From: Amos Jeffries
Date: Sat, 13 Feb 2010 05:11:24 +0000 (+1300)
Subject: Correct use of authentication by external_acl_type
X-Git-Tag: SQUID_3_2_0_1~167^2~34
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3265364bb35f34a05e582343336654a404b59cfb;p=thirdparty%2Fsquid.git

Correct use of authentication by external_acl_type

The require_auth flag may NOT be altered by running code. Especially not updated on any individual request status.
---
diff --git a/src/auth/basic/auth_basic.cc b/src/auth/basic/auth_basic.cc
index df89259903..706ef1737a 100644
--- a/src/auth/basic/auth_basic.cc
+++ b/src/auth/basic/auth_basic.cc
@@ -370,7 +370,10 @@ BasicUser::decode(char const *proxy_auth, AuthUserRequest::Pointer auth_user_req
         extractUsername();
         extractPassword();
     }
-    currentRequest = NULL;
+    currentRequest = NULL; // AYJ: why ?? we have only just filled it with data!
+    // so that we dont have circular UserRequest->User->UseRequest loops persisting outside the auth decode sequence????
+
+    // okay we dont need the original buffer string any more.
     httpAuthHeader = NULL;
 }
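Review bot: The comment added on `currentRequest = NULL;` commits an open question ("why ??", "????") to the source rather than the invariant, so the next reader inherits the doubt instead of the reason. If the reset is there to break the UserRequest->User->UserRequest cycle the comment itself suggests, say so as the contract, e.g. `// clear the back-reference now that decoding is done: keeping it would form a UserRequest->User->UserRequest cycle that outlives decode()`; if that reason has not been confirmed, make it a tracked `// TODO:` so it is not mistaken for a decision. The body of BasicUser::decode starts before this hunk.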
@@ -475,26 +478,23 @@ AuthBasicConfig::decode(char const *proxy_auth)
         return auth_user_request;
     }
-    /* now lookup and see if we have a matching auth_user structure in
-     * memory. */
-
-    AuthUser *auth_user;
+    /* now lookup and see if we have a matching auth_user structure in memory. */
+    AuthUser *auth_user = NULL;
     if ((auth_user = authBasicAuthUserFindUsername(local_basic.username())) == NULL) {
+        /* TODO: optimize. make "local_basic" the object we will store. dont allocate, duplicate, discard. */
         auth_user = local_basic.makeCachedFrom();
         basic_auth = dynamic_cast(auth_user);
         assert (basic_auth);
     } else {
         basic_auth = dynamic_cast(auth_user);
-        assert (basic_auth);
-        basic_auth->updateCached (&local_basic);
+        assert(basic_auth);
+        basic_auth->updateCached(&local_basic);
     }
     /* link the request to the in-cache user */
     auth_user_request->user(basic_auth);
-    basic_auth->addRequest(auth_user_request);
-
     return auth_user_request;
 }
diff --git a/src/external_acl.cc b/src/external_acl.cc
index 3d1b515e8f..b6e94b3801 100644
--- a/src/external_acl.cc
+++ b/src/external_acl.cc
@@ -121,6 +121,12 @@ public:
     dlink_list queue;
+    /**
+     * Configuration flag. May only be altered by the configuration parser.
+     *
+     * Indicates that all uses of this external_acl_type helper require authentication
+     * details to be processed. If none are available its a fail match.
+     */
     bool require_auth;
     enum {
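Review bot: The removed `basic_auth->addRequest(auth_user_request);` changes how a cached Basic user is tied to its requests, yet neither the commit message (which is about require_auth) nor a comment in the hunk says why the user-side link is no longer needed; a one-line rationale next to `auth_user_request->user(basic_auth);`, such as `/* one-way link: the request holds the user; the user keeps no list of its requests */`, would stop the next maintainer from re-adding it. Separately, the `assert(basic_auth);` kept after the cached-user `dynamic_cast` aborts the whole process if the username lookup ever returns a non-Basic AuthUser, and the username comes from the client-supplied credentials being decoded; if authBasicAuthUserFindUsername can only return Basic users, a comment stating that justifies the assert, otherwise a logged failure return is the safer outcome. AuthBasicConfig::decode starts before this hunk.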
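Review bot: The new doc comment on `require_auth` states an invariant ("May only be altered by the configuration parser") that the type does not enforce, which is how the stray `acl->def->require_auth = NULL;` this commit removes from aclMatchExternal got in unnoticed; consider moving the field out of the public section behind a parser-only setter, or having the match and lookup paths reach the definition through a pointer-to-const, so that a later write fails to compile instead of silently disabling authentication. Also `its a fail match` should read `it's a fail match` (or `the match fails`). The enclosing class declaration starts before this hunk.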
@@ -741,17 +747,17 @@ aclMatchExternal(external_acl_data *acl, ACLFilledChecklist *ch)
     if (acl->def->require_auth) {
         int ti;
         /* Make sure the user is authenticated */
+        debugs(82, 3, "aclMatchExternal: " << acl->def->name << " check user authenticated.");
         if ((ti = AuthenticateAcl(ch)) != 1) {
             debugs(82, 2, "aclMatchExternal: " << acl->def->name << " user not authenticated (" << ti << ")");
             return ti;
         }
+        debugs(82, 3, "aclMatchExternal: " << acl->def->name << " user is authenticated.");
     }
     key = makeExternalAclKey(ch, acl);
-    acl->def->require_auth = NULL;
-
     if (!key) {
         /* Not sufficient data to process */
         return -1;
@@ -1278,6 +1284,7 @@ ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me, EAH *
     if (acl->def->require_auth) {
         int ti;
         /* Make sure the user is authenticated */
+        debugs(82, 3, "aclMatchExternal: " << acl->def->name << " check user authenticated.");
         if ((ti = AuthenticateAcl(ch)) != 1) {
             debugs(82, 1, "externalAclLookup: " << acl->def->name <<
@@ -1285,6 +1292,7 @@ ACLExternal::ExternalAclLookup(ACLChecklist *checklist, ACLExternal * me, EAH *
             callback(callback_data, NULL);
             return;
         }
+        debugs(82, 3, "aclMatchExternal: " << acl->def->name << " user is authenticated.");
     }
     const char *key = makeExternalAclKey(ch, acl);
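Review bot: Both debugs lines added inside ACLExternal::ExternalAclLookup (the hunk at -1278 and the one at -1285) carry the prefix `"aclMatchExternal: "`, copied from the aclMatchExternal hunk above, while the existing failure message right below the first of them uses `"externalAclLookup: "`; anyone tracing an authentication decision in cache.log will attribute these lines to the wrong function. Change them to `debugs(82, 3, "externalAclLookup: " << acl->def->name << " check user authenticated.");` and `debugs(82, 3, "externalAclLookup: " << acl->def->name << " user is authenticated.");`. With these additions the authentication gate is now the same block of code in both functions, which is a candidate for one small shared helper. ExternalAclLookup starts before these hunks and continues past them.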