Supply client connection and IDENT information to peer_cache_access ACL
check.
Among other things, this enables SSL client certificate ACL checks
(user_cert and ca_cert) when making peering decisions
Supply client connection and IDENT information to peer_cache_access ACL check.
Among other things, this enables SSL client certificate ACL checks (user_cert
and ca_cert) when making peering decisions.
=== modified file 'src/neighbors.cc'
--- src/neighbors.cc 2012-07-20 15:31:04 +0000
+++ src/neighbors.cc 2012-08-03 09:55:28 +0000
@@ -177,50 +177,48 @@
bool do_ping = false;
for (d = p->peer_domain; d; d = d->next) {
if (0 == matchDomainName(request->GetHost(), d->domain)) {
do_ping = d->do_ping;
break;
}
do_ping = !d->do_ping;
}
if (p->peer_domain && !do_ping)
return false;
if (p->access == NULL)
return do_ping;
ACLFilledChecklist checklist(p->access, request, NULL);
checklist.src_addr = request->client_addr;
checklist.my_addr = request->my_addr;
-#if 0 && USE_IDENT
- /*
- * this is currently broken because 'request->user_ident' has been
- * moved to conn->rfc931 and we don't have access to the parent
- * ConnStateData here.
- */
- if (request->user_ident[0])
- xstrncpy(checklist.rfc931, request->user_ident, USER_IDENT_SZ);
-
+ if (request->clientConnectionManager.valid()) {
+ checklist.conn(request->clientConnectionManager.get());
+#if USE_IDENT
+ if (request->clientConnectionManager->clientConnection != NULL
+ && request->clientConnectionManager->clientConnection->rfc931[0])
+ xstrncpy(checklist.rfc931, request->clientConnectionManager->clientConnection->rfc931, USER_IDENT_SZ);
#endif
+ }
return (checklist.fastCheck() == ACCESS_ALLOWED);
}
/* Return TRUE if it is okay to send an ICP request to this peer. */
static int
peerWouldBePinged(const peer * p, HttpRequest * request)
{
if (p->icp.port == 0)
return 0;
if (p->options.no_query)
return 0;
if (p->options.mcast_responder)
return 0;
if (p->n_addresses == 0)
return 0;
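Review bot: When `request->clientConnectionManager.valid()` is false, `checklist.fastCheck()` still runs with no connection attached and an empty `rfc931`, and the added block does not say what that means for peer_cache_access rules built on user_cert, ca_cert or ident. If such an ACL simply fails to match in that case (its handling is not visible in this hunk), a `deny` rule keyed on it would be skipped and the peer could be used for a request the administrator meant to exclude, so the missing-connection outcome should be confirmed and, if it fails open, denied explicitly. At minimum I would add a comment above the new `if`, for example `/* Without a client connection, cert and ident ACLs have no data to match; the result then depends on the remaining peer_cache_access rules. */`. The same gap exists when `clientConnection` is NULL or the ident lookup has not completed by the time this synchronous check runs. The enclosing function begins above the hunk, so any earlier handling of these cases is not visible here.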