squid : Optimising Web Delivery

Go to the documentation of this file.

 /*
  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
  *
  * Squid software is distributed under GPLv2+ license and includes
  * contributions from numerous individuals and organizations.
  * Please see the COPYING and CONTRIBUTORS files for details.
  */
  
 /* DEBUG: section 28    Access Control */
  
 #include "squid.h"
 #include "acl/FilledChecklist.h"
 #include "acl/RegexData.h"
 #include "acl/UserData.h"
 #include "auth/Acl.h"
 #include "auth/AclProxyAuth.h"
 #include "auth/Gadgets.h"
 #include "auth/User.h"
 #include "auth/UserRequest.h"
 #include "client_side.h"
 #include "http/Stream.h"
 #include "HttpRequest.h"
  
 ACLProxyAuth::~ACLProxyAuth()
 {
     delete data;
 }
  
 ACLProxyAuth::ACLProxyAuth(ACLData<char const *> *newData, char const *theType) :
     data(newData),
     type_(theType)
 {}
  
 char const *
 ACLProxyAuth::typeString() const
 {
     return type_;
 }
  
 const Acl::Options &
 ACLProxyAuth::lineOptions()
 {
     return data->lineOptions();
 }
  
 void
 ACLProxyAuth::parse()
 {
     data->parse();
 }
  
 int
 ACLProxyAuth::match(ACLChecklist *checklist)
 {
     auto answer = AuthenticateAcl(checklist, *this);
  
     // convert to tri-state ACL match 1,0,-1
     switch (answer) {
     case ACCESS_ALLOWED:
         // check for a match
         return matchProxyAuth(checklist);
  
     case ACCESS_DENIED:
         return 0; // non-match
  
     case ACCESS_DUNNO:
     case ACCESS_AUTH_REQUIRED:
     default:
         // If the answer is not allowed or denied (matches/not matches) and
         // async authentication is not in progress, then we are done.
         if (checklist->keepMatching())
             checklist->markFinished(answer, "AuthenticateAcl exception");
         return -1; // other
     }
 }
  
 SBufList
 ACLProxyAuth::dump() const
 {
     return data->dump();
 }
  
 bool
 ACLProxyAuth::empty() const
 {
     return data->empty();
 }
  
 bool
 ACLProxyAuth::valid() const
 {
     if (authenticateSchemeCount() == 0) {
         debugs(28, DBG_CRITICAL, "ERROR: Cannot use proxy auth because no authentication schemes were compiled.");
         return false;
     }
  
     if (authenticateActiveSchemeCount() == 0) {
         debugs(28, DBG_CRITICAL, "ERROR: Cannot use proxy auth because no authentication schemes are fully configured.");
         return false;
     }
  
     return true;
 }
  
 void
 ACLProxyAuth::StartLookup(ACLFilledChecklist &cl, const Acl::Node &)
 {
     debugs(28, 3, "checking password via authenticator");
  
     /* make sure someone created auth_user_request for us */
     assert(cl.auth_user_request != nullptr);
     assert(cl.auth_user_request->valid());
     cl.auth_user_request->start(cl.request.getRaw(), cl.al, LookupDone, &cl);
 }
  
 void
 ACLProxyAuth::LookupDone(void *data)
 {
     ACLFilledChecklist *checklist = Filled(static_cast<ACLChecklist*>(data));
  
     if (checklist->auth_user_request == nullptr || !checklist->auth_user_request->valid() || checklist->conn() == nullptr) {
         /* credentials could not be checked either way
          * restart the whole process */
         /* OR the connection was closed, there's no way to continue */
         checklist->auth_user_request = nullptr;
  
         if (checklist->conn() != nullptr) {
             checklist->conn()->setAuth(nullptr, "proxy_auth ACL failure");
         }
     }
  
     checklist->resumeNonBlockingCheck();
 }
  
 int
 ACLProxyAuth::matchForCache(ACLChecklist *cl)
 {
     ACLFilledChecklist *checklist = Filled(cl);
     assert (checklist->auth_user_request != nullptr);
     return data->match(checklist->auth_user_request->username());
 }
  
 /* aclMatchProxyAuth can return two exit codes:
  * 0 : Authorisation for this ACL failed. (Did not match)
  * 1 : Authorisation OK. (Matched)
  */
 int
 ACLProxyAuth::matchProxyAuth(ACLChecklist *cl)
 {
     ACLFilledChecklist *checklist = Filled(cl);
     if (!checklist->request->flags.sslBumped) {
         if (!authenticateUserAuthenticated(checklist->auth_user_request)) {
             return 0;
         }
     }
     /* check to see if we have matched the user-acl before */
     int result = cacheMatchAcl(&checklist->auth_user_request->user()->proxy_match_cache, checklist);
     checklist->auth_user_request = nullptr;
     return result;
 }
  

ACLProxyAuth::StartLookup

static void StartLookup(ACLFilledChecklist &, const Acl::Node &)

Definition: AclProxyAuth.cc:106

ACLData::lineOptions

virtual const Acl::Options & lineOptions()

supported ACL "line" options (e.g., "-i")

Definition: Data.h:26

ACLFilledChecklist

Definition: FilledChecklist.h:33

DBG_CRITICAL

#define DBG_CRITICAL

Definition: Stream.h:37

ACLProxyAuth::LookupDone

static void LookupDone(void *data)

Definition: AclProxyAuth.cc:117

client_side.h

ACLProxyAuth::typeString

const char * typeString() const override

Definition: AclProxyAuth.cc:35

RequestFlags::sslBumped

bool sslBumped

Definition: RequestFlags.h:110

Acl::Options

std::vector< const Option * > Options

Definition: Options.h:217

ConnStateData::setAuth

void setAuth(const Auth::UserRequest::Pointer &aur, const char *cause)

Definition: client_side.cc:494

HttpRequest::flags

RequestFlags flags

Definition: HttpRequest.h:141

SBufList

std::list< SBuf > SBufList

Definition: forward.h:22

ACLChecklist::keepMatching

bool keepMatching() const

Whether we should continue to match tree nodes or stop/pause.

Definition: Checklist.h:96

FilledChecklist.h

RegexData.h

ACLProxyAuth::lineOptions

const Acl::Options & lineOptions() override

Definition: AclProxyAuth.cc:41

ACLData< char const * >

UserRequest.h

RefCount::getRaw

C * getRaw() const

Definition: RefCount.h:89

ACLFilledChecklist::al

AccessLogEntry::Pointer al

info for the future access.log, and external ACL

Definition: FilledChecklist.h:124

Auth::UserRequest::user

virtual User::Pointer user()

Definition: UserRequest.h:143

ACLChecklist

Definition: Checklist.h:30

ACLProxyAuth::valid

bool valid() const override

Definition: AclProxyAuth.cc:90

AclProxyAuth.h

ACLProxyAuth::matchProxyAuth

int matchProxyAuth(ACLChecklist *)

Definition: AclProxyAuth.cc:148

ACLFilledChecklist::conn

ConnStateData * conn() const

The client connection manager.

Definition: FilledChecklist.cc:123

ACCESS_AUTH_REQUIRED

@ ACCESS_AUTH_REQUIRED

Definition: Acl.h:46

Auth::UserRequest::valid

bool valid() const

Definition: UserRequest.cc:53

ACLProxyAuth::data

ACLData< char const * > * data

Definition: AclProxyAuth.h:46

Auth::UserRequest::username

const char * username() const

Definition: UserRequest.cc:32

Filled

ACLFilledChecklist * Filled(ACLChecklist *checklist)

convenience and safety wrapper for dynamic_cast<ACLFilledChecklist*>

Definition: FilledChecklist.h:146

ACLProxyAuth::type_

const char * type_

Definition: AclProxyAuth.h:47

ACLFilledChecklist::request

HttpRequest::Pointer request

Definition: FilledChecklist.h:103

Gadgets.h

ACLChecklist::markFinished

void markFinished(const Acl::Answer &newAnswer, const char *reason)

Definition: Checklist.cc:45

assert

#define assert(EX)

Definition: assert.h:17

authenticateUserAuthenticated

bool authenticateUserAuthenticated(const Auth::UserRequest::Pointer &auth_user_request)

Definition: UserRequest.cc:189

Auth::UserRequest::start

void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data)

Definition: UserRequest.cc:44

AuthenticateAcl

Acl::Answer AuthenticateAcl(ACLChecklist *ch, const Acl::Node &acl)

Definition: Acl.cc:28

ACLProxyAuth::dump

SBufList dump() const override

Definition: AclProxyAuth.cc:78

User.h

HttpRequest.h

ACLData::parse

virtual void parse()=0

ACLProxyAuth::ACLProxyAuth

ACLProxyAuth(ACLData< char const * > *, char const *)

Definition: AclProxyAuth.cc:29

authenticateSchemeCount

int authenticateSchemeCount(void)

Definition: Gadgets.cc:53

Stream.h

ACLProxyAuth::~ACLProxyAuth

~ACLProxyAuth() override

Definition: AclProxyAuth.cc:24

Acl::Node

Definition: Node.h:25

Acl::Node::cacheMatchAcl

int cacheMatchAcl(dlink_list *cache, ACLChecklist *)

Definition: Acl.cc:401

authenticateActiveSchemeCount

int authenticateActiveSchemeCount(void)

Definition: Gadgets.cc:38

ACCESS_ALLOWED

@ ACCESS_ALLOWED

Definition: Acl.h:42

ACCESS_DENIED

@ ACCESS_DENIED

Definition: Acl.h:41

ACLData::match

virtual bool match(M)=0

ACCESS_DUNNO

@ ACCESS_DUNNO

Definition: Acl.h:43

ACLProxyAuth::matchForCache

int matchForCache(ACLChecklist *checklist) override

Definition: AclProxyAuth.cc:136

ACLData::empty

virtual bool empty() const =0

UserData.h

ACLProxyAuth::empty

bool empty() const override

Definition: AclProxyAuth.cc:84

squid.h

ACLFilledChecklist::auth_user_request

Auth::UserRequest::Pointer auth_user_request

Definition: FilledChecklist.h:106

debugs

#define debugs(SECTION, LEVEL, CONTENT)

Definition: Stream.h:192

ACLProxyAuth::match

int match(ACLChecklist *checklist) override

Matches the actual data in checklist against this Acl::Node.

Definition: AclProxyAuth.cc:53

ACLProxyAuth::parse

void parse() override

parses node representation in squid.conf; dies on failures

Definition: AclProxyAuth.cc:47

ACLChecklist::resumeNonBlockingCheck

void resumeNonBlockingCheck()

Definition: Checklist.cc:230

Acl.h

ACLData::dump

virtual SBufList dump() const =0

squid-cache.org

Optimising Web Delivery

Introduction

Documentation

Support

Miscellaneous