf buf;
638  buf.reset();
639  buf.append(" [", 2);
640  fillPendingStatus(buf);
641  buf.append("/", 1);
642  fillDoneStatus(buf);
643  buf.appendf(" %s%u]", id.prefix(), id.value);
644  buf.terminate();
645 
646  return buf.content();
647 }
648 
649 void Adaptation::Icap::Xaction::fillPendingStatus(MemBuf &buf) const
650 {
651  if (haveConnection()) {
652  buf.appendf("FD %d", connection->fd);
653 
654  if (writer != nullptr)
655  buf.append("w", 1);
656 
657  if (reader != nullptr)
658  buf.append("r", 1);
659 
660  buf.append(";", 1);
661  }
662 
663  if (waitingForDns)
664  buf.append("D", 1);
665 }
666 
667 void Adaptation::Icap::Xaction::fillDoneStatus(MemBuf &buf) const
668 {
669  if (haveConnection() && commEof)
670  buf.appendf("Comm(%d)", connection->fd);
671 
672  if (stopReason != nullptr)
673  buf.append("Stopped", 7);
674 }
675 
676 bool Adaptation::Icap::Xaction::fillVirginHttpHeader(MemBuf &) const
677 {
678  return false;
679 }
680 
681 bool
682 Ssl::IcapPeerConnector::initialize(Security::SessionPointer &serverSession)
683 {
684  if (!Security::PeerConnector::initialize(serverSession))
685  return false;
686 
687  assert(!icapService->cfg().secure.sslDomain.isEmpty());
688 #if USE_OPENSSL
689  SBuf *host = new SBuf(icapService->cfg().secure.sslDomain);
690  SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);
691  setClientSNI(serverSession.get(), host->c_str());
692 #endif
693 
694  Security::SetSessionResumeData(serverSession, icapService->sslSession);
695  return true;
696 }
697 
698 void
699 Ssl::IcapPeerConnector::fillChecklist(ACLFilledChecklist &checklist) const
700 {
701  Security::PeerConnector::fillChecklist(checklist);
702  if (checklist.dst_peer_name.isEmpty())
703  checklist.dst_peer_name = icapService->cfg().secure.sslDomain;
704 }
705 
706 void
707 Ssl::IcapPeerConnector::noteNegotiationDone(ErrorState *error)
708 {
709  if (error)
710  return;
711 
712  const int fd = serverConnection()->fd;
713  Security::MaybeGetSessionResumeData(fd_table[fd].ssl, icapService->sslSession);
714 }
715 
716 void
717 Adaptation::Icap::Xaction::handleSecuredPeer(Security::EncryptorAnswer &answer)
718 {
719  encryptionWait.finish();
720 
721  assert(!answer.tunneled);
722  if (answer.error.get()) {
723  assert(!answer.conn);
724  // TODO: Refactor dieOnConnectionFailure() to be usable here as well.
725  debugs(93, 2, typeName <<
726  " TLS negotiation to " << service().cfg().uri << " failed");
727  service().noteConnectionFailed("failure");
728  static const auto d = MakeNamedErrorDetail("ICAP_XACT_SSL_START");
729  detailError(d);
730  throw TexcHere("cannot connect to the TLS ICAP service");
731  }
732 
733  debugs(93, 5, "TLS negotiation to " << service().cfg().uri << " complete");
734 
735  assert(answer.conn);
736 
737  // The socket could get closed while our callback was queued. Sync
738  // Connection. XXX: Connection::fd may already be stale/invalid here.
