Shuffle auth_schemes config objects into Auth::Config

Also, move the directive definition down into "Access Controls" section
of squid.conf to avoid dependency issues with acl directive definitions
being done too late.

diff --git a/src/SquidConfig.h b/src/SquidConfig.h
index 5ff7e0795dea7d1db0da2d49e01a988d95afd2ac..416c386c48b893cc65f03c579852be8303b1a8c6 100644 (file)
--- a/src/SquidConfig.h
+++ b/src/SquidConfig.h
@@ -397,9 +397,6 @@ public:
 
         acl_access *forceRequestBodyContinuation;
         acl_access *serverPconnForNonretriable;
-#if USE_AUTH
-        acl_access *authSchemes;
-#endif
     } accessList;
     AclDenyInfoList *denyInfoList;
 

diff --git a/src/auth/Config.cc b/src/auth/Config.cc
index bdc30fc50787059903a8c590c97b072d3002fbe1..2760f08d652a1122aa0d567d391002559c182df5 100644 (file)
--- a/src/auth/Config.cc
+++ b/src/auth/Config.cc
@@ -9,6 +9,7 @@
 /* DEBUG: section 29    Authenticator */
 
 #include "squid.h"
+#include "acl/Tree.h"
 #include "auth/Config.h"
 
 Auth::Config Auth::TheConfig;

diff --git a/src/auth/Config.h b/src/auth/Config.h
index 23c074727f9b1a6d2230ce1504e2fca78da88f1d..665e5bd2b341ae1fa5d027bb7d92d460623c039e 100644 (file)
--- a/src/auth/Config.h
+++ b/src/auth/Config.h
@@ -11,6 +11,7 @@
 
 #if USE_AUTH
 
+#include "acl/forward.h"
 #include "auth/SchemeConfig.h"
 #include "auth/SchemesConfig.h"
 
@@ -24,7 +25,10 @@ public:
     Auth::ConfigVector schemes;
 
     /// set of auth_schemes directives
-    Auth::SchemesConfig *schemeLists = nullptr;
+    std::vector<Auth::SchemesConfig> schemeLists;
+
+    /// the ACL list for auth_schemes directives
+    acl_access *schemeAccess = nullptr;
 };
 
 extern Auth::Config TheConfig;

diff --git a/src/auth/SchemesConfig.cc b/src/auth/SchemesConfig.cc
index d21782158386f5451ff5a0d1dd0a0f76e84964da..ccd725331aad9480e335d8f6b41ddccd2d44948d 100644 (file)
--- a/src/auth/SchemesConfig.cc
+++ b/src/auth/SchemesConfig.cc
@@ -11,11 +11,6 @@
 #include "fatal.h"
 #include "parser/Tokenizer.h"
 
-namespace Auth
-{
-std::vector<Auth::SchemesConfig> SchemeListConfig;
-}
-
 static void
 addUnique(const SBuf &scheme, std::vector<SBuf> &vec)
 {

diff --git a/src/auth/SchemesConfig.h b/src/auth/SchemesConfig.h
index fb04bc5b3b576fc7caf0eb68020bf01ff1e3ade6..0ec456bcc221a9433b2e36e4ea553ca1ddbf8b5a 100644 (file)
--- a/src/auth/SchemesConfig.h
+++ b/src/auth/SchemesConfig.h
@@ -17,7 +17,6 @@ namespace Auth
 {
 
 /**
- * \ingroup AuthAPI
  * Stores authentication schemes list, configured by auth_schemes
  * directive.
  */
@@ -31,7 +30,7 @@ public:
 
 public:
     /// corresponding vector of Auth::Config objects
-    ConfigVector authConfigs;
+    Auth::ConfigVector authConfigs;
 
 private:
     /// raw auth schemes list (may have duplicates)
@@ -43,8 +42,6 @@ public:
     const char *rawSchemes;
 };
 
-extern std::vector<Auth::SchemesConfig> SchemeListConfig;
-
 } // namespace Auth
 
