UserRequest.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 29 Authenticator */
10 
11 /* The functions in this file handle authentication.
12  * They DO NOT perform access control or auditing.
13  * See acl.c for access control and client_side.c for auditing */
14 
15 #include "squid.h"
16 #include "acl/FilledChecklist.h"
17 #include "auth/Config.h"
18 #include "client_side.h"
19 #include "comm/Connection.h"
20 #include "fatal.h"
21 #include "format/Format.h"
22 #include "helper.h"
23 #include "helper/Reply.h"
24 #include "http/Stream.h"
25 #include "HttpReply.h"
26 #include "HttpRequest.h"
27 #include "MemBuf.h"
28 
29 /* Generic Functions */
30 
31 char const *
32 Auth::UserRequest::username() const
33 {
34  if (user() != nullptr)
35  return user()->username();
36  else
37  return nullptr;
38 }
39 
40 /**** PUBLIC FUNCTIONS (ALL GENERIC!) ****/
41 
42 /* send the initial data to an authenticator module */
43 void
44 Auth::UserRequest::start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB * handler, void *data)
45 {
46  assert(handler);
47  assert(data);
48  debugs(29, 9, this);
49  startHelperLookup(request, al, handler, data);
50 }
51 
52 bool
53 Auth::UserRequest::valid() const
54 {
55  debugs(29, 9, "Validating Auth::UserRequest '" << this << "'.");
56 
57  if (user() == nullptr) {
58  debugs(29, 4, "No associated Auth::User data");
59  return false;
60  }
61 
62  if (user()->auth_type == Auth::AUTH_UNKNOWN) {
63  debugs(29, 4, "Auth::User '" << user() << "' uses unknown scheme.");
64  return false;
65  }
66 
67  if (user()->auth_type == Auth::AUTH_BROKEN) {
68  debugs(29, 4, "Auth::User '" << user() << "' is broken for it's scheme.");
69  return false;
70  }
71 
72  /* any other sanity checks that we need in the future */
73 
74  /* finally return ok */
75  debugs(29, 5, "Validated. Auth::UserRequest '" << this << "'.");
76  return true;
77 }
78 
79 void *
80 Auth::UserRequest::operator new (size_t)
81 {
82  fatal("Auth::UserRequest not directly allocatable\n");
83  return (void *)1;
84 }
85 
86 void
87 Auth::UserRequest::operator delete (void *)
88 {
89  fatal("Auth::UserRequest child failed to override operator delete\n");
90 }
91 
92 Auth::UserRequest::UserRequest():
93  _auth_user(nullptr),
94  message(nullptr),
95  lastReply(AUTH_ACL_CANNOT_AUTHENTICATE)
96 {
97  debugs(29, 5, "initialised request " << this);
98 }
99 
100 Auth::UserRequest::~UserRequest()
101 {
102  assert(LockCount()==0);
103  debugs(29, 5, "freeing request " << this);
104 
105  if (user() != nullptr) {
106  /* release our references to the user credentials */
107  user(nullptr);
108  }
109 
110  safe_free(message);
111 }
112 
113 void
114 Auth::UserRequest::setDenyMessage(char const *aString)
115 {
116  safe_free(message);
117  message = xstrdup(aString);
118 }
119 
120 char const *
121 Auth::UserRequest::getDenyMessage() const
122 {
123  return message;
124 }
125 
126 char const *
127 Auth::UserRequest::denyMessage(char const * const default_message) const
128 {
129  if (getDenyMessage() == nullptr)
130  return default_message;
131 
132  return getDenyMessage();
133 }
134 
135 bool
136 Auth::UserRequest::authenticated() const
137 {
138  const auto u = user();
139  if (u && u->credentials() == Auth::Ok) {
140  debugs(29, 7, "yes");
141  return true;
142  }
143 
144  debugs(29, 7, "no");
145  return false;
146 }
147 
148 static void
149 authenticateAuthUserRequestSetIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address &ipaddr)
150 {
151  Auth::User::Pointer auth_user = auth_user_request->user();
152 
153  if (!auth_user)
154  return;
155 
156  auth_user->addIp(ipaddr);
157 }
158 
159 void
160 authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &ipaddr)
161 {
162  Auth::User::Pointer auth_user = auth_user_request->user();
163 
164  if (!auth_user)
165  return;
166 
167  auth_user->removeIp(ipaddr);
168 }
169 
170 void
171 authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer auth_user_request)
172 {
173  if (auth_user_request != nullptr)
174  auth_user_request->user()->clearIp();
175 }
176 
177 int
178 authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer auth_user_request)
179 {
180  assert(auth_user_request != nullptr);
181  assert(auth_user_request->user() != nullptr);
182  return auth_user_request->user()->ipcount;
183 }
184 
185 /*
186  * authenticateUserAuthenticated: is this auth_user structure logged in ?
187  */
188 bool
189 authenticateUserAuthenticated(const Auth::UserRequest::Pointer &auth_user_request)
190 {
191  if (!auth_user_request || !auth_user_request->valid())
192  return false;
193 
194  return auth_user_request->authenticated();
195 }
196 
197 Auth::Direction
198 Auth::UserRequest::direction()
199 {
200  if (user() == nullptr)
201  return Auth::CRED_ERROR; // No credentials. Should this be a CHALLENGE instead?
202 
203  if (authenticateUserAuthenticated(this))
204  return Auth::CRED_VALID;
205 
206  return module_direction();
207 }
208 
209 void
210 Auth::UserRequest::addAuthenticationInfoHeader(HttpReply *, int)
211 {}
212 
213 void
214 Auth::UserRequest::addAuthenticationInfoTrailer(HttpReply *, int)
215 {}
216 
217 void
218 Auth::UserRequest::releaseAuthServer()
219 {}
220 
221 const char *
222 Auth::UserRequest::connLastHeader()
223 {
224  fatal("Auth::UserRequest::connLastHeader should always be overridden by conn based auth schemes");
225  return nullptr;
226 }
227 
228 /*
229  * authenticateAuthenticateUser: call the module specific code to
230  * log this user request in.
231  * Cache hits may change the auth_user pointer in the structure if needed.
232  * This is basically a handle approach.
233  */
234 static void
235 authenticateAuthenticateUser(Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, ConnStateData * conn, Http::HdrType type)
236 {
237  assert(auth_user_request.getRaw() != nullptr);
238 
239  auth_user_request->authenticate(request, conn, type);
240 }
241 
242 static Auth::UserRequest::Pointer
243 authTryGetUser(Auth::UserRequest::Pointer auth_user_request, ConnStateData * conn, HttpRequest * request)
244 {
245  Auth::UserRequest::Pointer res;
246 
247  if (auth_user_request != nullptr)
248  res = auth_user_request;
249  else if (request != nullptr && request->auth_user_request != nullptr)
250  res = request->auth_user_request;
251  else if (conn != nullptr)
252  res = conn->getAuth();
253 
254  // attach the credential notes from helper to the transaction
255  if (request != nullptr && res != nullptr && res->user() != nullptr) {
256  // XXX: we have no access to the transaction / AccessLogEntry so can't SyncNotes().
257  // workaround by using anything already set in HttpRequest
258  // OR use new and rely on a later Sync copying these to AccessLogEntry
259 
260  UpdateRequestNotes(conn, *request, res->user()->notes);
261  }
262 
263  return res;
264 }
265 
266 /* returns one of
267  * AUTH_ACL_CHALLENGE,
268  * AUTH_ACL_HELPER,
269  * AUTH_ACL_CANNOT_AUTHENTICATE,
270  * AUTH_AUTHENTICATED
271  *
272  * How to use: In your proxy-auth dependent acl code, use the following
273  * construct:
274  * int rv;
275  * if ((rv = AuthenticateAuthenticate()) != AUTH_AUTHENTICATED)
276  * return rv;
277  *
278  * when this code is reached, the request/connection is authenticated.
