2 * SQUID Web Proxy Cache http://www.squid-cache.org/
3 * ----------------------------------------------------------
5 * Squid is the result of efforts by numerous individuals from
6 * the Internet community; see the CONTRIBUTORS file for full
7 * details. Many organizations have provided support for Squid's
8 * development; see the SPONSORS file for full details. Squid is
9 * Copyrighted (C) 2001 by the Regents of the University of
10 * California; see the COPYRIGHT file for full details. Squid
11 * incorporates software developed and/or copyrighted by other
12 * sources; see the CREDITS file for full details.
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
30 #ifndef SQUID_AUTH_USERREQUEST_H
31 #define SQUID_AUTH_USERREQUEST_H
35 #include "AccessLogEntry.h"
36 #include "auth/AuthAclState.h"
37 #include "auth/Scheme.h"
38 #include "auth/User.h"
41 #include "HttpHeader.h"
42 #include "ip/Address.h"
49 * Maximum length (buffer size) for token strings.
51 // AYJ: must match re-definition in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc
52 #define MAX_AUTHTOKEN_LEN 32768
55 * Node used to link an IP address to some user credentials
56 * for the max_user_ip ACL feature.
65 /// IP address this user authenticated from
68 /** When this IP should be forgotten.
69 * Set to the time of last request made from this
70 * (user,IP) pair plus authenticate_ip_ttl seconds
75 // TODO: make auth schedule AsyncCalls?
76 typedef void AUTHCB(void*);
81 // NP: numeric values specified for old code backward compatibility.
82 // remove after transition is complete
84 CRED_CHALLENGE
= 1, ///< Client needs to be challenged. secure token.
85 CRED_VALID
= 0, ///< Credentials are valid and a up to date. The OK/Failed state is accurate.
86 CRED_LOOKUP
= -1, ///< Credentials need to be validated with the backend helper
87 CRED_ERROR
= -2 ///< ERROR in the auth module. Cannot determine the state of this request.
91 * This is a short lived structure is the visible aspect of the authentication framework.
93 * It and its children hold the state data while processing authentication for a client request.
94 * The AuthenticationStateData object is merely a CBDATA wrapper for one of these.
96 class UserRequest
: public RefCountable
99 typedef RefCount
<Auth::UserRequest
> Pointer
;
102 virtual ~UserRequest();
103 void *operator new(size_t byteCount
);
104 void operator delete(void *address
);
108 * This is the object passed around by client_side and acl functions
109 * it has request specific data, and links to user specific data
112 User::Pointer _auth_user
;
115 * Used by squid to determine what the next step in performing authentication for a given scheme is.
117 * \retval CRED_ERROR ERROR in the auth module. Cannot determine request direction.
118 * \retval CRED_LOOKUP The auth module needs to send data to an external helper.
119 * Squid will prepare for a callback on the request and call the AUTHSSTART function.
120 * \retval CRED_VALID The auth module has all the information it needs to perform the authentication
121 * and provide a succeed/fail result.
122 * \retval CRED_CHALLENGE The auth module needs to send a new challenge to the request originator.
123 * Squid will return the appropriate status code (401 or 407) and call the registered
124 * FixError function to allow the auth module to insert it's challenge.
126 Direction
direction();
129 * Used by squid to determine whether the auth scheme has successfully authenticated the user request.
131 \retval true User has successfully been authenticated.
132 \retval false Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
134 virtual int authenticated() const = 0;
137 * Check a auth_user pointer for validity.
138 * Does not check passwords, just data sensability. Broken or Unknown auth_types are not valid for use...
140 * \retval false User credentials are missing.
141 * \retval false User credentials use an unknown scheme type.
142 * \retval false User credentials are broken for their scheme.
144 * \retval true User credentials exist and may be able to authenticate.
148 virtual void authenticate(HttpRequest
* request
, ConnStateData
* conn
, http_hdr_type type
) = 0;
150 /* template method - what needs to be done next? advertise schemes, challenge, handle error, nothing? */
151 virtual Direction
module_direction() = 0;
153 /* add the [Proxy-]Authentication-Info header */
154 virtual void addAuthenticationInfoHeader(HttpReply
* rep
, int accel
);
156 /* add the [Proxy-]Authentication-Info trailer */
157 virtual void addAuthenticationInfoTrailer(HttpReply
* rep
, int accel
);
159 virtual void releaseAuthServer();
161 // User credentials object this UserRequest is managing
162 virtual User::Pointer
user() {return _auth_user
;}
163 virtual const User::Pointer
user() const {return _auth_user
;}
164 virtual void user(User::Pointer aUser
) {_auth_user
=aUser
;}
167 * Locate user credentials in one of several locations. Begin authentication if needed.
169 * Credentials may be found in one of the following locations (listed by order of preference):
170 * - the source passed as parameter aUR
171 * - cached in the HttpRequest parameter from a previous authentication of this request
172 * - cached in the ConnStateData paremeter from a previous authentication of this connection
173 * (only applies to some situations. ie NTLM, Negotiate, Kerberos auth schemes,
174 * or decrypted SSL requests from inside an authenticated CONNECT tunnel)
175 * - cached in the user credentials cache from a previous authentication of the same credentials
176 * (only applies to cacheable authentication methods, ie Basic auth)
177 * - new credentials created from HTTP headers in this request
179 * The found credentials are returned in aUR and if successfully authenticated
180 * may now be cached in one or more of the above locations.
182 * \return Some AUTH_ACL_* state
184 static AuthAclState
tryToAuthenticateAndSetAuthUser(UserRequest::Pointer
*aUR
, http_hdr_type
, HttpRequest
*, ConnStateData
*, Ip::Address
&, AccessLogEntry::Pointer
&);
186 /// Add the appropriate [Proxy-]Authenticate header to the given reply
187 static void addReplyAuthHeader(HttpReply
* rep
, UserRequest::Pointer auth_user_request
, HttpRequest
* request
, int accelerated
, int internal
);
189 /** Start an asynchronous helper lookup to verify the user credentials
191 * Uses startHelperLookup() for scheme-specific actions.
193 * The given callback will be called when the auth module has performed
194 * it's external activities.
196 * \param handler Handler to process the callback when its run
197 * \param data CBDATA for handler
199 void start(HttpRequest
*request
, AccessLogEntry::Pointer
&al
, AUTHCB
*handler
, void *data
);
201 char const * denyMessage(char const * const default_message
= NULL
);
203 /** Possibly overrideable in future */
204 void setDenyMessage(char const *);
206 /** Possibly overrideable in future */
207 char const * getDenyMessage();
210 * Squid does not make assumptions about where the username is stored.
211 * This function must return a pointer to a NULL terminated string to be used in logging the request.
212 * The string should NOT be allocated each time this function is called.
214 \retval NULL No username/usercode is known.
215 \retval * Null-terminated username string.
217 char const *username() const;
219 Scheme::Pointer
scheme() const;
221 virtual const char * connLastHeader();
224 * The string representation of the credentials send by client
226 virtual const char *credentialsStr() = 0;
228 const char *helperRequestKeyExtras(HttpRequest
*, AccessLogEntry::Pointer
&al
);
232 * The scheme-specific actions to be performed when sending helper lookup.
234 * \see void start(HttpRequest *, AccessLogEntry::Pointer &, AUTHCB *, void *);
236 virtual void startHelperLookup(HttpRequest
*request
, AccessLogEntry::Pointer
&al
, AUTHCB
*handler
, void *data
) = 0;
240 static AuthAclState
authenticate(UserRequest::Pointer
* auth_user_request
, http_hdr_type headertype
, HttpRequest
* request
, ConnStateData
* conn
, Ip::Address
&src_addr
, AccessLogEntry::Pointer
&al
);
242 /** return a message on the 407 error pages */
246 * We only attempt authentication once per http request. This
247 * is to allow multiple auth acl references from different _access areas
248 * when using connection based authentication
250 AuthAclState lastReply
;
255 /* AuthUserRequest */
258 void authenticateFixHeader(HttpReply
*, Auth::UserRequest::Pointer
, HttpRequest
*, int, int);
260 void authenticateAddTrailer(HttpReply
*, Auth::UserRequest::Pointer
, HttpRequest
*, int);
263 void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer
, Ip::Address
const &);
265 void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer
);
267 int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer
);
270 /// See Auth::UserRequest::authenticated()
271 int authenticateUserAuthenticated(Auth::UserRequest::Pointer
);
273 #endif /* USE_AUTH */
274 #endif /* SQUID_AUTHUSERREQUEST_H */