From dd332b92ede1a82099319c8cc2ff473a2c087001 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Mon, 7 May 2012 19:21:10 -0600 Subject: [PATCH] Drop ACCESS_AUTH_EXPIRED_* extended auth states Alternative approaches being discussed by squid-dev still, but agreed that this was the wrong approach to implementation rollout. --- src/acl/Acl.h | 8 -------- src/auth/AclMaxUserIp.cc | 2 -- src/auth/AclProxyAuth.cc | 2 -- src/client_side_request.cc | 6 +++--- src/external_acl.cc | 2 -- src/peer_select.cc | 4 ---- 6 files changed, 3 insertions(+), 21 deletions(-) diff --git a/src/acl/Acl.h b/src/acl/Acl.h index 66b1424570..6eff7c1b68 100644 --- a/src/acl/Acl.h +++ b/src/acl/Acl.h @@ -116,8 +116,6 @@ typedef enum { // Authentication ACL result states ACCESS_AUTH_REQUIRED, // Missing Credentials - ACCESS_AUTH_EXPIRED_OK, // Expired now. Were Okay. - ACCESS_AUTH_EXPIRED_BAD // Expired now. Were Failed. } allow_t; inline std::ostream & @@ -136,12 +134,6 @@ operator <<(std::ostream &o, const allow_t a) case ACCESS_AUTH_REQUIRED: o << "AUTH_REQUIRED"; break; - case ACCESS_AUTH_EXPIRED_OK: - o << "AUTH_EXPIRED_OK"; - break; - case ACCESS_AUTH_EXPIRED_BAD: - o << "AUTH_EXPIRED_BAD"; - break; } return o; } diff --git a/src/auth/AclMaxUserIp.cc b/src/auth/AclMaxUserIp.cc index 1aa9155357..8c07bf7723 100644 --- a/src/auth/AclMaxUserIp.cc +++ b/src/auth/AclMaxUserIp.cc @@ -157,14 +157,12 @@ ACLMaxUserIP::match(ACLChecklist *cl) // convert to tri-state ACL match 1,0,-1 switch (answer) { case ACCESS_ALLOWED: - case ACCESS_AUTH_EXPIRED_OK: // check for a match ti = match(checklist->auth_user_request, checklist->src_addr); checklist->auth_user_request = NULL; return ti; case ACCESS_DENIED: - case ACCESS_AUTH_EXPIRED_BAD: return 0; // non-match case ACCESS_DUNNO: diff --git a/src/auth/AclProxyAuth.cc b/src/auth/AclProxyAuth.cc index 085e6c4e9c..f1c2ad5682 100644 --- a/src/auth/AclProxyAuth.cc +++ b/src/auth/AclProxyAuth.cc 
@@ -85,12 +85,10 @@ ACLProxyAuth::match(ACLChecklist *checklist) // convert to tri-state ACL match 1,0,-1 switch (answer) { case ACCESS_ALLOWED: - case ACCESS_AUTH_EXPIRED_OK: // check for a match return matchProxyAuth(checklist); case ACCESS_DENIED: - case ACCESS_AUTH_EXPIRED_BAD: return 0; // non-match case ACCESS_DUNNO: diff --git a/src/client_side_request.cc b/src/client_side_request.cc index 422a412498..4fcca31076 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -760,12 +760,12 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer) proxy_auth_msg = http->request->auth_user_request->denyMessage(""); #endif - if (answer != ACCESS_ALLOWED && answer != ACCESS_AUTH_EXPIRED_OK) { + if (answer != ACCESS_ALLOWED) { // auth has a grace period where credentials can be expired but okay not to challenge. /* Send an auth challenge or error */ // XXX: do we still need aclIsProxyAuth() ? - bool auth_challenge = (answer == ACCESS_AUTH_REQUIRED || answer == ACCESS_AUTH_EXPIRED_BAD || aclIsProxyAuth(AclMatchedName)); + bool auth_challenge = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName)); debugs(85, 5, "Access Denied: " << http->uri); debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : "")); #if USE_AUTH @@ -830,7 +830,7 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer) return; } - /* ACCESS_ALLOWED (or auth in grace period ACCESS_AUTH_EXPIRED_OK) continues here ... */ + /* ACCESS_ALLOWED continues here ... */ safe_free(http->uri); http->uri = xstrdup(urlCanonical(http->request)); diff --git a/src/external_acl.cc b/src/external_acl.cc index a358895fb9..618b97a804 100644 --- a/src/external_acl.cc +++ b/src/external_acl.cc 
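Review bot: In the `@@ -760,12 +760,12 @@` hunk of src/client_side_request.cc, the comment that follows the new `if (answer != ACCESS_ALLOWED) {` still reads `auth has a grace period where credentials can be expired but okay not to challenge`, which stops being true once ACCESS_AUTH_EXPIRED_OK is removed. Left in place, it tells the next reader that expired credentials can pass this access check, which is the wrong thing to believe about an authentication gate. I would drop it or replace it with `// every answer other than ACCESS_ALLOWED is denied or challenged below; expired credentials get no grace period`, matching the comment the later hunk in this file already updates. clientAccessCheckDone() starts and ends outside the hunk, so any other reference to the grace period in its body is not visible here.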
@@ -866,11 +866,9 @@ ACLExternal::match(ACLChecklist *checklist) // convert to tri-state ACL match 1,0,-1 switch (answer) { case ACCESS_ALLOWED: - case ACCESS_AUTH_EXPIRED_OK: return 1; // match case ACCESS_DENIED: - case ACCESS_AUTH_EXPIRED_BAD: return 0; // non-match case ACCESS_DUNNO: diff --git a/src/peer_select.cc b/src/peer_select.cc index eae94e1c3b..e33d9fde1b 100644 --- a/src/peer_select.cc +++ b/src/peer_select.cc @@ -188,8 +188,6 @@ peerCheckNeverDirectDone(allow_t answer, void *data) case ACCESS_DUNNO: // not relevant. break; case ACCESS_AUTH_REQUIRED: - case ACCESS_AUTH_EXPIRED_OK: - case ACCESS_AUTH_EXPIRED_BAD: debugs(44, DBG_IMPORTANT, "WARNING: never_direct resulted in " << answer << ". Username ACLs are not reliable here."); break; } @@ -213,8 +211,6 @@ peerCheckAlwaysDirectDone(allow_t answer, void *data) case ACCESS_DUNNO: // not relevant. break; case ACCESS_AUTH_REQUIRED: - case ACCESS_AUTH_EXPIRED_OK: - case ACCESS_AUTH_EXPIRED_BAD: debugs(44, DBG_IMPORTANT, "WARNING: always_direct resulted in " << answer << ". Username ACLs are not reliable here."); break; } -- 2.47.2