/*
- * SQUID Web Proxy Cache http://www.squid-cache.org/
- * ----------------------------------------------------------
- *
- * Squid is the result of efforts by numerous individuals from
- * the Internet community; see the CONTRIBUTORS file for full
- * details. Many organizations have provided support for Squid's
- * development; see the SPONSORS file for full details. Squid is
- * Copyrighted (C) 2001 by the Regents of the University of
- * California; see the COPYRIGHT file for full details. Squid
- * incorporates software developed and/or copyrighted by other
- * sources; see the CREDITS file for full details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
+ * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
*
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
*/
#ifndef SQUID_AUTH_USERREQUEST_H
#if USE_AUTH
+#include "AccessLogEntry.h"
#include "auth/AuthAclState.h"
#include "auth/Scheme.h"
#include "auth/User.h"
#include "dlink.h"
-#include "ip/Address.h"
-#include "helper.h"
+#include "helper/forward.h"
#include "HttpHeader.h"
+#include "ip/Address.h"
class ConnStateData;
class HttpReply;
/**
* Maximum length (buffer size) for token strings.
*/
-// AYJ: must match re-definition in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc
-#define MAX_AUTHTOKEN_LEN 32768
+// XXX: Keep in sync with all others: bzr grep 'define MAX_AUTHTOKEN_LEN'
+#define MAX_AUTHTOKEN_LEN 65535
-/// \ingroup AuthAPI
+/**
+ * Node used to link an IP address to some user credentials
+ * for the max_user_ip ACL feature.
+ */
class AuthUserIP
{
+ MEMPROXY_CLASS(AuthUserIP);
+
public:
+ AuthUserIP(const Ip::Address &ip, time_t t) : ipaddr(ip), ip_expiretime(t) {}
+
dlink_node node;
- /* IP addr this user authenticated from */
+ /// IP address this user authenticated from
Ip::Address ipaddr;
+
+ /** When this IP should be forgotten.
+ * Set to the time of last request made from this
+ * (user,IP) pair plus authenticate_ip_ttl seconds
+ */
time_t ip_expiretime;
};
/**
* Used by squid to determine what the next step in performing authentication for a given scheme is.
*
- * \retval CRED_ERROR ERROR in the auth module. Cannot determine request direction.
- * \retval CRED_LOOKUP The auth module needs to send data to an external helper.
- * Squid will prepare for a callback on the request and call the AUTHSSTART function.
- * \retval CRED_VALID The auth module has all the information it needs to perform the authentication
- * and provide a succeed/fail result.
- * \retval CRED_CHALLENGE The auth module needs to send a new challenge to the request originator.
- * Squid will return the appropriate status code (401 or 407) and call the registered
- * FixError function to allow the auth module to insert it's challenge.
+ * \retval CRED_ERROR ERROR in the auth module. Cannot determine request direction.
+ * \retval CRED_LOOKUP The auth module needs to send data to an external helper.
+ * Squid will prepare for a callback on the request and call the AUTHSSTART function.
+ * \retval CRED_VALID The auth module has all the information it needs to perform the authentication
+ * and provide a succeed/fail result.
+ * \retval CRED_CHALLENGE The auth module needs to send a new challenge to the request originator.
+ * Squid will return the appropriate status code (401 or 407) and call the registered
+ * FixError function to allow the auth module to insert it's challenge.
*/
Direction direction();
/**
* Used by squid to determine whether the auth scheme has successfully authenticated the user request.
*
- \retval true User has successfully been authenticated.
- \retval false Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
+ \retval true User has successfully been authenticated.
+ \retval false Timeouts on cached credentials have occurred or for any reason the credentials are not valid.
*/
virtual int authenticated() const = 0;
* \retval false User credentials use an unknown scheme type.
* \retval false User credentials are broken for their scheme.
*
- * \retval true User credentials exist and may be able to authenticate.
+ * \retval true User credentials exist and may be able to authenticate.
*/
bool valid() const;
- virtual void authenticate(HttpRequest * request, ConnStateData * conn, http_hdr_type type) = 0;
+ virtual void authenticate(HttpRequest * request, ConnStateData * conn, Http::HdrType type) = 0;
/* template method - what needs to be done next? advertise schemes, challenge, handle error, nothing? */
virtual Direction module_direction() = 0;
/* add the [Proxy-]Authentication-Info trailer */
virtual void addAuthenticationInfoTrailer(HttpReply * rep, int accel);
- virtual void onConnectionClose(ConnStateData *);
-
- /**
- * Called when squid is ready to put the request on hold and wait for a callback from the auth module
- * when the auth module has performed it's external activities.
- *
- * \param handler Handler to process the callback when its run
- * \param data CBDATA for handler
- */
- virtual void module_start(AUTHCB *handler, void *data) = 0;
+ virtual void releaseAuthServer();
// User credentials object this UserRequest is managing
virtual User::Pointer user() {return _auth_user;}
* Credentials may be found in one of the following locations (listed by order of preference):
* - the source passed as parameter aUR
* - cached in the HttpRequest parameter from a previous authentication of this request
- * - cached in the ConnStateData paremeter from a previous authentication of this connection
+ * - cached in the ConnStateData parameter from a previous authentication of this connection
* (only applies to some situations. ie NTLM, Negotiate, Kerberos auth schemes,
* or decrypted SSL requests from inside an authenticated CONNECT tunnel)
* - cached in the user credentials cache from a previous authentication of the same credentials
*
* \return Some AUTH_ACL_* state
*/
- static AuthAclState tryToAuthenticateAndSetAuthUser(UserRequest::Pointer *aUR, http_hdr_type, HttpRequest *, ConnStateData *, Ip::Address &);
+ static AuthAclState tryToAuthenticateAndSetAuthUser(UserRequest::Pointer *aUR, Http::HdrType, HttpRequest *, ConnStateData *, Ip::Address &, AccessLogEntry::Pointer &);
/// Add the appropriate [Proxy-]Authenticate header to the given reply
- static void addReplyAuthHeader(HttpReply * rep, UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal);
+ static void AddReplyAuthHeader(HttpReply * rep, UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal);
- void start(AUTHCB *handler, void *data);
- char const * denyMessage(char const * const default_message = NULL);
+ /** Start an asynchronous helper lookup to verify the user credentials
+ *
+ * Uses startHelperLookup() for scheme-specific actions.
+ *
+ * The given callback will be called when the auth module has performed
+ * it's external activities.
+ *
+ * \param handler Handler to process the callback when its run
+ * \param data CBDATA for handler
+ */
+ void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data);
- /** Possibly overrideable in future */
+ char const * denyMessage(char const * const default_message = NULL) const;
+
+ /** Possibly overridable in future */
void setDenyMessage(char const *);
- /** Possibly overrideable in future */
- char const * getDenyMessage();
+ /** Possibly overridable in future */
+ char const * getDenyMessage() const;
/**
* Squid does not make assumptions about where the username is stored.
* This function must return a pointer to a NULL terminated string to be used in logging the request.
* The string should NOT be allocated each time this function is called.
*
- \retval NULL No username/usercode is known.
- \retval * Null-terminated username string.
+ \retval NULL No username/usercode is known.
+ \retval * Null-terminated username string.
*/
char const *username() const;
virtual const char * connLastHeader();
+ /**
+ * The string representation of the credentials send by client
+ */
+ virtual const char *credentialsStr() = 0;
+
+ const char *helperRequestKeyExtras(HttpRequest *, AccessLogEntry::Pointer &al);
+
+ /// Sets the reason of 'authentication denied' helper response.
+ void denyMessageFromHelper(char const *proto, const Helper::Reply &reply);
+
+protected:
+ /**
+ * The scheme-specific actions to be performed when sending helper lookup.
+ *
+ * \see void start(HttpRequest *, AccessLogEntry::Pointer &, AUTHCB *, void *);
+ */
+ virtual void startHelperLookup(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data) = 0;
+
private:
- static AuthAclState authenticate(UserRequest::Pointer * auth_user_request, http_hdr_type headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr);
+ static AuthAclState authenticate(UserRequest::Pointer * auth_user_request, Http::HdrType headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr, AccessLogEntry::Pointer &al);
/** return a message on the 407 error pages */
char *message;
/* AuthUserRequest */
/// \ingroup AuthAPI
-extern void authenticateFixHeader(HttpReply *, Auth::UserRequest::Pointer, HttpRequest *, int, int);
+void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer, Ip::Address const &);
/// \ingroup AuthAPI
-extern void authenticateAddTrailer(HttpReply *, Auth::UserRequest::Pointer, HttpRequest *, int);
-
-/// \ingroup AuthAPI
-extern void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer, Ip::Address const &);
+void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer);
/// \ingroup AuthAPI
-extern void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer);
-/// \ingroup AuthAPI
-extern int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer);
+int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer);
/// \ingroup AuthAPI
/// See Auth::UserRequest::authenticated()
-extern int authenticateUserAuthenticated(Auth::UserRequest::Pointer);
+int authenticateUserAuthenticated(Auth::UserRequest::Pointer);
#endif /* USE_AUTH */
#endif /* SQUID_AUTHUSERREQUEST_H */
+
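Review bot: The new `#define MAX_AUTHTOKEN_LEN 65535` doubles the token buffer size but leaves it a duplicated constant, and the replacement comment drops the one concrete location the old comment named in favour of a manual `bzr grep`; because the auth helpers are built as separate programs, a helper copy left at the old 32768 could truncate or reject tokens that Squid now accepts, and nothing in this header would detect the mismatch. I would move the definition into a small header that both Squid and the helpers include, or at least keep the known duplicate sites named: `// XXX: duplicated in helpers/negotiate_auth/kerberos/negotiate_kerb_auth.cc and others; grep 'define MAX_AUTHTOKEN_LEN' and update every copy when changing this`. Separately, the new pure virtual `credentialsStr()` is documented only as "the credentials send by client"; since the returned text is presumably the raw client token (which for Basic would carry the password) and it appears alongside the new `helperRequestKeyExtras()` and access-log plumbing, its doc comment should fix the typo and warn callers, e.g. `/// Raw credentials token as sent by the client; may contain a cleartext secret, so never log it or echo it into a reply unescaped`. The `AuthUserIP` and `UserRequest` class bodies extend outside the visible hunks, so the ownership of the raw `char *message` member and the callers of these new methods could not be checked here.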