Re: Source Code - X-Authenticate-Group

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 22 Nov 2010 21:16:25 +1300

On 22/11/10 07:37, viswanathan wrote:
> Hi all,
>
> I am very interested in Squid development and I am working on a Squid
> 3.1.8 deployment now. I am facing one issue with the X-Authenticate-Group
> header passing to ICAP from Squid. X-Authenticate-User is working well. So
> this is the right time to get into the source code; please help me with what
> my first step is. Please provide any documentation for the Squid source code.
>

Hi viswanathan,
   You have set yourself a rough problem. Please work with 3.2 code. The
auth systems are greatly different between 3.2 and 3.1 and somewhat
simpler in the later.

At present the group information is unknown to Squid.

What Squid does is pass a username and binary blob header over to the
authenticators. Proxy-Authenticate: for forward proxy or
WWW_Authenticate: for reverse-proxy. Which reply OK/ERR.

Later Squid passes the username and a full list of possible groups to an
external_acl_type helper which does group validation. This validator
returns OK/ERR if *any* of the groups match.

At no point presently is Squid aware of *which* particular groups are valid.

What documentation we have is available online at:
  http://squid.treenet.co.nz/Doc/Code

The authenticators and external ACL are allowed to pass key=value pairs
back to Squid. In order to send the group information anywhere you will
need to:

*** store the group details alongside the username. Possibly multiple
groups.

  + auth_param store these in AuthUser objects. Each protocol has its
own child version which share things stored in this parent.

  + external_acl_type stores things in ExternalACLEntryData.
The actual ACL processing retrieves those details at the end of function
aclMatchExternal() where it copies the entry data into ch->request. The
AuthUser can be accessed there via ch->request->auth_user_request->user()
  NP: auth_user_request might be NULL if there is no logged in user.

*** make Squid accept group=X from authenticators and/or external ACL.
Possibly multiple groups.

  + auth_param basic protocol: src/auth/basic/auth_basic.cc contains
function authenticateBasicHandleReply

  + auth_param digest protocol: src/auth/digest/digestUserRequest.cc
contains method AuthDigestUserRequest::HandleReply

  + auth_param ntlm protocol: src/auth/ntlm/ntlmUserRequest.cc contains
method AuthNTLMUserRequest::HandleReply

  + auth_param negotiate protocol:
src/auth/negotiate/negotiateUserRequest.cc contains method
AuthNegotiateUserRequest::HandleReply

  + external_acl_type helpers: src/external_acl.cc contains function
externalAclHandleReply

*** generate the X-Authenticated-Group header at the same time as adding
X-Authenticated-User.

*** Alter either the auth helpers or the external lookup helpers as
needed to send the group= keys within their replies.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.9
   Beta testers wanted for 3.2.0.3
Received on Mon Nov 22 2010 - 08:16:34 MST
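
The "accept group=X, possibly multiple groups" step from the message above, as an added stand-alone C++ example; it is not Squid source and not code from this thread. It assumes a reply line of whitespace-separated key=value tokens with unquoted values and a comma-joined header value; HelperReply, parseHelperReply and groupHeaderValue are hypothetical names.

```cpp
#include <sstream>
#include <string>
#include <vector>
struct HelperReply {
    bool ok = false;                  // true only for an "OK" result
    std::string user;                 // user= value, if any
    std::vector<std::string> groups;  // every accepted group= value, in order
};

// Helper output is untrusted and would end up in a header sent to ICAP:
// reject empty values, control bytes, and the comma used as list separator.
static bool safeValue(const std::string &v) {
    if (v.empty()) return false;
    for (unsigned char c : v)
        if (c < 0x21 || c == 0x7f || c == ',') return false;
    return true;
}

HelperReply parseHelperReply(const std::string &line) {
    HelperReply r;
    std::istringstream in(line);
    std::string tok;
    if (!(in >> tok) || tok != "OK") return r;  // ERR or junk: keep nothing
    r.ok = true;
    while (in >> tok) {                         // whitespace-separated tokens
        const std::string::size_type eq = tok.find('=');
        if (eq == std::string::npos || eq == 0) continue;
        const std::string key = tok.substr(0, eq), val = tok.substr(eq + 1);
        if (!safeValue(val)) continue;
        if (key == "user") r.user = val;
        else if (key == "group") r.groups.push_back(val);  // may repeat
    }
    return r;
}

// Value for the group header; empty means "do not send the header".
std::string groupHeaderValue(const HelperReply &r) {
    std::string out;
    for (const std::string &g : r.groups) {
        if (!out.empty()) out += ',';
        out += g;
    }
    return out;
}

int main() {  // constructed sample reply, not captured from a real helper
    HelperReply r = parseHelperReply("OK user=alice group=staff group=admins");
    return groupHeaderValue(r) == "staff,admins" ? 0 : 1;
}
```

Groups are taken only from OK replies, so a failed lookup can never contribute a group to the outgoing header.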