AclProxyAuth.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 28 Access Control */
10
11#include "squid.h"
12#include "acl/FilledChecklist.h"
13#include "acl/RegexData.h"
14#include "acl/UserData.h"
15#include "auth/Acl.h"
16#include "auth/AclProxyAuth.h"
17#include "auth/Gadgets.h"
18#include "auth/User.h"
19#include "auth/UserRequest.h"
20#include "client_side.h"
21#include "http/Stream.h"
22#include "HttpRequest.h"
23
25{
26 delete data;
27}
28
29ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) :
30 data(newData),
31 type_(theType)
32{}
33
34char const *
36{
37 return type_;
38}
39
40const Acl::Options &
42{
43 return data->lineOptions();
44}
45
46void
48{
49 data->parse();
50}
51
52int
54{
55 auto answer = AuthenticateAcl(checklist);
56
57 // convert to tri-state ACL match 1,0,-1
58 switch (answer) {
59 case ACCESS_ALLOWED:
60 // check for a match
61 return matchProxyAuth(checklist);
62
63 case ACCESS_DENIED:
64 return 0; // non-match
65
66 case ACCESS_DUNNO:
68 default:
69 // If the answer is not allowed or denied (matches/not matches) and
70 // async authentication is not in progress, then we are done.
71 if (checklist->keepMatching())
72 checklist->markFinished(answer, "AuthenticateAcl exception");
73 return -1; // other
74 }
75}
76
79{
80 return data->dump();
81}
82
83bool
85{
86 return data->empty();
87}
88
89bool
91{
92 if (authenticateSchemeCount() == 0) {
93 debugs(28, DBG_CRITICAL, "ERROR: Cannot use proxy auth because no authentication schemes were compiled.");
94 return false;
95 }
96
98 debugs(28, DBG_CRITICAL, "ERROR: Cannot use proxy auth because no authentication schemes are fully configured.");
99 return false;
100 }
101
102 return true;
103}
104
106
109{
110 return &instance_;
111}
112
113void
115{
116 ACLFilledChecklist *checklist = Filled(cl);
117
118 debugs(28, 3, "checking password via authenticator");
119
120 /* make sure someone created auth_user_request for us */
121 assert(checklist->auth_user_request != nullptr);
122 assert(checklist->auth_user_request->valid());
123 checklist->auth_user_request->start(checklist->request, checklist->al, LookupDone, checklist);
124}
125
126void
128{
129 ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
130
131 if (checklist->auth_user_request == nullptr || !checklist->auth_user_request->valid() || checklist->conn() == nullptr) {
132 /* credentials could not be checked either way
133 * restart the whole process */
134 /* OR the connection was closed, there's no way to continue */
135 checklist->auth_user_request = nullptr;
136
137 if (checklist->conn() != nullptr) {
138 checklist->conn()->setAuth(nullptr, "proxy_auth ACL failure");
139 }
140 }
141
143}
144
145int
147{
148 ACLFilledChecklist *checklist = Filled(cl);
149 assert (checklist->auth_user_request != nullptr);
150 return data->match(checklist->auth_user_request->username());
151}
152
153/* aclMatchProxyAuth can return two exit codes:
154 * 0 : Authorisation for this ACL failed. (Did not match)
155 * 1 : Authorisation OK. (Matched)
156 */
157int
159{
160 ACLFilledChecklist *checklist = Filled(cl);
161 if (!checklist->request->flags.sslBumped) {
163 return 0;
164 }
165 }
166 /* check to see if we have matched the user-acl before */
167 int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);
168 checklist->auth_user_request = nullptr;
169 return result;
170}
171
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
int authenticateUserAuthenticated(Auth::UserRequest::Pointer auth_user_request)
Definition: UserRequest.cc:176
#define assert(EX)
Definition: assert.h:19
Acl::Answer AuthenticateAcl(ACLChecklist *ch)
Definition: Acl.cc:28
int authenticateActiveSchemeCount(void)
Definition: Gadgets.cc:38
int authenticateSchemeCount(void)
Definition: Gadgets.cc:53
void markFinished(const Acl::Answer &newAnswer, const char *reason)
Definition: Checklist.cc:57
bool keepMatching() const
Whether we should continue to match tree nodes or stop/pause.
Definition: Checklist.h:146
void resumeNonBlockingCheck(AsyncState *state)
Definition: Checklist.cc:261
virtual void parse()=0
virtual SBufList dump() const =0
virtual bool match(M)=0
virtual bool empty() const =0
virtual const Acl::Options & lineOptions()
supported ACL "line" options (e.g., "-i")
Definition: Data.h:26
HttpRequest * request
ConnStateData * conn() const
The client connection manager.
AccessLogEntry::Pointer al
info for the future access.log, and external ACL
Auth::UserRequest::Pointer auth_user_request
virtual int match(ACLChecklist *checklist)
Matches the actual data in checklist against this ACL.
Definition: AclProxyAuth.cc:53
virtual bool empty() const
Definition: AclProxyAuth.cc:84
int matchProxyAuth(ACLChecklist *)
virtual char const * typeString() const
Definition: AclProxyAuth.cc:35
virtual SBufList dump() const
Definition: AclProxyAuth.cc:78
virtual void parse()
parses node representation in squid.conf; dies on failures
Definition: AclProxyAuth.cc:47
ACLProxyAuth(ACLData< char const * > *, char const *)
Definition: AclProxyAuth.cc:29
virtual const Acl::Options & lineOptions()
Definition: AclProxyAuth.cc:41
ACLData< char const * > * data
Definition: AclProxyAuth.h:54
char const * type_
Definition: AclProxyAuth.h:55
virtual int matchForCache(ACLChecklist *checklist)
virtual bool valid() const
Definition: AclProxyAuth.cc:90
int cacheMatchAcl(dlink_list *cache, ACLChecklist *)
Definition: Acl.cc:341
bool valid() const
Definition: UserRequest.cc:53
void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data)
Definition: UserRequest.cc:44
char const * username() const
Definition: UserRequest.cc:32
virtual User::Pointer user()
Definition: UserRequest.h:143
void setAuth(const Auth::UserRequest::Pointer &aur, const char *cause)
Definition: client_side.cc:507
RequestFlags flags
Definition: HttpRequest.h:141
static ProxyAuthLookup * Instance()
virtual void checkForAsync(ACLChecklist *) const
static void LookupDone(void *data)
static ProxyAuthLookup instance_
Definition: AclProxyAuth.h:26
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:196
#define DBG_CRITICAL
Definition: Stream.h:40
@ ACCESS_AUTH_REQUIRED
Definition: Acl.h:114
@ ACCESS_DENIED
Definition: Acl.h:109
@ ACCESS_ALLOWED
Definition: Acl.h:110
@ ACCESS_DUNNO
Definition: Acl.h:111
std::vector< const Option * > Options
Definition: Options.h:214
std::list< SBuf > SBufList
Definition: forward.h:23

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors