--------------------- PatchSet 1906 Date: 2001/04/13 23:17:14 Author: hno Branch: authinfo Tag: (none) Log: Ported authinfo to the current HEAD version Members: ChangeLog:1.10->1.10.16.1 errors/Bulgarian/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Bulgarian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Czech/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Czech/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Danish/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Danish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Dutch/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Dutch/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/English/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/English/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Estonian/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Estonian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Finnish/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Finnish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/French/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/French/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/German/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/German/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Hungarian/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Hungarian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Italian/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Italian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Japanese/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Japanese/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Korean/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Korean/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Polish/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Polish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Portuguese/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Portuguese/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Portuguese/README:1.1.1.1->1.1.1.1.110.1 errors/Romanian/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Romanian/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Russian-1251/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 
errors/Russian-1251/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Russian-koi8-r/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Russian-koi8-r/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Simplify_Chinese/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Simplify_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Slovak/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Slovak/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Spanish/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Spanish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Swedish/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Swedish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Traditional_Chinese/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Traditional_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 errors/Turkish/ERR_REQ_PWD_CHANGE:1.1->1.1.58.1 errors/Turkish/ERR_UNAUTHORIZED_IP_ADDRESS:1.1->1.1.58.1 src/acl.c:1.29->1.29.8.1 src/client_side.c:1.25->1.25.2.1 src/enums.h:1.18->1.18.2.1 src/structs.h:1.29->1.29.8.1 src/typedefs.h:1.17->1.17.18.1 src/auth/basic/auth_basic.c:1.11->1.11.16.1 src/auth/basic/helpers/NCSA_PLUS/Makefile.in:1.1->1.1.2.1 src/auth/basic/helpers/NCSA_PLUS/ncsa_auth_plus.c:1.1->1.1.2.1 src/auth/ntlm/auth_ntlm.c:1.9->1.9.18.1 Index: squid/ChangeLog =================================================================== RCS file: /cvsroot/squid-sf//squid/ChangeLog,v retrieving revision 1.10 retrieving revision 1.10.16.1 diff -u -r1.10 -r1.10.16.1 --- squid/ChangeLog 10 Mar 2001 00:58:29 -0000 1.10 +++ squid/ChangeLog 13 Apr 2001 23:17:14 -0000 1.10.16.1 @@ -1,3 +1,5 @@ + - Extended authenticator protocol to allow for more detailed responses + and to verify the client IP address. (Pedro Lineu Orso) - Added 'max-conn' option to 'cache_peer' Changes to squid-2.5 --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Bulgarian/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Bulgarian/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Czech/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Czech/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Danish/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Danish/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Dutch/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Dutch/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/English/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/English/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Estonian/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Estonian/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:07 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Finnish/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Finnish/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/French/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/French/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/German/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/German/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Hungarian/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Hungarian/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Italian/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Italian/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Japanese/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Japanese/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Korean/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Korean/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Polish/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Polish/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Portuguese/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Senha expirada.

+
+

+

+Você precisa alterar sua senha. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Portuguese/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Endereço IP não autorizado.

+
+

+

+Você não está autorizado para acesso ao cache através do endereço IP '%i'; +

+

+ Index: squid/errors/Portuguese/README =================================================================== RCS file: /cvsroot/squid-sf//squid/errors/Portuguese/README,v retrieving revision 1.1.1.1 retrieving revision 1.1.1.1.110.1 diff -u -r1.1.1.1 -r1.1.1.1.110.1 --- squid/errors/Portuguese/README 26 Jan 2000 03:21:47 -0000 1.1.1.1 +++ squid/errors/Portuguese/README 13 Apr 2001 23:17:15 -0000 1.1.1.1.110.1 @@ -1,2 +1,2 @@ -Thank you to Pedro Lineu Orso for +Thank you to Pedro Lineu Orso for creating these error pages in Portugese! --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Romanian/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Romanian/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Russian-1251/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Russian-1251/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Russian-koi8-r/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Russian-koi8-r/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Simplify_Chinese/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Simplify_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Slovak/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Slovak/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Spanish/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Spanish/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Swedish/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Swedish/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:08 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Traditional_Chinese/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:09 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Traditional_Chinese/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:09 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Turkish/ERR_REQ_PWD_CHANGE Wed Feb 14 00:52:09 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Expired User Password.

+
+

+

+You need to change your password. +

+

+ --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/errors/Turkish/ERR_UNAUTHORIZED_IP_ADDRESS Wed Feb 14 00:52:09 2007 @@ -0,0 +1,10 @@ + +

ERROR

+

Unauthorized IP Address.

+
+

+

+You are not authorized to access the cache using IP Address '%i'. +

+

+ Index: squid/src/acl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/acl.c,v retrieving revision 1.29 retrieving revision 1.29.8.1 diff -u -r1.29 -r1.29.8.1 --- squid/src/acl.c 6 Apr 2001 06:49:27 -0000 1.29 +++ squid/src/acl.c 13 Apr 2001 23:17:16 -0000 1.29.8.1 @@ -1,6 +1,6 @@ /* - * $Id: acl.c,v 1.29 2001/04/06 06:49:27 squidadm Exp $ + * $Id: acl.c,v 1.29.8.1 2001/04/13 23:17:16 hno Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -1173,12 +1173,15 @@ } } -/* aclMatchProxyAuth can return four exit codes: - * 0 : Authenticated OK, Authorisation for this ACL failed. - * 1 : Authenticated OK, Authorisation OK. - * -1 : send data to an external authenticator - * -2 : send data to the client - */ +/* aclMatchProxyAuth can return any of these exit codes */ +enum { + PROXYAUTH_NOTMATCH = 0, /* Authenticated OK, not in ACL */ + PROXYAUTH_MATCHED = 1, /* Authenticated OK, matched ACL */ + PROXYAUTH_VALIDATE = -1, /* Ask external authenticator */ + PROXYAUTH_FAIL = -2, /* Authentication failure, bad password */ + PROXYAUTH_EXPIRED = -3, /* Authentication failure, expired */ + PROXYAUTH_BADIP = -4, /* Authentication failure, diallowed IP */ +}; static int aclMatchProxyAuth(void *data, http_hdr_type headertype, auth_user_request_t * auth_user_request, aclCheck_t * checklist, @@ -1205,7 +1208,7 @@ * deny access: clientreadrequest requires conn data, and it is always * compiled in so we should have it too. */ - return 0; + return PROXYAUTH_NOTMATCH; } /* * a note on proxy_auth logix here: @@ -1225,7 +1228,7 @@ /* unlock the ACL lock */ authenticateAuthUserRequestUnlock(auth_user_request); } - return -2; + return PROXYAUTH_FAIL; } /* we have a proxy auth header and as far as we know this connection has * not had bungled connection oriented authentication happen on it. */ 
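Review bot: The comment on the last enumerator in the @@ -1173 hunk has a typo ("diallowed"); it should read `PROXYAUTH_BADIP = -4, /* Authentication failure, disallowed IP */`. The enum is anonymous and aclMatchProxyAuth is still declared `static int`, so a compiler cannot point out a caller whose switch misses one of the new codes; giving the enum a name and using it as the return type would make that check possible. The function body begins in this hunk and continues past it.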
@@ -1248,7 +1251,7 @@ /* unlock the ACL reference. */ authenticateAuthUserRequestUnlock(auth_user_request); } - return -2; + return PROXYAUTH_FAIL; } /* the user_request comes prelocked for the caller to GetAuthUser (us) */ } else if (checklist->request->auth_user_request) { @@ -1265,7 +1268,7 @@ debug(28, 4) ("aclMatchProxyAuth: Auth user request %d conn-auth user request %d conn type %d authentication failed.\n", auth_user_request, checklist->conn->auth_user_request, checklist->conn->auth_type); - return -2; + return PROXYAUTH_FAIL; } } } @@ -1278,20 +1281,28 @@ authenticateAuthenticateUser(auth_user_request, checklist->request, checklist->conn, headertype); switch (authenticateDirection(auth_user_request)) { - case 1: + case AUTHDIR_CHALLENGE: /* this ACL check is finished. Unlock. */ authenticateAuthUserRequestUnlock(auth_user_request); - return -2; - case -1: + return PROXYAUTH_FAIL; + case AUTHDIR_REVALIDATE: /* we are partway through authentication within squid * store the auth_user for the callback to here */ checklist->auth_user_request = auth_user_request; /* we will be called back here. Do not Unlock */ - return -1; - case -2: + return PROXYAUTH_VALIDATE; + case AUTHDIR_FAILED: + /* this ACL check is finished. Unlock. */ + authenticateAuthUserRequestUnlock(auth_user_request); + return PROXYAUTH_FAIL; + case AUTHDIR_EXPIRED: + /* this ACL check is finished. Unlock. */ + authenticateAuthUserRequestUnlock(auth_user_request); + return PROXYAUTH_EXPIRED; + case AUTHDIR_BADIP: /* this ACL check is finished. Unlock. */ authenticateAuthUserRequestUnlock(auth_user_request); - return -2; + return PROXYAUTH_BADIP; } /* on 0 the authentication is finished - fallthrough */ /* See of user authentication failed for some reason */ if (!authenticateUserAuthenticated(auth_user_request)) { @@ -1305,7 +1316,7 @@ } /* this ACL check is finished. Unlock. */ authenticateAuthUserRequestUnlock(auth_user_request); - return -2; + return PROXYAUTH_FAIL; } } 
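Review bot: The switch on authenticateDirection() in the @@ -1278 hunk has no `case AUTHDIR_OK:` and no `default:`, so success and any unrecognised result leave the switch the same way and both rely on the authenticateUserAuthenticated() test that follows. Adding `case AUTHDIR_OK: break;` plus a `default:` that unlocks the request and returns `PROXYAUTH_FAIL` would keep this path fail-closed if a scheme ever returns a value outside the enum. The trailing comment `/* on 0 the authentication is finished - fallthrough */` could then name AUTHDIR_OK instead of 0. The enclosing function starts and ends outside this hunk.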
@@ -1327,11 +1338,12 @@ /* check to see if we have matched the user-acl before */ return aclCacheMatchAcl(&auth_user_request->auth_user-> proxy_match_cache, acltype, data, - authenticateUserRequestUsername(auth_user_request)); + authenticateUserRequestUsername(auth_user_request)) ? + PROXYAUTH_MATCHED : PROXYAUTH_NOTMATCH; } /* this acl check completed */ authenticateAuthUserRequestUnlock(auth_user_request); - return 0; + return PROXYAUTH_NOTMATCH; } static void @@ -1619,22 +1631,30 @@ /* Check the credentials */ switch (aclMatchProxyAuth(ae->data, headertype, checklist->auth_user_request, checklist, ae->type)) { - case 0: + case PROXYAUTH_NOTMATCH: debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n"); /* Authenticated but not Authorised for this ACL */ return 0; - case 1: + case PROXYAUTH_MATCHED: debug(28, 4) ("aclMatchAcl: returning 1 user authenticated and authorised.\n"); /* Authenticated and Authorised for this ACL */ return 1; - case -2: + case PROXYAUTH_BADIP: + debug(28, 4) ("aclMatchAcl: returning 0 unauthorized IP address for user\n"); + checklist->state[ACL_PROXY_AUTH] = ACL_UNAUTHORIZED_IP_ADDRESS; + return 0; + case PROXYAUTH_EXPIRED: + debug(28, 4) ("aclMatchAcl: returning 0 user password expired.\n"); + checklist->state[ACL_PROXY_AUTH] = ACL_EXPIRED_PASSWORD; + return 0; + case PROXYAUTH_FAIL: debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n"); /* Authentication credentials invalid or missing. */ /* Or partway through NTLM handshake. A proxy_Authenticate header * gets sent to the client. */ checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; return 0; - case -1: + case PROXYAUTH_VALIDATE: debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n"); /* * we need to validate the password 
@@ -1777,6 +1797,14 @@ aclLookupProxyAuthStart(checklist); checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_PENDING; return; + } else if (checklist->state[ACL_PROXY_AUTH] == ACL_EXPIRED_PASSWORD) { + debug(28, 3) ("aclCheck: user password expired, must be changed\n"); + allow = ACCESS_REQ_PWD_CHANGE; + match = -1; + } else if (checklist->state[ACL_PROXY_AUTH] == ACL_UNAUTHORIZED_IP_ADDRESS) { + debug(28, 3) ("aclCheck: unauthorized IP Address for user\n"); + allow = ACCESS_UNAUTHORIZED_IP_ADDRESS; + match = -1; } else if (checklist->state[ACL_PROXY_AUTH] == ACL_PROXY_AUTH_NEEDED) { /* Client is required to resend the request with correct authentication * credentials. (This may be part of a stateful auth protocol. Index: squid/src/client_side.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/client_side.c,v retrieving revision 1.25 retrieving revision 1.25.2.1 diff -u -r1.25 -r1.25.2.1 --- squid/src/client_side.c 13 Apr 2001 18:12:37 -0000 1.25 +++ squid/src/client_side.c 13 Apr 2001 23:17:16 -0000 1.25.2.1 @@ -1,6 +1,6 @@ /* - * $Id: client_side.c,v 1.25 2001/04/13 18:12:37 squidadm Exp $ + * $Id: client_side.c,v 1.25.2.1 2001/04/13 23:17:16 hno Exp $ * * DEBUG: section 33 Client-side Routines * AUTHOR: Duane Wessels 
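Review bot: The two new branches in the @@ -1777 hunk set `allow` to ACCESS_REQ_PWD_CHANGE or ACCESS_UNAUTHORIZED_IP_ADDRESS, both non-zero allow_t values, and client_side.c is the only consumer of the answer that this patch set touches. Any other access-check callback that tests the answer for truth instead of comparing it with ACCESS_ALLOWED would read an expired password or a disallowed address as permission; those callbacks are not visible here, so they need to be checked. A comment at the assignments such as `/* non-zero but NOT allowed: callers must compare with ACCESS_ALLOWED */` would record the contract. The enclosing function starts and ends outside the hunk.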
@@ -247,7 +247,13 @@ http->log_type = LOG_TCP_DENIED; http->entry = clientCreateStoreEntry(http, http->request->method, null_request_flags); - if (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) { + if (answer == ACCESS_REQ_PWD_CHANGE) { + status = HTTP_FORBIDDEN; + page_id = ERR_REQ_PWD_CHANGE; + } else if (answer == ACCESS_UNAUTHORIZED_IP_ADDRESS) { + status = HTTP_FORBIDDEN; + page_id = ERR_UNAUTHORIZED_IP_ADDRESS; + } else if (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) { if (!http->flags.accel) { /* Proxy authorisation needed */ status = HTTP_PROXY_AUTHENTICATION_REQUIRED; Index: squid/src/enums.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/enums.h,v retrieving revision 1.18 retrieving revision 1.18.2.1 diff -u -r1.18 -r1.18.2.1 --- squid/src/enums.h 10 Apr 2001 13:20:52 -0000 1.18 +++ squid/src/enums.h 13 Apr 2001 23:17:17 -0000 1.18.2.1 @@ -1,6 +1,6 @@ /* - * $Id: enums.h,v 1.18 2001/04/10 13:20:52 squidadm Exp $ + * $Id: enums.h,v 1.18.2.1 2001/04/13 23:17:17 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -89,6 +89,8 @@ ERR_FTP_UNAVAILABLE, ERR_ONLY_IF_CACHED_MISS, /* failure to satisfy only-if-cached request */ ERR_TOO_BIG, + ERR_REQ_PWD_CHANGE, + ERR_UNAUTHORIZED_IP_ADDRESS, ERR_MAX } err_type; @@ -138,6 +140,8 @@ ACL_LOOKUP_PENDING, ACL_LOOKUP_DONE, ACL_PROXY_AUTH_NEEDED, + ACL_EXPIRED_PASSWORD, + ACL_UNAUTHORIZED_IP_ADDRESS, } acl_lookup_state; enum { @@ -498,7 +502,9 @@ typedef enum { ACCESS_DENIED, ACCESS_ALLOWED, - ACCESS_REQ_PROXY_AUTH + ACCESS_REQ_PROXY_AUTH, + ACCESS_REQ_PWD_CHANGE, + ACCESS_UNAUTHORIZED_IP_ADDRESS, } allow_t; typedef enum { 
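Review bot: Both new branches in the @@ -247 hunk answer with HTTP_FORBIDDEN and a page that names the reason, which tells a client something about the account before it has been let in. Whether a helper returns the expired or bad-address verdict only when the password is correct is not visible in this patch; if it does, the distinct pages let someone guessing passwords tell a right guess from a wrong one, so that requirement should be documented for helper authors and these denials logged so repeated ones can be noticed. A comment above the branches, e.g. `/* helper verdicts: answered with 403 rather than the 407 challenge below */`, would also make the difference from the proxy-auth path explicit. The enclosing function starts and ends outside the hunk.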
@@ -751,3 +757,22 @@ CBDATA_store_client, CBDATA_FIRST_CUSTOM_TYPE = 1000 } cbdata_type; + +enum _credentials_status_t { + CREDENTIALS_UNKNOWN, + CREDENTIALS_OK, + CREDENTIALS_FAILED, + CREDENTIALS_EVALUATING, + CREDENTIALS_EXPIRED, + CREDENTIALS_BADIP, +}; + +enum _authdir_result_t { + AUTHDIR_OK = 0, + AUTHDIR_CHALLENGE = 1, + AUTHDIR_REVALIDATE = -1, + AUTHDIR_FAILED = -2, + AUTHDIR_EXPIRED = -3, + AUTHDIR_BADIP = -4, +}; + Index: squid/src/structs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/structs.h,v retrieving revision 1.29 retrieving revision 1.29.8.1 diff -u -r1.29 -r1.29.8.1 --- squid/src/structs.h 4 Apr 2001 06:45:08 -0000 1.29 +++ squid/src/structs.h 13 Apr 2001 23:17:17 -0000 1.29.8.1 @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.29 2001/04/04 06:45:08 squidadm Exp $ + * $Id: structs.h,v 1.29.8.1 2001/04/13 23:17:17 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -98,9 +98,7 @@ /* we may have many proxy-authenticate strings that decode to the same user */ dlink_list proxy_auth_list; dlink_list proxy_match_cache; - struct { - unsigned int credentials_ok:2; /*0=unchecked,1=ok,2=failed */ - } flags; + credentials_status_t credentials_status; long expiretime; /* IP addr this user authenticated from */ struct in_addr ipaddr; Index: squid/src/typedefs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/typedefs.h,v retrieving revision 1.17 retrieving revision 1.17.18.1 diff -u -r1.17 -r1.17.18.1 --- squid/src/typedefs.h 1 Mar 2001 04:04:19 -0000 1.17 +++ squid/src/typedefs.h 13 Apr 2001 23:17:17 -0000 1.17.18.1 @@ -1,6 +1,6 @@ /* - * $Id: typedefs.h,v 1.17 2001/03/01 04:04:19 hno Exp $ + * $Id: typedefs.h,v 1.17.18.1 2001/04/13 23:17:17 hno Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ 
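Review bot: `_credentials_status_t` in the @@ -751 hunk is added without comments, and its numbering differs from the literals it replaces: the old switch in auth_basic.c used 2 for "paused while waiting" and 3 for "failed", whereas here CREDENTIALS_FAILED is 2 and CREDENTIALS_EVALUATING is 3. Every converted `flags.credentials_ok == N` test therefore has to be translated by meaning, not by number. A short comment per enumerator, for example `CREDENTIALS_EVALUATING, /* helper lookup in progress for this user */`, would make that harder to get wrong.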
@@ -61,6 +61,7 @@ typedef struct _acl_time_data acl_time_data; typedef struct _acl_name_list acl_name_list; typedef struct _acl_deny_info_list acl_deny_info_list; +typedef enum _credentials_status_t credentials_status_t; typedef struct _auth_user_t auth_user_t; typedef struct _auth_user_request_t auth_user_request_t; typedef struct _auth_user_hash_pointer auth_user_hash_pointer; @@ -187,6 +188,7 @@ typedef struct _RemovalPurgeWalker RemovalPurgeWalker; typedef struct _RemovalPolicyNode RemovalPolicyNode; typedef struct _RemovalPolicySettings RemovalPolicySettings; +typedef enum _authdir_result_t authdir_result_t; typedef struct _http_version_t http_version_t; @@ -294,7 +296,7 @@ typedef void AUTHSAUTHUSER(auth_user_request_t *, request_t *, ConnStateData *, http_hdr_type); typedef int AUTHSCONFIGURED(void); typedef void AUTHSDECODE(auth_user_request_t *, const char *); -typedef int AUTHSDIRECTION(auth_user_request_t *); +typedef authdir_result_t AUTHSDIRECTION(auth_user_request_t *); typedef void AUTHSDUMP(StoreEntry *, const char *, authScheme *); typedef void AUTHSFIXERR(auth_user_request_t *, HttpReply *, http_hdr_type, request_t *); typedef void AUTHSADDHEADER(auth_user_request_t *, HttpReply *, int); Index: squid/src/auth/basic/auth_basic.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/basic/auth_basic.c,v retrieving revision 1.11 retrieving revision 1.11.16.1 diff -u -r1.11 -r1.11.16.1 --- squid/src/auth/basic/auth_basic.c 21 Mar 2001 23:43:33 -0000 1.11 +++ squid/src/auth/basic/auth_basic.c 13 Apr 2001 23:17:17 -0000 1.11.16.1 
@@ -149,7 +149,7 @@ authenticateBasicAuthenticated(auth_user_request_t * auth_user_request) { basic_data *basic_auth = auth_user_request->auth_user->scheme_data; - if ((auth_user_request->auth_user->flags.credentials_ok == 1) && (basic_auth->credentials_checkedtime + basicConfig->credentialsTTL > squid_curtime)) + if ((auth_user_request->auth_user->credentials_status == CREDENTIALS_OK) && (basic_auth->credentials_checkedtime + basicConfig->credentialsTTL > squid_curtime)) return 1; debug(29, 4) ("User not authenticated or credentials need rechecking.\n"); return 0; @@ -175,7 +175,7 @@ auth_user = auth_user_request->auth_user; /* if the password is not ok, do an identity */ - if (auth_user->flags.credentials_ok != 1) + if (auth_user->credentials_status != CREDENTIALS_OK) return; assert(auth_user->scheme_data != NULL); 
@@ -197,25 +197,31 @@ return; } -int +authdir_result_t authenticateBasicDirection(auth_user_request_t * auth_user_request) { /* null auth_user is checked for by authenticateDirection */ auth_user_t *auth_user = auth_user_request->auth_user; basic_data *basic_auth = auth_user->scheme_data; - switch (auth_user->flags.credentials_ok) { - case 0: /* not checked */ - return -1; - case 1: /* checked & ok */ + switch (auth_user->credentials_status) { + case CREDENTIALS_UNKNOWN: /* not checked */ + return AUTHDIR_REVALIDATE; + case CREDENTIALS_OK: /* checked & ok */ if (basic_auth->credentials_checkedtime + basicConfig->credentialsTTL <= squid_curtime) - return -1; - return 0; - case 2: /* paused while waiting for a username:password check on another request */ - return -1; - case 3: /* authentication process failed. */ - return -2; + return AUTHDIR_REVALIDATE; + return AUTHDIR_OK; + case CREDENTIALS_EVALUATING: /* paused while waiting for a username:password check on another request */ + return AUTHDIR_REVALIDATE; + case CREDENTIALS_FAILED: /* authentication process failed. */ + return AUTHDIR_FAILED; + case CREDENTIALS_EXPIRED: /* authentication process indicated expired password */ + return AUTHDIR_EXPIRED; + case CREDENTIALS_BADIP: /* authentication process indicated bad IP */ + return AUTHDIR_BADIP; + default: + debug(29, 1) ("authenticateBasicDirection: Unknown credential status %d\n", auth_user->credentials_status); + return AUTHDIR_FAILED; /* just in case... */ } - return -2; } void 
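Review bot: In authenticateBasicDirection the new `CREDENTIALS_EXPIRED` and `CREDENTIALS_BADIP` cases return at once, without the credentialsTTL test that the `CREDENTIALS_OK` case applies, so a cached EXP or NIP verdict is never sent back to the helper. The only reset visible in this patch is the new-password path in authBasicDecodeAuth, so a user whose account was renewed out of band, or who moves to a permitted address, presumably stays blocked until the entry is dropped. Because the status is stored on the shared auth_user, a verdict reached for one client address also appears to apply to the same credentials arriving from another address, and a cached OK is likewise not re-checked per address. Applying the same test to both cases, `if (basic_auth->credentials_checkedtime + basicConfig->credentialsTTL <= squid_curtime) return AUTHDIR_REVALIDATE;`, would bound the first problem; the second needs the request's address compared with the one recorded on the user before the cached status is trusted.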
@@ -275,10 +281,15 @@ assert(r->auth_user_request->auth_user->auth_type == AUTH_BASIC); auth_user = r->auth_user_request->auth_user; basic_auth = auth_user->scheme_data; - if (reply && (strncasecmp(reply, "OK", 2) == 0)) - auth_user->flags.credentials_ok = 1; - else - auth_user->flags.credentials_ok = 3; + auth_user->credentials_status = CREDENTIALS_FAILED; + if (reply) { + if (strncasecmp(reply, "OK", 2) == 0) + auth_user->credentials_status = CREDENTIALS_OK; + else if (strncasecmp(reply, "EXP", 3) == 0) + auth_user->credentials_status = CREDENTIALS_EXPIRED; + else if (strncasecmp(reply, "NIP", 3) == 0) + auth_user->credentials_status = CREDENTIALS_BADIP; + } basic_auth->credentials_checkedtime = squid_curtime; valid = cbdataValid(r->data); if (valid) @@ -515,7 +526,7 @@ basic_auth = auth_user->scheme_data; if (strcmp(local_basic.passwd, basic_auth->passwd)) { debug(29, 4) ("authBasicDecodeAuth: new password found. Updating in user master record and resetting auth state to unchecked\n"); - auth_user->flags.credentials_ok = 0; + auth_user->credentials_status = CREDENTIALS_UNKNOWN; xfree(basic_auth->passwd); basic_auth->passwd = local_basic.passwd; } else @@ -575,7 +586,7 @@ return; } /* check to see if the auth_user already has a request outstanding */ - if (auth_user_request->auth_user->flags.credentials_ok == 2) { + if (auth_user_request->auth_user->credentials_status == CREDENTIALS_OK) { /* there is a request with the same credentials already being verified */ auth_basic_queue_node *node; node = xmalloc(sizeof(auth_basic_queue_node)); @@ -595,7 +606,7 @@ r->data = data; r->auth_user_request = auth_user_request; /* mark the user as haveing verification in progress */ - auth_user_request->auth_user->flags.credentials_ok = 2; + auth_user_request->auth_user->credentials_status = CREDENTIALS_EVALUATING; snprintf(buf, 8192, "%s %s\n", basic_auth->username, basic_auth->passwd); helperSubmit(basicauthenticators, buf, authenticateBasicHandleReply, r); } 
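Review bot: In the `@@ -575,7 +586,7 @@` hunk the in-progress test was converted to the wrong constant: the old code compared `credentials_ok` with 2, which the other hunks of this file map to `CREDENTIALS_EVALUATING`, but the new line tests `CREDENTIALS_OK`. As written, a request for a user whose check is still running is no longer queued behind it and goes to the helper a second time, while a request for an already verified user that reaches this point would be queued as if a check were outstanding. The line should read `if (auth_user_request->auth_user->credentials_status == CREDENTIALS_EVALUATING) {`. The enclosing function starts and ends outside the hunk.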
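Review bot: The request line built in the `@@ -595,7 +606,7 @@` hunk still carries only two fields, `"%s %s\n"` with the user name and the password, while the ncsa_auth_plus helper added in this patchset answers `ERR` unless it can read a third space-separated address token. Unless the address is appended somewhere outside this hunk, that helper can never return `EXP` or `NIP`, so the new statuses are unreachable. The format needs a third `%s` carrying the client address. Because the protocol is space- and newline-delimited, the user name and password should also be encoded, or rejected when they contain a space or line break, before they are written into `buf`. The enclosing function starts outside the hunk.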
--- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/src/auth/basic/helpers/NCSA_PLUS/Makefile.in Wed Feb 14 00:52:09 2007 
@@ -0,0 +1,100 @@ +# +# Makefile for the Squid Object Cache server +# +# $Id: Makefile.in,v 1.1.2.1 2001/04/13 23:17:17 hno Exp $ +# +# Uncomment and customize the following to suit your needs: +# + +prefix = @prefix@ +exec_prefix = @exec_prefix@ +exec_suffix = @exec_suffix@ +cgi_suffix = @cgi_suffix@ +top_srcdir = @top_srcdir@ +bindir = @bindir@ +libexecdir = @libexecdir@ +sysconfdir = @sysconfdir@ +localstatedir = @localstatedir@ +srcdir = @srcdir@ +VPATH = @srcdir@ + +# Gotta love the DOS legacy +# +NCSA_AUTH_PLUS_EXE = ncsa_auth_plus$(exec_suffix) + +DEFAULT_PASSWD_FILE = $(sysconfdir)/passwd + +CC = @CC@ +MAKEDEPEND = @MAKEDEPEND@ +INSTALL = @INSTALL@ +INSTALL_BIN = @INSTALL_PROGRAM@ +INSTALL_FILE = @INSTALL_DATA@ +INSTALL_SUID = @INSTALL_PROGRAM@ -o root -m 4755 +RANLIB = @RANLIB@ +LN_S = @LN_S@ +PERL = @PERL@ +CRYPTLIB = @CRYPTLIB@ +REGEXLIB = @REGEXLIB@ +PTHREADLIB = @PTHREADLIB@ +SNMPLIB = @SNMPLIB@ +MALLOCLIB = @LIB_MALLOC@ +AC_CFLAGS = @CFLAGS@ +LDFLAGS = @LDFLAGS@ +XTRA_LIBS = @XTRA_LIBS@ +XTRA_OBJS = @XTRA_OBJS@ +MV = @MV@ +RM = @RM@ +SHELL = /bin/sh + + +INCLUDE = -I. -I../../../../../include -I$(top_srcdir)/include +CFLAGS = $(AC_CFLAGS) $(INCLUDE) $(DEFINES) +AUTH_LIBS = -L../../../../../lib -lmiscutil $(CRYPTLIB) $(XTRA_LIBS) + +PROGS = $(NCSA_AUTH_PLUS_EXE) +OBJS = ncsa_auth_plus.o + +all: $(NCSA_AUTH_PLUS_EXE) + +$(OBJS): $(top_srcdir)/include/version.h + +$(NCSA_AUTH_PLUS_EXE): ncsa_auth_plus.o + $(CC) $(LDFLAGS) ncsa_auth_plus.o -o $@ $(AUTH_LIBS) + +install-mkdirs: + -@if test ! -d $(prefix); then \ + echo "mkdir $(prefix)"; \ + mkdir -p $(prefix); \ + fi + -@if test ! -d $(bindir); then \ + echo "mkdir $(bindir)"; \ + mkdir -p $(bindir); \ + fi + +# Michael Lupp wants to know about additions +# to the install target. 
+install: all install-mkdirs + @for f in $(PROGS); do \ + if test -f $(bindir)/$$f; then \ + echo $(MV) $(bindir)/$$f $(bindir)/-$$f; \ + $(MV) $(bindir)/$$f $(bindir)/-$$f; \ + fi; \ + echo $(INSTALL_BIN) $$f $(bindir); \ + $(INSTALL_BIN) $$f $(bindir); \ + if test -f $(bindir)/-$$f; then \ + echo $(RM) -f $(bindir)/-$$f; \ + $(RM) -f $(bindir)/-$$f; \ + fi; \ + done + +clean: + -rm -rf *.o *pure_* core $(PROGS) + +distclean: clean + -rm -f Makefile + +tags: + ctags *.[ch] ../include/*.h ../lib/*.[ch] + +depend: + $(MAKEDEPEND) -I../include -I. -fMakefile *.c --- /dev/null Wed Feb 14 00:51:37 2007 +++ squid/src/auth/basic/helpers/NCSA_PLUS/ncsa_auth_plus.c Wed Feb 14 00:52:09 2007 
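Review bot: `INSTALL_SUID = @INSTALL_PROGRAM@ -o root -m 4755` is defined but never used, since the install target goes through `$(INSTALL_BIN)`. It is better removed than left for someone to wire up, because this helper parses a password file and has no reason to be installed setuid root. `DEFAULT_PASSWD_FILE` is likewise unused. The `tags` and `depend` targets refer to `../include` and `../lib`, whereas `INCLUDE` and `AUTH_LIBS` in the same file reach the tree through `../../../../../include` and `../../../../../lib`, so those two targets look copied from a shallower directory and need the same prefix.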
@@ -0,0 +1,271 @@ +/* + * ncsa_auth_plus.c + * + * AUTHOR: Pedro Lineu Orso + * + * Adapted from ncsa_auth from Arjan de Vet + * + * Passwod age and IP Address control implemented. + * + * The password file must have the cahcnged date and the + * IP Address authorized for the user in the following format: + * + * user:password:changed_date:ip_address + * + * with expiration date and ip address control: + * Eg.: user01:owiGx.YxAufGU:2000-08-20:192.168.10.1 + * + * without expiration date and with ip address control: + * Eg.: user01:owiGx.YxAufGU:*:192.168.10.1 + * + * with expiration date and without ip address control: + * Eg.: user01:owiGx.YxAufGU:2000-08-20:* + * + * with expiration date and ip address control: + * Eg.: user01:owiGx.YxAufGU:*:* + * + * You must set the EXPIRATION_NDAYS ndays variable. The default is 30 days. + * + */ + +#include "config.h" +#if HAVE_STDIO_H +#include +#endif +#if HAVE_STDLIB_H +#include +#endif +#if HAVE_UNISTD_H +#include +#endif +#if HAVE_STRING_H +#include +#endif +#if HAVE_SYS_TYPES_H +#include +#endif +#if HAVE_SYS_STAT_H +#include +#endif +#if HAVE_CRYPT_H +#include +#endif + +#include "util.h" +#include "hash.h" + +#define EXPIRATION_NDAYS 30 + +static hash_table *hash = NULL; +static HASHFREE my_free; + +typedef struct _user_data { + /* first two items must be same as hash_link */ + char *user; + struct _user_data *next; + char *passwd; + int passwd_ok; /* 1 = passwd checked OK */ + long expiretime; + char *ipaddr; /* IP addr this user authenticated from */ + time_t ip_expiretime; + char *pwd_last_change; + char *authorized_ip; +} user_data; + +static void +my_free(void *p) +{ + user_data *u = p; + xfree(u->user); + xfree(u->passwd); + xfree(u->pwd_last_change); + xfree(u->authorized_ip); + xfree(u); +} + +static void +getword(char *word, char *line, char stop) +{ + int x = 0,y; + + for(x=0;((line[x]) && (line[x] != stop ));x++) + word[x] = line[x]; + + word[x] = '\0'; + if(line[x]) ++x; + y=0; + + while((line[y++] = 
line[x++])); +} + +static void +read_passwd_file(const char *passwdfile) +{ + FILE *f; + char buf[8192]; + user_data *u; + char *user; + char *passwd; + char *pwd_last_change; + char *authorized_ip; + if (hash != NULL) { + hashFreeItems(hash, my_free); + } + /* initial setup */ + hash = hash_create((HASHCMP *) strcmp, 7921, hash_string); + if (NULL == hash) { + fprintf(stderr, "ncsa_auth: cannot create hash table\n"); + exit(1); + } + f = fopen(passwdfile, "r"); + while (fgets(buf, 8192, f) != NULL) { + if ((buf[0] == '#') || (buf[0] == ' ') || (buf[0] == '\t') || + (buf[0] == '\n')) + continue; + user = strtok(buf, ":\n"); + passwd = strtok(NULL, ":\n"); + pwd_last_change = strtok(NULL, ":\n"); + authorized_ip = strtok(NULL, ":\n"); + if ((strlen(user) > 0) && passwd) { + u = xmalloc(sizeof(*u)); + u->user = xstrdup(user); + u->passwd = xstrdup(passwd); + if(pwd_last_change != NULL) + u->pwd_last_change = xstrdup(pwd_last_change); + else u->pwd_last_change = xstrdup("\0"); + if(authorized_ip != NULL) + u->authorized_ip = xstrdup(authorized_ip); + else u->authorized_ip = xstrdup("\0"); + hash_join(hash, (hash_link *) u); + } + } + fclose(f); +} + +int calcdate(char *last) +{ + time_t tm; + struct tm *t; + + char mdays[12][3]={"31","28","31","30","31","30","31","31","30","31","30","31"}; + char y1[5], y2[5]; + char m1[3], m2[3]; + char d1[3], d2[3]; + char w[20], wlast[20]; + int div=4; + int x=0, n=0; + int jul1=0; + int jul2=0; + + strcpy(wlast,last); + getword(y1,wlast,'-'); + getword(m1,wlast,'-'); + getword(d1,wlast,'-'); + + tm = time(NULL); + t = localtime(&tm); + strftime(y2, 5, "%Y", t); + strftime(m2, 3, "%m", t); + strftime(d2, 3, "%d", t); + + if(atoi(m1) < 2) + jul1=atoi(d1); + else { + for(x=1; x<=atoi(m1)-1; x++) + jul1+=atoi(mdays[x-1]); + jul1+=atoi(d1); + if(strncmp(y1+2,"00",2) == 0) { + div=400; + n=366; + } else n=365; + if(!atoi(y1)%div) + jul1++; + } + + if(atoi(m2) < 2) + jul2=atoi(d2); + else { + for(x=1; x<=atoi(m2)-1; x++) + 
jul2+=atoi(mdays[x-1]); + jul2+=atoi(d2); + if(strncmp(y2+2,"00",2) == 0) + div=400; + if(!atoi(y2)%div) + jul2++; + } + + if(jul2\n"); + exit(1); + } + if (stat(argv[1], &sb) != 0) { + fprintf(stderr, "cannot stat %s\n", argv[1]); + exit(1); + } + while (fgets(buf, 256, stdin) != NULL) { + if ((p = strchr(buf, '\n')) != NULL) + *p = '\0'; /* strip \n */ + if (stat(argv[1], &sb) == 0) { + if (sb.st_mtime != change_time) { + read_passwd_file(argv[1]); + change_time = sb.st_mtime; + } + } + if ((user = strtok(buf, " ")) == NULL) { + printf("ERR\n"); + continue; + } + if ((passwd = strtok(NULL, " ")) == NULL) { + printf("ERR\n"); + continue; + } + if ((ipaddr = strtok(NULL, " ")) == NULL) { + printf("ERR\n"); + continue; + } + u = hash_lookup(hash, user); + + days = 0; + if(u->pwd_last_change[0] != '\0' && u->pwd_last_change[0] != '*') + days=calcdate(u->pwd_last_change); + if(u->authorized_ip[0] == '\0' || u->authorized_ip[0] == '*') + u->authorized_ip = xstrdup(ipaddr); + + if (u == NULL) { + printf("ERR\n"); + } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd))) { + printf("ERR\n"); + } else if (days >= EXPIRATION_NDAYS) { + printf("EXP\n"); + } else if (strncmp(ipaddr,u->authorized_ip,strlen(ipaddr)) != 0) { + printf("NIP\n"); + } else { + printf("OK\n"); + } + } + exit(0); +} Index: squid/src/auth/ntlm/auth_ntlm.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/auth/ntlm/auth_ntlm.c,v retrieving revision 1.9 retrieving revision 1.9.18.1 diff -u -r1.9 -r1.9.18.1 --- squid/src/auth/ntlm/auth_ntlm.c 10 Mar 2001 00:58:00 -0000 1.9 +++ squid/src/auth/ntlm/auth_ntlm.c 13 Apr 2001 23:17:17 -0000 1.9.18.1 @@ -263,7 +263,7 @@ /* NTLM Scheme */ -int +authdir_result_t authenticateNTLMDirection(auth_user_request_t * auth_user_request) { ntlm_request_t *ntlm_request = auth_user_request->scheme_data; 
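Review bot: In main()'s request loop, `u->pwd_last_change` and `u->authorized_ip` are read before the `u == NULL` test, so a lookup miss for an unknown user name dereferences a null pointer and takes the helper down instead of answering `ERR`. The wildcard branch also overwrites `u->authorized_ip` with the caller-supplied address before the password has been compared, which binds the account to whichever address asked first (the header comment describes `*` as no address control) and leaks the previous string. The final test `strncmp(ipaddr,u->authorized_ip,strlen(ipaddr))` is a prefix match bounded by the supplied value, so an address that is only a leading substring of the authorized one is accepted; `strcmp` is the exact comparison. The fence shows the loop tail reordered accordingly. Elsewhere in the same hunk, read_passwd_file() passes an unchecked fopen() result to fgets() and calls strlen(user) on a possibly NULL strtok() result, and calcdate() copies the date field with strcpy()/getword() into 20-, 5- and 3-byte buffers with no length check; part of calcdate() and main()'s declarations are missing from the page text, so those fixes are not spelled out here.

```c
        u = hash_lookup(hash, user);
        if (u == NULL) {
            printf("ERR\n");
            continue;
        }
        /* … unchanged: days = calcdate(u->pwd_last_change) when a change date is set … */
        if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd))) {
            printf("ERR\n");
        } else if (days >= EXPIRATION_NDAYS) {
            printf("EXP\n");
        } else if (u->authorized_ip[0] != '\0' && u->authorized_ip[0] != '*'
                   && strcmp(ipaddr, u->authorized_ip) != 0) {
            /* exact match only; an empty or '*' entry means no address control */
            printf("NIP\n");
        } else {
            printf("OK\n");
        }
```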
@@ -271,16 +271,16 @@ switch (ntlm_request->auth_state) { case AUTHENTICATE_STATE_NONE: /* no progress at all. */ debug(28, 1) ("authenticateNTLMDirection: called before NTLM Authenticate!. Report a bug to squid-dev.\n"); - return -2; + return AUTHDIR_FAILED; case AUTHENTICATE_STATE_NEGOTIATE: /* send to helper */ case AUTHENTICATE_STATE_RESPONSE: /*send to helper */ - return -1; + return AUTHDIR_REVALIDATE; case AUTHENTICATE_STATE_CHALLENGE: /* send to client */ - return 1; + return AUTHDIR_CHALLENGE; case AUTHENTICATE_STATE_DONE: /* do nothing.. */ - return 0; + return AUTHDIR_OK; } - return -2; + return AUTHDIR_FAILED; } /* @@ -452,7 +452,7 @@ assert(ntlm_request->auth_state == AUTHENTICATE_STATE_RESPONSE); ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ); ntlm_request->authhelper = NULL; - auth_user->flags.credentials_ok = 1; /* login ok */ + auth_user->credentials_status = CREDENTIALS_OK; /* login ok */ #ifdef NTLM_FAIL_OPEN } else if (strncasecmp(reply, "LD ", 3) == 0) { /* This is a variant of BH, which rather than deny access @@ -479,7 +479,7 @@ ntlm_user->username = xstrndup(reply, MAX_LOGIN_SZ); helperstate = helperStatefulServerGetData(ntlm_request->authhelper); ntlm_request->authhelper = NULL; - auth_user->flags.credentials_ok = 1; /* login ok */ + auth_user->credentials_status = CREDENTIALS_OK; /* login ok */ /* BH code: mark helper as broken */ /* Not a valid helper response to a YR request. Assert so the helper * programmer will fix their bugs! */ 
@@ -500,7 +500,7 @@ /* todo: action of Negotiate state on error */ result = S_HELPER_RELEASE; /*some error has occured. no more requests */ ntlm_request->authhelper = NULL; - auth_user->flags.credentials_ok = 2; /* Login/Usercode failed */ + auth_user->credentials_status = CREDENTIALS_FAILED; /* Login/Usercode failed */ debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply); ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; if ((t = strchr(reply, ' '))) /* strip after a space */ @@ -526,7 +526,7 @@ if (ntlm_request->auth_state == AUTHENTICATE_STATE_NEGOTIATE) { /* The helper broke on YR. It automatically * resets */ - auth_user->flags.credentials_ok = 3; /* cannot process */ + auth_user->credentials_status = CREDENTIALS_UNKNOWN; /* cannot process */ debug(29, 1) ("authenticateNTLMHandleReply: Error obtaining challenge from helper: %d. Error returned '%s'\n", lastserver, reply); /* mark it for starving */ helperstate->starve = 1; @@ -536,7 +536,7 @@ } else { /* the helper broke on a KK */ /* first the standard KK stuff */ - auth_user->flags.credentials_ok = 2; /* Login/Usercode failed */ + auth_user->credentials_status = CREDENTIALS_FAILED; /* Login/Usercode failed */ debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply); ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; if ((t = strchr(reply, ' '))) /* strip after a space */ @@ -558,7 +558,7 @@ debug(29, 1) ("authenticateNTLMHandleReply: Unsupported helper response, '%s'\n", reply); /* restart the authentication process */ ntlm_request->auth_state = AUTHENTICATE_STATE_NONE; - auth_user->flags.credentials_ok = 3; /* cannot process */ + auth_user->credentials_status = CREDENTIALS_FAILED; /* cannot process */ ntlm_request->authhelper = NULL; } } else { 
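Review bot: The old value 3 ("cannot process") is converted two different ways: the `@@ -526,7 +526,7 @@` hunk writes `CREDENTIALS_UNKNOWN`, while the `@@ -558,7 +558,7 @@` hunk writes `CREDENTIALS_FAILED`. With the second mapping, the unsupported-response path whose comment says "restart the authentication process" now leaves the same status as a rejected login, and the converted test in the `@@ -897,7 +897,7 @@` hunk (`credentials_status == CREDENTIALS_FAILED`) returns early for it, which the old `== 2` test did not. Either use `auth_user->credentials_status = CREDENTIALS_UNKNOWN; /* cannot process */` in both places, or add a comment at the `@@ -558` site saying the stricter result is intended. The enclosing function extends beyond these hunks.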
@@ -897,7 +897,7 @@ case AUTHENTICATE_STATE_NONE: /* we've recieved a negotiate request. pass to a helper */ debug(29, 9) ("authenticateNTLMAuthenticateUser: auth state ntlm none. %s\n", proxy_auth); - if (auth_user->flags.credentials_ok == 2) { + if (auth_user->credentials_status == CREDENTIALS_FAILED) { /* the authentication fialed badly... */ return; } @@ -953,7 +953,7 @@ /* get the existing entries details */ ntlm_user = auth_user->scheme_data; debug(29, 9) ("Username to be used is %s\n", ntlm_user->username); - auth_user->flags.credentials_ok = 1; /* authenticated ok */ + auth_user->credentials_status = CREDENTIALS_OK; /* authenticated ok */ /* on ntlm auth we do not unlock the auth_user until the * connection is dropped. Thank MS for this quirk */ auth_user->expiretime = current_time.tv_sec; @@ -1001,7 +1001,7 @@ * existing user or a new user */ auth_user->expiretime = current_time.tv_sec; auth_user->ip_expiretime = squid_curtime; - auth_user->flags.credentials_ok = 1; /*authenticated ok */ + auth_user->credentials_status = CREDENTIALS_OK; /*authenticated ok */ return; break; case AUTHENTICATE_STATE_DONE: