git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/AclProxyAuth.cc
2 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
12 #include "acl/FilledChecklist.h"
13 #include "acl/RegexData.h"
14 #include "acl/UserData.h"
16 #include "auth/AclProxyAuth.h"
17 #include "auth/Gadgets.h"
18 #include "auth/User.h"
19 #include "auth/UserRequest.h"
20 #include "client_side.h"
21 #include "http/Stream.h"
22 #include "HttpRequest.h"
24 ACLProxyAuth::~ACLProxyAuth()
29 ACLProxyAuth::ACLProxyAuth(ACLData
<char const *> *newData
, char const *theType
) :
34 ACLProxyAuth::ACLProxyAuth(ACLProxyAuth
const &old
) :
35 data(old
.data
->clone()),
40 ACLProxyAuth::operator=(ACLProxyAuth
const &rhs
)
42 data
= rhs
.data
->clone();
48 ACLProxyAuth::typeString() const
/// Parses the flags of this ACL line.
/// No ACL-level options are offered (Acl::NoOptions()); the only flags
/// accepted are the ones the attached data object reports as supported.
void
ACLProxyAuth::parseFlags()
{
    const auto &flagsFromData = data->supportedFlags();
    ParseFlags(Acl::NoOptions(), flagsFromData);
}
66 ACLProxyAuth::match(ACLChecklist
*checklist
)
68 allow_t answer
= AuthenticateAcl(checklist
);
70 // convert to tri-state ACL match 1,0,-1
74 return matchProxyAuth(checklist
);
77 return 0; // non-match
80 case ACCESS_AUTH_REQUIRED
:
82 // If the answer is not allowed or denied (matches/not matches) and
83 // async authentication is not in progress, then we are done.
84 if (checklist
->keepMatching())
85 checklist
->markFinished(answer
, "AuthenticateAcl exception");
91 ACLProxyAuth::dump() const
97 ACLProxyAuth::empty() const
103 ACLProxyAuth::valid() const
105 if (authenticateSchemeCount() == 0) {
106 debugs(28, DBG_CRITICAL
, "Can't use proxy auth because no authentication schemes were compiled.");
110 if (authenticateActiveSchemeCount() == 0) {
111 debugs(28, DBG_CRITICAL
, "Can't use proxy auth because no authentication schemes are fully configured.");
// Definition of the class-level ProxyAuthLookup object. LookupDone() resumes
// the checklist with ProxyAuthLookup::Instance(); presumably that accessor
// hands out this object -- its body is not visible here, confirm.
ProxyAuthLookup ProxyAuthLookup::instance_;
121 ProxyAuthLookup::Instance()
/// Hands the credentials attached to the checklist over to the authenticator.
/// LookupDone() is registered as the completion callback and receives the
/// filled checklist back as its opaque argument.
/// \param cl checklist being evaluated; converted with Filled() before use
void
ProxyAuthLookup::checkForAsync(ACLChecklist *cl) const
{
    ACLFilledChecklist *filled = Filled(cl);
    const auto &authRequest = filled->auth_user_request;

    debugs(28, 3, HERE << "checking password via authenticator");

    // Precondition: an earlier step must have attached a valid
    // auth_user_request to the checklist. A violation is treated as a
    // programming error rather than a client-triggerable condition.
    // NOTE(review): what a failed assert does to the running proxy depends on
    // how assert() is defined in this build -- confirm it cannot be reached
    // from a request that simply carries no or malformed credentials.
    assert(authRequest != NULL);
    assert(authRequest->valid());

    authRequest->start(filled->request, filled->al, LookupDone, filled);
}
/// Completion callback for the lookup started in checkForAsync().
/// When the credentials could not be verified, or the client connection is
/// gone, the request-level credentials are dropped and any authentication
/// state on a still-open connection is cleared before the ACL check resumes.
/// \param data opaque callback argument; expected to be the checklist that
///        checkForAsync() passed to start(). The cast below is unchecked.
void
ProxyAuthLookup::LookupDone(void *data)
{
    ACLFilledChecklist *filled = Filled(static_cast<ACLChecklist *>(data));

    // Evaluated in the same order as a single short-circuit condition:
    // missing request, then invalid request, then closed connection.
    const bool credentialsUnusable =
        filled->auth_user_request == NULL || !filled->auth_user_request->valid();

    if (credentialsUnusable || filled->conn() == NULL) {
        /* credentials could not be checked either way
         * restart the whole process */
        /* OR the connection was closed, there's no way to continue */
        filled->auth_user_request = NULL;

        // Also reset the connection's authentication state, so unverified
        // credentials do not stay associated with a connection that is
        // still open.
        if (filled->conn() != NULL)
            filled->conn()->setAuth(NULL, "proxy_auth ACL failure");
    }

    // Resume the checklist on both the success and the failure path.
    filled->resumeNonBlockingCheck(ProxyAuthLookup::Instance());
}
/// Creates a heap-allocated copy of this ACL through the copy constructor,
/// which in turn clones the attached data object.
/// \return the new object; ownership passes to the caller
ACL *
ACLProxyAuth::clone() const
{
    ACLProxyAuth *duplicate = new ACLProxyAuth(*this);
    return duplicate;
}
/// Matches the user name carried by the checklist's auth_user_request against
/// this ACL's data.
/// \param cl checklist being evaluated; converted with Filled() before use
/// \return the result of data->match() for that user name, as an int
int
ACLProxyAuth::matchForCache(ACLChecklist *cl)
{
    ACLFilledChecklist *filled = Filled(cl);

    // The user name is read straight from the request object, so it has to
    // exist. NOTE(review): confirm every caller guarantees this, since the
    // assert is the only guard in front of the dereference below.
    assert(filled->auth_user_request != NULL);

    char const *login = filled->auth_user_request->username();
    return data->match(login);
}
172 /* aclMatchProxyAuth can return two exit codes:
173 * 0 : Authorisation for this ACL failed. (Did not match)
174 * 1 : Authorisation OK. (Matched)
177 ACLProxyAuth::matchProxyAuth(ACLChecklist
*cl
)
179 ACLFilledChecklist
*checklist
= Filled(cl
);
180 if (checklist
->request
->flags
.sslBumped
)
181 return 1; // AuthenticateAcl() already handled this bumped request
182 if (!authenticateUserAuthenticated(Filled(checklist
)->auth_user_request
)) {
185 /* check to see if we have matched the user-acl before */
186 int result
= cacheMatchAcl(&checklist
->auth_user_request
->user()->proxy_match_cache
, checklist
);
187 checklist
->auth_user_request
= NULL
;