Support extended authentication states to ACL results
authorAmos Jeffries <squid3@treenet.co.nz>
Sat, 13 Aug 2011 15:53:38 +0000 (09:53 -0600)
committerAmos Jeffries <squid3@treenet.co.nz>
Sat, 13 Aug 2011 15:53:38 +0000 (09:53 -0600)
Support sub-states of authentication to be sent as results from ACLs.
This allows future work to resolve issues around cases such as expired
but known credentials being used in fast category access controls.

The new authentication states are:
  ACCESS_AUTH_OK
    - equivalent to ACCESS_ALLOWED

  ACCESS_AUTH_REQUIRED
    - Missing Credentials. Used to be ACCESS_REQ_PROXY_AUTH

  ACCESS_AUTH_EXPIRED_OK
    - Expired now. Were Okay.

  ACCESS_AUTH_EXPIRED_BAD
    - Expired now. Were Failed.

Also converts cases of ACCESS_REQ_PROXY_AUTH to the new name.

As yet, no attempt is made to alter the auth or access control logic to use
the new states.

src/acl/Acl.h
src/adaptation/AccessCheck.cc
src/auth/AclProxyAuth.cc
src/client_side_request.cc

index 9f10b32f6c20e04a22e026d49de8d700c4aad91e..e6a8e4dfc19185849745da8e6e88ded623a52a9d 100644 (file)
@@ -105,10 +105,16 @@ public:
 
 /// \ingroup ACLAPI
 typedef enum {
+    // Authorization ACL result states
     ACCESS_DENIED,
     ACCESS_ALLOWED,
     ACCESS_DUNNO,
-    ACCESS_REQ_PROXY_AUTH
+
+    // Authentication ACL result states
+    ACCESS_AUTH_OK = ACCESS_ALLOWED,
+    ACCESS_AUTH_REQUIRED,    // Missing Credentials
+    ACCESS_AUTH_EXPIRED_OK,  // Expired now. Were Okay.
+    ACCESS_AUTH_EXPIRED_BAD  // Expired now. Were Failed.
 } allow_t;
 
 /// \ingroup ACLAPI
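Review bot: `ACCESS_AUTH_REQUIRED` ends up with the same value as `ACCESS_DUNNO`, because an enumerator without an initializer takes the previous one plus one, and the previous one is `ACCESS_AUTH_OK = ACCESS_ALLOWED` (1), so both are 2. Every `answer == ACCESS_AUTH_REQUIRED` test then also matches an undecided result, for example `require_auth` in the clientAccessCheckDone hunk of src/client_side_request.cc, and any check for `ACCESS_DUNNO` also matches a missing-credentials result. Give the first new state an explicit value, `ACCESS_AUTH_REQUIRED = ACCESS_DUNNO + 1,`, or move the `ACCESS_AUTH_OK` alias to the end of the list. A comment on the typedef stating that only `ACCESS_ALLOWED`/`ACCESS_AUTH_OK` grants access would also help callers treat the two expired states consistently as not allowed.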
index 088914204fff7a2da374a76f89dbdffa8ba05046..b9ae542dd01cdd7286a5158c2afd248fc75ed16c 100644 (file)
@@ -144,7 +144,7 @@ Adaptation::AccessCheck::AccessCheckCallbackWrapper(allow_t answer, void *data)
     debugs(93, 8, HERE << "callback answer=" << answer);
     AccessCheck *ac = (AccessCheck*)data;
 
-    /** \todo AYJ 2008-06-12: If answer == ACCESS_REQ_PROXY_AUTH
+    /** \todo AYJ 2008-06-12: If answer == ACCESS_AUTH_REQUIRED
      * we should be kicking off an authentication before continuing
      * with this request. see bug 2400 for details.
      */
index f5dc92f559ba50f0f8b444e08d440b73b00a502d..da51da5ced30a782d31151dd1ae4652242d72ced 100644 (file)
@@ -181,7 +181,7 @@ ProxyAuthNeeded::checkForAsync(ACLChecklist *checklist) const
      * The request is denied.
      */
     debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
-    checklist->currentAnswer(ACCESS_REQ_PROXY_AUTH);
+    checklist->currentAnswer(ACCESS_AUTH_REQUIRED);
     checklist->changeState (ACLChecklist::NullState::Instance());
     checklist->markFinished();
 }
index 49615cfef9f797bf9be61a21359fed8e016ca658..54ac896354d947010cde68b3b00d576bc1afaad0 100644 (file)
@@ -728,7 +728,7 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer)
 
     if (answer != ACCESS_ALLOWED) {
         /* Send an error */
-        int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName));
+        int require_auth = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName));
         debugs(85, 5, "Access Denied: " << http->uri);
         debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : "<null>"));
 #if USE_AUTH
@@ -742,7 +742,7 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer)
          * the clientCreateStoreEntry() call just below.  Pedro Ribeiro
          * <pribeiro@isel.pt>
          */
-        page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
+        page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_AUTH_REQUIRED);
 
         http->logType = LOG_TCP_DENIED;