bbc27441 | 1 | /* |
ef57eb7b | 2 | * Copyright (C) 1996-2016 The Squid Software Foundation and contributors |
3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
582c2af2 | 9 | #include "squid.h" |
10 | #include "acl/Acl.h" |
11 | #include "acl/FilledChecklist.h" | |
12 | #include "auth/Acl.h" |
13 | #include "auth/AclProxyAuth.h" | |
602d9612 | 14 | #include "auth/UserRequest.h" |
582c2af2 | 15 | #include "client_side.h" |
ed6e9fb9 | 16 | #include "fatal.h" |
8d664cb0 | 17 | #include "http/StreamContext.h" |
18 | #include "HttpRequest.h" |
/**
 * Authenticate (and authorize) the client behind the request on the checklist.
 *
 * Picks the credentials header that applies to this kind of request and
 * hands it to Auth::UserRequest for validation. A bumped request is never
 * re-authenticated here: it is allowed only if credentials are already
 * attached to the client connection (or to the request itself), otherwise
 * it is denied without a challenge. Intercepted traffic is always denied.
 *
 * \param ch the checklist being evaluated; its request must be set
 * \retval ACCESS_AUTH_REQUIRED credentials missing; a challenge must be sent
 * \retval ACCESS_DUNNO a helper lookup is in progress (or could not be started)
 * \retval ACCESS_DENIED not authenticated, not authorized, or request type unsupported
 * \retval ACCESS_ALLOWED user authenticated and authorized
 */
allow_t
AuthenticateAcl(ACLChecklist *ch)
{
    ACLFilledChecklist * const checklist = Filled(ch);
    HttpRequest * const request = checklist->request;

    if (request == nullptr) {
        fatal ("requiresRequest SHOULD have been true for this ACL!!");
        return ACCESS_DENIED;
    }

    if (request->flags.sslBumped) {
        debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
        // reuse whatever the bumped connection already holds; fall back to the
        // request's own credentials when there is no client connection
        auto * const clientConn = checklist->conn();
        checklist->auth_user_request = (clientConn != nullptr) ? clientConn->getAuth() : request->auth_user_request;
        return (checklist->auth_user_request != nullptr) ? ACCESS_ALLOWED : ACCESS_DENIED;
    }

    // Plain proxy requests carry Proxy-Authorization; accelerated (reverse
    // proxy) requests carry WWW Authorization. The accelerated check comes
    // first so that it wins over the intercept flags, as before.
    Http::HdrType headertype = Http::HdrType::PROXY_AUTHORIZATION;
    if (request->flags.accelerated) {
        headertype = Http::HdrType::AUTHORIZATION;
    } else if (request->flags.intercepted || request->flags.interceptTproxy) {
        debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
        return ACCESS_DENIED;
    }

    // Validates the credentials and, where applicable, stores the resulting
    // user request on the checklist for later ACLs.
    const AuthAclState authState = Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
        &checklist->auth_user_request, headertype, request,
        checklist->conn(), checklist->src_addr, checklist->al);

    switch (authState) {

    case AUTH_ACL_CANNOT_AUTHENTICATE:
        debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
        return ACCESS_DENIED;

    case AUTH_AUTHENTICATED:
        return ACCESS_ALLOWED;

    case AUTH_ACL_HELPER:
        // Either way the answer is DUNNO; the debug level records whether the
        // asynchronous helper lookup was actually started.
        if (checklist->goAsync(ProxyAuthLookup::Instance()))
            debugs(28, 4, "returning " << ACCESS_DUNNO << " sending credentials to helper.");
        else
            debugs(28, 2, "cannot go async; returning " << ACCESS_DUNNO);
        return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states

    case AUTH_ACL_CHALLENGE:
        debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");
        // The client must resend the request with valid credentials (this may
        // be one step of a stateful auth protocol); the current request is denied.
        return ACCESS_AUTH_REQUIRED;

    default:
        fatal("unexpected authenticateAuthenticate reply\n");
        return ACCESS_DENIED;
    }
}