client_side.h

Go to the documentation of this file.

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
 
/* DEBUG: section 33    Client-side Routines */
 
#ifndef SQUID_CLIENTSIDE_H
#define SQUID_CLIENTSIDE_H
 
#include "acl/ChecklistFiller.h"
#include "base/RunnersRegistry.h"
#include "clientStreamForward.h"
#include "comm.h"
#include "error/Error.h"
#include "helper/forward.h"
#include "http/forward.h"
#include "HttpControlMsg.h"
#include "ipc/FdNotes.h"
#include "log/forward.h"
#include "proxyp/forward.h"
#include "sbuf/SBuf.h"
#include "servers/Server.h"
#if USE_AUTH
#include "auth/UserRequest.h"
#endif
#include "security/KeyLogger.h"
#if USE_OPENSSL
#include "security/forward.h"
#include "security/Handshake.h"
#include "ssl/support.h"
#endif
#if USE_DELAY_POOLS
#include "MessageBucket.h"
#endif
 
#include <iosfwd>
 
class ClientHttpRequest;
class HttpHdrRangeSpec;
 
class MasterXaction;
typedef RefCount<MasterXaction> MasterXactionPointer;
 
#if USE_OPENSSL
namespace Ssl
{
class ServerBump;
}
#endif
 
class ConnStateData:
    public Server,
    public HttpControlMsgSink,
    public Acl::ChecklistFiller,
    private IndependentRunner
{
 
public:
    explicit ConnStateData(const MasterXactionPointer &xact);
    ~ConnStateData() override;
 
    /* ::Server API */
    void receivedFirstByte() override;
    bool handleReadData() override;
    void afterClientRead() override;
    void afterClientWrite(size_t) override;
 
    /* HttpControlMsgSink API */
    void sendControlMsg(HttpControlMsg) override;
    void doneWithControlMsg() override;
 
    void readNextRequest();
 
    void kick();
 
    bool isOpen() const;
 
    Http1::TeChunkedParser *bodyParser = nullptr; 
 
    int64_t mayNeedToReadMoreBody() const;
 
#if USE_AUTH
    const Auth::UserRequest::Pointer &getAuth() const { return auth_; }
 
    void setAuth(const Auth::UserRequest::Pointer &aur, const char *cause);
#endif
 
    Ip::Address log_addr;
 
    struct {
        bool readMore = true; 
        bool swanSang = false; // XXX: temporary flag to check proper cleanup
    } flags;
    struct {
        Comm::ConnectionPointer serverConnection; /* pinned server side connection */
        char *host = nullptr; 
        AnyP::Port port; 
        bool pinned = false; 
        bool auth = false; 
        bool reading = false; 
        bool zeroReply = false; 
        bool peerAccessDenied = false; 
        CachePeer *peer = nullptr; 
        AsyncCall::Pointer readHandler; 
        AsyncCall::Pointer closeHandler; 
    } pinning;
 
    bool transparent() const;
 
    const char *stoppedReceiving() const { return stoppedReceiving_; }
    const char *stoppedSending() const { return stoppedSending_; }
    void stopReceiving(const char *error);
    void stopSending(const char *error);
 
    void resetReadTimeout(time_t timeout);
    void extendLifetime();
 
    void expectNoForwarding(); 
 
    /* BodyPipe API */
    BodyPipe::Pointer expectRequestBody(int64_t size);
    void noteMoreBodySpaceAvailable(BodyPipe::Pointer) override = 0;
    void noteBodyConsumerAborted(BodyPipe::Pointer) override = 0;
 
    bool handleRequestBodyData();
 
    class PinnedIdleContext
    {
    public:
        PinnedIdleContext(const Comm::ConnectionPointer &conn, const HttpRequest::Pointer &req): connection(conn), request(req) {}
 
        Comm::ConnectionPointer connection; 
        HttpRequest::Pointer request; 
    };
 
    void notePinnedConnectionBecameIdle(PinnedIdleContext pic);
    void pinBusyConnection(const Comm::ConnectionPointer &pinServerConn, const HttpRequest::Pointer &request);
    void unpinConnection(const bool andClose);
 
    static Comm::ConnectionPointer BorrowPinnedConnection(HttpRequest *, const AccessLogEntryPointer &);
    CachePeer *pinnedPeer() const {return pinning.peer;}
    bool pinnedAuth() const {return pinning.auth;}
 
    virtual void notePeerConnection(Comm::ConnectionPointer) {}
 
    // pining related comm callbacks
    virtual void clientPinnedConnectionClosed(const CommCloseCbParams &io);
 
    class ServerConnectionContext {
    public:
        ServerConnectionContext(const Comm::ConnectionPointer &conn, const SBuf &post101Bytes) : preReadServerBytes(post101Bytes), conn_(conn) { conn_->enterOrphanage(); }
 