279  *
280  * if you have non-acl code, but want to force authentication, you need a
281  * callback mechanism like the acl testing routines that will send a 40[1|7] to
282  * the client when rv==AUTH_ACL_CHALLENGE, and will communicate with
283  * the authenticateStart routine for rv==AUTH_ACL_HELPER
284  *
285  * Caller is responsible for locking and unlocking their *auth_user_request!
286  */
287 AuthAclState
288 Auth::UserRequest::authenticate(Auth::UserRequest::Pointer * auth_user_request, Http::HdrType headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr, AccessLogEntry::Pointer &al)
289 {
290  const char *proxy_auth;
291  assert(headertype != 0);
292 
293  proxy_auth = request->header.getStr(headertype);
294 
295  /*
296  * a note on proxy_auth logix here:
297  * proxy_auth==NULL -> unauthenticated request || already
298  * authenticated connection so we test for an authenticated
299  * connection when we receive no authentication header.
300  */
301 
302  /* a) can we find other credentials to use? and b) are they logged in already? */
303  if (proxy_auth == nullptr && !authenticateUserAuthenticated(authTryGetUser(*auth_user_request,conn,request))) {
304  /* no header or authentication failed/got corrupted - restart */
305  debugs(29, 4, "No Proxy-Auth header and no working alternative. Requesting auth header.");
306 
307  /* something wrong with the AUTH credentials. Force a new attempt */
308 
309  /* connection auth we must reset on auth errors */
310  if (conn != nullptr) {
311  conn->setAuth(nullptr, "HTTP request missing credentials");
312  }
313 
314  *auth_user_request = nullptr;
315  return AUTH_ACL_CHALLENGE;
316  }
317 
318  /*
319  * Is this an already authenticated connection with a new auth header?
320  * No check for function required in the if: its compulsory for conn based
321  * auth modules
322  */
323  if (proxy_auth && conn != nullptr && conn->getAuth() != nullptr &&
324  authenticateUserAuthenticated(conn->getAuth()) &&
325  conn->getAuth()->connLastHeader() != nullptr &&
326  strcmp(proxy_auth, conn->getAuth()->connLastHeader())) {
327  debugs(29, 2, "WARNING: DUPLICATE AUTH - authentication header on already authenticated connection!. AU " <<
328  conn->getAuth() << ", Current user '" <<
329  conn->getAuth()->username() << "' proxy_auth " <<
330  proxy_auth);
331 
332  /* remove this request struct - the link is already authed and it can't be to reauth. */
333 
334  /* This should _only_ ever occur on the first pass through
335  * authenticateAuthenticate
336  */
337  assert(*auth_user_request == nullptr);
338  conn->setAuth(nullptr, "changed credentials token");
339  }
340 
341  /* we have a proxy auth header and as far as we know this connection has
342  * not had bungled connection oriented authentication happen on it. */
343  debugs(29, 9, "header " << (proxy_auth ? proxy_auth : "-") << ".");
344 
345  if (*auth_user_request == nullptr) {
346  if (conn != nullptr) {
347  debugs(29, 9, "This is a new checklist test on:" << conn->clientConnection);
348  }
349 
350  if (proxy_auth && request->auth_user_request == nullptr && conn != nullptr && conn->getAuth() != nullptr) {
351  Auth::SchemeConfig * scheme = Auth::SchemeConfig::Find(proxy_auth);
352 
353  if (conn->getAuth()->user() == nullptr || conn->getAuth()->user()->config != scheme) {
354  debugs(29, DBG_IMPORTANT, "WARNING: Unexpected change of authentication scheme from '" <<
355  (conn->getAuth()->user()!=nullptr?conn->getAuth()->user()->config->type():"[no user]") <<
356  "' to '" << proxy_auth << "' (client " <<
357  src_addr << ")");
358 
359  conn->setAuth(nullptr, "changed auth scheme");
360  }
