2 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
12 #include "acl/FilledChecklist.h"
13 #include "acl/RegexData.h"
14 #include "acl/UserData.h"
16 #include "auth/AclProxyAuth.h"
17 #include "auth/Gadgets.h"
18 #include "auth/User.h"
19 #include "auth/UserRequest.h"
20 #include "client_side.h"
21 #include "HttpRequest.h"
23 ACLProxyAuth::~ACLProxyAuth()
// Stores the supplied ACLData pointer and type string as given; nothing is
// cloned or copied beyond the two pointer values.
28 ACLProxyAuth::ACLProxyAuth(ACLData
<char const *> *newData
, char const *theType
) : data(newData
), type_(theType
) {}
// Copy construction: data is initialised from old.data->clone() rather than
// from the source pointer itself; type_ is taken from old.type_ by value.
30 ACLProxyAuth::ACLProxyAuth(ACLProxyAuth
const &old
) : data(old
.data
->clone()), type_(old
.type_
)
// Assignment replaces data with a clone of rhs.data.
// NOTE(review): in the lines shown, the previously held data pointer is
// overwritten without being released first and there is no self-assignment
// guard. If data is an owning pointer this leaks on every reassignment.
// Confirm against the destructor, whose body is not visible in this listing.
34 ACLProxyAuth::operator=(ACLProxyAuth
const &rhs
)
36 data
= rhs
.data
->clone();
42 ACLProxyAuth::typeString() const
// Entry point for evaluating this ACL: asks AuthenticateAcl() for an allow_t
// answer and converts it into the ACL match result.
// Visible outcomes: one branch defers to matchProxyAuth(), one returns 0
// (non-match), and the ACCESS_AUTH_REQUIRED branch calls markFinished() with
// the answer while the checklist is still matching.
// The switch header, the remaining case labels and the final return are not
// visible in this listing.
54 ACLProxyAuth::match(ACLChecklist
*checklist
)
56 allow_t answer
= AuthenticateAcl(checklist
);
58 // convert to tri-state ACL match 1,0,-1
62 return matchProxyAuth(checklist
);
65 return 0; // non-match
68 case ACCESS_AUTH_REQUIRED
:
70 // If the answer is not allowed or denied (matches/not matches) and
71 // async authentication is not in progress, then we are done.
// markFinished() records the authentication answer itself (e.g.
// ACCESS_AUTH_REQUIRED) as the checklist's final result.
72 if (checklist
->keepMatching())
73 checklist
->markFinished(answer
, "AuthenticateAcl exception");
79 ACLProxyAuth::dump() const
85 ACLProxyAuth::empty() const
// Sanity check for using proxy auth: logs at DBG_CRITICAL when
// authenticateSchemeCount() is 0 (no scheme compiled in) or when
// authenticateActiveSchemeCount() is 0 (no scheme fully configured).
// The return statements for each branch are not visible in this listing.
91 ACLProxyAuth::valid() const
93 if (authenticateSchemeCount() == 0) {
94 debugs(28, DBG_CRITICAL
, "Can't use proxy auth because no authentication schemes were compiled.");
98 if (authenticateActiveSchemeCount() == 0) {
99 debugs(28, DBG_CRITICAL
, "Can't use proxy auth because no authentication schemes are fully configured.");
// Out-of-class definition of the static ProxyAuthLookup::instance_ member.
106 ProxyAuthLookup
ProxyAuthLookup::instance_
;
109 ProxyAuthLookup::Instance()
// Starts the asynchronous credential check for the given checklist.
// Preconditions are enforced with assert(): the checklist must already carry
// a non-NULL auth_user_request that reports valid().
// The request, the access-log entry (al), the LookupDone callback and the
// checklist itself are handed to auth_user_request->start().
// NOTE(review): the checklist pointer is kept as callback data, so it must
// stay alive until LookupDone runs. How that lifetime is guaranteed is not
// visible in this listing; confirm.
115 ProxyAuthLookup::checkForAsync(ACLChecklist
*cl
) const
117 ACLFilledChecklist
*checklist
= Filled(cl
);
119 debugs(28, 3, HERE
<< "checking password via authenticator");
121 /* make sure someone created auth_user_request for us */
122 assert(checklist
->auth_user_request
!= NULL
);
123 assert(checklist
->auth_user_request
->valid());
124 checklist
->auth_user_request
->start(checklist
->request
, checklist
->al
, LookupDone
, checklist
);
// Completion callback passed to auth_user_request->start() in checkForAsync().
// data is cast back to the checklist and the non-blocking check is resumed.
// If the auth_user_request is missing or invalid, or the client connection is
// gone, the credentials are cleared first: auth_user_request is set to NULL,
// and a connection that still exists is reset with setAuth(NULL, ...).
// NOTE(review): checkForAsync() passes an ACLFilledChecklist* as the callback
// argument, while this function recovers it as ACLChecklist* from void*.
// Confirm that start() takes the argument in a form that makes this cast valid.
128 ProxyAuthLookup::LookupDone(void *data
)
130 ACLFilledChecklist
*checklist
= Filled(static_cast<ACLChecklist
*>(data
));
132 if (checklist
->auth_user_request
== NULL
|| !checklist
->auth_user_request
->valid() || checklist
->conn() == NULL
) {
133 /* credentials could not be checked either way
134 * restart the whole process */
135 /* OR the connection was closed, there's no way to continue */
136 checklist
->auth_user_request
= NULL
;
// Also drop any credentials attached to the connection, but only when a
// connection still exists.
138 if (checklist
->conn() != NULL
) {
139 checklist
->conn()->setAuth(NULL
, "proxy_auth ACL failure");
143 checklist
->resumeNonBlockingCheck(ProxyAuthLookup::Instance());
// Returns a new heap-allocated ACLProxyAuth built with the copy constructor.
// The result is a raw pointer; presumably the caller owns it. Confirm against callers.
147 ACLProxyAuth::clone() const
149 return new ACLProxyAuth(*this);
// Matches the username carried by the checklist's auth_user_request against
// this ACL's data and returns the result of data->match().
// Requires auth_user_request to be non-NULL (asserted). Whether the user has
// been authenticated is not checked here.
153 ACLProxyAuth::matchForCache(ACLChecklist
*cl
)
155 ACLFilledChecklist
*checklist
= Filled(cl
);
156 assert (checklist
->auth_user_request
!= NULL
);
157 return data
->match(checklist
->auth_user_request
->username());
160 /* aclMatchProxyAuth can return two exit codes:
161 * 0 : Authorisation for this ACL failed. (Did not match)
162 * 1 : Authorisation OK. (Matched)
165 ACLProxyAuth::matchProxyAuth(ACLChecklist
*cl
)
167 ACLFilledChecklist
*checklist
= Filled(cl
);
168 if (checklist
->request
->flags
.sslBumped
)
169 return 1; // AuthenticateAcl() already handled this bumped request
170 if (!authenticateUserAuthenticated(Filled(checklist
)->auth_user_request
)) {
173 /* check to see if we have matched the user-acl before */
174 int result
= cacheMatchAcl(&checklist
->auth_user_request
->user()->proxy_match_cache
, checklist
);
175 checklist
->auth_user_request
= NULL
;