        Comm::ConnectionPointer connection() { conn_->leaveOrphanage(); return conn_; }
 
        SBuf preReadServerBytes; 
 
    private:
        friend std::ostream &operator <<(std::ostream &, const ServerConnectionContext &);
        Comm::ConnectionPointer conn_; 
    };
 
    virtual void noteTakeServerConnectionControl(ServerConnectionContext) {}
 
    // comm callbacks
    void clientReadFtpData(const CommIoCbParams &io);
    void connStateClosed(const CommCloseCbParams &io);
    void requestTimeout(const CommTimeoutCbParams &params);
    void lifetimeTimeout(const CommTimeoutCbParams &params);
 
    // AsyncJob API
    void start() override;
    bool doneAll() const override { return BodyProducer::doneAll() && false;}
    void swanSong() override;
    void callException(const std::exception &) override;
 
    void quitAfterError(HttpRequest *request); // meant to be private
 
    void stopPinnedConnectionMonitoring();
 
    Security::IoResult acceptTls();
 
    void postHttpsAccept();
 
#if USE_OPENSSL
    void startPeekAndSplice();
 
    void doPeekAndSpliceStep();
    void httpsPeeked(PinnedIdleContext pic);
 
    bool splice();
 
    void getSslContextStart();
 
    void getSslContextDone(Security::ContextPointer &);
 
    static void sslCrtdHandleReplyWrapper(void *data, const Helper::Reply &reply);
    void sslCrtdHandleReply(const Helper::Reply &reply);
 
    void switchToHttps(ClientHttpRequest *, Ssl::BumpMode bumpServerMode);
    void parseTlsHandshake();
    bool switchedToHttps() const { return switchedToHttps_; }
    Ssl::ServerBump *serverBump() {return sslServerBump;}
    inline void setServerBump(Ssl::ServerBump *srvBump) {
        if (!sslServerBump)
            sslServerBump = srvBump;
        else
            assert(sslServerBump == srvBump);
    }
    const SBuf &sslCommonName() const {return sslCommonName_;}
    void resetSslCommonName(const char *name) {sslCommonName_ = name;}
    const SBuf &tlsClientSni() const { return tlsClientSni_; }
    void buildSslCertGenerationParams(Ssl::CertificateProperties &certProperties);
    bool serveDelayedError(Http::Stream *);
 
    Ssl::BumpMode sslBumpMode = Ssl::bumpEnd; 
 
    Security::HandshakeParser tlsParser;
#else
    bool switchedToHttps() const { return false; }
#endif
    char *prepareTlsSwitchingURL(const Http1::RequestParserPointer &hp);
 
    void add(const Http::StreamPointer &context);
 
    virtual bool writeControlMsgAndCall(HttpReply *rep, AsyncCall::Pointer &call) = 0;
 
    virtual void handleReply(HttpReply *header, StoreIOBuffer receivedData) = 0;
 
    void consumeInput(const size_t byteCount);
 
    /* TODO: Make the methods below (at least) non-public when possible. */
 
    Http::Stream *abortRequestParsing(const char *const errUri);
 
    bool fakeAConnectRequest(const char *reason, const SBuf &payload);
 
    bool initiateTunneledRequest(HttpRequest::Pointer const &cause, const char *reason, const SBuf &payload);
 
    bool shouldPreserveClientData() const;
 
    ClientHttpRequest *buildFakeRequest(SBuf &useHost, AnyP::KnownPort usePort, const SBuf &payload);
 
    SBuf preservedClientData;
 
    /* Registered Runner API */
    void startShutdown() override;
    void endingShutdown() override;
 
    NotePairs::Pointer notes();
    bool hasNotes() const { return bool(theNotes) && !theNotes->empty(); }
 
    const ProxyProtocol::HeaderPointer &proxyProtocolHeader() const { return proxyProtocolHeader_; }
 
    void updateError(const Error &);
 
    void updateError(const err_type c, const ErrorDetailPointer &d) { updateError(Error(c, d)); }
 
    /* Acl::ChecklistFiller API */
    void fillChecklist(ACLFilledChecklist &) const override;
 
    void fillConnectionLevelDetails(ACLFilledChecklist &) const;
 
    // Exposed to be accessible inside the ClientHttpRequest constructor.
    // TODO: Remove. Make sure there is always a suitable ALE instead.
    Error bareError;
 
    Security::KeyLogger keyLogger;
 
protected:
    void startDechunkingRequest();
    void finishDechunkingRequest(bool withSuccess);
    void abortChunkedRequestBody(const err_type error);
    err_type handleChunkedRequestBody();
 
    Comm::ConnectionPointer borrowPinnedConnection(HttpRequest *, const AccessLogEntryPointer &);
 
    void startPinnedConnectionMonitoring();
    void clientPinnedConnectionRead(const CommIoCbParams &io);
#if USE_OPENSSL
    bool handleIdleClientPinnedTlsRead();
#endif
 
    Http::Stream *parseHttpRequest(const Http1::RequestParserPointer &);
 
    virtual Http::Stream *parseOneRequest() = 0;
 
    virtual void processParsedRequest(Http::StreamPointer &) = 0;
 
    virtual int pipelinePrefetchMax() const;
 
    virtual time_t idleTimeout() const = 0;
 
    void whenClientIpKnown();
 
    BodyPipe::Pointer bodyPipe; 
 
    bool preservingClientData_ = false;
 
    bool tunnelOnError(const err_type);
 
private:
    /* ::Server API */
    void terminateAll(const Error &, const LogTagsErrors &) override;
    bool shouldCloseOnEof() const override;
 
    void checkLogging();
 
    void parseRequests();
    void clientAfterReadingRequests();
    bool concurrentRequestQueueFilled() const;
 
    void pinConnection(const Comm::ConnectionPointer &pinServerConn, const HttpRequest &request);
 
    /* PROXY protocol functionality */
    bool proxyProtocolValidateClient();
    bool parseProxyProtocolHeader();
    bool proxyProtocolError(const char *reason);
 
#if USE_OPENSSL
    Security::ContextPointer getTlsContextFromCache(const SBuf &cacheKey, const Ssl::CertificateProperties &certProperties);
 
    void storeTlsContextToCache(const SBuf &cacheKey, Security::ContextPointer &ctx);
    void handleSslBumpHandshakeError(const Security::IoResult &);
#endif
 
    bool needProxyProtocolHeader_ = false;
 
    ProxyProtocol::HeaderPointer proxyProtocolHeader_;
 
#if USE_AUTH
    Auth::UserRequest::Pointer auth_;
#endif
 
#if USE_OPENSSL
    bool switchedToHttps_ = false;
    bool parsingTlsHandshake = false; 
    uint64_t parsedBumpedRequestCount = 0;
 
    // TODO: Replace tlsConnectHostOrIp and tlsConnectPort with CONNECT request AnyP::Uri
    SBuf tlsConnectHostOrIp; 
    AnyP::Port tlsConnectPort; 
    SBuf sslCommonName_; 
 
    SBuf tlsClientSni_;
    SBuf sslBumpCertKey; 
 
    Ssl::ServerBump *sslServerBump = nullptr;
    Ssl::CertSignAlgorithm signAlgorithm = Ssl::algSignTrusted; 
#endif
 
    const char *stoppedSending_ = nullptr;
    const char *stoppedReceiving_ = nullptr;
    NotePairs::Pointer theNotes;
};
 
const char *findTrailingHTTPVersion(const char *uriAndHTTPVersion, const char *end = nullptr);
 
int varyEvaluateMatch(StoreEntry * entry, HttpRequest * req);
 
void clientStartListeningOn(AnyP::PortCfgPointer &port, const RefCount< CommCbFunPtrCallT<CommAcceptCbPtrFun> > &subCall, const Ipc::FdNoteId noteId);
 
void clientOpenListenSockets(void);
void clientConnectionsClose(void);
void httpRequestFree(void *);
 
void clientSetKeepaliveFlag(ClientHttpRequest *http);
 
void clientPackRangeHdr(const HttpReplyPointer &, const HttpHdrRangeSpec *, String boundary, MemBuf *);
 
void clientPackTermBound(String boundary, MemBuf *);
 
/* misplaced declaratrions of Stream callbacks provided/used by client side */
SQUIDCEXTERN CSR clientGetMoreData;
SQUIDCEXTERN CSS clientReplyStatus;
SQUIDCEXTERN CSD clientReplyDetach;
CSCB clientSocketRecipient;
CSD clientSocketDetach;
 
void clientProcessRequest(ConnStateData *, const Http1::RequestParserPointer &, Http::Stream *);
void clientProcessRequestFinished(ConnStateData *, const HttpRequest::Pointer &);
void clientPostHttpsAccept(ConnStateData *);
 
std::ostream &operator <<(std::ostream &os, const ConnStateData::PinnedIdleContext &pic);
std::ostream &operator <<(std::ostream &, const ConnStateData::ServerConnectionContext &);
 
#endif /* SQUID_CLIENTSIDE_H */