361  }
362 
363  if (request->auth_user_request == nullptr && (conn == nullptr || conn->getAuth() == nullptr)) {
364  /* beginning of a new request check */
365  debugs(29, 4, "No connection authentication type");
366 
367  *auth_user_request = Auth::SchemeConfig::CreateAuthUser(proxy_auth, al);
368  if (*auth_user_request == nullptr)
369  return AUTH_ACL_CHALLENGE;
370  else if (!(*auth_user_request)->valid()) {
371  /* the decode might have left a username for logging, or a message to
372  * the user */
373 
374  if ((*auth_user_request)->username()) {
375  request->auth_user_request = *auth_user_request;
376  }
377 
378  *auth_user_request = nullptr;
379  return AUTH_ACL_CHALLENGE;
380  }
381 
382  } else if (request->auth_user_request != nullptr) {
383  *auth_user_request = request->auth_user_request;
384  } else {
385  assert (conn != nullptr);
386  if (conn->getAuth() != nullptr) {
387  *auth_user_request = conn->getAuth();
388  } else {
389  /* failed connection based authentication */
390  debugs(29, 4, "Auth user request " << *auth_user_request << " conn-auth missing and failed to authenticate.");
391  *auth_user_request = nullptr;
392  return AUTH_ACL_CHALLENGE;
393  }
394  }
395  }
396 
397  if (!authenticateUserAuthenticated(*auth_user_request)) {
398  /* User not logged in. Try to log them in */
399  authenticateAuthenticateUser(*auth_user_request, request, conn, headertype);
400 
401  switch ((*auth_user_request)->direction()) {
402 
403  case Auth::CRED_CHALLENGE:
404 
405  if (request->auth_user_request == nullptr) {
406  request->auth_user_request = *auth_user_request;
407  }
408  *auth_user_request = nullptr;
409  return AUTH_ACL_CHALLENGE;
410 
411  case Auth::CRED_ERROR:
412  /* this ACL check is finished. */
413  *auth_user_request = nullptr;
414  return AUTH_ACL_CHALLENGE;
415 
416  case Auth::CRED_LOOKUP:
417  /* we are partway through authentication within squid,
418  * the *auth_user_request variables stores the auth_user_request
419  * for the callback to here - Do not Unlock */
420  return AUTH_ACL_HELPER;
421 
422  case Auth::CRED_VALID:
423  /* authentication is finished */
424  /* See if user authentication failed for some reason */
425  if (!authenticateUserAuthenticated(*auth_user_request)) {
426  if ((*auth_user_request)->username()) {
427  if (!request->auth_user_request) {
428  request->auth_user_request = *auth_user_request;
429  }
430  }
431 
432  *auth_user_request = nullptr;
433  return AUTH_ACL_CHALLENGE;
434  }
435  // otherwise fallthrough to acceptance.
436  }
437  }
438 
439  /* copy username to request for logging on client-side */
440  /* the credentials are correct at this point */
441  if (request->auth_user_request == nullptr) {
442  request->auth_user_request = *auth_user_request;
443  authenticateAuthUserRequestSetIp(*auth_user_request, src_addr);
444  }
445 
446  return AUTH_AUTHENTICATED;
447 }
448 
449 AuthAclState
450 Auth::UserRequest::tryToAuthenticateAndSetAuthUser(Auth::UserRequest::Pointer * aUR, Http::HdrType headertype, HttpRequest * request, ConnStateData * conn, Ip::Address &src_addr, AccessLogEntry::Pointer &al)
451 {
452  // If we have already been called, return the cached value
453  Auth::UserRequest::Pointer t = authTryGetUser(*aUR, conn, request);
454 
455  if (t != nullptr && t->lastReply != AUTH_ACL_CANNOT_AUTHENTICATE && t->lastReply != AUTH_ACL_HELPER) {
456  if (*aUR == nullptr)
457  *aUR = t;
458 
459  if (request->auth_user_request == nullptr && t->lastReply == AUTH_AUTHENTICATED) {
460  request->auth_user_request = t;
461  }
462  return t->lastReply;
463  }
464 
465  // ok, call the actual authenticator routine.
466  AuthAclState result = authenticate(aUR, headertype, request, conn, src_addr, al);
467 
468  // auth process may have changed the UserRequest we are dealing with
469  t = authTryGetUser(*aUR, conn, request);
470 
471  if (t != nullptr && result != AUTH_ACL_CANNOT_AUTHENTICATE && result != AUTH_ACL_HELPER)
472  t->lastReply = result;
473 
474  return result;
475 }
476 
477 static Auth::ConfigVector &
478 schemesConfig(HttpRequest *request, HttpReply *rep)
479 {
480  if (!Auth::TheConfig.schemeLists.empty() && Auth::TheConfig.schemeAccess) {
481  ACLFilledChecklist ch(nullptr, request);
482  ch.updateReply(rep);
483  const auto &answer = ch.fastCheck(Auth::TheConfig.schemeAccess);
484  if (answer.allowed())
485  return Auth::TheConfig.schemeLists.at(answer.kind).authConfigs;
486  }
487  return Auth::TheConfig.schemes;
488 }
489 
490 void
491 Auth::UserRequest::AddReplyAuthHeader(HttpReply * rep, Auth::UserRequest::Pointer auth_user_request, HttpRequest * request, int accelerated, int internal)
492 /* send the auth types we are configured to support (and have compiled in!) */
493 {
494  Http::HdrType type;
495 
496  switch (rep->sline.status()) {
497 
498  case Http::scProxyAuthenticationRequired:
499  /* Proxy authorisation needed */
500  type = Http::HdrType::PROXY_AUTHENTICATE;
501  break;
502 
503  case Http::scUnauthorized:
504  /* WWW Authorisation needed */
505  type = Http::HdrType::WWW_AUTHENTICATE;
506  break;
507 
508  default:
509  /* Keep GCC happy */
510  /* some other HTTP status */
511  type = Http::HdrType::BAD_HDR;
512  break;
513  }
514 
515  debugs(29, 9, "headertype:" << type << " authuser:" << auth_user_request);
516 
517  if (((rep->sline.status() == Http::scProxyAuthenticationRequired)
518  || (rep->sline.status() == Http::scUnauthorized)) && internal)
519  /* this is a authenticate-needed response */
520  {
521 
522  if (auth_user_request != nullptr && auth_user_request->direction() == Auth::CRED_CHALLENGE)
523  /* add the scheme specific challenge header to the response */
524  auth_user_request->user()->config->fixHeader(auth_user_request, rep, type, request);
525  else {
526  /* call each configured & running auth scheme */
527  Auth::ConfigVector &configs = schemesConfig(request, rep);
528  for (auto *scheme : configs) {
529  if (scheme->active()) {
530  if (auth_user_request != nullptr && auth_user_request->scheme()->type() == scheme->type())
531  scheme->fixHeader(auth_user_request, rep, type, request);
532  else
533  scheme->fixHeader(nullptr, rep, type, request);
534  } else
535  debugs(29, 4, "Configured scheme " << scheme->type() << " not Active");
536  }
537  }
538 
539  }
540 
541  /*
542  * allow protocol specific headers to be _added_ to the existing
543  * response - currently Digest or Negotiate auth
544  */
545  if (auth_user_request != nullptr) {
546  auth_user_request->addAuthenticationInfoHeader(rep, accelerated);
547  if (auth_user_request->lastReply != AUTH_AUTHENTICATED)
548  auth_user_request->lastReply = AUTH_ACL_CANNOT_AUTHENTICATE;
549  }
550 }
551 
552 Auth::Scheme::Pointer
553 Auth::UserRequest::scheme() const
554 {
555  return Auth::Scheme::Find(user()->config->type());
556 }
557 
558 const char *
559 Auth::UserRequest::helperRequestKeyExtras(HttpRequest *request, AccessLogEntry::Pointer &al)
560 {
561  if (Format::Format *reqFmt = user()->config->keyExtras) {
562  static MemBuf mb;
563  mb.reset();
564  // We should pass AccessLogEntry as second argument ....
