]>
Commit | Line | Data |
---|---|---|
f5691f9c | 1 | /* |
262a0e14 | 2 | * $Id$ |
f5691f9c | 3 | * |
4 | * DEBUG: section 29 Authenticator | |
5 | * AUTHOR: Robert Collins | |
6 | * | |
7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
8 | * ---------------------------------------------------------- | |
9 | * | |
10 | * Squid is the result of efforts by numerous individuals from | |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
18 | * | |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
26ac0430 | 23 | * |
f5691f9c | 24 | * This program is distributed in the hope that it will be useful, |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
26ac0430 | 28 | * |
f5691f9c | 29 | * You should have received a copy of the GNU General Public License |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | * Copyright (c) 2003, Robert Collins <robertc@squid-cache.org> | |
34 | */ | |
35 | ||
36 | #include "squid.h" | |
2d2b0bb7 AR |
37 | #include "auth/User.h" |
38 | #include "auth/UserRequest.h" | |
39 | #include "auth/Config.h" | |
3ad63615 AR |
40 | #include "auth/Gadgets.h" |
41 | #include "acl/Acl.h" | |
42 | #include "acl/Gadgets.h" | |
a553a5a3 | 43 | #include "event.h" |
4c19ba24 | 44 | #include "SquidTime.h" |
f5691f9c | 45 | |
46 | #ifndef _USE_INLINE_ | |
2d2b0bb7 | 47 | #include "auth/User.cci" |
f5691f9c | 48 | #endif |
49 | ||
4c19ba24 | 50 | // This should be converted into a pooled type. Does not need to be cbdata |
51 | CBDATA_TYPE(auth_user_ip_t); | |
52 | ||
f5691f9c | 53 | AuthUser::AuthUser (AuthConfig *aConfig) : |
54 | auth_type (AUTH_UNKNOWN), config(aConfig), | |
55 | usernamehash (NULL), ipcount (0), expiretime (0), references (0), username_(NULL) | |
56 | { | |
57 | proxy_auth_list.head = proxy_auth_list.tail = NULL; | |
58 | proxy_match_cache.head = proxy_match_cache.tail = NULL; | |
59 | ip_list.head = ip_list.tail = NULL; | |
60 | requests.head = requests.tail = NULL; | |
4a7a3d56 | 61 | debugs(29, 5, "AuthUser::AuthUser: Initialised auth_user '" << this << "' with refcount '" << references << "'."); |
f5691f9c | 62 | } |
63 | ||
64 | /* Combine two user structs. ONLY to be called from within a scheme | |
65 | * module. The scheme module is responsible for ensuring that the | |
66 | * two users _can_ be merged without invalidating all the request | |
67 | * scheme data. The scheme is also responsible for merging any user | |
68 | * related scheme data itself. | |
69 | */ | |
70 | void | |
71 | AuthUser::absorb (AuthUser *from) | |
72 | { | |
76f142cd | 73 | AuthUserRequest *auth_user_request; |
f5691f9c | 74 | /* |
75 | * XXX combine two authuser structs. Incomplete: it should merge | |
76 | * in hash references too and ask the module to merge in scheme | |
77 | * data | |
78 | */ | |
bf8fe701 | 79 | debugs(29, 5, "authenticateAuthUserMerge auth_user '" << from << "' into auth_user '" << this << "'."); |
f5691f9c | 80 | dlink_node *link = from->requests.head; |
81 | ||
82 | while (link) { | |
76f142cd | 83 | auth_user_request = static_cast<AuthUserRequest *>(link->data); |
f5691f9c | 84 | dlink_node *tmplink = link; |
85 | link = link->next; | |
86 | dlinkDelete(tmplink, &from->requests); | |
87 | dlinkAddTail(auth_user_request, tmplink, &requests); | |
88 | auth_user_request->user(this); | |
89 | } | |
90 | ||
91 | references += from->references; | |
92 | from->references = 0; | |
93 | delete from; | |
94 | } | |
95 | ||
96 | AuthUser::~AuthUser() | |
97 | { | |
76f142cd | 98 | AuthUserRequest *auth_user_request; |
f5691f9c | 99 | dlink_node *link, *tmplink; |
4a7a3d56 | 100 | debugs(29, 5, "AuthUser::~AuthUser: Freeing auth_user '" << this << "' with refcount '" << references << "'."); |
f5691f9c | 101 | assert(references == 0); |
102 | /* were they linked in by username ? */ | |
103 | ||
104 | if (usernamehash) { | |
105 | assert(usernamehash->user() == this); | |
bf8fe701 | 106 | debugs(29, 5, "AuthUser::~AuthUser: removing usernamehash entry '" << usernamehash << "'"); |
f5691f9c | 107 | hash_remove_link(proxy_auth_username_cache, |
108 | (hash_link *) usernamehash); | |
109 | /* don't free the key as we use the same user string as the auth_user | |
110 | * structure */ | |
111 | delete usernamehash; | |
112 | } | |
113 | ||
114 | /* remove any outstanding requests */ | |
115 | link = requests.head; | |
116 | ||
117 | while (link) { | |
bf8fe701 | 118 | debugs(29, 5, "AuthUser::~AuthUser: removing request entry '" << link->data << "'"); |
76f142cd | 119 | auth_user_request = static_cast<AuthUserRequest *>(link->data); |
f5691f9c | 120 | tmplink = link; |
121 | link = link->next; | |
122 | dlinkDelete(tmplink, &requests); | |
123 | dlinkNodeDelete(tmplink); | |
124 | delete auth_user_request; | |
125 | } | |
126 | ||
127 | /* free cached acl results */ | |
128 | aclCacheMatchFlush(&proxy_match_cache); | |
129 | ||
130 | /* free seen ip address's */ | |
131 | clearIp(); | |
132 | ||
3f5f1a01 | 133 | if (username_) |
134 | xfree((char*)username_); | |
f5691f9c | 135 | |
136 | /* prevent accidental reuse */ | |
137 | auth_type = AUTH_UNKNOWN; | |
138 | } | |
139 | ||
140 | void | |
141 | AuthUser::cacheInit(void) | |
142 | { | |
143 | if (!proxy_auth_username_cache) { | |
144 | /* First time around, 7921 should be big enough */ | |
145 | proxy_auth_username_cache = | |
30abd221 | 146 | hash_create((HASHCMP *) strcmp, 7921, hash_string); |
f5691f9c | 147 | assert(proxy_auth_username_cache); |
148 | eventAdd("User Cache Maintenance", cacheCleanup, NULL, Config.authenticateGCInterval, 1); | |
149 | } | |
150 | } | |
151 | ||
152 | void | |
153 | AuthUser::CachedACLsReset() | |
154 | { | |
155 | /* | |
156 | * We walk the hash by username as that is the unique key we use. | |
157 | * This must complete all at once, because we are ensuring correctness. | |
158 | */ | |
159 | AuthUserHashPointer *usernamehash; | |
e1f7507e | 160 | AuthUser *auth_user; |
f5691f9c | 161 | char const *username = NULL; |
bf8fe701 | 162 | debugs(29, 3, "AuthUser::CachedACLsReset: Flushing the ACL caches for all users."); |
f5691f9c | 163 | hash_first(proxy_auth_username_cache); |
164 | ||
165 | while ((usernamehash = ((AuthUserHashPointer *) hash_next(proxy_auth_username_cache)))) { | |
166 | auth_user = usernamehash->user(); | |
167 | username = auth_user->username(); | |
168 | /* free cached acl results */ | |
169 | aclCacheMatchFlush(&auth_user->proxy_match_cache); | |
170 | ||
171 | } | |
172 | ||
