------------------------------------------------------------
revno: 11643
revision-id: squid3@treenet.co.nz-20110814055534-kgpjxr0ye6v6n84q
parent: squid3@treenet.co.nz-20110814034826-vpbxnuba8zcpejlk
committer: Amos Jeffries
branch nick: trunk
timestamp: Sat 2011-08-13 23:55:34 -0600
message: Update response generationg to handle auth ACL reply cases Known + expired + OK credentials do not need a re-challenge. They are in grace period where helper revalidation is all that is needed. Any other result requires an error or challenge response of some sort. Also, drop the ACCESS_ prefix from enum names. This makes it easier to see what the handling should be.
------------------------------------------------------------
# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: squid3@treenet.co.nz-20110814055534-kgpjxr0ye6v6n84q
# target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
# testament_sha1: ef19faefbf9ee4f66233ac47092e01ea4ff2dd51
# timestamp: 2011-08-14 06:52:01 +0000
# source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/
# base_revision_id: squid3@treenet.co.nz-20110814034826-\
# vpbxnuba8zcpejlk
#
# Begin patch
=== modified file 'src/acl/Acl.h'
--- src/acl/Acl.h 2011-08-13 15:53:38 +0000
+++ src/acl/Acl.h 2011-08-14 05:55:34 +0000
@@ -111,10 +111,10 @@
ACCESS_DUNNO,
// Authentication ACL result states
- ACCESS_AUTH_OK = ACCESS_ALLOWED,
- ACCESS_AUTH_REQUIRED, // Missing Credentials
- ACCESS_AUTH_EXPIRED_OK, // Expired now. Were Okay.
- ACCESS_AUTH_EXPIRED_BAD // Expired now. Were Failed.
+ AUTH_OK = ACCESS_ALLOWED,
+ AUTH_REQUIRED, // Missing Credentials
+ AUTH_EXPIRED_OK, // Expired now. Were Okay.
+ AUTH_EXPIRED_BAD // Expired now. Were Failed.
} allow_t;
/// \ingroup ACLAPI
=== modified file 'src/adaptation/AccessCheck.cc'
--- src/adaptation/AccessCheck.cc 2011-08-13 15:53:38 +0000
+++ src/adaptation/AccessCheck.cc 2011-08-14 05:55:34 +0000
@@ -144,7 +144,7 @@
debugs(93, 8, HERE << "callback answer=" << answer);
AccessCheck *ac = (AccessCheck*)data;
- /** \todo AYJ 2008-06-12: If answer == ACCESS_AUTH_REQUIRED
+ /** \todo AYJ 2008-06-12: If answer == AUTH_REQUIRED
* we should be kicking off an authentication before continuing
* with this request. see bug 2400 for details. */
=== modified file 'src/auth/AclProxyAuth.cc'
--- src/auth/AclProxyAuth.cc 2011-08-13 15:53:38 +0000
+++ src/auth/AclProxyAuth.cc 2011-08-14 05:55:34 +0000
@@ -181,7 +181,7 @@
* The request is denied. */
debugs(28, 6, "ACLChecklist::checkForAsync: requiring Proxy Auth header.");
- checklist->currentAnswer(ACCESS_AUTH_REQUIRED);
+ checklist->currentAnswer(AUTH_REQUIRED);
checklist->changeState (ACLChecklist::NullState::Instance());
checklist->markFinished();
}
=== modified file 'src/client_side_request.cc'
--- src/client_side_request.cc 2011-08-13 15:53:38 +0000
+++ src/client_side_request.cc 2011-08-14 05:55:34 +0000
@@ -726,13 +726,16 @@
proxy_auth_msg = http->request->auth_user_request->denyMessage("");
#endif
- if (answer != ACCESS_ALLOWED) {
- /* Send an error */
- int require_auth = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName));
+ if (answer != ACCESS_ALLOWED && answer != AUTH_EXPIRED_OK) {
+ // auth has a grace period where credentials can be expired but okay not to challenge.
+
+ /* Send an auth challenge or error */
+ // XXX: do we still need aclIsProxyAuth() ?
+ bool auth_challenge = (answer == AUTH_REQUIRED || answer == AUTH_EXPIRED_BAD || aclIsProxyAuth(AclMatchedName));
debugs(85, 5, "Access Denied: " << http->uri);
debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : ""));
#if USE_AUTH
- if (require_auth)
+ if (auth_challenge)
debugs(33, 5, "Proxy Auth Message = " << (proxy_auth_msg ? proxy_auth_msg : ""));
#endif
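Review bot: The added `if (answer != ACCESS_ALLOWED && answer != AUTH_EXPIRED_OK)` lets a request carrying expired-but-previously-valid credentials fall through to the allowed path, yet nothing in this hunk starts the helper revalidation that the commit message says the grace period relies on; presumably the auth lookup that produced AUTH_EXPIRED_OK has already queued it, but that is not visible here and it is what bounds how long stale credentials keep being honoured. The new comment would carry more weight if it named that dependency, e.g. `// AUTH_EXPIRED_OK: credentials past their TTL but previously valid; serve the request now, the auth layer re-checks them with the helper (confirm where that is kicked off).` The enclosing function starts before this hunk, and `auth_challenge` declared here is also used by the next hunk in this file.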
@@ -742,11 +745,11 @@
* the clientCreateStoreEntry() call just below. Pedro Ribeiro
* */
- page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_AUTH_REQUIRED);
+ page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != AUTH_REQUIRED);
http->logType = LOG_TCP_DENIED;
- if (require_auth) {
+ if (auth_challenge) {
#if USE_AUTH
if (!http->flags.accel) {
/* Proxy authorisation needed */
@@ -789,7 +792,7 @@
return;
}
- /* ACCESS_ALLOWED continues here ... */
+ /* ACCESS_ALLOWED (or auth in grace period AUTH_EXPIRED_OK) continues here ... */
safe_free(http->uri);
http->uri = xstrdup(urlCanonical(http->request));
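Review bot: The deny-page lookup `page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != AUTH_REQUIRED);` still exempts only AUTH_REQUIRED, while the previous hunk widened the challenge set to AUTH_EXPIRED_BAD (and the aclIsProxyAuth() case), so for an expired-and-failed credential a deny_info page is chosen as if no challenge were being sent, on the same path that takes the `if (auth_challenge) {` branch — assuming the third argument still means "redirect-style page allowed". Deriving it from the same decision keeps the two consistent: `page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, !auth_challenge);`. The `if (auth_challenge) {` body and the enclosing function continue outside the hunk, and `auth_challenge` itself is declared in the earlier hunk of this file.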