2 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 #ifndef SQUID_AUTH_USERREQUEST_H
10 #define SQUID_AUTH_USERREQUEST_H
14 #include "AccessLogEntry.h"
15 #include "auth/AuthAclState.h"
16 #include "auth/Scheme.h"
17 #include "auth/User.h"
19 #include "helper/forward.h"
20 #include "HttpHeader.h"
21 #include "ip/Address.h"
/**
 * Maximum length (buffer size) for authentication token strings.
 *
 * The same value is defined in other source files as well (see the grep
 * below); every copy must stay identical, since each one presumably sizes a
 * buffer that receives the same tokens.
 */
// XXX: Keep in sync with all others: bzr grep 'define MAX_AUTHTOKEN_LEN'
#define MAX_AUTHTOKEN_LEN 65535
34 * Node used to link an IP address to some user credentials
35 * for the max_user_ip ACL feature.
MEMPROXY_CLASS(AuthUserIP);

/// Record that the user was seen from \a addr; \a expires is the time at
/// which this (user,IP) association should be forgotten.
AuthUserIP(const Ip::Address &addr, time_t expires) :
    ipaddr(addr),
    ip_expiretime(expires)
{}
46 /// IP address this user authenticated from
49 /** When this IP should be forgotten.
50 * Set to the time of last request made from this
51 * (user,IP) pair plus authenticate_ip_ttl seconds
// TODO: make auth schedule AsyncCalls?
/// Callback signature used to notify the caller once an asynchronous
/// authentication step (see UserRequest::start()) has completed. The void*
/// argument is the opaque data pointer registered together with the handler.
typedef void AUTHCB(void*);
// NP: numeric values are specified explicitly for backward compatibility with old code;
// remove them once the transition is complete.
65 CRED_CHALLENGE
= 1, ///< Client needs to be challenged. secure token.
66 CRED_VALID
= 0, ///< Credentials are valid and a up to date. The OK/Failed state is accurate.
67 CRED_LOOKUP
= -1, ///< Credentials need to be validated with the backend helper
68 CRED_ERROR
= -2 ///< ERROR in the auth module. Cannot determine the state of this request.
 * This short-lived structure is the visible aspect of the authentication framework.
 * It and its children hold the state data while processing authentication for a client request.
 * The AuthenticationStateData object is merely a CBDATA wrapper for one of these.
77 class UserRequest
: public RefCountable
/// Reference-counted handle type used throughout the auth code to share a single UserRequest.
typedef RefCount<Auth::UserRequest> Pointer;
/// Virtual: UserRequest is a polymorphic base (its scheme-specific children
/// hold the per-scheme state) and is destroyed through Pointer.
virtual ~UserRequest();

/// Class-specific allocation operators: UserRequest objects are allocated and
/// released through these rather than the global operator new/delete
/// (presumably a memory pool, as with MEMPROXY_CLASS elsewhere in this file).
void *operator new(size_t byteCount);
void operator delete(void *address);
/**
 * This is the object passed around by client_side and acl functions.
 * It has request specific data, and links to user specific data.
 */
/// The user-specific credentials this request is bound to; read and replaced via user().
User::Pointer _auth_user;
/**
 * Used by squid to determine what the next step in performing authentication for a given scheme is.
 *
 * Non-virtual front end; the scheme-specific answer presumably comes from module_direction().
 *
 * \retval CRED_ERROR     ERROR in the auth module. Cannot determine request direction.
 * \retval CRED_LOOKUP    The auth module needs to send data to an external helper.
 *                        Squid will prepare for a callback on the request and call the AUTHSSTART function.
 * \retval CRED_VALID     The auth module has all the information it needs to perform the authentication
 *                        and provide a succeed/fail result.
 * \retval CRED_CHALLENGE The auth module needs to send a new challenge to the request originator.
 *                        Squid will return the appropriate status code (401 or 407) and call the registered
 *                        FixError function to allow the auth module to insert its challenge.
