/*
- * $Id: acl.cc,v 1.276 2002/06/14 16:27:13 hno Exp $
+ * $Id: acl.cc,v 1.277 2002/06/16 17:46:25 hno Exp $
*
* DEBUG: section 28 Access Control
* AUTHOR: Duane Wessels
(*acldata)->max = atoi(t);
debug(28, 5) ("aclParseUserMaxIP: Max IP address's %d\n", (int) (*acldata)->max);
return;
-error:
+ error:
fatal("aclParseUserMaxIP: Malformed ACL %d\n");
}
}
#endif
+int
+aclAuthenticated(aclCheck_t * checklist)
+{
+ request_t *r = checklist->request;
+ http_hdr_type headertype;
+ if (NULL == r) {
+ return -1;
+ } else if (!r->flags.accelerated) {
+ /* Proxy authorization on proxy requests */
+ headertype = HDR_PROXY_AUTHORIZATION;
+ } else if (r->flags.internal) {
+ /* WWW authorization on accelerated internal requests */
+ headertype = HDR_AUTHORIZATION;
+ } else {
+#if AUTH_ON_ACCELERATION
+ /* WWW authorization on accelerated requests */
+ headertype = HDR_AUTHORIZATION;
+#else
+ debug(28, 1) ("aclAuthenticated: authentication not applicable on accelerated requests.\n");
+ return -1;
+#endif
+ }
+ /* get authed here */
+ /* Note: this fills in checklist->auth_user_request when applicable */
+ switch (authenticateAuthenticate(&checklist->auth_user_request, headertype, checklist->request, checklist->conn, checklist->src_addr)) {
+ case AUTH_ACL_CANNOT_AUTHENTICATE:
+ debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n");
+ return 0;
+ case AUTH_AUTHENTICATED:
+ return 1;
+ break;
+ case AUTH_ACL_HELPER:
+ debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n");
+ checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED;
+ return 0;
+ case AUTH_ACL_CHALLENGE:
+ debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n");
+ checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED;
+ return 0;
+ default:
+ fatal("unexpected authenticateAuthenticate reply\n");
+ return -1;
+ }
+}
+
static int
aclMatchAcl(acl * ae, aclCheck_t * checklist)
{
const char *header;
const char *browser;
int k, ti;
- http_hdr_type headertype;
if (!ae)
return 0;
switch (ae->type) {
/* NOTREACHED */
case ACL_PROXY_AUTH:
case ACL_PROXY_AUTH_REGEX:
+ if ((ti = aclAuthenticated(checklist)) != 0)
+ return ti;
+ ti = aclMatchProxyAuth(ae->data, checklist->auth_user_request,
+ checklist, ae->type);
+ checklist->auth_user_request = NULL;
+ return ti;
+ /* NOTREACHED */
case ACL_MAX_USER_IP:
- /* ALL authentication predicated ACL's live here */
- if (NULL == r) {
- return -1;
- } else if (!r->flags.accelerated) {
- /* Proxy authorization on proxy requests */
- headertype = HDR_PROXY_AUTHORIZATION;
- } else if (r->flags.internal) {
- /* WWW authorization on accelerated internal requests */
- headertype = HDR_AUTHORIZATION;
- } else {
-#if AUTH_ON_ACCELERATION
- /* WWW authorization on accelerated requests */
- headertype = HDR_AUTHORIZATION;
-#else
- debug(28, 1) ("aclMatchAcl: proxy_auth %s not applicable on accelerated requests.\n", ae->name);
- return -1;
-#endif
- }
- /* get authed here */
- if ((ti = authenticateAuthenticate(&checklist->auth_user_request, headertype, checklist->request, checklist->conn, checklist->src_addr)) != AUTH_AUTHENTICATED) {
- switch (ti) {
- case 0:
- /* Authenticated but not Authorised for this ACL */
- debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n");
- return 0;
- case 1:
- fatal("AUTH_AUTHENTICATED == 1\n");
- break;
- case -1:
- /* Send data to the helper */
- debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n");
- checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED;
- return 0;
- case -2:
- /* Send a challenge to the client */
- debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n");
- checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED;
- return 0;
- }
- }
- /* then, switch on type again to do the correct match routine :> */
- switch (ae->type) {
- case ACL_PROXY_AUTH:
- case ACL_PROXY_AUTH_REGEX:
- ti = aclMatchProxyAuth(ae->data, headertype,
- checklist->auth_user_request, checklist, ae->type);
- break;
- case ACL_MAX_USER_IP:
- ti = aclMatchUserMaxIP(ae->data, checklist->auth_user_request,
- checklist->src_addr);
- break;
- default:
- /* Keep GCC happy */
- break;
- }
+ if ((ti = aclAuthenticated(checklist)) != 0)
+ return ti;
+ ti = aclMatchUserMaxIP(ae->data, checklist->auth_user_request,
+ checklist->src_addr);
checklist->auth_user_request = NULL;
- /* Check the credentials */
- switch (ti) {
- case 0:
- debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n");
- /* Authenticated but not Authorised for this ACL */
- return 0;
- case 1:
- debug(28, 4) ("aclMatchAcl: returning 1 user authenticated and authorised.\n");
- /* Authenticated and Authorised for this ACL */
- return 1;
- case -2:
- case -1:
- fatal("Invalid response from match routine\n");
- break;
- }
+ return ti;
/* NOTREACHED */
#if SQUID_SNMP
case ACL_SNMP_COMMUNITY:
return aclMatchWordList(ae->data, checklist->snmp_community);
+ /* NOTREACHED */
#endif
case ACL_SRC_ASN:
return asnMatchIp(ae->data, checklist->src_addr);
+ /* NOTREACHED */
case ACL_DST_ASN:
ia = ipcache_gethostbyname(r->host, IP_LOOKUP_IF_MISS);
if (ia) {
return asnMatchIp(ae->data, no_addr);
}
return 0;
+ /* NOTREACHED */
#if USE_ARP_ACL
case ACL_SRC_ARP:
return aclMatchArp(&ae->data, checklist->src_addr);
+ /* NOTREACHED */
#endif
case ACL_REQ_MIME_TYPE:
header = httpHeaderGetStr(&checklist->request->header,
projects / thirdparty / squid.git / commitdiff
