[thirdparty/squid.git] / src / auth / UserRequest.cc

/*
 * DEBUG: section 29    Authenticator
 * AUTHOR:  Robert Collins
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */

/* The functions in this file handle authentication.
 * They DO NOT perform access control or auditing.
 * See acl.c for access control and client_side.c for auditing */

#include "squid.h"
#include "auth/Config.h"
#include "auth/Scheme.h"
#include "auth/User.h"
#include "auth/UserRequest.h"
#include "client_side.h"
#include "comm/Connection.h"
#include "HttpReply.h"
#include "HttpRequest.h"

/* Generic Functions */

char const *
Auth::UserRequest::username() const
{
    if (user() != NULL)
        return user()->username();
    else
        return NULL;
}

/**** PUBLIC FUNCTIONS (ALL GENERIC!)  ****/

/* send the initial data to an authenticator module */
void
Auth::UserRequest::start(AUTHCB * handler, void *data)
{
    assert(handler);
    assert(data);
    debugs(29, 9, HERE << "auth_user_request '" << this << "'");
    module_start(handler, data);
}

bool
Auth::UserRequest::valid() const
{
    debugs(29, 9, HERE << "Validating Auth::UserRequest '" << this << "'.");

    if (user() == NULL) {
        debugs(29, 4, HERE << "No associated Auth::User data");
        return false;
    }

    if (user()->auth_type == Auth::AUTH_UNKNOWN) {
        debugs(29, 4, HERE << "Auth::User '" << user() << "' uses unknown scheme.");
        return false;
    }

    if (user()->auth_type == Auth::AUTH_BROKEN) {
        debugs(29, 4, HERE << "Auth::User '" << user() << "' is broken for it's scheme.");
        return false;
    }

    /* any other sanity checks that we need in the future */

    /* finally return ok */
    debugs(29, 5, HERE << "Validated. Auth::UserRequest '" << this << "'.");
    return true;
}

void *
Auth::UserRequest::operator new (size_t byteCount)
{
    fatal("Auth::UserRequest not directly allocatable\n");
    return (void *)1;
}

void
Auth::UserRequest::operator delete (void *address)
{
    fatal("Auth::UserRequest child failed to override operator delete\n");
}

Auth::UserRequest::UserRequest():
        _auth_user(NULL),
        message(NULL),
        lastReply(AUTH_ACL_CANNOT_AUTHENTICATE)
{
    debugs(29, 5, HERE << "initialised request " << this);
}

Auth::UserRequest::~UserRequest()
{
    assert(LockCount()==0);
    debugs(29, 5, HERE << "freeing request " << this);

    if (user() != NULL) {
        /* release our references to the user credentials */
        user(NULL);
    }

    safe_free(message);
}

void
Auth::UserRequest::setDenyMessage(char const *aString)
{
    safe_free(message);
    message = xstrdup(aString);
}

char const *
Auth::UserRequest::getDenyMessage()
{
    return message;
}

char const *
Auth::UserRequest::denyMessage(char const * const default_message)
{
    if (this == NULL || getDenyMessage() == NULL) {
        return default_message;
    }

    return getDenyMessage();
}

static void
authenticateAuthUserRequestSetIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address &ipaddr)
{
    Auth::User::Pointer auth_user = auth_user_request->user();

    if (!auth_user)
        return;

    auth_user->addIp(ipaddr);
}

void
authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &ipaddr)
{
    Auth::User::Pointer auth_user = auth_user_request->user();

    if (!auth_user)
        return;

    auth_user->removeIp(ipaddr);
}

void
authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer auth_user_request)
{
    if (auth_user_request != NULL)
        auth_user_request->user()->clearIp();
}

int
authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer auth_user_request)
{
    assert(auth_user_request != NULL);
    assert(auth_user_request->user() != NULL);
    return auth_user_request->user()->ipcount;
}

/*
 * authenticateUserAuthenticated: is this auth_user structure logged in ?
 */
int
authenticateUserAuthenticated(Auth::UserRequest::Pointer auth_user_request)
{
    if (auth_user_request == NULL || !auth_user_request->valid())
        return 0;

    return auth_user_request->authenticated();
}

Auth::Direction
Auth::UserRequest::direction()
{
    if (user() == NULL)
        return Auth::CRED_ERROR; // No credentials. Should this be a CHALLENGE instead?

    if (authenticateUserAuthenticated(this))
        return Auth::CRED_VALID;

    return module_direction();
}

void
Auth::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accelerated)
{}

void
Auth::UserRequest::addAuthenticationInfoTrailer(HttpReply * rep, int accelerated)
{}

void
Auth::UserRequest::releaseAuthServer()
{}

const char *
Auth::UserRequest::connLastHeader()
{
    fatal("Auth::UserRequest::connLastHeader should always be overridden by conn based auth schemes");
    return NULL;
}

/*
 * authenticateAuthenticateUser: call the module specific code to
 * log this user request in.
 * Cache hits may change the auth_user pointer in the structure if needed.
 * This is basically a handle approach.
 */
static void
authenticateAuthenticateUser(Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, ConnStateData * conn, http_hdr_type type)
{
    assert(auth_user_request.getRaw() != NULL);

    auth_user_request->authenticate(request, conn, type);
}

static Auth::UserRequest::Pointer
authTryGetUser(Auth::UserRequest::Pointer auth_user_request, ConnStateData * conn, HttpRequest * request)
{
    if (auth_user_request != NULL)
        return auth_user_request;
    else if (request != NULL && request->auth_user_request != NULL)
        return request->auth_user_request;
    else if (conn != NULL)
        return conn->getAuth();
    else
        return NULL;
}

