src/auth/Acl.cc

   1 /*
   2  * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 #include "squid.h"
  10 #include "acl/Acl.h"
  11 #include "acl/FilledChecklist.h"
  12 #include "auth/Acl.h"
  13 #include "auth/AclProxyAuth.h"
  14 #include "auth/UserRequest.h"
  15 #include "client_side.h"
  16 #include "fatal.h"
  17 #include "http/Stream.h"
  18 #include "HttpRequest.h"
  19
  20 /**
  21  * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
  22  * \retval ACCESS_DENIED        user not authenticated (authentication error?)
  23  * \retval ACCESS_DUNNO         user authentication is in progress
  24  * \retval ACCESS_DENIED        user not authorized
  25  * \retval ACCESS_ALLOWED       user authenticated and authorized
  26  */
  27 Acl::Answer
  28 AuthenticateAcl(ACLChecklist *ch)
  29 {
  30     ACLFilledChecklist *checklist = Filled(ch);
  31     HttpRequest *request = checklist->request;
  32     Http::HdrType headertype;
  33
  34     if (NULL == request) {
  35         fatal ("requiresRequest SHOULD have been true for this ACL!!");
  36         return ACCESS_DENIED;
  37     } else if (request->flags.sslBumped) {
  38         debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
  39         checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->getAuth() : request->auth_user_request;
  40         if (checklist->auth_user_request != NULL)
  41             return ACCESS_ALLOWED;
  42         else
  43             return ACCESS_DENIED;
  44     } else if (request->flags.accelerated) {
  45         /* WWW authorization on accelerated requests */
  46         headertype = Http::HdrType::AUTHORIZATION;
  47     } else if (request->flags.intercepted || request->flags.interceptTproxy) {
  48         debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
  49         return ACCESS_DENIED;
  50     } else {
  51         /* Proxy authorization on proxy requests */
  52         headertype = Http::HdrType::PROXY_AUTHORIZATION;
  53     }
  54
  55     /* get authed here */
  56     /* Note: this fills in auth_user_request when applicable */
  57     const AuthAclState result = Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
  58                                     &checklist->auth_user_request, headertype, request,
  59                                     checklist->conn(), checklist->src_addr, checklist->al);
  60     switch (result) {
  61
  62     case AUTH_ACL_CANNOT_AUTHENTICATE:
  63         debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
  64         return ACCESS_DENIED;
  65
  66     case AUTH_AUTHENTICATED:
  67         return ACCESS_ALLOWED;
  68         break;
  69
  70     case AUTH_ACL_HELPER:
  71         if (checklist->goAsync(ProxyAuthLookup::Instance()))
  72             debugs(28, 4, "returning " << ACCESS_DUNNO << " sending credentials to helper.");
  73         else
  74             debugs(28, 2, "cannot go async; returning " << ACCESS_DUNNO);
  75         return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
  76
  77     case AUTH_ACL_CHALLENGE:
  78         debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");
  79         /* Client is required to resend the request with correct authentication
  80          * credentials. (This may be part of a stateful auth protocol.)
  81          * The request is denied.
  82          */
  83         return ACCESS_AUTH_REQUIRED;
  84
  85     default:
  86         fatal("unexpected authenticateAuthenticate reply\n");
  87         return ACCESS_DENIED;
  88     }
  89 }
  90