Re: [PATCH] port of http_access2 from 2.6

2010-01-22 Thread Alex Rousskov
On 01/20/2010 04:02 PM, Amos Jeffries wrote:
 On Wed, 20 Jan 2010 09:58:01 -0700, Alex Rousskov
 rouss...@measurement-factory.com wrote:

 Should the documentation mention that redirects are performed before the
 second access check?
 
 I think so. That being one of the two differences between this and
 http_access.
 Or did you mean the cf.data.pre changes were not descriptive/clear enough?

It is the latter. I think the option documentation blob in cf.data.pre
should mention the redirection in addition to adaptation.

 I am not a big fan of fooN names. Would using something more specific like
 post_adaptation_access be better long-term?
 
 Does adapted_http_access seem clearer?
 Being that it's a variant of http_access, always done and only useful when
 checking for adapted things.

adapted_http_access sounds good to me.

Thank you,

Alex.


Re: [PATCH] port of http_access2 from 2.6

2010-01-20 Thread Amos Jeffries
On Wed, 20 Jan 2010 09:58:01 -0700, Alex Rousskov
rouss...@measurement-factory.com wrote:
 On 01/19/2010 07:16 PM, Amos Jeffries wrote:
 I think this is right. Anyone able to double-check me though?
 
 Should the documentation mention that redirects are performed before the
 second access check?

I think so. That being one of the two differences between this and
http_access.
Or did you mean the cf.data.pre changes were not descriptive/clear enough?

 
 I am not a big fan of fooN names. Would using something more specific like
 post_adaptation_access be better long-term?

Does adapted_http_access seem clearer?
Being that it's a variant of http_access, always done and only useful when
checking for adapted things.

 
 Is this going to conflict with the log virgin HTTP request headers
 patch already under review?

I don't think so. It drops in later in the callbacks function, which is
the only overlap AFAIK.

Amos



[PATCH] port of http_access2 from 2.6

2010-01-19 Thread Amos Jeffries

I think this is right. Anyone able to double-check me though?

Amos
=== modified file 'src/ClientRequestContext.h'
--- src/ClientRequestContext.h  2009-07-13 01:20:26 +
+++ src/ClientRequestContext.h  2010-01-20 02:07:17 +
@@ -26,6 +26,7 @@
 
 bool httpStateIsValid();
 void clientAccessCheck();
+void clientAccessCheck2();
 void clientAccessCheckDone(int answer);
 void clientRedirectStart();
 void clientRedirectDone(char *result);
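Review bot: clientAccessCheck2() is declared right under clientAccessCheck() with nothing in the header saying how the two differ; given the naming discussion in this thread (adapted_http_access), a name like clientAdaptedAccessCheck() plus a one-line comment that it runs after redirect and adaptation would make the declaration self-explanatory.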
@@ -42,11 +43,10 @@
 int redirect_state;
 
 bool http_access_done;
+bool http_access2_done;
 #if USE_ADAPTATION
-
 bool adaptation_acl_check_done;
 #endif
-
 bool redirect_done;
 bool no_cache_done;
 bool interpreted_req_hdrs;
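Review bot: http_access2_done is added as a member, but no hunk in this patch initialises it. If the ClientRequestContext constructor sets http_access_done and the other *_done flags individually rather than value-initialising the object, the new flag needs to be added there too, otherwise the doCallouts test on http_access2_done may read an indeterminate value and silently skip the second check.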

=== modified file 'src/cf.data.depend'
--- src/cf.data.depend  2009-12-16 03:46:59 +
+++ src/cf.data.depend  2010-01-20 02:03:45 +
@@ -22,7 +22,7 @@
 HelperChildConfig
 hostdomain cache_peer
 hostdomaintype cache_peer
-http_header_access
+http_header_access acl
 http_header_replace
 http_port_list
 https_port_list
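Review bot: the dependency line touched here is for http_header_access, not for the new http_access2 directive. A directive of TYPE: acl_access that references ACLs should get its own `http_access2 acl` entry so it is parsed after the acl definitions; the http_header_access change, if intended, is unrelated to this port and belongs in a separate commit.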

=== modified file 'src/cf.data.pre'
--- src/cf.data.pre 2010-01-02 04:32:46 +
+++ src/cf.data.pre 2010-01-20 02:03:13 +
@@ -922,6 +922,18 @@
 NOCOMMENT_END
 DOC_END
 
+NAME: http_access2
+TYPE: acl_access
+LOC: Config.accessList.http2
+DEFAULT: none
+DOC_START
+   Allowing or Denying access based on defined access lists
+
+   Essentially identical to http_access, but runs after redirectors
+   and ICAP/eCAP adatpation.
+   If not set then only http_access is used.
+DOC_END
+
 NAME: http_reply_access
 TYPE: acl_access
 LOC: Config.accessList.reply
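Review bot: the DOC_START text misspells "adaptation" as "adatpation" and, as raised upthread, should state the ordering explicitly: this directive is evaluated after both redirectors and ICAP/eCAP adaptation, so its ACLs see the adapted request rather than the virgin one. It would also help to document the default-allow behaviour that the code implements (no http_access2 lines means the request passes this check), and to switch to the name agreed in the thread (adapted_http_access) before merging.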

=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc  2009-12-11 23:37:30 +
+++ src/client_side_request.cc  2010-01-20 02:01:22 +
@@ -525,6 +525,23 @@
 }
 }
 
+/**
+ * Identical in operation to clientAccessCheck() but performed later using 
different configured ACL list.
+ * The default here is to allow all. Since the earlier http_access should do a 
default deny all.
+ * This check is just for a last-minute denial based on adapted request 
headers.
+ */
+void
+ClientRequestContext::clientAccessCheck2()
+{
+if (Config.accessList.http2) {
+acl_checklist = clientAclChecklistCreate(Config.accessList.http2, 
http);
+acl_checklist-nonBlockingCheck(clientAccessCheckDoneWrapper, this);
+} else {
+debugs(85, 2, HERE  No http_access2 configuration.);
+clientAccessCheckDone(ACCESS_ALLOWED);
+}
+}
+
 void
 clientAccessCheckDoneWrapper(int answer, void *data)
 {
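Review bot: clientAccessCheck2() reuses clientAccessCheckDoneWrapper and clientAccessCheckDone for its result, so a denial here is reported exactly like an http_access denial. Check that the error page and access.log entry produced on ACCESS_DENIED do not need to distinguish the two checks, or say in the header comment that they are indistinguishable from the client's and the log's point of view. The header comment could also be tightened to "The default is to allow, since http_access is expected to carry the default deny; this check exists only for a last-minute denial based on adapted request headers."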
@@ -1283,6 +1300,13 @@
 }
 }
 
+if (!calloutContext-http_access2_done) {
+debugs(83, 3, HERE  Doing calloutContext-clientAccessCheck2());
+calloutContext-http_access2_done = true;
+calloutContext-clientAccessCheck2();
+return;
+}
+
 if (!calloutContext-interpreted_req_hdrs) {
 debugs(83, 3, HERE  Doing clientInterpretRequestHeaders());
 calloutContext-interpreted_req_hdrs = 1;
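Review bot: the hunk context does not show which callouts precede the new http_access2_done block, only the two closing braces above it. Since the documentation promises that the check runs after redirectors and adaptation, confirm that it sits below both the redirect_done block and the USE_ADAPTATION block in doCallouts; a debugs() message naming the stage it follows would make that ordering visible in cache.log when debugging a surprising denial.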

=== modified file 'src/structs.h'
--- src/structs.h   2010-01-02 04:32:46 +
+++ src/structs.h   2010-01-20 02:04:46 +
@@ -459,6 +459,7 @@
 
 struct {
 acl_access *http;
+acl_access *http2;
 acl_access *icp;
 acl_access *miss;
 acl_access *NeverDirect;
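Review bot: the new accessList.http2 pointer mirrors http, but no hunk in the patch touches the code that frees or resets accessList.http on reconfigure, so check that http2 is released there as well. If the directive is renamed to adapted_http_access as agreed upthread, the member name should follow (http2 is easily misread as a protocol version).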