/* returns one of
 * AUTH_ACL_CHALLENGE,
 * AUTH_ACL_HELPER,
 * AUTH_ACL_CANNOT_AUTHENTICATE,
 * AUTH_AUTHENTICATED
 *
 * How to use: In your proxy-auth dependent acl code, use the following
 * construct:
 * int rv;
 * if ((rv = AuthenticateAuthenticate()) != AUTH_AUTHENTICATED)
 *   return rv;
 *
 * when this code is reached, the request/connection is authenticated.
 *
 * if you have non-acl code, but want to force authentication, you need a
 * callback mechanism like the acl testing routines that will send a 40[1|7] to
 * the client when rv==AUTH_ACL_CHALLENGE, and will communicate with
 * the authenticateStart routine for rv==AUTH_ACL_HELPER
 *
 * Caller is responsible for locking and unlocking their *auth_user_request!
 */
AuthAclState
Auth::UserRequest::authenticate(Auth::UserRequest::Pointer * auth_user_request, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr)
{
    const char *proxy_auth;
    assert(headertype != 0);

    proxy_auth = request->header.getStr(headertype);

    /*
     * a note on proxy_auth logix here:
     * proxy_auth==NULL -> unauthenticated request || already
     * authenticated connection so we test for an authenticated
     * connection when we recieve no authentication header.
     */

    /* a) can we find other credentials to use? and b) are they logged in already? */
    if (proxy_auth == NULL && !authenticateUserAuthenticated(authTryGetUser(*auth_user_request,conn,request))) {
        /* no header or authentication failed/got corrupted - restart */
        debugs(29, 4, HERE << "No Proxy-Auth header and no working alternative. Requesting auth header.");

        /* something wrong with the AUTH credentials. Force a new attempt */

        /* connection auth we must reset on auth errors */
        if (conn != NULL) {
            conn->setAuth(NULL, "HTTP request missing credentials");
        }

        *auth_user_request = NULL;
        return AUTH_ACL_CHALLENGE;
    }

    /*
     * Is this an already authenticated connection with a new auth header?
     * No check for function required in the if: its compulsory for conn based
     * auth modules
     */
    if (proxy_auth && conn != NULL && conn->getAuth() != NULL &&
            authenticateUserAuthenticated(conn->getAuth()) &&
            conn->getAuth()->connLastHeader() != NULL &&
            strcmp(proxy_auth, conn->getAuth()->connLastHeader())) {
        debugs(29, 2, "WARNING: DUPLICATE AUTH - authentication header on already authenticated connection!. AU " <<
               conn->getAuth() << ", Current user '" <<
               conn->getAuth()->username() << "' proxy_auth " <<
               proxy_auth);

        /* remove this request struct - the link is already authed and it can't be to reauth. */

        /* This should _only_ ever occur on the first pass through
         * authenticateAuthenticate
         */
        assert(*auth_user_request == NULL);
        conn->setAuth(NULL, "changed credentials token");
    }

    /* we have a proxy auth header and as far as we know this connection has
     * not had bungled connection oriented authentication happen on it. */
    debugs(29, 9, HERE << "header " << (proxy_auth ? proxy_auth : "-") << ".");

    if (*auth_user_request == NULL) {
        if (conn != NULL) {
            debugs(29, 9, HERE << "This is a new checklist test on:" << conn->clientConnection);
        }

        if (proxy_auth && request->auth_user_request == NULL && conn != NULL && conn->getAuth() != NULL) {
            Auth::Config * scheme = Auth::Config::Find(proxy_auth);

            if (conn->getAuth()->user() == NULL || conn->getAuth()->user()->config != scheme) {
                debugs(29, DBG_IMPORTANT, "WARNING: Unexpected change of authentication scheme from '" <<
                       (conn->getAuth()->user()!=NULL?conn->getAuth()->user()->config->type():"[no user]") <<
                       "' to '" << proxy_auth << "' (client " <<
                       src_addr << ")");

                conn->setAuth(NULL, "changed auth scheme");
            }
        }

        if (request->auth_user_request == NULL && (conn == NULL || conn->getAuth() == NULL)) {
            /* beginning of a new request check */
            debugs(29, 4, HERE << "No connection authentication type");

            *auth_user_request = Auth::Config::CreateAuthUser(proxy_auth);
            if (*auth_user_request == NULL)
                return AUTH_ACL_CHALLENGE;
            else if (!(*auth_user_request)->valid()) {
                /* the decode might have left a username for logging, or a message to
                 * the user */

                if ((*auth_user_request)->username()) {
                    request->auth_user_request = *auth_user_request;
                }

                *auth_user_request = NULL;
                return AUTH_ACL_CHALLENGE;
            }

        } else if (request->auth_user_request != NULL) {
            *auth_user_request = request->auth_user_request;
        } else {
            assert (conn != NULL);
            if (conn->getAuth() != NULL) {
                *auth_user_request = conn->getAuth();
            } else {
                /* failed connection based authentication */
                debugs(29, 4, HERE << "Auth user request " << *auth_user_request << " conn-auth missing and failed to authenticate.");
                *auth_user_request = NULL;
                return AUTH_ACL_CHALLENGE;
            }
        }
    }

    if (!authenticateUserAuthenticated(*auth_user_request)) {
        /* User not logged in. Try to log them in */
        authenticateAuthenticateUser(*auth_user_request, request, conn, headertype);

        switch ((*auth_user_request)->direction()) {

        case Auth::CRED_CHALLENGE:

            if (request->auth_user_request == NULL) {
                request->auth_user_request = *auth_user_request;
            }

            /* fallthrough to ERROR case and do the challenge */

        case Auth::CRED_ERROR:
            /* this ACL check is finished. */
            *auth_user_request = NULL;
            return AUTH_ACL_CHALLENGE;

        case Auth::CRED_LOOKUP:
            /* we are partway through authentication within squid,
             * the *auth_user_request variables stores the auth_user_request
             * for the callback to here - Do not Unlock */
            return AUTH_ACL_HELPER;

        case Auth::CRED_VALID:
            /* authentication is finished */
            /* See if user authentication failed for some reason */
            if (!authenticateUserAuthenticated(*auth_user_request)) {
                if ((*auth_user_request)->username()) {
                    if (!request->auth_user_request) {
                        request->auth_user_request = *auth_user_request;
                    }
                }

                *auth_user_request = NULL;
                return AUTH_ACL_CHALLENGE;
            }
            // otherwise fallthrough to acceptance.
        }
    }

    /* copy username to request for logging on client-side */
    /* the credentials are correct at this point */
    if (request->auth_user_request == NULL) {
        request->auth_user_request = *auth_user_request;
        authenticateAuthUserRequestSetIp(*auth_user_request, src_addr);
    }

    return AUTH_AUTHENTICATED;
}

AuthAclState
Auth::UserRequest::tryToAuthenticateAndSetAuthUser(Auth::UserRequest::Pointer * aUR, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr)
{
    // If we have already been called, return the cached value
    Auth::UserRequest::Pointer t = authTryGetUser(*aUR, conn, request);

    if (t != NULL && t->lastReply != AUTH_ACL_CANNOT_AUTHENTICATE && t->lastReply != AUTH_ACL_HELPER) {
        if (*aUR == NULL)
            *aUR = t;

        if (request->auth_user_request == NULL && t->lastReply == AUTH_AUTHENTICATED) {
            request->auth_user_request = t;
        }
        return t->lastReply;
    }

    // ok, call the actual authenticator routine.
    AuthAclState result = authenticate(aUR, headertype, request, conn, src_addr);

    // auth process may have changed the UserRequest we are dealing with
    t = authTryGetUser(*aUR, conn, request);

    if (t != NULL && result != AUTH_ACL_CANNOT_AUTHENTICATE && result != AUTH_ACL_HELPER)
        t->lastReply = result;

    return result;
}

void
Auth::UserRequest::addReplyAuthHeader(HttpReply * rep, Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal)
/* send the auth types we are configured to support (and have compiled in!) */
{
    http_hdr_type type;

    switch (rep->sline.status()) {

    case Http::scProxyAuthenticationRequired:
        /* Proxy authorisation needed */
        type = HDR_PROXY_AUTHENTICATE;
        break;

    case Http::scUnauthorized:
        /* WWW Authorisation needed */
        type = HDR_WWW_AUTHENTICATE;
        break;

    default:
        /* Keep GCC happy */
        /* some other HTTP status */
        type = HDR_ENUM_END;
        break;
    }

    debugs(29, 9, HERE << "headertype:" << type << " authuser:" << auth_user_request);

    if (((rep->sline.status() == Http::scProxyAuthenticationRequired)
            || (rep->sline.status() == Http::scUnauthorized)) && internal)
        /* this is a authenticate-needed response */
    {

        if (auth_user_request != NULL && auth_user_request->direction() == Auth::CRED_CHALLENGE)
            /* add the scheme specific challenge header to the response */
            auth_user_request->user()->config->fixHeader(auth_user_request, rep, type, request);
        else {
            /* call each configured & running authscheme */

            for (Auth::ConfigVector::iterator  i = Auth::TheConfig.begin(); i != Auth::TheConfig.end(); ++i) {
                Auth::Config *scheme = *i;

                if (scheme->active())
                    scheme->fixHeader(NULL, rep, type, request);
                else
                    debugs(29, 4, HERE << "Configured scheme " << scheme->type() << " not Active");
            }
        }

    }

    /*
     * allow protocol specific headers to be _added_ to the existing
     * response - currently Digest or Negotiate auth
     */
    if (auth_user_request != NULL) {
        auth_user_request->addAuthenticationInfoHeader(rep, accelerated);
        if (auth_user_request->lastReply != AUTH_AUTHENTICATED)
            auth_user_request->lastReply = AUTH_ACL_CANNOT_AUTHENTICATE;
    }
}

// TODO remove wrapper.
void
authenticateFixHeader(HttpReply * rep, Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal)
{
    Auth::UserRequest::addReplyAuthHeader(rep, auth_user_request, request, accelerated, internal);
}

/* call the active auth module and allow it to add a trailer to the request */
// TODO remove wrapper
void
authenticateAddTrailer(HttpReply * rep, Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated)
{
    if (auth_user_request != NULL)
        auth_user_request->addAuthenticationInfoTrailer(rep, accelerated);
}

Auth::Scheme::Pointer
Auth::UserRequest::scheme() const
{
    return Auth::Scheme::Find(user()->config->type());
}
Commit	Line	Data
f5691f9c	1	/*
f5691f9c	2	* DEBUG: section 29 Authenticator
	3	* AUTHOR: Robert Collins
	4	*
	5	* SQUID Web Proxy Cache http://www.squid-cache.org/
	6	* ----------------------------------------------------------
	7	*
	8	* Squid is the result of efforts by numerous individuals from
	9	* the Internet community; see the CONTRIBUTORS file for full
	10	* details. Many organizations have provided support for Squid's
	11	* development; see the SPONSORS file for full details. Squid is
	12	* Copyrighted (C) 2001 by the Regents of the University of
	13	* California; see the COPYRIGHT file for full details. Squid
	14	* incorporates software developed and/or copyrighted by other
	15	* sources; see the CREDITS file for full details.
	16	*
	17	* This program is free software; you can redistribute it and/or modify
	18	* it under the terms of the GNU General Public License as published by
	19	* the Free Software Foundation; either version 2 of the License, or
	20	* (at your option) any later version.
26ac0430	21	*
f5691f9c	22	* This program is distributed in the hope that it will be useful,
	23	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	24	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	25	* GNU General Public License for more details.
26ac0430	26	*
f5691f9c	27	* You should have received a copy of the GNU General Public License
	28	* along with this program; if not, write to the Free Software
	29	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	30	*
	31	*/
	32
	33	/* The functions in this file handle authentication.
	34	* They DO NOT perform access control or auditing.
	35	* See acl.c for access control and client_side.c for auditing */
	36
582c2af2	37	#include "squid.h"
2d2b0bb7 AR	38	#include "auth/Config.h"
2d2b0bb7 AR	39	#include "auth/Scheme.h"
c7baff40	40	#include "auth/User.h"
602d9612	41	#include "auth/UserRequest.h"
582c2af2	42	#include "client_side.h"
5c336a3b	43	#include "comm/Connection.h"
f5691f9c	44	#include "HttpReply.h"
f5691f9c	45	#include "HttpRequest.h"
f5691f9c	46
	47	/* Generic Functions */
	48
f5691f9c	49	char const *
c7baff40	50	Auth::UserRequest::username() const
f5691f9c	51	{
56a49fda	52	if (user() != NULL)
f5691f9c	53	return user()->username();
	54	else
	55	return NULL;
	56	}
	57
f5691f9c	58	/** PUBLIC FUNCTIONS (ALL GENERIC!) **/
	59
	60	/* send the initial data to an authenticator module */
	61	void
4c535e87	62	Auth::UserRequest::start(AUTHCB * handler, void *data)
f5691f9c	63	{
f5691f9c	64	assert(handler);
a088a999	65	assert(data);
c7baff40	66	debugs(29, 9, HERE << "auth_user_request '" << this << "'");
f5691f9c	67	module_start(handler, data);
	68	}
	69
2e39494f	70	bool
c7baff40	71	Auth::UserRequest::valid() const
f5691f9c	72	{
c7baff40	73	debugs(29, 9, HERE << "Validating Auth::UserRequest '" << this << "'.");
f5691f9c	74
2e39494f	75	if (user() == NULL) {
d87154ee	76	debugs(29, 4, HERE << "No associated Auth::User data");
0a608df9	77	return false;
f5691f9c	78	}
f5691f9c	79
616cfc4c	80	if (user()->auth_type == Auth::AUTH_UNKNOWN) {
d87154ee	81	debugs(29, 4, HERE << "Auth::User '" << user() << "' uses unknown scheme.");
2e39494f	82	return false;
f5691f9c	83	}
f5691f9c	84
616cfc4c	85	if (user()->auth_type == Auth::AUTH_BROKEN) {
d87154ee	86	debugs(29, 4, HERE << "Auth::User '" << user() << "' is broken for it's scheme.");
2e39494f	87	return false;
f5691f9c	88	}
	89
	90	/* any other sanity checks that we need in the future */
	91
f5691f9c	92	/* finally return ok */
c7baff40	93	debugs(29, 5, HERE << "Validated. Auth::UserRequest '" << this << "'.");
2e39494f	94	return true;
f5691f9c	95	}
	96
	97	void *
c7baff40	98	Auth::UserRequest::operator new (size_t byteCount)
f5691f9c	99	{
c7baff40	100	fatal("Auth::UserRequest not directly allocatable\n");
f5691f9c	101	return (void *)1;
	102	}
	103
	104	void
c7baff40	105	Auth::UserRequest::operator delete (void *address)