739  if (answer.conn->isOpen() && fd_table[answer.conn->fd].closing()) {
740  answer.conn->noteClosure();
741  service().noteConnectionFailed("external TLS connection closure");
742  static const auto d = MakeNamedErrorDetail("ICAP_XACT_SSL_CLOSE");
743  detailError(d);
744  throw TexcHere("external closure of the TLS ICAP service connection");
745  }
746 
747  useIcapConnection(answer.conn);
748 }
749 
Comm::Read
void Read(const Comm::ConnectionPointer &conn, AsyncCall::Pointer &callback)
Definition: Read.cc:40
Http::Message::hdr_sz
int hdr_sz
Definition: Message.h:81
xstrerr
const char * xstrerr(int error)
Definition: xstrerror.cc:83
CbcPointer::get
Cbc * get() const
a temporary valid raw Cbc pointer or NULL
Definition: CbcPointer.h:159
comm_add_close_handler
AsyncCall::Pointer comm_add_close_handler(int fd, CLCB *handler, void *data)
Definition: comm.cc:952
Security::EncryptorAnswer::tunneled
bool tunneled
whether we spliced the connections instead of negotiating encryption
Definition: EncryptorAnswer.h:33
Adaptation::Icap::xoError
const XactOutcome xoError
all kinds of transaction errors
Definition: Elements.cc:21
Here
#define Here()
source code location of the caller
Definition: Here.h:15
commUnsetConnTimeout
void commUnsetConnTimeout(const Comm::ConnectionPointer &conn)
Definition: comm.cc:616
MemBuf::terminate
void terminate()
Definition: MemBuf.cc:241
Adaptation::Icap::operator<<
std::ostream & operator<<(std::ostream &os, const XactAbortInfo &xai)
Definition: Launcher.h:105
Packable::appendf
void appendf(const char *fmt,...) PRINTF_FORMAT_ARG2
Append operation with printf-style arguments.
Definition: Packable.h:61
Adaptation::Icap::Xaction::noteCommConnected
void noteCommConnected(const CommConnectCbParams &io)
called when the connection attempt to an ICAP service completes (successfully or not)
Definition: Xaction.cc:253
Http::Message
common parts of HttpRequest and HttpReply
Definition: Message.h:25
Ssl::IcapPeerConnector
A simple PeerConnector for Secure ICAP services. No SslBump capabilities.
Definition: Xaction.cc:42
Adaptation::Initiate::swanSong
void swanSong() override
Definition: Initiate.cc:62
Security::PeerConnector::initialize
virtual bool initialize(Security::SessionPointer &)
Definition: PeerConnector.cc:139
Ssl::IcapPeerConnector::CBDATA_CHILD
CBDATA_CHILD(IcapPeerConnector)
Security::MaybeGetSessionResumeData
void MaybeGetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &data)
Definition: Session.cc:226
Adaptation::Icap::Xaction::fillDoneStatus
virtual void fillDoneStatus(MemBuf &buf) const
Definition: Xaction.cc:667
Adaptation::Icap::TheConfig
Config TheConfig
Definition: Config.cc:19
Security::PeerConnector::PeerConnector
PeerConnector(const Comm::ConnectionPointer &aServerConn, const AsyncCallback< EncryptorAnswer > &, const AccessLogEntryPointer &alp, const time_t timeout=0)
Definition: PeerConnector.cc:40
AsyncJob::callEnd
virtual void callEnd()
called right after the called job method
Definition: AsyncJob.cc:152
Http::scNone
@ scNone
Definition: StatusCode.h:21
Adaptation::Icap::xoUnknown
const XactOutcome xoUnknown
initial value: outcome was not set
Definition: Elements.cc:18
SBuf::isEmpty
bool isEmpty() const
Definition: SBuf.h:435
Security::EncryptorAnswer::error
CbcPointer< ErrorState > error
problem details (nil on success)
Definition: EncryptorAnswer.h:30
Comm::ReadNow
Comm::Flag ReadNow(CommIoCbParams &params, SBuf &buf)
Definition: Read.cc:81
Adaptation::Icap::Xaction::Xaction
Xaction(const char *aTypeName, ServiceRep::Pointer &aService)
Definition: Xaction.cc:69
error
void error(char *format,...)
Comm::INPROGRESS
@ INPROGRESS
Definition: Flag.h:21
SBuf
Definition: SBuf.h:93
Adaptation::Icap::Xaction::service
ServiceRep & service()
Definition: Xaction.cc:110
Adaptation::Icap::Xaction::fillPendingStatus
virtual void fillPendingStatus(MemBuf &buf) const
Definition: Xaction.cc:649
Adaptation::Icap::Xaction::noteInitiatorAborted
void noteInitiatorAborted() override
Definition: Xaction.cc:546
Adaptation::Icap::Xaction::setOutcome
void setOutcome(const XactOutcome &xo)
Definition: Xaction.cc:560
LOG_ENABLE
#define LOG_ENABLE
Definition: defines.h:60
Adaptation::Icap::Xaction::useTransportConnection
void useTransportConnection(const Comm::ConnectionPointer &)
Definition: Xaction.cc:268
Comm::IsConnOpen
bool IsConnOpen(const Comm::ConnectionPointer &conn)
Definition: Connection.cc:27
Comm::OK
@ OK
Definition: Flag.h:16
Adaptation::Icap::Xaction::dnsLookupDone
void dnsLookupDone(std::optional< Ip::Address >)
Definition: Xaction.cc:187
Dns::CachedIps::current
const Ip::Address & current() const
Definition: ipcache.h:59
HTTPMSGUNLOCK
void HTTPMSGUNLOCK(M *&a)
Definition: Message.h:150
icapLookupDnsResults
static void icapLookupDnsResults(const ipcache_addrs *ia, const Dns::LookupDetails &, void *data)
Definition: Xaction.cc:152
Adaptation::Icap::Xaction::disableRepeats
void disableRepeats(const char *reason)
Definition: Xaction.cc:123
Comm::ENDFILE
@ ENDFILE
Definition: Flag.h:26
Security::FuturePeerContext
A combination of PeerOptions and the corresponding Context.
Definition: PeerOptions.h:154
Http::StatusCode
StatusCode
Definition: StatusCode.h:20
Adaptation::Icap::Xaction::haveConnection
bool haveConnection() const
Definition: Xaction.cc:540
CommCommonCbParams::xerrno
int xerrno
The last errno to occur. non-zero if flag is Comm::COMM_ERROR.
Definition: CommCalls.h:83
asyncCall
RefCount< AsyncCallT< Dialer > > asyncCall(int aDebugSection, int aDebugLevel, const char *aName, const Dialer &aDialer)
Definition: AsyncCall.h:156
icap_log.h
Adaptation::Icap::xoGone
const XactOutcome xoGone
initiator gone, will not continue
Definition: Elements.cc:19
Adaptation::Icap::Xaction::noteCommClosed
void noteCommClosed(const CommCloseCbParams &io)
Definition: Xaction.cc:359
Adaptation::Icap::Xaction::noteCommWrote
void noteCommWrote(const CommIoCbParams &io)
Definition: Xaction.cc:329
Adaptation::Icap::Config::connect_timeout
time_t connect_timeout(bool bypassable) const
Definition: Config.cc:41
TexcHere
#define TexcHere(msg)
legacy convenience macro; it is not difficult to type Here() now
Definition: TextException.h:63
Adaptation::Icap::xoRace
const XactOutcome xoRace
ICAP server closed pconn when we started.
Definition: Elements.cc:20
getOutgoingAddress
void getOutgoingAddress(HttpRequest *request, const Comm::ConnectionPointer &conn)
Definition: FwdState.cc:1481
Adaptation::Icap::Xaction::noteCommRead
void noteCommRead(const CommIoCbParams &io)
Definition: Xaction.cc:426
Comm::ReadCancel
void ReadCancel(int fd, AsyncCall::Pointer &callback)
Cancel the read pending on FD. No action if none pending.
