4 * DEBUG: section 28 Access Control
5 * AUTHOR: Duane Wessels
7 * SQUID Web Proxy Cache http://www.squid-cache.org/
8 * ----------------------------------------------------------
10 * Squid is the result of efforts by numerous individuals from
11 * the Internet community; see the CONTRIBUTORS file for full
12 * details. Many organizations have provided support for Squid's
13 * development; see the SPONSORS file for full details. Squid is
14 * Copyrighted (C) 2001 by the Regents of the University of
15 * California; see the COPYRIGHT file for full details. Squid
16 * incorporates software developed and/or copyrighted by other
17 * sources; see the CREDITS file for full details.
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
34 * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
38 #include "auth/AclProxyAuth.h"
39 #include "auth/Gadgets.h"
40 #include "acl/FilledChecklist.h"
41 #include "acl/UserData.h"
42 #include "acl/RegexData.h"
43 #include "client_side.h"
44 #include "HttpRequest.h"
46 #include "auth/User.h"
47 #include "auth/UserRequest.h"
49 ACLProxyAuth::~ACLProxyAuth()
54 ACLProxyAuth::ACLProxyAuth(ACLData
<char const *> *newData
, char const *theType
) : data (newData
), type_(theType
) {}
56 ACLProxyAuth::ACLProxyAuth (ACLProxyAuth
const &old
) : data (old
.data
->clone()), type_(old
.type_
)
60 ACLProxyAuth::operator= (ACLProxyAuth
const &rhs
)
62 data
= rhs
.data
->clone();
68 ACLProxyAuth::typeString() const
80 ACLProxyAuth::match(ACLChecklist
*checklist
)
84 if ((ti
= AuthenticateAcl(checklist
)) != 1)
87 ti
= matchProxyAuth(checklist
);
93 ACLProxyAuth::dump() const
99 ACLProxyAuth::empty () const
101 return data
->empty();
105 ACLProxyAuth::valid () const
107 if (authenticateSchemeCount() == 0) {
108 debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
112 if (authenticateActiveSchemeCount() == 0) {
113 debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
120 ProxyAuthNeeded
ProxyAuthNeeded::instance_
;
123 ProxyAuthNeeded::Instance()
128 ProxyAuthLookup
ProxyAuthLookup::instance_
;
131 ProxyAuthLookup::Instance()
137 ProxyAuthLookup::checkForAsync(ACLChecklist
*cl
)const
139 ACLFilledChecklist
*checklist
= Filled(cl
);
141 checklist
->asyncInProgress(true);
142 debugs(28, 3, "ACLChecklist::checkForAsync: checking password via authenticator");
144 AuthUserRequest::Pointer auth_user_request
;
145 /* make sure someone created auth_user_request for us */
146 assert(checklist
->auth_user_request
!= NULL
);
147 auth_user_request
= checklist
->auth_user_request
;
149 int validated
= authenticateValidateUser(auth_user_request
);
151 auth_user_request
->start(LookupDone
, checklist
);
155 ProxyAuthLookup::LookupDone(void *data
, char *result
)
157 ACLFilledChecklist
*checklist
= Filled(static_cast<ACLChecklist
*>(data
));
159 assert (checklist
->asyncState() == ProxyAuthLookup::Instance());
162 fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n");
164 if (!authenticateValidateUser(checklist
->auth_user_request
) || checklist
->conn() == NULL
) {
165 /* credentials could not be checked either way
166 * restart the whole process */
167 /* OR the connection was closed, there's no way to continue */
168 checklist
->auth_user_request
= NULL
;
170 if (checklist
->conn() != NULL
) {
171 checklist
->conn()->auth_user_request
= NULL
;
172 checklist
->conn()->auth_type
= AUTH_BROKEN
;
176 checklist
->asyncInProgress(false);
177 checklist
->changeState (ACLChecklist::NullState::Instance());
182 ProxyAuthNeeded::checkForAsync(ACLChecklist
*checklist
) const
184 /* Client is required to resend the request with correct authentication
185 * credentials. (This may be part of a stateful auth protocol.)
186 * The request is denied.
188 debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
189 checklist
->currentAnswer(ACCESS_REQ_PROXY_AUTH
);
190 checklist
->changeState (ACLChecklist::NullState::Instance());
191 checklist
->markFinished();
195 ACLProxyAuth::clone() const
197 return new ACLProxyAuth(*this);
201 ACLProxyAuth::matchForCache(ACLChecklist
*cl
)
203 ACLFilledChecklist
*checklist
= Filled(cl
);
204 assert (checklist
->auth_user_request
!= NULL
);
205 return data
->match(checklist
->auth_user_request
->username());
208 /* aclMatchProxyAuth can return two exit codes:
209 * 0 : Authorisation for this ACL failed. (Did not match)
210 * 1 : Authorisation OK. (Matched)
213 ACLProxyAuth::matchProxyAuth(ACLChecklist
*cl
)
215 ACLFilledChecklist
*checklist
= Filled(cl
);
216 checkAuthForCaching(checklist
);
217 /* check to see if we have matched the user-acl before */
218 int result
= cacheMatchAcl(&checklist
->auth_user_request
->user()->proxy_match_cache
, checklist
);
219 checklist
->auth_user_request
= NULL
;
224 ACLProxyAuth::checkAuthForCaching(ACLChecklist
*checklist
)const
226 /* for completeness */
227 /* consistent parameters ? */
228 assert(authenticateUserAuthenticated(Filled(checklist
)->auth_user_request
));
229 /* this check completed */