]>
git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/AclProxyAuth.cc
4 * DEBUG: section 28 Access Control
5 * AUTHOR: Duane Wessels
7 * SQUID Web Proxy Cache http://www.squid-cache.org/
8 * ----------------------------------------------------------
10 * Squid is the result of efforts by numerous individuals from
11 * the Internet community; see the CONTRIBUTORS file for full
12 * details. Many organizations have provided support for Squid's
13 * development; see the SPONSORS file for full details. Squid is
14 * Copyrighted (C) 2001 by the Regents of the University of
15 * California; see the COPYRIGHT file for full details. Squid
16 * incorporates software developed and/or copyrighted by other
17 * sources; see the CREDITS file for full details.
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
34 * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
37 #include "squid-old.h"
38 #include "auth/AclProxyAuth.h"
39 #include "auth/Gadgets.h"
40 #include "acl/FilledChecklist.h"
41 #include "acl/UserData.h"
42 #include "acl/RegexData.h"
43 #include "client_side.h"
44 #include "HttpRequest.h"
46 #include "auth/User.h"
47 #include "auth/UserRequest.h"
49 ACLProxyAuth::~ACLProxyAuth()
54 ACLProxyAuth::ACLProxyAuth(ACLData
<char const *> *newData
, char const *theType
) : data (newData
), type_(theType
) {}
56 ACLProxyAuth::ACLProxyAuth (ACLProxyAuth
const &old
) : data (old
.data
->clone()), type_(old
.type_
)
60 ACLProxyAuth::operator= (ACLProxyAuth
const &rhs
)
62 data
= rhs
.data
->clone();
68 ACLProxyAuth::typeString() const
80 ACLProxyAuth::match(ACLChecklist
*checklist
)
82 allow_t answer
= AuthenticateAcl(checklist
);
83 checklist
->currentAnswer(answer
);
85 // convert to tri-state ACL match 1,0,-1
88 case ACCESS_AUTH_EXPIRED_OK
:
90 return matchProxyAuth(checklist
);
93 case ACCESS_AUTH_EXPIRED_BAD
:
94 return 0; // non-match
97 case ACCESS_AUTH_REQUIRED
:
104 ACLProxyAuth::dump() const
110 ACLProxyAuth::empty () const
112 return data
->empty();
116 ACLProxyAuth::valid () const
118 if (authenticateSchemeCount() == 0) {
119 debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
123 if (authenticateActiveSchemeCount() == 0) {
124 debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
131 ProxyAuthNeeded
ProxyAuthNeeded::instance_
;
134 ProxyAuthNeeded::Instance()
139 ProxyAuthLookup
ProxyAuthLookup::instance_
;
142 ProxyAuthLookup::Instance()
148 ProxyAuthLookup::checkForAsync(ACLChecklist
*cl
)const
150 ACLFilledChecklist
*checklist
= Filled(cl
);
152 checklist
->asyncInProgress(true);
153 debugs(28, 3, HERE
<< "checking password via authenticator");
155 /* make sure someone created auth_user_request for us */
156 assert(checklist
->auth_user_request
!= NULL
);
157 assert(checklist
->auth_user_request
->valid());
158 checklist
->auth_user_request
->start(LookupDone
, checklist
);
162 ProxyAuthLookup::LookupDone(void *data
, char *result
)
164 ACLFilledChecklist
*checklist
= Filled(static_cast<ACLChecklist
*>(data
));
166 assert (checklist
->asyncState() == ProxyAuthLookup::Instance());
169 fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n");
171 if (checklist
->auth_user_request
== NULL
|| !checklist
->auth_user_request
->valid() || checklist
->conn() == NULL
) {
172 /* credentials could not be checked either way
173 * restart the whole process */
174 /* OR the connection was closed, there's no way to continue */
175 checklist
->auth_user_request
= NULL
;
177 if (checklist
->conn() != NULL
) {
178 checklist
->conn()->auth_user_request
= NULL
;
182 checklist
->asyncInProgress(false);
183 checklist
->changeState (ACLChecklist::NullState::Instance());
184 checklist
->matchNonBlocking();
188 ProxyAuthNeeded::checkForAsync(ACLChecklist
*checklist
) const
190 /* Client is required to resend the request with correct authentication
191 * credentials. (This may be part of a stateful auth protocol.)
192 * The request is denied.
194 debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
195 checklist
->currentAnswer(ACCESS_AUTH_REQUIRED
);
196 checklist
->changeState (ACLChecklist::NullState::Instance());
197 checklist
->markFinished();
201 ACLProxyAuth::clone() const
203 return new ACLProxyAuth(*this);
207 ACLProxyAuth::matchForCache(ACLChecklist
*cl
)
209 ACLFilledChecklist
*checklist
= Filled(cl
);
210 assert (checklist
->auth_user_request
!= NULL
);
211 return data
->match(checklist
->auth_user_request
->username());
214 /* aclMatchProxyAuth can return two exit codes:
215 * 0 : Authorisation for this ACL failed. (Did not match)
216 * 1 : Authorisation OK. (Matched)
219 ACLProxyAuth::matchProxyAuth(ACLChecklist
*cl
)
221 ACLFilledChecklist
*checklist
= Filled(cl
);
222 if (!authenticateUserAuthenticated(Filled(checklist
)->auth_user_request
)) {
225 /* check to see if we have matched the user-acl before */
226 int result
= cacheMatchAcl(&checklist
->auth_user_request
->user()->proxy_match_cache
, checklist
);
227 checklist
->auth_user_request
= NULL
;