Remove Ident protocol support #1827
Conversation
and other fixes.
There was a problem hiding this comment.
@yadij, I asked Eduard to list you as this PR co-author (see current PR description footer) because this PR is using your justification for Ident support removal. Beyond that justification, this PR bugs are not your responsibility, of course.
src/acl/FilledChecklist.h
Outdated
| @@ -117,7 +114,7 @@ class ACLFilledChecklist: public ACLChecklist | |||
| err_type requestErrorType; | |||
|
|
|||
| private: | |||
| ConnStateData * conn_; /**< hack for ident and NTLM */ | |||
| ConnStateData * conn_; ///< client-to-Squid connection manager (if any) | |||
There was a problem hiding this comment.
Per @rousskov guidelines about AsyncJob usage we should not retain pointers to them. Please preserve the comment clarifying that this is a hack
| ConnStateData * conn_; ///< client-to-Squid connection manager (if any) | |
| ConnStateData * conn_; ///< client-to-Squid connection manager (if any). hack for NTLM |
There was a problem hiding this comment.
we should not retain pointers to them
But what should we retain? A CbcPointer to that job instead? Could you please provide a direct link to those guidelines? I do not mind adjusting this comment but would prefer something more meaningful than keeping that vague 'hack for...' phrasing.
There was a problem hiding this comment.
Amos: Per @rousskov guidelines about AsyncJob usage we should not retain pointers to them.
There is no such guideline -- it would make communicating with a job impossible.
One of the actual guidelines is not to communicate with a started AsyncJob using synchronous means. This guideline is primarily targeting use cases where we want to change that started job state. Such changes should be done via asynchronous calls. Extracting information from a running job using a weak job pointer is a bit of a gray area -- ideally, it should be avoided, but the true risks/problems are much lower there.
Amos: Please preserve the comment clarifying that this is a hack
I hope my branch commit a0f1b74 addresses your concern. Please keep in mind that this hack is used for a lot more than NTLM these days.
Eduard: I ... would prefer something more meaningful than keeping that vague 'hack for...' phrasing.
Let's not block on polishing that wording in this PR. Preserving out-of-scope difficult-to-fix problems is fine!
There was a problem hiding this comment.
My understanding is that a) state that needs to be shared outside the Job itself is to be stored in a separate RefCounted object, and b) Job actions that need to be triggered or responses to pass back to a Job should use AsyncCall with a Pointer (or Subscription). Why? because the AsyncJob may self-delete/deallocate at any time due to its own reasons.
There was a problem hiding this comment.
I do not insist on a change of the raw-pointer here. Just to keep the "hack" wording. Which is done. Thank you.
There was a problem hiding this comment.
My understanding is that a) state that needs to be shared outside the Job itself is to be stored in a separate
RefCountedobject
Yes, RefCount is one way to do that, but not the only one. Depending on the state and sharing needs, other information sharing mechanisms may be appropriate (e.g., copying or cbdata). There are too many different use cases to cover everything with RefCount.
and b) Job actions that need to be triggered or responses to pass back to a Job should use AsyncCall
Yes, and to call a job, one needs to store a pointer1 to that job. This is why there cannot be a "should not retain pointers to jobs" guideline.
with a
Pointer(orSubscription).
Yes (or other proper means). Again, there are too many different use cases to cover everything with one approach (or two).
Why? because the
AsyncJobmay self-delete/deallocate at any time due to its own reasons.
Indeed. Moreover, a job might be destroyed for reasons outside job's direct control -- we already have examples of jobs killing other (unsuspecting) jobs.
Someday, this conn_ hack (that violates several guidelines!) will be gone because the information we extract via conn_ today will be available in MasterXaction and ALE.
Thank you for updating your review and clearing this PR!
