Commit | Line | Data |
---|---|---|
582c2af2 | 1 | #include "squid.h" |
6ada3123 AR |
2 | #include "acl/Acl.h" |
3 | #include "acl/FilledChecklist.h" | |
4 | #include "auth/UserRequest.h" | |
5 | #include "auth/Acl.h" | |
6 | #include "auth/AclProxyAuth.h" | |
582c2af2 | 7 | #include "client_side.h" |
6ada3123 AR |
8 | #include "HttpRequest.h" |
9 | ||
/**
 * Decide the outcome of an authentication ACL check for the request attached
 * to the given checklist.
 *
 * Which credentials header is consulted depends on how the request arrived:
 * accelerated requests use HDR_AUTHORIZATION, ordinary proxy requests use
 * HDR_PROXY_AUTHORIZATION. SSL-bumped requests are not authenticated again
 * here, and intercepted requests are denied outright.
 *
 * \param ch  checklist being evaluated; it is converted with Filled() and
 *            its auth_user_request member may be assigned by this call.
 *
 * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
 * \retval ACCESS_DENIED        user not authenticated (authentication error?)
 * \retval ACCESS_DUNNO         user authentication is in progress
 * \retval ACCESS_DENIED        user not authorized
 * \retval ACCESS_ALLOWED       user authenticated and authorized
 */
allow_t
AuthenticateAcl(ACLChecklist *ch)
{
    ACLFilledChecklist *filled = Filled(ch);
    HttpRequest *req = filled->request;

    if (NULL == req) {
        /* An ACL of this kind must never be evaluated without a request. */
        fatal ("requiresRequest SHOULD have been true for this ACL!!");
        /* presumably fatal() does not return; the return keeps every path
         * yielding a value and fails closed if it ever does */
        return ACCESS_DENIED;
    }

    if (req->flags.sslBumped) {
        /* The encapsulated request carries no credentials of its own, so the
         * credentials already attached to the client connection are reused
         * (or those on the request when there is no connection). */
        debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");

        if (filled->conn() != NULL)
            filled->auth_user_request = filled->conn()->getAuth();
        else
            filled->auth_user_request = req->auth_user_request;

        /* NOTE(review): this only tests that a credentials object is present.
         * Whether a non-NULL object always represents a completed, successful
         * authentication is not visible from here - confirm against the code
         * that attaches it to the connection. */
        return filled->auth_user_request != NULL ? ACCESS_ALLOWED : ACCESS_DENIED;
    }

    /* The accelerated flag is tested before the interception flags, so a
     * request that is both accelerated and intercepted is still authenticated. */
    if (!req->flags.accelerated &&
            (req->flags.intercepted || req->flags.interceptTproxy)) {
        debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
        return ACCESS_DENIED;
    }

    /* WWW authorization on accelerated requests,
     * Proxy authorization on proxy requests */
    const http_hdr_type credentialsHeader =
        req->flags.accelerated ? HDR_AUTHORIZATION : HDR_PROXY_AUTHORIZATION;

    /* Run the authentication attempt.
     * Note: this fills in auth_user_request when applicable */
    const AuthAclState authState = Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
                                       &filled->auth_user_request, credentialsHeader, req,
                                       filled->conn(), filled->src_addr);

    switch (authState) {

    case AUTH_ACL_CANNOT_AUTHENTICATE:
        /* NOTE(review): the message text says "authenticated but not
         * authorised" while the state name is CANNOT_AUTHENTICATE. The text
         * is kept as is; keep the mismatch in mind when reading cache.log. */
        debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
        return ACCESS_DENIED;

    case AUTH_AUTHENTICATED:
        return ACCESS_ALLOWED;

    case AUTH_ACL_HELPER:
        /* The verdict is pending: the checklist is switched to the
         * ProxyAuthLookup state and the caller is told the answer is not
         * known yet. */
        debugs(28, 4, HERE << "returning " << ACCESS_DUNNO << " sending credentials to helper.");
        filled->changeState(ProxyAuthLookup::Instance());
        return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states

    case AUTH_ACL_CHALLENGE:
        debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");
        /* Client is required to resend the request with correct authentication
         * credentials. (This may be part of a stateful auth protocol.)
         * The request is denied.
         */
        return ACCESS_AUTH_REQUIRED;

    default:
        /* Any state not handled above is treated as a programming error. */
        fatal("unexpected authenticateAuthenticate reply\n");
        return ACCESS_DENIED;
    }
}