565  Auth::UserRequest::Pointer oldReq = request->auth_user_request;
566  request->auth_user_request = this;
567  reqFmt->assemble(mb, al, 0);
568  request->auth_user_request = oldReq;
569  debugs(29, 5, "Assembled line to send :" << mb.content());
570  return mb.content();
571  }
572  return nullptr;
573 }
574 
575 void
576 Auth::UserRequest::denyMessageFromHelper(const char *proto, const Helper::Reply &reply)
577 {
578  static SBuf messageNote;
579  if (!reply.notes.find(messageNote, "message")) {
580  messageNote.append(proto);
581  messageNote.append(" Authentication denied with no reason given");
582  }
583  setDenyMessage(messageNote.c_str());
584 }
585 
fatal
void fatal(const char *message)
Definition: fatal.cc:28
Auth::UserRequest::AddReplyAuthHeader
static void AddReplyAuthHeader(HttpReply *rep, UserRequest::Pointer auth_user_request, HttpRequest *request, int accelerated, int internal)
Add the appropriate [Proxy-]Authenticate header to the given reply.
Definition: UserRequest.cc:491
Http::scUnauthorized
@ scUnauthorized
Definition: StatusCode.h:46
client_side.h
authenticateAuthenticateUser
static void authenticateAuthenticateUser(Auth::UserRequest::Pointer auth_user_request, HttpRequest *request, ConnStateData *conn, Http::HdrType type)
Definition: UserRequest.cc:235
Auth::UserRequest::tryToAuthenticateAndSetAuthUser
static AuthAclState tryToAuthenticateAndSetAuthUser(UserRequest::Pointer *aUR, Http::HdrType, HttpRequest *, ConnStateData *, Ip::Address &, AccessLogEntry::Pointer &)
Definition: UserRequest.cc:450
HttpHeader::getStr
const char * getStr(Http::HdrType id) const
Definition: HttpHeader.cc:1163
ConnStateData::setAuth
void setAuth(const Auth::UserRequest::Pointer &aur, const char *cause)
Definition: client_side.cc:494
Http::Message::header
HttpHeader header
Definition: Message.h:74
Auth::Config::schemeAccess
acl_access * schemeAccess
the ACL list for auth_schemes directives
Definition: Config.h:35
Auth::SchemeConfig::fixHeader
virtual void fixHeader(UserRequest::Pointer, HttpReply *, Http::HdrType, HttpRequest *)=0
SBuf
Definition: SBuf.h:93
Auth::Config::schemes
Auth::ConfigVector schemes
set of auth_params directives
Definition: Config.h:29
Auth::UserRequest::helperRequestKeyExtras
const char * helperRequestKeyExtras(HttpRequest *, AccessLogEntry::Pointer &al)
Definition: UserRequest.cc:559
authenticate
static void authenticate(int socket_fd, const char *username, const char *passwd)
Definition: basic_radius_auth.cc:279
Auth::UserRequest::getDenyMessage
const char * getDenyMessage() const
Definition: UserRequest.cc:121
xstrdup
#define xstrdup
Definition: negotiate_wrapper.cc:51
Auth::CRED_LOOKUP
@ CRED_LOOKUP
Credentials need to be validated with the backend helper.
