On 10/08/2012 6:54 a.m., Tsantilas Christos wrote:
> Supply client connection and IDENT information to peer_cache_access ACL
> check.
>
> Among other things, this enables SSL client certificate ACL checks
> (user_cert and ca_cert) when making peering decisions
>
It would be better to do this inside the FilledChecklist constructor.
That way all other access lists which pass in HttpRequest can make use
of the details and we can remove duplicate code setting conn() elsewhere.
I expect there will be complications from duplicate code with the
assert() that conn_ is only set once. Or places needlessly sending in
ident detail pulled explicitly from the HttpRequest by the caller.
Cleaning those out and using the below would be a good improvement.
=== modified file 'src/acl/FilledChecklist.cc'
--- src/acl/FilledChecklist.cc 2012-06-28 18:26:44 +0000
+++ src/acl/FilledChecklist.cc 2012-08-10 01:43:58 +0000
@@ -184,11 +184,19 @@
#endif /* FOLLOW_X_FORWARDED_FOR */
src_addr = request->client_addr;
my_addr = request->my_addr;
+
+ if (request->clientConnectionManager.valid())
+ conn(request->clientConnectionManager.get());
}
#if USE_IDENT
if (ident)
xstrncpy(rfc931, ident, USER_IDENT_SZ);
+ else if (conn() != NULL) {
+ // client connection data may have been provided via HttpRequest
+ if (conn_->clientConnection != NULL &&
conn_->clientConnection->rfc931[0])
+ xstrncpy(rfc931, conn_->clientConnection->rfc931,
USER_IDENT_SZ);
+ }
#endif
}
Amos
Received on Fri Aug 10 2012 - 03:02:55 MDT
This archive was generated by hypermail 2.2.0 : Fri Aug 10 2012 - 12:00:04 MDT