src/auth/Acl.cc

   1 #include "squid.h"
   2 #include "acl/Acl.h"
   3 #include "acl/FilledChecklist.h"
   4 #include "auth/UserRequest.h"
   5 #include "auth/Acl.h"
   6 #include "auth/AclProxyAuth.h"
   7 #include "HttpRequest.h"
   8
   9 /**
  10  * \retval -1 user not authenticated (authentication error?)
  11  * \retval  0 user not authorized OR user authentication is in progress
  12  * \retval +1 user authenticated and authorized
  13  */
  14 int
  15 AuthenticateAcl(ACLChecklist *ch)
  16 {
  17     ACLFilledChecklist *checklist = Filled(ch);
  18     HttpRequest *request = checklist->request;
  19     http_hdr_type headertype;
  20
  21     if (NULL == request) {
  22         fatal ("requiresRequest SHOULD have been true for this ACL!!");
  23         return 0;
  24     } else if (request->flags.accelerated) {
  25         /* WWW authorization on accelerated requests */
  26         headertype = HDR_AUTHORIZATION;
  27     } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
  28         debugs(28, DBG_IMPORTANT, HERE << " authentication not applicable on intercepted requests.");
  29         return -1;
  30     } else {
  31         /* Proxy authorization on proxy requests */
  32         headertype = HDR_PROXY_AUTHORIZATION;
  33     }
  34
  35     /* get authed here */
  36     /* Note: this fills in auth_user_request when applicable */
  37     /*
  38      * DPW 2007-05-08
  39      * tryToAuthenticateAndSetAuthUser used to try to lock and
  40      * unlock auth_user_request on our behalf, but it was too
  41      * ugly and hard to follow.  Now we do our own locking here.
  42      *
  43      * AYJ 2009-07-15:
  44      * tryToAuthenticateAndSetAuthUser now only produces the auth_user_request object
  45      * for use here. Will try to authenticate if missing. And fix-up request pointer if unset.
  46      */
  47     const auth_acl_t result = AuthUserRequest::tryToAuthenticateAndSetAuthUser(
  48                                   &checklist->auth_user_request, headertype, request,
  49                                   checklist->conn(), checklist->src_addr);
  50     if (checklist->auth_user_request)
  51         AUTHUSERREQUESTLOCK(checklist->auth_user_request, "ACLAuth::authenticated");
  52
  53     switch (result) {
  54
  55     case AUTH_ACL_CANNOT_AUTHENTICATE:
  56         debugs(28, 4, HERE << "returning  0 user authenticated but not authorised.");
  57         return 0;
  58
  59     case AUTH_AUTHENTICATED:
  60         return 1;
  61         break;
  62
  63     case AUTH_ACL_HELPER:
  64         debugs(28, 4, HERE << "returning 0 sending credentials to helper.");
  65         checklist->changeState(ProxyAuthLookup::Instance());
  66         return 0;
  67
  68     case AUTH_ACL_CHALLENGE:
  69         debugs(28, 4, HERE << "returning 0 sending authentication challenge.");
  70         checklist->changeState (ProxyAuthNeeded::Instance());
  71         return 0;
  72
  73     default:
  74         fatal("unexpected authenticateAuthenticate reply\n");
  75         return 0;
  76     }
  77 }