3 #include "acl/FilledChecklist.h"
4 #include "auth/UserRequest.h"
6 #include "auth/AclProxyAuth.h"
7 #include "HttpRequest.h"
10 * \retval ACCESS_AUTH_REQUIRED credentials are missing; an authentication challenge is required.
11 * \retval ACCESS_DENIED user not authenticated (authentication error?)
12 * \retval ACCESS_DUNNO user authentication is in progress
13 * \retval ACCESS_DENIED user not authorized
14 * \retval ACCESS_ALLOWED user authenticated and authorized
17 AuthenticateAcl(ACLChecklist
*ch
)
19 ACLFilledChecklist
*checklist
= Filled(ch
);
20 HttpRequest
*request
= checklist
->request
;
21 http_hdr_type headertype
;
23 if (NULL
== request
) {
24 fatal ("requiresRequest SHOULD have been true for this ACL!!");
26 } else if (request
->flags
.accelerated
) {
27 /* WWW authorization on accelerated requests */
28 headertype
= HDR_AUTHORIZATION
;
29 } else if (request
->flags
.intercepted
|| request
->flags
.spoof_client_ip
) {
30 debugs(28, DBG_IMPORTANT
, "NOTICE: Authentication not applicable on intercepted requests.");
33 /* Proxy authorization on proxy requests */
34 headertype
= HDR_PROXY_AUTHORIZATION
;
38 /* Note: this fills in auth_user_request when applicable */
39 const AuthAclState result
= AuthUserRequest::tryToAuthenticateAndSetAuthUser(
40 &checklist
->auth_user_request
, headertype
, request
,
41 checklist
->conn(), checklist
->src_addr
);
44 case AUTH_ACL_CANNOT_AUTHENTICATE
:
45 debugs(28, 4, HERE
<< "returning " << ACCESS_DENIED
<< " user authenticated but not authorised.");
48 case AUTH_AUTHENTICATED
:
49 return ACCESS_ALLOWED
;
53 debugs(28, 4, HERE
<< "returning " << ACCESS_DENIED
<< " sending credentials to helper.");
54 checklist
->changeState(ProxyAuthLookup::Instance());
55 return ACCESS_DUNNO
; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
57 case AUTH_ACL_CHALLENGE
:
58 debugs(28, 4, HERE
<< "returning " << ACCESS_DENIED
<< " sending authentication challenge.");
59 checklist
->changeState(ProxyAuthNeeded::Instance());
60 return ACCESS_AUTH_REQUIRED
;
63 fatal("unexpected authenticateAuthenticate reply\n");