Definition: UserRequest.h:67
Auth::ConfigVector
std::vector< Auth::SchemeConfig * > ConfigVector
Definition: forward.h:23
AuthAclState
AuthAclState
Definition: AuthAclState.h:14
AUTH_AUTHENTICATED
@ AUTH_AUTHENTICATED
Definition: AuthAclState.h:18
HttpRequest::auth_user_request
Auth::UserRequest::Pointer auth_user_request
Definition: HttpRequest.h:127
RefCount::getRaw
C * getRaw() const
Definition: RefCount.h:89
Auth::TheConfig
Auth::Config TheConfig
Definition: Config.cc:15
HttpReply::sline
Http::StatusLine sline
Definition: HttpReply.h:56
authenticateAuthUserRequestSetIp
static void authenticateAuthUserRequestSetIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address &ipaddr)
Definition: UserRequest.cc:149
AUTH_ACL_CANNOT_AUTHENTICATE
@ AUTH_ACL_CANNOT_AUTHENTICATE
Definition: AuthAclState.h:17
Auth::UserRequest::setDenyMessage
void setDenyMessage(char const *)
Definition: UserRequest.cc:114
Auth::UserRequest::user
virtual User::Pointer user()
Definition: UserRequest.h:143
Auth::Direction
Direction
Definition: UserRequest.h:64
Auth::UserRequest::lastReply
AuthAclState lastReply
Definition: UserRequest.h:234
size_t
int const char size_t
Definition: stub_liblog.cc:83
Auth::SchemeConfig::Find
static SchemeConfig * Find(const char *proxy_auth)
Definition: SchemeConfig.cc:59
ACLFilledChecklist::updateReply
void updateReply(const HttpReply::Pointer &)
Definition: FilledChecklist.cc:254
AUTH_ACL_CHALLENGE
@ AUTH_ACL_CHALLENGE
Definition: AuthAclState.h:15
Auth::AUTH_UNKNOWN
@ AUTH_UNKNOWN
Definition: Type.h:18
Http::WWW_AUTHENTICATE
@ WWW_AUTHENTICATE
Definition: RegisteredHeaders.h:107
Auth::UserRequest::direction
Direction direction()
Definition: UserRequest.cc:198
authenticateAuthUserRequestRemoveIp
void authenticateAuthUserRequestRemoveIp(Auth::UserRequest::Pointer auth_user_request, Ip::Address const &ipaddr)
Definition: UserRequest.cc:160
Auth::UserRequest::~UserRequest
~UserRequest() override
Definition: UserRequest.cc:100
Auth::CRED_CHALLENGE
@ CRED_CHALLENGE
Client needs to be challenged. secure token.
Definition: UserRequest.h:65
Auth::UserRequest::valid
bool valid() const
Definition: UserRequest.cc:53
Http::StatusLine::status
Http::StatusCode status() const
retrieve the status code for this status line
Definition: StatusLine.h:45
Auth::UserRequest::username
const char * username() const
Definition: UserRequest.cc:32
ACLChecklist::fastCheck
const Acl::Answer & fastCheck()
Definition: Checklist.cc:298
authTryGetUser
static Auth::UserRequest::Pointer authTryGetUser(Auth::UserRequest::Pointer auth_user_request, ConnStateData *conn, HttpRequest *request)
Definition: UserRequest.cc:243
Auth::CRED_ERROR
@ CRED_ERROR
ERROR in the auth module. Cannot determine the state of this request.
Definition: UserRequest.h:68
MemBuf
Definition: MemBuf.h:23
Auth::User::clearIp
void clearIp()
Definition: User.cc:139
Auth::SchemeConfig::type
virtual const char * type() const =0
Helper::Reply::notes
NotePairs notes
Definition: Reply.h:62
Auth::User::notes
NotePairs notes
list of key=value pairs the helper produced
Definition: User.h:56
NotePairs::find
bool find(SBuf &resultNote, const char *noteKey, const char *sep=",") const
Definition: Notes.cc:281
safe_free
#define safe_free(x)
Definition: xalloc.h:73
assert
#define assert(EX)
Definition: assert.h:17
Auth::UserRequest::authenticate
virtual void authenticate(HttpRequest *request, ConnStateData *conn, Http::HdrType type)=0
Auth::UserRequest::addAuthenticationInfoTrailer
virtual void addAuthenticationInfoTrailer(HttpReply *rep, int accel)
Definition: UserRequest.cc:214
Auth::User::config
Auth::SchemeConfig * config
Definition: User.h:50
authenticateUserAuthenticated
bool authenticateUserAuthenticated(const Auth::UserRequest::Pointer &auth_user_request)
Definition: UserRequest.cc:189
authenticateAuthUserRequestIPCount
int authenticateAuthUserRequestIPCount(Auth::UserRequest::Pointer auth_user_request)
Definition: UserRequest.cc:178
SBuf::c_str
const char * c_str()
Definition: SBuf.cc:516
Server::clientConnection
Comm::ConnectionPointer clientConnection
Definition: Server.h:100
Auth::UserRequest::start
void start(HttpRequest *request, AccessLogEntry::Pointer &al, AUTHCB *handler, void *data)
Definition: UserRequest.cc:44
SBuf::append
SBuf & append(const SBuf &S)
Definition: SBuf.cc:185
schemesConfig
static Auth::ConfigVector & schemesConfig(HttpRequest *request, HttpReply *rep)
Definition: UserRequest.cc:478
Auth::UserRequest::denyMessageFromHelper
void denyMessageFromHelper(char const *proto, const Helper::Reply &reply)
Sets the reason of 'authentication denied' helper response.
