src/auth/AclProxyAuth.cc

   1 /*
   2  * $Id$
   3  *
   4  * DEBUG: section 28    Access Control
   5  * AUTHOR: Duane Wessels
   6  *
   7  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   8  * ----------------------------------------------------------
   9  *
  10  *  Squid is the result of efforts by numerous individuals from
  11  *  the Internet community; see the CONTRIBUTORS file for full
  12  *  details.   Many organizations have provided support for Squid's
  13  *  development; see the SPONSORS file for full details.  Squid is
  14  *  Copyrighted (C) 2001 by the Regents of the University of
  15  *  California; see the COPYRIGHT file for full details.  Squid
  16  *  incorporates software developed and/or copyrighted by other
  17  *  sources; see the CREDITS file for full details.
  18  *
  19  *  This program is free software; you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License as published by
  21  *  the Free Software Foundation; either version 2 of the License, or
  22  *  (at your option) any later version.
  23  *
  24  *  This program is distributed in the hope that it will be useful,
  25  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  26  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  27  *  GNU General Public License for more details.
  28  *
  29  *  You should have received a copy of the GNU General Public License
  30  *  along with this program; if not, write to the Free Software
  31  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  32  *
  33  *
  34  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  35  */
  36
  37 #include "squid-old.h"
  38 #include "auth/AclProxyAuth.h"
  39 #include "auth/Gadgets.h"
  40 #include "acl/FilledChecklist.h"
  41 #include "acl/UserData.h"
  42 #include "acl/RegexData.h"
  43 #include "client_side.h"
  44 #include "HttpRequest.h"
  45 #include "auth/Acl.h"
  46 #include "auth/User.h"
  47 #include "auth/UserRequest.h"
  48
  49 ACLProxyAuth::~ACLProxyAuth()
  50 {
  51     delete data;
  52 }
  53
  54 ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) : data (newData), type_(theType) {}
  55
  56 ACLProxyAuth::ACLProxyAuth (ACLProxyAuth const &old) : data (old.data->clone()), type_(old.type_)
  57 {}
  58
  59 ACLProxyAuth &
  60 ACLProxyAuth::operator= (ACLProxyAuth const &rhs)
  61 {
  62     data = rhs.data->clone();
  63     type_ = rhs.type_;
  64     return *this;
  65 }
  66
  67 char const *
  68 ACLProxyAuth::typeString() const
  69 {
  70     return type_;
  71 }
  72
  73 void
  74 ACLProxyAuth::parse()
  75 {
  76     data->parse();
  77 }
  78
  79 int
  80 ACLProxyAuth::match(ACLChecklist *checklist)
  81 {
  82     allow_t answer = AuthenticateAcl(checklist);
  83     checklist->currentAnswer(answer);
  84
  85     // convert to tri-state ACL match 1,0,-1
  86     switch (answer) {
  87     case ACCESS_ALLOWED:
  88     case ACCESS_AUTH_EXPIRED_OK:
  89         // check for a match
  90         return matchProxyAuth(checklist);
  91
  92     case ACCESS_DENIED:
  93     case ACCESS_AUTH_EXPIRED_BAD:
  94         return 0; // non-match
  95
  96     case ACCESS_DUNNO:
  97     case ACCESS_AUTH_REQUIRED:
  98     default:
  99         return -1; // other
 100     }
 101 }
 102
 103 wordlist *
 104 ACLProxyAuth::dump() const
 105 {
 106     return data->dump();
 107 }
 108
 109 bool
 110 ACLProxyAuth::empty () const
 111 {
 112     return data->empty();
 113 }
 114
 115 bool
 116 ACLProxyAuth::valid () const
 117 {
 118     if (authenticateSchemeCount() == 0) {
 119         debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
 120         return false;
 121     }
 122
 123     if (authenticateActiveSchemeCount() == 0) {
 124         debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
 125         return false;
 126     }
 127
 128     return true;
 129 }
 130
 131 ProxyAuthNeeded ProxyAuthNeeded::instance_;
 132
 133 ProxyAuthNeeded *
 134 ProxyAuthNeeded::Instance()
 135 {
 136     return &instance_;
 137 }
 138
 139 ProxyAuthLookup ProxyAuthLookup::instance_;
 140
 141 ProxyAuthLookup *
 142 ProxyAuthLookup::Instance()
 143 {
 144     return &instance_;
 145 }
 146
 147 void
 148 ProxyAuthLookup::checkForAsync(ACLChecklist *cl)const
 149 {
 150     ACLFilledChecklist *checklist = Filled(cl);
 151
 152     checklist->asyncInProgress(true);
 153     debugs(28, 3, HERE << "checking password via authenticator");
 154
 155     /* make sure someone created auth_user_request for us */
 156     assert(checklist->auth_user_request != NULL);
 157     assert(checklist->auth_user_request->valid());
 158     checklist->auth_user_request->start(LookupDone, checklist);
 159 }
 160
 161 void
 162 ProxyAuthLookup::LookupDone(void *data, char *result)
 163 {
 164     ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
 165
 166     assert (checklist->asyncState() == ProxyAuthLookup::Instance());
 167
 168     if (result != NULL)
 169         fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n");
 170
 171     if (checklist->auth_user_request == NULL || !checklist->auth_user_request->valid() || checklist->conn() == NULL) {
 172         /* credentials could not be checked either way
 173          * restart the whole process */
 174         /* OR the connection was closed, there's no way to continue */
 175         checklist->auth_user_request = NULL;
 176
 177         if (checklist->conn() != NULL) {
 178             checklist->conn()->auth_user_request = NULL;
 179         }
 180     }
 181
 182     checklist->asyncInProgress(false);
 183     checklist->changeState (ACLChecklist::NullState::Instance());
 184     checklist->matchNonBlocking();
 185 }
 186
 187 void
 188 ProxyAuthNeeded::checkForAsync(ACLChecklist *checklist) const
 189 {
 190     /* Client is required to resend the request with correct authentication
 191      * credentials. (This may be part of a stateful auth protocol.)
 192      * The request is denied.
 193      */
 194     debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
 195     checklist->currentAnswer(ACCESS_AUTH_REQUIRED);
 196     checklist->changeState (ACLChecklist::NullState::Instance());
 197     checklist->markFinished();
 198 }
 199
 200 ACL *
 201 ACLProxyAuth::clone() const
 202 {
 203     return new ACLProxyAuth(*this);
 204 }
 205
 206 int
 207 ACLProxyAuth::matchForCache(ACLChecklist *cl)
 208 {
 209     ACLFilledChecklist *checklist = Filled(cl);
 210     assert (checklist->auth_user_request != NULL);
 211     return data->match(checklist->auth_user_request->username());
 212 }
 213
 214 /* aclMatchProxyAuth can return two exit codes:
 215  * 0 : Authorisation for this ACL failed. (Did not match)
 216  * 1 : Authorisation OK. (Matched)
 217  */
 218 int
 219 ACLProxyAuth::matchProxyAuth(ACLChecklist *cl)
 220 {
 221     ACLFilledChecklist *checklist = Filled(cl);
 222     if (!authenticateUserAuthenticated(Filled(checklist)->auth_user_request)) {
 223         return 0;
 224     }
 225     /* check to see if we have matched the user-acl before */
 226     int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);
 227     checklist->auth_user_request = NULL;
 228     return result;
 229 }