Footnotes
-
That job pointer may be hidden inside a stored AsyncCall, but there are other possibilities as well. ↩
yadij
added
the
S-waiting-for-author
src/acl/FilledChecklist.h
Outdated
| @@ -117,7 +114,7 @@ class ACLFilledChecklist: public ACLChecklist | |||
| err_type requestErrorType; | |||
|
|
|||
| private: | |||
| ConnStateData * conn_; /**< hack for ident and NTLM */ | |||
| ConnStateData * conn_; ///< client-to-Squid connection manager (if any) | |||
There was a problem hiding this comment.
we should not retain pointers to them
But what should we retain? A CbcPointer to that job instead? Could you please provide a direct link to those guidelines? I do not mind adjusting this comment but would prefer something more meaningful than keeping that vague 'hack for...' phrasing.
src/acl/FilledChecklist.h
Outdated
| @@ -117,7 +114,7 @@ class ACLFilledChecklist: public ACLChecklist | |||
| err_type requestErrorType; | |||
|
|
|||
| private: | |||
| ConnStateData * conn_; /**< hack for ident and NTLM */ | |||
| ConnStateData * conn_; ///< client-to-Squid connection manager (if any) | |||
There was a problem hiding this comment.
Amos: Per @rousskov guidelines about AsyncJob usage we should not retain pointers to them.
There is no such guideline -- it would make communicating with a job impossible.
One of the actual guidelines is not to communicate with a started AsyncJob using synchronous means. This guideline is primarily targeting use cases where we want to change that started job state. Such changes should be done via asynchronous calls. Extracting information from a running job using a weak job pointer is a bit of a gray area -- ideally, it should be avoided, but the true risks/problems are much lower there.
Amos: Please preserve the comment clarifying that this is a hack
I hope my branch commit a0f1b74 addresses your concern. Please keep in mind that this hack is used for a lot more than NTLM these days.
Eduard: I ... would prefer something more meaningful than keeping that vague 'hack for...' phrasing.
Let's not block on polishing that wording in this PR. Preserving out-of-scope difficult-to-fix problems is fine!
rousskov
added
S-waiting-for-reviewer
|
Looks good enough to me; approving so it can be fast-landed as soon as @yadij has a chance to review |
yadij
added
M-cleared-for-merge
Ident protocol (RFC 931 obsoleted by RFC 1413) has been considered seriously insecure and broken since at least 2009 when SANS issued an update recommending its removal from all networks. Squid Ident implementation suffered from assertions (since 2021 commit e227da8) and memory leaks (since 2015 commit fbbea66). Ident implementation design increased ACLChecklist::goAsync() design complexity. An external ACL helper can be written to perform Ident transactions. Configurations using ident/ident_regex ACLs, %ui logformat codes, %IDENT external_acl_type format code, or ident_lookup_access/ident_timeout directives are now rejected, leading to fatal startup failures: FATAL: Invalid ACL type 'ident_regex' FATAL: Invalid ACL type 'ident' ERROR: configuration failure: Unsupported %code: '%ui' ERROR: configuration failure: Unsupported %code: '%IDENT' squid.conf(6): unrecognized: 'ident_lookup_access' squid.conf(7): unrecognized: 'ident_timeout' To avoid inconveniencing admins that do _not_ use Ident features, access logs with "common" and "combined" logformats now always receive a dash in the position of what used to be a %ui record field. Co-authored-by: Amos Jeffries <squid3@treenet.co.nz>
squid-anubis
added
the
M-waiting-staging-checks
squid-anubis
added
M-merged
Ident protocol (RFC 931 obsoleted by RFC 1413) has been considered seriously insecure and broken since at least 2009 when SANS issued an update recommending its removal from all networks. Squid Ident implementation suffered from assertions (since 2021 commit e227da8) and memory leaks (since 2015 commit fbbea66). Ident implementation design increased ACLChecklist::goAsync() design complexity. An external ACL helper can be written to perform Ident transactions. Configurations using ident/ident_regex ACLs, %ui logformat codes, %IDENT external_acl_type format code, or ident_lookup_access/ident_timeout directives are now rejected, leading to fatal startup failures: FATAL: Invalid ACL type 'ident_regex' FATAL: Invalid ACL type 'ident' ERROR: configuration failure: Unsupported %code: '%ui' ERROR: configuration failure: Unsupported %code: '%IDENT' squid.conf(6): unrecognized: 'ident_lookup_access' squid.conf(7): unrecognized: 'ident_timeout' To avoid inconveniencing admins that do _not_ use Ident features, access logs with "common" and "combined" logformats now always receive a dash in the position of what used to be a %ui record field. Co-authored-by: Amos Jeffries <squid3@treenet.co.nz>
Ident protocol (RFC 931 obsoleted by RFC 1413) has been considered seriously insecure and broken since at least 2009 when SANS issued an update recommending its removal from all networks. Squid Ident implementation suffered from assertions (since 2021 commit e227da8) and memory leaks (since 2015 commit fbbea66). Ident implementation design increased ACLChecklist::goAsync() design complexity. An external ACL helper can be written to perform Ident transactions. Configurations using ident/ident_regex ACLs, %ui logformat codes, %IDENT external_acl_type format code, or ident_lookup_access/ident_timeout directives are now rejected, leading to fatal startup failures: FATAL: Invalid ACL type 'ident_regex' FATAL: Invalid ACL type 'ident' ERROR: configuration failure: Unsupported %code: '%ui' ERROR: configuration failure: Unsupported %code: '%IDENT' squid.conf(6): unrecognized: 'ident_lookup_access' squid.conf(7): unrecognized: 'ident_timeout' To avoid inconveniencing admins that do _not_ use Ident features, access logs with "common" and "combined" logformats now always receive a dash in the position of what used to be a %ui record field. Co-authored-by: Amos Jeffries <squid3@treenet.co.nz>
Ident protocol (RFC 931 obsoleted by RFC 1413) has been considered seriously insecure and broken since at least 2009 when SANS issued an update recommending its removal from all networks. Squid Ident implementation suffered from assertions (since 2021 commit e227da8) and memory leaks (since 2015 commit fbbea66). Ident implementation design increased ACLChecklist::goAsync() design complexity. An external ACL helper can be written to perform Ident transactions. Configurations using ident/ident_regex ACLs, %ui logformat codes, %IDENT external_acl_type format code, or ident_lookup_access/ident_timeout directives are now rejected, leading to fatal startup failures: FATAL: Invalid ACL type 'ident_regex' FATAL: Invalid ACL type 'ident' ERROR: configuration failure: Unsupported %code: '%ui' ERROR: configuration failure: Unsupported %code: '%IDENT' squid.conf(6): unrecognized: 'ident_lookup_access' squid.conf(7): unrecognized: 'ident_timeout' To avoid inconveniencing admins that do _not_ use Ident features, access logs with "common" and "combined" logformats now always receive a dash in the position of what used to be a %ui record field. Co-authored-by: Amos Jeffries <squid3@treenet.co.nz>
Ident protocol (RFC 931 obsoleted by RFC 1413) has been considered
seriously insecure and broken since at least 2009 when SANS issued an
update recommending its removal from all networks. Squid Ident
implementation suffered from assertions (since 2021 commit e227da8) and
memory leaks (since 2015 commit fbbea66). Ident implementation design
increased ACLChecklist::goAsync() design complexity.
An external ACL helper can be written to perform Ident transactions.
Configurations using ident/ident_regex ACLs, %ui logformat codes, %IDENT
external_acl_type format code, or ident_lookup_access/ident_timeout
directives are now rejected, leading to fatal startup failures:
To avoid inconveniencing admins that do not use Ident features, access
logs with "common" and "combined" logformats now always receive a dash
in the position of what used to be a %ui record field.
Co-authored-by: Amos Jeffries squid3@treenet.co.nz