src/auth/AclProxyAuth.cc

   1 /*
   2  * $Id$
   3  *
   4  * DEBUG: section 28    Access Control
   5  * AUTHOR: Duane Wessels
   6  *
   7  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   8  * ----------------------------------------------------------
   9  *
  10  *  Squid is the result of efforts by numerous individuals from
  11  *  the Internet community; see the CONTRIBUTORS file for full
  12  *  details.   Many organizations have provided support for Squid's
  13  *  development; see the SPONSORS file for full details.  Squid is
  14  *  Copyrighted (C) 2001 by the Regents of the University of
  15  *  California; see the COPYRIGHT file for full details.  Squid
  16  *  incorporates software developed and/or copyrighted by other
  17  *  sources; see the CREDITS file for full details.
  18  *
  19  *  This program is free software; you can redistribute it and/or modify
  20  *  it under the terms of the GNU General Public License as published by
  21  *  the Free Software Foundation; either version 2 of the License, or
  22  *  (at your option) any later version.
  23  *
  24  *  This program is distributed in the hope that it will be useful,
  25  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  26  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  27  *  GNU General Public License for more details.
  28  *
  29  *  You should have received a copy of the GNU General Public License
  30  *  along with this program; if not, write to the Free Software
  31  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  32  *
  33  *
  34  * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
  35  */
  36
  37 #include "squid-old.h"
  38 #include "auth/AclProxyAuth.h"
  39 #include "auth/Gadgets.h"
  40 #include "acl/FilledChecklist.h"
  41 #include "acl/UserData.h"
  42 #include "acl/RegexData.h"
  43 #include "client_side.h"
  44 #include "HttpRequest.h"
  45 #include "auth/Acl.h"
  46 #include "auth/User.h"
  47 #include "auth/UserRequest.h"
  48
  49 ACLProxyAuth::~ACLProxyAuth()
  50 {
  51     delete data;
  52 }
  53
  54 ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) : data (newData), type_(theType) {}
  55
  56 ACLProxyAuth::ACLProxyAuth (ACLProxyAuth const &old) : data (old.data->clone()), type_(old.type_)
  57 {}
  58
  59 ACLProxyAuth &
  60 ACLProxyAuth::operator= (ACLProxyAuth const &rhs)
  61 {
  62     data = rhs.data->clone();
  63     type_ = rhs.type_;
  64     return *this;
  65 }
  66
  67 char const *
  68 ACLProxyAuth::typeString() const
  69 {
  70     return type_;
  71 }
  72
  73 void
  74 ACLProxyAuth::parse()
  75 {
  76     data->parse();
  77 }
  78
  79 int
  80 ACLProxyAuth::match(ACLChecklist *checklist)
  81 {
  82     allow_t answer = AuthenticateAcl(checklist);
  83     // convert to tri-state ACL match 1,0,-1
  84     switch (answer) {
  85     case ACCESS_ALLOWED:
  86         // check for a match
  87         return matchProxyAuth(checklist);
  88
  89     case ACCESS_DENIED:
  90         return 0; // non-match
  91
  92     case ACCESS_DUNNO:
  93     case ACCESS_AUTH_REQUIRED:
  94     default:
  95         // If the answer is not allowed or denied (matches/not matches) and
  96         // async authentication is not needed (asyncNeeded), then we are done.
  97         if (!checklist->asyncNeeded())
  98             checklist->markFinished(answer, "AuthenticateAcl exception");
  99         return -1; // other
 100     }
 101 }
 102
 103 wordlist *
 104 ACLProxyAuth::dump() const
 105 {
 106     return data->dump();
 107 }
 108
 109 bool
 110 ACLProxyAuth::empty () const
 111 {
 112     return data->empty();
 113 }
 114
 115 bool
 116 ACLProxyAuth::valid () const
 117 {
 118     if (authenticateSchemeCount() == 0) {
 119         debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
 120         return false;
 121     }
 122
 123     if (authenticateActiveSchemeCount() == 0) {
 124         debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
 125         return false;
 126     }
 127
 128     return true;
 129 }
 130
 131 ProxyAuthLookup ProxyAuthLookup::instance_;
 132
 133 ProxyAuthLookup *
 134 ProxyAuthLookup::Instance()
 135 {
 136     return &instance_;
 137 }
 138
 139 void
 140 ProxyAuthLookup::checkForAsync(ACLChecklist *cl)const
 141 {
 142     ACLFilledChecklist *checklist = Filled(cl);
 143
 144     checklist->asyncInProgress(true);
 145     debugs(28, 3, HERE << "checking password via authenticator");
 146
 147     /* make sure someone created auth_user_request for us */
 148     assert(checklist->auth_user_request != NULL);
 149     assert(checklist->auth_user_request->valid());
 150     checklist->auth_user_request->start(LookupDone, checklist);
 151 }
 152
 153 void
 154 ProxyAuthLookup::LookupDone(void *data, char *result)
 155 {
 156     ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
 157
 158     assert (checklist->asyncState() == ProxyAuthLookup::Instance());
 159
 160     if (result != NULL)
 161         fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n");
 162
 163     if (checklist->auth_user_request == NULL || !checklist->auth_user_request->valid() || checklist->conn() == NULL) {
 164         /* credentials could not be checked either way
 165          * restart the whole process */
 166         /* OR the connection was closed, there's no way to continue */
 167         checklist->auth_user_request = NULL;
 168
 169         if (checklist->conn() != NULL) {
 170             checklist->conn()->auth_user_request = NULL;
 171         }
 172     }
 173
 174     checklist->asyncInProgress(false);
 175     checklist->changeState (ACLChecklist::NullState::Instance());
 176     checklist->matchNonBlocking();
 177 }
 178
 179 ACL *
 180 ACLProxyAuth::clone() const
 181 {
 182     return new ACLProxyAuth(*this);
 183 }
 184
 185 int
 186 ACLProxyAuth::matchForCache(ACLChecklist *cl)
 187 {
 188     ACLFilledChecklist *checklist = Filled(cl);
 189     assert (checklist->auth_user_request != NULL);
 190     return data->match(checklist->auth_user_request->username());
 191 }
 192
 193 /* aclMatchProxyAuth can return two exit codes:
 194  * 0 : Authorisation for this ACL failed. (Did not match)
 195  * 1 : Authorisation OK. (Matched)
 196  */
 197 int
 198 ACLProxyAuth::matchProxyAuth(ACLChecklist *cl)
 199 {
 200     ACLFilledChecklist *checklist = Filled(cl);
 201     if (!authenticateUserAuthenticated(Filled(checklist)->auth_user_request)) {
 202         return 0;
 203     }
 204     /* check to see if we have matched the user-acl before */
 205     int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);
 206     checklist->auth_user_request = NULL;
 207     return result;
 208 }