f5691f9c | 1 | /* |
bf95c10a | 2 | * Copyright (C) 1996-2022 The Squid Software Foundation and contributors |
f5691f9c | 3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
f5691f9c | 7 | */ |
8 | ||
9 | #ifndef SQUID_AUTH_USERREQUEST_H |
10 | #define SQUID_AUTH_USERREQUEST_H | |
f5691f9c | 11 | |
12 | #if USE_AUTH |
13 | ||
d4806c91 | 14 | #include "AccessLogEntry.h" |
56a49fda | 15 | #include "auth/AuthAclState.h" |
5817ee13 | 16 | #include "auth/Scheme.h" |
56a49fda | 17 | #include "auth/User.h" |
a33a428a | 18 | #include "dlink.h" |
24438ec5 | 19 | #include "helper/forward.h" |
a33a428a | 20 | #include "HttpHeader.h" |
602d9612 | 21 | #include "ip/Address.h" |
f5691f9c | 22 | |
f5691f9c | 23 | class ConnStateData; |
24 | class HttpReply; |
25 | class HttpRequest; | |
f5691f9c | 26 | |
/**
 * Maximum length (buffer size) for token strings.
 *
 * This is an upper bound used to size storage, not a statement about
 * how long client-supplied tokens actually are: any copy into storage
 * sized by this value must still be bounded by the source length.
 */
// XXX: Keep in sync with all others: bzr grep 'define MAX_AUTHTOKEN_LEN'
#define MAX_AUTHTOKEN_LEN 65535
7afc3bf2 | 32 | |
/**
 * Node used to link an IP address to some user credentials
 * for the max_user_ip ACL feature.
 *
 * Instances are chained through \c node; the list they belong to is not
 * visible in this header (presumably kept by the Auth::User the address
 * was seen with — confirm in the .cc).
 */
class AuthUserIP
{
    MEMPROXY_CLASS(AuthUserIP);

public:
    /// \param ip  address the user authenticated from
    /// \param t   absolute time at which this (user,IP) pair becomes stale
    AuthUserIP(const Ip::Address &ip, time_t t) : ipaddr(ip), ip_expiretime(t) {}

    /// intrusive list linkage (see dlink.h); not owned by this object
    dlink_node node;

    /// IP address this user authenticated from
    Ip::Address ipaddr;

    /** When this IP should be forgotten.
     * Set to the time of last request made from this
     * (user,IP) pair plus authenticate_ip_ttl seconds
     */
    time_t ip_expiretime;
};
55 | ||
// TODO: make auth schedule AsyncCalls?
/// Completion callback for an asynchronous authentication step.
/// The single argument is the opaque pointer (CBDATA) supplied alongside
/// the handler, e.g. the \c data argument of Auth::UserRequest::start().
using AUTHCB = void (void *);
58 | ||
namespace Auth
{

// NP: numeric values specified for old code backward compatibility.
// remove after transition is complete
/// What the framework should do next for a request, as reported by a scheme.
enum Direction {
    CRED_CHALLENGE = 1, ///< Client needs to be challenged. secure token.
    CRED_VALID = 0, ///< Credentials are valid and up to date. The OK/Failed state is accurate.
    CRED_LOOKUP = -1, ///< Credentials need to be validated with the backend helper
    CRED_ERROR = -2 ///< ERROR in the auth module. Cannot determine the state of this request.
};

/**
 * This short-lived structure is the visible aspect of the authentication framework.
 *
 * It and its children hold the state data while processing authentication for a client request.
 * The AuthenticationStateData object is merely a CBDATA wrapper for one of these.
 *
 * Lifetime is reference counted (RefCountable); hold instances through
 * UserRequest::Pointer. Scheme implementations subclass this and supply
 * the pure virtual hooks declared below.
 */
class UserRequest : public RefCountable
{
public:
    typedef RefCount<Auth::UserRequest> Pointer;

    UserRequest();
    virtual ~UserRequest();
    // class-specific allocation; the matching definitions live in the .cc
    void *operator new(size_t byteCount);
    void operator delete(void *address);

public:
    /**
     * This is the object passed around by client_side and acl functions.
     * It holds request-specific data and links, via this member, to the
     * user-specific data (the credentials).
     */
    User::Pointer _auth_user;

