Xaction.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 93 ICAP (RFC 3507) Client */
10 
11 #include "squid.h"
12 #include "acl/FilledChecklist.h"
13 #include "adaptation/icap/Config.h"
14 #include "adaptation/icap/Launcher.h"
15 #include "adaptation/icap/Xaction.h"
16 #include "base/JobWait.h"
17 #include "base/TextException.h"
18 #include "comm.h"
19 #include "comm/Connection.h"
20 #include "comm/ConnOpener.h"
21 #include "comm/Read.h"
22 #include "comm/Write.h"
23 #include "CommCalls.h"
24 #include "error/Detail.h"
25 #include "fde.h"
26 #include "FwdState.h"
27 #include "globals.h"
28 #include "HttpReply.h"
29 #include "icap_log.h"
30 #include "ipcache.h"
31 #include "pconn.h"
32 #include "security/PeerConnector.h"
33 #include "SquidConfig.h"
34 
36 class MyIcapAnswerDialer: public UnaryMemFunT<Adaptation::Icap::Xaction, Security::EncryptorAnswer, Security::EncryptorAnswer&>,
37  public Security::PeerConnector::CbDialer
38 {
39 public:
40  MyIcapAnswerDialer(const JobPointer &aJob, Method aMethod):
41  UnaryMemFunT<Adaptation::Icap::Xaction, Security::EncryptorAnswer, Security::EncryptorAnswer&>(aJob, aMethod, Security::EncryptorAnswer()) {}
42 
43  /* Security::PeerConnector::CbDialer API */
44  virtual Security::EncryptorAnswer &answer() { return arg1; }
45 };
46 
47 namespace Ssl
48 {
50 class IcapPeerConnector: public Security::PeerConnector {
51  CBDATA_CLASS(IcapPeerConnector);
52 public:
53  IcapPeerConnector(
54  Adaptation::Icap::ServiceRep::Pointer &service,
55  const Comm::ConnectionPointer &aServerConn,
56  AsyncCall::Pointer &aCallback,
57  AccessLogEntry::Pointer const &alp,
58  const time_t timeout = 0):
59  AsyncJob("Ssl::IcapPeerConnector"),
60  Security::PeerConnector(aServerConn, aCallback, alp, timeout), icapService(service) {}
61 
62  /* Security::PeerConnector API */
63  virtual bool initialize(Security::SessionPointer &);
64  virtual void noteNegotiationDone(ErrorState *error);
65  virtual Security::ContextPointer getTlsContext() {
66  return icapService->sslContext;
67  }
68 
69 private:
70  /* Acl::ChecklistFiller API */
71  virtual void fillChecklist(ACLFilledChecklist &) const;
72 
73  Adaptation::Icap::ServiceRep::Pointer icapService;
74 };
75 } // namespace Ssl
76 
77 CBDATA_NAMESPACED_CLASS_INIT(Ssl, IcapPeerConnector);
78 
79 Adaptation::Icap::Xaction::Xaction(const char *aTypeName, Adaptation::Icap::ServiceRep::Pointer &aService):
80  AsyncJob(aTypeName),
81  Adaptation::Initiate(aTypeName),
82  icapRequest(NULL),
83  icapReply(NULL),
84  attempts(0),
85  theService(aService),
86  commEof(false),
87  reuseConnection(true),
88  isRetriable(true),
89  isRepeatable(true),
90  ignoreLastWrite(false),
91  waitingForDns(false),
92  alep(new AccessLogEntry),
93  al(*alep)
94 {
95  debugs(93,3, typeName << " constructed, this=" << this <<
96  " [icapx" << id << ']'); // we should not call virtual status() here
97  const auto mx = MasterXaction::MakePortless<XactionInitiator::initAdaptation>();
98  icapRequest = new HttpRequest(mx);
99  HTTPMSGLOCK(icapRequest);
100  icap_tr_start = current_time;
101  memset(&icap_tio_start, 0, sizeof(icap_tio_start));
102  memset(&icap_tio_finish, 0, sizeof(icap_tio_finish));
103 }
104 
105 Adaptation::Icap::Xaction::~Xaction()
106 {
107  debugs(93,3, typeName << " destructed, this=" << this <<
108  " [icapx" << id << ']'); // we should not call virtual status() here
109  HTTPMSGUNLOCK(icapRequest);
110 }
111 
112 AccessLogEntry::Pointer
113 Adaptation::Icap::Xaction::masterLogEntry()
114 {
115  AccessLogEntry::Pointer nil;
116  return nil;
117 }
118 
119 Adaptation::Icap::ServiceRep &
120 Adaptation::Icap::Xaction::service()
121 {
122  Must(theService != NULL);
123  return *theService;
124 }
125 
126 void Adaptation::Icap::Xaction::disableRetries()
127 {
128  debugs(93,5, typeName << (isRetriable ? " from now on" : " still") <<
129  " cannot be retried " << status());
130  isRetriable = false;
131 }
132 
133 void Adaptation::Icap::Xaction::disableRepeats(const char *reason)
134 {
135  debugs(93,5, typeName << (isRepeatable ? " from now on" : " still") <<
136  " cannot be repeated because " << reason << status());
137  isRepeatable = false;
138 }
139 
140 void Adaptation::Icap::Xaction::start()
141 {
142  Adaptation::Initiate::start();
143 }
144 
145 static void
146 icapLookupDnsResults(const ipcache_addrs *ia, const Dns::LookupDetails &, void *data)
147 {
148  Adaptation::Icap::Xaction *xa = static_cast<Adaptation::Icap::Xaction *>(data);
151  xa->dnsLookupDone(ia);
152 }
153 
154 // TODO: obey service-specific, OPTIONS-reported connection limit
155 void
156 Adaptation::Icap::Xaction::openConnection()
157 {
158  Must(!haveConnection());
159 
160  Adaptation::Icap::ServiceRep &s = service();
161 
162  if (!TheConfig.reuse_connections)
163  disableRetries(); // this will also safely drain pconn pool
164 
165  if (const auto pconn = s.getIdleConnection(isRetriable)) {
166  useTransportConnection(pconn);
167  return;
168  }
169 
170  disableRetries(); // we only retry pconn failures
171 
172  // Attempt to open a new connection...
