AclProxyAuth_8cc_source.html

/*

 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors

 *

 * Squid software is distributed under GPLv2+ license and includes

 * contributions from numerous individuals and organizations.

 * Please see the COPYING and CONTRIBUTORS files for details.

 */


/* DEBUG: section 28    Access Control */


#include "squid.h"

#include "acl/FilledChecklist.h"

#include "acl/RegexData.h"

#include "acl/UserData.h"

#include "auth/Acl.h"

#include "auth/AclProxyAuth.h"

#include "auth/Gadgets.h"

#include "auth/User.h"

#include "auth/UserRequest.h"

#include "client_side.h"

#include "http/Stream.h"

#include "HttpRequest.h"


ACLProxyAuth::~ACLProxyAuth()

{

    delete data;

}


ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) :

    data(newData),

    type_(theType)

{}


char const *


ACLProxyAuth::typeString() const

{

    return type_;

}


const Acl::Options &


ACLProxyAuth::lineOptions()

{

    return data->lineOptions();

}


void


ACLProxyAuth::parse()

{

    data->parse();

}


int


ACLProxyAuth::match(ACLChecklist *checklist)

{

    auto answer = AuthenticateAcl(checklist, *this);


    // convert to tri-state ACL match 1,0,-1

    switch (answer) {

    case ACCESS_ALLOWED:

        // check for a match

        return matchProxyAuth(checklist);


    case ACCESS_DENIED:

        return 0; // non-match


    case ACCESS_DUNNO:

    case ACCESS_AUTH_REQUIRED:

    default:

        // If the answer is not allowed or denied (matches/not matches) and

        // async authentication is not in progress, then we are done.

        if (checklist->keepMatching())

            checklist->markFinished(answer, "AuthenticateAcl exception");

        return -1; // other

    }

}


SBufList


ACLProxyAuth::dump() const

{

    return data->dump();

}


bool


ACLProxyAuth::empty() const

{

    return data->empty();

}


bool


ACLProxyAuth::valid() const

{

    if (authenticateSchemeCount() == 0) {

        debugs(28, DBG_CRITICAL, "ERROR: Cannot use proxy auth because no authentication schemes were compiled.");

        return false;

    }


    if (authenticateActiveSchemeCount() == 0) {

        debugs(28, DBG_CRITICAL, "ERROR: Cannot use proxy auth because no authentication schemes are fully configured.");

        return false;

    }


    return true;

}


void


ACLProxyAuth::StartLookup(ACLFilledChecklist &cl, const Acl::Node &)

{

    debugs(28, 3, "checking password via authenticator");


    /* make sure someone created auth_user_request for us */

    assert(cl.auth_user_request != nullptr);

    assert(cl.auth_user_request->valid());

    cl.auth_user_request->start(cl.request.getRaw(), cl.al, LookupDone, &cl);

}


void


ACLProxyAuth::LookupDone(void *data)

{

    ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));


    if (checklist->auth_user_request == nullptr || !checklist->auth_user_request->valid() || checklist->conn() == nullptr) {

        /* credentials could not be checked either way

         * restart the whole process */

        /* OR the connection was closed, there's no way to continue */

        checklist->auth_user_request = nullptr;


        if (checklist->conn() != nullptr) {

            checklist->conn()->setAuth(nullptr, "proxy_auth ACL failure");

        }

    }


    checklist->resumeNonBlockingCheck();

}


int


ACLProxyAuth::matchForCache(ACLChecklist *cl)

{

    ACLFilledChecklist *checklist = Filled(cl);

    assert (checklist->auth_user_request != nullptr);

    return data->match(checklist->auth_user_request->username());

}


/* aclMatchProxyAuth can return two exit codes:

 * 0 : Authorisation for this ACL failed. (Did not match)

 * 1 : Authorisation OK. (Matched)

 */

int


ACLProxyAuth::matchProxyAuth(ACLChecklist *cl)

{

    ACLFilledChecklist *checklist = Filled(cl);

    if (!checklist->request->flags.sslBumped) {

        if (!authenticateUserAuthenticated(checklist->auth_user_request)) {

            return 0;

        }

    }

    /* check to see if we have matched the user-acl before */

    int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);

    checklist->auth_user_request = nullptr;

    return result;

}


AclProxyAuth.h

FilledChecklist.h

Filled
ACLFilledChecklist * Filled(ACLChecklist *checklist)
convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>
Definition FilledChecklist.h:146

HttpRequest.h

RegexData.h

UserData.h

authenticateUserAuthenticated
bool authenticateUserAuthenticated(const Auth::UserRequest::Pointer &auth_user_request)
Definition UserRequest.cc:190

UserRequest.h

User.h

assert
#define assert(EX)
Definition assert.h:17

AuthenticateAcl
Acl::Answer AuthenticateAcl(ACLChecklist *ch, const Acl::Node &acl)
Definition Acl.cc:28

Acl.h

authenticateActiveSchemeCount
int authenticateActiveSchemeCount(void)
Definition Gadgets.cc:38

authenticateSchemeCount
int authenticateSchemeCount(void)
Definition Gadgets.cc:53