bf8fe701 | 173 | debugs(29, 3, "AuthUser::CachedACLsReset: Finished."); |
f5691f9c | 174 | } |
175 | ||
176 | void | |
177 | AuthUser::cacheCleanup(void *datanotused) | |
178 | { | |
179 | /* | |
180 | * We walk the hash by username as that is the unique key we use. | |
181 | * For big hashs we could consider stepping through the cache, 100/200 | |
182 | * entries at a time. Lets see how it flys first. | |
183 | */ | |
184 | AuthUserHashPointer *usernamehash; | |
e1f7507e | 185 | AuthUser *auth_user; |
f5691f9c | 186 | char const *username = NULL; |
bf8fe701 | 187 | debugs(29, 3, "AuthUser::cacheCleanup: Cleaning the user cache now"); |
4a7a3d56 | 188 | debugs(29, 3, "AuthUser::cacheCleanup: Current time: " << current_time.tv_sec); |
f5691f9c | 189 | hash_first(proxy_auth_username_cache); |
190 | ||
191 | while ((usernamehash = ((AuthUserHashPointer *) hash_next(proxy_auth_username_cache)))) { | |
192 | auth_user = usernamehash->user(); | |
193 | username = auth_user->username(); | |
194 | ||
195 | /* if we need to have inpedendent expiry clauses, insert a module call | |
196 | * here */ | |
bf8fe701 | 197 | debugs(29, 4, "AuthUser::cacheCleanup: Cache entry:\n\tType: " << |
198 | auth_user->auth_type << "\n\tUsername: " << username << | |
199 | "\n\texpires: " << | |
200 | (long int) (auth_user->expiretime + Config.authenticateTTL) << | |
201 | "\n\treferences: " << (long int) auth_user->references); | |
f5691f9c | 202 | |
203 | if (auth_user->expiretime + Config.authenticateTTL <= current_time.tv_sec) { | |
bf8fe701 | 204 | debugs(29, 5, "AuthUser::cacheCleanup: Removing user " << username << " from cache due to timeout."); |
f5691f9c | 205 | /* the minus 1 accounts for the cache lock */ |
206 | ||
207 | if (!(authenticateAuthUserInuse(auth_user) - 1)) | |
208 | /* we don't warn if we leave the user in the cache, | |
209 | * because other modules (ie delay pools) may keep | |
210 | * locks on users, and thats legitimate | |
211 | */ | |
212 | auth_user->unlock(); | |
213 | } | |
214 | } | |
215 | ||
bf8fe701 | 216 | debugs(29, 3, "AuthUser::cacheCleanup: Finished cleaning the user cache."); |
f5691f9c | 217 | eventAdd("User Cache Maintenance", cacheCleanup, NULL, Config.authenticateGCInterval, 1); |
218 | } | |
219 | ||
220 | void | |
221 | AuthUser::clearIp() | |
222 | { | |
223 | auth_user_ip_t *ipdata, *tempnode; | |
224 | ||
225 | ipdata = (auth_user_ip_t *) ip_list.head; | |
226 | ||
227 | while (ipdata) { | |
228 | tempnode = (auth_user_ip_t *) ipdata->node.next; | |
229 | /* walk the ip list */ | |
230 | dlinkDelete(&ipdata->node, &ip_list); | |
231 | cbdataFree(ipdata); | |
232 | /* catch incipient underflow */ | |
233 | assert(ipcount); | |
234 | ipcount--; | |
235 | ipdata = tempnode; | |
236 | } | |
237 | ||
238 | /* integrity check */ | |
239 | assert(ipcount == 0); | |
240 | } | |
241 | ||
242 | void | |
ad61a2b4 | 243 | AuthUser::removeIp(IpAddress ipaddr) |
4c19ba24 | 244 | { |
245 | auth_user_ip_t *ipdata = (auth_user_ip_t *) ip_list.head; | |
246 | ||
26ac0430 | 247 | while (ipdata) { |
4c19ba24 | 248 | /* walk the ip list */ |
249 | ||
cc192b50 | 250 | if (ipdata->ipaddr == ipaddr) { |
4c19ba24 | 251 | /* remove the node */ |
252 | dlinkDelete(&ipdata->node, &ip_list); | |
