static void
authenticateStateFree(authenticateStateData * r)
{
authenticateAuthUserRequestUnlock(r->auth_user_request);
r->auth_user_request = NULL;
cbdataFree(r);
}
void
requestDestroy(request_t * req)
{
assert(req);
if (req->body_reader)
requestAbortBody(req);
if (req->auth_user_request)
authenticateAuthUserRequestUnlock(req->auth_user_request);
safe_free(req->canonical);
safe_free(req->vary_hdr);
safe_free(req->vary_headers);
stringClean(&req->vary_encoding);
safe_free(req->urlgroup);
safe_free(req->extacl_user);
safe_free(req->extacl_passwd);
stringClean(&req->urlpath);
httpHeaderClean(&req->header);
if (req->cache_control)
httpHdrCcDestroy(req->cache_control);
if (req->range)
httpHdrRangeDestroy(req->range);
stringClean(&req->extacl_log);
if (req->vary) {
if (req->etags == &req->vary->etags)
req->etags = NULL;
storeLocateVaryDone(req->vary);
req->vary = NULL;
}
assert(req->etags == NULL);
safe_free(req->etag);
if (req->pinned_connection)
cbdataUnlock(req->pinned_connection);
req->pinned_connection = NULL;
memFree(req, MEM_REQUEST_T);
}
void
errorStateFree(ErrorState * err)
{
requestUnlink(err->request);
safe_free(err->redirect_url);
safe_free(err->url);
safe_free(err->dnsserver_msg);
safe_free(err->request_hdrs);
wordlistDestroy(&err->ftp.server_msg);
safe_free(err->ftp.request);
safe_free(err->ftp.reply);
if (err->auth_user_request)
authenticateAuthUserRequestUnlock(err->auth_user_request);
err->auth_user_request = NULL;
cbdataFree(err);
}
static void
authenticateAuthUserRequestUnlinkIp(const struct in_addr ipaddr)
{
auth_user_request_ip_hash_t *hash_entry;
if (!auth_user_request_ip_hash)
return;
hash_entry = hash_lookup(auth_user_request_ip_hash, &ipaddr);
if (hash_entry)
{
hash_remove_link(auth_user_request_ip_hash, &hash_entry->hash);
authenticateAuthUserRequestUnlock(hash_entry->auth_user_request);
memPoolFree(auth_user_request_ip_pool, hash_entry);
}
}
void
requestDestroy(request_t * req)
{
assert(req);
if (req->body_connection)
clientAbortBody(req);
if (req->auth_user_request)
authenticateAuthUserRequestUnlock(req->auth_user_request);
safe_free(req->canonical);
safe_free(req->vary_headers);
stringClean(&req->urlpath);
httpHeaderClean(&req->header);
if (req->cache_control)
httpHdrCcDestroy(req->cache_control);
if (req->range)
httpHdrRangeDestroy(req->range);
memFree(req, MEM_REQUEST_T);
}
/* clear any connection related authentication details */
static void
authenticateNegotiateOnCloseConnection(ConnStateData * conn)
{
negotiate_request_t *negotiate_request;
assert(conn != NULL);
if (conn->auth_user_request != NULL) {
assert(conn->auth_user_request->scheme_data != NULL);
negotiate_request = conn->auth_user_request->scheme_data;
assert(negotiate_request->conn == conn);
if (negotiate_request->authserver != NULL)
authenticateNegotiateReleaseServer(negotiate_request);
/* unlock the connection based lock */
debug(29, 9) ("authenticateNegotiateOnCloseConnection: Unlocking auth_user from the connection.\n");
/* minor abstraction break here: FIXME */
/* Ensure that the auth user request will be getting closed */
/* IFF we start persisting the struct after the conn closes - say for logging
* then this test may become invalid
*/
assert(conn->auth_user_request->references == 1);
authenticateAuthUserRequestUnlock(conn->auth_user_request);
conn->auth_user_request = NULL;
}
}
/* returns one of
* AUTH_ACL_CHALLENGE,
* AUTH_ACL_HELPER,
* AUTH_ACL_CANNOT_AUTHENTICATE,
* AUTH_AUTHENTICATED
*
* How to use: In your proxy-auth dependent acl code, use the following
* construct:
* int rv;
* if ((rv = AuthenticateAuthenticate()) != AUTH_AUTHENTICATED)
* return rv;
*
* when this code is reached, the request/connection is authenticated.
*
* if you have non-acl code, but want to force authentication, you need a
* callback mechanism like the acl testing routines that will send a 40[1|7] to
* the client when rv==AUTH_ACL_CHALLENGE, and will communicate with
* the authenticateStart routine for rv==AUTH_ACL_HELPER
*/
auth_acl_t
authenticateAuthenticate(auth_user_request_t ** auth_user_request, http_hdr_type headertype, request_t * request, ConnStateData * conn, struct in_addr src_addr)
{
const char *proxy_auth;
assert(headertype != 0);
proxy_auth = httpHeaderGetStr(&request->header, headertype);
/*
* a note on proxy_auth logix here:
* proxy_auth==NULL -> unauthenticated request || already
* authenticated connection so we test for an authenticated
* connection when we recieve no authentication header.
