src/auth/UserRequest.h

   1 /*
   2  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   3  * ----------------------------------------------------------
   4  *
   5  *  Squid is the result of efforts by numerous individuals from
   6  *  the Internet community; see the CONTRIBUTORS file for full
   7  *  details.   Many organizations have provided support for Squid's
   8  *  development; see the SPONSORS file for full details.  Squid is
   9  *  Copyrighted (C) 2001 by the Regents of the University of
  10  *  California; see the COPYRIGHT file for full details.  Squid
  11  *  incorporates software developed and/or copyrighted by other
  12  *  sources; see the CREDITS file for full details.
  13  *
  14  *  This program is free software; you can redistribute it and/or modify
  15  *  it under the terms of the GNU General Public License as published by
  16  *  the Free Software Foundation; either version 2 of the License, or
  17  *  (at your option) any later version.
  18  *
  19  *  This program is distributed in the hope that it will be useful,
  20  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  21  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  22  *  GNU General Public License for more details.
  23  *
  24  *  You should have received a copy of the GNU General Public License
  25  *  along with this program; if not, write to the Free Software
  26  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  27  *
  28  */
  29
  30 #ifndef SQUID_AUTH_USERREQUEST_H
  31 #define SQUID_AUTH_USERREQUEST_H
  32
  33 #if USE_AUTH
  34
  35 #include "AccessLogEntry.h"
  36 #include "auth/AuthAclState.h"
  37 #include "auth/Scheme.h"
  38 #include "auth/User.h"
  39 #include "dlink.h"
  40 #include "helper.h"
  41 #include "HttpHeader.h"
  42 #include "ip/Address.h"
  43
  44 class ConnStateData;
  45 class HttpReply;
  46 class HttpRequest;
  47
  48 /**
  49  * Maximum length (buffer size) for token strings.
  50  */
  51 // AYJ: must match re-definition in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc
  52 #define MAX_AUTHTOKEN_LEN   32768
  53
  54 /**
  55  * Node used to link an IP address to some user credentials
  56  * for the max_user_ip ACL feature.
  57  *
  58  * \ingroup AuthAPI
  59  */
  60 class AuthUserIP
  61 {
  62 public:
  63     dlink_node node;
  64
  65     /// IP address this user authenticated from
  66     Ip::Address ipaddr;
  67
  68     /** When this IP should be forgotten.
  69      * Set to the time of last request made from this
  70      * (user,IP) pair plus authenticate_ip_ttl seconds
  71      */
  72     time_t ip_expiretime;
  73 };
  74
  75 // TODO: make auth schedule AsyncCalls?
  76 typedef void AUTHCB(void*);
  77
  78 namespace Auth
  79 {
  80
  81 // NP: numeric values specified for old code backward compatibility.
  82 //  remove after transition is complete
  83 enum Direction {
  84     CRED_CHALLENGE = 1, ///< Client needs to be challenged. secure token.
  85     CRED_VALID = 0,     ///< Credentials are valid and a up to date. The OK/Failed state is accurate.
  86     CRED_LOOKUP = -1,   ///< Credentials need to be validated with the backend helper
  87     CRED_ERROR = -2     ///< ERROR in the auth module. Cannot determine the state of this request.
  88 };
  89
  90 /**
  91  * This is a short lived structure is the visible aspect of the authentication framework.
  92  *
  93  * It and its children hold the state data while processing authentication for a client request.
  94  * The AuthenticationStateData object is merely a CBDATA wrapper for one of these.
  95  */
  96 class UserRequest : public RefCountable
  97 {
  98 public:
  99     typedef RefCount<Auth::UserRequest> Pointer;
 100
 101     UserRequest();
 102     virtual ~UserRequest();
 103     void *operator new(size_t byteCount);
 104     void operator delete(void *address);
 105
 106 public:
 107     /**
 108      * This is the object passed around by client_side and acl functions
 109      * it has request specific data, and links to user specific data
 110      * the user
 111      */
 112     User::Pointer _auth_user;
 113
 114     /**
 115      *  Used by squid to determine what the next step in performing authentication for a given scheme is.
 116      *
 117      * \retval CRED_ERROR       ERROR in the auth module. Cannot determine request direction.
 118      * \retval CRED_LOOKUP      The auth module needs to send data to an external helper.
 119      *                          Squid will prepare for a callback on the request and call the AUTHSSTART function.
 120      * \retval CRED_VALID       The auth module has all the information it needs to perform the authentication
 121      *                          and provide a succeed/fail result.
 122      * \retval CRED_CHALLENGE   The auth module needs to send a new challenge to the request originator.
 123      *                          Squid will return the appropriate status code (401 or 407) and call the registered
 124      *                          FixError function to allow the auth module to insert it's challenge.
 125      */
 126     Direction direction();
 127
 128     /**
 129      * Used by squid to determine whether the auth scheme has successfully authenticated the user request.
 130      *
 131      \retval true       User has successfully been authenticated.
 132      \retval false      Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
 133      */
 134     virtual int authenticated() const = 0;
 135
 136     /**
 137      * Check a auth_user pointer for validity.
 138      * Does not check passwords, just data sensability. Broken or Unknown auth_types are not valid for use...
 139      *
 140      * \retval false    User credentials are missing.
 141      * \retval false    User credentials use an unknown scheme type.
 142      * \retval false    User credentials are broken for their scheme.
