Acl.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9#include "squid.h"
10#include "acl/Acl.h"
11#include "acl/FilledChecklist.h"
12#include "auth/Acl.h"
13#include "auth/AclProxyAuth.h"
14#include "auth/UserRequest.h"
15#include "client_side.h"
16#include "fatal.h"
17#include "http/Stream.h"
18#include "HttpRequest.h"
19
29{
30 ACLFilledChecklist *checklist = Filled(ch);
31 const auto request = checklist->request;
32 Http::HdrType headertype;
33
34 if (!request) {
35 fatal ("requiresRequest SHOULD have been true for this ACL!!");
36 return ACCESS_DENIED;
37 } else if (request->flags.sslBumped) {
38 debugs(28, 5, "SslBumped request: It is an encapsulated request do not authenticate");
39 checklist->auth_user_request = checklist->conn() != nullptr ? checklist->conn()->getAuth() : request->auth_user_request;
40 if (checklist->auth_user_request != nullptr)
41 return ACCESS_ALLOWED;
42 else
43 return ACCESS_DENIED;
44 } else if (request->flags.accelerated) {
45 /* WWW authorization on accelerated requests */
47 } else if (request->flags.intercepted || request->flags.interceptTproxy) {
48 debugs(28, DBG_IMPORTANT, "WARNING: Authentication not applicable on intercepted requests.");
49 return ACCESS_DENIED;
50 } else {
51 /* Proxy authorization on proxy requests */
53 }
54
55 /* get authed here */
56 /* Note: this fills in auth_user_request when applicable */
58 &checklist->auth_user_request, headertype, checklist->request.getRaw(),
59 checklist->conn(), checklist->src_addr, checklist->al);
60 switch (result) {
61
63 debugs(28, 4, "returning " << ACCESS_DENIED << " user authenticated but not authorised.");
64 return ACCESS_DENIED;
65
67 return ACCESS_ALLOWED;
68 break;
69
70 case AUTH_ACL_HELPER:
71 if (checklist->goAsync(ProxyAuthLookup::Instance()))
72 debugs(28, 4, "returning " << ACCESS_DUNNO << " sending credentials to helper.");
73 else
74 debugs(28, 2, "cannot go async; returning " << ACCESS_DUNNO);
75 return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states
76
78 debugs(28, 4, "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");
79 /* Client is required to resend the request with correct authentication
80 * credentials. (This may be part of a stateful auth protocol.)
81 * The request is denied.
82 */
84
85 default:
86 fatal("unexpected authenticateAuthenticate reply\n");
87 return ACCESS_DENIED;
88 }
89}
90
AuthAclState
Definition: AuthAclState.h:14
@ AUTH_AUTHENTICATED
Definition: AuthAclState.h:18
@ AUTH_ACL_CANNOT_AUTHENTICATE
Definition: AuthAclState.h:17
@ AUTH_ACL_CHALLENGE
Definition: AuthAclState.h:15
@ AUTH_ACL_HELPER
Definition: AuthAclState.h:16
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
Acl::Answer AuthenticateAcl(ACLChecklist *ch)
Definition: Acl.cc:28
bool goAsync(AsyncState *)
Definition: Checklist.cc:114
ConnStateData * conn() const
The client connection manager.
Ip::Address src_addr
AccessLogEntry::Pointer al
info for the future access.log, and external ACL
Auth::UserRequest::Pointer auth_user_request
HttpRequest::Pointer request
static AuthAclState tryToAuthenticateAndSetAuthUser(UserRequest::Pointer *aUR, Http::HdrType, HttpRequest *, ConnStateData *, Ip::Address &, AccessLogEntry::Pointer &)
Definition: UserRequest.cc:437
const Auth::UserRequest::Pointer & getAuth() const
Definition: client_side.h:123
static ProxyAuthLookup * Instance()
C * getRaw() const
Definition: RefCount.h:89
#define DBG_IMPORTANT
Definition: Stream.h:38
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:194
void fatal(const char *message)
Definition: fatal.cc:28
@ ACCESS_AUTH_REQUIRED
Definition: Acl.h:120
@ ACCESS_DENIED
Definition: Acl.h:115
@ ACCESS_ALLOWED
Definition: Acl.h:116
@ ACCESS_DUNNO
Definition: Acl.h:117
@ PROXY_AUTHORIZATION

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors