projects / thirdparty / squid.git / blame
| Commit | Line | Data |
|---|---|---|
| 582c2af2 | 1 | #include "squid.h" |
| 6ada3123 AR |
2 | #include "acl/Acl.h" |
| 3 | #include "acl/FilledChecklist.h" | |
| 6ada3123 AR |
4 | #include "auth/Acl.h" |
| 5 | #include "auth/AclProxyAuth.h" | |
| 602d9612 | 6 | #include "auth/UserRequest.h" |
| 582c2af2 | 7 | #include "client_side.h" |
| 6ada3123 AR |
8 | #include "HttpRequest.h" |
| 9 | ||
| ccec22f9 AJ |
10 | /** |
| 11 | * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required. | |
| 12 | * \retval ACCESS_DENIED user not authenticated (authentication error?) | |
| 13 | * \retval ACCESS_DUNNO user authentication is in progress | |
| 14 | * \retval ACCESS_DENIED user not authorized | |
| 15 | * \retval ACCESS_ALLOWED user authenticated and authorized | |
| 16 | */ | |
| 17 | allow_t | |
| 6ada3123 AR |
18 | AuthenticateAcl(ACLChecklist *ch) |
| 19 | { | |
| af6a12ee AJ |
20 | ACLFilledChecklist *checklist = Filled(ch); |
| 21 | HttpRequest *request = checklist->request; | |
| 6ada3123 AR |
22 | http_hdr_type headertype; |
| 23 | ||
| 24 | if (NULL == request) { | |
| 25 | fatal ("requiresRequest SHOULD have been true for this ACL!!"); | |
| ccec22f9 | 26 | return ACCESS_DENIED; |
| 450fe1cb | 27 | } else if (request->flags.sslBumped) { |
| 21512911 | 28 | debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate"); |
| cc1e110a | 29 | checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->getAuth() : request->auth_user_request; |
| 21512911 CT |
30 | if (checklist->auth_user_request != NULL) |
| 31 | return ACCESS_ALLOWED; | |
| 32 | else | |
| 33 | return ACCESS_DENIED; | |
| 45e5102d | 34 | } else if (request->flags.accelerated) { |
| 6ada3123 AR |
35 | /* WWW authorization on accelerated requests */ |
| 36 | headertype = HDR_AUTHORIZATION; | |
| 0d901ef4 | 37 | } else if (request->flags.intercepted || request->flags.interceptTproxy) { |
| ccec22f9 AJ |
38 | debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests."); |
| 39 | return ACCESS_DENIED; | |
| 6ada3123 AR |
40 | } else { |
| 41 | /* Proxy authorization on proxy requests */ | |
| 42 | headertype = HDR_PROXY_AUTHORIZATION; | |
| 43 | } | |
| 44 | ||
| 45 | /* get authed here */ | |
| 46 | /* Note: this fills in auth_user_request when applicable */ | |
| c7baff40 | 47 | const AuthAclState result = Auth::UserRequest::tryToAuthenticateAndSetAuthUser( |
| ec5858ff A |
48 | &checklist->auth_user_request, headertype, request, |
| 49 | checklist->conn(), checklist->src_addr); | |
| 6ada3123 AR |
50 | switch (result) { |
| 51 | ||
| 52 | case AUTH_ACL_CANNOT_AUTHENTICATE: | |
| ccec22f9 AJ |
53 | debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised."); |
| 54 | return ACCESS_DENIED; | |
| 6ada3123 AR |
55 | |
| 56 | case AUTH_AUTHENTICATED: | |
| ccec22f9 | 57 | return ACCESS_ALLOWED; |
| 6ada3123 AR |
58 | break; |
| 59 | ||
| 60 | case AUTH_ACL_HELPER: | |
| 6f58d7d7 AR |
61 | if (checklist->goAsync(ProxyAuthLookup::Instance())) |
| 62 | debugs(28, 4, "returning " << ACCESS_DUNNO << " sending credentials to helper."); | |
| 63 | else | |
| 64 | debugs(28, 2, "cannot go async; returning " << ACCESS_DUNNO); | |
| ccec22f9 | 65 | return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states |
| 6ada3123 AR |
66 | |
| 67 | case AUTH_ACL_CHALLENGE: | |
| e0f7153c AR |
68 | debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge."); |
| 69 | /* Client is required to resend the request with correct authentication | |
| 70 | * credentials. (This may be part of a stateful auth protocol.) | |
| 71 | * The request is denied. | |
| 72 | */ | |
| ccec22f9 | 73 | return ACCESS_AUTH_REQUIRED; |
| 6ada3123 AR |
74 | |
| 75 | default: | |
| 76 | fatal("unexpected authenticateAuthenticate reply\n"); | |
| ccec22f9 | 77 | return ACCESS_DENIED; |
| 6ada3123 AR |
78 | } |
| 79 | } |