AclProxyAuth.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 28 Access Control */
10 
11 #include "squid.h"
12 #include "acl/FilledChecklist.h"
13 #include "acl/RegexData.h"
14 #include "acl/UserData.h"
15 #include "auth/Acl.h"
16 #include "auth/AclProxyAuth.h"
17 #include "auth/Gadgets.h"
18 #include "auth/User.h"
19 #include "auth/UserRequest.h"
20 #include "client_side.h"
21 #include "http/Stream.h"
22 #include "HttpRequest.h"
23 
25 {
26  delete data;
27 }
28 
29 ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) :
30  data(newData),
31  type_(theType)
32 {}
33 
34 char const *
36 {
37  return type_;
38 }
39 
40 const Acl::Options &
42 {
43  return data->lineOptions();
44 }
45 
46 void
48 {
49  data->parse();
50 }
51 
52 int
54 {
55  auto answer = AuthenticateAcl(checklist);
56 
57  // convert to tri-state ACL match 1,0,-1
58  switch (answer) {
59  case ACCESS_ALLOWED:
60  // check for a match
61  return matchProxyAuth(checklist);
62 
63  case ACCESS_DENIED:
64  return 0; // non-match
65 
66  case ACCESS_DUNNO:
68  default:
69  // If the answer is not allowed or denied (matches/not matches) and
70  // async authentication is not in progress, then we are done.
71  if (checklist->keepMatching())
72  checklist->markFinished(answer, "AuthenticateAcl exception");
73  return -1; // other
74  }
75 }
76 
79 {
80  return data->dump();
81 }
82 
83 bool
85 {
86  return data->empty();
87 }
88 
89 bool
91 {
92  if (authenticateSchemeCount() == 0) {
93  debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes were compiled.");
94  return false;
95  }
96 
97  if (authenticateActiveSchemeCount() == 0) {
98  debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes are fully configured.");
99  return false;
100  }
101 
102  return true;
103 }
104 
106 
109 {
110  return &instance_;
111 }
112 
113 void
115 {
116  ACLFilledChecklist *checklist = Filled(cl);
117 
118  debugs(28, 3, HERE << "checking password via authenticator");
119 
120  /* make sure someone created auth_user_request for us */
121  assert(checklist->auth_user_request != NULL);
122  assert(checklist->auth_user_request->valid());
123  checklist->auth_user_request->start(checklist->request, checklist->al, LookupDone, checklist);
124 }
125 
126 void
128 {
129  ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
130 
131  if (checklist->auth_user_request == NULL || !checklist->auth_user_request->valid() || checklist->conn() == NULL) {
132  /* credentials could not be checked either way
133  * restart the whole process */
134  /* OR the connection was closed, there's no way to continue */
135  checklist->auth_user_request = NULL;
136 
137  if (checklist->conn() != NULL) {
138  checklist->conn()->setAuth(NULL, "proxy_auth ACL failure");
139  }
140  }
141 
143 }
144 
145 int
147 {
148  ACLFilledChecklist *checklist = Filled(cl);
149  assert (checklist->auth_user_request != NULL);
150  return data->match(checklist->auth_user_request->username());
151 }
152 
153 /* aclMatchProxyAuth can return two exit codes:
154  * 0 : Authorisation for this ACL failed. (Did not match)
155  * 1 : Authorisation OK. (Matched)
156  */
157 int
159 {
160  ACLFilledChecklist *checklist = Filled(cl);
161  if (!checklist->request->flags.sslBumped) {
163  return 0;
164  }
165  }
166  /* check to see if we have matched the user-acl before */
167  int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);
168  checklist->auth_user_request = NULL;
169  return result;
170 }
171 
virtual const Acl::Options & lineOptions()
supported ACL "line" options (e.g., "-i")
Definition: Data.h:26
virtual char const * typeString() const
Definition: AclProxyAuth.cc:35
virtual void checkForAsync(ACLChecklist *) const
std::vector< const Option * > Options
Definition: Options.h:214
void setAuth(const Auth::UserRequest::Pointer &aur, const char *cause)
Definition: client_side.cc:510
RequestFlags flags
Definition: HttpRequest.h:141
std::list< SBuf > SBufList
Definition: forward.h:22
bool keepMatching() const
Whether we should continue to match tree nodes or stop/pause.
Definition: Checklist.h:146
AccessLogEntry::Pointer al
info for the future access.log, and external ACL
#define DBG_CRITICAL
Definition: Debug.h:40
virtual int match(ACLChecklist *checklist)
Matches the actual data in checklist against this ACL.
Definition: AclProxyAuth.cc:53
virtual User::Pointer user()
Definition: UserRequest.h:143
char const * type_
Definition: AclProxyAuth.h:55
virtual const Acl::Options & lineOptions()
Definition: AclProxyAuth.cc:41
int matchProxyAuth(ACLChecklist *)
ConnStateData * conn() const
The client connection manager.
@ ACCESS_AUTH_REQUIRED
Definition: Acl.h:114
#define NULL
Definition: types.h:166
int authenticateUserAuthenticated(Auth::UserRequest::Pointer auth_user_request)
Definition: UserRequest.cc:176
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:123
bool valid() const
Definition: UserRequest.cc:53
ACLData< char const * > * data
Definition: AclProxyAuth.h:54
virtual void parse()
parses node representation in squid.conf; dies on failures
Definition: AclProxyAuth.cc:47
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
std::ostream & HERE(std::ostream &s)
Definition: Debug.h:152
void markFinished(const Acl::Answer &newAnswer, const char *reason)
Definition: Checklist.cc:57
virtual bool valid() const
Definition: AclProxyAuth.cc:90
#define assert(EX)
Definition: assert.h:19
HttpRequest * request
static ProxyAuthLookup instance_
Definition: AclProxyAuth.h:26
virtual SBufList dump() const
Definition: AclProxyAuth.cc:78
void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data)
Definition: UserRequest.cc:44
virtual bool empty() const
Definition: AclProxyAuth.cc:84
static void LookupDone(void *data)
virtual void parse()=0
ACLProxyAuth(ACLData< char const * > *, char const *)
Definition: AclProxyAuth.cc:29
int authenticateSchemeCount(void)
Definition: Gadgets.cc:53
void resumeNonBlockingCheck(AsyncState *state)
Definition: Checklist.cc:261
Acl::Answer AuthenticateAcl(ACLChecklist *ch)
Definition: Acl.cc:28
char const * username() const
Definition: UserRequest.cc:32
int authenticateActiveSchemeCount(void)
Definition: Gadgets.cc:38
@ ACCESS_ALLOWED
Definition: Acl.h:110
@ ACCESS_DENIED
Definition: Acl.h:109
virtual bool match(M)=0
static ProxyAuthLookup * Instance()
@ ACCESS_DUNNO
Definition: Acl.h:111
int cacheMatchAcl(dlink_list *cache, ACLChecklist *)
Definition: Acl.cc:341
virtual bool empty() const =0
Auth::UserRequest::Pointer auth_user_request
virtual int matchForCache(ACLChecklist *checklist)
virtual SBufList dump() const =0

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors