2 * DO NOT MODIFY NEXT 2 LINES:
3 * arch-tag: 674533af-8b21-4641-b71a-74c4639072a0
5 * SQUID Web Proxy Cache http://www.squid-cache.org/
6 * ----------------------------------------------------------
8 * Squid is the result of efforts by numerous individuals from
9 * the Internet community; see the CONTRIBUTORS file for full
10 * details. Many organizations have provided support for Squid's
11 * development; see the SPONSORS file for full details. Squid is
12 * Copyrighted (C) 2001 by the Regents of the University of
13 * California; see the COPYRIGHT file for full details. Squid
14 * incorporates software developed and/or copyrighted by other
15 * sources; see the CREDITS file for full details.
17 * This program is free software; you can redistribute it and/or modify
18 * it under the terms of the GNU General Public License as published by
19 * the Free Software Foundation; either version 2 of the License, or
20 * (at your option) any later version.
22 * This program is distributed in the hope that it will be useful,
23 * but WITHOUT ANY WARRANTY; without even the implied warranty of
24 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
25 * GNU General Public License for more details.
27 * You should have received a copy of the GNU General Public License
28 * along with this program; if not, write to the Free Software
29 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
33 #ifndef SQUID_AUTH_USERREQUEST_H
34 #define SQUID_AUTH_USERREQUEST_H
38 #include "auth/AuthAclState.h"
39 #include "auth/Scheme.h"
40 #include "auth/User.h"
42 #include "ip/Address.h"
44 #include "HttpHeader.h"
/**
 * Maximum length (buffer size) for token strings.
 *
 * Fixed upper bound on an authentication token taken from the request
 * headers; code that copies a token into a buffer of this size must bound
 * the copy by this value rather than by the client-supplied length.
 */
// AYJ: must match re-definition in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc
// NOTE(review): the helper carries its own copy of this value instead of
// including this header, so the two definitions can silently drift apart.
#define MAX_AUTHTOKEN_LEN 32768
61 /* IP addr this user authenticated from */
// TODO: make auth schedule AsyncCalls?
/**
 * Completion callback type for asynchronous authentication steps.
 * The void* argument is the opaque data pointer registered together with the
 * handler (start() and module_start() below take an AUTHCB* plus a void* data);
 * NOTE(review): presumably a CBDATA pointer — confirm in UserRequest.cc.
 */
typedef void AUTHCB(void*);
// NP: numeric values specified for old code backward compatibility.
//     remove after transition is complete
// Note: CRED_VALID is 0, so a Direction must never be tested as a plain boolean
// ("if (direction())" would read a valid result as false); compare against the enumerators.
CRED_CHALLENGE = 1, ///< Client needs to be challenged (secure token).
CRED_VALID = 0,     ///< Credentials are valid and up to date. The OK/Failed state is accurate.
CRED_LOOKUP = -1,   ///< Credentials need to be validated with the backend helper.
CRED_ERROR = -2     ///< ERROR in the auth module. Cannot determine the state of this request.
83 * This short-lived structure is the visible aspect of the authentication framework.
85 * It and its children hold the state data while processing authentication for a client request.
86 * The AuthenticationStateData object is merely a CBDATA wrapper for one of these.
88 class UserRequest
: public RefCountable
/// Reference-counted handle to a UserRequest; this is the type handed between
/// client_side, the ACL code and the auth schemes (see tryToAuthenticateAndSetAuthUser()).
typedef RefCount<Auth::UserRequest> Pointer;
/// Virtual: scheme-specific subclasses are released through the base-class Pointer.
virtual ~UserRequest();
/// Class-specific allocation paired with the operator delete below;
/// NOTE(review): presumably a pooled allocator — confirm in UserRequest.cc before relying on it.
void *operator new(size_t byteCount);
void operator delete(void *address);
/**
 * This is the object passed around by client_side and acl functions.
 * It has request specific data, and links to user specific data.
 *
 * Accessed through the user() accessors below. NOTE(review): may be unset
 * while credentials are still missing — check before dereferencing.
 */
User::Pointer _auth_user;
/**
 * Used by squid to determine what the next step in performing authentication for a given scheme is.
 *
 * \retval CRED_ERROR     ERROR in the auth module. Cannot determine request direction.
 * \retval CRED_LOOKUP    The auth module needs to send data to an external helper.
 *                        Squid will prepare for a callback on the request and call the AUTHSSTART function.
 * \retval CRED_VALID     The auth module has all the information it needs to perform the authentication
 *                        and provide a succeed/fail result.
 * \retval CRED_CHALLENGE The auth module needs to send a new challenge to the request originator.
 *                        Squid will return the appropriate status code (401 or 407) and call the registered
 *                        FixError function to allow the auth module to insert its challenge.
 *
 * Non-virtual entry point; NOTE(review): presumably wraps the scheme's module_direction()
 * template method after generic state checks — confirm in UserRequest.cc.
 */
Direction direction();
/**
 * Used by squid to determine whether the auth scheme has successfully authenticated the user request.
 *
 * Declared as returning int but documented and used as a boolean:
 * \retval true  User has successfully been authenticated.
 * \retval false Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
 *
 * Callers should treat any non-zero value as "authenticated" and only zero as "not";
 * do not compare the result against 1.
 */
virtual int authenticated() const = 0;
129 * Check an auth_user pointer for validity.
130 * Does not check passwords, just data sanity. Broken or Unknown auth_types are not valid for use...
132 * \retval false User credentials are missing.
133 * \retval false User credentials use an unknown scheme type.
134 * \retval false User credentials are broken for their scheme.
136 * \retval true User credentials exist and may be able to authenticate.
/**
 * Scheme-specific authentication step for this request (template method).
 *
 * \param request the HttpRequest being authenticated
 * \param conn    the client connection; NOTE(review): presumably needed by the
 *                connection-oriented schemes that cache state on the connection — confirm
 * \param type    header type carrying the credentials (inferred from the 401/407
 *                split documented on direction(); confirm)
 *
 * Returns nothing; the outcome is observed afterwards through authenticated() and direction().
 * Not to be confused with the static authenticate() overload declared further down.
 */
virtual void authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type) = 0;
/**
 * Template method - what needs to be done next? advertise schemes, challenge, handle error, nothing?
 * Implemented per scheme; see direction() for the meaning of each Direction value.
 */
virtual Direction module_direction() = 0;
/**
 * Add the [Proxy-]Authentication-Info header to the reply.
 * \param rep   reply being built
 * \param accel non-zero in accelerator mode — NOTE(review): presumably selects the
 *              non-Proxy form of the header; inferred from the name, confirm
 * Not pure: schemes that emit no such header can leave the default in place.
 */
virtual void addAuthenticationInfoHeader(HttpReply * rep, int accel);
/**
 * Add the [Proxy-]Authentication-Info trailer to the reply.
 * \param rep   reply being built
 * \param accel non-zero in accelerator mode — NOTE(review): presumably selects the
 *              non-Proxy form of the trailer; inferred from the name, confirm
 * Not pure: schemes that emit no such trailer can leave the default in place.
 */
virtual void addAuthenticationInfoTrailer(HttpReply * rep, int accel);
/**
 * Notification that the client connection associated with this request is closing.
 * Gives connection-oriented schemes a chance to drop per-connection state;
 * NOTE(review): the default behaviour is not visible here — confirm in UserRequest.cc.
 */
virtual void onConnectionClose(ConnStateData *);
/**
 * Called when squid is ready to put the request on hold and wait for a callback from the auth module
 * when the auth module has performed its external activities.
 *
 * \param handler Handler to process the callback when it is run
 * \param data    CBDATA for handler
 *
 * Scheme implementation behind the public start(); NOTE(review): presumably invoked
 * only after direction() reports CRED_LOOKUP — ordering inferred, confirm.
 */
virtual void module_start(AUTHCB *handler, void *data) = 0;
// User credentials object this UserRequest is managing.
/// Mutable accessor; returns a copy of the reference-counted pointer (unset while no credentials were found).
virtual User::Pointer user() {return _auth_user;}
/// Read-only accessor. Note the `const` on a by-value return has no effect for callers.
virtual const User::Pointer user() const {return _auth_user;}
/// Replace the managed credentials object; virtual so a scheme can intercept the change.
virtual void user(User::Pointer aUser) {_auth_user=aUser;}
/**
 * Locate user credentials in one of several locations. Begin authentication if needed.
 *
 * Credentials may be found in one of the following locations (listed by order of preference):
 *  - the source passed as parameter aUR
 *  - cached in the HttpRequest parameter from a previous authentication of this request
 *  - cached in the ConnStateData parameter from a previous authentication of this connection
 *    (only applies to some situations. ie NTLM, Negotiate, Kerberos auth schemes,
 *     or decrypted SSL requests from inside an authenticated CONNECT tunnel)
 *  - cached in the user credentials cache from a previous authentication of the same credentials
 *    (only applies to cacheable authentication methods, ie Basic auth)
 *  - new credentials created from HTTP headers in this request
 *
 * The found credentials are returned in aUR and if successfully authenticated
 * may now be cached in one or more of the above locations.
 *
 * \param aUR  in/out: the caller's credentials pointer, updated to the credentials found
 * The remaining (unnamed) parameters are, in order: the header type to read credentials
 * from, the request being authenticated, the client connection, and the client source
 * address; NOTE(review): presumably forwarded to the private static authenticate() below — confirm.
 * \return Some AUTH_ACL_* state
 *
 * NOTE(review): reusing credentials cached on the connection is only sound while the
 * connection is known to belong to the client that authenticated, which is why the list
 * above restricts it to connection-oriented schemes and authenticated CONNECT tunnels.
 */
static AuthAclState tryToAuthenticateAndSetAuthUser(UserRequest::Pointer *aUR, http_hdr_type, HttpRequest *, ConnStateData *, Ip::Address &);
/**
 * Add the appropriate [Proxy-]Authenticate header to the given reply.
 * \param rep               reply to modify
 * \param auth_user_request credentials for this request, if any (passed by value as a Pointer)
 * \param request           the request being answered
 * \param accelerated       non-zero in accelerator mode — NOTE(review): presumably chooses
 *                          between the 401 and 407 forms documented on direction(); confirm
 * \param internal          NOTE(review): meaning not visible here — confirm in the .cc
 */
static void addReplyAuthHeader(HttpReply * rep, UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal);
/**
 * Public entry point to suspend this request while the auth module does its external work.
 * \param handler callback run when the module finishes
 * \param data    CBDATA passed back to handler
 * NOTE(review): presumably delegates to module_start() (see its documentation) — confirm in UserRequest.cc.
 */
void start(AUTHCB *handler, void *data);
/**
 * Message to show the client when access is denied.
 * \param default_message value to fall back on when no scheme-specific message was set (NULL by default)
 * \return the stored deny message, else default_message. NOTE(review): the returned
 *         pointer is not owned by the caller — do not free it, and do not keep it past
 *         the lifetime of this object or of default_message (ownership inferred; confirm).
 */
char const * denyMessage(char const * const default_message = NULL);
/** Possibly overrideable in future */
/// Set the message later returned by denyMessage() / getDenyMessage(). Whether the string is
/// copied or merely referenced is not visible here — NOTE(review): confirm before passing a temporary.
void setDenyMessage(char const *);
/** Possibly overrideable in future */
/// Raw accessor for the stored deny message; unlike denyMessage() it takes no fallback value.
char const * getDenyMessage();
/**
 * Squid does not make assumptions about where the username is stored.
 * This function must return a pointer to a NULL terminated string to be used in logging the request.
 * The string should NOT be allocated each time this function is called.
 *
 * \retval NULL No username/usercode is known.
 * \retval *    Null-terminated username string.
 *
 * The value originates from client-supplied credentials, so log writers should not
 * assume it is free of control characters or field delimiters.
 */
char const *username() const;
/// The authentication scheme (e.g. Basic, NTLM, Negotiate) these credentials belong to.
Scheme::Pointer scheme() const;
/// NOTE(review): presumably the last authentication header seen on the connection; the
/// semantics and the lifetime of the returned string are not visible here — confirm in the schemes.
virtual const char * connLastHeader();
/**
 * Static worker with the same parameter list as tryToAuthenticateAndSetAuthUser(), here with
 * the parameters named; NOTE(review): presumably the implementation behind it — confirm.
 * Overloads the virtual authenticate(HttpRequest*, ConnStateData*, http_hdr_type) above by
 * signature only; the two are unrelated, which is easy to misread at a call site.
 * \return Some AUTH_ACL_* state
 */
static AuthAclState authenticate(UserRequest::Pointer * auth_user_request, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr);
217 /** return a message on the 407 error pages */
/**
 * We only attempt authentication once per http request. This
 * is to allow multiple auth acl references from different _access areas
 * when using connection based authentication.
 *
 * Holds the AUTH_ACL_* result of that single attempt; NOTE(review): presumably
 * returned to later ACL checks on the same request instead of re-running the helper.
 */
AuthAclState lastReply;
/* AuthUserRequest */

/// Free-function wrappers around the UserRequest API; NOTE(review): presumably kept for
/// older call sites (the Direction enum comment mentions the same transition) — confirm.

/// Parameter list matches UserRequest::addReplyAuthHeader(): adds the [Proxy-]Authenticate header.
extern void authenticateFixHeader(HttpReply *, Auth::UserRequest::Pointer, HttpRequest *, int, int);

/// See UserRequest::addAuthenticationInfoTrailer(); takes the request and credentials explicitly.
extern void authenticateAddTrailer(HttpReply *, Auth::UserRequest::Pointer, HttpRequest *, int);

/// Remove one address from the set of IPs this request's user authenticated from
/// (NOTE(review): inferred from the name and the "IP addr this user authenticated from" comment above; confirm).
extern void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer, Ip::Address const &);

/// Forget every IP address recorded for this request's user (inferred from the name; confirm).
extern void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer);

/// Number of IP addresses currently recorded for this request's user (inferred from the name; confirm).
extern int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer);

/// See Auth::UserRequest::authenticated()
extern int authenticateUserAuthenticated(Auth::UserRequest::Pointer);
#endif /* USE_AUTH */
#endif /* SQUID_AUTH_USERREQUEST_H */