173  debugs(93,3, typeName << " opens connection to " << s.cfg().host.termedBuf() << ":" << s.cfg().port);
174 
175  // Locate the Service IP(s) to open
176  assert(!waitingForDns);
177  waitingForDns = true; // before the possibly-synchronous ipcache_nbgethostbyname()
178  ipcache_nbgethostbyname(s.cfg().host.termedBuf(), icapLookupDnsResults, this);
179 }
180 
181 void
182 Adaptation::Icap::Xaction::dnsLookupDone(const ipcache_addrs *ia)
183 {
184  assert(waitingForDns);
185  waitingForDns = false;
186 
187  Adaptation::Icap::ServiceRep &s = service();
188 
189  if (ia == NULL) {
190  debugs(44, DBG_IMPORTANT, "ERROR: ICAP: Unknown service host: " << s.cfg().host);
191 
192 #if WHEN_IPCACHE_NBGETHOSTBYNAME_USES_ASYNC_CALLS
193  dieOnConnectionFailure(); // throws
194 #else // take a step back into protected Async call dialing.
195  CallJobHere(93, 3, this, Xaction, Xaction::dieOnConnectionFailure);
196 #endif
197  return;
198  }
199 
200  const Comm::ConnectionPointer conn = new Comm::Connection();
201  conn->remote = ia->current();
202  conn->remote.port(s.cfg().port);
203  getOutgoingAddress(nullptr, conn);
204 
205  // TODO: service bypass status may differ from that of a transaction
206  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommConnectCbParams> ConnectDialer;
207  AsyncCall::Pointer callback = JobCallback(93, 3, ConnectDialer, this, Adaptation::Icap::Xaction::noteCommConnected);
208  const auto cs = new Comm::ConnOpener(conn, callback, TheConfig.connect_timeout(service().cfg().bypass));
209  cs->setHost(s.cfg().host.termedBuf());
210  transportWait.start(cs, callback);
211 }
212 
213 void Adaptation::Icap::Xaction::closeConnection()
214 {
215  if (haveConnection()) {
216 
217  if (closer != NULL) {
218  comm_remove_close_handler(connection->fd, closer);
219  closer = NULL;
220  }
221 
222  commUnsetConnTimeout(connection);
223 
224  cancelRead(); // may not work
225 
226  if (reuseConnection && !doneWithIo()) {
227  //status() adds leading spaces.
228  debugs(93,5, "not reusing pconn due to pending I/O" << status());
229  reuseConnection = false;
230  }
231 
232  if (reuseConnection)
233  disableRetries();
234 
235  const bool reset = !reuseConnection &&
236  (al.icap.outcome == xoGone || al.icap.outcome == xoError);
237 
238  Adaptation::Icap::ServiceRep &s = service();
239  s.putConnection(connection, reuseConnection, reset, status());
240 
241  writer = NULL;
242  reader = NULL;
243  connection = NULL;
244  }
245 }
246 
248 void Adaptation::Icap::Xaction::noteCommConnected(const CommConnectCbParams &io)
249 {
250  transportWait.finish();
251 
252  if (io.flag != Comm::OK) {
253  dieOnConnectionFailure(); // throws
254  return;
255  }
256 
257  useTransportConnection(io.conn);
258 }
259 
262 void
263 Adaptation::Icap::Xaction::useTransportConnection(const Comm::ConnectionPointer &conn)
264 {
265  assert(Comm::IsConnOpen(conn));
266  assert(!connection);
267 
268  // If it is a reused connection and the TLS object is built
269  // we should not negotiate new TLS session
270  const auto &ssl = fd_table[conn->fd].ssl;
271  if (!ssl && service().cfg().secure.encryptTransport) {
272  // XXX: Exceptions orphan conn.
273  CbcPointer<Adaptation::Icap::Xaction> me(this);
274  AsyncCall::Pointer callback = asyncCall(93, 4, "Adaptation::Icap::Xaction::handleSecuredPeer",
275  MyIcapAnswerDialer(me, &Adaptation::Icap::Xaction::handleSecuredPeer));
276 
277  const auto sslConnector = new Ssl::IcapPeerConnector(theService, conn, callback, masterLogEntry(), TheConfig.connect_timeout(service().cfg().bypass));
278 
279  encryptionWait.start(sslConnector, callback);
280  return;
281  }
282 
283  useIcapConnection(conn);
284 }
285 
287 void
288 Adaptation::Icap::Xaction::useIcapConnection(const Comm::ConnectionPointer &conn)
289 {
290  assert(!connection);
291  assert(conn);
292  assert(Comm::IsConnOpen(conn));
293  connection = conn;
294  service().noteConnectionUse(connection);
295 
296  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommCloseCbParams> CloseDialer;
297  closer = asyncCall(93, 5, "Adaptation::Icap::Xaction::noteCommClosed",
298  CloseDialer(this,&Adaptation::Icap::Xaction::noteCommClosed));
299  comm_add_close_handler(connection->fd, closer);
300 
301  startShoveling();
302 }
303 
304 void Adaptation::Icap::Xaction::dieOnConnectionFailure()
305 {
306  debugs(93, 2, typeName <<
307  " failed to connect to " << service().cfg().uri);
308  service().noteConnectionFailed("failure");
309  static const auto d = MakeNamedErrorDetail("ICAP_XACT_START");
310  detailError(d);
311  throw TexcHere("cannot connect to the ICAP service");
312 }
313 
314 void Adaptation::Icap::Xaction::scheduleWrite(MemBuf &buf)
315 {
316  Must(haveConnection());
317 
318  // comm module will free the buffer
319  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommIoCbParams> Dialer;
320  writer = JobCallback(93, 3,
321  Dialer, this, Adaptation::Icap::Xaction::noteCommWrote);
322 
323  Comm::Write(connection, &buf, writer);
324  updateTimeout();
325 }
326 
327 void Adaptation::Icap::Xaction::noteCommWrote(const CommIoCbParams &io)
328 {
329  Must(writer != NULL);
330  writer = NULL;
331 
332  if (ignoreLastWrite) {
333  // a hack due to comm inability to cancel a pending write
334  ignoreLastWrite = false;
335  debugs(93, 7, "ignoring last write; status: " << io.flag);
336  } else {
337  Must(io.flag == Comm::OK);
338  al.icap.bytesSent += io.size;
339  updateTimeout();
340  handleCommWrote(io.size);
341  }
342 }
343 
344 // communication timeout with the ICAP service
345 void Adaptation::Icap::Xaction::noteCommTimedout(const CommTimeoutCbParams &)
346 {
347  debugs(93, 2, typeName << " failed: timeout with " <<
348  theService->cfg().methodStr() << " " <<
349  theService->cfg().uri << status());
350  reuseConnection = false;
351  assert(haveConnection());
352  closeConnection();
353  throw TextException("timed out while talking to the ICAP service", Here());
354 }
355 
356 // unexpected connection close while talking to the ICAP service
357 void Adaptation::Icap::Xaction::noteCommClosed(const CommCloseCbParams &)
358 {
359  if (connection) {
360  connection->noteClosure();
361  connection = nullptr;
362  }
363  closer = NULL;
364 
365  static const auto d = MakeNamedErrorDetail("ICAP_XACT_CLOSE");
366  detailError(d);
367  mustStop("ICAP service connection externally closed");
368 }
369 
370 void Adaptation::Icap::Xaction::callException(const std::exception &e)
371 {
372  setOutcome(xoError);
373  service().noteFailure();
374  Adaptation::Initiate::callException(e);
375 }
376 
377 void Adaptation::Icap::Xaction::callEnd()
378 {
379  if (doneWithIo()) {
380  debugs(93, 5, typeName << " done with I/O" << status());
381  closeConnection();
382  }
383  Adaptation::Initiate::callEnd(); // may destroy us
384 }
385 
386 bool Adaptation::Icap::Xaction::doneAll() const
387 {
388  return !waitingForDns && !transportWait && !encryptionWait &&
389  !reader && !writer &&
390  Adaptation::Initiate::doneAll();
391 }
392 
393 void Adaptation::Icap::Xaction::updateTimeout()
394 {
395  Must(haveConnection());
396 
397  if (reader != NULL || writer != NULL) {
398  // restart the timeout before each I/O
399  // XXX: why does Config.Timeout lacks a write timeout?
400  // TODO: service bypass status may differ from that of a transaction
401  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommTimeoutCbParams> TimeoutDialer;
402  AsyncCall::Pointer call = JobCallback(93, 5, TimeoutDialer, this, Adaptation::Icap::Xaction::noteCommTimedout);
403  commSetConnTimeout(connection, TheConfig.io_timeout(service().cfg().bypass), call);
404  } else {
405  // clear timeout when there is no I/O
406  // Do we need a lifetime timeout?
407  commUnsetConnTimeout(connection);
408  }
409 }
410 
411 void Adaptation::Icap::Xaction::scheduleRead()
412 {
413  Must(haveConnection());
414  Must(!reader);
415  Must(readBuf.length() < SQUID_TCP_SO_RCVBUF); // will expand later if needed
416 
417  typedef CommCbMemFunT<Adaptation::Icap::Xaction, CommIoCbParams> Dialer;
418  reader = JobCallback(93, 3, Dialer, this, Adaptation::Icap::Xaction::noteCommRead);
419  Comm::Read(connection, reader);
420  updateTimeout();
421 }
422 
423 // comm module read a portion of the ICAP response for us
424 void Adaptation::Icap::Xaction::noteCommRead(const CommIoCbParams &io)
425 {
426  Must(reader != NULL);
427  reader = NULL;
428 
429  Must(io.flag == Comm::OK);
430 
431  // TODO: tune this better to expected message sizes
432  readBuf.reserveCapacity(SQUID_TCP_SO_RCVBUF);
433  // we are not asked to grow beyond the allowed maximum
434  Must(readBuf.length() < SQUID_TCP_SO_RCVBUF);
435  // now we can ensure that there is space to read new data,
436  // even if readBuf.spaceSize() currently returns zero.
437  readBuf.rawAppendStart(1);
438 
439  CommIoCbParams rd(this); // will be expanded with ReadNow results
440  rd.conn = io.conn;
441 
442  switch (Comm::ReadNow(rd, readBuf)) {
443  case Comm::INPROGRESS:
444  if (readBuf.isEmpty())
445  debugs(33, 2, io.conn << ": no data to process, " << xstrerr(rd.xerrno));
446  scheduleRead();
447  return;
448 
449  case Comm::OK:
450  al.icap.bytesRead += rd.size;
451 
452  updateTimeout();
453 
454  debugs(93, 3, "read " << rd.size << " bytes");
455 
456  disableRetries(); // because pconn did not fail
457 
458  /* Continue to process previously read data */
459  break;
460 
461  case Comm::ENDFILE: // close detected by 0-byte read
462  commEof = true;
463  reuseConnection = false;
464 
465  // detect a pconn race condition: eof on the first pconn read
466  if (!al.icap.bytesRead && retriable()) {
467  setOutcome(xoRace);
468  mustStop("pconn race");
469  return;
470  }
471 
472  break;
473 
474  // case Comm::COMM_ERROR:
475  default: // no other flags should ever occur
476  debugs(11, 2, io.conn << ": read failure: " << xstrerr(rd.xerrno));
477  mustStop("unknown ICAP I/O read error");
478  return;
479  }
480 
481  handleCommRead(io.size);
482 }
483 
484 void Adaptation::Icap::Xaction::cancelRead()
485 {
486  if (reader != NULL) {
487  Must(haveConnection());
488  Comm::ReadCancel(connection->fd, reader);
489  reader = NULL;
490  }
491 }
492 
493 bool
494 Adaptation::Icap::Xaction::parseHttpMsg(Http::Message *msg)
495 {
496  debugs(93, 5, "have " << readBuf.length() << " head bytes to parse");
497 
498  Http::StatusCode error = Http::scNone;
499  // XXX: performance regression c_str() data copies
500  const char *buf = readBuf.c_str();
501  const bool parsed = msg->parse(buf, readBuf.length(), commEof, &error);
502  Must(parsed || !error); // success or need more data
503 
504  if (!parsed) { // need more data
505  Must(mayReadMore());
506  msg->reset();
507  return false;
508  }
509 
510  readBuf.consume(msg->hdr_sz);
511  return true;
512 }
513 
514 bool Adaptation::Icap::Xaction::mayReadMore() const
515 {
516  return !doneReading() && // will read more data
517  readBuf.length() < SQUID_TCP_SO_RCVBUF; // have space for more data
518 }
519 
520 bool Adaptation::Icap::Xaction::doneReading() const
521 {
522  return commEof;
523 }
524 
525 bool Adaptation::Icap::Xaction::doneWriting() const
526 {
527  return !writer;
528 }
529 
530 bool Adaptation::Icap::Xaction::doneWithIo() const
531 {
532  return haveConnection() &&
533  !transportWait && !reader && !writer && // fast checks, some redundant
534  doneReading() && doneWriting();
535 }
536 
537 bool Adaptation::Icap::Xaction::haveConnection() const
538 {
539  return connection != NULL && connection->isOpen();
540 }
541 
542 // initiator aborted
543 void Adaptation::Icap::Xaction::noteInitiatorAborted()
544 {
545 
546  if (theInitiator.set()) {
547  debugs(93,4, "Initiator gone before ICAP transaction ended");
548  clearInitiator();
549  static const auto d = MakeNamedErrorDetail("ICAP_INIT_GONE");
550  detailError(d);
551  setOutcome(xoGone);
552  mustStop("initiator aborted");
553  }
554 
555 }
556 
557 void Adaptation::Icap::Xaction::setOutcome(const Adaptation::Icap::XactOutcome &xo)
558 {
559  if (al.icap.outcome != xoUnknown) {
560  debugs(93, 3, "WARNING: resetting outcome: from " << al.icap.outcome << " to " << xo);
561  } else {
562  debugs(93, 4, xo);
563  }
564  al.icap.outcome = xo;
565 }
566 
567 // This 'last chance' method is called before a 'done' transaction is deleted.
568 // It is wrong to call virtual methods from a destructor. Besides, this call
569 // indicates that the transaction will terminate as planned.
570 void Adaptation::Icap::Xaction::swanSong()
571 {
572  // kids should sing first and then call the parent method.
