src/auth/AclProxyAuth.cc

   1 /*
   2  * $Id$
   3  *
   4  * DEBUG: section 28    Access Control
   5  * AUTHOR: Duane Wessels
   6  *
   7  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   8  * ----------------------------------------------------------
   9  *
  10  *  Squid is the result of efforts by numerous individuals from
  11  *  the Internet community; see the CONTRIBUTORS file for full
  12  *  details.   Many organizations have provided support for Squid's
  13  *  development; see the SPONSORS file for full details.  Squid is
  14  *  Copyrighted (C) 2001 by the Regents of the University of
  15  *  California; see the COPYRIGHT file for full details.  Squid
  16  *  incorporates software developed and/or copyrighted by other
  17  *  sources; see the CREDITS file for full details.
  18  *
  19  *  This program is free software; you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License as published by
  21  *  the Free Software Foundation; either version 2 of the License, or
  22  *  (at your option) any later version.
  23  *
  24  *  This program is distributed in the hope that it will be useful,
  25  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  26  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  27  *  GNU General Public License for more details.
  28  *
  29  *  You should have received a copy of the GNU General Public License
  30  *  along with this program; if not, write to the Free Software
  31  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  32  *
  33  *
  34  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  35  */
  36
  37 #include "squid.h"
  38 #include "auth/AclProxyAuth.h"
  39 #include "auth/Gadgets.h"
  40 #include "acl/FilledChecklist.h"
  41 #include "acl/UserData.h"
  42 #include "acl/RegexData.h"
  43 #include "client_side.h"
  44 #include "HttpRequest.h"
  45 #include "auth/Acl.h"
  46 #include "auth/User.h"
  47 #include "auth/UserRequest.h"
  48
  49 ACLProxyAuth::~ACLProxyAuth()
  50 {
  51     delete data;
  52 }
  53
  54 ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) : data (newData), type_(theType) {}
  55
  56 ACLProxyAuth::ACLProxyAuth (ACLProxyAuth const &old) : data (old.data->clone()), type_(old.type_)
  57 {}
  58
  59 ACLProxyAuth &
  60 ACLProxyAuth::operator= (ACLProxyAuth const &rhs)
  61 {
  62     data = rhs.data->clone();
  63     type_ = rhs.type_;
  64     return *this;
  65 }
  66
  67 char const *
  68 ACLProxyAuth::typeString() const
  69 {
  70     return type_;
  71 }
  72
  73 void
  74 ACLProxyAuth::parse()
  75 {
  76     data->parse();
  77 }
  78
  79 int
  80 ACLProxyAuth::match(ACLChecklist *checklist)
  81 {
  82     allow_t answer = AuthenticateAcl(checklist);
  83     checklist->currentAnswer(answer);
  84
  85     // convert to tri-state ACL match 1,0,-1
  86     switch(answer)
  87     {
  88     case ACCESS_ALLOWED:
  89     case ACCESS_AUTH_EXPIRED_OK:
  90         // check for a match
  91         return matchProxyAuth(checklist);
  92
  93     case ACCESS_DENIED:
  94     case ACCESS_AUTH_EXPIRED_BAD:
  95         return 0; // non-match
  96
  97     case ACCESS_DUNNO:
  98     case ACCESS_AUTH_REQUIRED:
  99     default:
 100         return -1; // other
 101     }
 102 }
 103
 104 wordlist *
 105 ACLProxyAuth::dump() const
 106 {
 107     return data->dump();
 108 }
 109
 110 bool
 111 ACLProxyAuth::empty () const
 112 {
 113     return data->empty();
 114 }
 115
 116 bool
 117 ACLProxyAuth::valid () const
 118 {
 119     if (authenticateSchemeCount() == 0) {
 120         debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
 121         return false;
 122     }
 123
 124     if (authenticateActiveSchemeCount() == 0) {
 125         debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
 126         return false;
 127     }
 128
 129     return true;
 130 }
 131
 132 ProxyAuthNeeded ProxyAuthNeeded::instance_;
 133
 134 ProxyAuthNeeded *
 135 ProxyAuthNeeded::Instance()
 136 {
 137     return &instance_;
 138 }
 139
 140 ProxyAuthLookup ProxyAuthLookup::instance_;
 141
 142 ProxyAuthLookup *
 143 ProxyAuthLookup::Instance()
 144 {
 145     return &instance_;
 146 }
 147
 148 void
 149 ProxyAuthLookup::checkForAsync(ACLChecklist *cl)const
 150 {
 151     ACLFilledChecklist *checklist = Filled(cl);
 152
 153     checklist->asyncInProgress(true);
 154     debugs(28, 3, HERE << "checking password via authenticator");
 155
 156     /* make sure someone created auth_user_request for us */
 157     assert(checklist->auth_user_request != NULL);
 158     assert(checklist->auth_user_request->valid());
 159     checklist->auth_user_request->start(LookupDone, checklist);
 160 }
 161
 162 void
 163 ProxyAuthLookup::LookupDone(void *data, char *result)
 164 {
 165     ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
 166
 167     assert (checklist->asyncState() == ProxyAuthLookup::Instance());
 168
 169     if (result != NULL)
 170         fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n");
 171
 172     if (checklist->auth_user_request == NULL || !checklist->auth_user_request->valid() || checklist->conn() == NULL) {
 173         /* credentials could not be checked either way
 174          * restart the whole process */
 175         /* OR the connection was closed, there's no way to continue */
 176         checklist->auth_user_request = NULL;
 177
 178         if (checklist->conn() != NULL) {
 179             checklist->conn()->auth_user_request = NULL;
 180         }
 181     }
 182
 183     checklist->asyncInProgress(false);
 184     checklist->changeState (ACLChecklist::NullState::Instance());
 185     checklist->matchNonBlocking();
 186 }
 187
 188 void
 189 ProxyAuthNeeded::checkForAsync(ACLChecklist *checklist) const
 190 {
 191     /* Client is required to resend the request with correct authentication
 192      * credentials. (This may be part of a stateful auth protocol.)
 193      * The request is denied.
 194      */
 195     debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
 196     checklist->currentAnswer(ACCESS_AUTH_REQUIRED);
 197     checklist->changeState (ACLChecklist::NullState::Instance());
 198     checklist->markFinished();
 199 }
 200
 201 ACL *
 202 ACLProxyAuth::clone() const
 203 {
 204     return new ACLProxyAuth(*this);
 205 }
 206
 207 int
 208 ACLProxyAuth::matchForCache(ACLChecklist *cl)
 209 {
 210     ACLFilledChecklist *checklist = Filled(cl);
 211     assert (checklist->auth_user_request != NULL);
 212     return data->match(checklist->auth_user_request->username());
 213 }
 214
 215 /* aclMatchProxyAuth can return two exit codes:
 216  * 0 : Authorisation for this ACL failed. (Did not match)
 217  * 1 : Authorisation OK. (Matched)
 218  */
 219 int
 220 ACLProxyAuth::matchProxyAuth(ACLChecklist *cl)
 221 {
 222     ACLFilledChecklist *checklist = Filled(cl);
 223     if (!authenticateUserAuthenticated(Filled(checklist)->auth_user_request)) {
 224         return 0;
 225     }
 226     /* check to see if we have matched the user-acl before */
 227     int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);
 228     checklist->auth_user_request = NULL;
 229     return result;
 230 }