3 #include "acl/FilledChecklist.h"
4 #include "auth/UserRequest.h"
6 #include "auth/AclProxyAuth.h"
7 #include "client_side.h"
8 #include "HttpRequest.h"
11 * \retval ACCESS_AUTH_REQUIRED credentials are missing; an authentication challenge is required.
12 * \retval ACCESS_DENIED user not authenticated (authentication error?)
13 * \retval ACCESS_DUNNO user authentication is in progress
14 * \retval ACCESS_DENIED user not authorized
15 * \retval ACCESS_ALLOWED user authenticated and authorized
18 AuthenticateAcl(ACLChecklist
*ch
)
20 ACLFilledChecklist
*checklist
= Filled(ch
);
21 HttpRequest
*request
= checklist
->request
;
22 http_hdr_type headertype
;
24 if (NULL
== request
) {
25 fatal ("requiresRequest SHOULD have been true for this ACL!!");
27 } else if (request
->flags
.sslBumped
) {
28 debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
29 checklist
->auth_user_request
= checklist
->conn() != NULL
? checklist
->conn()->auth_user_request
: request
->auth_user_request
;
30 if (checklist
->auth_user_request
!= NULL
)
31 return ACCESS_ALLOWED
;
34 } else if (request
->flags
.accelerated
) {
35 /* WWW authorization on accelerated requests */
36 headertype
= HDR_AUTHORIZATION
;
37 } else if (request
->flags
.intercepted
|| request
->flags
.spoof_client_ip
) {
38 debugs(28, DBG_IMPORTANT
, "NOTICE: Authentication not applicable on intercepted requests.");
41 /* Proxy authorization on proxy requests */
42 headertype
= HDR_PROXY_AUTHORIZATION
;
46 /* Note: this fills in auth_user_request when applicable */
47 const AuthAclState result
= Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
48 &checklist
->auth_user_request
, headertype
, request
,
49 checklist
->conn(), checklist
->src_addr
);
52 case AUTH_ACL_CANNOT_AUTHENTICATE
:
53 debugs(28, 4, HERE
<< "returning " << ACCESS_DENIED
<< " user authenticated but not authorised.");
56 case AUTH_AUTHENTICATED
:
57 return ACCESS_ALLOWED
;
61 debugs(28, 4, HERE
<< "returning " << ACCESS_DUNNO
<< " sending credentials to helper.");
62 checklist
->changeState(ProxyAuthLookup::Instance());
63 return ACCESS_DUNNO
; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
65 case AUTH_ACL_CHALLENGE
:
66 debugs(28, 4, HERE
<< "returning " << ACCESS_AUTH_REQUIRED
<< " sending authentication challenge.");
67 /* Client is required to resend the request with correct authentication
68 * credentials. (This may be part of a stateful auth protocol.)
69 * The request is denied.
71 return ACCESS_AUTH_REQUIRED
;
74 fatal("unexpected authenticateAuthenticate reply\n");