 143      *
 144      * \retval true     User credentials exist and may be able to authenticate.
 145      */
 146     bool valid() const;
 147
 148     virtual void authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type) = 0;
 149
 150     /* template method - what needs to be done next? advertise schemes, challenge, handle error, nothing? */
 151     virtual Direction module_direction() = 0;
 152
 153     /* add the [Proxy-]Authentication-Info header */
 154     virtual void addAuthenticationInfoHeader(HttpReply * rep, int accel);
 155
 156     /* add the [Proxy-]Authentication-Info trailer */
 157     virtual void addAuthenticationInfoTrailer(HttpReply * rep, int accel);
 158
 159     virtual void releaseAuthServer();
 160
 161     // User credentials object this UserRequest is managing
 162     virtual User::Pointer user() {return _auth_user;}
 163     virtual const User::Pointer user() const {return _auth_user;}
 164     virtual void user(User::Pointer aUser) {_auth_user=aUser;}
 165
 166     /**
 167      * Locate user credentials in one of several locations. Begin authentication if needed.
 168      *
 169      * Credentials may be found in one of the following locations (listed by order of preference):
 170      * - the source passed as parameter aUR
 171      * - cached in the HttpRequest parameter from a previous authentication of this request
 172      * - cached in the ConnStateData paremeter from a previous authentication of this connection
 173      *   (only applies to some situations. ie NTLM, Negotiate, Kerberos auth schemes,
 174      *    or decrypted SSL requests from inside an authenticated CONNECT tunnel)
 175      * - cached in the user credentials cache from a previous authentication of the same credentials
 176      *   (only applies to cacheable authentication methods, ie Basic auth)
 177      * - new credentials created from HTTP headers in this request
 178      *
 179      * The found credentials are returned in aUR and if successfully authenticated
 180      * may now be cached in one or more of the above locations.
 181      *
 182      * \return Some AUTH_ACL_* state
 183      */
 184     static AuthAclState tryToAuthenticateAndSetAuthUser(UserRequest::Pointer *aUR, http_hdr_type, HttpRequest *, ConnStateData *, Ip::Address &, AccessLogEntry::Pointer &);
 185
 186     /// Add the appropriate [Proxy-]Authenticate header to the given reply
 187     static void addReplyAuthHeader(HttpReply * rep, UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal);
 188
 189     /** Start an asynchronous helper lookup to verify the user credentials
 190      *
 191      * Uses startHelperLookup() for scheme-specific actions.
 192      *
 193      * The given callback will be called when the auth module has performed
 194      * it's external activities.
 195      *
 196      * \param handler   Handler to process the callback when its run
 197      * \param data      CBDATA for handler
 198      */
 199     void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data);
 200
 201     char const * denyMessage(char const * const default_message = NULL);
 202
 203     /** Possibly overrideable in future */
 204     void setDenyMessage(char const *);
 205
 206     /** Possibly overrideable in future */
 207     char const * getDenyMessage();
 208
 209     /**
 210      * Squid does not make assumptions about where the username is stored.
 211      * This function must return a pointer to a NULL terminated string to be used in logging the request.
 212      * The string should NOT be allocated each time this function is called.
 213      *
 214      \retval NULL       No username/usercode is known.
 215      \retval *          Null-terminated username string.
 216      */
 217     char const *username() const;
 218
 219     Scheme::Pointer scheme() const;
 220
 221     virtual const char * connLastHeader();
 222
 223     /**
 224      * The string representation of the credentials send by client
 225      */
 226     virtual const char *credentialsStr() = 0;
 227
 228     const char *helperRequestKeyExtras(HttpRequest *, AccessLogEntry::Pointer &al);
 229
 230 protected:
 231     /**
 232      * The scheme-specific actions to be performed when sending helper lookup.
 233      *
 234      * \see void start(HttpRequest *, AccessLogEntry::Pointer &, AUTHCB *, void *);
 235      */
 236     virtual void startHelperLookup(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data) = 0;
 237
 238 private:
 239
 240     static AuthAclState authenticate(UserRequest::Pointer * auth_user_request, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr, AccessLogEntry::Pointer &al);
 241
 242     /** return a message on the 407 error pages */
 243     char *message;
 244
 245     /**
 246      * We only attempt authentication once per http request. This
 247      * is to allow multiple auth acl references from different _access areas
 248      * when using connection based authentication
 249      */
 250     AuthAclState lastReply;
 251 };
 252
 253 } // namespace Auth
 254
 255 /* AuthUserRequest */
 256
 257 /// \ingroup AuthAPI
 258 void authenticateFixHeader(HttpReply *, Auth::UserRequest::Pointer, HttpRequest *, int, int);
 259 /// \ingroup AuthAPI
 260 void authenticateAddTrailer(HttpReply *, Auth::UserRequest::Pointer, HttpRequest *, int);
 261
 262 /// \ingroup AuthAPI
 263 void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer, Ip::Address const &);
 264 /// \ingroup AuthAPI
 265 void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer);
 266 /// \ingroup AuthAPI
 267 int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer);
 268
 269 /// \ingroup AuthAPI
 270 /// See Auth::UserRequest::authenticated()
 271 int authenticateUserAuthenticated(Auth::UserRequest::Pointer);
 272
 273 #endif /* USE_AUTH */
 274 #endif /* SQUID_AUTHUSERREQUEST_H */