--------------------- PatchSet 1132 Date: 2001/01/06 22:51:16 Author: rbcollins Branch: auth_rewrite Tag: (none) Log: general tidyup Members: src/access_log.c:1.1.1.3.12.7.2.3->1.1.1.3.12.7.2.4 src/acl.c:1.1.1.3.12.26.2.18->1.1.1.3.12.26.2.19 src/client_side.c:1.1.1.3.4.1.2.30.2.14->1.1.1.3.4.1.2.30.2.15 Index: squid/src/access_log.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/access_log.c,v retrieving revision 1.1.1.3.12.7.2.3 retrieving revision 1.1.1.3.12.7.2.4 diff -u -r1.1.1.3.12.7.2.3 -r1.1.1.3.12.7.2.4 --- squid/src/access_log.c 4 Jan 2001 10:45:29 -0000 1.1.1.3.12.7.2.3 +++ squid/src/access_log.c 6 Jan 2001 22:51:16 -0000 1.1.1.3.12.7.2.4 @@ -1,6 +1,6 @@ /* - * $Id: access_log.c,v 1.1.1.3.12.7.2.3 2001/01/04 10:45:29 rbcollins Exp $ + * $Id: access_log.c,v 1.1.1.3.12.7.2.4 2001/01/06 22:51:16 rbcollins Exp $ * * DEBUG: section 46 Access Log * AUTHOR: Duane Wessels @@ -257,8 +257,7 @@ hier_strings[al->hier.code], al->hier.host, al->http.content_type); - if (user) - safe_free(user); + safe_free(user); } static void @@ -282,8 +281,7 @@ al->cache.size, log_tags[al->cache.code], hier_strings[al->hier.code]); - if(user) - safe_free(user); + safe_free(user); } void Index: squid/src/acl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/acl.c,v retrieving revision 1.1.1.3.12.26.2.18 retrieving revision 1.1.1.3.12.26.2.19 diff -u -r1.1.1.3.12.26.2.18 -r1.1.1.3.12.26.2.19 --- squid/src/acl.c 5 Jan 2001 22:45:27 -0000 1.1.1.3.12.26.2.18 +++ squid/src/acl.c 6 Jan 2001 22:51:16 -0000 1.1.1.3.12.26.2.19 @@ -1,6 +1,6 @@ /* - * $Id: acl.c,v 1.1.1.3.12.26.2.18 2001/01/05 22:45:27 rbcollins Exp $ + * $Id: acl.c,v 1.1.1.3.12.26.2.19 2001/01/06 22:51:16 rbcollins Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels 
@@ -36,12 +36,11 @@ #include "squid.h" #include "splay.h" - - static int aclFromFile = 0; static FILE *aclFile; static void aclParseDomainList(void *curlist); #if 0 +/* potential future work */ static void aclParseProxyAuthList(void *curlist); #endif static void aclParseIpList(void *curlist); @@ -55,13 +54,8 @@ static void aclDestroyAclList(acl_list * list); static void aclDestroyTimeList(acl_time_data * data); static void aclDestroyIntRange(intrange *); - static void aclLookupProxyAuthStart(aclCheck_t * checklist); static void aclLookupProxyAuthDone(void *data, char *result); -#if OBSOLETE -static void aclLookupProxyStatefulAuthStart(aclCheck_t * checklist); -static void aclLookupProxyNTLMAuthDone(void *data, char *result); -#endif static struct _acl *aclFindByName(const char *name); static int aclMatchAcl(struct _acl *, aclCheck_t *); static int aclMatchIntegerRange(intrange * data, int i); @@ -84,7 +78,6 @@ static IPH aclLookupDstIPforASNDone; static FQDNH aclLookupSrcFQDNDone; static FQDNH aclLookupDstFQDNDone; - static wordlist *aclDumpIpList(void *); static wordlist *aclDumpDomainList(void *data); static wordlist *aclDumpTimeSpecList(acl_time_data *); @@ -108,7 +101,6 @@ static SPLAYCMP aclArpCompare; static SPLAYWALKEE aclDumpArpListWalkee; #endif - static int aclCacheMatchAcl(dlink_list * cache, squid_acl acltype, void *data, char *MatchParam); @@ -479,8 +471,7 @@ if (!decode_addr(addr1, &q->addr1, &q->mask)) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0)("aclParseIpData: Ignoring invalid IP acl entry: unknown first address '%s'\n", - addr1); + debug(28, 0) ("aclParseIpData: Ignoring invalid IP acl entry: unknown first address '%s'\n", addr1); safe_free(q); return NULL; } 
@@ -488,8 +479,7 @@ if (*addr2 && !decode_addr(addr2, &q->addr2, &q->mask)) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseIpData: Ignoring invalid IP acl entry: unknown second address '%s'\n", - addr2); + debug(28, 0) ("aclParseIpData: Ignoring invalid IP acl entry: unknown second address '%s'\n", addr2); safe_free(q); return NULL; } @@ -497,8 +487,7 @@ if (*mask && !decode_addr(mask, &q->mask, NULL)) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseIpData: Ignoring invalid IP acl entry: unknown netmask '%s'\n", - mask); + debug(28, 0) ("aclParseIpData: Ignoring invalid IP acl entry: unknown netmask '%s'\n", mask); safe_free(q); return NULL; } @@ -571,7 +560,8 @@ default: debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, 0) ("aclParseTimeSpec: Bad Day '%c'\n", *t); + debug(28, 0) ("aclParseTimeSpec: Bad Day '%c'\n", + *t); break; } } @@ -589,8 +579,7 @@ if (q->start > q->stop) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, - 0) ("aclParseTimeSpec: IGNORING Reversed time range\n"); + debug(28, 0) ("aclParseTimeSpec: IGNORING Reversed time range\n"); memFree(q, MEM_ACL_TIME_DATA); return; } @@ -628,8 +617,7 @@ regerror(errcode, &comp, errbuf, sizeof errbuf); debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, - 0) ("aclParseRegexList: Invalid regular expression '%s': %s\n", + debug(28, 0) ("aclParseRegexList: Invalid regular expression '%s': %s\n", t, errbuf); continue; } 
@@ -652,7 +640,9 @@ #if 0 /* each proxy auth acl can be for a specific front-side protocol. */ /* this is fundamentally broken: we would be requiring one user to authenticate - * twice - once for each protocol */ + * twice - once for each protocol - RBC */ +/* However we may want to allow a acl of authentication schemes to filter users against + * ie acl ntlm auth_scheme NTLM - RBC */ static void aclParseProxyAuthList(void *curlist) { @@ -737,8 +727,7 @@ new_acl = 1; } else { if (acltype != A->type) { - debug(28, 0) ("aclParseAclLine: ACL '%s' already exists with different type, skipping.\n", - A->name); + debug(28, 0) ("aclParseAclLine: ACL '%s' already exists with different type, skipping.\n", A->name); return; } debug(28, 3) ("aclParseAclLine: Appending to '%s'\n", aclname); @@ -794,16 +783,12 @@ aclParseMethodList(&A->data); break; case ACL_PROXY_AUTH: -#if 0 - if ((Config.Program.authenticate==NULL) && - (Config.Program.ntlmauthenticate==NULL)){ -#endif if (authenticateSchemeCount()==0) { debug(28,0) ("aclParseAclLine: IGNORING: Proxy Auth ACL '%s' \ because no authentication schemes were compiled.\n",A->cfgline); } else if (authenticateActiveSchemeCount()==0) { debug(28,0) ("aclParseAclLine: IGNORING: Proxy Auth ACL '%s' \ -because no authentication helper(s) are defined.\n",A->cfgline); +because no authentication schemes are fully configured.\n",A->cfgline); } else { #if 0 aclParseProxyAuthList(&A->data); @@ -813,7 +798,15 @@ } break; case ACL_PROXY_AUTH_REGEX: - aclParseRegexList(&A->data); + if (authenticateSchemeCount()==0) { + debug(28,0) ("aclParseAclLine: IGNORING: Proxy Auth ACL '%s' \ +because no authentication schemes were compiled.\n",A->cfgline); + } else if (authenticateActiveSchemeCount()==0) { + debug(28,0) ("aclParseAclLine: IGNORING: Proxy Auth ACL '%s' \ +because no authentication schemes are fully configured.\n",A->cfgline); + } else { + aclParseRegexList(&A->data); + } break; #if SQUID_SNMP case ACL_SNMP_COMMUNITY: 
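Review bot: The new ACL_PROXY_AUTH_REGEX arm repeats the two scheme checks and both log messages of the ACL_PROXY_AUTH arm verbatim, so the next change to one gate (a third condition, a reworded message) will drift from the other; a single static helper called from both arms keeps the gate identical for every proxy_auth* type. The message also reads "Proxy Auth ACL" for both types, so a dropped proxy_auth_regex line is indistinguishable from a dropped proxy_auth line in cache.log apart from the `A->cfgline` text. An ignored acl is left with no data, and any later access line that names it will presumably fail to resolve the name and be dropped in turn, which quietly changes the effective policy — worth confirming and saying so in the IGNORING message. The switch and aclParseAclLine continue outside the hunk.
```c
/* Gate shared by the ACL_PROXY_AUTH and ACL_PROXY_AUTH_REGEX arms: a
 * proxy_auth* acl is only usable when at least one authentication scheme
 * is compiled in and fully configured.  Logs why and returns 0 otherwise. */
static int
aclProxyAuthSchemesUsable(const struct _acl *A)
{
    if (authenticateSchemeCount() == 0) {
	debug(28, 0) ("aclParseAclLine: IGNORING: Proxy Auth ACL '%s' because no authentication schemes were compiled.\n", A->cfgline);
	return 0;
    }
    if (authenticateActiveSchemeCount() == 0) {
	debug(28, 0) ("aclParseAclLine: IGNORING: Proxy Auth ACL '%s' because no authentication schemes are fully configured.\n", A->cfgline);
	return 0;
    }
    return 1;
}

/* … unchanged: aclParseAclLine up to the switch; the ACL_PROXY_AUTH arm calls the same helper … */
    case ACL_PROXY_AUTH_REGEX:
	if (aclProxyAuthSchemesUsable(A))
	    aclParseRegexList(&A->data);
	break;
```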
@@ -909,8 +902,7 @@ if ((t = strtok(NULL, w_space)) == NULL) { debug(28, 0) ("%s line %d: %s\n", cfg_filename, config_lineno, config_input_line); - debug(28, - 0) ("aclParseDenyInfoLine: missing 'error page' parameter.\n"); + debug(28, 0) ("aclParseDenyInfoLine: missing 'error page' parameter.\n"); return; } A = memAllocate(MEM_ACL_DENY_INFO_LIST); @@ -1073,7 +1065,7 @@ while (data) { debug(28, 3) ("aclMatchUser: looking for '%s'\n", data->key); if (strcmp(data->key, "REQUIRED") == 0 && *user != '\0' - && strcmp(user, dash_str) != 0) + && strcmp(user, dash_str) != 0) return 1; if (strcmp(data->key, user) == 0) return 1; @@ -1092,8 +1084,11 @@ * The Match Param and the cache MUST be tied together by the calling routine. * You have been warned :-] * Also only Matchxxx that are of the form (void *, void *) can be used. - * probably some ugly overloading _could_ be done but I'll leave that to the - * brave. + * probably some ugly overloading _could_ be done but I'll leave that as an + * exercise for the reader. Note that caching of time based acl's is not + * wise due to no expiry occuring to the cache entries until the user expires + * or a reconfigure takes place. + * RBC */ static int aclCacheMatchAcl(dlink_list * cache, squid_acl acltype, void *data, @@ -1106,7 +1101,7 @@ while (link) { auth_match = link->data; if (auth_match->acl_data == data) { - debug(28, 3) ("aclCacheMatchAcl: cache hit on acl '%d'\n", + debug(28, 4) ("aclCacheMatchAcl: cache hit on acl '%d'\n", data); return auth_match->matchrv; } @@ -1121,6 +1116,8 @@ case ACL_PROXY_AUTH_REGEX: matchrv = aclMatchRegex(data, MatchParam); default: + /* This is a fatal to ensure that aclCacheMatchAcl calls are _only_ + * made for supported acl types */ fatal("aclCacheMatchAcl: unknown or unexpected ACL type"); return 0; /* NOTREACHED */ } 
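Review bot: The debug call whose level moves from 3 to 4 passes `data` — declared `void *data` in aclCacheMatchAcl's parameter list at the end of the preceding hunk — through a `'%d'` conversion; that is undefined behaviour and on LP64 hosts prints a truncated pointer, so the "cache hit on acl" line misidentifies the acl it reports. Change the line to `debug(28, 4) ("aclCacheMatchAcl: cache hit on acl '%p'\n",` with the following `data);` unchanged. The defect predates this patchset, but the patchset rewrites the line. The enclosing loop and the rest of aclCacheMatchAcl lie outside the hunk.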
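Review bot: The context lines show `case ACL_PROXY_AUTH_REGEX:` assigning `matchrv = aclMatchRegex(data, MatchParam);` and then running directly into `default:`, where the `fatal()` this hunk annotates aborts the process; with no `break;` between them, every cache miss on a proxy_auth_regex acl — the type aclParseAclLine now accepts whenever a scheme is configured — terminates Squid, presumably on the first request from any client that reaches such a rule. Add `break;` after the aclMatchRegex assignment, which is what the new comment's own wording ("calls are _only_ made for supported acl types") intends. If the fall-through were deliberate it would need a `/* fallthrough */` marker, but nothing here suggests it is. The earlier cases of the switch and the rest of aclCacheMatchAcl are outside the hunk.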
@@ -1145,7 +1142,7 @@ } } -/* aclMatchProxyAuth can return three exit codes: +/* aclMatchProxyAuth can return four exit codes: * 0 : Authenticated OK, Authorisation for this ACL failed. * 1 : Authenticated OK, Authorisation failed. * -1 : send data to an external authenticator @@ -1157,15 +1154,13 @@ { /* checklist is used to register user name when identified, nothing else */ const char * proxy_auth; - assert(auth_user_request == checklist->auth_user_request); /* consistent parameters ? */ + /* consistent parameters ? */ + assert(auth_user_request == checklist->auth_user_request); /* General program flow in proxy_auth acls * 1. Consistency checks: are we getting sensible data - * 2. What sort of authentication is it? - * 3. For each authentication sort, - * goto an external helper if needed, store the authenticate header in - * a cache, handle ip timeouts and the like - * 4. look up the username in squid_acl (and cache the result against the + * 2. Call the authenticate* functions to establish a authenticated user + * 4. look up the username in acltype (and cache the result against the * username */ @@ -1217,10 +1212,7 @@ } return -2; } -#if 0 - /* lock the new user request for this ACL processing */ - authenticateAuthUserRequestLock(auth_user_request); -#endif + /* the user_request comes prelocked for the caller to GetAuthUser (us) */ } else if (checklist->request->auth_user_request) { auth_user_request=checklist->request->auth_user_request; /* lock the user request for this ACL processing */ Index: squid/src/client_side.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/client_side.c,v retrieving revision 1.1.1.3.4.1.2.30.2.14 retrieving revision 1.1.1.3.4.1.2.30.2.15 diff -u -r1.1.1.3.4.1.2.30.2.14 -r1.1.1.3.4.1.2.30.2.15 --- squid/src/client_side.c 6 Jan 2001 13:31:53 -0000 1.1.1.3.4.1.2.30.2.14 +++ squid/src/client_side.c 6 Jan 2001 22:51:16 -0000 1.1.1.3.4.1.2.30.2.15 
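Review bot: The header comment retitled to "four exit codes" still describes code 1 as `Authenticated OK, Authorisation failed.`, which is the same outcome it gives code 0; since 0 is already the this-ACL-failed case, 1 presumably means the user matched this acl and the line should read `1 : Authenticated OK, Authorisation for this ACL succeeded.` — confirm against the function's return statements before changing it. The fourth code, -2, is visibly returned in a later hunk, but its description lies outside this one. aclMatchProxyAuth itself begins after the hunk ends.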
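Review bot: The rewritten flow comment numbers its steps 1, 2, 4, so a reader looks for a missing step 3; renumber the last item `* 3. look up the username in acltype (and cache the result against the` with the `username` continuation unchanged, or restore the step that was dropped. Moving `/* consistent parameters ? */` onto its own line above the assert is fine, but it asks a question rather than stating the precondition; `/* caller must pass the request's own auth_user_request */` would document it. The rest of aclMatchProxyAuth is outside the hunk.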
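Review bot: The comment `/* the user_request comes prelocked for the caller to GetAuthUser (us) */` replaces the disabled explicit lock but states the reference-count invariant only obliquely, while the `else if` branch directly below takes its own lock; two branches that acquire the same reference differently are where leaked or double-released auth_user_request locks come from. Reword it to state the rule, e.g. `/* GetAuthUser hands back auth_user_request already locked on our behalf; do not lock it again here. Either branch leaves exactly one lock held, to be released on every exit path. */`. Where that release happens is not visible in this hunk, so it is worth checking that the `return -2` path above and the normal path each unlock exactly once. aclMatchProxyAuth continues on both sides of the hunk.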
@@ -1,6 +1,6 @@ /* - * $Id: client_side.c,v 1.1.1.3.4.1.2.30.2.14 2001/01/06 13:31:53 rbcollins Exp $ + * $Id: client_side.c,v 1.1.1.3.4.1.2.30.2.15 2001/01/06 22:51:16 rbcollins Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels @@ -769,6 +769,7 @@ { http->al.cache.authuser = xstrdup(authenticateUserRequestUsername(request->auth_user_request)); authenticateAuthUserRequestUnlock(request->auth_user_request); + request->auth_user_request= NULL; } #if 0 if (request->authuser[0])
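Review bot: Clearing `request->auth_user_request= NULL;` right after the unlock is the right defensive move, but the line above copies the user name with `xstrdup(authenticateUserRequestUsername(request->auth_user_request))` and no NULL check; if that accessor can return NULL for a request that never completed authentication, Squid's xstrdup presumably treats a NULL argument as fatal, so guard it: `const char *u = authenticateUserRequestUsername(request->auth_user_request);` followed by `http->al.cache.authuser = u ? xstrdup(u) : NULL;`. Minor style: the new line lacks the space before `=` used on the neighbouring lines (`request->auth_user_request = NULL;`). The enclosing `if` and the function start and end outside the hunk.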