------------------------------------------------------------ revno: 11639 revision-id: squid3@treenet.co.nz-20110813155338-mz1fygklp84zc3xr parent: squid3@treenet.co.nz-20110813145547-l4nzlg07i751xc0q committer: Amos Jeffries branch nick: trunk timestamp: Sat 2011-08-13 09:53:38 -0600 message: Support extended authentication states to ACL results Support sub-states of authentication to be sent as results from ACLs. This allows future work to resolve issues around cases such as expired but known credentials being used in fast category access controls. The new authentication states are: ACCESS_AUTH_OK - equivalent to ACCESS_ALLOWED ACCESS_AUTH_REQUIRED - Missing Credentials. Used to be ACCESS_REQ_PROXY_AUTH ACCESS_AUTH_EXPIRED_OK - Expired now. Were Okay. ACCESS_AUTH_EXPIRED_BAD - Expired now. Were Failed. Also converts cases of ACCESS_REQ_PROXY_AUTH to the new name. As yet no attempt is made to alter auth or access control logics to use the new states. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20110813155338-mz1fygklp84zc3xr # target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # testament_sha1: 89b8c4acc03f2f8a9f98818b5ad4a61236ab4890 # timestamp: 2011-08-13 16:52:41 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # base_revision_id: squid3@treenet.co.nz-20110813145547-\ # l4nzlg07i751xc0q # # Begin patch === modified file 'src/acl/Acl.h' --- src/acl/Acl.h 2011-07-16 15:21:48 +0000 +++ src/acl/Acl.h 2011-08-13 15:53:38 +0000 
@@ -105,10 +105,16 @@ /// \ingroup ACLAPI typedef enum { + // Authorization ACL result states ACCESS_DENIED, ACCESS_ALLOWED, ACCESS_DUNNO, - ACCESS_REQ_PROXY_AUTH + + // Authentication ACL result states + ACCESS_AUTH_OK = ACCESS_ALLOWED, + ACCESS_AUTH_REQUIRED, // Missing Credentials + ACCESS_AUTH_EXPIRED_OK, // Expired now. Were Okay. + ACCESS_AUTH_EXPIRED_BAD // Expired now. Were Failed. } allow_t; /// \ingroup ACLAPI === modified file 'src/adaptation/AccessCheck.cc' --- src/adaptation/AccessCheck.cc 2011-07-16 15:21:48 +0000 +++ src/adaptation/AccessCheck.cc 2011-08-13 15:53:38 +0000 @@ -144,7 +144,7 @@ debugs(93, 8, HERE << "callback answer=" << answer); AccessCheck *ac = (AccessCheck*)data; - /** \todo AYJ 2008-06-12: If answer == ACCESS_REQ_PROXY_AUTH + /** \todo AYJ 2008-06-12: If answer == ACCESS_AUTH_REQUIRED * we should be kicking off an authentication before continuing * with this request. see bug 2400 for details. */ === modified file 'src/auth/AclProxyAuth.cc' --- src/auth/AclProxyAuth.cc 2011-07-16 15:21:48 +0000 +++ src/auth/AclProxyAuth.cc 2011-08-13 15:53:38 +0000 @@ -181,7 +181,7 @@ * The request is denied. */ debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header."); - checklist->currentAnswer(ACCESS_REQ_PROXY_AUTH); + checklist->currentAnswer(ACCESS_AUTH_REQUIRED); checklist->changeState (ACLChecklist::NullState::Instance()); checklist->markFinished(); } === modified file 'src/client_side_request.cc' --- src/client_side_request.cc 2011-08-04 03:21:06 +0000 +++ src/client_side_request.cc 2011-08-13 15:53:38 +0000 @@ -728,7 +728,7 @@ if (answer != ACCESS_ALLOWED) { /* Send an error */ - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)); + int require_auth = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName)); debugs(85, 5, "Access Denied: " << http->uri); debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : "")); #if USE_AUTH 
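Review bot: In the `allow_t` enum in src/acl/Acl.h, `ACCESS_AUTH_REQUIRED` follows `ACCESS_AUTH_OK = ACCESS_ALLOWED` without an initializer, so it takes the value `ACCESS_ALLOWED + 1`, which `ACCESS_DUNNO` already holds; the old `ACCESS_REQ_PROXY_AUTH` had a distinct value. Any comparison against either name now matches both: `require_auth = (answer == ACCESS_AUTH_REQUIRED || ...)` in the first src/client_side_request.cc hunk becomes true for an `ACCESS_DUNNO` answer, and the `answer != ACCESS_AUTH_REQUIRED` argument to `aclGetDenyInfoPage` in the following hunk is affected the same way. Give the enumerator an explicit value, `ACCESS_AUTH_REQUIRED = ACCESS_DUNNO + 1, // Missing Credentials`, or declare the `ACCESS_AUTH_OK` alias after the last distinct state. Since the description says nothing handles `ACCESS_AUTH_EXPIRED_OK` or `ACCESS_AUTH_EXPIRED_BAD` yet, a comment on the enum stating that callers must treat every value other than `ACCESS_ALLOWED` as a denial would keep later checks fail-closed.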
@@ -742,7 +742,7 @@ * the clientCreateStoreEntry() call just below. Pedro Ribeiro * */ - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH); + page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_AUTH_REQUIRED); http->logType = LOG_TCP_DENIED;