[thirdparty/squid.git] / src / auth / Acl.cc

/*
 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#include "squid.h"
#include "acl/Acl.h"
#include "acl/FilledChecklist.h"
#include "auth/Acl.h"
#include "auth/AclProxyAuth.h"
#include "auth/UserRequest.h"
#include "client_side.h"
#include "fatal.h"
#include "http/Stream.h"
#include "HttpRequest.h"

/**
 * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
 * \retval ACCESS_DENIED        user not authenticated (authentication error?)
 * \retval ACCESS_DUNNO         user authentication is in progress
 * \retval ACCESS_DENIED        user not authorized
 * \retval ACCESS_ALLOWED       user authenticated and authorized
 */
allow_t
AuthenticateAcl(ACLChecklist *ch)
{
    ACLFilledChecklist *checklist = Filled(ch);
    HttpRequest *request = checklist->request;
    Http::HdrType headertype;

    if (NULL == request) {
        fatal ("requiresRequest SHOULD have been true for this ACL!!");
        return ACCESS_DENIED;
    } else if (request->flags.sslBumped) {
        debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
        checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->getAuth() : request->auth_user_request;
        if (checklist->auth_user_request != NULL)
            return ACCESS_ALLOWED;
        else
            return ACCESS_DENIED;
    } else if (request->flags.accelerated) {
        /* WWW authorization on accelerated requests */
        headertype = Http::HdrType::AUTHORIZATION;
    } else if (request->flags.intercepted || request->flags.interceptTproxy) {
        debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
        return ACCESS_DENIED;
    } else {
        /* Proxy authorization on proxy requests */
        headertype = Http::HdrType::PROXY_AUTHORIZATION;
    }

    /* get authed here */
    /* Note: this fills in auth_user_request when applicable */
    const AuthAclState result = Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
                                    &checklist->auth_user_request, headertype, request,
                                    checklist->conn(), checklist->src_addr, checklist->al);
    switch (result) {

    case AUTH_ACL_CANNOT_AUTHENTICATE:
        debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
        return ACCESS_DENIED;

    case AUTH_AUTHENTICATED:
        return ACCESS_ALLOWED;
        break;

    case AUTH_ACL_HELPER:
        if (checklist->goAsync(ProxyAuthLookup::Instance()))
            debugs(28, 4, "returning " << ACCESS_DUNNO << " sending credentials to helper.");
        else
            debugs(28, 2, "cannot go async; returning " << ACCESS_DUNNO);
        return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states

    case AUTH_ACL_CHALLENGE:
        debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");
        /* Client is required to resend the request with correct authentication
         * credentials. (This may be part of a stateful auth protocol.)
         * The request is denied.
         */
        return ACCESS_AUTH_REQUIRED;

    default:
        fatal("unexpected authenticateAuthenticate reply\n");
        return ACCESS_DENIED;
    }
}
Commit	Line	Data
bbc27441	1	/*
5b74111a	2	* Copyright (C) 1996-2018 The Squid Software Foundation and contributors
bbc27441 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
582c2af2	9	#include "squid.h"
6ada3123 AR	10	#include "acl/Acl.h"
6ada3123 AR	11	#include "acl/FilledChecklist.h"
6ada3123 AR	12	#include "auth/Acl.h"
6ada3123 AR	13	#include "auth/AclProxyAuth.h"
602d9612	14	#include "auth/UserRequest.h"
582c2af2	15	#include "client_side.h"
ed6e9fb9	16	#include "fatal.h"
d3dddfb5	17	#include "http/Stream.h"
6ada3123 AR	18	#include "HttpRequest.h"
6ada3123 AR	19
ccec22f9 AJ	20	/**
	21	* \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
	22	* \retval ACCESS_DENIED user not authenticated (authentication error?)
	23	* \retval ACCESS_DUNNO user authentication is in progress
	24	* \retval ACCESS_DENIED user not authorized
	25	* \retval ACCESS_ALLOWED user authenticated and authorized
	26	*/
	27	allow_t
6ada3123 AR	28	AuthenticateAcl(ACLChecklist *ch)
6ada3123 AR	29	{
af6a12ee AJ	30	ACLFilledChecklist *checklist = Filled(ch);
af6a12ee AJ	31	HttpRequest *request = checklist->request;
789217a2	32	Http::HdrType headertype;
6ada3123 AR	33
	34	if (NULL == request) {
	35	fatal ("requiresRequest SHOULD have been true for this ACL!!");
ccec22f9	36	return ACCESS_DENIED;
450fe1cb	37	} else if (request->flags.sslBumped) {
21512911	38	debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
cc1e110a	39	checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->getAuth() : request->auth_user_request;
21512911 CT	40	if (checklist->auth_user_request != NULL)
	41	return ACCESS_ALLOWED;
	42	else
	43	return ACCESS_DENIED;
45e5102d	44	} else if (request->flags.accelerated) {
6ada3123	45	/* WWW authorization on accelerated requests */
789217a2	46	headertype = Http::HdrType::AUTHORIZATION;
0d901ef4	47	} else if (request->flags.intercepted \|\| request->flags.interceptTproxy) {
ccec22f9 AJ	48	debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
ccec22f9 AJ	49	return ACCESS_DENIED;
6ada3123 AR	50	} else {
6ada3123 AR	51	/* Proxy authorization on proxy requests */
789217a2	52	headertype = Http::HdrType::PROXY_AUTHORIZATION;
6ada3123 AR	53	}
	54
	55	/* get authed here */
	56	/* Note: this fills in auth_user_request when applicable */
c7baff40	57	const AuthAclState result = Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
ec5858ff	58	&checklist->auth_user_request, headertype, request,
d4806c91	59	checklist->conn(), checklist->src_addr, checklist->al);
6ada3123 AR	60	switch (result) {
	61
	62	case AUTH_ACL_CANNOT_AUTHENTICATE:
ccec22f9 AJ	63	debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
ccec22f9 AJ	64	return ACCESS_DENIED;
6ada3123 AR	65
6ada3123 AR	66	case AUTH_AUTHENTICATED:
ccec22f9	67	return ACCESS_ALLOWED;
6ada3123 AR	68	break;
	69
	70	case AUTH_ACL_HELPER:
6f58d7d7 AR	71	if (checklist->goAsync(ProxyAuthLookup::Instance()))
	72	debugs(28, 4, "returning " << ACCESS_DUNNO << " sending credentials to helper.");
	73	else
	74	debugs(28, 2, "cannot go async; returning " << ACCESS_DUNNO);
ccec22f9	75	return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
6ada3123 AR	76
6ada3123 AR	77	case AUTH_ACL_CHALLENGE:
e0f7153c AR	78	debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");
	79	/* Client is required to resend the request with correct authentication
	80	* credentials. (This may be part of a stateful auth protocol.)
	81	* The request is denied.
	82	*/
ccec22f9	83	return ACCESS_AUTH_REQUIRED;
6ada3123 AR	84
	85	default:
	86	fatal("unexpected authenticateAuthenticate reply\n");
ccec22f9	87	return ACCESS_DENIED;
6ada3123 AR	88	}
6ada3123 AR	89	}
f53969cc	90