From: Amos Jeffries
Date: Sun, 14 Aug 2011 12:18:57 +0000 (-0600)
Subject: Convert AuthenticateAcl() to use new ACL states
X-Git-Tag: take08~43^2~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ccec22f9bfe0636bfe41df3544680793a43dda8e;p=thirdparty%2Fsquid.git
Convert AuthenticateAcl() to use new ACL states
---
diff --git a/src/auth/Acl.cc b/src/auth/Acl.cc
index 0974f94a79..6ad4e16697 100644
--- a/src/auth/Acl.cc
+++ b/src/auth/Acl.cc
@@ -6,10 +6,14 @@
 #include "auth/AclProxyAuth.h"
 #include "HttpRequest.h"
 
-/** retval -1 user not authenticated (authentication error?)
- retval 0 user not authorized OR user authentication is in pgrogress
- retval +1 user authenticated and authorized */
-int
+/**
+ * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required.
+ * \retval ACCESS_DENIED user not authenticated (authentication error?)
+ * \retval ACCESS_DUNNO user authentication is in progress
+ * \retval ACCESS_DENIED user not authorized
+ * \retval ACCESS_ALLOWED user authenticated and authorized
+ */
+allow_t
 AuthenticateAcl(ACLChecklist *ch)
 {
 ACLFilledChecklist *checklist = Filled(ch);
@@ -18,13 +22,13 @@ AuthenticateAcl(ACLChecklist *ch)
 
 if (NULL == request) {
 fatal ("requiresRequest SHOULD have been true for this ACL!!");
- return 0;
+ return ACCESS_DENIED;
 } else if (request->flags.accelerated) {
 /* WWW authorization on accelerated requests */
 headertype = HDR_AUTHORIZATION;
 } else if (request->flags.intercepted || request->flags.spoof_client_ip) {
- debugs(28, DBG_IMPORTANT, HERE << " authentication not applicable on intercepted requests.");
- return -1;
+ debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests.");
+ return ACCESS_DENIED;
 } else {
 /* Proxy authorization on proxy requests */
 headertype = HDR_PROXY_AUTHORIZATION;
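Review bot: The new docblock lists `\retval ACCESS_DENIED` twice with different meanings ("user not authenticated" and "user not authorized"), which Doxygen will render as two entries for one value; fold them into one line such as ` * \retval ACCESS_DENIED user not authenticated, or authenticated but not authorized`. The second hunk of this file also maps the intercepted/spoof_client_ip path to ACCESS_DENIED where the old code returned -1, so callers now see a definite non-match rather than an error for those requests; that is worth a sentence in the same docblock so readers of the header do not assume intercepted traffic is left undecided. The body of AuthenticateAcl continues past both hunks.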
@@ -38,25 +42,25 @@ AuthenticateAcl(ACLChecklist *ch)
 switch (result) {
 
 case AUTH_ACL_CANNOT_AUTHENTICATE:
- debugs(28, 4, HERE << "returning 0 user authenticated but not authorised.");
- return 0;
+ debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
+ return ACCESS_DENIED;
 
 case AUTH_AUTHENTICATED:
- return 1;
+ return ACCESS_ALLOWED;
 break;
 
 case AUTH_ACL_HELPER:
- debugs(28, 4, HERE << "returning 0 sending credentials to helper.");
+ debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending credentials to helper.");
 checklist->changeState(ProxyAuthLookup::Instance());
- return 0;
+ return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
 
 case AUTH_ACL_CHALLENGE:
- debugs(28, 4, HERE << "returning 0 sending authentication challenge.");
- checklist->changeState (ProxyAuthNeeded::Instance());
- return 0;
+ debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending authentication challenge.");
+ checklist->changeState(ProxyAuthNeeded::Instance());
+ return ACCESS_AUTH_REQUIRED;
 
 default:
 fatal("unexpected authenticateAuthenticate reply\n");
- return 0;
+ return ACCESS_DENIED;
 }
 }
diff --git a/src/auth/Acl.h b/src/auth/Acl.h
index 3c21dce4ce..0345619e1c 100644
--- a/src/auth/Acl.h
+++ b/src/auth/Acl.h
@@ -3,13 +3,15 @@
 
 #if USE_AUTH
 
+#include "acl/Acl.h"
+
 // ACL-related code used by authentication-related code. This code is not in
 // auth/Gadgets to avoid making auth/libauth dependent on acl/libstate because
 // acl/libstate already depends on auth/libauth.
 
 class ACLChecklist;
 /// \ingroup AuthAPI
-extern int AuthenticateAcl(ACLChecklist *ch);
+extern allow_t AuthenticateAcl(ACLChecklist *ch);
 
 #endif /* USE_AUTH */
 #endif /* SQUID_AUTH_ACL_H */
diff --git a/src/auth/AclMaxUserIp.cc b/src/auth/AclMaxUserIp.cc
index 20e9d22f54..7d50e8513f 100644
--- a/src/auth/AclMaxUserIp.cc
+++ b/src/auth/AclMaxUserIp.cc
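Review bot: The debug lines in the AUTH_ACL_HELPER and AUTH_ACL_CHALLENGE arms print `ACCESS_DENIED` as the value being returned, but those arms now return ACCESS_DUNNO and ACCESS_AUTH_REQUIRED respectively, so a level-4 trace of an authentication lookup or challenge will claim a denial that never happened. Use the actual value in each message: `debugs(28, 4, HERE << "returning " << ACCESS_DUNNO << " sending credentials to helper.");` and `debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");`. Incidental but worth cleaning while here: the `break;` after `return ACCESS_ALLOWED;` is unreachable.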
@@ -150,16 +150,29 @@ int
 ACLMaxUserIP::match(ACLChecklist *cl)
 {
 ACLFilledChecklist *checklist = Filled(cl);
+ allow_t answer = AuthenticateAcl(checklist);
+ checklist->currentAnswer(answer);
 int ti;
 
- if ((ti = AuthenticateAcl(checklist)) != 1)
+ // convert to tri-state ACL match 1,0,-1
+ switch(answer)
+ {
+ case ACCESS_ALLOWED:
+ case ACCESS_AUTH_EXPIRED_OK:
+ // check for a match
+ ti = match(checklist->auth_user_request, checklist->src_addr);
+ checklist->auth_user_request = NULL;
 return ti;
 
- ti = match(checklist->auth_user_request, checklist->src_addr);
+ case ACCESS_DENIED:
+ case ACCESS_AUTH_EXPIRED_BAD:
+ return 0; // non-match
 
- checklist->auth_user_request = NULL;
-
- return ti;
+ case ACCESS_DUNNO:
+ case ACCESS_AUTH_REQUIRED:
+ default:
+ return -1; // other
+ }
 }
 
 wordlist *
diff --git a/src/auth/AclProxyAuth.cc b/src/auth/AclProxyAuth.cc
index da51da5ced..15dfa44a80 100644
--- a/src/auth/AclProxyAuth.cc
+++ b/src/auth/AclProxyAuth.cc
@@ -79,14 +79,26 @@ ACLProxyAuth::parse()
 int
 ACLProxyAuth::match(ACLChecklist *checklist)
 {
- int ti;
-
- if ((ti = AuthenticateAcl(checklist)) != 1)
- return ti;
-
- ti = matchProxyAuth(checklist);
-
- return ti;
+ allow_t answer = AuthenticateAcl(checklist);
+ checklist->currentAnswer(answer);
+
+ // convert to tri-state ACL match 1,0,-1
+ switch(answer)
+ {
+ case ACCESS_ALLOWED:
+ case ACCESS_AUTH_EXPIRED_OK:
+ // check for a match
+ return matchProxyAuth(checklist);
+
+ case ACCESS_DENIED:
+ case ACCESS_AUTH_EXPIRED_BAD:
+ return 0; // non-match
+
+ case ACCESS_DUNNO:
+ case ACCESS_AUTH_REQUIRED:
+ default:
+ return -1; // other
+ }
 }
 
 wordlist *
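Review bot: `checklist->currentAnswer(answer)` stores the authentication verdict before the per-user IP limit is evaluated, so on the ACCESS_ALLOWED / ACCESS_AUTH_EXPIRED_OK path the checklist's recorded answer says allowed even when `match(checklist->auth_user_request, checklist->src_addr)` then returns 0 (non-match). Whether that matters depends on who reads currentAnswer() after this function returns, which is outside this hunk, so please confirm; if any consumer does, recording the answer only in the non-allowed arms (or after the count check) keeps the stored answer and the tri-state return consistent. ACLProxyAuth::match in the next hunk has the same ordering. Also note that `checklist->auth_user_request = NULL;` is still only cleared on the allowed path, as before the change.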
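Review bot: The allow_t-to-tri-state switch here is a verbatim copy of the one in ACLMaxUserIP::match; a single helper next to AuthenticateAcl in auth/Acl.cc (taking the allow_t and returning 1/0/-1, with each ACL then applying its own check on 1) would keep the mapping in one place, which matters because the XXX in AuthenticateAcl says the DUNNO/EXPIRED split is still to be refined and both copies would have to change together. The `default:` arm returning -1 also deserves a comment: the only -1 producers AuthenticateAcl shows on this page are arms that first call changeState() on the checklist, and an unexpected allow_t reaching `default:` here returns -1 without that, so if -1 means "waiting for an async state" the checklist may be left with nothing to resume it — I cannot see the ACLChecklist side from here, so worth confirming or turning the default into a hard failure.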