 #endif /* USE_AUTH */

diff --git a/src/auth/UserRequest.cc b/src/auth/UserRequest.cc
index cd988df894986d896274c1887519a2d384c29fff..c899349913e126021eaab9901f0f806c3e813aa8 100644 (file)
--- a/src/auth/UserRequest.cc
+++ b/src/auth/UserRequest.cc
@@ -463,13 +463,13 @@ Auth::UserRequest::tryToAuthenticateAndSetAuthUser(Auth::UserRequest::Pointer *
 static Auth::ConfigVector &
 schemesConfig(HttpRequest *request, HttpReply *rep)
 {
-    if (!Auth::SchemeListConfig.empty()) {
+    if (!Auth::TheConfig.schemeLists.empty() && Auth::TheConfig.schemeAccess) {
         ACLFilledChecklist ch(NULL, request, NULL);
         ch.reply = rep;
         HTTPMSGLOCK(ch.reply);
-        const allow_t answer = ch.fastCheck(::Config.accessList.authSchemes);
+        const allow_t answer = ch.fastCheck(Auth::TheConfig.schemeAccess);
         if (answer == ACCESS_ALLOWED)
-            return Auth::SchemeListConfig.at(answer.kind).authConfigs;
+            return Auth::TheConfig.schemeLists.at(answer.kind).authConfigs;
     }
     return Auth::TheConfig.schemes;
 }

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 75236de293087b28de89a292f0139462bb083ed2..d3f508eb6ba6d24f4f8e570872f98bf896338b9d 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -943,7 +943,7 @@ configDoConfigure(void)
         }
     }
 
-    for (auto &authSchemes : Auth::SchemeListConfig) {
+    for (auto &authSchemes : Auth::TheConfig.schemeLists) {
         authSchemes.expand();
         if (authSchemes.authConfigs.empty()) {
             debugs(3, DBG_CRITICAL, "auth_schemes: at least one scheme name is required; got: " << authSchemes.rawSchemes);
@@ -1841,15 +1841,15 @@ parse_AuthSchemes(acl_access **authSchemes)
         self_destruct();
         return;
     }
-    Auth::SchemeListConfig.emplace_back(tok, ConfigParser::LastTokenWasQuoted());
-    const allow_t action = allow_t(ACCESS_ALLOWED, Auth::SchemeListConfig.size() - 1);
+    Auth::TheConfig.schemeLists.emplace_back(tok, ConfigParser::LastTokenWasQuoted());
+    const allow_t action = allow_t(ACCESS_ALLOWED, Auth::TheConfig.schemeLists.size() - 1);
     ParseAclWithAction(authSchemes, action, "auth_schemes");
 }
 
 static void
 free_AuthSchemes(acl_access **authSchemes)
 {
-    Auth::SchemeListConfig.clear();
+    Auth::TheConfig.schemeLists.clear();
     free_acl_access(authSchemes);
 }
 
@@ -1858,7 +1858,7 @@ dump_AuthSchemes(StoreEntry *entry, const char *name, acl_access *authSchemes)
 {
     if (authSchemes)
         dump_SBufList(entry, authSchemes->treeDump(name, [](const allow_t &action) {
-        return Auth::SchemeListConfig.at(action.kind).rawSchemes;
+        return Auth::TheConfig.schemeLists.at(action.kind).rawSchemes;
     }));
 }
 

diff --git a/src/cf.data.pre b/src/cf.data.pre
index 62a2e4c408d9c5282363dd40c0d1655c1da2f3b8..525a2e9ff33df31d476b4abb9a2b2fbb16c235b7 100644 (file)
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -771,51 +771,6 @@ DOC_START
        environment with relatively static address assignments.
 DOC_END
 