573  if (transportWait || encryptionWait) {
574  service().noteConnectionFailed("abort");
575  }
576 
577  closeConnection(); // TODO: rename because we do not always close
578 
579  readBuf.clear();
580 
581  tellQueryAborted();
582 
583  maybeLog();
584 
585  Adaptation::Initiate::swanSong();
586 }
587 
588 void Adaptation::Icap::Xaction::tellQueryAborted()
589 {
590  if (theInitiator.set()) {
591  Adaptation::Icap::XactAbortInfo abortInfo(icapRequest, icapReply.getRaw(),
592  retriable(), repeatable());
593  Launcher *launcher = dynamic_cast<Launcher*>(theInitiator.get());
594  // launcher may be nil if initiator is invalid
595  CallJobHere1(91,5, CbcPointer<Launcher>(launcher),
596  Launcher, noteXactAbort, abortInfo);
597  clearInitiator();
598  }
599 }
600 
601 void Adaptation::Icap::Xaction::maybeLog()
602 {
603  if (IcapLogfileStatus == LOG_ENABLE) {
604  finalizeLogInfo();
605  icapLogLog(alep);
606  }
607 }
608 
609 void Adaptation::Icap::Xaction::finalizeLogInfo()
610 {
611  //prepare log data
612  al.icp.opcode = ICP_INVALID;
613 
614  const Adaptation::Icap::ServiceRep &s = service();
615  al.icap.hostAddr = s.cfg().host.termedBuf();
616  al.icap.serviceName = s.cfg().key;
617  al.icap.reqUri = s.cfg().uri;
618 
619  tvSub(al.icap.ioTime, icap_tio_start, icap_tio_finish);
620  tvSub(al.icap.trTime, icap_tr_start, current_time);
621 
622  al.icap.request = icapRequest;
623  HTTPMSGLOCK(al.icap.request);
624  if (icapReply != NULL) {
625  al.icap.reply = icapReply.getRaw();
626  HTTPMSGLOCK(al.icap.reply);
627  al.icap.resStatus = icapReply->sline.status();
628  }
629 }
630 
631 // returns a temporary string depicting transaction status, for debugging
632 const char *Adaptation::Icap::Xaction::status() const
633 {
634  static MemBuf buf;
635  buf.reset();
636  buf.append(" [", 2);
637  fillPendingStatus(buf);
638  buf.append("/", 1);
639  fillDoneStatus(buf);
640  buf.appendf(" %s%u]", id.prefix(), id.value);
641  buf.terminate();
642 
643  return buf.content();
644 }
645 
646 void Adaptation::Icap::Xaction::fillPendingStatus(MemBuf &buf) const
647 {
648  if (haveConnection()) {
649  buf.appendf("FD %d", connection->fd);
650 
651  if (writer != NULL)
652  buf.append("w", 1);
653 
654  if (reader != NULL)
655  buf.append("r", 1);
656 
657  buf.append(";", 1);
658  }
659 
660  if (waitingForDns)
661  buf.append("D", 1);
662 }
663 
664 void Adaptation::Icap::Xaction::fillDoneStatus(MemBuf &buf) const
665 {
666  if (haveConnection() && commEof)
667  buf.appendf("Comm(%d)", connection->fd);
668 
669  if (stopReason != NULL)
670  buf.append("Stopped", 7);
671 }
672 
673 bool Adaptation::Icap::Xaction::fillVirginHttpHeader(MemBuf &) const
674 {
675  return false;
676 }
677 
678 bool
679 Ssl::IcapPeerConnector::initialize(Security::SessionPointer &serverSession)
680 {
681  if (!Security::PeerConnector::initialize(serverSession))
682  return false;
683 
684  assert(!icapService->cfg().secure.sslDomain.isEmpty());
685 #if USE_OPENSSL
686  SBuf *host = new SBuf(icapService->cfg().secure.sslDomain);
687  SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host);
688  setClientSNI(serverSession.get(), host->c_str());
689 #endif
690 
691  Security::SetSessionResumeData(serverSession, icapService->sslSession);
692  return true;
693 }
694 
695 void
696 Ssl::IcapPeerConnector::fillChecklist(ACLFilledChecklist &checklist) const
697 {
698  Security::PeerConnector::fillChecklist(checklist);
699  if (checklist.dst_peer_name.isEmpty())
700  checklist.dst_peer_name = icapService->cfg().secure.sslDomain;
701 }
702 
703 void
704 Ssl::IcapPeerConnector::noteNegotiationDone(ErrorState *error)
705 {
706  if (error)
707  return;
708 
709  const int fd = serverConnection()->fd;
710  Security::MaybeGetSessionResumeData(fd_table[fd].ssl, icapService->sslSession);
711 }
712 
713 void
714 Adaptation::Icap::Xaction::handleSecuredPeer(Security::EncryptorAnswer &answer)
715 {
716  encryptionWait.finish();
717 
718  assert(!answer.tunneled);
719  if (answer.error.get()) {
720  assert(!answer.conn);
721  // TODO: Refactor dieOnConnectionFailure() to be usable here as well.
722  debugs(93, 2, typeName <<
723  " TLS negotiation to " << service().cfg().uri << " failed");
724  service().noteConnectionFailed("failure");
725  static const auto d = MakeNamedErrorDetail("ICAP_XACT_SSL_START");
726  detailError(d);
727  throw TexcHere("cannot connect to the TLS ICAP service");
728  }
729 
730  debugs(93, 5, "TLS negotiation to " << service().cfg().uri << " complete");
731 
732  assert(answer.conn);
733 
734  // The socket could get closed while our callback was queued. Sync
735  // Connection. XXX: Connection::fd may already be stale/invalid here.
736  if (answer.conn->isOpen() && fd_table[answer.conn->fd].closing()) {
737  answer.conn->noteClosure();
738  service().noteConnectionFailed("external TLS connection closure");
739  static const auto d = MakeNamedErrorDetail("ICAP_XACT_SSL_CLOSE");
740  detailError(d);
741  throw TexcHere("external closure of the TLS ICAP service connection");
742  }
743 
744  useIcapConnection(answer.conn);
745 }
746 
Comm::Read
void Read(const Comm::ConnectionPointer &conn, AsyncCall::Pointer &callback)
Definition: Read.cc:40
Http::Message::hdr_sz
int hdr_sz
Definition: Message.h:82
Security::PeerConnector::PeerConnector
PeerConnector(const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, const AccessLogEntryPointer &alp, const time_t timeout=0)
Definition: PeerConnector.cc:37
xstrerr
const char * xstrerr(int error)
Definition: xstrerror.cc:83
CbcPointer::get
Cbc * get() const
a temporary valid raw Cbc pointer or NULL
Definition: CbcPointer.h:162
comm_add_close_handler
AsyncCall::Pointer comm_add_close_handler(int fd, CLCB *handler, void *data)
Definition: comm.cc:921
Security::EncryptorAnswer::tunneled
bool tunneled
whether we spliced the connections instead of negotiating encryption
Definition: EncryptorAnswer.h:33
Adaptation::Icap::xoError
const XactOutcome xoError
all kinds of transaction errors
Definition: Elements.cc:21
Here
#define Here()
source code location of the caller
Definition: Here.h:15
MemBuf::terminate
void terminate()
Definition: MemBuf.cc:241
Packable::appendf
void appendf(const char *fmt,...) PRINTF_FORMAT_ARG2
Append operation with printf-style arguments.
Definition: Packable.h:61
Adaptation::Icap::Xaction::noteCommConnected
void noteCommConnected(const CommConnectCbParams &io)
called when the connection attempt to an ICAP service completes (successfully or not)
Definition: Xaction.cc:248
Http::Message
common parts of HttpRequest and HttpReply
Definition: Message.h:26
Ssl::IcapPeerConnector
A simple PeerConnector for Secure ICAP services. No SslBump capabilities.
Definition: Xaction.cc:50
Security::ContextPointer
std::shared_ptr< SSL_CTX > ContextPointer
Definition: Context.h:29
Security::PeerConnector::initialize
virtual bool initialize(Security::SessionPointer &)
Definition: PeerConnector.cc:137
Security::MaybeGetSessionResumeData
void MaybeGetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &data)
Definition: Session.cc:225
Adaptation::Icap::Xaction::fillDoneStatus
virtual void fillDoneStatus(MemBuf &buf) const
Definition: Xaction.cc:664
Adaptation::Icap::TheConfig
Config TheConfig
Definition: Config.cc:19
AsyncJob::callEnd
virtual void callEnd()
called right after the called job method
Definition: AsyncJob.cc:137
Http::scNone
@ scNone
Definition: StatusCode.h:21
Adaptation::Icap::xoUnknown
const XactOutcome xoUnknown
initial value: outcome was not set
Definition: Elements.cc:18
SBuf::isEmpty
bool isEmpty() const
Definition: SBuf.h:424
Security::EncryptorAnswer::error
CbcPointer< ErrorState > error
problem details (nil on success)
Definition: EncryptorAnswer.h:30
Adaptation::Icap::Xaction::dnsLookupDone
void dnsLookupDone(const ipcache_addrs *ia)
Definition: Xaction.cc:182
Comm::ReadNow
Comm::Flag ReadNow(CommIoCbParams &params, SBuf &buf)
Definition: Read.cc:81
Adaptation::Icap::Xaction::Xaction
Xaction(const char *aTypeName, ServiceRep::Pointer &aService)
Definition: Xaction.cc:79
error
void error(char *format,...)
Comm::INPROGRESS
@ INPROGRESS
Definition: Flag.h:22
SBuf
Definition: SBuf.h:87
Adaptation::Icap::Xaction::doneAll
virtual bool doneAll() const
whether positive goal has been reached
Definition: Xaction.cc:386
Adaptation::Icap::Xaction::service
ServiceRep & service()
Definition: Xaction.cc:120
Adaptation::Icap::Xaction::fillPendingStatus
virtual void fillPendingStatus(MemBuf &buf) const
Definition: Xaction.cc:646
commSetConnTimeout
int commSetConnTimeout(const Comm::ConnectionPointer &conn, int timeout, AsyncCall::Pointer &callback)
Definition: comm.cc:563
Adaptation::Icap::Xaction::setOutcome
void setOutcome(const XactOutcome &xo)
Definition: Xaction.cc:557
LOG_ENABLE
#define LOG_ENABLE
Definition: defines.h:62
Security::PeerConnector::fillChecklist
virtual void fillChecklist(ACLFilledChecklist &) const
configure the given checklist (to reflect the current transaction state)
Definition: PeerConnector.cc:91
Adaptation::Icap::Xaction::useTransportConnection
void useTransportConnection(const Comm::ConnectionPointer &)
Definition: Xaction.cc:263
MemBuf::append
virtual void append(const char *c, int sz)
Definition: MemBuf.cc:209
Comm::IsConnOpen
bool IsConnOpen(const Comm::ConnectionPointer &conn)
Definition: Connection.cc:27
Comm::OK
@ OK
Definition: Flag.h:16
Dns::CachedIps::current
const Ip::Address & current() const
Definition: ipcache.h:59
HTTPMSGUNLOCK
void HTTPMSGUNLOCK(M *&a)
Definition: Message.h:150
icapLookupDnsResults
static void icapLookupDnsResults(const ipcache_addrs *ia, const Dns::LookupDetails &, void *data)
Definition: Xaction.cc:146
Adaptation::Icap::Xaction::disableRepeats
void disableRepeats(const char *reason)
Definition: Xaction.cc:133
Comm::ENDFILE
@ ENDFILE
Definition: Flag.h:27
Http::StatusCode
StatusCode
Definition: StatusCode.h:20
Adaptation::Icap::Xaction::haveConnection
bool haveConnection() const
Definition: Xaction.cc:537
CommCommonCbParams::xerrno
int xerrno
The last errno to occur. non-zero if flag is Comm::COMM_ERROR.
Definition: CommCalls.h:88
icap_log.h
Adaptation::Icap::xoGone
const XactOutcome xoGone
initiator gone, will not continue
Definition: Elements.cc:19
Adaptation::Icap::Xaction::noteCommClosed
void noteCommClosed(const CommCloseCbParams &io)
Definition: Xaction.cc:357
Adaptation::Icap::Xaction::noteCommWrote
void noteCommWrote(const CommIoCbParams &io)
Definition: Xaction.cc:327
Adaptation::Icap::Config::connect_timeout
time_t connect_timeout(bool bypassable) const
Definition: Config.cc:41
TexcHere
#define TexcHere(msg)
legacy convenience macro; it is not difficult to type Here() now
Definition: TextException.h:59
Adaptation::Icap::xoRace
const XactOutcome xoRace
ICAP server closed pconn when we started.
Definition: Elements.cc:20
getOutgoingAddress
void getOutgoingAddress(HttpRequest *request, const Comm::ConnectionPointer &conn)
Definition: FwdState.cc:1524
Adaptation::Icap::Xaction::noteCommRead
void noteCommRead(const CommIoCbParams &io)
Definition: Xaction.cc:424
Comm::ReadCancel
void ReadCancel(int fd, AsyncCall::Pointer &callback)
Cancel the read pending on FD. No action if none pending.
Definition: Read.cc:219
ICP_INVALID
@ ICP_INVALID
Definition: icp_opcode.h:15
Security::EncryptorAnswer::conn
Comm::ConnectionPointer conn
peer connection (secured on success)
Definition: EncryptorAnswer.h:26
current_time
struct timeval current_time
the current UNIX time in timeval {seconds, microseconds} format
Definition: gadgets.cc:17
NULL
#define NULL
Definition: types.h:166
AsyncJob::doneAll
virtual bool doneAll() const
whether positive goal has been reached
Definition: AsyncJob.cc:97
Adaptation::Icap::ServiceRep::getIdleConnection
Comm::ConnectionPointer getIdleConnection(bool isRetriable)
Definition: ServiceRep.cc:117
Ssl::IcapPeerConnector::CBDATA_CLASS
CBDATA_CLASS(IcapPeerConnector)
icapLogLog
void icapLogLog(AccessLogEntry::Pointer &al)
Definition: icap_log.cc:60
Adaptation::Icap::Xaction::callEnd
virtual void callEnd()
called right after the called job method
Definition: Xaction.cc:377
Ssl::IcapPeerConnector::icapService
Adaptation::Icap::ServiceRep::Pointer icapService
Definition: Xaction.cc:73
true
#define true
Definition: GnuRegex.c:234
MemBuf
Definition: MemBuf.h:24
ipcache_nbgethostbyname
void ipcache_nbgethostbyname(const char *name, IPH *handler, void *handlerData)
Definition: ipcache.cc:599
Ssl
Definition: Xaction.cc:48
Adaptation::Icap::Xaction::useIcapConnection
void useIcapConnection(const Comm::ConnectionPointer &)
react to the availability of a fully-ready ICAP connection
Definition: Xaction.cc:288
Security::PeerConnector::CbDialer
Callback dialer API to allow PeerConnector to set the answer.
Definition: PeerConnector.h:57
Adaptation::Icap::Xaction::fillVirginHttpHeader
virtual bool fillVirginHttpHeader(MemBuf &) const
Definition: Xaction.cc:673
CallJobHere
#define CallJobHere(debugSection, debugLevel, job, Class, method)
Definition: AsyncJobCalls.h:58
Adaptation::Icap::Xaction::doneWithIo
bool doneWithIo() const
Definition: Xaction.cc:530
MyIcapAnswerDialer::answer
virtual Security::EncryptorAnswer & answer()
gives PeerConnector access to the in-dialer answer
Definition: Xaction.cc:44
CommCommonCbParams::conn
Comm::ConnectionPointer conn
Definition: CommCalls.h:85
conn
int conn
the current server connection FD
Definition: Transport.cc:26
assert
#define assert(EX)
Definition: assert.h:19
String::termedBuf
char const * termedBuf() const
Definition: SquidString.h:92
Security::Connection
SSL Connection
Definition: Session.h:45
MyIcapAnswerDialer::MyIcapAnswerDialer
MyIcapAnswerDialer(const JobPointer &aJob, Method aMethod)
Definition: Xaction.cc:40
HTTPMSGLOCK
void HTTPMSGLOCK(Http::Message *a)
Definition: Message.h:161
CommCommonCbParams::flag
Comm::Flag flag
comm layer result status.
Definition: CommCalls.h:87
Adaptation::Icap::Xaction::icapRequest
HttpRequest * icapRequest
sent (or at least created) ICAP request
Definition: Xaction.h:63
Dns::LookupDetails
encapsulates DNS lookup results
Definition: LookupDetails.h:21
JobCallback
#define JobCallback(dbgSection, dbgLevel, Dialer, job, method)
Convenience macro to create a Dialer-based job callback.
Definition: AsyncJobCalls.h:69
SBuf::c_str
const char * c_str()
Definition: SBuf.cc:516
Comm::Write
void Write(const Comm::ConnectionPointer &conn, const char *buf, int size, AsyncCall::Pointer &callback, FREE *free_func)
Definition: Write.cc:33
commUnsetConnTimeout
int commUnsetConnTimeout(const Comm::ConnectionPointer &conn)
Definition: comm.cc:589
IcapLogfileStatus
int IcapLogfileStatus
Definition: icap_log.cc:20
CBDATA_NAMESPACED_CLASS_INIT
CBDATA_NAMESPACED_CLASS_INIT(Ssl, IcapPeerConnector)
Adaptation::Icap::Xaction::callException
virtual void callException(const std::exception &e)
called when the job throws during an async call
Definition: Xaction.cc:370
AsyncJob::typeName
const char * typeName
kid (leaf) class name, for debugging
Definition: AsyncJob.h:80
Adaptation::Icap::Config::io_timeout
time_t io_timeout(bool bypassable) const
Definition: Config.cc:49
Http::Message::reset
virtual void reset()=0
ssl_ex_index_server
int ssl_ex_index_server
fd_table
#define fd_table
Definition: fde.h:189
Adaptation::Icap::Xaction::mayReadMore
bool mayReadMore() const
Definition: Xaction.cc:514
Adaptation::Icap::Xaction::finalizeLogInfo
virtual void finalizeLogInfo()
Definition: Xaction.cc:609
Adaptation::Icap::Xaction::noteInitiatorAborted
virtual void noteInitiatorAborted()
Definition: Xaction.cc:543
Security::SessionPointer
std::shared_ptr< SSL > SessionPointer
Definition: Session.h:49
Adaptation::Icap::Xaction::handleSecuredPeer
void handleSecuredPeer(Security::EncryptorAnswer &answer)
Definition: Xaction.cc:714
TextException
an std::runtime_error with thrower location info
Definition: TextException.h:21
MemBuf::content
char * content()
start of the added data
Definition: MemBuf.h:41
Adaptation::Initiate::swanSong
virtual void swanSong()
Definition: Initiate.cc:62
AsyncJob::start
virtual void start()
called by AsyncStart; do not call directly
Definition: AsyncJob.cc:44
Must
#define Must(condition)
Definition: TextException.h:71
DBG_IMPORTANT
#define DBG_IMPORTANT
Definition: Stream.h:41
Ssl::IcapPeerConnector::noteNegotiationDone
virtual void noteNegotiationDone(ErrorState *error)
Definition: Xaction.cc:704
asyncCall
AsyncCall * asyncCall(int aDebugSection, int aDebugLevel, const char *aName, const Dialer &aDialer)
Definition: AsyncCall.h:154
Store::nil
void Controller::create() STUB void Controller Controller nil
Definition: stub_libstore.cc:19
MemBuf::reset
void reset()
Definition: MemBuf.cc:129
Adaptation::Icap::Xaction::swanSong
virtual void swanSong()
Definition: Xaction.cc:570
Adaptation::Icap::Xaction::noteCommTimedout
void noteCommTimedout(const CommTimeoutCbParams &io)
Definition: Xaction.cc:345
Adaptation::Icap::Xaction::status
virtual const char * status() const
internal cleanup; do not call directly
Definition: Xaction.cc:632
Comm::Connection::isOpen
bool isOpen() const
Definition: Connection.h:99
Adaptation::Service::cfg
const ServiceConfig & cfg() const
Definition: Service.h:51
Adaptation::Icap::Xaction::scheduleWrite
void scheduleWrite(MemBuf &buf)
Definition: Xaction.cc:314
AsyncJob::callException
virtual void callException(const std::exception &e)
called when the job throws during an async call
Definition: AsyncJob.cc:128
MyIcapAnswerDialer
Gives Security::PeerConnector access to Answer in the PeerPoolMgr callback dialer.
Definition: Xaction.cc:38
Ssl::IcapPeerConnector::fillChecklist
virtual void fillChecklist(ACLFilledChecklist &) const
configure the given checklist (to reflect the current transaction state)
Definition: Xaction.cc:696
Ssl::IcapPeerConnector::IcapPeerConnector
IcapPeerConnector(Adaptation::Icap::ServiceRep::Pointer &service, const Comm::ConnectionPointer &aServerConn, AsyncCall::Pointer &aCallback, AccessLogEntry::Pointer const &alp, const time_t timeout=0)
Definition: Xaction.cc:53
Ssl::IcapPeerConnector::getTlsContext
virtual Security::ContextPointer getTlsContext()
Definition: Xaction.cc:65
false
#define false
Definition: GnuRegex.c:233
Security
Network/connection security abstraction layer.
Definition: Connection.h:34
Ssl::IcapPeerConnector::initialize
virtual bool initialize(Security::SessionPointer &)
Definition: Xaction.cc:679
debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:196
Adaptation::Icap::Xaction::start
virtual void start()
called by AsyncStart; do not call directly
Definition: Xaction.cc:140
Adaptation::Icap::Xaction::masterLogEntry
virtual AccessLogEntry::Pointer masterLogEntry()
Definition: Xaction.cc:113
Adaptation::Icap::XactOutcome
const char * XactOutcome
transaction result for logging
Definition: Elements.h:39
comm_remove_close_handler
void comm_remove_close_handler(int fd, CLCB *handler, void *data)
Definition: comm.cc:950
Adaptation::Icap::Xaction::doneReading
virtual bool doneReading() const
Definition: Xaction.cc:520
Ssl::setClientSNI
void setClientSNI(SSL *ssl, const char *fqdn)
Definition: support.cc:1061
tvSub
void tvSub(struct timeval &res, struct timeval const &t1, struct timeval const &t2)
Definition: gadgets.cc:58
Adaptation::Icap::Xaction::parseHttpMsg
bool parseHttpMsg(Http::Message *msg)
Definition: Xaction.cc:494
MakeNamedErrorDetail
ErrorDetail::Pointer MakeNamedErrorDetail(const char *name)
Definition: Detail.cc:54
Adaptation::Icap::Xaction::doneWriting
virtual bool doneWriting() const
Definition: Xaction.cc:525
Security::SetSessionResumeData
void SetSessionResumeData(const Security::SessionPointer &, const Security::SessionStatePointer &)
Definition: Session.cc:246
CallJobHere1
#define CallJobHere1(debugSection, debugLevel, job, Class, method, arg1)
Definition: AsyncJobCalls.h:63
Http::Message::parse
bool parse(const char *buf, const size_t sz, bool eol, Http::StatusCode *error)
Definition: Message.cc:79

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors