From: Amos Jeffries Date: Wed, 21 Dec 2016 12:42:05 +0000 (+1300) Subject: Updates after audit X-Git-Tag: M-staged-PR71~333^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=00ef8d82e6ecc2bd666e150617bc9d5009c64c12;p=thirdparty%2Fsquid.git Updates after audit --- diff --git a/src/auth/Config.h b/src/auth/Config.h index 5a684c65e9..8cd9435721 100644 --- a/src/auth/Config.h +++ b/src/auth/Config.h @@ -20,7 +20,14 @@ namespace Auth class Config { + explicit Config(const Config &) = delete; + explicit Config(const Config *) = delete; + public: + Config() = default; + explicit Config(Config &&) = default; + ~Config() { assert(!schemeAccess); } + /// set of auth_params directives Auth::ConfigVector schemes; @@ -31,13 +38,15 @@ public: acl_access *schemeAccess = nullptr; /// the authenticate_cache_garbage_interval - time_t authenticateGCInterval; + time_t garbageCollectInterval = 0; + // TODO replace this directive with per-Scheme 'credentialsttl' + // and make Scheme::expirestime the real time-when-expires. /// the authenticate_ttl - time_t authenticateTTL; + time_t credentialsTtl = 0; /// the authenticate_ip_ttl - time_t authenticateIpTTL; + time_t ipTtl = 0; }; extern Auth::Config TheConfig; diff --git a/src/auth/CredentialsCache.cc b/src/auth/CredentialsCache.cc index 8e9ae4b5fc..e230c4ba54 100644 --- a/src/auth/CredentialsCache.cc +++ b/src/auth/CredentialsCache.cc @@ -84,7 +84,7 @@ void CredentialsCache::cleanup() { // cache entries with expiretime <= expirationTime are to be evicted - const time_t expirationTime = current_time.tv_sec - Auth::TheConfig.authenticateTTL; + const time_t expirationTime = current_time.tv_sec - Auth::TheConfig.credentialsTtl; const auto end = store_.end(); for (auto i = store_.begin(); i != end;) { @@ -132,7 +132,7 @@ CredentialsCache::scheduleCleanup() if (!gcScheduled_ && store_.size()) { gcScheduled_ = true; eventAdd(cacheCleanupEventName, &CredentialsCache::Cleanup, - this, Auth::TheConfig.authenticateGCInterval, 1); + this, Auth::TheConfig.garbageCollectInterval, 1); } } diff --git a/src/auth/Gadgets.cc b/src/auth/Gadgets.cc index b2d6f6a325..014f052b8b 100644 --- a/src/auth/Gadgets.cc +++ b/src/auth/Gadgets.cc @@ -39,7 +39,7 @@ authenticateActiveSchemeCount(void) { int rv = 0; - for (auto *scheme : Auth::TheConfig.schemes) { + for (const auto *scheme : Auth::TheConfig.schemes) { if (scheme->configured()) ++rv; } diff --git a/src/auth/User.cc b/src/auth/User.cc index afc82eca29..bbdcfd51d3 100644 --- a/src/auth/User.cc +++ b/src/auth/User.cc @@ -200,7 +200,7 @@ Auth::User::addIp(Ip::Address ipaddr) /* This ip has already been seen. */ found = 1; /* update IP ttl */ - ipdata->ip_expiretime = squid_curtime + Auth::TheConfig.authenticateIpTTL; + ipdata->ip_expiretime = squid_curtime + Auth::TheConfig.ipTtl; } else if (ipdata->ip_expiretime <= squid_curtime) { /* This IP has expired - remove from the seen list */ dlinkDelete(&ipdata->node, &ip_list); @@ -217,7 +217,7 @@ Auth::User::addIp(Ip::Address ipaddr) return; /* This ip is not in the seen list */ - ipdata = new AuthUserIP(ipaddr, squid_curtime + Auth::TheConfig.authenticateIpTTL); + ipdata = new AuthUserIP(ipaddr, squid_curtime + Auth::TheConfig.ipTtl); dlinkAddTail(ipdata, &ipdata->node, &ip_list); @@ -257,7 +257,7 @@ Auth::User::CredentialsCacheStats(StoreEntry *output) Auth::Type_str[auth_user->auth_type], CredentialState_str[auth_user->credentials()], auth_user->ttl(), - static_cast(auth_user->expiretime - squid_curtime + Auth::TheConfig.authenticateTTL), + static_cast(auth_user->expiretime - squid_curtime + Auth::TheConfig.credentialsTtl), auth_user->username(), SQUIDSBUFPRINT(auth_user->userKey()) ); diff --git a/src/auth/basic/User.cc b/src/auth/basic/User.cc index 5f541d3a38..dfcd1c6a4a 100644 --- a/src/auth/basic/User.cc +++ b/src/auth/basic/User.cc @@ -32,7 +32,7 @@ Auth::Basic::User::ttl() const return -1; // TTL is obsolete NOW. int32_t basic_ttl = expiretime - squid_curtime + static_cast(config)->credentialsTTL; - int32_t global_ttl = static_cast(expiretime - squid_curtime + Auth::TheConfig.authenticateTTL); + int32_t global_ttl = static_cast(expiretime - squid_curtime + Auth::TheConfig.credentialsTtl); return min(basic_ttl, global_ttl); } diff --git a/src/auth/digest/User.cc b/src/auth/digest/User.cc index 4a3594d2da..6264256e7c 100644 --- a/src/auth/digest/User.cc +++ b/src/auth/digest/User.cc @@ -39,7 +39,7 @@ Auth::Digest::User::~User() int32_t Auth::Digest::User::ttl() const { - int32_t global_ttl = static_cast(expiretime - squid_curtime + Auth::TheConfig.authenticateTTL); + int32_t global_ttl = static_cast(expiretime - squid_curtime + Auth::TheConfig.credentialsTtl); /* find the longest lasting nonce. */ int32_t latest_nonce = -1; diff --git a/src/cf.data.pre b/src/cf.data.pre index 029991ffa9..f2d964ff0e 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -719,7 +719,7 @@ NAME: authenticate_cache_garbage_interval IFDEF: USE_AUTH TYPE: time_t DEFAULT: 1 hour -LOC: Auth::TheConfig.authenticateGCInterval +LOC: Auth::TheConfig.garbageCollectInterval DOC_START The time period between garbage collection across the username cache. This is a trade-off between memory utilization (long intervals - say @@ -731,7 +731,7 @@ NAME: authenticate_ttl IFDEF: USE_AUTH TYPE: time_t DEFAULT: 1 hour -LOC: Auth::TheConfig.authenticateTTL +LOC: Auth::TheConfig.credentialsTtl DOC_START The time a user & their credentials stay in the logged in user cache since their last request. When the garbage @@ -742,7 +742,7 @@ DOC_END NAME: authenticate_ip_ttl IFDEF: USE_AUTH TYPE: time_t -LOC: Auth::TheConfig.authenticateIpTTL +LOC: Auth::TheConfig.ipTtl DEFAULT: 1 second DOC_START If you use proxy authentication and the 'max_user_ip' ACL,