------------------------------------------------------------ revno: 11645 revision-id: squid3@treenet.co.nz-20110814121857-3qvvvqg9gi4hp6et parent: squid3@treenet.co.nz-20110814114033-kf6lnpayb7j8ysvh committer: Amos Jeffries branch nick: trunk timestamp: Sun 2011-08-14 06:18:57 -0600 message: Convert AuthenticateAcl() to use new ACL states ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20110814121857-3qvvvqg9gi4hp6et # target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # testament_sha1: f94a553e3f2030222496f56cc6753bd0537128f6 # timestamp: 2011-08-14 12:59:22 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # base_revision_id: squid3@treenet.co.nz-20110814114033-\ # kf6lnpayb7j8ysvh # # Begin patch === modified file 'src/auth/Acl.cc' --- src/auth/Acl.cc 2010-06-03 00:12:32 +0000 +++ src/auth/Acl.cc 2011-08-14 12:18:57 +0000 @@ -6,10 +6,14 @@ #include "auth/AclProxyAuth.h" #include "HttpRequest.h" -/** retval -1 user not authenticated (authentication error?) - retval 0 user not authorized OR user authentication is in pgrogress - retval +1 user authenticated and authorized */ -int +/** + * \retval ACCESS_AUTH_REQUIRED credentials missing. challenge required. + * \retval ACCESS_DENIED user not authenticated (authentication error?) + * \retval ACCESS_DUNNO user authentication is in progress + * \retval ACCESS_DENIED user not authorized + * \retval ACCESS_ALLOWED user authenticated and authorized + */ +allow_t AuthenticateAcl(ACLChecklist *ch) { ACLFilledChecklist *checklist = Filled(ch); 
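Review bot: The new doc comment lists ACCESS_DENIED twice, once for "user not authenticated" and once for "user not authorized", so the contract does not say that callers cannot tell the two outcomes apart. It also omits that intercepted and spoof_client_ip requests end in ACCESS_DENIED, as the second hunk of this file shows. I would merge the two entries into one line, `\retval ACCESS_DENIED authentication failed, user not authorized, or the request cannot be authenticated (intercepted)`, so the documented states match the return statements. The body of AuthenticateAcl() continues outside this hunk.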
@@ -18,13 +22,13 @@ if (NULL == request) { fatal ("requiresRequest SHOULD have been true for this ACL!!"); - return 0; + return ACCESS_DENIED; } else if (request->flags.accelerated) { /* WWW authorization on accelerated requests */ headertype = HDR_AUTHORIZATION; } else if (request->flags.intercepted || request->flags.spoof_client_ip) { - debugs(28, DBG_IMPORTANT, HERE << " authentication not applicable on intercepted requests."); - return -1; + debugs(28, DBG_IMPORTANT, "NOTICE: Authentication not applicable on intercepted requests."); + return ACCESS_DENIED; } else { /* Proxy authorization on proxy requests */ headertype = HDR_PROXY_AUTHORIZATION; @@ -38,25 +42,25 @@ switch (result) { case AUTH_ACL_CANNOT_AUTHENTICATE: - debugs(28, 4, HERE << "returning 0 user authenticated but not authorised."); - return 0; + debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " user authenticated but not authorised."); + return ACCESS_DENIED; case AUTH_AUTHENTICATED: - return 1; + return ACCESS_ALLOWED; break; case AUTH_ACL_HELPER: - debugs(28, 4, HERE << "returning 0 sending credentials to helper."); + debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending credentials to helper."); checklist->changeState(ProxyAuthLookup::Instance()); - return 0; + return ACCESS_DUNNO; // XXX: break this down into DUNNO, EXPIRED_OK, EXPIRED_BAD states case AUTH_ACL_CHALLENGE: - debugs(28, 4, HERE << "returning 0 sending authentication challenge."); - checklist->changeState (ProxyAuthNeeded::Instance()); - return 0; + debugs(28, 4, HERE << "returning " << ACCESS_DENIED << " sending authentication challenge."); + checklist->changeState(ProxyAuthNeeded::Instance()); + return ACCESS_AUTH_REQUIRED; default: fatal("unexpected authenticateAuthenticate reply\n"); - return 0; + return ACCESS_DENIED; } } === modified file 'src/auth/Acl.h' --- src/auth/Acl.h 2011-02-07 10:27:53 +0000 +++ src/auth/Acl.h 2011-08-14 12:18:57 +0000 
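Review bot: The intercepted / spoof_client_ip branch used to return -1 and now returns ACCESS_DENIED, which changes what callers see. Both callers changed later in this commit (ACLMaxUserIP::match and ACLProxyAuth::match) convert ACCESS_DENIED into 0, a plain non-match, where they previously passed the -1 through unchanged. A configuration that negates an authentication ACL would presumably evaluate a non-match differently from the old -1 result, so please confirm the change is intended for intercepted traffic; the commit message does not mention it. At minimum the return deserves a comment such as `// cannot challenge intercepted traffic: callers now see a non-match (0), formerly -1`. The function body extends beyond the hunk on both sides.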
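Review bot: In the AUTH_ACL_HELPER and AUTH_ACL_CHALLENGE cases the debug line streams ACCESS_DENIED while the function returns ACCESS_DUNNO and ACCESS_AUTH_REQUIRED, so a level-4 trace of an authentication exchange reports a state that was never returned. The logged value should be the returned one: `debugs(28, 4, HERE << "returning " << ACCESS_DUNNO << " sending credentials to helper.");` and `debugs(28, 4, HERE << "returning " << ACCESS_AUTH_REQUIRED << " sending authentication challenge.");`. The switch opens inside the hunk, but AuthenticateAcl() itself begins before it.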
@@ -3,13 +3,15 @@ #if USE_AUTH +#include "acl/Acl.h" + // ACL-related code used by authentication-related code. This code is not in // auth/Gadgets to avoid making auth/libauth dependent on acl/libstate because // acl/libstate already depends on auth/libauth. class ACLChecklist; /// \ingroup AuthAPI -extern int AuthenticateAcl(ACLChecklist *ch); +extern allow_t AuthenticateAcl(ACLChecklist *ch); #endif /* USE_AUTH */ #endif /* SQUID_AUTH_ACL_H */ === modified file 'src/auth/AclMaxUserIp.cc' --- src/auth/AclMaxUserIp.cc 2010-04-17 10:38:50 +0000 +++ src/auth/AclMaxUserIp.cc 2011-08-14 12:18:57 +0000 @@ -150,16 +150,29 @@ ACLMaxUserIP::match(ACLChecklist *cl) { ACLFilledChecklist *checklist = Filled(cl); + allow_t answer = AuthenticateAcl(checklist); + checklist->currentAnswer(answer); int ti; - if ((ti = AuthenticateAcl(checklist)) != 1) + // convert to tri-state ACL match 1,0,-1 + switch(answer) + { + case ACCESS_ALLOWED: + case ACCESS_AUTH_EXPIRED_OK: + // check for a match + ti = match(checklist->auth_user_request, checklist->src_addr); + checklist->auth_user_request = NULL; return ti; - ti = match(checklist->auth_user_request, checklist->src_addr); - - checklist->auth_user_request = NULL; - - return ti; + case ACCESS_DENIED: + case ACCESS_AUTH_EXPIRED_BAD: + return 0; // non-match + + case ACCESS_DUNNO: + case ACCESS_AUTH_REQUIRED: + default: + return -1; // other + } } wordlist * === modified file 'src/auth/AclProxyAuth.cc' --- src/auth/AclProxyAuth.cc 2011-08-13 15:53:38 +0000 +++ src/auth/AclProxyAuth.cc 2011-08-14 12:18:57 +0000 
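Review bot: The allow_t-to-tri-state switch added to ACLMaxUserIP::match is repeated case for case in ACLProxyAuth::match (src/auth/AclProxyAuth.cc, last hunk), so the two authentication ACLs can drift apart the next time a state is added. That could happen, for example, once the XXX in AuthenticateAcl() is resolved and the EXPIRED states start being returned. I would move the mapping into one helper next to AuthenticateAcl() and let both match() methods test its result and return early when it is not 1, as the removed code did. The helper name below is only a suggestion, and its default label stays on the -1 side exactly as in the hunk.

```cpp
// proposed helper, declared in src/auth/Acl.h and defined in src/auth/Acl.cc
/// Collapses an AuthenticateAcl() answer into the tri-state ACL match value:
/// 1 = authenticated (caller runs its own match), 0 = non-match, -1 = other.
int
AuthenticateAclMatchState(const allow_t answer)
{
    switch (answer) {
    case ACCESS_ALLOWED:
    case ACCESS_AUTH_EXPIRED_OK:
        return 1;

    case ACCESS_DENIED:
    case ACCESS_AUTH_EXPIRED_BAD:
        return 0;

    case ACCESS_DUNNO:
    case ACCESS_AUTH_REQUIRED:
    default:
        return -1;
    }
}

// in ACLMaxUserIP::match, after checklist->currentAnswer(answer):
const int state = AuthenticateAclMatchState(answer);
if (state != 1)
    return state;
// … unchanged: match(checklist->auth_user_request, checklist->src_addr), reset of auth_user_request, return ti …
```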
@@ -79,14 +79,26 @@
 int
 ACLProxyAuth::match(ACLChecklist *checklist)
 {
- int ti;
-
- if ((ti = AuthenticateAcl(checklist)) != 1)
- return ti;
-
- ti = matchProxyAuth(checklist);
-
- return ti;
+ allow_t answer = AuthenticateAcl(checklist);
+ checklist->currentAnswer(answer);
+
+ // convert to tri-state ACL match 1,0,-1
+ switch(answer)
+ {
+ case ACCESS_ALLOWED:
+ case ACCESS_AUTH_EXPIRED_OK:
+ // check for a match
+ return matchProxyAuth(checklist);
+
+ case ACCESS_DENIED:
+ case ACCESS_AUTH_EXPIRED_BAD:
+ return 0; // non-match
+
+ case ACCESS_DUNNO:
+ case ACCESS_AUTH_REQUIRED:
+ default:
+ return -1; // other
+ }
 }
 
 wordlist *
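Review bot: `checklist->currentAnswer(answer)` runs before the switch, so on the ACCESS_ALLOWED path the checklist already carries ACCESS_ALLOWED even when matchProxyAuth() then reports a non-match. ACLMaxUserIP::match has the same ordering. Whether a later step always overwrites that value cannot be seen from this hunk, so please confirm it. Otherwise, record the answer only for the states that must reach the checklist's caller, for instance inside the `ACCESS_DUNNO` / `ACCESS_AUTH_REQUIRED` branch just before `return -1;`. A one-line comment saying which code consumes the stored answer would also help the next reader.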