f5691f9c	106	{
c7baff40	107	fatal("Auth::UserRequest child failed to override operator delete\n");
f5691f9c	108	}
f5691f9c	109
c7baff40	110	Auth::UserRequest::UserRequest():
d232141d AJ	111	_auth_user(NULL),
	112	message(NULL),
	113	lastReply(AUTH_ACL_CANNOT_AUTHENTICATE)
f5691f9c	114	{
c7baff40	115	debugs(29, 5, HERE << "initialised request " << this);
f5691f9c	116	}
f5691f9c	117
c7baff40	118	Auth::UserRequest::~UserRequest()
f5691f9c	119	{
8bf217bd	120	assert(LockCount()==0);
c7baff40	121	debugs(29, 5, HERE << "freeing request " << this);
f5691f9c	122
56a49fda	123	if (user() != NULL) {
56a49fda	124	/* release our references to the user credentials */
f5691f9c	125	user(NULL);
	126	}
	127
56a49fda	128	safe_free(message);
f5691f9c	129	}
	130
	131	void
c7baff40	132	Auth::UserRequest::setDenyMessage(char const *aString)
f5691f9c	133	{
56a49fda AJ	134	safe_free(message);
56a49fda AJ	135	message = xstrdup(aString);
f5691f9c	136	}
	137
	138	char const *
c7baff40	139	Auth::UserRequest::getDenyMessage()
f5691f9c	140	{
	141	return message;
	142	}
	143
	144	char const *
c7baff40	145	Auth::UserRequest::denyMessage(char const * const default_message)
f5691f9c	146	{
	147	if (this == NULL \|\| getDenyMessage() == NULL) {
	148	return default_message;
	149	}
	150
	151	return getDenyMessage();
	152	}
	153
	154	static void
c7baff40	155	authenticateAuthUserRequestSetIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address &ipaddr)
f5691f9c	156	{
d87154ee	157	Auth::User::Pointer auth_user = auth_user_request->user();
f5691f9c	158
4c19ba24	159	if (!auth_user)
f5691f9c	160	return;
f5691f9c	161
4c19ba24	162	auth_user->addIp(ipaddr);
f5691f9c	163	}
	164
	165	void
c7baff40	166	authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &ipaddr)
f5691f9c	167	{
d87154ee	168	Auth::User::Pointer auth_user = auth_user_request->user();
f5691f9c	169
4c19ba24	170	if (!auth_user)
f5691f9c	171	return;
f5691f9c	172
4c19ba24	173	auth_user->removeIp(ipaddr);
f5691f9c	174	}
	175
	176	void
c7baff40	177	authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer auth_user_request)
f5691f9c	178	{
a33a428a	179	if (auth_user_request != NULL)
f5691f9c	180	auth_user_request->user()->clearIp();
	181	}
	182
4b0f5de8	183	int
c7baff40	184	authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer auth_user_request)
f5691f9c	185	{
a33a428a	186	assert(auth_user_request != NULL);
56a49fda	187	assert(auth_user_request->user() != NULL);
f5691f9c	188	return auth_user_request->user()->ipcount;
	189	}
	190
f5691f9c	191	/*
	192	* authenticateUserAuthenticated: is this auth_user structure logged in ?
	193	*/
	194	int
c7baff40	195	authenticateUserAuthenticated(Auth::UserRequest::Pointer auth_user_request)
f5691f9c	196	{
0a608df9	197	if (auth_user_request == NULL \|\| !auth_user_request->valid())
f5691f9c	198	return 0;
	199
	200	return auth_user_request->authenticated();
	201	}
	202
51a3dd58	203	Auth::Direction
c7baff40	204	Auth::UserRequest::direction()
f5691f9c	205	{
51a3dd58 AJ	206	if (user() == NULL)
	207	return Auth::CRED_ERROR; // No credentials. Should this be a CHALLENGE instead?
	208
f5691f9c	209	if (authenticateUserAuthenticated(this))
51a3dd58	210	return Auth::CRED_VALID;
f5691f9c	211
f5691f9c	212	return module_direction();
f5691f9c	213	}
	214
	215	void
c7baff40	216	Auth::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accelerated)
f5691f9c	217	{}
	218
	219	void
c7baff40	220	Auth::UserRequest::addAuthenticationInfoTrailer(HttpReply * rep, int accelerated)
f5691f9c	221	{}
	222
	223	void
cc1e110a	224	Auth::UserRequest::releaseAuthServer()
f5691f9c	225	{}
	226
	227	const char *
c7baff40	228	Auth::UserRequest::connLastHeader()
f5691f9c	229	{
c7baff40	230	fatal("Auth::UserRequest::connLastHeader should always be overridden by conn based auth schemes");
f5691f9c	231	return NULL;
	232	}
	233
	234	/*
26ac0430	235	* authenticateAuthenticateUser: call the module specific code to
f5691f9c	236	* log this user request in.
	237	* Cache hits may change the auth_user pointer in the structure if needed.
	238	* This is basically a handle approach.
	239	*/
	240	static void
c7baff40	241	authenticateAuthenticateUser(Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, ConnStateData * conn, http_hdr_type type)
f5691f9c	242	{
a33a428a	243	assert(auth_user_request.getRaw() != NULL);