Definition: Read.cc:219
ICP_INVALID
@ ICP_INVALID
Definition: icp_opcode.h:15
Security::EncryptorAnswer::conn
Comm::ConnectionPointer conn
peer connection (secured on success)
Definition: EncryptorAnswer.h:26
current_time
struct timeval current_time
the current UNIX time in timeval {seconds, microseconds} format
Definition: gadgets.cc:18
MemBuf::append
void append(const char *c, int sz) override
Definition: MemBuf.cc:209
AsyncJob::doneAll
virtual bool doneAll() const
whether positive goal has been reached
Definition: AsyncJob.cc:112
Adaptation::Icap::ServiceRep::getIdleConnection
Comm::ConnectionPointer getIdleConnection(bool isRetriable)
Definition: ServiceRep.cc:118
icapLogLog
void icapLogLog(AccessLogEntry::Pointer &al)
Definition: icap_log.cc:60
Ssl::IcapPeerConnector::icapService
Adaptation::Icap::ServiceRep::Pointer icapService
Definition: Xaction.cc:63
Ssl::IcapPeerConnector::noteNegotiationDone
void noteNegotiationDone(ErrorState *error) override
Definition: Xaction.cc:707
Adaptation::Icap::Xaction::start
void start() override
called by AsyncStart; do not call directly
Definition: Xaction.cc:130
Ip::Address::port
unsigned short port() const
Definition: Address.cc:798
MemBuf
Definition: MemBuf.h:23
ipcache_nbgethostbyname
void ipcache_nbgethostbyname(const char *name, IPH *handler, void *handlerData)
Definition: ipcache.cc:609
Adaptation::Icap::Xaction::status
const char * status() const override
internal cleanup; do not call directly
Definition: Xaction.cc:635
Ssl
Definition: Xaction.cc:39
Adaptation::Icap::Xaction::swanSong
void swanSong() override
Definition: Xaction.cc:573
Ssl::IcapPeerConnector::peerContext
Security::FuturePeerContext * peerContext() const override
Definition: Xaction.cc:57
Adaptation::Icap::Xaction::useIcapConnection
void useIcapConnection(const Comm::ConnectionPointer &)
react to the availability of a fully-ready ICAP connection
Definition: Xaction.cc:290
Adaptation::Icap::Xaction::fillVirginHttpHeader
virtual bool fillVirginHttpHeader(MemBuf &) const
Definition: Xaction.cc:676
CallJobHere
#define CallJobHere(debugSection, debugLevel, job, Class, method)
Definition: AsyncJobCalls.h:59
Adaptation::Icap::Xaction::doneWithIo
bool doneWithIo() const
Definition: Xaction.cc:533
CommCommonCbParams::conn
Comm::ConnectionPointer conn
Definition: CommCalls.h:80
Ssl::IcapPeerConnector::fillChecklist
void fillChecklist(ACLFilledChecklist &) const override
configure the given checklist (to reflect the current transaction state)
Definition: Xaction.cc:699
Comm::Connection::remote
Ip::Address remote
Definition: Connection.h:149
assert
#define assert(EX)
Definition: assert.h:17
Security::Connection
SSL Connection
Definition: Session.h:49
Ssl::IcapPeerConnector::IcapPeerConnector
IcapPeerConnector(Adaptation::Icap::ServiceRep::Pointer &service, const Comm::ConnectionPointer &aServerConn, const AsyncCallback< Security::EncryptorAnswer > &aCallback, AccessLogEntry::Pointer const &alp, const time_t timeout=0)
Definition: Xaction.cc:45
HTTPMSGLOCK
void HTTPMSGLOCK(Http::Message *a)
Definition: Message.h:161
CommCommonCbParams::flag
Comm::Flag flag
comm layer result status.
Definition: CommCalls.h:82
Adaptation::Icap::Xaction::icapRequest
HttpRequest * icapRequest
sent (or at least created) ICAP request
Definition: Xaction.h:63
Dns::LookupDetails
encapsulates DNS lookup results
Definition: LookupDetails.h:22
JobCallback
#define JobCallback(dbgSection, dbgLevel, Dialer, job, method)
Convenience macro to create a Dialer-based job callback.
Definition: AsyncJobCalls.h:70
Ssl::IcapPeerConnector::initialize
bool initialize(Security::SessionPointer &) override
Definition: Xaction.cc:682
SBuf::c_str
const char * c_str()
Definition: SBuf.cc:516
Comm::Write
void Write(const Comm::ConnectionPointer &conn, const char *buf, int size, AsyncCall::Pointer &callback, FREE *free_func)
Definition: Write.cc:33
IcapLogfileStatus
int IcapLogfileStatus
Definition: icap_log.cc:20
asyncCallback
#define asyncCallback(dbgSection, dbgLevel, method, object)
Definition: AsyncCallbacks.h:195
CBDATA_NAMESPACED_CLASS_INIT
CBDATA_NAMESPACED_CLASS_INIT(Ssl, IcapPeerConnector)
AsyncJob::typeName
const char * typeName
