2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
12 #include "acl/FilledChecklist.h"
13 #include "acl/RegexData.h"
14 #include "acl/UserData.h"
16 #include "auth/AclProxyAuth.h"
17 #include "auth/Gadgets.h"
18 #include "auth/User.h"
19 #include "auth/UserRequest.h"
20 #include "client_side.h"
21 #include "http/Stream.h"
22 #include "HttpRequest.h"
24 ACLProxyAuth::~ACLProxyAuth()
29 ACLProxyAuth::ACLProxyAuth(ACLData
<char const *> *newData
, char const *theType
) :
35 ACLProxyAuth::typeString() const
/* Line options for this ACL are whatever the underlying data object
 * reports; this class adds none of its own. */
const Acl::Options &
ACLProxyAuth::lineOptions()
{
    const auto &dataOptions = data->lineOptions();
    return dataOptions;
}
53 ACLProxyAuth::match(ACLChecklist
*checklist
)
55 auto answer
= AuthenticateAcl(checklist
);
57 // convert to tri-state ACL match 1,0,-1
61 return matchProxyAuth(checklist
);
64 return 0; // non-match
67 case ACCESS_AUTH_REQUIRED
:
69 // If the answer is not allowed or denied (matches/not matches) and
70 // async authentication is not in progress, then we are done.
71 if (checklist
->keepMatching())
72 checklist
->markFinished(answer
, "AuthenticateAcl exception");
78 ACLProxyAuth::dump() const
84 ACLProxyAuth::empty() const
90 ACLProxyAuth::valid() const
92 if (authenticateSchemeCount() == 0) {
93 debugs(28, DBG_CRITICAL
, "ERROR: Cannot use proxy auth because no authentication schemes were compiled.");
97 if (authenticateActiveSchemeCount() == 0) {
98 debugs(28, DBG_CRITICAL
, "ERROR: Cannot use proxy auth because no authentication schemes are fully configured.");
/* Definition of the static ProxyAuthLookup object declared as
 * ProxyAuthLookup::instance_. */
ProxyAuthLookup ProxyAuthLookup::instance_;
108 ProxyAuthLookup::Instance()
/* Starts the credentials check for the request attached to the checklist.
 * LookupDone() is registered as the completion callback and receives the
 * checklist back as its opaque data pointer. */
void
ProxyAuthLookup::checkForAsync(ACLChecklist *cl) const
{
    ACLFilledChecklist *const filled = Filled(cl);

    debugs(28, 3, "checking password via authenticator");

    // An earlier step must already have attached a usable auth_user_request.
    // NOTE(review): both conditions are asserted, so a missing or invalid
    // request is treated as a programming error rather than as an
    // authentication failure -- confirm every caller guarantees them.
    assert(filled->auth_user_request != nullptr);
    assert(filled->auth_user_request->valid());

    filled->auth_user_request->start(filled->request, filled->al, LookupDone, filled);
}
/* Completion callback handed to auth_user_request->start() by
 * checkForAsync(). 'data' is the ACLChecklist that was passed as callback
 * data; the non-blocking ACL check is resumed in every case. */
void
ProxyAuthLookup::LookupDone(void *data)
{
    ACLFilledChecklist *const filled = Filled(static_cast<ACLChecklist *>(data));

    // Either the credentials could not be checked one way or the other, or
    // the client connection has gone away and there is no way to continue.
    const bool lookupUnusable = filled->auth_user_request == nullptr ||
                                !filled->auth_user_request->valid() ||
                                filled->conn() == nullptr;

    if (lookupUnusable) {
        // Drop the request so the whole authentication process restarts
        // instead of continuing with credentials that were never verified.
        filled->auth_user_request = nullptr;

        // Presumably also clears the authentication state kept on the
        // connection -- NOTE(review): confirm against setAuth().
        if (filled->conn() != nullptr)
            filled->conn()->setAuth(nullptr, "proxy_auth ACL failure");
    }

    filled->resumeNonBlockingCheck(ProxyAuthLookup::Instance());
}
/* Matches the name reported by the checklist's auth_user_request against
 * this ACL's data and returns the result of that match. */
int
ACLProxyAuth::matchForCache(ACLChecklist *cl)
{
    ACLFilledChecklist *const filled = Filled(cl);

    // Precondition: an auth_user_request is attached. It is asserted, not
    // handled, so callers must only get here after authentication ran.
    assert(filled->auth_user_request != nullptr);

    const auto userName = filled->auth_user_request->username();
    return data->match(userName);
}
153 /* aclMatchProxyAuth can return two exit codes:
154 * 0 : Authorisation for this ACL failed. (Did not match)
155 * 1 : Authorisation OK. (Matched)
158 ACLProxyAuth::matchProxyAuth(ACLChecklist
*cl
)
160 ACLFilledChecklist
*checklist
= Filled(cl
);
161 if (!checklist
->request
->flags
.sslBumped
) {
162 if (!authenticateUserAuthenticated(checklist
->auth_user_request
)) {
166 /* check to see if we have matched the user-acl before */
167 int result
= cacheMatchAcl(&checklist
->auth_user_request
->user()->proxy_match_cache
, checklist
);
168 checklist
->auth_user_request
= nullptr;