f5691f9c	244
	245	auth_user_request->authenticate(request, conn, type);
	246	}
	247
c7baff40 AJ	248	static Auth::UserRequest::Pointer
c7baff40 AJ	249	authTryGetUser(Auth::UserRequest::Pointer auth_user_request, ConnStateData * conn, HttpRequest * request)
f5691f9c	250	{
a33a428a AJ	251	if (auth_user_request != NULL)
	252	return auth_user_request;
	253	else if (request != NULL && request->auth_user_request != NULL)
f5691f9c	254	return request->auth_user_request;
4d3a24ca	255	else if (conn != NULL)
cc1e110a	256	return conn->getAuth();
f5691f9c	257	else
	258	return NULL;
	259	}
	260
	261	/* returns one of
	262	* AUTH_ACL_CHALLENGE,
	263	* AUTH_ACL_HELPER,
	264	* AUTH_ACL_CANNOT_AUTHENTICATE,
	265	* AUTH_AUTHENTICATED
	266	*
26ac0430	267	* How to use: In your proxy-auth dependent acl code, use the following
f5691f9c	268	* construct:
	269	* int rv;
	270	* if ((rv = AuthenticateAuthenticate()) != AUTH_AUTHENTICATED)
	271	* return rv;
26ac0430	272	*
f5691f9c	273	* when this code is reached, the request/connection is authenticated.
f5691f9c	274	*
26ac0430	275	* if you have non-acl code, but want to force authentication, you need a
f5691f9c	276	* callback mechanism like the acl testing routines that will send a 40[1\|7] to
26ac0430	277	* the client when rv==AUTH_ACL_CHALLENGE, and will communicate with
f5691f9c	278	* the authenticateStart routine for rv==AUTH_ACL_HELPER
4f0ef8e8	279	*
4f0ef8e8	280	* Caller is responsible for locking and unlocking their *auth_user_request!
f5691f9c	281	*/
56a49fda	282	AuthAclState
c7baff40	283	Auth::UserRequest::authenticate(Auth::UserRequest::Pointer * auth_user_request, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr)
f5691f9c	284	{
	285	const char *proxy_auth;
	286	assert(headertype != 0);
	287
a9925b40	288	proxy_auth = request->header.getStr(headertype);
f5691f9c	289
	290	/*
	291	* a note on proxy_auth logix here:
	292	* proxy_auth==NULL -> unauthenticated request \|\| already
	293	* authenticated connection so we test for an authenticated
	294	* connection when we recieve no authentication header.
	295	*/
	296
a1ce83aa AJ	297	/* a) can we find other credentials to use? and b) are they logged in already? */
a1ce83aa AJ	298	if (proxy_auth == NULL && !authenticateUserAuthenticated(authTryGetUser(*auth_user_request,conn,request))) {
f5691f9c	299	/* no header or authentication failed/got corrupted - restart */
a1ce83aa AJ	300	debugs(29, 4, HERE << "No Proxy-Auth header and no working alternative. Requesting auth header.");
a1ce83aa AJ	301
f5691f9c	302	/* something wrong with the AUTH credentials. Force a new attempt */
f5691f9c	303
a1ce83aa	304	/* connection auth we must reset on auth errors */
4d3a24ca	305	if (conn != NULL) {
cc1e110a	306	conn->setAuth(NULL, "HTTP request missing credentials");
f5691f9c	307	}
f5691f9c	308
26ac0430	309	*auth_user_request = NULL;
f5691f9c	310	return AUTH_ACL_CHALLENGE;
	311	}
	312
	313	/*
	314	* Is this an already authenticated connection with a new auth header?
26ac0430	315	* No check for function required in the if: its compulsory for conn based
f5691f9c	316	* auth modules
f5691f9c	317	*/
cc1e110a AJ	318	if (proxy_auth && conn != NULL && conn->getAuth() != NULL &&
	319	authenticateUserAuthenticated(conn->getAuth()) &&
	320	conn->getAuth()->connLastHeader() != NULL &&
	321	strcmp(proxy_auth, conn->getAuth()->connLastHeader())) {
a1ce83aa	322	debugs(29, 2, "WARNING: DUPLICATE AUTH - authentication header on already authenticated connection!. AU " <<
cc1e110a AJ	323	conn->getAuth() << ", Current user '" <<
cc1e110a AJ	324	conn->getAuth()->username() << "' proxy_auth " <<
bf8fe701	325	proxy_auth);
bf8fe701	326
a1ce83aa	327	/* remove this request struct - the link is already authed and it can't be to reauth. */
f5691f9c	328
f5691f9c	329	/* This should _only_ ever occur on the first pass through
26ac0430	330	* authenticateAuthenticate
f5691f9c	331	*/
f5691f9c	332	assert(*auth_user_request == NULL);
cc1e110a	333	conn->setAuth(NULL, "changed credentials token");
f5691f9c	334	}
	335
	336	/* we have a proxy auth header and as far as we know this connection has
	337	* not had bungled connection oriented authentication happen on it. */
a1ce83aa	338	debugs(29, 9, HERE << "header " << (proxy_auth ? proxy_auth : "-") << ".");
f5691f9c	339
26ac0430	340	if (*auth_user_request == NULL) {