-NAME: auth_schemes
-TYPE: AuthSchemes
-IFDEF: USE_AUTH
-LOC: Config.accessList.authSchemes
-DEFAULT: none
-DEFAULT_DOC: use all auth_param schemes in their configuration order
-DOC_START
-       Use this directive to customize authentication schemes presence and
-       order in Squid's Unauthorized and Authentication Required responses.
-
-               auth_schemes scheme1,scheme2,... [!]aclname ...
-
-       where schemeN is the name of one of the authentication schemes
-       configured using auth_param directives. At least one scheme name is
-       required. Multiple scheme names are separated by commas. Either
-       avoid whitespace or quote the entire schemes list.
-
-       A special "ALL" scheme name expands to all auth_param-configured
-       schemes in their configuration order. This directive cannot be used
-       to configure Squid to offer no authentication schemes at all.
-
-       The first matching auth_schemes rule determines the schemes order
-       for the current Authentication Required transaction. Note that the
-       future response is not yet available during auth_schemes evaluation.
-
-       If this directive is not used or none of its rules match, then Squid
-       responds with all configured authentication schemes in the order of
-       auth_param directives in the configuration file.
-
-       This directive does not determine when authentication is used or
-       how each authentication scheme authenticates clients.
-
-       The following example sends basic and negotiate authentication
-       schemes, in that order, when requesting authentication of HTTP
-       requests matching the isIE ACL (not shown) while sending all
-       auth_param schemes in their configuration order to other clients:
-
-               auth_schemes basic,negotiate isIE
-               auth_schemes ALL all # explicit default
-
-       This directive supports fast ACLs only.
-
-       See also: auth_param.
-DOC_END
-
 COMMENT_START
  ACCESS CONTROLS
  -----------------------------------------------------------------------------
@@ -1931,6 +1886,51 @@ DOC_START
        See also: squid_error ACL
 DOC_END
 
+NAME: auth_schemes
+TYPE: AuthSchemes
+IFDEF: USE_AUTH
+LOC: Auth::TheConfig.schemeAccess
+DEFAULT: none
+DEFAULT_DOC: use all auth_param schemes in their configuration order
+DOC_START
+       Use this directive to customize authentication schemes presence and
+       order in Squid's Unauthorized and Authentication Required responses.
+
+               auth_schemes scheme1,scheme2,... [!]aclname ...
+
+       where schemeN is the name of one of the authentication schemes
+       configured using auth_param directives. At least one scheme name is
+       required. Multiple scheme names are separated by commas. Either
+       avoid whitespace or quote the entire schemes list.
+
+       A special "ALL" scheme name expands to all auth_param-configured
+       schemes in their configuration order. This directive cannot be used
+       to configure Squid to offer no authentication schemes at all.
+
+       The first matching auth_schemes rule determines the schemes order
+       for the current Authentication Required transaction. Note that the
+       future response is not yet available during auth_schemes evaluation.
+
+       If this directive is not used or none of its rules match, then Squid
+       responds with all configured authentication schemes in the order of
+       auth_param directives in the configuration file.
+
+       This directive does not determine when authentication is used or
+       how each authentication scheme authenticates clients.
+
+       The following example sends basic and negotiate authentication
+       schemes, in that order, when requesting authentication of HTTP
+       requests matching the isIE ACL (not shown) while sending all
+       auth_param schemes in their configuration order to other clients:
+
+               auth_schemes basic,negotiate isIE
+               auth_schemes ALL all # explicit default
+
+       This directive supports fast ACLs only.
+
+       See also: auth_param.
+DOC_END
+
 COMMENT_START
  NETWORK OPTIONS
  -----------------------------------------------------------------------------

diff --git a/src/tests/stub_libauth.cc b/src/tests/stub_libauth.cc
index bac9f8670623295fbee5e30f0f6e55c0b6712bac..db8162c8d60b76aad567ae071232044943acf384 100644 (file)
--- a/src/tests/stub_libauth.cc
+++ b/src/tests/stub_libauth.cc
@@ -36,6 +36,9 @@ Auth::Scheme::Pointer Auth::Scheme::Find(const char *) STUB_RETVAL(NULL)
 std::vector<Auth::Scheme::Pointer> & Auth::Scheme::GetSchemes() STUB_RETVAL(*_Schemes);
 void Auth::Scheme::FreeAll() STUB
 
+#include "auth/SchemesConfig.h"
+void Auth::SchemesConfig::expand() STUB
+
 #include "auth/User.h"
 Auth::User::User(Auth::SchemeConfig *, const char *) STUB
 Auth::CredentialState Auth::User::credentials() const STUB_RETVAL(credentials_state)
@@ -77,12 +80,5 @@ Auth::Scheme::Pointer Auth::UserRequest::scheme() const STUB_RETVAL(NULL)
 #include "AuthReg.h"
 void Auth::Init() STUB_NOP
 
-#include "auth/SchemesConfig.h"
-namespace Auth
-{
-std::vector<Auth::SchemesConfig> SchemeListConfig;
-void SchemesConfig::expand() STUB
-}
-
 #endif /* USE_AUTH */