git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/AclProxyAuth.cc
2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 28 Access Control */
12 #include "acl/FilledChecklist.h"
13 #include "acl/RegexData.h"
14 #include "acl/UserData.h"
16 #include "auth/AclProxyAuth.h"
17 #include "auth/Gadgets.h"
18 #include "auth/User.h"
19 #include "auth/UserRequest.h"
20 #include "client_side.h"
21 #include "http/StreamContext.h"
22 #include "HttpRequest.h"
24 ACLProxyAuth::~ACLProxyAuth()
29 ACLProxyAuth::ACLProxyAuth(ACLData
<char const *> *newData
, char const *theType
) :
// Copy constructor: initialises this ACL's `data` from old.data->clone(),
// i.e. from whatever clone() returns rather than from old.data itself.
// NOTE(review): presumably clone() yields an independent copy so the two ACLs
// do not share (and later double-free) one data object -- confirm in ACLData.
// NOTE(review): the remaining member initialisers and the body are missing
// from this listing.
34 ACLProxyAuth::ACLProxyAuth(ACLProxyAuth
const &old
) :
35 data(old
.data
->clone()),
// Copy assignment: overwrites `data` with the result of rhs.data->clone().
// NOTE(review): no release of the value previously held in `data` is visible
// before the assignment (the only line between the signature at 40 and the
// assignment at 42 is line 41). If `data` is a raw owning pointer, each
// assignment leaks the old object -- confirm ownership and free it first.
// NOTE(review): the return type and the lines after the assignment are
// missing from this listing.
40 ACLProxyAuth::operator=(ACLProxyAuth
const &rhs
)
42 data
= rhs
.data
->clone();
48 ACLProxyAuth::typeString() const
// Evaluates this ACL for one checklist: obtains an answer from
// AuthenticateAcl() and translates it into the ACL match convention
// (1, 0, -1) named in the comment below.
// Visible paths: one defers to matchProxyAuth(), one returns 0 (non-match),
// and under ACCESS_AUTH_REQUIRED the checklist is marked finished with the
// AuthenticateAcl answer when checklist->keepMatching() is true.
// NOTE(review): the switch statement, the other case labels and the final
// return are missing from this listing, so which answer selects which path
// cannot be confirmed from here.
60 ACLProxyAuth::match(ACLChecklist
*checklist
)
62 allow_t answer
= AuthenticateAcl(checklist
);
64 // convert to tri-state ACL match 1,0,-1
68 return matchProxyAuth(checklist
);
71 return 0; // non-match
74 case ACCESS_AUTH_REQUIRED
:
76 // If the answer is not allowed or denied (matches/not matches) and
77 // async authentication is not in progress, then we are done.
78 if (checklist
->keepMatching())
79 checklist
->markFinished(answer
, "AuthenticateAcl exception");
85 ACLProxyAuth::dump() const
91 ACLProxyAuth::empty() const
// Configuration sanity check for proxy_auth ACLs: logs a DBG_CRITICAL message
// when authenticateSchemeCount() is zero, and a second one when
// authenticateActiveSchemeCount() is zero.
// NOTE(review): the return statements are missing from this listing;
// presumably both conditions report the ACL as invalid, since an ACL with no
// usable scheme could never authenticate anyone -- confirm.
97 ACLProxyAuth::valid() const
99 if (authenticateSchemeCount() == 0) {
100 debugs(28, DBG_CRITICAL
, "Can't use proxy auth because no authentication schemes were compiled.");
104 if (authenticateActiveSchemeCount() == 0) {
105 debugs(28, DBG_CRITICAL
, "Can't use proxy auth because no authentication schemes are fully configured.");
/// Definition of the static ProxyAuthLookup::instance_ member.
ProxyAuthLookup ProxyAuthLookup::instance_;
115 ProxyAuthLookup::Instance()
/// Starts the credential check for the given checklist through its
/// auth_user_request, registering LookupDone() as the completion callback
/// with the checklist itself as the callback argument.
///
/// The source listing omits the return-type and brace lines of this
/// definition; they are restored here.
void
ProxyAuthLookup::checkForAsync(ACLChecklist *cl) const
{
    ACLFilledChecklist *checklist = Filled(cl);

    debugs(28, 3, HERE << "checking password via authenticator");

