2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
11 #include "acl/FilledChecklist.h"
13 #include "auth/AclProxyAuth.h"
14 #include "auth/UserRequest.h"
15 #include "client_side.h"
17 #include "http/Stream.h"
18 #include "HttpRequest.h"
/**
 * \retval ACCESS_AUTH_REQUIRED credentials missing; a challenge is required.
 * \retval ACCESS_DENIED user not authenticated (authentication error?)
 * \retval ACCESS_DUNNO user authentication is in progress
 * \retval ACCESS_DENIED user not authorized
 * \retval ACCESS_ALLOWED user authenticated and authorized
 */
28 AuthenticateAcl(ACLChecklist
*ch
)
30 ACLFilledChecklist
*checklist
= Filled(ch
);
31 HttpRequest
*request
= checklist
->request
;
32 Http::HdrType headertype
;
34 if (NULL
== request
) {
35 fatal ("requiresRequest SHOULD have been true for this ACL!!");
37 } else if (request
->flags
.sslBumped
) {
38 debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
39 checklist
->auth_user_request
= checklist
->conn() != NULL
? checklist
->conn()->getAuth() : request
->auth_user_request
;
40 if (checklist
->auth_user_request
!= NULL
)
41 return ACCESS_ALLOWED
;
44 } else if (request
->flags
.accelerated
) {
45 /* WWW authorization on accelerated requests */
46 headertype
= Http::HdrType::AUTHORIZATION
;
47 } else if (request
->flags
.intercepted
|| request
->flags
.interceptTproxy
) {
48 debugs(28, DBG_IMPORTANT
, "NOTICE: Authentication not applicable on intercepted requests.");
51 /* Proxy authorization on proxy requests */
52 headertype
= Http::HdrType::PROXY_AUTHORIZATION
;
56 /* Note: this fills in auth_user_request when applicable */
57 const AuthAclState result
= Auth::UserRequest::tryToAuthenticateAndSetAuthUser(
58 &checklist
->auth_user_request
, headertype
, request
,
59 checklist
->conn(), checklist
->src_addr
, checklist
->al
);
62 case AUTH_ACL_CANNOT_AUTHENTICATE
:
63 debugs(28, 4, HERE
<< "returning " << ACCESS_DENIED
<< " user authenticated but not authorised.");
66 case AUTH_AUTHENTICATED
:
67 return ACCESS_ALLOWED
;
71 if (checklist
->goAsync(ProxyAuthLookup::Instance()))
72 debugs(28, 4, "returning " << ACCESS_DUNNO
<< " sending credentials to helper.");
74 debugs(28, 2, "cannot go async; returning " << ACCESS_DUNNO
);
75 return ACCESS_DUNNO
; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
77 case AUTH_ACL_CHALLENGE
:
78 debugs(28, 4, HERE
<< "returning " << ACCESS_AUTH_REQUIRED
<< " sending authentication challenge.");
79 /* Client is required to resend the request with correct authentication
80 * credentials. (This may be part of a stateful auth protocol.)
81 * The request is denied.
83 return ACCESS_AUTH_REQUIRED
;
86 fatal("unexpected authenticateAuthenticate reply\n");