From 7dfddb79cf546639f6b2ccdbd171b02cd03e5a2c Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Sat, 13 Aug 2011 09:53:38 -0600
Subject: [PATCH] Support extended authentication states to ACL results

Support sub-states of authentication to be sent as results from ACLs. This allows future work to resolve issues around cases such as expired but known credentials being used in fast category access controls.

The new authentication states are:
ACCESS_AUTH_OK - equivalent to ACCESS_ALLOWED
ACCESS_AUTH_REQUIRED - Missing Credentials. Used to be ACCESS_REQ_PROXY_AUTH
ACCESS_AUTH_EXPIRED_OK - Expired now. Were Okay.
ACCESS_AUTH_EXPIRED_BAD - Expired now. Were Failed.

Also converts cases of ACCESS_REQ_PROXY_AUTH to the new name. As yet no attempt is made to alter auth or access control logics to use the new states.
---
 src/acl/Acl.h | 8 +++++++-
 src/adaptation/AccessCheck.cc | 2 +-
 src/auth/AclProxyAuth.cc | 2 +-
 src/client_side_request.cc | 4 ++--
 4 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/src/acl/Acl.h b/src/acl/Acl.h
index 9f10b32f6c..e6a8e4dfc1 100644
--- a/src/acl/Acl.h
+++ b/src/acl/Acl.h
@@ -105,10 +105,16 @@ public:
 /// \ingroup ACLAPI
 typedef enum {
+ // Authorization ACL result states
 ACCESS_DENIED,
 ACCESS_ALLOWED,
 ACCESS_DUNNO,
- ACCESS_REQ_PROXY_AUTH
+
+ // Authentication ACL result states
+ ACCESS_AUTH_OK = ACCESS_ALLOWED,
+ ACCESS_AUTH_REQUIRED, // Missing Credentials
+ ACCESS_AUTH_EXPIRED_OK, // Expired now. Were Okay.
+ ACCESS_AUTH_EXPIRED_BAD // Expired now. Were Failed.
 } allow_t;
 /// \ingroup ACLAPI
diff --git a/src/adaptation/AccessCheck.cc b/src/adaptation/AccessCheck.cc
index 088914204f..b9ae542dd0 100644
--- a/src/adaptation/AccessCheck.cc
+++ b/src/adaptation/AccessCheck.cc
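Review bot: In the src/acl/Acl.h hunk, `ACCESS_AUTH_REQUIRED` has no initializer and follows `ACCESS_AUTH_OK = ACCESS_ALLOWED`, so it takes the alias value plus one and ends up numerically equal to `ACCESS_DUNNO`. The old ACCESS_REQ_PROXY_AUTH had a value of its own. The `answer == ACCESS_AUTH_REQUIRED` and `answer != ACCESS_AUTH_REQUIRED` tests in the two src/client_side_request.cc hunks therefore also match an undecided ACCESS_DUNNO answer. That presumably makes an unresolved check indistinguishable from "credentials missing" when the denial is built, and a `switch` naming both enumerators would no longer compile. Give the first new state an explicit value, `ACCESS_AUTH_REQUIRED = ACCESS_DUNNO + 1, // Missing Credentials`, or move the `ACCESS_AUTH_OK = ACCESS_ALLOWED` alias to the end of the enum. A one-line comment stating that ACCESS_AUTH_OK is deliberately an alias would also help.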
@@ -144,7 +144,7 @@ Adaptation::AccessCheck::AccessCheckCallbackWrapper(allow_t answer, void *data)
 debugs(93, 8, HERE << "callback answer=" << answer);
 AccessCheck *ac = (AccessCheck*)data;
- /** \todo AYJ 2008-06-12: If answer == ACCESS_REQ_PROXY_AUTH
+ /** \todo AYJ 2008-06-12: If answer == ACCESS_AUTH_REQUIRED
 * we should be kicking off an authentication before continuing
 * with this request. see bug 2400 for details.
 */
diff --git a/src/auth/AclProxyAuth.cc b/src/auth/AclProxyAuth.cc
index f5dc92f559..da51da5ced 100644
--- a/src/auth/AclProxyAuth.cc
+++ b/src/auth/AclProxyAuth.cc
@@ -181,7 +181,7 @@ ProxyAuthNeeded::checkForAsync(ACLChecklist *checklist) const
 * The request is denied.
 */
 debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
- checklist->currentAnswer(ACCESS_REQ_PROXY_AUTH);
+ checklist->currentAnswer(ACCESS_AUTH_REQUIRED);
 checklist->changeState (ACLChecklist::NullState::Instance());
 checklist->markFinished();
 }
diff --git a/src/client_side_request.cc b/src/client_side_request.cc
index 49615cfef9..54ac896354 100644
--- a/src/client_side_request.cc
+++ b/src/client_side_request.cc
@@ -728,7 +728,7 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer)
 if (answer != ACCESS_ALLOWED) {
 /* Send an error */
- int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName));
+ int require_auth = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName));
 debugs(85, 5, "Access Denied: " << http->uri);
 debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : ""));
 #if USE_AUTH
@@ -742,7 +742,7 @@ ClientRequestContext::clientAccessCheckDone(const allow_t &answer)
 * the clientCreateStoreEntry() call just below. Pedro Ribeiro
 *
 */
- page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
+ page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_AUTH_REQUIRED);
 http->logType = LOG_TCP_DENIED;
--
2.47.3