src/auth/AclProxyAuth.cc

   1 /*
   2  * $Id$
   3  *
   4  * DEBUG: section 28    Access Control
   5  * AUTHOR: Duane Wessels
   6  *
   7  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   8  * ----------------------------------------------------------
   9  *
  10  *  Squid is the result of efforts by numerous individuals from
  11  *  the Internet community; see the CONTRIBUTORS file for full
  12  *  details.   Many organizations have provided support for Squid's
  13  *  development; see the SPONSORS file for full details.  Squid is
  14  *  Copyrighted (C) 2001 by the Regents of the University of
  15  *  California; see the COPYRIGHT file for full details.  Squid
  16  *  incorporates software developed and/or copyrighted by other
  17  *  sources; see the CREDITS file for full details.
  18  *
  19  *  This program is free software; you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License as published by
  21  *  the Free Software Foundation; either version 2 of the License, or
  22  *  (at your option) any later version.
  23  *
  24  *  This program is distributed in the hope that it will be useful,
  25  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  26  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  27  *  GNU General Public License for more details.
  28  *
  29  *  You should have received a copy of the GNU General Public License
  30  *  along with this program; if not, write to the Free Software
  31  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  32  *
  33  *
  34  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  35  */
  36
  37 #include "squid.h"
  38 #include "auth/AclProxyAuth.h"
  39 #include "auth/Gadgets.h"
  40 #include "acl/FilledChecklist.h"
  41 #include "acl/UserData.h"
  42 #include "acl/RegexData.h"
  43 #include "client_side.h"
  44 #include "HttpRequest.h"
  45 #include "auth/Acl.h"
  46 #include "auth/User.h"
  47 #include "auth/UserRequest.h"
  48
  49 ACLProxyAuth::~ACLProxyAuth()
  50 {
  51     delete data;
  52 }
  53
  54 ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) : data (newData), type_(theType) {}
  55
  56 ACLProxyAuth::ACLProxyAuth (ACLProxyAuth const &old) : data (old.data->clone()), type_(old.type_)
  57 {}
  58
  59 ACLProxyAuth &
  60 ACLProxyAuth::operator= (ACLProxyAuth const &rhs)
  61 {
  62     data = rhs.data->clone();
  63     type_ = rhs.type_;
  64     return *this;
  65 }
  66
  67 char const *
  68 ACLProxyAuth::typeString() const
  69 {
  70     return type_;
  71 }
  72
  73 void
  74 ACLProxyAuth::parse()
  75 {
  76     data->parse();
  77 }
  78
  79 int
  80 ACLProxyAuth::match(ACLChecklist *checklist)
  81 {
  82     int ti;
  83
  84     if ((ti = AuthenticateAcl(checklist)) != 1)
  85         return ti;
  86
  87     ti = matchProxyAuth(checklist);
  88
  89     return ti;
  90 }
  91
  92 wordlist *
  93 ACLProxyAuth::dump() const
  94 {
  95     return data->dump();
  96 }
  97
  98 bool
  99 ACLProxyAuth::empty () const
 100 {
 101     return data->empty();
 102 }
 103
 104 bool
 105 ACLProxyAuth::valid () const
 106 {
 107     if (authenticateSchemeCount() == 0) {
 108         debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
 109         return false;
 110     }
 111
 112     if (authenticateActiveSchemeCount() == 0) {
 113         debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
 114         return false;
 115     }
 116
 117     return true;
 118 }
 119
 120 ProxyAuthNeeded ProxyAuthNeeded::instance_;
 121
 122 ProxyAuthNeeded *
 123 ProxyAuthNeeded::Instance()
 124 {
 125     return &instance_;
 126 }
 127
 128 ProxyAuthLookup ProxyAuthLookup::instance_;
 129
 130 ProxyAuthLookup *
 131 ProxyAuthLookup::Instance()
 132 {
 133     return &instance_;
 134 }
 135
 136 void
 137 ProxyAuthLookup::checkForAsync(ACLChecklist *cl)const
 138 {
 139     ACLFilledChecklist *checklist = Filled(cl);
 140
 141     checklist->asyncInProgress(true);
 142     debugs(28, 3, "ACLChecklist::checkForAsync: checking password via authenticator");
 143
 144     AuthUserRequest::Pointer auth_user_request;
 145     /* make sure someone created auth_user_request for us */
 146     assert(checklist->auth_user_request != NULL);
 147     auth_user_request = checklist->auth_user_request;
 148
 149     int validated = authenticateValidateUser(auth_user_request);
 150     assert(validated);
 151     auth_user_request->start(LookupDone, checklist);
 152 }
 153
 154 void
 155 ProxyAuthLookup::LookupDone(void *data, char *result)
 156 {
 157     ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
 158
 159     assert (checklist->asyncState() == ProxyAuthLookup::Instance());
 160
 161     if (result != NULL)
 162         fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n");
 163
 164     if (!authenticateValidateUser(checklist->auth_user_request) || checklist->conn() == NULL) {
 165         /* credentials could not be checked either way
 166          * restart the whole process */
 167         /* OR the connection was closed, there's no way to continue */
 168         checklist->auth_user_request = NULL;
 169
 170         if (checklist->conn() != NULL) {
 171             checklist->conn()->auth_user_request = NULL;
 172             checklist->conn()->auth_type = AUTH_BROKEN;
 173         }
 174     }
 175
 176     checklist->asyncInProgress(false);
 177     checklist->changeState (ACLChecklist::NullState::Instance());
 178     checklist->check();
 179 }
 180
 181 void
 182 ProxyAuthNeeded::checkForAsync(ACLChecklist *checklist) const
 183 {
 184     /* Client is required to resend the request with correct authentication
 185      * credentials. (This may be part of a stateful auth protocol.)
 186      * The request is denied.
 187      */
 188     debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
 189     checklist->currentAnswer(ACCESS_REQ_PROXY_AUTH);
 190     checklist->changeState (ACLChecklist::NullState::Instance());
 191     checklist->markFinished();
 192 }
 193
 194 ACL *
 195 ACLProxyAuth::clone() const
 196 {
 197     return new ACLProxyAuth(*this);
 198 }
 199
 200 int
 201 ACLProxyAuth::matchForCache(ACLChecklist *cl)
 202 {
 203     ACLFilledChecklist *checklist = Filled(cl);
 204     assert (checklist->auth_user_request != NULL);
 205     return data->match(checklist->auth_user_request->username());
 206 }
 207
 208 /* aclMatchProxyAuth can return two exit codes:
 209  * 0 : Authorisation for this ACL failed. (Did not match)
 210  * 1 : Authorisation OK. (Matched)
 211  */
 212 int
 213 ACLProxyAuth::matchProxyAuth(ACLChecklist *cl)
 214 {
 215     ACLFilledChecklist *checklist = Filled(cl);
 216     checkAuthForCaching(checklist);
 217     /* check to see if we have matched the user-acl before */
 218     int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);
 219     checklist->auth_user_request = NULL;
 220     return result;
 221 }
 222
 223 void
 224 ACLProxyAuth::checkAuthForCaching(ACLChecklist *checklist)const
 225 {
 226     /* for completeness */
 227     /* consistent parameters ? */
 228     assert(authenticateUserAuthenticated(Filled(checklist)->auth_user_request));
 229     /* this check completed */
 230 }
 231