From: Alex Rousskov
Date: Sun, 8 Mar 2009 22:20:22 +0000 (-0600)
Subject: Moved authenticated() method from ACL[Filled]Checklist into auth/Acl.{cc,h} to
X-Git-Tag: SQUID_3_2_0_1~1111^2~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ada3123cae4373866496e90f498b39f2a509494;p=thirdparty%2Fsquid.git
Moved authenticated() method from ACL[Filled]Checklist into auth/Acl.{cc,h} to break the circular dependency between acl/libs and auth/libs. Context: SourceLayout: acl/, take 1
---
diff --git a/src/auth/Acl.cc b/src/auth/Acl.cc
new file mode 100644
index 0000000000..b8665c2b08
--- /dev/null
+++ b/src/auth/Acl.cc
@@ -0,0 +1,78 @@
+#include "squid.h"
+#include "acl/Acl.h"
+#include "acl/FilledChecklist.h"
+#include "auth/UserRequest.h"
+#include "auth/Acl.h"
+#include "auth/AclProxyAuth.h"
+#include "HttpRequest.h"
+
+/** retval -1 user not authenticated (authentication error?)
+ retval 0 user not authorized OR user authentication is in pgrogress
+ retval +1 user authenticated and authorized */
+int
+AuthenticateAcl(ACLChecklist *ch)
+{
+ ACLFilledChecklist *checklist = Filled(ch);
+ HttpRequest *request = checklist->request;
+ http_hdr_type headertype;
+
+ if (NULL == request) {
+ fatal ("requiresRequest SHOULD have been true for this ACL!!");
+ return 0;
+ } else if (request->flags.accelerated) {
+ /* WWW authorization on accelerated requests */
+ headertype = HDR_AUTHORIZATION;
+ } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
+ debugs(28, DBG_IMPORTANT, HERE << " authentication not applicable on intercepted requests.");
+ return -1;
+ } else {
+ /* Proxy authorization on proxy requests */
+ headertype = HDR_PROXY_AUTHORIZATION;
+ }
+
+ /* get authed here */
+ /* Note: this fills in auth_user_request when applicable */
+ /*
+ * DPW 2007-05-08
+ * tryToAuthenticateAndSetAuthUser used to try to lock and
+ * unlock auth_user_request on our behalf, but it was too
+ * ugly and hard to follow. Now we do our own locking here.
+ *
+ * I'm not sure what tryToAuthenticateAndSetAuthUser does when
+ * auth_user_request is set before calling. I'm tempted to
+ * unlock and set it to NULL, but it seems safer to save the
+ * pointer before calling and unlock it afterwards. If the
+ * pointer doesn't change then its a no-op.
+ */
+ AuthUserRequest *old_auth_user_request = checklist->auth_user_request;
+ const auth_acl_t result = AuthUserRequest::tryToAuthenticateAndSetAuthUser(
+ &checklist->auth_user_request, headertype, request,
+ checklist->conn(), checklist->src_addr);
+ if (checklist->auth_user_request)
+ AUTHUSERREQUESTLOCK(checklist->auth_user_request, "ACLAuth::authenticated");
+ AUTHUSERREQUESTUNLOCK(old_auth_user_request, "old ACLAuth");
+ switch (result) {
+
+ case AUTH_ACL_CANNOT_AUTHENTICATE:
+ debugs(28, 4, HERE << "returning 0 user authenticated but not authorised.");
+ return 0;
+
+ case AUTH_AUTHENTICATED:
+ return 1;
+ break;
+
+ case AUTH_ACL_HELPER:
+ debugs(28, 4, HERE << "returning 0 sending credentials to helper.");
+ checklist->changeState(ProxyAuthLookup::Instance());
+ return 0;
+
+ case AUTH_ACL_CHALLENGE:
+ debugs(28, 4, HERE << "returning 0 sending authentication challenge.");
+ checklist->changeState (ProxyAuthNeeded::Instance());
+ return 0;
+
+ default:
+ fatal("unexpected authenticateAuthenticate reply\n");
+ return 0;
+ }
+}
diff --git a/src/auth/Acl.h b/src/auth/Acl.h
new file mode 100644
index 0000000000..5c3f947f01
--- /dev/null
+++ b/src/auth/Acl.h
@@ -0,0 +1,12 @@
+#ifndef SQUID_AUTH_ACL_H
+#define SQUID_AUTH_ACL_H
+
+// ACL-related code used by authentication-related code. This code is not in
+// auth/Gadgets to avoid making auth/libauth dependent on acl/libstate because
+// acl/libstate already depends on auth/libauth.
+
+class ACLChecklist;
+/// \ingroup AuthAPI
+extern int AuthenticateAcl(ACLChecklist *ch);
+
+#endif /* SQUID_AUTH_ACL_H */
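Review bot: `AuthenticateAcl()` now takes the base `ACLChecklist *` and dereferences the result of `Filled(ch)` on the very next line (`checklist->request`) without checking it. `Filled()` lives in acl/FilledChecklist.h, which this diff does not show; if it is a checked downcast that can yield NULL, a caller passing another checklist type would fault inside the authentication path. As a member function the object type was guaranteed, so the free function should state that precondition explicitly, for example `assert(checklist != NULL);` directly after the cast.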
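Review bot: The declaration of `AuthenticateAcl()` carries only `/// \ingroup AuthAPI`, so its three-valued result is documented only in Acl.cc, where callers including this header will not see it. Because -1 (not authenticated) is non-zero, a caller that tests the result as a boolean would treat an unauthenticated request as a match. I would add a Doxygen comment above the declaration such as `/// \retval 1 authenticated and authorized; \retval 0 not authorized or authentication in progress; \retval -1 not authenticated. Compare against 1, never test for non-zero.`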