 */
Direction direction();
/**
 * Used by squid to determine whether the auth scheme has successfully authenticated the user request.
 *
 * Declared as int but documented with boolean semantics (zero / non-zero).
 *
 * \retval true  User has successfully been authenticated.
 * \retval false Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
 */
virtual int authenticated() const = 0;
 * Check an auth_user pointer for validity.
 * Does not check passwords, just data sanity. Broken or unknown auth_types are not valid for use.
 *
 * \retval false User credentials are missing.
 * \retval false User credentials use an unknown scheme type.
 * \retval false User credentials are broken for their scheme.
 *
 * \retval true User credentials exist and may be able to authenticate.
/// Scheme-specific credential processing for \a request arriving on \a conn.
/// \a type presumably selects which [Proxy-]Authorization header the scheme reads — confirm in the scheme implementations.
virtual void authenticate(HttpRequest * request, ConnStateData * conn, Http::HdrType type) = 0;
/* template method - what needs to be done next? advertise schemes, challenge, handle error, nothing? */
/// Scheme-specific hook; see the \retval list on direction() for the meaning of each value.
virtual Direction module_direction() = 0;
/* add the [Proxy-]Authentication-Info header */
/// \param rep   the reply the header is added to
/// \param accel non-zero for accelerated requests; presumably chooses between the
///              Authentication-Info and Proxy-Authentication-Info forms — confirm in UserRequest.cc
virtual void addAuthenticationInfoHeader(HttpReply * rep, int accel);
/* add the [Proxy-]Authentication-Info trailer */
/// Trailer counterpart of addAuthenticationInfoHeader(); same parameters.
virtual void addAuthenticationInfoTrailer(HttpReply * rep, int accel);
140 virtual void releaseAuthServer();
// User credentials object this UserRequest is managing
/// Mutable accessor: returns a copy of the refcounted credentials pointer.
virtual User::Pointer user()
{
    return _auth_user;
}
/// Read-only accessor: returns a copy of the refcounted credentials pointer.
virtual const User::Pointer user() const
{
    return _auth_user;
}
/// Bind this request to \a aUser, replacing any previously managed credentials.
virtual void user(User::Pointer aUser)
{
    _auth_user = aUser;
}
/**
 * Locate user credentials in one of several locations. Begin authentication if needed.
 *
 * Credentials may be found in one of the following locations (listed by order of preference):
 * - the source passed as parameter aUR
 * - cached in the HttpRequest parameter from a previous authentication of this request
 * - cached in the ConnStateData parameter from a previous authentication of this connection
 *   (only applies to some situations. ie NTLM, Negotiate, Kerberos auth schemes,
 *    or decrypted SSL requests from inside an authenticated CONNECT tunnel)
 * - cached in the user credentials cache from a previous authentication of the same credentials
 *   (only applies to cacheable authentication methods, ie Basic auth)
 * - new credentials created from HTTP headers in this request
 *
 * The found credentials are returned in aUR and if successfully authenticated
 * may now be cached in one or more of the above locations.
 *
 * \param aUR in/out: the UserRequest to locate or fill (see the locations above)
 * \return Some AUTH_ACL_* state
 */
static AuthAclState tryToAuthenticateAndSetAuthUser(UserRequest::Pointer *aUR, Http::HdrType, HttpRequest *, ConnStateData *, Ip::Address &, AccessLogEntry::Pointer &);
/// Add the appropriate [Proxy-]Authenticate header to the given reply
/// \param rep               the reply being built
/// \param auth_user_request the request whose scheme supplies the challenge
/// \param accelerated       non-zero for accelerated requests; presumably selects the
///                          WWW-Authenticate (401) rather than Proxy-Authenticate (407) form — confirm in UserRequest.cc
/// \param internal          NOTE(review): effect not visible in this header; confirm in UserRequest.cc
static void AddReplyAuthHeader(HttpReply * rep, UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal);
/** Start an asynchronous helper lookup to verify the user credentials
 *
 * Uses startHelperLookup() for scheme-specific actions.
 *
 * The given callback will be called when the auth module has performed
 * its external activities.
 *
 * \param request the request whose credentials are being verified
 * \param al      access log entry for the request
 * \param handler Handler to process the callback when its run
 * \param data    CBDATA for handler
 */
void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data);
/// Message to show when access is denied. \a default_message is presumably
/// returned when no scheme-specific message was set via setDenyMessage().
char const * denyMessage(char const * const default_message = NULL) const;
/** Possibly overrideable in future */
/// Set the 'authentication denied' message later returned by getDenyMessage()/denyMessage().
void setDenyMessage(char const *);
/** Possibly overrideable in future */
/// The message set by setDenyMessage(), if any.
char const * getDenyMessage() const;
/**
 * Squid does not make assumptions about where the username is stored.
 * This function must return a pointer to a NULL terminated string to be used in logging the request.
 * The string should NOT be allocated each time this function is called.
 *
 * The returned pointer is therefore not owned by the caller; do not free it.
 *
 * \retval NULL No username/usercode is known.
 * \retval *    Null-terminated username string.
 */
char const *username() const;
/// The authentication scheme these credentials belong to.
Scheme::Pointer scheme() const;
202 virtual const char * connLastHeader();
/**
 * The string representation of the credentials sent by the client.
 *
 * This is raw client credential material: treat it with the same care as a
 * password when logging or passing it to helpers.
 */
virtual const char *credentialsStr() = 0;
/// Extra key material derived from the request and \a al for the helper lookup.
/// NOTE(review): format and ownership of the returned string are not visible here; confirm in UserRequest.cc.
const char *helperRequestKeyExtras(HttpRequest *, AccessLogEntry::Pointer &al);
/// Sets the reason of 'authentication denied' helper response.
/// \param proto name of the scheme/protocol the helper belongs to, used in the message
/// \param reply the helper reply the reason is taken from
void denyMessageFromHelper(char const *proto, const Helper::Reply &reply);
/**
 * The scheme-specific actions to be performed when sending helper lookup.
 *
 * Called from start(); parameters have the same meaning as there, and the
 * scheme must eventually invoke \a handler with \a data.
 *
 * \see void start(HttpRequest *, AccessLogEntry::Pointer &, AUTHCB *, void *);
 */
virtual void startHelperLookup(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data) = 0;
/**
 * Static authentication entry point taking the same parameters as
 * tryToAuthenticateAndSetAuthUser(); returns an AUTH_ACL_* state.
 *
 * NOTE(review): how this relates to tryToAuthenticateAndSetAuthUser() (wrapper,
 * or the step that caches the outcome in lastReply) is not visible here; confirm in UserRequest.cc.
 */
static AuthAclState authenticate(UserRequest::Pointer * auth_user_request, Http::HdrType headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr, AccessLogEntry::Pointer &al);
226 /** return a message on the 407 error pages */
/**
 * We only attempt authentication once per HTTP request. This
 * is to allow multiple auth acl references from different _access areas
 * when using connection based authentication.
 *
 * Holds the AUTH_ACL_* outcome of that single attempt so later ACL checks reuse it.
 */
AuthAclState lastReply;
239 /* AuthUserRequest */
/// Forget the given address for this request's user; presumably removes the
/// matching AuthUserIP node kept for the max_user_ip ACL.
void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer, Ip::Address const &);
/// Forget every address recorded for this request's user (see max_user_ip).
void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer);
/// Number of distinct addresses currently recorded for this request's user (see max_user_ip).
int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer);
/// See Auth::UserRequest::authenticated()
/// \return non-zero when the request is authenticated (int with boolean semantics, as there)
int authenticateUserAuthenticated(Auth::UserRequest::Pointer);
252 #endif /* USE_AUTH */
253 #endif /* SQUID_AUTHUSERREQUEST_H */