Definition: UserRequest.cc:576
ConnStateData::getAuth
const Auth::UserRequest::Pointer & getAuth() const
Definition: client_side.h:123
Auth::UserRequest::connLastHeader
virtual const char * connLastHeader()
Definition: UserRequest.cc:222
Auth::UserRequest::denyMessage
const char * denyMessage(char const *const default_message=nullptr) const
Definition: UserRequest.cc:127
Auth::UserRequest::scheme
Scheme::Pointer scheme() const
Definition: UserRequest.cc:553
Auth::UserRequest::addAuthenticationInfoHeader
virtual void addAuthenticationInfoHeader(HttpReply *rep, int accel)
Definition: UserRequest.cc:210
Auth::CRED_VALID
@ CRED_VALID
Credentials are valid and a up to date. The OK/Failed state is accurate.
Definition: UserRequest.h:66
Auth::User::removeIp
void removeIp(Ip::Address)
Definition: User.cc:161
Auth::SchemeConfig::CreateAuthUser
static UserRequest::Pointer CreateAuthUser(const char *proxy_auth, AccessLogEntry::Pointer &al)
Definition: SchemeConfig.cc:33
Http::PROXY_AUTHENTICATE
@ PROXY_AUTHENTICATE
Definition: RegisteredHeaders.h:80
MemBuf::content
char * content()
start of the added data
Definition: MemBuf.h:41
Auth::Config::schemeLists
std::vector< Auth::SchemesConfig > schemeLists
set of auth_schemes directives
Definition: Config.h:32
Auth::Scheme::Find
static Scheme::Pointer Find(const char *)
Definition: Scheme.cc:33
DBG_IMPORTANT
#define DBG_IMPORTANT
Definition: Stream.h:38
Http::scProxyAuthenticationRequired
@ scProxyAuthenticationRequired
Definition: StatusCode.h:52
AUTH_ACL_HELPER
@ AUTH_ACL_HELPER
Definition: AuthAclState.h:16
MemBuf::reset
void reset()
Definition: MemBuf.cc:129
Auth::User::ipcount
size_t ipcount
Definition: User.h:52
Auth::AUTH_BROKEN
@ AUTH_BROKEN
Definition: Type.h:23
AUTHCB
void AUTHCB(void *)
Definition: UserRequest.h:57
Auth::User::addIp
void addIp(Ip::Address)
Definition: User.cc:184
authenticateAuthUserRequestClearIp
void authenticateAuthUserRequestClearIp(Auth::UserRequest::Pointer auth_user_request)
Definition: UserRequest.cc:171
Auth::UserRequest::authenticated
virtual bool authenticated() const
Definition: UserRequest.cc:136
debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:192
UpdateRequestNotes
void UpdateRequestNotes(ConnStateData *csd, HttpRequest &request, NotePairs const &helperNotes)
Definition: HttpRequest.cc:760
Auth::UserRequest::releaseAuthServer
virtual void releaseAuthServer()
Definition: UserRequest.cc:218

 

Introduction

Documentation

Support

Miscellaneous