f5691f9c | 1 | /* |
262a0e14 | 2 | * $Id$ |
f5691f9c | 3 | * |
4 | * DO NOT MODIFY NEXT 2 LINES: | |
5 | * arch-tag: 674533af-8b21-4641-b71a-74c4639072a0 | |
6 | * | |
7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
8 | * ---------------------------------------------------------- | |
9 | * | |
10 | * Squid is the result of efforts by numerous individuals from | |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
18 | * | |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
26ac0430 | 23 | * |
f5691f9c | 24 | * This program is distributed in the hope that it will be useful, |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
26ac0430 | 28 | * |
f5691f9c | 29 | * You should have received a copy of the GNU General Public License |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | */ | |
34 | ||
c7baff40 AJ |
35 | #ifndef SQUID_AUTH_USERREQUEST_H |
36 | #define SQUID_AUTH_USERREQUEST_H | |
f5691f9c | 37 | |
2f1431ea AJ |
38 | #if USE_AUTH |
39 | ||
56a49fda | 40 | #include "auth/AuthAclState.h" |
5817ee13 | 41 | #include "auth/Scheme.h" |
56a49fda | 42 | #include "auth/User.h" |
a33a428a | 43 | #include "dlink.h" |
80617cbd | 44 | #include "ip/Address.h" |
a33a428a AJ |
45 | #include "typedefs.h" |
46 | #include "HttpHeader.h" | |
f5691f9c | 47 | |
f5691f9c | 48 | class ConnStateData; |
a33a428a AJ |
49 | class HttpReply; |
50 | class HttpRequest; | |
f5691f9c | 51 | |
/**
 * Maximum length (buffer size) for token strings.
 *
 * NOTE(review): this value is duplicated (not shared) with the Negotiate/Kerberos
 * helper named below, and the two copies size their token buffers independently.
 * Keep them identical when changing either one; a mismatch is a silent
 * interoperability and bounds hazard at the Squid/helper boundary — confirm the
 * helper-side copy whenever this is touched.
 */
// AYJ: must match re-definition in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc
#define MAX_AUTHTOKEN_LEN 32768
57 | ||
/// \ingroup AuthAPI
/// One record of a source address a user authenticated from, together with the
/// time that record expires. Records are chained through \c node (dlink.h).
/// The authenticateAuthUserRequest*Ip() functions declared at the end of this
/// header appear to be the operations over these records — confirm in the .cc.
class AuthUserIP
{
public:
    dlink_node node;        ///< intrusive list link used to chain records
    /* IP addr this user authenticated from */

    Ip::Address ipaddr;
    time_t ip_expiretime;   ///< expiry of this record (presumably an absolute time_t — confirm)
};
68 | ||
namespace Auth
{

// NP: numeric values specified for old code backward compatibility.
// remove after transition is complete
/// What the framework has to do next for a request; see UserRequest::direction()
/// for the full description of each value.
enum Direction {
    CRED_CHALLENGE = 1, ///< Client needs to be challenged. secure token.
    CRED_VALID = 0,     ///< Credentials are valid and up to date. The OK/Failed state is accurate.
    CRED_LOOKUP = -1,   ///< Credentials need to be validated with the backend helper
    CRED_ERROR = -2     ///< ERROR in the auth module. Cannot determine the state of this request.
};

/**
 * This short-lived structure is the visible aspect of the authentication framework.
 *
 * It and its children hold the state data while processing authentication for a client request.
 * The AuthenticationStateData object is merely a CBDATA wrapper for one of these.
 *
 * Instances are reference counted (RefCountable) and are passed around as
 * UserRequest::Pointer. Concrete schemes subclass this and implement the pure
 * virtual methods: authenticated(), authenticate(), module_direction() and
 * module_start().
 */
class UserRequest : public RefCountable
{
public:
    typedef RefCount<Auth::UserRequest> Pointer;

    UserRequest();
    virtual ~UserRequest();
    // Class-specific allocation; the allocator used is defined in the .cc, not visible here.
    void *operator new(size_t byteCount);
    void operator delete(void *address);

public:
    /**
     * This is the object passed around by client_side and acl functions.
     * It has request-specific data, and links to the user-specific data
     * (the user).
     */
    User::Pointer _auth_user;