Gadgets.h

ACLChecklist
Definition Checklist.h:31

ACLChecklist::markFinished
void markFinished(const Acl::Answer &newAnswer, const char *reason)
Definition Checklist.cc:45

ACLChecklist::resumeNonBlockingCheck
void resumeNonBlockingCheck()
Definition Checklist.cc:230

ACLChecklist::keepMatching
bool keepMatching() const
Whether we should continue to match tree nodes or stop/pause.
Definition Checklist.h:96

ACLData
Configured ACL parameter(s) (e.g., domain names in dstdomain ACL).
Definition Data.h:18

ACLData::parse
virtual void parse()=0

ACLData::dump
virtual SBufList dump() const =0

ACLData::match
virtual bool match(M)=0

ACLData::empty
virtual bool empty() const =0

ACLData::lineOptions
virtual const Acl::Options & lineOptions()
supported ACL "line" options (e.g., "-i")
Definition Data.h:26

ACLFilledChecklist
Definition FilledChecklist.h:34

ACLFilledChecklist::conn
ConnStateData * conn() const
The client connection manager.
Definition FilledChecklist.cc:106

ACLFilledChecklist::al
AccessLogEntry::Pointer al
info for the future access.log, and external ACL
Definition FilledChecklist.h:124

ACLFilledChecklist::auth_user_request
Auth::UserRequest::Pointer auth_user_request
Definition FilledChecklist.h:106

ACLFilledChecklist::request
HttpRequest::Pointer request
Definition FilledChecklist.h:103

ACLProxyAuth::dump
SBufList dump() const override
Definition AclProxyAuth.cc:78

ACLProxyAuth::matchProxyAuth
int matchProxyAuth(ACLChecklist *)
Definition AclProxyAuth.cc:148

ACLProxyAuth::parse
void parse() override
parses node representation in squid.conf; dies on failures
Definition AclProxyAuth.cc:47

ACLProxyAuth::lineOptions
const Acl::Options & lineOptions() override
Definition AclProxyAuth.cc:41

ACLProxyAuth::ACLProxyAuth
ACLProxyAuth(ACLData< char const * > *, char const *)
Definition AclProxyAuth.cc:29

ACLProxyAuth::StartLookup
static void StartLookup(ACLFilledChecklist &, const Acl::Node &)
Definition AclProxyAuth.cc:106

ACLProxyAuth::data
ACLData< char const * > * data
Definition AclProxyAuth.h:46

ACLProxyAuth::type_
char const  * type_
Definition AclProxyAuth.h:47

ACLProxyAuth::LookupDone
static void LookupDone(void *data)
Definition AclProxyAuth.cc:117

ACLProxyAuth::~ACLProxyAuth
~ACLProxyAuth() override
Definition AclProxyAuth.cc:24

ACLProxyAuth::valid
bool valid() const override
Definition AclProxyAuth.cc:90

ACLProxyAuth::typeString
char const * typeString() const override
Definition AclProxyAuth.cc:35

ACLProxyAuth::matchForCache
int matchForCache(ACLChecklist *checklist) override
Definition AclProxyAuth.cc:136

ACLProxyAuth::empty
bool empty() const override
Definition AclProxyAuth.cc:84

ACLProxyAuth::match
int match(ACLChecklist *checklist) override
Matches the actual data in checklist against this Acl::Node.
Definition AclProxyAuth.cc:53

Acl::Node
Definition Node.h:26

Acl::Node::cacheMatchAcl
int cacheMatchAcl(dlink_list *cache, ACLChecklist *)
Definition Acl.cc:401

Auth::UserRequest::valid
bool valid() const
Definition UserRequest.cc:54

Auth::UserRequest::start
void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data)
Definition UserRequest.cc:45

Auth::UserRequest::username
char const * username() const
Definition UserRequest.cc:33

Auth::UserRequest::user
virtual User::Pointer user()
Definition UserRequest.h:143

ConnStateData::setAuth
void setAuth(const Auth::UserRequest::Pointer &aur, const char *cause)
Definition client_side.cc:494

HttpRequest::flags
RequestFlags flags
Definition HttpRequest.h:141

RefCount::getRaw
C * getRaw() const
Definition RefCount.h:89

RequestFlags::sslBumped
bool sslBumped
Definition RequestFlags.h:110

client_side.h

debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition Stream.h:192

DBG_CRITICAL
#define DBG_CRITICAL
Definition Stream.h:37

ACCESS_AUTH_REQUIRED
@ ACCESS_AUTH_REQUIRED
Definition Acl.h:46

ACCESS_DENIED
@ ACCESS_DENIED
Definition Acl.h:41

ACCESS_ALLOWED
@ ACCESS_ALLOWED
Definition Acl.h:42

ACCESS_DUNNO
@ ACCESS_DUNNO
Definition Acl.h:43

Stream.h

Acl::Options
std::vector< const Option * > Options
Definition Options.h:217

SBufList
std::list< SBuf > SBufList
Definition forward.h:23

squid.h