Commit | Line | Data |
---|---|---|
f5691f9c | 1 | |
2 | /* | |
262a0e14 | 3 | * $Id$ |
f5691f9c | 4 | * |
5 | * DO NOT MODIFY NEXT 2 LINES: | |
6 | * arch-tag: 674533af-8b21-4641-b71a-74c4639072a0 | |
7 | * | |
8 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
9 | * ---------------------------------------------------------- | |
10 | * | |
11 | * Squid is the result of efforts by numerous individuals from | |
12 | * the Internet community; see the CONTRIBUTORS file for full | |
13 | * details. Many organizations have provided support for Squid's | |
14 | * development; see the SPONSORS file for full details. Squid is | |
15 | * Copyrighted (C) 2001 by the Regents of the University of | |
16 | * California; see the COPYRIGHT file for full details. Squid | |
17 | * incorporates software developed and/or copyrighted by other | |
18 | * sources; see the CREDITS file for full details. | |
19 | * | |
20 | * This program is free software; you can redistribute it and/or modify | |
21 | * it under the terms of the GNU General Public License as published by | |
22 | * the Free Software Foundation; either version 2 of the License, or | |
23 | * (at your option) any later version. | |
26ac0430 | 24 | * |
f5691f9c | 25 | * This program is distributed in the hope that it will be useful, |
26 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
27 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
28 | * GNU General Public License for more details. | |
26ac0430 | 29 | * |
f5691f9c | 30 | * You should have received a copy of the GNU General Public License |
31 | * along with this program; if not, write to the Free Software | |
32 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
33 | * | |
34 | */ | |
35 | ||
36 | #ifndef SQUID_AUTHUSERREQUEST_H | |
37 | #define SQUID_AUTHUSERREQUEST_H | |
38 | ||
39 | #include "client_side.h" | |
40 | ||
41 | class AuthUser; | |
42 | ||
43 | class ConnStateData; | |
44 | ||
45 | class AuthScheme; | |
46 | ||
/**
 * Record of one IP address a user has authenticated from, together with
 * the time at which that record expires.
 */
struct AuthUserIP {
    // NOTE(review): presumably the intrusive list link that chains these
    // records together; the list owner is not visible in this header.
    dlink_node node;

    /* IP addr this user authenticated from */
    Ip::Address ipaddr;

    // Expiry time for this address record.
    // NOTE(review): who compares this against the current time, and what
    // happens to an expired record, is not visible here; confirm in the
    // implementation.
    time_t ip_expiretime;
};
54 | ||
/**
 \ingroup AuthAPI
 * A short-lived structure that is the visible aspect of the authentication
 * framework. It is the object passed around by client_side and ACL
 * functions: it holds request-specific data and links to the user-specific
 * data (the AuthUser).
 *
 * Lifetime is managed by a manual reference count (see refCount(), _lock()
 * and _unlock()); callers are asked to go through the AUTHUSERREQUESTLOCK()
 * and AUTHUSERREQUESTUNLOCK() macros rather than calling those directly.
 */
class AuthUserRequest
{

public:
    /**
     * Link to the user-specific data for this request.
     *
     * NOTE(review): this is a public raw pointer and user(AuthUser *) stores
     * into it by plain assignment. No ownership or lifetime handling for the
     * AuthUser is visible in this header; confirm what keeps the pointee
     * alive for as long as this request refers to it.
     */
    AuthUser *_auth_user;

    /**
     * Used by squid to determine what the next step in performing authentication for a given scheme is.
     *
     \retval -2 ERROR in the auth module. Cannot determine request direction.
     \retval -1 The auth module needs to send data to an external helper.
     *          Squid will prepare for a callback on the request and call the AUTHSSTART function.
     \retval  0 The auth module has all the information it needs to perform the authentication and provide a succeed/fail result.
     \retval  1 The auth module needs to send a new challenge to the request originator.
     *          Squid will return the appropriate status code (401 or 407) and call the registered FixError function to allow the auth module to insert its challenge.
     */
    int direction();

    /**
     * Used by squid to determine whether the auth scheme has successfully authenticated the user request.
     *
     \retval true   User has successfully been authenticated.
     \retval false  Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
     *
     * NOTE(review): the declared return type is int although the result is
     * documented as true/false. Confirm that every scheme returns only 0 or
     * 1, so that a caller testing the value cannot read some other value as
     * success.
     */
    virtual int authenticated() const = 0;

    /**
     * Scheme-specific authentication step; pure virtual, so each auth scheme
     * supplies its own.
     * NOTE(review): presumably `type` selects which request header carries
     * the credentials; confirm against the scheme implementations.
     */
    virtual void authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type) = 0;

    /* template method */
    // NOTE(review): presumably the per-scheme hook behind direction(), using
    // the same return values; the definition of direction() is not visible
    // in this header.
    virtual int module_direction() = 0;

    // Overridable hooks; their default definitions live outside this header.
    virtual void addHeader(HttpReply * rep, int accel);
    virtual void addTrailer(HttpReply * rep, int accel);
    virtual void onConnectionClose(ConnStateData *);

    /**
     * Called when squid is ready to put the request on hold and wait for a callback from the auth module
     * when the auth module has performed its external activities.
     *
     \param handler     Handler to process the callback when it is run
     \param data        CBDATA for handler
     */
    virtual void module_start(RH *handler, void *data) = 0;

    /// \return the AuthUser linked to this request (may be whatever was last stored, including NULL)
    virtual AuthUser *user() {return _auth_user;}

    /// \return the AuthUser linked to this request, read-only
    virtual const AuthUser *user() const {return _auth_user;}

    /// Replaces the linked AuthUser by plain pointer assignment; the previous value is simply overwritten.
    virtual void user(AuthUser *aUser) {_auth_user=aUser;}

    // NOTE(review): takes AuthUserRequest **, so it can presumably create or
    // replace the caller's request pointer; confirm in the implementation.
    static auth_acl_t tryToAuthenticateAndSetAuthUser(AuthUserRequest **, http_hdr_type, HttpRequest *, ConnStateData *, Ip::Address &);
    static void addReplyAuthHeader(HttpReply * rep, AuthUserRequest * auth_user_request, HttpRequest * request, int accelerated, int internal);

    AuthUserRequest();

    virtual ~AuthUserRequest();

    // Class-specific allocation functions; the allocator behind them is not
    // visible in this header.
    void *operator new(size_t byteCount);
    void operator delete(void *address);

    // Non-virtual entry point taking the same arguments as module_start().
    // NOTE(review): presumably forwards to module_start(); confirm.
    void start( RH * handler, void *data);

    // default_message defaults to NULL.
    // NOTE(review): presumably returned when no deny message has been set;
    // callers should be prepared for a NULL result. Confirm.
    char const * denyMessage(char const * const default_message = NULL);

    /** Possibly overrideable in future */
    void setDenyMessage(char const *);

    /** Possibly overrideable in future */
    char const * getDenyMessage();

    /// \return the current value of the manual reference count
    size_t refCount() const;
    void _lock(); /**< \note please use AUTHUSERREQUESTLOCK() */
    void _unlock(); /**< \note please use AUTHUSERREQUESTUNLOCK() */

    /**
     * Squid does not make assumptions about where the username is stored.
     * This function must return a pointer to a NULL terminated string to be used in logging the request.
     * The string should NOT be allocated each time this function is called.
     *
     \retval NULL   No username/usercode is known.
     \retval *      Null-terminated username string.
     */
    char const *username() const;

    AuthScheme *scheme() const;

    virtual const char * connLastHeader();

private:

    static auth_acl_t authenticate(AuthUserRequest ** auth_user_request, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr);

    /**
     * Message to return on the 407 error pages.
     * NOTE(review): raw char *; who allocates and frees it is not visible in
     * this header.
     */
    char *message;

    /** how many 'processes' are working on this data */
    size_t references;

    /**
     * We only attempt authentication once per http request. This
     * is to allow multiple auth acl references from different _access areas
     * when using connection based authentication
     */
    auth_acl_t lastReply;
};
164 | ||
165 | /* AuthUserRequest */ | |
63be0a78 | 166 | |
/*
 * Free-function wrappers around AuthUserRequest. All of them take the
 * request by raw pointer.
 * NOTE(review): whether a NULL request is tolerated is not visible in this
 * header; check each definition before passing a pointer that may be NULL.
 */

/**
 \ingroup AuthAPI
 \deprecated Use AuthUserRequest::refCount() instead.
 */
extern size_t authenticateRequestRefCount (AuthUserRequest *);

/// \ingroup AuthAPI
/// NOTE(review): the parameter list mirrors
/// AuthUserRequest::addReplyAuthHeader(rep, auth_user_request, request, accelerated, internal);
/// presumably the two ints carry the same meaning. Confirm.
extern void authenticateFixHeader(HttpReply *, AuthUserRequest *, HttpRequest *, int, int);
/// \ingroup AuthAPI
extern void authenticateAddTrailer(HttpReply *, AuthUserRequest *, HttpRequest *, int);

/// \ingroup AuthAPI
/// NOTE(review): presumably drops one address from the IP records kept for
/// the user behind this request (see struct AuthUserIP). Confirm.
extern void authenticateAuthUserRequestRemoveIp(AuthUserRequest *, Ip::Address const &);
/// \ingroup AuthAPI
/// NOTE(review): presumably drops all IP records for the user behind this request. Confirm.
extern void authenticateAuthUserRequestClearIp(AuthUserRequest *);
/// \ingroup AuthAPI
/// NOTE(review): presumably the number of IP records currently held for the
/// user behind this request; whether expired records are counted is not
/// visible here.
extern int authenticateAuthUserRequestIPCount(AuthUserRequest *);
/// \ingroup AuthAPI
/// \deprecated Use AuthUserRequest::direction() instead.
extern int authenticateDirection(AuthUserRequest *);

/// \ingroup AuthAPI
/// See AuthUserRequest::authenticated()
extern int authenticateUserAuthenticated(AuthUserRequest *);
/// \ingroup AuthAPI
extern int authenticateValidateUser(AuthUserRequest *);
f5691f9c | 193 | |
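/// \todo Drop dead code? or make a debugging option.
/*
 * Reference-count helpers for AuthUserRequest pointers.
 *
 * AUTHUSERREQUESTUNLOCK(a,b): if `a` is non-NULL, calls (a)->_unlock() and
 *   then sets `a` to NULL so the caller's variable cannot be reused as a
 *   stale reference. Does nothing when `a` is already NULL.
 * AUTHUSERREQUESTLOCK(a,b): calls (a)->_lock(). It does NOT check for NULL;
 *   the caller must pass a valid pointer.
 *
 * `a` is evaluated more than once and is assigned to by UNLOCK, so pass a
 * plain pointer variable, not an expression with side effects.
 * `b` is a label for the debug variants only; the normal variants ignore it.
 *
 * UNLOCK is wrapped in do { } while (0) so it behaves as a single statement:
 * with a bare `if (a) { ... }` expansion, `if (x) AUTHUSERREQUESTUNLOCK(p, "y"); else ...`
 * does not compile, and an `else` written directly after the macro would
 * bind to the macro's hidden `if`. Call sites must end the macro with `;`.
 *
 * The debug variants sit in the `#if 0` arm of an #if/#else so that enabling
 * them does not redefine the macros.
 */
#if 0
#define AUTHUSERREQUESTUNLOCK(a,b) do { if (a) { (a)->_unlock(); debugs(0,0,HERE << "auth_user_request " << (a) << " was unlocked for " << (b)); (a)=NULL; } } while (0)
#define AUTHUSERREQUESTLOCK(a,b) do { (a)->_lock(); debugs(0,0,HERE << "auth_user_request " << (a) << " was locked for " << (b)); } while (0)
#else
#define AUTHUSERREQUESTUNLOCK(a,b) do { if (a) { (a)->_unlock(); (a)=NULL; } } while (0)
#define AUTHUSERREQUESTLOCK(a,b) (a)->_lock()
#endif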
201 | ||
202 | ||
f5691f9c | 203 | #endif /* SQUID_AUTHUSERREQUEST_H */ |