    /**
     * Used by squid to determine what the next step in performing authentication for a given scheme is.
     *
     * \retval CRED_ERROR ERROR in the auth module. Cannot determine request direction.
     * \retval CRED_LOOKUP The auth module needs to send data to an external helper.
     *         Squid will prepare for a callback on the request and call the AUTHSSTART function.
     * \retval CRED_VALID The auth module has all the information it needs to perform the authentication
     *         and provide a succeed/fail result.
     * \retval CRED_CHALLENGE The auth module needs to send a new challenge to the request originator.
     *         Squid will return the appropriate status code (401 or 407) and call the registered
     *         FixError function to allow the auth module to insert its challenge.
     *
     * Framework-level counterpart of the scheme hook module_direction(); presumably
     * wraps it with checks common to all schemes — confirm in the .cc.
     */
    Direction direction();

    /**
     * Used by squid to determine whether the auth scheme has successfully authenticated the user request.
     *
     * \retval true User has successfully been authenticated.
     * \retval false Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
     *
     * \note Declared as int although the contract is boolean (legacy C API; see
     *       authenticateUserAuthenticated() at the end of this header).
     */
    virtual int authenticated() const = 0;

    /**
     * Check an auth_user pointer for validity.
     * Does not check passwords, just data sensibility. Broken or Unknown auth_types are not valid for use...
     *
     * \retval false User credentials are missing.
     * \retval false User credentials use an unknown scheme type.
     * \retval false User credentials are broken for their scheme.
     *
     * \retval true User credentials exist and may be able to authenticate.
     */
    bool valid() const;

    /**
     * Scheme-specific authentication step for this request.
     *
     * \param request the request carrying the credentials
     * \param conn    the client connection; connection-bound schemes may keep state here
     *                (see tryToAuthenticateAndSetAuthUser())
     * \param type    which [Proxy-]Authorization header the credentials were read from
     */
    virtual void authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type) = 0;

    /* template method - what needs to be done next? advertise schemes, challenge, handle error, nothing? */
    virtual Direction module_direction() = 0;

    /* add the [Proxy-]Authentication-Info header */
    /// \param rep   reply to add the header to
    /// \param accel non-zero when the request was accelerated (presumably selects the
    ///              Proxy- vs plain header variant — confirm)
    virtual void addAuthenticationInfoHeader(HttpReply * rep, int accel);

    /* add the [Proxy-]Authentication-Info trailer */
    /// Same parameters as addAuthenticationInfoHeader().
    virtual void addAuthenticationInfoTrailer(HttpReply * rep, int accel);

    /// Hook invoked when the given client connection closes. This is the point at
    /// which connection-bound authentication state must be dropped; the default
    /// behaviour is defined in the .cc and is not visible here.
    virtual void onConnectionClose(ConnStateData *);

    /**
     * Called when squid is ready to put the request on hold and wait for a callback from the auth module
     * when the auth module has performed its external activities.
     *
     * \param handler Handler to process the callback when its run
     * \param data CBDATA for handler
     */
    virtual void module_start(RH *handler, void *data) = 0;

    // User credentials object this UserRequest is managing (accessors over _auth_user)
    virtual User::Pointer user() {return _auth_user;}
    virtual const User::Pointer user() const {return _auth_user;}
    virtual void user(User::Pointer aUser) {_auth_user=aUser;}

    /**
     * Locate user credentials in one of several locations. Begin authentication if needed.
     *
     * Credentials may be found in one of the following locations (listed by order of preference):
     * - the source passed as parameter aUR
     * - cached in the HttpRequest parameter from a previous authentication of this request
     * - cached in the ConnStateData parameter from a previous authentication of this connection
     *   (only applies to some situations. ie NTLM, Negotiate, Kerberos auth schemes,
     *   or decrypted SSL requests from inside an authenticated CONNECT tunnel)
     * - cached in the user credentials cache from a previous authentication of the same credentials
     *   (only applies to cacheable authentication methods, ie Basic auth)
     * - new credentials created from HTTP headers in this request
     *
     * The found credentials are returned in aUR and if successfully authenticated
     * may now be cached in one or more of the above locations.
     *
     * NOTE(review): the connection-cached path makes every later request on that
     * connection inherit the credentials, which is why the comment above restricts
     * it to connection-oriented schemes; any new caller of this function should
     * preserve that restriction.
     *
     * \param aUR     in/out: credentials found so far; receives the credentials located
     * \param         header type the credentials are read from ([Proxy-]Authorization)
     * \param         the request being authenticated
     * \param         the client connection (connection-level credential cache)
     * \param         client source address (non-const reference; presumably recorded against
     *                the user — confirm in the .cc)
     * \return Some AUTH_ACL_* state
     */
    static AuthAclState tryToAuthenticateAndSetAuthUser(UserRequest::Pointer *aUR, http_hdr_type, HttpRequest *, ConnStateData *, Ip::Address &);

