#include "auth/AclProxyAuth.h"
#include "HttpRequest.h"
-/** retval -1 user not authenticated (authentication error?)
- retval 0 user not authorized OR user authentication is in pgrogress
- retval +1 user authenticated and authorized */
-int
+/**
+ * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
+ * \retval ACCESS_DENIED user not authenticated (authentication error?)
+ * \retval ACCESS_DUNNO user authentication is in progress
+ * \retval ACCESS_DENIED user not authorized
+ * \retval ACCESS_ALLOWED user authenticated and authorized
+ */
+allow_t
AuthenticateAcl(ACLChecklist *ch)
{
ACLFilledChecklist *checklist = Filled(ch);
if (NULL == request) {
fatal ("requiresRequest SHOULD have been true for this ACL!!");
- return 0;
+ return ACCESS_DENIED;
} else if (request->flags.accelerated) {
/* WWW authorization on accelerated requests */
headertype = HDR_AUTHORIZATION;
} else if (request->flags.intercepted || request->flags.spoof_client_ip) {
- debugs(28, DBG_IMPORTANT, HERE << " authentication not applicable on intercepted requests.");
- return -1;
+ debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
+ return ACCESS_DENIED;
} else {
/* Proxy authorization on proxy requests */
headertype = HDR_PROXY_AUTHORIZATION;
switch (result) {
case AUTH_ACL_CANNOT_AUTHENTICATE:
- debugs(28, 4, HERE << "returning 0 user authenticated but not authorised.");
- return 0;
+ debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
+ return ACCESS_DENIED;
case AUTH_AUTHENTICATED:
- return 1;
+ return ACCESS_ALLOWED;
break;
case AUTH_ACL_HELPER:
- debugs(28, 4, HERE << "returning 0 sending credentials to helper.");
+ debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending credentials to helper.");
checklist->changeState(ProxyAuthLookup::Instance());
- return 0;
+ return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
case AUTH_ACL_CHALLENGE:
- debugs(28, 4, HERE << "returning 0 sending authentication challenge.");
- checklist->changeState (ProxyAuthNeeded::Instance());
- return 0;
+ debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending authentication challenge.");
+ checklist->changeState(ProxyAuthNeeded::Instance());
+ return ACCESS_AUTH_REQUIRED;
default:
fatal("unexpected authenticateAuthenticate reply\n");
- return 0;
+ return ACCESS_DENIED;
}
}
ACLMaxUserIP::match(ACLChecklist *cl)
{
ACLFilledChecklist *checklist = Filled(cl);
+ allow_t answer = AuthenticateAcl(checklist);
+ checklist->currentAnswer(answer);
int ti;
- if ((ti = AuthenticateAcl(checklist)) != 1)
+ // convert to tri-state ACL match 1,0,-1
+ switch(answer)
+ {
+ case ACCESS_ALLOWED:
+ case ACCESS_AUTH_EXPIRED_OK:
+ // check for a match
+ ti = match(checklist->auth_user_request, checklist->src_addr);
+ checklist->auth_user_request = NULL;
return ti;
- ti = match(checklist->auth_user_request, checklist->src_addr);
+ case ACCESS_DENIED:
+ case ACCESS_AUTH_EXPIRED_BAD:
+ return 0; // non-match
- checklist->auth_user_request = NULL;
-
- return ti;
+ case ACCESS_DUNNO:
+ case ACCESS_AUTH_REQUIRED:
+ default:
+ return -1; // other
+ }
}
wordlist *
int
ACLProxyAuth::match(ACLChecklist *checklist)
{
- int ti;
-
- if ((ti = AuthenticateAcl(checklist)) != 1)
- return ti;
-
- ti = matchProxyAuth(checklist);
-
- return ti;
+ allow_t answer = AuthenticateAcl(checklist);
+ checklist->currentAnswer(answer);
+
+ // convert to tri-state ACL match 1,0,-1
+ switch(answer)
+ {
+ case ACCESS_ALLOWED:
+ case ACCESS_AUTH_EXPIRED_OK:
+ // check for a match
+ return matchProxyAuth(checklist);
+
+ case ACCESS_DENIED:
+ case ACCESS_AUTH_EXPIRED_BAD:
+ return 0; // non-match
+
+ case ACCESS_DUNNO:
+ case ACCESS_AUTH_REQUIRED:
+ default:
+ return -1; // other
+ }
}
wordlist *
projects / thirdparty / squid.git / commitdiff
