2 * SQUID Web Proxy Cache http://www.squid-cache.org/
3 * ----------------------------------------------------------
5 * Squid is the result of efforts by numerous individuals from
6 * the Internet community; see the CONTRIBUTORS file for full
7 * details. Many organizations have provided support for Squid's
8 * development; see the SPONSORS file for full details. Squid is
9 * Copyrighted (C) 2001 by the Regents of the University of
10 * California; see the COPYRIGHT file for full details. Squid
11 * incorporates software developed and/or copyrighted by other
12 * sources; see the CREDITS file for full details.
14 * This program is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * This program is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with this program; if not, write to the Free Software
26 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
30 #ifndef SQUID_AUTH_USERREQUEST_H
31 #define SQUID_AUTH_USERREQUEST_H
35 #include "auth/AuthAclState.h"
36 #include "auth/Scheme.h"
37 #include "auth/User.h"
39 #include "ip/Address.h"
41 #include "HttpHeader.h"
48 * Maximum length (buffer size) for token strings.
50 // AYJ: must match the re-definition in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc;
// keep the two in sync when changing either, so that one side does not accept tokens the other cannot handle.
51 #define MAX_AUTHTOKEN_LEN 32768
58 /* IP addr this user authenticated from */
64 // TODO: make auth schedule AsyncCalls?
65 typedef void AUTHCB(void*);
70 // NP: numeric values specified for old code backward compatibility.
71 // remove after transition is complete
73 CRED_CHALLENGE
= 1, ///< Client needs to be challenged. secure token.
74 CRED_VALID
= 0, ///< Credentials are valid and up to date. The OK/Failed state is accurate.
75 CRED_LOOKUP
= -1, ///< Credentials need to be validated with the backend helper
76 CRED_ERROR
= -2 ///< ERROR in the auth module. Cannot determine the state of this request.
80 * This short-lived structure is the visible aspect of the authentication framework.
82 * It and its children hold the state data while processing authentication for a client request.
83 * The AuthenticationStateData object is merely a CBDATA wrapper for one of these.
85 class UserRequest
: public RefCountable
88 typedef RefCount
<Auth::UserRequest
> Pointer
;
91 virtual ~UserRequest();
92 void *operator new(size_t byteCount
);
93 void operator delete(void *address
);
97 * This is the object passed around by client_side and acl functions
98 * it has request specific data, and links to user specific data
101 User::Pointer _auth_user
;
104 * Used by squid to determine what the next step in performing authentication for a given scheme is.
106 * \retval CRED_ERROR ERROR in the auth module. Cannot determine request direction.
107 * \retval CRED_LOOKUP The auth module needs to send data to an external helper.
108 * Squid will prepare for a callback on the request and call the AUTHSSTART function.
109 * \retval CRED_VALID The auth module has all the information it needs to perform the authentication
110 * and provide a succeed/fail result.
111 * \retval CRED_CHALLENGE The auth module needs to send a new challenge to the request originator.
112 * Squid will return the appropriate status code (401 or 407) and call the registered
113 * FixError function to allow the auth module to insert its challenge.
115 Direction
direction();
118 * Used by squid to determine whether the auth scheme has successfully authenticated the user request.
120 \retval true User has successfully been authenticated.
121 \retval false Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
(Declared as int rather than bool; presumably the usual non-zero-is-true convention — callers should test the result as a boolean rather than compare it against a specific value. Confirm against the scheme implementations.)
123 virtual int authenticated() const = 0;
126 * Check an auth_user pointer for validity.
127 * Does not check passwords, just data sanity. Broken or unknown auth_types are not valid for use.
129 * \retval false User credentials are missing.
130 * \retval false User credentials use an unknown scheme type.
131 * \retval false User credentials are broken for their scheme.
133 * \retval true User credentials exist and may be able to authenticate.
137 virtual void authenticate(HttpRequest
* request
, ConnStateData
* conn
, http_hdr_type type
) = 0;
139 /* template method - what needs to be done next? advertise schemes, challenge, handle error, nothing? */
140 virtual Direction
module_direction() = 0;
142 /* add the [Proxy-]Authentication-Info header */
143 virtual void addAuthenticationInfoHeader(HttpReply
* rep
, int accel
);
145 /* add the [Proxy-]Authentication-Info trailer */
146 virtual void addAuthenticationInfoTrailer(HttpReply
* rep
, int accel
);
148 virtual void onConnectionClose(ConnStateData
*);
151 * Called when squid is ready to put the request on hold and wait for a callback from the auth module
152 * when the auth module has performed its external activities.
