--------------------- PatchSet 2668 Date: 2001/07/26 14:36:23 Author: rbcollins Branch: ntlm Tag: (none) Log: more refactoring of auth code; addition of max_user_ip acl Members: src/acl.c:1.1.1.3.12.58->1.1.1.3.12.59 src/cf.data.pre:1.1.1.3.4.1.2.39->1.1.1.3.4.1.2.40 src/enums.h:1.1.1.3.12.28->1.1.1.3.12.29 Index: squid/src/acl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/acl.c,v retrieving revision 1.1.1.3.12.58 retrieving revision 1.1.1.3.12.59 diff -u -r1.1.1.3.12.58 -r1.1.1.3.12.59 --- squid/src/acl.c 25 Jul 2001 10:25:23 -0000 1.1.1.3.12.58 +++ squid/src/acl.c 26 Jul 2001 14:36:23 -0000 1.1.1.3.12.59 @@ -1,6 +1,6 @@ /* - * $Id: acl.c,v 1.1.1.3.12.58 2001/07/25 10:25:23 rbcollins Exp $ + * $Id: acl.c,v 1.1.1.3.12.59 2001/07/26 14:36:23 rbcollins Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -67,6 +67,7 @@ #if SQUID_SNMP static int aclMatchWordList(wordlist *, const char *); #endif +static int aclMatchUserMaxIP(void *, auth_user_request_t *); static squid_acl aclStrToType(const char *s); static int decode_addr(const char *, struct in_addr *, struct in_addr *); static void aclCheck(aclCheck_t * checklist); @@ -220,6 +221,8 @@ return ACL_REQ_MIME_TYPE; if (!strcmp(s, "rep_mime_type")) return ACL_REP_MIME_TYPE; + if (!strcmp(s, "max_user_ip")) + return ACL_MAX_USER_IP; return ACL_NONE; } @@ -288,6 +291,8 @@ return "req_mime_type"; if (type == ACL_REP_MIME_TYPE) return "rep_mime_type"; + if (type == ACL_MAX_USER_IP) + return "max_user_ip"; return "ERROR"; } @@ -782,6 +787,7 @@ case ACL_SRC_ASN: case ACL_MAXCONN: case ACL_DST_ASN: + case ACL_MAX_USER_IP: aclParseIntlist(&A->data); break; #if SRC_RTT_NOT_YET_FINISHED @@ -1310,6 +1316,7 @@ case 1: /* this ACL check is finished. Unlock. */ authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; return AUTH_ACL_CHALLENGE; case -1: /* we are partway through authentication within squid, 
@@ -1319,6 +1326,7 @@ case -2: /* this ACL check is finished. Unlock. */ authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; return AUTH_ACL_CHALLENGE; } /* on 0 the authentication is finished - fallthrough */ @@ -1333,6 +1341,7 @@ } /* this ACL check is finished. Unlock. */ authenticateAuthUserRequestUnlock(*auth_user_request); + *auth_user_request=NULL; return AUTH_ACL_CHALLENGE; } } @@ -1352,29 +1361,22 @@ squid_acl acltype) { /* checklist is used to register user name when identified, nothing else */ - const char *proxy_auth; - int rv; - /* consistent parameters ? */ - assert(auth_user_request == checklist->auth_user_request); - + /* General program flow in proxy_auth acls * 1. Consistency checks: are we getting sensible data * 2. Call the authenticate* functions to establish a authenticated user * 4. look up the username in acltype (and cache the result against the * username */ - - if ((rv = AuthenticateAuthenticate(&checklist->auth_user_request, headertype, checklist->request, checklist->conn)) != AUTH_AUTHENTICATED) - return rv; - - - proxy_auth = httpHeaderGetStr(&checklist->request->header, headertype); /* get the auth_user_request */ auth_user_request = checklist->auth_user_request; /* Clear the reference in the checklist */ checklist->auth_user_request = NULL; + /* consistent parameters ? */ + assert (authenticateUserAuthenticated(auth_user_request)); + /* This needs to move into a new ACL in some way authenticateAuthUserRequestSetIp(auth_user_request, checklist->src_addr); 
@@ -1389,26 +1391,37 @@ authenticateAuthUserRequestLock(auth_user_request); checklist->request->auth_user_request = auth_user_request; } +#if 0 if (authenticateCheckAuthUserIP(checklist->src_addr, auth_user_request)) { /* Once the match is completed we have finished with the * auth_user structure */ +#endif /* this ACL check completed */ authenticateAuthUserRequestUnlock(auth_user_request); /* check to see if we have matched the user-acl before */ return aclCacheMatchAcl(&auth_user_request->auth_user-> proxy_match_cache, acltype, data, authenticateUserRequestUsername(auth_user_request)); +#if 0 } else { debug(28, 1) ("XXX authenticateCheckAuthUserIP returned 0, somebody " "make sure the username gets logged to access.log.\n"); debug(28, 1) ("XXX if it works, tell developers to remove this " "message\n"); } +#endif /* this acl check completed */ authenticateAuthUserRequestUnlock(auth_user_request); return 0; } +int +aclMatchUserMaxIP(void *data, auth_user_request_t *auth_user_request) +{ + /* never match for now */ + return 0; +} + static void aclLookupProxyAuthStart(aclCheck_t * checklist) { @@ -1515,7 +1528,7 @@ char *esc_buf; const char *header; const char *browser; - int k; + int k,ti; http_hdr_type headertype; if (!ae) return 0; @@ -1674,6 +1687,8 @@ /* NOTREACHED */ case ACL_PROXY_AUTH: case ACL_PROXY_AUTH_REGEX: + case ACL_MAX_USER_IP: + /* ALL authentication predicated ACL's live here */ if (NULL == r) { return -1; } else if (!r->flags.accelerated) { 
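Review bot: `aclMatchUserMaxIP` as added here unconditionally returns 0, so a `max_user_ip` acl never matches even though the cf.data.pre hunk in this same patchset documents it as enforcing a per-user address limit, and an `http_access deny` rule built on it would silently never fire. Until the match is implemented, say so at the definition, e.g. `/* XXX stub: max_user_ip never matches yet - do not rely on it for access control */`, and consider saying the same in the cf.data.pre text. The prototype added in the earlier hunk declares the function `static` while the definition here omits the specifier; adding `static` to the definition keeps the two consistent. In `aclMatchProxyAuth` the `#if 0` around the IP check leaves an unconditional `return aclCacheMatchAcl(...)`, so the trailing `authenticateAuthUserRequestUnlock(auth_user_request); return 0;` is now unreachable and the disabled branch would be clearer deleted than kept under `#if 0`. `aclMatchProxyAuth` begins outside this hunk.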
@@ -1691,9 +1706,44 @@ return -1; #endif } + /* get authed here */ + if ((ti = AuthenticateAuthenticate(&checklist->auth_user_request, headertype, checklist->request, checklist->conn)) != AUTH_AUTHENTICATED) { + switch (ti) { + case 0: + /* Authenticated but not Authorised for this ACL */ + debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n"); + return 0; + case 1: + fatal("AUTH_AUTHENTICATED == 1\n"); + break; + case -1: + /* Send data to the helper */ + debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n"); + checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED; + return 0; + case -2: + /* Send a challenge to the client */ + debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n"); + checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; + return 0; + } + } + /* then, switch on type again to do the correct match routine :> */ + switch (ae->type) { + case ACL_PROXY_AUTH: + case ACL_PROXY_AUTH_REGEX: + ti = aclMatchProxyAuth(ae->data, headertype, + checklist->auth_user_request, checklist, ae->type); + break; + case ACL_MAX_USER_IP: + ti = aclMatchUserMaxIP(ae->data, checklist->auth_user_request); + break; + default: + /* Keep GCC happy */ + break; + } /* Check the credentials */ - switch (aclMatchProxyAuth(ae->data, headertype, - checklist->auth_user_request, checklist, ae->type)) { + switch (ti) { case 0: debug(28, 4) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n"); /* Authenticated but not Authorised for this ACL */ 
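Review bot: The debug messages in the new `switch (ti)` on the AuthenticateAuthenticate result are swapped relative to the states they set: `case -1` sets `ACL_LOOKUP_NEEDED` (credentials go to the helper) but logs "sending authentication challenge", while `case -2` sets `ACL_PROXY_AUTH_NEEDED` (challenge to the client) but logs "sending credentials to helper"; the bodies removed in the next hunk had the strings the other way round, so exchange the two `debug(28, 4)` lines. That switch also has no `default:`, so an unexpected return value skips straight into the type switch with `ti` still holding it. In the type switch, `default: /* Keep GCC happy */` leaves `ti` holding whatever AuthenticateAuthenticate returned — `AUTH_AUTHENTICATED`, which the `fatal("AUTH_AUTHENTICATED == 1\n")` check suggests is 1 — so any type that ever reached it would be reported as authorised by the following `switch (ti)`; replace it with `default: fatal("aclMatchAcl: unexpected acl type in auth match\n"); break;` so the only outcomes are ones a match routine produced. The enclosing `aclMatchAcl` case begins in the previous hunk and the result switch continues in the next.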
@@ -1703,20 +1753,11 @@ /* Authenticated and Authorised for this ACL */ return 1; case -2: - debug(28, 4) ("aclMatchAcl: returning 0 sending authentication challenge.\n"); - /* Authentication credentials invalid or missing. */ - /* Or partway through NTLM handshake. A proxy_Authenticate header - * gets sent to the client. */ - checklist->state[ACL_PROXY_AUTH] = ACL_PROXY_AUTH_NEEDED; - return 0; case -1: - debug(28, 4) ("aclMatchAcl: returning 0 sending credentials to helper.\n"); - /* - * we need to validate the password - */ - checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_NEEDED; - return 0; + fatal("Invalid response from match routine\n"); + break; } + /* NOTREACHED */ #if SQUID_SNMP case ACL_SNMP_COMMUNITY: @@ -2149,6 +2190,7 @@ case ACL_NETDB_SRC_RTT: #endif case ACL_MAXCONN: + case ACL_MAX_USER_IP: intlistDestroy((intlist **) & a->data); break; case ACL_URL_PORT: @@ -2487,6 +2529,7 @@ case ACL_SRC_ASN: case ACL_MAXCONN: case ACL_DST_ASN: + case ACL_MAX_USER_IP: return aclDumpIntlistList(a->data); case ACL_URL_PORT: case ACL_MY_PORT: Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v retrieving revision 1.1.1.3.4.1.2.39 retrieving revision 1.1.1.3.4.1.2.40 diff -u -r1.1.1.3.4.1.2.39 -r1.1.1.3.4.1.2.40 --- squid/src/cf.data.pre 20 Jul 2001 13:25:41 -0000 1.1.1.3.4.1.2.39 +++ squid/src/cf.data.pre 26 Jul 2001 14:36:23 -0000 1.1.1.3.4.1.2.40 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.1.1.3.4.1.2.39 2001/07/20 13:25:41 rbcollins Exp $ +# $Id: cf.data.pre,v 1.1.1.3.4.1.2.40 2001/07/26 14:36:23 rbcollins Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ 
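Review bot: The `switch (ti)` this hunk reduces to `case 0`, `case 1` and the shared `case -2:`/`case -1:` fatal still has no `default:`, so the new `/* NOTREACHED */` comment is not enforced: a value outside those four falls out of the switch and, with `SQUID_SNMP` defined, continues into the `case ACL_SNMP_COMMUNITY:` statements of the enclosing type switch, evaluating the request as a different acl type. Make the shared fatal the default, `default: fatal("Invalid response from match routine\n");`, keeping the explicit `-1`/`-2` labels only if you want them documented. The switch and the enclosing `aclMatchAcl` begin in the previous hunk.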
@@ -1925,6 +1925,15 @@ # This will be matched when the client's IP address has # more than HTTP connections established. + acl aclname max_user_ip + # This will be matched when the user attempts to log in from more + # than different ip address's. The authenticate_ip_ttl + # parameter controls the timeout on the ip entries. + # NOTE: in acceleration mode, clients may appear to come from + # multiple address's if they are going through proxy farms, + # so a limit of 1 may cause user problems. + + acl aclname req_mime_type mime-type1 ... # regex match agains the mime type of the request generated # by the client. Can be used to detect file upload or some Index: squid/src/enums.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/enums.h,v retrieving revision 1.1.1.3.12.28 retrieving revision 1.1.1.3.12.29 diff -u -r1.1.1.3.12.28 -r1.1.1.3.12.29 --- squid/src/enums.h 25 Jul 2001 10:25:23 -0000 1.1.1.3.12.28 +++ squid/src/enums.h 26 Jul 2001 14:36:23 -0000 1.1.1.3.12.29 @@ -1,6 +1,6 @@ /* - * $Id: enums.h,v 1.1.1.3.12.28 2001/07/25 10:25:23 rbcollins Exp $ + * $Id: enums.h,v 1.1.1.3.12.29 2001/07/26 14:36:23 rbcollins Exp $ * * * SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -129,6 +129,7 @@ ACL_MAXCONN, ACL_REQ_MIME_TYPE, ACL_REP_MIME_TYPE, + ACL_MAX_USER_IP, ACL_ENUM_MAX } squid_acl;