src/auth/AclProxyAuth.cc

   1 /*
   2  * $Id$
   3  *
   4  * DEBUG: section 28    Access Control
   5  * AUTHOR: Duane Wessels
   6  *
   7  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   8  * ----------------------------------------------------------
   9  *
  10  *  Squid is the result of efforts by numerous individuals from
  11  *  the Internet community; see the CONTRIBUTORS file for full
  12  *  details.   Many organizations have provided support for Squid's
  13  *  development; see the SPONSORS file for full details.  Squid is
  14  *  Copyrighted (C) 2001 by the Regents of the University of
  15  *  California; see the COPYRIGHT file for full details.  Squid
  16  *  incorporates software developed and/or copyrighted by other
  17  *  sources; see the CREDITS file for full details.
  18  *
  19  *  This program is free software; you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License as published by
  21  *  the Free Software Foundation; either version 2 of the License, or
  22  *  (at your option) any later version.
  23  *
  24  *  This program is distributed in the hope that it will be useful,
  25  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  26  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  27  *  GNU General Public License for more details.
  28  *
  29  *  You should have received a copy of the GNU General Public License
  30  *  along with this program; if not, write to the Free Software
  31  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  32  *
  33  *
  34  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  35  */
  36
  37 #include "squid.h"
  38 #include "auth/AclProxyAuth.h"
  39 #include "auth/Gadgets.h"
  40 #include "acl/FilledChecklist.h"
  41 #include "acl/UserData.h"
  42 #include "acl/RegexData.h"
  43 #include "client_side.h"
  44 #include "HttpRequest.h"
  45 #include "auth/Acl.h"
  46 #include "auth/User.h"
  47 #include "auth/UserRequest.h"
  48
  49 ACLProxyAuth::~ACLProxyAuth()
  50 {
  51     delete data;
  52 }
  53
  54 ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) : data (newData), type_(theType) {}
  55
  56 ACLProxyAuth::ACLProxyAuth (ACLProxyAuth const &old) : data (old.data->clone()), type_(old.type_)
  57 {}
  58
  59 ACLProxyAuth &
  60 ACLProxyAuth::operator= (ACLProxyAuth const &rhs)
  61 {
  62     data = rhs.data->clone();
  63     type_ = rhs.type_;
  64     return *this;
  65 }
  66
  67 char const *
  68 ACLProxyAuth::typeString() const
  69 {
  70     return type_;
  71 }
  72
  73 void
  74 ACLProxyAuth::parse()
  75 {
  76     data->parse();
  77 }
  78
  79 int
  80 ACLProxyAuth::match(ACLChecklist *checklist)
  81 {
  82     int ti;
  83
  84     if ((ti = AuthenticateAcl(checklist)) != 1)
  85         return ti;
  86
  87     ti = matchProxyAuth(checklist);
  88
  89     return ti;
  90 }
  91
  92 wordlist *
  93 ACLProxyAuth::dump() const
  94 {
  95     return data->dump();
  96 }
  97
  98 bool
  99 ACLProxyAuth::empty () const
 100 {
 101     return data->empty();
 102 }
 103
 104 bool
 105 ACLProxyAuth::valid () const
 106 {
 107     if (authenticateSchemeCount() == 0) {
 108         debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
 109         return false;
 110     }
 111
 112     if (authenticateActiveSchemeCount() == 0) {
 113         debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
 114         return false;
 115     }
 116
 117     return true;
 118 }
 119
 120 ProxyAuthNeeded ProxyAuthNeeded::instance_;
 121
 122 ProxyAuthNeeded *
 123 ProxyAuthNeeded::Instance()
 124 {
 125     return &instance_;
 126 }
 127
 128 ProxyAuthLookup ProxyAuthLookup::instance_;
 129
 130 ProxyAuthLookup *
 131 ProxyAuthLookup::Instance()
 132 {
 133     return &instance_;
 134 }
 135
 136 void
 137 ProxyAuthLookup::checkForAsync(ACLChecklist *cl)const
 138 {
 139     ACLFilledChecklist *checklist = Filled(cl);
 140
 141     checklist->asyncInProgress(true);
 142     debugs(28, 3, HERE << "checking password via authenticator");
 143
 144     /* make sure someone created auth_user_request for us */
 145     assert(checklist->auth_user_request != NULL);
 146     assert(checklist->auth_user_request->valid());
 147     checklist->auth_user_request->start(LookupDone, checklist);
 148 }
 149
 150 void
 151 ProxyAuthLookup::LookupDone(void *data, char *result)
 152 {
 153     ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
 154
 155     assert (checklist->asyncState() == ProxyAuthLookup::Instance());
 156
 157     if (result != NULL)
 158         fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n");
 159
 160     if (checklist->auth_user_request == NULL || !checklist->auth_user_request->valid() || checklist->conn() == NULL) {
 161         /* credentials could not be checked either way
 162          * restart the whole process */
 163         /* OR the connection was closed, there's no way to continue */
 164         checklist->auth_user_request = NULL;
 165
 166         if (checklist->conn() != NULL) {
 167             checklist->conn()->auth_user_request = NULL;
 168         }
 169     }
 170
 171     checklist->asyncInProgress(false);
 172     checklist->changeState (ACLChecklist::NullState::Instance());
 173     checklist->check();
 174 }
 175
 176 void
 177 ProxyAuthNeeded::checkForAsync(ACLChecklist *checklist) const
 178 {
 179     /* Client is required to resend the request with correct authentication
 180      * credentials. (This may be part of a stateful auth protocol.)
 181      * The request is denied.
 182      */
 183     debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
 184     checklist->currentAnswer(ACCESS_REQ_PROXY_AUTH);
 185     checklist->changeState (ACLChecklist::NullState::Instance());
 186     checklist->markFinished();
 187 }
 188
 189 ACL *
 190 ACLProxyAuth::clone() const
 191 {
 192     return new ACLProxyAuth(*this);
 193 }
 194
 195 int
 196 ACLProxyAuth::matchForCache(ACLChecklist *cl)
 197 {
 198     ACLFilledChecklist *checklist = Filled(cl);
 199     assert (checklist->auth_user_request != NULL);
 200     return data->match(checklist->auth_user_request->username());
 201 }
 202
 203 /* aclMatchProxyAuth can return two exit codes:
 204  * 0 : Authorisation for this ACL failed. (Did not match)
 205  * 1 : Authorisation OK. (Matched)
 206  */
 207 int
 208 ACLProxyAuth::matchProxyAuth(ACLChecklist *cl)
 209 {
 210     ACLFilledChecklist *checklist = Filled(cl);
 211     if (!authenticateUserAuthenticated(Filled(checklist)->auth_user_request)) {
 212         return 0;
 213     }
 214     /* check to see if we have matched the user-acl before */
 215     int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);
 216     checklist->auth_user_request = NULL;
 217     return result;
 218 }