    // Preconditions rather than input validation: an earlier step must have
    // created a valid auth_user_request for this checklist.
    // NOTE(review): these asserts are the only guards before the dereference
    // below; if assert() is compiled out in a build, a missing request would
    // be dereferenced -- confirm assertions stay enabled.
    assert(checklist->auth_user_request != NULL);
    assert(checklist->auth_user_request->valid());

    checklist->auth_user_request->start(checklist->request,
                                        checklist->al,
                                        LookupDone,
                                        checklist);
}
/// Completion callback that checkForAsync() hands to
/// auth_user_request->start().
///
/// @param data the checklist that was registered with start(), returned as an
///             opaque pointer.
///
/// The source listing omits the return-type and brace lines of this
/// definition; they are restored here.
void
ProxyAuthLookup::LookupDone(void *data)
{
    // NOTE(review): data is cast back to a checklist with no validity check,
    // so this relies on the checklist outliving the lookup -- confirm the
    // lifetime guarantee given by the code that invokes this callback.
    ACLFilledChecklist *filled = Filled(static_cast<ACLChecklist *>(data));

    const bool credentialsUsable =
        filled->auth_user_request != NULL && filled->auth_user_request->valid();

    if (!credentialsUsable || filled->conn() == NULL) {
        /* Either the credentials could not be checked one way or the other
         * (restart the whole process), or the connection was closed and there
         * is no way to continue. */
        filled->auth_user_request = NULL;

        // Clear the credentials on a still-open connection too, so neither
        // the checklist nor the connection keeps a request whose validity
        // was not established.
        if (filled->conn() != NULL)
            filled->conn()->setAuth(NULL, "proxy_auth ACL failure");
    }

    filled->resumeNonBlockingCheck(ProxyAuthLookup::Instance());
}
/// Returns a new heap-allocated ACLProxyAuth built with the copy constructor.
/// The result is a raw pointer; nothing in this function releases it.
///
/// The source listing omits the return-type and brace lines of this
/// definition; they are restored here.
ACL *
ACLProxyAuth::clone() const
{
    ACLProxyAuth *duplicate = new ACLProxyAuth(*this);
    return duplicate;
}
/// Matches the username carried by the checklist's auth_user_request against
/// this ACL's data and returns the result of data->match().
///
/// The source listing omits the return-type and brace lines of this
/// definition; they are restored here.
int
ACLProxyAuth::matchForCache(ACLChecklist *cl)
{
    ACLFilledChecklist *checklist = Filled(cl);

    // Only the presence of the request is asserted here, not its valid()
    // state or that authentication succeeded.
    // NOTE(review): confirm every caller reaches this point only after the
    // user has been authenticated.
    assert (checklist->auth_user_request != NULL);

    char const *const user = checklist->auth_user_request->username();
    return data->match(user);
}
166 /* aclMatchProxyAuth can return two exit codes:
167 * 0 : Authorisation for this ACL failed. (Did not match)
168 * 1 : Authorisation OK. (Matched)
171 ACLProxyAuth::matchProxyAuth(ACLChecklist
*cl
)
173 ACLFilledChecklist
*checklist
= Filled(cl
);
174 if (checklist
->request
->flags
.sslBumped
)
175 return 1; // AuthenticateAcl() already handled this bumped request
176 if (!authenticateUserAuthenticated(Filled(checklist
)->auth_user_request
)) {
179 /* check to see if we have matched the user-acl before */
180 int result
= cacheMatchAcl(&checklist
->auth_user_request
->user()->proxy_match_cache
, checklist
);
181 checklist
->auth_user_request
= NULL
;