5c336a3b	341	if (conn != NULL) {
73c36fd9	342	debugs(29, 9, HERE << "This is a new checklist test on:" << conn->clientConnection);
5c336a3b	343	}
f5691f9c	344
cc1e110a	345	if (proxy_auth && request->auth_user_request == NULL && conn != NULL && conn->getAuth() != NULL) {
9f3d2b2e	346	Auth::Config * scheme = Auth::Config::Find(proxy_auth);
638b2ce3	347
cc1e110a	348	if (conn->getAuth()->user() == NULL \|\| conn->getAuth()->user()->config != scheme) {
c7baff40	349	debugs(29, DBG_IMPORTANT, "WARNING: Unexpected change of authentication scheme from '" <<
cc1e110a	350	(conn->getAuth()->user()!=NULL?conn->getAuth()->user()->config->type():"[no user]") <<
bf8fe701	351	"' to '" << proxy_auth << "' (client " <<
cc192b50	352	src_addr << ")");
bf8fe701	353
cc1e110a	354	conn->setAuth(NULL, "changed auth scheme");
638b2ce3	355	}
	356	}
	357
cc1e110a	358	if (request->auth_user_request == NULL && (conn == NULL \|\| conn->getAuth() == NULL)) {
f5691f9c	359	/* beginning of a new request check */
a1ce83aa	360	debugs(29, 4, HERE << "No connection authentication type");
f5691f9c	361
9f3d2b2e	362	*auth_user_request = Auth::Config::CreateAuthUser(proxy_auth);
0a608df9 AJ	363	if (*auth_user_request == NULL)
	364	return AUTH_ACL_CHALLENGE;
	365	else if (!(*auth_user_request)->valid()) {
f5691f9c	366	/* the decode might have left a username for logging, or a message to
	367	* the user */
	368
	369	if ((*auth_user_request)->username()) {
f5691f9c	370	request->auth_user_request = *auth_user_request;
	371	}
	372
f5691f9c	373	*auth_user_request = NULL;
f5691f9c	374	return AUTH_ACL_CHALLENGE;
	375	}
	376
a33a428a	377	} else if (request->auth_user_request != NULL) {
f5691f9c	378	*auth_user_request = request->auth_user_request;
f5691f9c	379	} else {
4d3a24ca	380	assert (conn != NULL);
cc1e110a AJ	381	if (conn->getAuth() != NULL) {
cc1e110a AJ	382	*auth_user_request = conn->getAuth();
f5691f9c	383	} else {
f5691f9c	384	/* failed connection based authentication */
cc1e110a	385	debugs(29, 4, HERE << "Auth user request " << *auth_user_request << " conn-auth missing and failed to authenticate.");
f5691f9c	386	*auth_user_request = NULL;
	387	return AUTH_ACL_CHALLENGE;
	388	}
	389	}
	390	}
	391
26ac0430	392	if (!authenticateUserAuthenticated(*auth_user_request)) {
51a3dd58	393	/* User not logged in. Try to log them in */
a33a428a	394	authenticateAuthenticateUser(*auth_user_request, request, conn, headertype);
f5691f9c	395
51a3dd58	396	switch ((*auth_user_request)->direction()) {
f5691f9c	397
51a3dd58	398	case Auth::CRED_CHALLENGE:
f5691f9c	399
a33a428a	400	if (request->auth_user_request == NULL) {
f5691f9c	401	request->auth_user_request = *auth_user_request;
	402	}
	403
51a3dd58	404	/* fallthrough to ERROR case and do the challenge */
f5691f9c	405
51a3dd58	406	case Auth::CRED_ERROR:
4f0ef8e8	407	/* this ACL check is finished. */
f5691f9c	408	*auth_user_request = NULL;
f5691f9c	409	return AUTH_ACL_CHALLENGE;
f5691f9c	410
51a3dd58	411	case Auth::CRED_LOOKUP:
f5691f9c	412	/* we are partway through authentication within squid,
	413	* the *auth_user_request variables stores the auth_user_request
	414	* for the callback to here - Do not Unlock */
	415	return AUTH_ACL_HELPER;
f5691f9c	416
51a3dd58 AJ	417	case Auth::CRED_VALID:
	418	/* authentication is finished */
	419	/* See if user authentication failed for some reason */
	420	if (!authenticateUserAuthenticated(*auth_user_request)) {
	421	if ((*auth_user_request)->username()) {
	422	if (!request->auth_user_request) {
	423	request->auth_user_request = *auth_user_request;
	424	}
f5691f9c	425	}
f5691f9c	426
51a3dd58 AJ	427	*auth_user_request = NULL;
	428	return AUTH_ACL_CHALLENGE;
	429	}
	430	// otherwise fallthrough to acceptance.
f5691f9c	431	}
	432	}
	433
	434	/* copy username to request for logging on client-side */
	435	/* the credentials are correct at this point */
a33a428a	436	if (request->auth_user_request == NULL) {
f5691f9c	437	request->auth_user_request = *auth_user_request;
f5691f9c	438	authenticateAuthUserRequestSetIp(*auth_user_request, src_addr);
	439	}
	440
f5691f9c	441	return AUTH_AUTHENTICATED;
	442	}
	443
56a49fda	444	AuthAclState
c7baff40	445	Auth::UserRequest::tryToAuthenticateAndSetAuthUser(Auth::UserRequest::Pointer * aUR, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr)