kid (leaf) class name, for debugging
Definition: AsyncJob.h:85
Adaptation::Icap::Config::io_timeout
time_t io_timeout(bool bypassable) const
Definition: Config.cc:49
Http::Message::reset
virtual void reset()=0
Ip
Definition: Xaction.cc:137
ssl_ex_index_server
int ssl_ex_index_server
Adaptation::Icap::Xaction::callException
void callException(const std::exception &e) override
called when the job throws during an async call
Definition: Xaction.cc:372
fd_table
#define fd_table
Definition: fde.h:189
Adaptation::Icap::Xaction::mayReadMore
bool mayReadMore() const
Definition: Xaction.cc:517
Adaptation::Icap::Xaction::finalizeLogInfo
virtual void finalizeLogInfo()
Definition: Xaction.cc:612
Security::SessionPointer
std::shared_ptr< SSL > SessionPointer
Definition: Session.h:53
commSetConnTimeout
void commSetConnTimeout(const Comm::ConnectionPointer &conn, time_t timeout, AsyncCall::Pointer &callback)
Definition: comm.cc:592
String::termedBuf
const char * termedBuf() const
Definition: SquidString.h:92
Adaptation::Icap::XactOutcome
const typedef char * XactOutcome
transaction result for logging
Definition: Elements.h:39
Adaptation::Icap::Xaction::handleSecuredPeer
void handleSecuredPeer(Security::EncryptorAnswer &answer)
Definition: Xaction.cc:717
TextException
an std::runtime_error with thrower location info
Definition: TextException.h:20
MemBuf::content
char * content()
start of the added data
Definition: MemBuf.h:41
Security::PeerConnector::fillChecklist
void fillChecklist(ACLFilledChecklist &) const override
configure the given checklist (to reflect the current transaction state)
Definition: PeerConnector.cc:91
AsyncJob::start
virtual void start()
called by AsyncStart; do not call directly
Definition: AsyncJob.cc:59
Must
#define Must(condition)
Definition: TextException.h:75
Adaptation::Icap::Xaction::callEnd
void callEnd() override
called right after the called job method
Definition: Xaction.cc:379
DBG_IMPORTANT
#define DBG_IMPORTANT
Definition: Stream.h:38
MemBuf::reset
void reset()
Definition: MemBuf.cc:129
Adaptation::Icap::Xaction::doneAll
bool doneAll() const override
whether positive goal has been reached
Definition: Xaction.cc:388
Adaptation::Icap::Xaction::noteCommTimedout
void noteCommTimedout(const CommTimeoutCbParams &io)
Definition: Xaction.cc:347
Comm::Connection::isOpen
bool isOpen() const
Definition: Connection.h:101
Adaptation::Service::cfg
const ServiceConfig & cfg() const
Definition: Service.h:51
Adaptation::Icap::Xaction::scheduleWrite
void scheduleWrite(MemBuf &buf)
Definition: Xaction.cc:316
AsyncJob::callException
virtual void callException(const std::exception &e)
called when the job throws during an async call
Definition: AsyncJob.cc:143
Security
Network/connection security abstraction layer.
Definition: Connection.h:33
debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:192
Adaptation::Icap::Xaction::masterLogEntry
virtual AccessLogEntry::Pointer masterLogEntry()
Definition: Xaction.cc:103
comm_remove_close_handler
void comm_remove_close_handler(int fd, CLCB *handler, void *data)
Definition: comm.cc:981
Adaptation::Icap::Xaction::doneReading
virtual bool doneReading() const
Definition: Xaction.cc:523
Ssl::setClientSNI
void setClientSNI(SSL *ssl, const char *fqdn)
Definition: support.cc:1161
tvSub
void tvSub(struct timeval &res, struct timeval const &t1, struct timeval const &t2)
Definition: gadgets.cc:58
Adaptation::Icap::Xaction::parseHttpMsg
bool parseHttpMsg(Http::Message *msg)
Definition: Xaction.cc:497
MakeNamedErrorDetail
ErrorDetail::Pointer MakeNamedErrorDetail(const char *name)
Definition: Detail.cc:54
Adaptation::Icap::Xaction::doneWriting
virtual bool doneWriting() const
Definition: Xaction.cc:528
Security::SetSessionResumeData
void SetSessionResumeData(const Security::SessionPointer &, const Security::SessionStatePointer &)
Definition: Session.cc:247
CallJobHere1
#define CallJobHere1(debugSection, debugLevel, job, Class, method, arg1)
Definition: AsyncJobCalls.h:64
Http::Message::parse
bool parse(const char *buf, const size_t sz, bool eol, Http::StatusCode *error)
Definition: Message.cc:68

 

Introduction

Documentation

Support

Miscellaneous