154 * \param handler Handler to process the callback when its run
155 * \param data CBDATA for handler
157 virtual void module_start(AUTHCB
*handler
, void *data
) = 0;
159 // User credentials object this UserRequest is managing
/// Accessor for the credentials object attached to this request (the _auth_user member).
virtual User::Pointer user()
{
    return _auth_user;
}
/// Read-only accessor for the credentials object attached to this request (the _auth_user member).
virtual const User::Pointer user() const
{
    return _auth_user;
}
/// Replace the credentials object attached to this request.
/// \param aUser the credentials to manage from now on (stored in _auth_user)
virtual void user(User::Pointer aUser)
{
    _auth_user = aUser;
}
165 * Locate user credentials in one of several locations. Begin authentication if needed.
167 * Credentials may be found in one of the following locations (listed by order of preference):
168 * - the source passed as parameter aUR
169 * - cached in the HttpRequest parameter from a previous authentication of this request
170 * - cached in the ConnStateData parameter from a previous authentication of this connection
171 * (only applies to some situations, ie NTLM, Negotiate, Kerberos auth schemes,
172 * or decrypted SSL requests from inside an authenticated CONNECT tunnel).
 * NOTE(review): connection-cached credentials are reused for every later request on that
 * connection, which presumes the connection carries a single client end to end — confirm
 * before relying on them where a connection could be shared by more than one sender.
173 * - cached in the user credentials cache from a previous authentication of the same credentials
174 * (only applies to cacheable authentication methods, ie Basic auth)
175 * - new credentials created from HTTP headers in this request
177 * The found credentials are returned in aUR and if successfully authenticated
178 * may now be cached in one or more of the above locations.
180 * \return Some AUTH_ACL_* state
182 static AuthAclState
tryToAuthenticateAndSetAuthUser(UserRequest::Pointer
*aUR
, http_hdr_type
, HttpRequest
*, ConnStateData
*, Ip::Address
&);
184 /// Add the appropriate [Proxy-]Authenticate header to the given reply
185 static void addReplyAuthHeader(HttpReply
* rep
, UserRequest::Pointer auth_user_request
, HttpRequest
* request
, int accelerated
, int internal
);
187 void start(AUTHCB
*handler
, void *data
);
188 char const * denyMessage(char const * const default_message
= NULL
);
190 /** Possibly overrideable in future */
191 void setDenyMessage(char const *);
193 /** Possibly overrideable in future */
194 char const * getDenyMessage();
197 * Squid does not make assumptions about where the username is stored.
198 * This function must return a pointer to a NULL-terminated string to be used in logging the request.
199 * The string should NOT be allocated each time this function is called.
 * NOTE(review): the name ultimately comes from client-supplied credentials (see the
 * "new credentials created from HTTP headers" case above), so log formatting should treat it
 * as untrusted text — confirm the log writer escapes it.
201 \retval NULL No username/usercode is known.
202 \retval * Null-terminated username string.
204 char const *username() const;
206 Scheme::Pointer
scheme() const;
208 virtual const char * connLastHeader();
212 static AuthAclState
authenticate(UserRequest::Pointer
* auth_user_request
, http_hdr_type headertype
, HttpRequest
* request
, ConnStateData
* conn
, Ip::Address
&src_addr
);
214 /** return a message on the 407 error pages */
218 * We only attempt authentication once per http request. This
219 * is to allow multiple auth acl references from different _access areas
220 * when using connection based authentication
222 AuthAclState lastReply
;
227 /* AuthUserRequest */
/* Free-function wrappers around Auth::UserRequest, presumably retained for older
 * C-style call sites — confirm against the definitions before removing any of them.
 * authenticateFixHeader takes the same parameter list as addReplyAuthHeader above;
 * authenticateAddTrailer appears to correspond to addAuthenticationInfoTrailer. */
230 extern void authenticateFixHeader(HttpReply
*, Auth::UserRequest::Pointer
, HttpRequest
*, int, int);
232 extern void authenticateAddTrailer(HttpReply
*, Auth::UserRequest::Pointer
, HttpRequest
*, int);
/* The three functions below manage the per-user record of client IP addresses
 * (see the "IP addr this user authenticated from" note near the top of this header);
 * the actual storage lives in Auth::User — confirm in auth/User.h. */
235 extern void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer
, Ip::Address
const &);
237 extern void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer
);
239 extern int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer
);
242 /// See Auth::UserRequest::authenticated() (same int-as-boolean result)
243 extern int authenticateUserAuthenticated(Auth::UserRequest::Pointer
);
245 #endif /* USE_AUTH */
246 #endif /* SQUID_AUTH_USERREQUEST_H */