git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/AclProxyAuth.cc
2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
12 #include "acl/FilledChecklist.h"
13 #include "acl/RegexData.h"
14 #include "acl/UserData.h"
16 #include "auth/AclProxyAuth.h"
17 #include "auth/Gadgets.h"
18 #include "auth/User.h"
19 #include "auth/UserRequest.h"
20 #include "client_side.h"
21 #include "HttpRequest.h"
23 ACLProxyAuth::~ACLProxyAuth()
28 ACLProxyAuth::ACLProxyAuth(ACLData
<char const *> *newData
, char const *theType
) :
33 ACLProxyAuth::ACLProxyAuth(ACLProxyAuth
const &old
) :
34 data(old
.data
->clone()),
39 ACLProxyAuth::operator=(ACLProxyAuth
const &rhs
)
41 data
= rhs
.data
->clone();
47 ACLProxyAuth::typeString() const
59 ACLProxyAuth::match(ACLChecklist
*checklist
)
61 allow_t answer
= AuthenticateAcl(checklist
);
63 // convert to tri-state ACL match 1,0,-1
67 return matchProxyAuth(checklist
);
70 return 0; // non-match
73 case ACCESS_AUTH_REQUIRED
:
75 // If the answer is not allowed or denied (matches/not matches) and
76 // async authentication is not in progress, then we are done.
77 if (checklist
->keepMatching())
78 checklist
->markFinished(answer
, "AuthenticateAcl exception");
84 ACLProxyAuth::dump() const
90 ACLProxyAuth::empty() const
96 ACLProxyAuth::valid() const
98 if (authenticateSchemeCount() == 0) {
99 debugs(28, DBG_CRITICAL
, "Can't use proxy auth because no authentication schemes were compiled.");
103 if (authenticateActiveSchemeCount() == 0) {
104 debugs(28, DBG_CRITICAL
, "Can't use proxy auth because no authentication schemes are fully configured.");
111 ProxyAuthLookup
ProxyAuthLookup::instance_
;
114 ProxyAuthLookup::Instance()
/// Hands the checklist's pending credentials to the authenticator and
/// registers LookupDone() as the completion callback.
/// (The return-type line that precedes this signature in the file is not
/// shown in this listing.)
ProxyAuthLookup::checkForAsync(ACLChecklist *cl) const
{
    ACLFilledChecklist *filled = Filled(cl);

    // Debug section 28 (Access Control), level 3.
    debugs(28, 3, HERE << "checking password via authenticator");

    // Precondition: an earlier step must already have attached an
    // auth_user_request to the checklist, and it must report itself valid.
    // Both are enforced here, before the request is dereferenced below.
    assert(filled->auth_user_request != NULL);
    assert(filled->auth_user_request->valid());

    // The checklist itself is passed as the callback data, so LookupDone()
    // receives it back as its void* argument.
    filled->auth_user_request->start(filled->request, filled->al, LookupDone, filled);
}
/// Completion callback that checkForAsync() passes to auth_user_request->start().
/// @param data the checklist handed to start(), received back as an opaque pointer.
/// (The return-type line that precedes this signature in the file is not
/// shown in this listing.)
ProxyAuthLookup::LookupDone(void *data)
{
    ACLChecklist *rawChecklist = static_cast<ACLChecklist *>(data);
    ACLFilledChecklist *filled = Filled(rawChecklist);

    // The lookup result is unusable when the request is gone, reports itself
    // invalid, or the client connection no longer exists. The order of the
    // tests matters: valid() is only called on a non-NULL request.
    if (filled->auth_user_request == NULL ||
            !filled->auth_user_request->valid() ||
            filled->conn() == NULL) {
        /* Either the credentials could not be checked one way or the other
         * (restart the whole process), or the connection was closed and
         * there is no way to continue. */
        // Drop the request reference so the resumed check cannot act on a
        // half-verified credentials object.
        filled->auth_user_request = NULL;

        // presumably clears the authentication state stored on a connection
        // that is still open -- confirm against setAuth()
        if (filled->conn() != NULL)
            filled->conn()->setAuth(NULL, "proxy_auth ACL failure");
    }

    // Resume the ACL check in every case, whether or not the lookup was usable.
    filled->resumeNonBlockingCheck(ProxyAuthLookup::Instance());
}
/// Returns a heap-allocated copy of this ACL made with the copy constructor,
/// which clones `data` (old.data->clone()) instead of sharing the pointer.
/// NOTE(review): the caller presumably owns the returned object -- confirm.
/// (The return-type line that precedes this signature in the file is not
/// shown in this listing.)
ACLProxyAuth::clone() const
{
    ACLProxyAuth *copy = new ACLProxyAuth(*this);
    return copy;
}
/// Matches the username carried by the checklist's auth_user_request against
/// this ACL's data and returns the result of data->match().
/// (The return-type line that precedes this signature in the file is not
/// shown in this listing.)
ACLProxyAuth::matchForCache(ACLChecklist *cl)
{
    ACLFilledChecklist *filled = Filled(cl);

    // A request must be attached before its username is read; this function
    // does not itself check that the user has been authenticated.
    assert(filled->auth_user_request != NULL);

    return data->match(filled->auth_user_request->username());
}
165 /* aclMatchProxyAuth can return two exit codes:
166 * 0 : Authorisation for this ACL failed. (Did not match)
167 * 1 : Authorisation OK. (Matched)
170 ACLProxyAuth::matchProxyAuth(ACLChecklist
*cl
)
172 ACLFilledChecklist
*checklist
= Filled(cl
);
173 if (checklist
->request
->flags
.sslBumped
)
174 return 1; // AuthenticateAcl() already handled this bumped request
175 if (!authenticateUserAuthenticated(Filled(checklist
)->auth_user_request
)) {
178 /* check to see if we have matched the user-acl before */
179 int result
= cacheMatchAcl(&checklist
->auth_user_request
->user()->proxy_match_cache
, checklist
);
180 checklist
->auth_user_request
= NULL
;