Convert AuthenticateAcl() to use new ACL states
1 #include "squid.h"
2 #include "acl/Acl.h"
3 #include "acl/FilledChecklist.h"
4 #include "auth/UserRequest.h"
5 #include "auth/Acl.h"
6 #include "auth/AclProxyAuth.h"
7 #include "HttpRequest.h"
8
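/**
 * Authenticate the client behind an ACL check and translate the
 * authentication state into an ACL verdict.
 *
 * The credentials header is selected from the request flags: accelerated
 * requests use HDR_AUTHORIZATION, ordinary proxy requests use
 * HDR_PROXY_AUTHORIZATION. Intercepted requests and requests that spoof the
 * client IP are denied without attempting authentication.
 *
 * \param ch checklist under evaluation; it is converted with Filled() and is
 *           expected to carry a request
 *
 * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
 * \retval ACCESS_DUNNO         user authentication is in progress (helper lookup scheduled)
 * \retval ACCESS_ALLOWED       authentication succeeded (AUTH_AUTHENTICATED)
 * \retval ACCESS_DENIED        authentication not possible or not applicable
 *                              (intercepted request, AUTH_ACL_CANNOT_AUTHENTICATE,
 *                              or an unexpected authentication state)
 */
allow_t
AuthenticateAcl(ACLChecklist *ch)
{
    ACLFilledChecklist *checklist = Filled(ch);
    HttpRequest *request = checklist->request;

    if (NULL == request) {
        fatal("requiresRequest SHOULD have been true for this ACL!!");
        /* fatal() is expected not to return; the explicit denial keeps this path fail-closed */
        return ACCESS_DENIED;
    }

    http_hdr_type headertype;

    if (request->flags.accelerated) {
        /* WWW authorization on accelerated requests */
        headertype = HDR_AUTHORIZATION;
    } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
        /* deny outright rather than challenge: no credentials header is consulted on this path */
        debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
        return ACCESS_DENIED;
    } else {
        /* Proxy authorization on proxy requests */
        headertype = HDR_PROXY_AUTHORIZATION;
    }

    /* get authed here */
    /* Note: this fills in auth_user_request when applicable */
    const AuthAclState result = AuthUserRequest::tryToAuthenticateAndSetAuthUser(
                                    &checklist->auth_user_request, headertype, request,
                                    checklist->conn(), checklist->src_addr);

    switch (result) {

    case AUTH_ACL_CANNOT_AUTHENTICATE:
        /* NOTE(review): the text says "authenticated but not authorised" while the
         * state is named CANNOT_AUTHENTICATE; confirm which wording is intended
         * before relying on this line during log triage. */
        debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
        return ACCESS_DENIED;

    case AUTH_AUTHENTICATED:
        return ACCESS_ALLOWED;

    case AUTH_ACL_HELPER:
        /* log the verdict that is actually returned so the debug trace matches the ACL outcome */
        debugs(28, 4, HERE << "returning " << ACCESS_DUNNO << " sending credentials to helper.");
        checklist->changeState(ProxyAuthLookup::Instance());
        return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states

    case AUTH_ACL_CHALLENGE:
        /* log the verdict that is actually returned so the debug trace matches the ACL outcome */
        debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");
        checklist->changeState(ProxyAuthNeeded::Instance());
        return ACCESS_AUTH_REQUIRED;

    default:
        fatal("unexpected authenticateAuthenticate reply\n");
        /* any state not handled above must never grant access */
        return ACCESS_DENIED;
    }
}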