src/auth/Acl.cc

   1 #include "squid.h"
   2 #include "acl/Acl.h"
   3 #include "acl/FilledChecklist.h"
   4 #include "auth/UserRequest.h"
   5 #include "auth/Acl.h"
   6 #include "auth/AclProxyAuth.h"
   7 #include "client_side.h"
   8 #include "HttpRequest.h"
   9
  10 /**
  11  * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
  12  * \retval ACCESS_DENIED        user not authenticated (authentication error?)
  13  * \retval ACCESS_DUNNO         user authentication is in progress
  14  * \retval ACCESS_DENIED        user not authorized
  15  * \retval ACCESS_ALLOWED       user authenticated and authorized
  16  */
  17 allow_t
  18 AuthenticateAcl(ACLChecklist *ch)
  19 {
  20     ACLFilledChecklist *checklist = Filled(ch);
  21     HttpRequest *request = checklist->request;
  22     http_hdr_type headertype;
  23
  24     if (NULL == request) {
  25         fatal ("requiresRequest SHOULD have been true for this ACL!!");
  26         return ACCESS_DENIED;
  27     } else if (request->flags.sslBumped) {
  28         debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
  29         checklist->auth_user_request = checklist->conn() != NULL ? checklist->conn()->getAuth() : request->auth_user_request;
  30         if (checklist->auth_user_request != NULL)
  31             return ACCESS_ALLOWED;
  32         else
  33             return ACCESS_DENIED;
  34     } else if (request->flags.accelerated) {
  35         /* WWW authorization on accelerated requests */
  36         headertype = HDR_AUTHORIZATION;
  37     } else if (request->flags.intercepted || request->flags.interceptTproxy) {
  38         debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
  39         return ACCESS_DENIED;
  40     } else {
  41         /* Proxy authorization on proxy requests */
  42         headertype = HDR_PROXY_AUTHORIZATION;
  43     }
  44
  45     /* get authed here */
  46     /* Note: this fills in auth_user_request when applicable */
  47     const AuthAclState result = Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
  48                                     &checklist->auth_user_request, headertype, request,
  49                                     checklist->conn(), checklist->src_addr);
  50     switch (result) {
  51
  52     case AUTH_ACL_CANNOT_AUTHENTICATE:
  53         debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
  54         return ACCESS_DENIED;
  55
  56     case AUTH_AUTHENTICATED:
  57         return ACCESS_ALLOWED;
  58         break;
  59
  60     case AUTH_ACL_HELPER:
  61         if (checklist->goAsync(ProxyAuthLookup::Instance()))
  62             debugs(28, 4, "returning " << ACCESS_DUNNO << " sending credentials to helper.");
  63         else
  64             debugs(28, 2, "cannot go async; returning " << ACCESS_DUNNO);
  65         return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
  66
  67     case AUTH_ACL_CHALLENGE:
  68         debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");
  69         /* Client is required to resend the request with correct authentication
  70          * credentials. (This may be part of a stateful auth protocol.)
  71          * The request is denied.
  72          */
  73         return ACCESS_AUTH_REQUIRED;
  74
  75     default:
  76         fatal("unexpected authenticateAuthenticate reply\n");
  77         return ACCESS_DENIED;
  78     }
  79 }