Commit | Line | Data |
---|---|---|
f7f3304a | 1 | #include "squid-old.h" |
6ada3123 AR |
2 | #include "acl/Acl.h" |
3 | #include "acl/FilledChecklist.h" | |
4 | #include "auth/UserRequest.h" | |
5 | #include "auth/Acl.h" | |
6 | #include "auth/AclProxyAuth.h" | |
7 | #include "HttpRequest.h" | |
8 | ||
/**
 * Decide the outcome of an authentication ACL for the transaction behind
 * the given checklist.
 *
 * The checklist is converted with Filled() and its auth_user_request member
 * is filled in as a side effect when applicable. When credentials have to be
 * sent to a helper, the checklist is moved into the ProxyAuthLookup state
 * before returning.
 *
 * \param ch  checklist being evaluated; its request must be set.
 *
 * \retval ACCESS_AUTH_REQUIRED  a challenge has to be sent to the client.
 * \retval ACCESS_DUNNO          credentials were handed to a helper; lookup is in progress.
 * \retval ACCESS_ALLOWED        the user was authenticated, or an SSL-bumped request
 *                               already carries an authenticated user.
 * \retval ACCESS_DENIED         every other case: no request, an SSL-bumped request
 *                               without a user, an intercepted or client-IP-spoofing
 *                               request, an authentication failure, or an unexpected
 *                               authentication result.
 */
allow_t
AuthenticateAcl(ACLChecklist *ch)
{
    ACLFilledChecklist *checklist = Filled(ch);
    HttpRequest *request = checklist->request;

    if (NULL == request) {
        fatal ("requiresRequest SHOULD have been true for this ACL!!");
        /* fatal() is expected not to return; the explicit denial keeps this
         * path fail-closed if it ever does. */
        return ACCESS_DENIED;
    }

    if (request->flags.sslBumped) {
        /* No credentials header is evaluated on this path. The verdict rests
         * only on whether a user is already attached to the client connection
         * (or to the request itself when there is no connection).
         * NOTE(review): presumably that user was established on the enclosing
         * CONNECT - confirm against the callers that set it. */
        debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");

        if (checklist->conn() != NULL)
            checklist->auth_user_request = checklist->conn()->auth_user_request;
        else
            checklist->auth_user_request = request->auth_user_request;

        if (checklist->auth_user_request != NULL)
            return ACCESS_ALLOWED;

        return ACCESS_DENIED;
    }

    /* Select which request header carries the credentials. */
    http_hdr_type headertype;

    if (request->flags.accelerated) {
        /* WWW authorization on accelerated requests */
        headertype = HDR_AUTHORIZATION;
    } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
        /* Intercepted and client-IP-spoofing traffic is never authenticated
         * here; it is refused outright.
         * NOTE(review): logged at DBG_IMPORTANT for every such request -
         * confirm the resulting log volume is acceptable. */
        debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
        return ACCESS_DENIED;
    } else {
        /* Proxy authorization on proxy requests */
        headertype = HDR_PROXY_AUTHORIZATION;
    }

    /* Perform the authentication attempt.
     * Note: this fills in auth_user_request when applicable. */
    const AuthAclState outcome = Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
                                     &checklist->auth_user_request, headertype, request,
                                     checklist->conn(), checklist->src_addr);

    switch (outcome) {

    case AUTH_AUTHENTICATED:
        return ACCESS_ALLOWED;

    case AUTH_ACL_CANNOT_AUTHENTICATE:
        /* NOTE(review): the message text says "authenticated but not
         * authorised", while the state name suggests authentication itself
         * could not be completed - confirm which is meant before relying on
         * this line when reading access logs. */
        debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
        return ACCESS_DENIED;

    case AUTH_ACL_HELPER:
        debugs(28, 4, HERE << "returning " << ACCESS_DUNNO << " sending credentials to helper.");
        /* Move the checklist into the lookup state before reporting DUNNO. */
        checklist->changeState(ProxyAuthLookup::Instance());
        // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
        return ACCESS_DUNNO;

    case AUTH_ACL_CHALLENGE:
        debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");
        /* The client has to resend the request with correct authentication
         * credentials (this may be one step of a stateful auth protocol).
         * The current request is denied. */
        return ACCESS_AUTH_REQUIRED;

    default:
        /* Any result not handled above is treated as a fatal error, with a
         * denial as the fallback return value. */
        fatal("unexpected authenticateAuthenticate reply\n");
        return ACCESS_DENIED;
    }
}