From: Amos Jeffries
Date: Mon, 19 Dec 2016 10:27:54 +0000 (+1300)
Subject: Shuffle auth_schemes config objects into Auth::Config
X-Git-Tag: M-staged-PR71~333^2~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d6e94bda4fd4a326a84d4f100d141489a8f7d9b6;p=thirdparty%2Fsquid.git
Shuffle auth_schemes config objects into Auth::Config
Also, move the directive definition down into "Access Controls" section of squid.conf to avoid dependency issues with acl directive definitions being done too late.
---
diff --git a/src/SquidConfig.h b/src/SquidConfig.h
index 5ff7e0795d..416c386c48 100644
--- a/src/SquidConfig.h
+++ b/src/SquidConfig.h
@@ -397,9 +397,6 @@ public:
 acl_access *forceRequestBodyContinuation;
 acl_access *serverPconnForNonretriable;
-#if USE_AUTH
- acl_access *authSchemes;
-#endif
 } accessList;
 AclDenyInfoList *denyInfoList;
diff --git a/src/auth/Config.cc b/src/auth/Config.cc
index bdc30fc507..2760f08d65 100644
--- a/src/auth/Config.cc
+++ b/src/auth/Config.cc
@@ -9,6 +9,7 @@
 /* DEBUG: section 29 Authenticator */
 #include "squid.h"
+#include "acl/Tree.h"
 #include "auth/Config.h"
 Auth::Config Auth::TheConfig;
diff --git a/src/auth/Config.h b/src/auth/Config.h
index 23c074727f..665e5bd2b3 100644
--- a/src/auth/Config.h
+++ b/src/auth/Config.h
@@ -11,6 +11,7 @@
 #if USE_AUTH
+#include "acl/forward.h"
 #include "auth/SchemeConfig.h"
 #include "auth/SchemesConfig.h"
@@ -24,7 +25,10 @@ public:
 Auth::ConfigVector schemes;
 /// set of auth_schemes directives
- Auth::SchemesConfig *schemeLists = nullptr;
+ std::vector schemeLists;
+
+ /// the ACL list for auth_schemes directives
+ acl_access *schemeAccess = nullptr;
 };
 extern Auth::Config TheConfig;
diff --git a/src/auth/SchemesConfig.cc b/src/auth/SchemesConfig.cc
index d217821583..ccd725331a 100644
--- a/src/auth/SchemesConfig.cc
+++ b/src/auth/SchemesConfig.cc
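Review bot: `acl_access *schemeAccess = nullptr;` introduces an owning raw pointer with nothing at its declaration saying who releases it; from this diff it is filled by the config parser (`LOC: Auth::TheConfig.schemeAccess` in cf.data.pre) and released in `free_AuthSchemes()` in cache_cf.cc, which also clears `schemeLists`. The two members are coupled, because each rule's `allow_t::kind` is used as an index into `schemeLists`, so one must never be reset without the other. Suggest stating both at the declarations, e.g. `/// the ACL list for auth_schemes directives; released by free_AuthSchemes() together with schemeLists` and, on `schemeLists`, `/// one entry per auth_schemes directive, indexed by the allow_t::kind of the matching schemeAccess rule`. The Auth::Config class definition begins above the hunk.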
@@ -11,11 +11,6 @@
 #include "fatal.h"
 #include "parser/Tokenizer.h"
-namespace Auth
-{
-std::vector SchemeListConfig;
-}
-
 static void
 addUnique(const SBuf &scheme, std::vector &vec)
 {
diff --git a/src/auth/SchemesConfig.h b/src/auth/SchemesConfig.h
index fb04bc5b3b..0ec456bcc2 100644
--- a/src/auth/SchemesConfig.h
+++ b/src/auth/SchemesConfig.h
@@ -17,7 +17,6 @@ namespace Auth
 {
 /**
- * \ingroup AuthAPI
 * Stores authentication schemes list, configured by auth_schemes
 * directive.
 */
@@ -31,7 +30,7 @@ public:
 public:
 /// corresponding vector of Auth::Config objects
- ConfigVector authConfigs;
+ Auth::ConfigVector authConfigs;
 private:
 /// raw auth schemes list (may have duplicates)
@@ -43,8 +42,6 @@ public:
 const char *rawSchemes;
 };
-extern std::vector SchemeListConfig;
-
 } // namespace Auth
 #endif /* USE_AUTH */
diff --git a/src/auth/UserRequest.cc b/src/auth/UserRequest.cc
index cd988df894..c899349913 100644
--- a/src/auth/UserRequest.cc
+++ b/src/auth/UserRequest.cc
@@ -463,13 +463,13 @@ Auth::UserRequest::tryToAuthenticateAndSetAuthUser(Auth::UserRequest::Pointer *
 static Auth::ConfigVector &
 schemesConfig(HttpRequest *request, HttpReply *rep)
 {
- if (!Auth::SchemeListConfig.empty()) {
+ if (!Auth::TheConfig.schemeLists.empty() && Auth::TheConfig.schemeAccess) {
 ACLFilledChecklist ch(NULL, request, NULL);
 ch.reply = rep;
 HTTPMSGLOCK(ch.reply);
- const allow_t answer = ch.fastCheck(::Config.accessList.authSchemes);
+ const allow_t answer = ch.fastCheck(Auth::TheConfig.schemeAccess);
 if (answer == ACCESS_ALLOWED)
- return Auth::SchemeListConfig.at(answer.kind).authConfigs;
+ return Auth::TheConfig.schemeLists.at(answer.kind).authConfigs;
 }
 return Auth::TheConfig.schemes;
 }
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index 75236de293..d3f508eb6b 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
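Review bot: `Auth::TheConfig.schemeLists.at(answer.kind).authConfigs` throws `std::out_of_range` out of request processing if `answer.kind` and `schemeLists` ever disagree, and nothing at this call site says why they cannot: the only guarantee is that parse_AuthSchemes in cache_cf.cc assigns each rule's kind from `schemeLists.size() - 1` as the entry is appended, and free_AuthSchemes resets both together. A comment at the `.at()` call should name that contract, e.g. `// answer.kind was assigned by parse_AuthSchemes() as this rule's index into schemeLists`; the lambda in dump_AuthSchemes in cache_cf.cc relies on the same contract and deserves the same note. Whether an exception escaping schemesConfig() is caught by its callers is not visible in this hunk.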
@@ -943,7 +943,7 @@ configDoConfigure(void)
 }
 }
- for (auto &authSchemes : Auth::SchemeListConfig) {
+ for (auto &authSchemes : Auth::TheConfig.schemeLists) {
 authSchemes.expand();
 if (authSchemes.authConfigs.empty()) {
 debugs(3, DBG_CRITICAL, "auth_schemes: at least one scheme name is required; got: " << authSchemes.rawSchemes);
@@ -1841,15 +1841,15 @@ parse_AuthSchemes(acl_access **authSchemes)
 self_destruct();
 return;
 }
- Auth::SchemeListConfig.emplace_back(tok, ConfigParser::LastTokenWasQuoted());
- const allow_t action = allow_t(ACCESS_ALLOWED, Auth::SchemeListConfig.size() - 1);
+ Auth::TheConfig.schemeLists.emplace_back(tok, ConfigParser::LastTokenWasQuoted());
+ const allow_t action = allow_t(ACCESS_ALLOWED, Auth::TheConfig.schemeLists.size() - 1);
 ParseAclWithAction(authSchemes, action, "auth_schemes");
 }
 static void
 free_AuthSchemes(acl_access **authSchemes)
 {
- Auth::SchemeListConfig.clear();
+ Auth::TheConfig.schemeLists.clear();
 free_acl_access(authSchemes);
 }
@@ -1858,7 +1858,7 @@ dump_AuthSchemes(StoreEntry *entry, const char *name, acl_access *authSchemes)
 {
 if (authSchemes)
 dump_SBufList(entry, authSchemes->treeDump(name, [](const allow_t &action) {
- return Auth::SchemeListConfig.at(action.kind).rawSchemes;
+ return Auth::TheConfig.schemeLists.at(action.kind).rawSchemes;
 }));
 }
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 62a2e4c408..525a2e9ff3 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
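Review bot: In parse_AuthSchemes the entry is appended to `Auth::TheConfig.schemeLists` before `ParseAclWithAction(authSchemes, action, "auth_schemes")` has parsed the ACL, so an ACL parse failure that returns instead of aborting configuration would leave an entry that no rule's kind refers to; whether ParseAclWithAction can return on failure is not visible in this hunk. If it can, parse the ACL first and append only on success, or pop the entry on the failure path. The `Auth::TheConfig.schemeLists.size() - 1` passed as the kind is a `size_t`; if allow_t's kind member is a narrower or signed type, an explicit `static_cast` there would make the intended conversion visible. parse_AuthSchemes begins above the hunk.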
@@ -771,51 +771,6 @@ DOC_START
 environment with relatively static address assignments.
 DOC_END
-NAME: auth_schemes
-TYPE: AuthSchemes
-IFDEF: USE_AUTH
-LOC: Config.accessList.authSchemes
-DEFAULT: none
-DEFAULT_DOC: use all auth_param schemes in their configuration order
-DOC_START
- Use this directive to customize authentication schemes presence and
- order in Squid's Unauthorized and Authentication Required responses.
-
- auth_schemes scheme1,scheme2,... [!]aclname ...
-
- where schemeN is the name of one of the authentication schemes
- configured using auth_param directives. At least one scheme name is
- required. Multiple scheme names are separated by commas. Either
- avoid whitespace or quote the entire schemes list.
-
- A special "ALL" scheme name expands to all auth_param-configured
- schemes in their configuration order. This directive cannot be used
- to configure Squid to offer no authentication schemes at all.
-
- The first matching auth_schemes rule determines the schemes order
- for the current Authentication Required transaction. Note that the
- future response is not yet available during auth_schemes evaluation.
-
- If this directive is not used or none of its rules match, then Squid
- responds with all configured authentication schemes in the order of
- auth_param directives in the configuration file.
-
- This directive does not determine when authentication is used or
- how each authentication scheme authenticates clients.
-
- The following example sends basic and negotiate authentication
- schemes, in that order, when requesting authentication of HTTP
- requests matching the isIE ACL (not shown) while sending all
- auth_param schemes in their configuration order to other clients:
-
- auth_schemes basic,negotiate isIE
- auth_schemes ALL all # explicit default
-
- This directive supports fast ACLs only.
-
- See also: auth_param.
-DOC_END
 COMMENT_START
 ACCESS CONTROLS
 -----------------------------------------------------------------------------
@@ -1931,6 +1886,51 @@ DOC_START
 See also: squid_error ACL
 DOC_END
+NAME: auth_schemes
+TYPE: AuthSchemes
+IFDEF: USE_AUTH
+LOC: Auth::TheConfig.schemeAccess
+DEFAULT: none
+DEFAULT_DOC: use all auth_param schemes in their configuration order
+DOC_START
+ Use this directive to customize authentication schemes presence and
+ order in Squid's Unauthorized and Authentication Required responses.
+
+ auth_schemes scheme1,scheme2,... [!]aclname ...
+
+ where schemeN is the name of one of the authentication schemes
+ configured using auth_param directives. At least one scheme name is
+ required. Multiple scheme names are separated by commas. Either
+ avoid whitespace or quote the entire schemes list.
+
+ A special "ALL" scheme name expands to all auth_param-configured
+ schemes in their configuration order. This directive cannot be used
+ to configure Squid to offer no authentication schemes at all.
+
+ The first matching auth_schemes rule determines the schemes order
+ for the current Authentication Required transaction. Note that the
+ future response is not yet available during auth_schemes evaluation.
+
+ If this directive is not used or none of its rules match, then Squid
+ responds with all configured authentication schemes in the order of
+ auth_param directives in the configuration file.
+
+ This directive does not determine when authentication is used or
+ how each authentication scheme authenticates clients.
+
+ The following example sends basic and negotiate authentication
+ schemes, in that order, when requesting authentication of HTTP
+ requests matching the isIE ACL (not shown) while sending all
+ auth_param schemes in their configuration order to other clients:
+
+ auth_schemes basic,negotiate isIE
+ auth_schemes ALL all # explicit default
+
+ This directive supports fast ACLs only.
+
+ See also: auth_param.
+DOC_END
+
 COMMENT_START
 NETWORK OPTIONS
 -----------------------------------------------------------------------------
diff --git a/src/tests/stub_libauth.cc b/src/tests/stub_libauth.cc
index bac9f86706..db8162c8d6 100644
--- a/src/tests/stub_libauth.cc
+++ b/src/tests/stub_libauth.cc
@@ -36,6 +36,9 @@ Auth::Scheme::Pointer Auth::Scheme::Find(const char *) STUB_RETVAL(NULL)
 std::vector & Auth::Scheme::GetSchemes() STUB_RETVAL(*_Schemes);
 void Auth::Scheme::FreeAll() STUB
+#include "auth/SchemesConfig.h"
+void Auth::SchemesConfig::expand() STUB
+
 #include "auth/User.h"
 Auth::User::User(Auth::SchemeConfig *, const char *) STUB
 Auth::CredentialState Auth::User::credentials() const STUB_RETVAL(credentials_state)
@@ -77,12 +80,5 @@ Auth::Scheme::Pointer Auth::UserRequest::scheme() const STUB_RETVAL(NULL)
 #include "AuthReg.h"
 void Auth::Init() STUB_NOP
-#include "auth/SchemesConfig.h"
-namespace Auth
-{
-std::vector SchemeListConfig;
-void SchemesConfig::expand() STUB
-}
-
 #endif /* USE_AUTH */