From e377501e9bd98b6b628504c0bcc3245c9e69e7e3 Mon Sep 17 00:00:00 2001
From: hno <>
Date: Sun, 16 Jun 2002 23:46:25 +0000
Subject: [PATCH] Generalized the proxy_auth ACL processing one small step
 further to make it easier for other ACL types to use/require authentication.

---
 src/acl.cc   | 136 ++++++++++++++++++++++++---------------------------
 src/protos.h |   3 +-
 2 files changed, 65 insertions(+), 74 deletions(-)

diff --git a/src/acl.cc b/src/acl.cc
index 7a317ac564..0b33f1eb55 100644
--- a/src/acl.cc
+++ b/src/acl.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: acl.cc,v 1.276 2002/06/14 16:27:13 hno Exp $
+ * $Id: acl.cc,v 1.277 2002/06/16 17:46:25 hno Exp $
  *
  * DEBUG: section 28    Access Control
  * AUTHOR: Duane Wessels
@@ -1270,7 +1270,7 @@ aclParseUserMaxIP(void *data)
     (*acldata)->max = atoi(t);
     debug(28, 5) ("aclParseUserMaxIP: Max IP address's %d\n", (int) (*acldata)->max);
     return;
-error:
+  error:
     fatal("aclParseUserMaxIP: Malformed ACL %d\n");
 }
 
@@ -1428,6 +1428,51 @@ aclMatchWordList(wordlist * w, const char *word)
 }
 #endif
 
