[thirdparty/squid.git] / src / AuthUserRequest.h


/*
 * $Id$
 *
 * DO NOT MODIFY NEXT 2 LINES:
 * arch-tag: 674533af-8b21-4641-b71a-74c4639072a0
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */

#ifndef SQUID_AUTHUSERREQUEST_H
#define SQUID_AUTHUSERREQUEST_H

#include "client_side.h"

class AuthUser;

class ConnStateData;

class AuthScheme;

struct AuthUserIP {
    dlink_node node;
    /* IP addr this user authenticated from */

    IpAddress ipaddr;
    time_t ip_expiretime;
};

/**
 \ingroup AuthAPI
 * This is a short lived structure is the visible aspect of the authentication framework.
 */
class AuthUserRequest
{

public:
    /**
     * This is the object passed around by client_side and acl functions
     * it has request specific data, and links to user specific data
     * the user
     */
    AuthUser *_auth_user;

    /**
     *  Used by squid to determine what the next step in performing authentication for a given scheme is.
     *
     \retval -2	ERROR in the auth module. Cannot determine request direction.
     \retval -1	The auth module needs to send data to an external helper.
     *		Squid will prepare for a callback on the request and call the AUTHSSTART function.
     \retval  0	The auth module has all the information it needs to perform the authentication and provide a succeed/fail result.
     \retval  1	The auth module needs to send a new challenge to the request originator.
     *		Squid will return the appropriate status code (401 or 407) and call the registered FixError function to allow the auth module to insert it's challenge.
     */
    int direction();

    /**
     * Used by squid to determine whether the auth scheme has successfully authenticated the user request.
     *
     \retval true	User has successfully been authenticated.
     \retval false	Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
     */
    virtual int authenticated() const = 0;
    virtual void authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type) = 0;
    /* template method */
    virtual int module_direction() = 0;
    virtual void addHeader(HttpReply * rep, int accel);
    virtual void addTrailer(HttpReply * rep, int accel);
    virtual void onConnectionClose(ConnStateData *);

    /**
     * Called when squid is ready to put the request on hold and wait for a callback from the auth module
     * when the auth module has performed it's external activities.
     *
     \param handler	Handler to process the callback when its run
     \param data	CBDATA for handler
     */
    virtual void module_start(RH *handler, void *data) = 0;

    virtual AuthUser *user() {return _auth_user;}

    virtual const AuthUser *user() const {return _auth_user;}

    virtual void user(AuthUser *aUser) {_auth_user=aUser;}

    static auth_acl_t tryToAuthenticateAndSetAuthUser(AuthUserRequest **, http_hdr_type, HttpRequest *, ConnStateData *, IpAddress &);
    static void addReplyAuthHeader(HttpReply * rep, AuthUserRequest * auth_user_request, HttpRequest * request, int accelerated, int internal);

    AuthUserRequest();

    virtual ~AuthUserRequest();
    void *operator new(size_t byteCount);
    void operator delete(void *address);

    void start( RH * handler, void *data);
    char const * denyMessage(char const * const default_message = NULL);

    /** Possibly overrideable in future */
    void setDenyMessage(char const *);

    /** Possibly overrideable in future */
    char const * getDenyMessage();

    size_t refCount() const;
    void _lock();            /**< \note please use AUTHUSERREQUESTLOCK()   */
    void _unlock();          /**< \note please use AUTHUSERREQUESTUNLOCK() */

    /**
     * Squid does not make assumptions about where the username is stored.
     * This function must return a pointer to a NULL terminated string to be used in logging the request.
     * The string should NOT be allocated each time this function is called.
     *
     \retval NULL	No username/usercode is known.
     \retval *		Null-terminated username string.
     */
    char const *username() const;

    AuthScheme *scheme() const;

    virtual const char * connLastHeader();

private:

    static auth_acl_t authenticate(AuthUserRequest ** auth_user_request, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, IpAddress &src_addr);

    /** return a message on the 407 error pages */
    char *message;