    /**
     * Used by squid to determine what the next step in performing authentication for a given scheme is.
     *
     * Non-virtual; presumably performs the scheme-independent checks and then
     * consults module_direction() — confirm in the .cc.
     *
     * \retval CRED_ERROR ERROR in the auth module. Cannot determine request direction.
     * \retval CRED_LOOKUP The auth module needs to send data to an external helper.
     *         Squid will prepare for a callback on the request and call the AUTHSSTART function.
     * \retval CRED_VALID The auth module has all the information it needs to perform the authentication
     *         and provide a succeed/fail result.
     * \retval CRED_CHALLENGE The auth module needs to send a new challenge to the request originator.
     *         Squid will return the appropriate status code (401 or 407) and call the registered
     *         FixError function to allow the auth module to insert its challenge.
     */
    Direction direction();

    /**
     * Used by squid to determine whether the auth scheme has successfully authenticated the user request.
     *
     * Declared as int for historic reasons; callers should treat the result as a boolean.
     *
     * \retval true User has successfully been authenticated.
     * \retval false Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
     */
    virtual int authenticated() const = 0;

    /**
     * Check a auth_user pointer for validity.
     * Does not check passwords, just data sensibility. Broken or Unknown auth_types are not valid for use...
     *
     * \retval false User credentials are missing.
     * \retval false User credentials use an unknown scheme type.
     * \retval false User credentials are broken for their scheme.
     *
     * \retval true User credentials exist and may be able to authenticate.
     */
    bool valid() const;

    /**
     * Scheme-specific credential check for this request.
     *
     * \param request the request carrying the credentials
     * \param conn the client connection (used by connection-bound schemes)
     * \param type presumably the header id the credentials were taken from
     *             ([Proxy-]Authorization) — confirm against callers
     */
    virtual void authenticate(HttpRequest * request, ConnStateData * conn, Http::HdrType type) = 0;

    /** template method - what needs to be done next? advertise schemes, challenge, handle error, nothing? */
    virtual Direction module_direction() = 0;

    /** add the [Proxy-]Authentication-Info header
     * \param accel non-zero presumably selects the non-proxy header variant — confirm in the .cc
     */
    virtual void addAuthenticationInfoHeader(HttpReply * rep, int accel);

    /** add the [Proxy-]Authentication-Info trailer
     * \param accel as for addAuthenticationInfoHeader()
     */
    virtual void addAuthenticationInfoTrailer(HttpReply * rep, int accel);

    /// Scheme hook with a base implementation in the .cc. Presumably releases
    /// any helper server reserved for this request — confirm before relying on it.
    virtual void releaseAuthServer();

    // User credentials object this UserRequest is managing
    virtual User::Pointer user() {return _auth_user;}
    // NOTE(review): the top-level const on a by-value return only forbids calling
    // non-const members on the temporary; it does not make the pointee const.
    virtual const User::Pointer user() const {return _auth_user;}
    virtual void user(User::Pointer aUser) {_auth_user=aUser;}

    /**
     * Locate user credentials in one of several locations. Begin authentication if needed.
     *
     * Credentials may be found in one of the following locations (listed by order of preference):
     * - the source passed as parameter aUR
     * - cached in the HttpRequest parameter from a previous authentication of this request
     * - cached in the ConnStateData parameter from a previous authentication of this connection
     *   (only applies to some situations. ie NTLM, Negotiate, Kerberos auth schemes,
     *   or decrypted SSL requests from inside an authenticated CONNECT tunnel)
     * - cached in the user credentials cache from a previous authentication of the same credentials
     *   (only applies to cacheable authentication methods, ie Basic auth)
     * - new credentials created from HTTP headers in this request
     *
     * The found credentials are returned in aUR and if successfully authenticated
     * may now be cached in one or more of the above locations.
     *
     * \return Some AUTH_ACL_* state
     */
    static AuthAclState tryToAuthenticateAndSetAuthUser(UserRequest::Pointer *aUR, Http::HdrType, HttpRequest *, ConnStateData *, Ip::Address &, AccessLogEntry::Pointer &);

    /// Add the appropriate [Proxy-]Authenticate header to the given reply.
    /// \param accelerated int flag, non-zero presumably meaning accelerator mode — confirm in the .cc
    /// \param internal int flag, non-zero presumably meaning an internal request — confirm in the .cc
    static void AddReplyAuthHeader(HttpReply * rep, UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal);

    /** Start an asynchronous helper lookup to verify the user credentials
     *
     * Uses startHelperLookup() for scheme-specific actions.
     *
     * The given callback will be called when the auth module has performed
     * its external activities.
     *
     * \param handler Handler to process the callback when its run
     * \param data CBDATA for handler
     */
    void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data);

    /**
     * Message explaining why authentication was denied.
     *
     * \param default_message presumably returned when no message has been set — confirm in the .cc
     * \return a pointer into storage owned by this object (or default_message itself);
     *         it must not outlive this UserRequest
     */
    char const * denyMessage(char const * const default_message = nullptr) const;

    /** Possibly overridable in future */
    void setDenyMessage(char const *);

    /** Possibly overridable in future */
    char const * getDenyMessage() const;

    /**
     * Squid does not make assumptions about where the username is stored.
     * This function must return a pointer to a NULL terminated string to be used in logging the request.
     * The string should NOT be allocated each time this function is called.
     *
     * \retval NULL No username/usercode is known.
     * \retval * Null-terminated username string.
     */
    char const *username() const;

    /// The authentication scheme these credentials belong to.
    Scheme::Pointer scheme() const;

    /// Scheme hook with a base implementation in the .cc; its contract is not
    /// visible here — see the .cc before overriding.
    virtual const char * connLastHeader();

    /**
     * The string representation of the credentials sent by the client.
     *
     * This is raw secret material: it must not be written to logs, error
     * pages or any other client-visible output.
     */
    virtual const char *credentialsStr() = 0;

    /// Presumably builds the extra key fields appended to helper lookups from
    /// the request and its log entry — confirm the exact format in the .cc.
    const char *helperRequestKeyExtras(HttpRequest *, AccessLogEntry::Pointer &al);

    /// Sets the reason of 'authentication denied' helper response.
    void denyMessageFromHelper(char const *proto, const Helper::Reply &reply);

protected:
    /**
     * The scheme-specific actions to be performed when sending helper lookup.
     *
     * \see void start(HttpRequest *, AccessLogEntry::Pointer &, AUTHCB *, void *);
     */
    virtual void startHelperLookup(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data) = 0;

private:

    /// Shared driver behind tryToAuthenticateAndSetAuthUser() — presumably; see the .cc.
    /// Overloads the public virtual authenticate() by signature only.
    static AuthAclState authenticate(UserRequest::Pointer * auth_user_request, Http::HdrType headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr, AccessLogEntry::Pointer &al);

    /** return a message on the 407 error pages */
    // NOTE(review): raw char*; whether setDenyMessage() copies and the
    // destructor frees it is not visible here — confirm in the .cc.
    char *message;

    /**
     * We only attempt authentication once per http request. This
     * is to allow multiple auth acl references from different _access areas
     * when using connection based authentication
     */
    AuthAclState lastReply;
};

} // namespace Auth
238 | ||
/* AuthUserRequest */

// NOTE(review): these take Auth::UserRequest::Pointer by value, which bumps the
// refcount on every call; kept as-is because callers depend on the signatures.

/// \ingroup AuthAPI
/// Presumably drops the given source address from the (user,IP) list used by
/// max_user_ip (see AuthUserIP) — confirm in the .cc.
void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer, Ip::Address const &);
/// \ingroup AuthAPI
/// Presumably forgets every address tracked for this request's user — confirm in the .cc.
void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer);
/// \ingroup AuthAPI
/// Presumably the number of addresses currently tracked for this request's user — confirm in the .cc.
int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer);

/// \ingroup AuthAPI
/// See Auth::UserRequest::authenticated()
int authenticateUserAuthenticated(Auth::UserRequest::Pointer);
4f0ef8e8 | 251 | |
2f1431ea | 252 | #endif /* USE_AUTH */ |
#endif /* SQUID_AUTH_USERREQUEST_H */