f5691f9c	446	{
c7baff40 AJ	447	// If we have already been called, return the cached value
c7baff40 AJ	448	Auth::UserRequest::Pointer t = authTryGetUser(*aUR, conn, request);
f5691f9c	449
a33a428a	450	if (t != NULL && t->lastReply != AUTH_ACL_CANNOT_AUTHENTICATE && t->lastReply != AUTH_ACL_HELPER) {
c7baff40 AJ	451	if (*aUR == NULL)
c7baff40 AJ	452	*aUR = t;
f5691f9c	453
a33a428a	454	if (request->auth_user_request == NULL && t->lastReply == AUTH_AUTHENTICATED) {
26ac0430	455	request->auth_user_request = t;
26ac0430	456	}
f5691f9c	457	return t->lastReply;
	458	}
	459
c7baff40 AJ	460	// ok, call the actual authenticator routine.
c7baff40 AJ	461	AuthAclState result = authenticate(aUR, headertype, request, conn, src_addr);
f5691f9c	462
c7baff40 AJ	463	// auth process may have changed the UserRequest we are dealing with
c7baff40 AJ	464	t = authTryGetUser(*aUR, conn, request);
f5691f9c	465
a33a428a	466	if (t != NULL && result != AUTH_ACL_CANNOT_AUTHENTICATE && result != AUTH_ACL_HELPER)
f5691f9c	467	t->lastReply = result;
	468
	469	return result;
	470	}
	471
f5691f9c	472	void
c7baff40	473	Auth::UserRequest::addReplyAuthHeader(HttpReply * rep, Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal)
f5691f9c	474	/* send the auth types we are configured to support (and have compiled in!) */
	475	{
	476	http_hdr_type type;
	477
9b769c67	478	switch (rep->sline.status()) {
f5691f9c	479
955394ce	480	case Http::scProxyAuthenticationRequired:
f5691f9c	481	/* Proxy authorisation needed */
	482	type = HDR_PROXY_AUTHENTICATE;
	483	break;
	484
955394ce	485	case Http::scUnauthorized:
f5691f9c	486	/* WWW Authorisation needed */
	487	type = HDR_WWW_AUTHENTICATE;
	488	break;
	489
	490	default:
	491	/* Keep GCC happy */
	492	/* some other HTTP status */
	493	type = HDR_ENUM_END;
	494	break;
	495	}
	496
c7baff40	497	debugs(29, 9, HERE << "headertype:" << type << " authuser:" << auth_user_request);
f5691f9c	498
9b769c67 AJ	499	if (((rep->sline.status() == Http::scProxyAuthenticationRequired)
9b769c67 AJ	500	\|\| (rep->sline.status() == Http::scUnauthorized)) && internal)
f5691f9c	501	/* this is a authenticate-needed response */
	502	{
	503
51a3dd58 AJ	504	if (auth_user_request != NULL && auth_user_request->direction() == Auth::CRED_CHALLENGE)
51a3dd58 AJ	505	/* add the scheme specific challenge header to the response */
f5691f9c	506	auth_user_request->user()->config->fixHeader(auth_user_request, rep, type, request);
26ac0430	507	else {
f5691f9c	508	/* call each configured & running authscheme */
f5691f9c	509
9f3d2b2e AJ	510	for (Auth::ConfigVector::iterator i = Auth::TheConfig.begin(); i != Auth::TheConfig.end(); ++i) {
9f3d2b2e AJ	511	Auth::Config scheme = i;
f5691f9c	512
	513	if (scheme->active())
	514	scheme->fixHeader(NULL, rep, type, request);
	515	else
c7baff40	516	debugs(29, 4, HERE << "Configured scheme " << scheme->type() << " not Active");
f5691f9c	517	}
	518	}
	519
	520	}
7afc3bf2	521
f5691f9c	522	/*
f5691f9c	523	* allow protocol specific headers to be _added_ to the existing
7afc3bf2	524	* response - currently Digest or Negotiate auth
f5691f9c	525	*/
26ac0430	526	if (auth_user_request != NULL) {
7afc3bf2	527	auth_user_request->addAuthenticationInfoHeader(rep, accelerated);
26ac0430 AJ	528	if (auth_user_request->lastReply != AUTH_AUTHENTICATED)
26ac0430 AJ	529	auth_user_request->lastReply = AUTH_ACL_CANNOT_AUTHENTICATE;
f5691f9c	530	}
	531	}
	532
c7baff40	533	// TODO remove wrapper.
f5691f9c	534	void
c7baff40	535	authenticateFixHeader(HttpReply * rep, Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal)
f5691f9c	536	{
c7baff40	537	Auth::UserRequest::addReplyAuthHeader(rep, auth_user_request, request, accelerated, internal);
f5691f9c	538	}
f5691f9c	539
f5691f9c	540	/* call the active auth module and allow it to add a trailer to the request */
c7baff40	541	// TODO remove wrapper
f5691f9c	542	void
c7baff40	543	authenticateAddTrailer(HttpReply * rep, Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated)
f5691f9c	544	{
f5691f9c	545	if (auth_user_request != NULL)
7afc3bf2	546	auth_user_request->addAuthenticationInfoTrailer(rep, accelerated);
f5691f9c	547	}
f5691f9c	548
c6cf8dee	549	Auth::Scheme::Pointer
c7baff40	550	Auth::UserRequest::scheme() const
f5691f9c	551	{
c6cf8dee	552	return Auth::Scheme::Find(user()->config->type());
f5691f9c	553	}