+int
+aclAuthenticated(aclCheck_t * checklist)
+{
+    request_t *r = checklist->request;
+    http_hdr_type headertype;
+    if (NULL == r) {
+	return -1;
+    } else if (!r->flags.accelerated) {
+	/* Proxy authorization on proxy requests */
+	headertype = HDR_PROXY_AUTHORIZATION;
+    } else if (r->flags.internal) {
+	/* WWW authorization on accelerated internal requests */
+	headertype = HDR_AUTHORIZATION;
+    } else {
+#if AUTH_ON_ACCELERATION
+	/* WWW authorization on accelerated requests */
+	headertype = HDR_AUTHORIZATION;
+#else
+	debug(28, 1) ("aclAuthenticated: authentication not applicable on accelerated requests.\n");
+	return -1;
+#endif
+    }
+    /* get authed here */
+    /* Note: this fills in checklist->auth_user_request when applicable */
+    switch (authenticateAuthenticate(&checklist->auth_user_request, headertype, checklist->request, checklist->conn, checklist->src_addr)) {
+    case AUTH_ACL_CANNOT_AUTHENTICATE:
+	debug(28, 4) ("aclMatchAcl: returning  0 user authenticated but not authorised.\n");
+	return 0;
+    case AUTH_AUTHENTICATED:
+	return 1;
+	break;
+    case AUTH_ACL_HELPER:
+	debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n");
+	checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED;
+	return 0;
+    case AUTH_ACL_CHALLENGE:
+	debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n");
+	checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED;
+	return 0;
+    default:
+	fatal("unexpected authenticateAuthenticate reply\n");
+	return -1;
+    }
+}
+
 static int
 aclMatchAcl(acl * ae, aclCheck_t * checklist)
 {
@@ -1438,7 +1483,6 @@ aclMatchAcl(acl * ae, aclCheck_t * checklist)
     const char *header;
     const char *browser;
     int k, ti;
-    http_hdr_type headertype;
     if (!ae)
 	return 0;
     switch (ae->type) {
@@ -1610,85 +1654,29 @@ aclMatchAcl(acl * ae, aclCheck_t * checklist)
 	/* NOTREACHED */
     case ACL_PROXY_AUTH:
     case ACL_PROXY_AUTH_REGEX:
+	if ((ti = aclAuthenticated(checklist)) != 0)
+	    return ti;
+	ti = aclMatchProxyAuth(ae->data, checklist->auth_user_request,
+	    checklist, ae->type);
+	checklist->auth_user_request = NULL;
+	return ti;
+	/* NOTREACHED */
     case ACL_MAX_USER_IP:
-	/* ALL authentication predicated ACL's live here */
-	if (NULL == r) {
-	    return -1;
-	} else if (!r->flags.accelerated) {
-	    /* Proxy authorization on proxy requests */
-	    headertype = HDR_PROXY_AUTHORIZATION;
-	} else if (r->flags.internal) {
-	    /* WWW authorization on accelerated internal requests */
-	    headertype = HDR_AUTHORIZATION;
-	} else {
-#if AUTH_ON_ACCELERATION
-	    /* WWW authorization on accelerated requests */
-	    headertype = HDR_AUTHORIZATION;
-#else
-	    debug(28, 1) ("aclMatchAcl: proxy_auth %s not applicable on accelerated requests.\n", ae->name);
-	    return -1;
-#endif
-	}
-	/* get authed here */
-	if ((ti = authenticateAuthenticate(&checklist->auth_user_request, headertype, checklist->request, checklist->conn, checklist->src_addr)) != AUTH_AUTHENTICATED) {
-	    switch (ti) {
-	    case 0:
-		/* Authenticated but not Authorised for this ACL */
-		debug(28, 4) ("aclMatchAcl: returning  0 user authenticated but not authorised.\n");
-		return 0;
-	    case 1:
-		fatal("AUTH_AUTHENTICATED == 1\n");
-		break;
-	    case -1:
-		/* Send data to the helper */
-		debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n");
-		checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED;
-		return 0;
-	    case -2:
-		/* Send a challenge to the client */
-		debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n");
-		checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED;
-		return 0;
-	    }
-	}
-	/* then, switch on type again to do the correct match routine :> */
-	switch (ae->type) {
-	case ACL_PROXY_AUTH:
-	case ACL_PROXY_AUTH_REGEX:
-	    ti = aclMatchProxyAuth(ae->data, headertype,
-		checklist->auth_user_request, checklist, ae->type);
-	    break;
-	case ACL_MAX_USER_IP:
-	    ti = aclMatchUserMaxIP(ae->data, checklist->auth_user_request,
-		checklist->src_addr);
-	    break;
-	default:
-	    /* Keep GCC happy */
-	    break;
-	}
+	if ((ti = aclAuthenticated(checklist)) != 0)
+	    return ti;
+	ti = aclMatchUserMaxIP(ae->data, checklist->auth_user_request,
+	    checklist->src_addr);
 	checklist->auth_user_request = NULL;
-	/* Check the credentials */
-	switch (ti) {
-	case 0:
-	    debug(28, 4) ("aclMatchAcl: returning  0 user authenticated but not authorised.\n");
-	    /* Authenticated but not Authorised for this ACL */
-	    return 0;
-	case 1:
-	    debug(28, 4) ("aclMatchAcl: returning  1 user authenticated and authorised.\n");
-	    /* Authenticated and Authorised for this ACL */
-	    return 1;
-	case -2:
-	case -1:
-	    fatal("Invalid response from match routine\n");
-	    break;
-	}
+	return ti;
 	/* NOTREACHED */
 #if SQUID_SNMP
     case ACL_SNMP_COMMUNITY:
 	return aclMatchWordList(ae->data, checklist->snmp_community);
+	/* NOTREACHED */
 #endif
     case ACL_SRC_ASN:
 	return asnMatchIp(ae->data, checklist->src_addr);
+	/* NOTREACHED */
     case ACL_DST_ASN:
 	ia = ipcache_gethostbyname(r->host, IP_LOOKUP_IF_MISS);
 	if (ia) {
@@ -1705,9 +1693,11 @@ aclMatchAcl(acl * ae, aclCheck_t * checklist)
 	    return asnMatchIp(ae->data, no_addr);
 	}
 	return 0;
+	/* NOTREACHED */
 #if USE_ARP_ACL
     case ACL_SRC_ARP:
 	return aclMatchArp(&ae->data, checklist->src_addr);
+	/* NOTREACHED */
 #endif
     case ACL_REQ_MIME_TYPE:
 	header = httpHeaderGetStr(&checklist->request->header,
diff --git a/src/protos.h b/src/protos.h
index 65129dc2c4..3156cecb23 100644
--- a/src/protos.h
+++ b/src/protos.h
@@ -1,6 +1,6 @@
 
 /*
- * $Id: protos.h,v 1.437 2002/04/21 21:52:47 hno Exp $
+ * $Id: protos.h,v 1.438 2002/06/16 17:46:26 hno Exp $
  *
  *
  * SQUID Web Proxy Cache          http://www.squid-cache.org/
@@ -74,6 +74,7 @@ extern const char *aclTypeToStr(squid_acl);
 extern wordlist *aclDumpGeneric(const acl *);
 extern int aclPurgeMethodInUse(acl_access *);
 extern void aclCacheMatchFlush(dlink_list * cache);
+extern int aclAuthenticated(aclCheck_t * checklist);
 
 /*
  * cache_cf.c
-- 
2.47.3