* DEBUG: section 28 Access Control
* AUTHOR: Duane Wessels
* SQUID Web Proxy Cache http://www.squid-cache.org/
* ----------------------------------------------------------
* Squid is the result of efforts by numerous individuals from
* the Internet community; see the CONTRIBUTORS file for full
* details. Many organizations have provided support for Squid's
* development; see the SPONSORS file for full details. Squid is
* Copyrighted (C) 2001 by the Regents of the University of
* California; see the COPYRIGHT file for full details. Squid
* incorporates software developed and/or copyrighted by other
* sources; see the CREDITS file for full details.
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
* Copyright (c) 2003, Robert Collins <robertc@squid-cache.org>
#include "ACLProxyAuth.h"
#include "authenticate.h"
#include "ACLChecklist.h"
#include "ACLUserData.h"
#include "ACLRegexData.h"
#include "client_side.h"
#include "HttpRequest.h"
#include "AuthUserRequest.h"
ACLProxyAuth::~ACLProxyAuth()
/* Builds a proxy-auth ACL around an existing data object.
 * newData is stored in `data` exactly as passed (no clone is made here) and
 * theType is stored in `type_`; neither pointer is checked for NULL. */
ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType)
    : data(newData),
      type_(theType)
{
}
/* Copy constructor: `data` is initialised from old.data->clone() and `type_`
 * is copied from old.type_. old.data is dereferenced without a NULL check, so
 * the source object must hold a non-NULL data pointer. The constructor body
 * is not shown here. */
ACLProxyAuth::ACLProxyAuth (ACLProxyAuth const &old) : data (old.data->clone()), type_(old.type_)
/* Copy assignment. Only one statement of the body is shown here: `data` is
 * replaced by a clone of rhs.data.
 * NOTE(review): nothing shown releases the object `data` pointed to before
 * the assignment, and no self-assignment guard is visible. If `data` is an
 * owning raw pointer (the constructor takes an ACLData<char const *> *), the
 * previous object would leak -- confirm against the full file. */
ACLProxyAuth::operator= (ACLProxyAuth const &rhs)
61
data = rhs.data->clone();
ACLProxyAuth::typeString() const
/* Evaluates this ACL for the request described by `checklist`.
 * The result of checklist->authenticated() is stored in `ti` and compared
 * with 1. The declaration of `ti`, the statement controlled by the `if` and
 * the final return are not shown here.
 * NOTE(review): presumably any value other than 1 is handed straight back to
 * the caller, so matchProxyAuth() runs only once authentication has
 * succeeded -- confirm against the full file. */
ACLProxyAuth::match(ACLChecklist *checklist)
83
if ((ti = checklist->authenticated()) != 1)
86
/* authentication reported 1: go on to matchProxyAuth() */
ti = matchProxyAuth(checklist);
ACLProxyAuth::dump() const
/* Forwards to data->empty() and returns its result. */
ACLProxyAuth::empty () const
100
return data->empty();
/* Configuration sanity check for proxy_auth ACLs.
 * Two conditions are tested, each logging to debug section 28 at level 0:
 *  - authenticateSchemeCount() == 0: no authentication scheme was compiled in;
 *  - authenticateActiveSchemeCount() == 0: no scheme is fully configured.
 * The statements that follow each debugs() call and the function's return
 * are not shown here.
 * NOTE(review): presumably both branches report the ACL as invalid, so a
 * proxy_auth rule is rejected when nothing is able to verify credentials --
 * confirm against the full file and check how the caller treats an invalid
 * ACL. */
ACLProxyAuth::valid () const
106
if (authenticateSchemeCount() == 0) {
107
debugs(28, 0, "Can't use proxy auth because no authentication schemes were compiled.");
111
if (authenticateActiveSchemeCount() == 0) {
112
debugs(28, 0, "Can't use proxy auth because no authentication schemes are fully configured.");
ProxyAuthNeeded ProxyAuthNeeded::instance_;
ProxyAuthNeeded::Instance()
ProxyAuthLookup ProxyAuthLookup::instance_;
ProxyAuthLookup::Instance()
/* Starts the asynchronous credential check for `checklist`.
 * Marks the checklist as having an async operation in progress, then calls
 * start() on the checklist's auth_user_request with LookupDone as the
 * completion callback and the checklist itself as the callback data. */
ProxyAuthLookup::checkForAsync(ACLChecklist *checklist)const
138
checklist->asyncInProgress(true);
139
debugs(28, 3, "ACLChecklist::checkForAsync: checking password via authenticator");
141
AuthUserRequest *auth_user_request;
142
/* make sure someone created auth_user_request for us */
143
/* NOTE(review): both preconditions below are enforced only with assert().
 * Where assert() is active, a violation stops the whole proxy process; where
 * it is compiled out, the pointer is used unchecked. Whether a request can
 * reach this point with a missing or invalid auth_user_request depends on
 * callers that are not shown here. */
assert(checklist->auth_user_request != NULL);
144
auth_user_request = checklist->auth_user_request;
146
assert(authenticateValidateUser(auth_user_request));
147
auth_user_request->start(LookupDone, checklist);
/* Completion callback that ProxyAuthLookup::checkForAsync() passes to
 * start(); `data` is the ACLChecklist supplied there.
