------------------------------------------------------------ revno: 12128 revision-id: squid3@treenet.co.nz-20120508012110-qk77qou71es8ykzi parent: squid3@treenet.co.nz-20120508011351-c0gt21oq3ofnynky committer: Amos Jeffries branch nick: trunk timestamp: Mon 2012-05-07 19:21:10 -0600 message: Drop ACCESS_AUTH_EXPIRED_* extended auth states Alternative approaches being discussed by squid-dev still, but agreed that this was the wrong approach to implementation rollout. ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20120508012110-qk77qou71es8ykzi # target_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # testament_sha1: eb9c350916f9e00f8ef957254d1baa460ae35e70 # timestamp: 2012-05-08 01:56:27 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/trunk/ # base_revision_id: squid3@treenet.co.nz-20120508011351-\ # c0gt21oq3ofnynky # # Begin patch === modified file 'src/acl/Acl.h' --- src/acl/Acl.h 2011-12-31 01:26:10 +0000 +++ src/acl/Acl.h 2012-05-08 01:21:10 +0000 @@ -116,8 +116,6 @@ // Authentication ACL result states ACCESS_AUTH_REQUIRED, // Missing Credentials - ACCESS_AUTH_EXPIRED_OK, // Expired now. Were Okay. - ACCESS_AUTH_EXPIRED_BAD // Expired now. Were Failed. } allow_t; inline std::ostream & @@ -136,12 +134,6 @@ case ACCESS_AUTH_REQUIRED: o << "AUTH_REQUIRED"; break; - case ACCESS_AUTH_EXPIRED_OK: - o << "AUTH_EXPIRED_OK"; - break; - case ACCESS_AUTH_EXPIRED_BAD: - o << "AUTH_EXPIRED_BAD"; - break; } return o; } === modified file 'src/auth/AclMaxUserIp.cc' --- src/auth/AclMaxUserIp.cc 2012-01-20 18:55:04 +0000 +++ src/auth/AclMaxUserIp.cc 2012-05-08 01:21:10 +0000 
@@ -157,14 +157,12 @@ // convert to tri-state ACL match 1,0,-1 switch (answer) { case ACCESS_ALLOWED: - case ACCESS_AUTH_EXPIRED_OK: // check for a match ti = match(checklist->auth_user_request, checklist->src_addr); checklist->auth_user_request = NULL; return ti; case ACCESS_DENIED: - case ACCESS_AUTH_EXPIRED_BAD: return 0; // non-match case ACCESS_DUNNO: === modified file 'src/auth/AclProxyAuth.cc' --- src/auth/AclProxyAuth.cc 2012-01-20 18:55:04 +0000 +++ src/auth/AclProxyAuth.cc 2012-05-08 01:21:10 +0000 @@ -85,12 +85,10 @@ // convert to tri-state ACL match 1,0,-1 switch (answer) { case ACCESS_ALLOWED: - case ACCESS_AUTH_EXPIRED_OK: // check for a match return matchProxyAuth(checklist); case ACCESS_DENIED: - case ACCESS_AUTH_EXPIRED_BAD: return 0; // non-match case ACCESS_DUNNO: === modified file 'src/client_side_request.cc' --- src/client_side_request.cc 2012-05-08 01:13:51 +0000 +++ src/client_side_request.cc 2012-05-08 01:21:10 +0000 @@ -760,12 +760,12 @@ proxy_auth_msg = http->request->auth_user_request->denyMessage(""); #endif - if (answer != ACCESS_ALLOWED && answer != ACCESS_AUTH_EXPIRED_OK) { + if (answer != ACCESS_ALLOWED) { // auth has a grace period where credentials can be expired but okay not to challenge. /* Send an auth challenge or error */ // XXX: do we still need aclIsProxyAuth() ? - bool auth_challenge = (answer == ACCESS_AUTH_REQUIRED || answer == ACCESS_AUTH_EXPIRED_BAD || aclIsProxyAuth(AclMatchedName)); + bool auth_challenge = (answer == ACCESS_AUTH_REQUIRED || aclIsProxyAuth(AclMatchedName)); debugs(85, 5, "Access Denied: " << http->uri); debugs(85, 5, "AclMatchedName = " << (AclMatchedName ? AclMatchedName : "")); #if USE_AUTH 
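Review bot: The comment kept next to the new `if (answer != ACCESS_ALLOWED) {` in src/client_side_request.cc is now stale. It still reads "auth has a grace period where credentials can be expired but okay not to challenge", which described ACCESS_AUTH_EXPIRED_OK, the state this commit drops. On the new side every answer other than ACCESS_ALLOWED takes the deny path, so the comment should say so, for example `// anything other than ACCESS_ALLOWED is denied; challenge only when credentials are required`. Separately, `auth_challenge` passes AclMatchedName to `aclIsProxyAuth()` unguarded, while the debugs() line below it checks the same pointer with `AclMatchedName ? AclMatchedName : ""`; whether aclIsProxyAuth() tolerates a NULL name is not visible here and is worth confirming. The enclosing function starts and ends outside the hunk.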
@@ -830,7 +830,7 @@ return; } - /* ACCESS_ALLOWED (or auth in grace period ACCESS_AUTH_EXPIRED_OK) continues here ... */ + /* ACCESS_ALLOWED continues here ... */ safe_free(http->uri); http->uri = xstrdup(urlCanonical(http->request)); === modified file 'src/external_acl.cc' --- src/external_acl.cc 2012-01-20 18:55:04 +0000 +++ src/external_acl.cc 2012-05-08 01:21:10 +0000 @@ -866,11 +866,9 @@ // convert to tri-state ACL match 1,0,-1 switch (answer) { case ACCESS_ALLOWED: - case ACCESS_AUTH_EXPIRED_OK: return 1; // match case ACCESS_DENIED: - case ACCESS_AUTH_EXPIRED_BAD: return 0; // non-match case ACCESS_DUNNO: === modified file 'src/peer_select.cc' --- src/peer_select.cc 2012-02-03 23:45:11 +0000 +++ src/peer_select.cc 2012-05-08 01:21:10 +0000 @@ -188,8 +188,6 @@ case ACCESS_DUNNO: // not relevant. break; case ACCESS_AUTH_REQUIRED: - case ACCESS_AUTH_EXPIRED_OK: - case ACCESS_AUTH_EXPIRED_BAD: debugs(44, DBG_IMPORTANT, "WARNING: never_direct resulted in " << answer << ". Username ACLs are not reliable here."); break; } @@ -213,8 +211,6 @@ case ACCESS_DUNNO: // not relevant. break; case ACCESS_AUTH_REQUIRED: - case ACCESS_AUTH_EXPIRED_OK: - case ACCESS_AUTH_EXPIRED_BAD: debugs(44, DBG_IMPORTANT, "WARNING: always_direct resulted in " << answer << ". Username ACLs are not reliable here."); break; }