[thirdparty/squid.git] / src / auth / Acl.cc

#include "squid-old.h"
#include "acl/Acl.h"
#include "acl/FilledChecklist.h"
#include "auth/UserRequest.h"
#include "auth/Acl.h"
#include "auth/AclProxyAuth.h"
#include "HttpRequest.h"

/**
 * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
 * \retval ACCESS_DENIED        user not authenticated (authentication error?)
 * \retval ACCESS_DUNNO         user authentication is in progress
 * \retval ACCESS_DENIED        user not authorized
 * \retval ACCESS_ALLOWED       user authenticated and authorized
 */
allow_t
AuthenticateAcl(ACLChecklist *ch)
{
    ACLFilledChecklist *checklist = Filled(ch);
    HttpRequest *request = checklist->request;
    http_hdr_type headertype;

    if (NULL == request) {
        fatal ("requiresRequest SHOULD have been true for this ACL!!");
        return ACCESS_DENIED;
    } else if (request->flags.sslBumped) {
        debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
        checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->auth_user_request : request->auth_user_request;
        if (checklist->auth_user_request != NULL)
            return ACCESS_ALLOWED;
        else
            return ACCESS_DENIED;
    } else if (request->flags.accelerated) {
        /* WWW authorization on accelerated requests */
        headertype = HDR_AUTHORIZATION;
    } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
        debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
        return ACCESS_DENIED;
    } else {
        /* Proxy authorization on proxy requests */
        headertype = HDR_PROXY_AUTHORIZATION;
    }

    /* get authed here */
    /* Note: this fills in auth_user_request when applicable */
    const AuthAclState result = Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
                                    &checklist->auth_user_request, headertype, request,
                                    checklist->conn(), checklist->src_addr);
    switch (result) {

    case AUTH_ACL_CANNOT_AUTHENTICATE:
        debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
        return ACCESS_DENIED;

    case AUTH_AUTHENTICATED:
        return ACCESS_ALLOWED;
        break;

    case AUTH_ACL_HELPER:
        debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending credentials to helper.");
        checklist->changeState(ProxyAuthLookup::Instance());
        return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states

    case AUTH_ACL_CHALLENGE:
        debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending authentication challenge.");
        checklist->changeState(ProxyAuthNeeded::Instance());
        return ACCESS_AUTH_REQUIRED;

    default:
        fatal("unexpected authenticateAuthenticate reply\n");
        return ACCESS_DENIED;
    }
}
Commit	Line	Data
f7f3304a	1	#include "squid-old.h"
6ada3123 AR	2	#include "acl/Acl.h"
	3	#include "acl/FilledChecklist.h"
	4	#include "auth/UserRequest.h"
	5	#include "auth/Acl.h"
	6	#include "auth/AclProxyAuth.h"
	7	#include "HttpRequest.h"
	8
ccec22f9 AJ	9	/**
	10	* \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
	11	* \retval ACCESS_DENIED user not authenticated (authentication error?)
	12	* \retval ACCESS_DUNNO user authentication is in progress
	13	* \retval ACCESS_DENIED user not authorized
	14	* \retval ACCESS_ALLOWED user authenticated and authorized
	15	*/
	16	allow_t
6ada3123 AR	17	AuthenticateAcl(ACLChecklist *ch)
6ada3123 AR	18	{
af6a12ee AJ	19	ACLFilledChecklist *checklist = Filled(ch);
af6a12ee AJ	20	HttpRequest *request = checklist->request;
6ada3123 AR	21	http_hdr_type headertype;
	22
	23	if (NULL == request) {
	24	fatal ("requiresRequest SHOULD have been true for this ACL!!");
ccec22f9	25	return ACCESS_DENIED;
21512911 CT	26	} else if (request->flags.sslBumped) {
	27	debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
	28	checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->auth_user_request : request->auth_user_request;
	29	if (checklist->auth_user_request != NULL)
	30	return ACCESS_ALLOWED;
	31	else
	32	return ACCESS_DENIED;
6ada3123 AR	33	} else if (request->flags.accelerated) {
	34	/* WWW authorization on accelerated requests */
	35	headertype = HDR_AUTHORIZATION;
	36	} else if (request->flags.intercepted \|\| request->flags.spoof_client_ip) {
ccec22f9 AJ	37	debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
ccec22f9 AJ	38	return ACCESS_DENIED;
6ada3123 AR	39	} else {
	40	/* Proxy authorization on proxy requests */
	41	headertype = HDR_PROXY_AUTHORIZATION;
	42	}
	43
	44	/* get authed here */
	45	/* Note: this fills in auth_user_request when applicable */
c7baff40	46	const AuthAclState result = Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
ec5858ff A	47	&checklist->auth_user_request, headertype, request,
ec5858ff A	48	checklist->conn(), checklist->src_addr);
6ada3123 AR	49	switch (result) {
	50
	51	case AUTH_ACL_CANNOT_AUTHENTICATE:
ccec22f9 AJ	52	debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
ccec22f9 AJ	53	return ACCESS_DENIED;
6ada3123 AR	54
6ada3123 AR	55	case AUTH_AUTHENTICATED:
ccec22f9	56	return ACCESS_ALLOWED;
6ada3123 AR	57	break;
	58
	59	case AUTH_ACL_HELPER:
ccec22f9	60	debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending credentials to helper.");
6ada3123	61	checklist->changeState(ProxyAuthLookup::Instance());
ccec22f9	62	return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
6ada3123 AR	63
6ada3123 AR	64	case AUTH_ACL_CHALLENGE:
ccec22f9 AJ	65	debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending authentication challenge.");
	66	checklist->changeState(ProxyAuthNeeded::Instance());
	67	return ACCESS_AUTH_REQUIRED;
6ada3123 AR	68
	69	default:
	70	fatal("unexpected authenticateAuthenticate reply\n");
ccec22f9	71	return ACCESS_DENIED;
6ada3123 AR	72	}
6ada3123 AR	73	}