    /** how many 'processes' are working on this data */
    size_t references;

    /**
     * We only attempt authentication once per http request. This
     * is to allow multiple auth acl references from different _access areas
     * when using connection based authentication
     */
    auth_acl_t lastReply;
};

/* AuthUserRequest */

/**
 \ingroup AuthAPI
 \deprecated Use AuthUserRequest::refCount() instead.
 */
extern size_t authenticateRequestRefCount (AuthUserRequest *);

/// \ingroup AuthAPI
extern void authenticateFixHeader(HttpReply *, AuthUserRequest *, HttpRequest *, int, int);
/// \ingroup AuthAPI
extern void authenticateAddTrailer(HttpReply *, AuthUserRequest *, HttpRequest *, int);

/// \ingroup AuthAPI
extern void authenticateAuthUserRequestRemoveIp(AuthUserRequest *, IpAddress const &);
/// \ingroup AuthAPI
extern void authenticateAuthUserRequestClearIp(AuthUserRequest *);
/// \ingroup AuthAPI
extern int authenticateAuthUserRequestIPCount(AuthUserRequest *);
/// \ingroup AuthAPI
/// \deprecated Use AuthUserRequest::direction() instead.
extern int authenticateDirection(AuthUserRequest *);

/// \ingroup AuthAPI
/// See AuthUserRequest::authenticated()
extern int authenticateUserAuthenticated(AuthUserRequest *);
/// \ingroup AuthAPI
extern int authenticateValidateUser(AuthUserRequest *);

/// \todo Drop dead code? or make a debugging option.
#if 0
#define AUTHUSERREQUESTUNLOCK(a,b) if(a){(a)->_unlock();debugs(0,0,HERE << "auth_user_request " << a << " was unlocked for " << b); (a)=NULL;}
#define AUTHUSERREQUESTLOCK(a,b) { (a)->_lock(); debugs(0,0,HERE << "auth_user_request " << a << " was locked for " << b); }
#endif
#define AUTHUSERREQUESTUNLOCK(a,b) if(a){(a)->_unlock();(a)=NULL;}
#define AUTHUSERREQUESTLOCK(a,b) (a)->_lock()