    /// Add the appropriate [Proxy-]Authenticate header to the given reply
    /// \param rep               reply that will carry the challenge
    /// \param auth_user_request credentials for the request (may be a null Pointer — confirm)
    /// \param request           the request being answered
    /// \param accelerated       non-zero for accelerated requests
    /// \param internal          non-zero for Squid-internal requests
    static void addReplyAuthHeader(HttpReply * rep, UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal);

    /// Public entry point for the asynchronous part of authentication; takes the
    /// same handler/data pair as module_start() and presumably forwards to it — confirm.
    void start( RH * handler, void *data);
    /// Message to show when access is denied, or \a default_message when none is set
    /// (presumably; confirm). The returned pointer is owned by this object.
    char const * denyMessage(char const * const default_message = NULL);

    /** Possibly overridable in future */
    /// Stores the message used on the 407 error page (see \c message below).
    void setDenyMessage(char const *);

    /** Possibly overridable in future */
    /// Current deny message, as stored by setDenyMessage().
    char const * getDenyMessage();

    /**
     * Squid does not make assumptions about where the username is stored.
     * This function must return a pointer to a NULL terminated string to be used in logging the request.
     * The string should NOT be allocated each time this function is called.
     *
     * \retval NULL No username/usercode is known.
     * \retval * Null-terminated username string.
     */
    char const *username() const;

    /// The authentication scheme these credentials belong to.
    Scheme::Pointer scheme() const;

    /// Scheme hook; its meaning is not documented in this header — see the .cc and
    /// the overriding subclasses before relying on its value.
    virtual const char * connLastHeader();

private:

    /// Worker behind tryToAuthenticateAndSetAuthUser() (identical parameter list);
    /// presumably called by it once the credential source has been chosen — confirm.
    static AuthAclState authenticate(UserRequest::Pointer * auth_user_request, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr);

    /** return a message on the 407 error pages */
    // Written by setDenyMessage(), read by denyMessage()/getDenyMessage().
    // Allocation and ownership of the buffer are handled in the .cc (not visible here).
    char *message;

    /**
     * We only attempt authentication once per http request. This
     * is to allow multiple auth acl references from different _access areas
     * when using connection based authentication
     */
    // Result of that single attempt, replayed to later ACL checks on the same request.
    AuthAclState lastReply;
};

} // namespace Auth
228 | ||
/* AuthUserRequest */

/// \ingroup AuthAPI
/// Add the [Proxy-]Authenticate challenge header to a reply. Same parameter list
/// (reply, credentials, request, accelerated, internal) as
/// Auth::UserRequest::addReplyAuthHeader(); presumably the C-style wrapper for it — confirm.
extern void authenticateFixHeader(HttpReply *, Auth::UserRequest::Pointer, HttpRequest *, int, int);
/// \ingroup AuthAPI
/// Add the [Proxy-]Authentication-Info trailer to a reply (reply, credentials, request, accel);
/// compare Auth::UserRequest::addAuthenticationInfoTrailer().
extern void authenticateAddTrailer(HttpReply *, Auth::UserRequest::Pointer, HttpRequest *, int);

/// \ingroup AuthAPI
/// Remove one source address from the user's recorded IPs (presumably the AuthUserIP
/// records declared above — confirm in the .cc).
extern void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer, Ip::Address const &);
/// \ingroup AuthAPI
/// Drop every recorded source address for the user.
extern void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer);
/// \ingroup AuthAPI
/// Number of source addresses currently recorded for the user.
extern int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer);

/// \ingroup AuthAPI
/// See Auth::UserRequest::authenticated()
extern int authenticateUserAuthenticated(Auth::UserRequest::Pointer);
4f0ef8e8 | 246 | |
2f1431ea | 247 | #endif /* USE_AUTH */ |
f5691f9c | 248 | #endif /* SQUID_AUTH_USERREQUEST_H */