253 | cbdataFree(ipdata); | |
254 | /* catch incipient underflow */ | |
255 | assert(ipcount); | |
256 | ipcount--; | |
257 | return; | |
258 | } | |
259 | ||
260 | ipdata = (auth_user_ip_t *) ipdata->node.next; | |
261 | } | |
262 | ||
263 | } | |
264 | ||
265 | void | |
ad61a2b4 | 266 | AuthUser::addIp(IpAddress ipaddr) |
4c19ba24 | 267 | { |
268 | auth_user_ip_t *ipdata = (auth_user_ip_t *) ip_list.head; | |
4c19ba24 | 269 | int found = 0; |
270 | ||
271 | CBDATA_INIT_TYPE(auth_user_ip_t); | |
272 | ||
273 | /* | |
274 | * we walk the entire list to prevent the first item in the list | |
275 | * preventing old entries being flushed and locking a user out after | |
276 | * a timeout+reconfigure | |
277 | */ | |
26ac0430 | 278 | while (ipdata) { |
4c19ba24 | 279 | auth_user_ip_t *tempnode = (auth_user_ip_t *) ipdata->node.next; |
280 | /* walk the ip list */ | |
f5691f9c | 281 | |
cc192b50 | 282 | if (ipdata->ipaddr == ipaddr) { |
283 | /* This ip has already been seen. */ | |
4c19ba24 | 284 | found = 1; |
285 | /* update IP ttl */ | |
286 | ipdata->ip_expiretime = squid_curtime; | |
287 | } else if (ipdata->ip_expiretime + Config.authenticateIpTTL < squid_curtime) { | |
288 | /* This IP has expired - remove from the seen list */ | |
289 | dlinkDelete(&ipdata->node, &ip_list); | |
290 | cbdataFree(ipdata); | |
291 | /* catch incipient underflow */ | |
292 | assert(ipcount); | |
293 | ipcount--; | |
294 | } | |
295 | ||
296 | ipdata = tempnode; | |
297 | } | |
298 | ||
299 | if (found) | |
300 | return; | |
301 | ||
302 | /* This ip is not in the seen list */ | |
303 | ipdata = cbdataAlloc(auth_user_ip_t); | |
304 | ||
305 | ipdata->ip_expiretime = squid_curtime; | |
306 | ||
307 | ipdata->ipaddr = ipaddr; | |
308 | ||
309 | dlinkAddTail(ipdata, &ipdata->node, &ip_list); | |
310 | ||
311 | ipcount++; | |
312 | ||
cc192b50 | 313 | debugs(29, 2, "authenticateAuthUserAddIp: user '" << username() << "' has been seen at a new IP address (" << ipaddr << ")"); |
4c19ba24 | 314 | } |
315 | ||
316 | ||
317 | void | |
f5691f9c | 318 | AuthUser::lock() |
319 | { | |
bf8fe701 | 320 | debugs(29, 9, "authenticateAuthUserLock auth_user '" << this << "'."); |
f5691f9c | 321 | assert(this != NULL); |
322 | references++; | |
4a7a3d56 | 323 | debugs(29, 9, "authenticateAuthUserLock auth_user '" << this << "' now at '" << references << "'."); |
f5691f9c | 324 | } |
325 | ||
326 | void | |
327 | AuthUser::unlock() | |
328 | { | |
bf8fe701 | 329 | debugs(29, 9, "authenticateAuthUserUnlock auth_user '" << this << "'."); |
f5691f9c | 330 | assert(this != NULL); |
331 | ||
332 | if (references > 0) { | |
333 | references--; | |
334 | } else { | |
bf8fe701 | 335 | debugs(29, 1, "Attempt to lower Auth User " << this << " refcount below 0!"); |
f5691f9c | 336 | } |
337 | ||
4a7a3d56 | 338 | debugs(29, 9, "authenticateAuthUserUnlock auth_user '" << this << "' now at '" << references << "'."); |
f5691f9c | 339 | |
340 | if (references == 0) | |
341 | delete this; | |
342 | } | |
343 | ||
344 | /* addToNameCache: add a auth_user structure to the username cache */ | |
345 | void | |
346 | AuthUser::addToNameCache() | |
347 | { | |
348 | usernamehash = new AuthUserHashPointer (this); | |
349 | } |