#endif /* SQUID_AUTHUSERREQUEST_H */
Commit	Line	Data
f5691f9c	1
f5691f9c	2	/*
262a0e14	3	* $Id$
f5691f9c	4	*
	5	* DO NOT MODIFY NEXT 2 LINES:
	6	* arch-tag: 674533af-8b21-4641-b71a-74c4639072a0
	7	*
	8	* SQUID Web Proxy Cache http://www.squid-cache.org/
	9	* ----------------------------------------------------------
	10	*
	11	* Squid is the result of efforts by numerous individuals from
	12	* the Internet community; see the CONTRIBUTORS file for full
	13	* details. Many organizations have provided support for Squid's
	14	* development; see the SPONSORS file for full details. Squid is
	15	* Copyrighted (C) 2001 by the Regents of the University of
	16	* California; see the COPYRIGHT file for full details. Squid
	17	* incorporates software developed and/or copyrighted by other
	18	* sources; see the CREDITS file for full details.
	19	*
	20	* This program is free software; you can redistribute it and/or modify
	21	* it under the terms of the GNU General Public License as published by
	22	* the Free Software Foundation; either version 2 of the License, or
	23	* (at your option) any later version.
26ac0430	24	*
f5691f9c	25	* This program is distributed in the hope that it will be useful,
	26	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	27	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	28	* GNU General Public License for more details.
26ac0430	29	*
f5691f9c	30	* You should have received a copy of the GNU General Public License
	31	* along with this program; if not, write to the Free Software
	32	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	33	*
	34	*/
	35
	36	#ifndef SQUID_AUTHUSERREQUEST_H
	37	#define SQUID_AUTHUSERREQUEST_H
	38
	39	#include "client_side.h"
	40
	41	class AuthUser;
	42
	43	class ConnStateData;
	44
	45	class AuthScheme;
	46
26ac0430	47	struct AuthUserIP {
f5691f9c	48	dlink_node node;
	49	/* IP addr this user authenticated from */
	50
ad61a2b4	51	IpAddress ipaddr;
f5691f9c	52	time_t ip_expiretime;
	53	};
	54
63be0a78	55	/**
	56	\ingroup AuthAPI
	57	* This is a short lived structure is the visible aspect of the authentication framework.
	58	*/
f5691f9c	59	class AuthUserRequest
	60	{
	61
	62	public:
63be0a78	63	/**
	64	* This is the object passed around by client_side and acl functions
	65	* it has request specific data, and links to user specific data
	66	* the user
	67	*/
e1f7507e	68	AuthUser *_auth_user;
f5691f9c	69
63be0a78	70	/**
	71	* Used by squid to determine what the next step in performing authentication for a given scheme is.
	72	*
	73	\retval -2 ERROR in the auth module. Cannot determine request direction.
	74	\retval -1 The auth module needs to send data to an external helper.
	75	* Squid will prepare for a callback on the request and call the AUTHSSTART function.
	76	\retval 0 The auth module has all the information it needs to perform the authentication and provide a succeed/fail result.
	77	\retval 1 The auth module needs to send a new challenge to the request originator.
	78	* Squid will return the appropriate status code (401 or 407) and call the registered FixError function to allow the auth module to insert it's challenge.
	79	*/
f5691f9c	80	int direction();
63be0a78	81
	82	/**
	83	* Used by squid to determine whether the auth scheme has successfully authenticated the user request.
	84	*
	85	\retval true User has successfully been authenticated.
	86	\retval false Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
	87	*/
f5691f9c	88	virtual int authenticated() const = 0;
69d779f8	89	virtual void authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type) = 0;
f5691f9c	90	/* template method */
	91	virtual int module_direction() = 0;
	92	virtual void addHeader(HttpReply * rep, int accel);
	93	virtual void addTrailer(HttpReply * rep, int accel);
	94	virtual void onConnectionClose(ConnStateData *);
63be0a78	95
	96	/**
	97	* Called when squid is ready to put the request on hold and wait for a callback from the auth module
	98	* when the auth module has performed it's external activities.
	99	*
	100	\param handler Handler to process the callback when its run
	101	\param data CBDATA for handler
	102	*/
	103	virtual void module_start(RH handler, void data) = 0;
	104
f5691f9c	105	virtual AuthUser *user() {return _auth_user;}
	106
	107	virtual const AuthUser *user() const {return _auth_user;}
	108
e1f7507e	109	virtual void user(AuthUser *aUser) {_auth_user=aUser;}
f5691f9c	110
ad61a2b4	111	static auth_acl_t tryToAuthenticateAndSetAuthUser(AuthUserRequest *, http_hdr_type, HttpRequest , ConnStateData *, IpAddress &);
76f142cd	112	static void addReplyAuthHeader(HttpReply * rep, AuthUserRequest * auth_user_request, HttpRequest * request, int accelerated, int internal);
f5691f9c	113
	114	AuthUserRequest();
	115
	116	virtual ~AuthUserRequest();
e1f7507e AJ	117	void *operator new(size_t byteCount);
e1f7507e AJ	118	void operator delete(void *address);
f5691f9c	119
e1f7507e AJ	120	void start( RH * handler, void *data);
e1f7507e AJ	121	char const * denyMessage(char const * const default_message = NULL);
63be0a78	122
63be0a78	123	/** Possibly overrideable in future */
e1f7507e	124	void setDenyMessage(char const *);
63be0a78	125
63be0a78	126	/** Possibly overrideable in future */
e1f7507e	127	char const * getDenyMessage();
f5691f9c	128
f5691f9c	129	size_t refCount() const;
cfdb8f88 AJ	130	void _lock(); /*< \note please use AUTHUSERREQUESTLOCK() /
cfdb8f88 AJ	131	void _unlock(); /*< \note please use AUTHUSERREQUESTUNLOCK() /
f5691f9c	132
63be0a78	133	/**
	134	* Squid does not make assumptions about where the username is stored.
	135	* This function must return a pointer to a NULL terminated string to be used in logging the request.
	136	* The string should NOT be allocated each time this function is called.
	137	*
	138	\retval NULL No username/usercode is known.
	139	\retval * Null-terminated username string.
	140	*/
f5691f9c	141	char const *username() const;
	142
	143	AuthScheme *scheme() const;
	144
6bf4f823	145	virtual const char * connLastHeader();
6bf4f823	146
f5691f9c	147	private:
f5691f9c	148
ad61a2b4	149	static auth_acl_t authenticate(AuthUserRequest ** auth_user_request, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, IpAddress &src_addr);
f5691f9c	150
63be0a78	151	/** return a message on the 407 error pages */
f5691f9c	152	char *message;
f5691f9c	153
63be0a78	154	/** how many 'processes' are working on this data */
f5691f9c	155	size_t references;
f5691f9c	156
63be0a78	157	/**
63be0a78	158	* We only attempt authentication once per http request. This
f5691f9c	159	* is to allow multiple auth acl references from different _access areas
	160	* when using connection based authentication
	161	*/
	162	auth_acl_t lastReply;
	163	};
	164
	165	/* AuthUserRequest */
63be0a78	166
	167	/**
	168	\ingroup AuthAPI
	169	\deprecated Use AuthUserRequest::refCount() instead.
	170	*/
76f142cd	171	extern size_t authenticateRequestRefCount (AuthUserRequest *);
f5691f9c	172
63be0a78	173	/// \ingroup AuthAPI
76f142cd	174	extern void authenticateFixHeader(HttpReply , AuthUserRequest , HttpRequest *, int, int);
63be0a78	175	/// \ingroup AuthAPI
76f142cd	176	extern void authenticateAddTrailer(HttpReply , AuthUserRequest , HttpRequest *, int);
f5691f9c	177
63be0a78	178	/// \ingroup AuthAPI
ad61a2b4	179	extern void authenticateAuthUserRequestRemoveIp(AuthUserRequest *, IpAddress const &);
63be0a78	180	/// \ingroup AuthAPI
76f142cd	181	extern void authenticateAuthUserRequestClearIp(AuthUserRequest *);
63be0a78	182	/// \ingroup AuthAPI
76f142cd	183	extern int authenticateAuthUserRequestIPCount(AuthUserRequest *);
63be0a78	184	/// \ingroup AuthAPI
63be0a78	185	/// \deprecated Use AuthUserRequest::direction() instead.
76f142cd	186	extern int authenticateDirection(AuthUserRequest *);
f5691f9c	187
63be0a78	188	/// \ingroup AuthAPI
63be0a78	189	/// See AuthUserRequest::authenticated()
76f142cd	190	extern int authenticateUserAuthenticated(AuthUserRequest *);
63be0a78	191	/// \ingroup AuthAPI
76f142cd	192	extern int authenticateValidateUser(AuthUserRequest *);
f5691f9c	193
63be0a78	194	/// \todo Drop dead code? or make a debugging option.
4f0ef8e8	195	#if 0
	196	#define AUTHUSERREQUESTUNLOCK(a,b) if(a){(a)->_unlock();debugs(0,0,HERE << "auth_user_request " << a << " was unlocked for " << b); (a)=NULL;}
	197	#define AUTHUSERREQUESTLOCK(a,b) { (a)->_lock(); debugs(0,0,HERE << "auth_user_request " << a << " was locked for " << b); }
	198	#endif
	199	#define AUTHUSERREQUESTUNLOCK(a,b) if(a){(a)->_unlock();(a)=NULL;}
	200	#define AUTHUSERREQUESTLOCK(a,b) (a)->_lock()
	201
	202
f5691f9c	203	#endif /* SQUID_AUTHUSERREQUEST_H */