AclProxyAuth.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 28 Access Control */
10 
11 #include "squid.h"
12 #include "acl/FilledChecklist.h"
13 #include "acl/RegexData.h"
14 #include "acl/UserData.h"
15 #include "auth/Acl.h"
16 #include "auth/AclProxyAuth.h"
17 #include "auth/Gadgets.h"
18 #include "auth/User.h"
19 #include "auth/UserRequest.h"
20 #include "client_side.h"
21 #include "http/Stream.h"
22 #include "HttpRequest.h"
23 
25 {
26  delete data;
27 }
28 
29 ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) :
30  data(newData),
31  type_(theType)
32 {}
33 
35  data(old.data->clone()),
36  type_(old.type_)
37 {}
38 
41 {
42  data = rhs.data->clone();
43  type_ = rhs.type_;
44  return *this;
45 }
46 
47 char const *
49 {
50  return type_;
51 }
52 
53 void
55 {
57 }
58 
59 void
61 {
62  data->parse();
63 }
64 
65 int
67 {
68  allow_t answer = AuthenticateAcl(checklist);
69 
70  // convert to tri-state ACL match 1,0,-1
71  switch (answer) {
72  case ACCESS_ALLOWED:
73  // check for a match
74  return matchProxyAuth(checklist);
75 
76  case ACCESS_DENIED:
77  return 0; // non-match
78 
79  case ACCESS_DUNNO:
81  default:
82  // If the answer is not allowed or denied (matches/not matches) and
83  // async authentication is not in progress, then we are done.
84  if (checklist->keepMatching())
85  checklist->markFinished(answer, "AuthenticateAcl exception");
86  return -1; // other
87  }
88 }
89 
92 {
93  return data->dump();
94 }
95 
96 bool
98 {
99  return data->empty();
100 }
101 
102 bool
104 {
105  if (authenticateSchemeCount() == 0) {
106  debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes were compiled.");
107  return false;
108  }
109 
110  if (authenticateActiveSchemeCount() == 0) {
111  debugs(28, DBG_CRITICAL, "Can't use proxy auth because no authentication schemes are fully configured.");
112  return false;
113  }
114 
115  return true;
116 }
117 
119 
122 {
123  return &instance_;
124 }
125 
126 void
128 {
129  ACLFilledChecklist *checklist = Filled(cl);
130 
131  debugs(28, 3, HERE << "checking password via authenticator");
132 
133  /* make sure someone created auth_user_request for us */
134  assert(checklist->auth_user_request != NULL);
135  assert(checklist->auth_user_request->valid());
136  checklist->auth_user_request->start(checklist->request, checklist->al, LookupDone, checklist);
137 }
138 
139 void
141 {
142  ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
143 
144  if (checklist->auth_user_request == NULL || !checklist->auth_user_request->valid() || checklist->conn() == NULL) {
145  /* credentials could not be checked either way
146  * restart the whole process */
147  /* OR the connection was closed, there's no way to continue */
148  checklist->auth_user_request = NULL;
149 
150  if (checklist->conn() != NULL) {
151  checklist->conn()->setAuth(NULL, "proxy_auth ACL failure");
152  }
153  }
154 
156 }
157 
158 ACL *
160 {
161  return new ACLProxyAuth(*this);
162 }
163 
164 int
166 {
167  ACLFilledChecklist *checklist = Filled(cl);
168  assert (checklist->auth_user_request != NULL);
169  return data->match(checklist->auth_user_request->username());
170 }
171 
172 /* aclMatchProxyAuth can return two exit codes:
173  * 0 : Authorisation for this ACL failed. (Did not match)
174  * 1 : Authorisation OK. (Matched)
175  */
176 int
178 {
179  ACLFilledChecklist *checklist = Filled(cl);
180  if (checklist->request->flags.sslBumped)
181  return 1; // AuthenticateAcl() already handled this bumped request
182  if (!authenticateUserAuthenticated(Filled(checklist)->auth_user_request)) {
183  return 0;
184  }
185  /* check to see if we have matched the user-acl before */
186  int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);
187  checklist->auth_user_request = NULL;
188  return result;
189 }
190 
int cacheMatchAcl(dlink_list *cache, ACLChecklist *)
Definition: Acl.cc:333
virtual bool empty() const =0
void setAuth(const Auth::UserRequest::Pointer &aur, const char *cause)
Definition: client_side.cc:503
virtual int matchForCache(ACLChecklist *checklist)
#define assert(EX)
Definition: assert.h:17
virtual bool match(M)=0
virtual bool valid() const
void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data)
Definition: UserRequest.cc:44
Definition: Acl.h:113
ACLProxyAuth & operator=(ACLProxyAuth const &)
Definition: AclProxyAuth.cc:40
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
virtual const Acl::ParameterFlags & supportedFlags() const
Definition: Data.h:25
Definition: Acl.h:39
allow_t AuthenticateAcl(ACLChecklist *ch)
Definition: Acl.cc:28
AccessLogEntry::Pointer al
info for the future access.log, and external ACL
bool keepMatching() const
Whether we should continue to match tree nodes or stop/pause.
Definition: Checklist.h:144
#define DBG_CRITICAL
Definition: Debug.h:44
virtual bool empty() const
Definition: AclProxyAuth.cc:97
ConnStateData * conn() const
The client connection manager.
ACLData< char const * > * data
Definition: AclProxyAuth.h:55
virtual int match(ACLChecklist *checklist)
Matches the actual data in checklist against this ACL.
Definition: AclProxyAuth.cc:66
int authenticateUserAuthenticated(Auth::UserRequest::Pointer auth_user_request)
Definition: UserRequest.cc:176
virtual void checkForAsync(ACLChecklist *) const
void const char HLPCB void * data
Definition: stub_helper.cc:16
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:123
int matchProxyAuth(ACLChecklist *)
void ParseFlags(const Options &options, const ParameterFlags &flags)
Definition: Options.cc:240
char const * type_
Definition: AclProxyAuth.h:56
virtual void parse()
parses node represenation in squid.conf; dies on failures
Definition: AclProxyAuth.cc:60
virtual void parse()=0
virtual SBufList dump() const
Definition: AclProxyAuth.cc:91
static ProxyAuthLookup * Instance()
int authenticateSchemeCount(void)
Definition: Gadgets.cc:53
void markFinished(const allow_t &newAnswer, const char *reason)
Definition: Checklist.cc:58
std::list< SBuf > SBufList
Definition: forward.h:26
std::ostream & HERE(std::ostream &s)
Definition: Debug.h:147
HttpRequest * request
RequestFlags flags
Definition: HttpRequest.h:129
void resumeNonBlockingCheck(AsyncState *state)
Definition: Checklist.cc:262
virtual ACL * clone() const
bool valid() const
Definition: UserRequest.cc:53
virtual User::Pointer user()
Definition: UserRequest.h:143
char const * username() const
Definition: UserRequest.cc:32
virtual void parseFlags()
configures ACL options, throwing on configuration errors
Definition: AclProxyAuth.cc:54
virtual SBufList dump() const =0
static void LookupDone(void *data)
virtual ACLData * clone() const =0
int authenticateActiveSchemeCount(void)
Definition: Gadgets.cc:38
static ProxyAuthLookup instance_
Definition: AclProxyAuth.h:26
ACLProxyAuth(ACLData< char const * > *, char const *)
Definition: AclProxyAuth.cc:29
const Options & NoOptions()
Definition: Options.cc:247
#define NULL
Definition: types.h:166
Auth::UserRequest::Pointer auth_user_request
virtual char const * typeString() const
Definition: AclProxyAuth.cc:48

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors