Correct use of authentication by external_acl_type

The require_auth flag may NOT be altered by running code.
Especially not updated on any individual request status.

diff --git a/src/auth/basic/auth_basic.cc b/src/auth/basic/auth_basic.cc
index df892599034d36a2a3269baf6db337be9198a440..706ef1737a398ce3524f21656fe7b891aecf0ebc 100644 (file)
--- a/src/auth/basic/auth_basic.cc
+++ b/src/auth/basic/auth_basic.cc
@@ -370,7 +370,10 @@ BasicUser::decode(char const *proxy_auth, AuthUserRequest::Pointer auth_user_req
         extractUsername();
         extractPassword();
     }
-    currentRequest = NULL;
+    currentRequest = NULL; // AYJ: why ?? we have only just filled it with data!
+    // so that we dont have circular UserRequest->User->UseRequest loops persisting outside the auth decode sequence????
+
+    // okay we dont need the original buffer string any more.
     httpAuthHeader = NULL;
 }
 
@@ -475,26 +478,23 @@ AuthBasicConfig::decode(char const *proxy_auth)
         return auth_user_request;
     }
 
-    /* now lookup and see if we have a matching auth_user structure in
-     * memory. */
-
-    AuthUser *auth_user;
+    /* now lookup and see if we have a matching auth_user structure in memory. */
+    AuthUser *auth_user = NULL;
 
     if ((auth_user = authBasicAuthUserFindUsername(local_basic.username())) == NULL) {
+        /* TODO: optimize. make "local_basic" the object we will store. dont allocate, duplicate, discard. */
         auth_user = local_basic.makeCachedFrom();
         basic_auth = dynamic_cast<BasicUser *>(auth_user);
         assert (basic_auth);
     } else {
         basic_auth = dynamic_cast<BasicUser *>(auth_user);
-        assert (basic_auth);
-        basic_auth->updateCached (&local_basic);
+        assert(basic_auth);
+        basic_auth->updateCached(&local_basic);
     }
 
     /* link the request to the in-cache user */
     auth_user_request->user(basic_auth);
-
     basic_auth->addRequest(auth_user_request);
-
     return auth_user_request;
 }
 

diff --git a/src/external_acl.cc b/src/external_acl.cc
index 3d1b515e8f084cfa78c1ceded7e70ea464f506ba..b6e94b3801ad92c1e63df31659c369deedb39386 100644 (file)
--- a/src/external_acl.cc
+++ b/src/external_acl.cc
@@ -121,6 +121,12 @@ public:
 
     dlink_list queue;
 
+    /**
+     * Configuration flag. May only be altered by the configuration parser.
+     *
+     * Indicates that all uses of this external_acl_type helper require authentication
+     * details to be processed. If none are available its a fail match.
+     */
     bool require_auth;
 
     enum {
@@ -741,17 +747,17 @@ aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch)
         if (acl->def->require_auth) {
             int ti;
             /* Make sure the user is authenticated */
+            debugs(82, 3, "aclMatchExternal: " << acl->def->name << " check user authenticated.");
 
             if ((ti = AuthenticateAcl(ch)) != 1) {
                 debugs(82, 2, "aclMatchExternal: " << acl->def->name << " user not authenticated (" << ti << ")");
                 return ti;
             }
+            debugs(82, 3, "aclMatchExternal: " << acl->def->name << " user is authenticated.");
         }
 
         key = makeExternalAclKey(ch, acl);
 
-        acl->def->require_auth = NULL;
-
         if (!key) {
             /* Not sufficient data to process */
             return -1;
@@ -1278,6 +1284,7 @@ ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me, EAH *
     if (acl->def->require_auth) {
         int ti;
         /* Make sure the user is authenticated */
+        debugs(82, 3, "aclMatchExternal: " << acl->def->name << " check user authenticated.");
 
         if ((ti = AuthenticateAcl(ch)) != 1) {
             debugs(82, 1, "externalAclLookup: " << acl->def->name <<
@@ -1285,6 +1292,7 @@ ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me, EAH *
             callback(callback_data, NULL);
             return;
         }
+        debugs(82, 3, "aclMatchExternal: " << acl->def->name << " user is authenticated.");
     }
 
     const char *key = makeExternalAclKey(ch, acl);