 * When the auth request no longer validates, or the client connection is
 * gone, the references are unlocked and a still-present connection is marked
 * AUTH_BROKEN. In every case the async flag is cleared and the checklist is
 * moved to its null state.
 * Some lines of the body are not shown here, including whatever condition
 * guards the fatal() call. */
ProxyAuthLookup::LookupDone(void *data, char *result)
153
/* C-style cast of the opaque callback argument: nothing verifies the pointee
 * type beyond the asyncState() assertion that follows. */
ACLChecklist *checklist = (ACLChecklist *)data;
154
assert (checklist->asyncState() == ProxyAuthLookup::Instance());
157
/* NOTE(review): the guard for this fatal() is not shown; presumably it fires
 * only when `result` is non-NULL -- confirm against the full file. */
fatal("AclLookupProxyAuthDone: Old code floating around somewhere.\nMake clean and if that doesn't work, report a bug to the squid developers.\n");
159
if (!authenticateValidateUser(checklist->auth_user_request) || checklist->conn() == NULL) {
160
/* credentials could not be checked either way
161
* restart the whole process */
162
/* OR the connection was closed, there's no way to continue */
163
AUTHUSERREQUESTUNLOCK(checklist->auth_user_request, "ProxyAuthLookup");
165
if (checklist->conn() != NULL) {
166
AUTHUSERREQUESTUNLOCK(checklist->conn()->auth_user_request, "conn via ProxyAuthLookup"); // DPW discomfort
167
/* record on the connection that its authentication state is broken */
checklist->conn()->auth_type = AUTH_BROKEN;
171
/* async phase is over: clear the flag and return to the null state */
checklist->asyncInProgress(false);
172
checklist->changeState (ACLChecklist::NullState::Instance());
ProxyAuthNeeded::checkForAsync(ACLChecklist *checklist) const
/* Client is required to resend the request with correct authentication
 * credentials. (This may be part of a stateful auth protocol.)
 * The request is denied.
 */
debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
checklist->currentAnswer(ACCESS_REQ_PROXY_AUTH);
checklist->changeState (ACLChecklist::NullState::Instance());
checklist->markFinished();
/* Static registration of the two ACL types implemented by this class.
 * "proxy_auth" is backed by an ACLUserData instance and "proxy_auth_regex"
 * by an ACLRegexData instance. Each ACL::Prototype is given the address of
 * the matching registry entry together with the same type name.
 * NOTE(review): how user names are compared (case handling, regex anchoring)
 * is decided inside ACLUserData / ACLRegexData, which are not part of this
 * file; review those classes when judging what a rule of either type will
 * actually match. */
ACL::Prototype ACLProxyAuth::UserRegistryProtoype(&ACLProxyAuth::UserRegistryEntry_, "proxy_auth");
190
ACLProxyAuth ACLProxyAuth::UserRegistryEntry_(new ACLUserData, "proxy_auth");
191
ACL::Prototype ACLProxyAuth::RegexRegistryProtoype(&ACLProxyAuth::RegexRegistryEntry_, "proxy_auth_regex" );
192
ACLProxyAuth ACLProxyAuth::RegexRegistryEntry_(new ACLRegexData, "proxy_auth_regex");
/* Returns a heap-allocated copy of this ACL made with the copy constructor.
 * Who is responsible for deleting the copy is not shown here. */
ACLProxyAuth::clone() const
197
return new ACLProxyAuth(*this);
/* Matches the user name carried by checklist->auth_user_request against this
 * ACL's data and returns the result of data->match().
 * NOTE(review): the non-NULL precondition on auth_user_request is enforced
 * only by assert(), and the value returned by username() is passed to
 * data->match() without a NULL check here. */
ACLProxyAuth::matchForCache(ACLChecklist *checklist)
203
assert (checklist->auth_user_request);
204
return data->match(checklist->auth_user_request->username());
/* aclMatchProxyAuth can return two exit codes:
 * 0 : Authorisation for this ACL failed. (Did not match)
 * 1 : Authorisation OK. (Matched)
 */
/* Matches the request's user against this ACL through a per-user cache.
 * Runs checkAuthForCaching() first, then calls cacheMatchAcl() with the
 * proxy_match_cache of the request's user object, and finally invokes
 * AUTHUSERREQUESTUNLOCK on the checklist's auth_user_request. The return
 * statement is not shown here.
 * NOTE(review): the cache is a member of the user object, so a cached
 * decision can be reused by later checks for the same user. How entries are
 * invalidated (for example on reconfiguration) is not shown here -- confirm
 * before relying on ACL changes taking effect for already-cached users. */
ACLProxyAuth::matchProxyAuth(ACLChecklist *checklist)
214
checkAuthForCaching(checklist);
215
/* check to see if we have matched the user-acl before */
216
int result = cacheMatchAcl(&checklist->auth_user_request->user()->
217
proxy_match_cache, checklist);
218
AUTHUSERREQUESTUNLOCK(checklist->auth_user_request, "ACLChecklist via ACLProxyAuth");
ACLProxyAuth::checkAuthForCaching(ACLChecklist *checklist)const
/* for completeness */
/* consistent parameters ? */
assert(authenticateUserAuthenticated(checklist->auth_user_request));
/* this check completed */