*/
if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(authTryGetUser(auth_user_request, conn, request))))
|| (conn && conn->auth_type == AUTH_BROKEN)) {
/* no header or authentication failed/got corrupted - restart */
if (conn)
conn->auth_type = AUTH_UNKNOWN;
debug(28, 4) ("authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.\n");
/* something wrong with the AUTH credentials. Force a new attempt */
if (conn && conn->auth_user_request) {
authenticateAuthUserRequestUnlock(conn->auth_user_request);
conn->auth_user_request = NULL;
}
if (*auth_user_request) {
/* unlock the ACL lock */
authenticateAuthUserRequestUnlock(*auth_user_request);
*auth_user_request = NULL;
}
return AUTH_ACL_CHALLENGE;
}
#if 0
/*
* Is this an already authenticated connection with a new auth header?
* No check for function required in the if: its compulsory for conn based
* auth modules
*/
if (proxy_auth && conn && conn->auth_user_request &&
authenticateUserAuthenticated(conn->auth_user_request) &&
strcmp(proxy_auth, authscheme_list[conn->auth_user_request->auth_user->auth_module - 1].authConnLastHeader(conn->auth_user_request))) {
debug(28, 2) ("authenticateAuthenticate: DUPLICATE AUTH - authentication header on already authenticated connection!. AU %p, Current user '%s' proxy_auth %s\n", conn->auth_user_request, authenticateUserRequestUsername(conn->auth_user_request), proxy_auth);
/* remove this request struct - the link is already authed and it can't be to
* reauth.
*/
/* This should _only_ ever occur on the first pass through
* authenticateAuthenticate
*/
assert(*auth_user_request == NULL);
/* unlock the conn lock on the auth_user_request */
authenticateAuthUserRequestUnlock(conn->auth_user_request);
/* mark the conn as non-authed. */
conn->auth_user_request = NULL;
/* Set the connection auth type */
conn->auth_type = AUTH_UNKNOWN;
}
#endif
/* we have a proxy auth header and as far as we know this connection has
* not had bungled connection oriented authentication happen on it. */
debug(28, 9) ("authenticateAuthenticate: header %s.\n", proxy_auth ? proxy_auth : NULL);
if (*auth_user_request == NULL) {
debug(28, 9) ("authenticateAuthenticate: This is a new checklist test on FD:%d\n",
conn ? conn->fd : -1);
if ((!request->auth_user_request)
&& (!conn || conn->auth_type == AUTH_UNKNOWN)) {
/* beginning of a new request check */
debug(28, 4) ("authenticateAuthenticate: no connection authentication type\n");
if (!authenticateValidateUser(*auth_user_request =
authenticateGetAuthUser(proxy_auth))) {
/* the decode might have left a username for logging, or a message to
* the user */
if (authenticateUserRequestUsername(*auth_user_request)) {
/* lock the user for the request structure link */
authenticateAuthUserRequestLock(*auth_user_request);
request->auth_user_request = *auth_user_request;
}
/* unlock the ACL reference granted by ...GetAuthUser. */
authenticateAuthUserRequestUnlock(*auth_user_request);
*auth_user_request = NULL;
return AUTH_ACL_CHALLENGE;
}
/* the user_request comes prelocked for the caller to GetAuthUser (us) */
} else if (request->auth_user_request) {
*auth_user_request = request->auth_user_request;
/* lock the user request for this ACL processing */
authenticateAuthUserRequestLock(*auth_user_request);
} else {
assert(conn);
if (conn->auth_user_request != NULL) {
*auth_user_request = conn->auth_user_request;
/* lock the user request for this ACL processing */
authenticateAuthUserRequestLock(*auth_user_request);
} else {
/* failed connection based authentication */
debug(28, 4) ("authenticateAuthenticate: Auth user request %p conn-auth user request %p conn type %d authentication failed.\n",
*auth_user_request, conn->auth_user_request, conn->auth_type);
authenticateAuthUserRequestUnlock(*auth_user_request);
*auth_user_request = NULL;
return AUTH_ACL_CHALLENGE;
}
}
}
if (!authenticateUserAuthenticated(*auth_user_request)) {
/* User not logged in. Log them in */
authenticateAuthenticateUser(*auth_user_request, request,
conn, headertype);
switch (authenticateDirection(*auth_user_request)) {
case 1:
if (!request->auth_user_request) {
/* lock the user for the request structure link */
authenticateAuthUserRequestLock(*auth_user_request);
request->auth_user_request = *auth_user_request;
}
/* fallthrough to -2 */
case -2:
/* this ACL check is finished. Unlock. */
authenticateAuthUserRequestUnlock(*auth_user_request);
*auth_user_request = NULL;
return AUTH_ACL_CHALLENGE;
case -1:
/* we are partway through authentication within squid,
* the *auth_user_request variables stores the auth_user_request
* for the callback to here - Do not Unlock */
return AUTH_ACL_HELPER;
}
/* on 0 the authentication is finished - fallthrough */
/* See if user authentication failed for some reason */
if (!authenticateUserAuthenticated(*auth_user_request)) {
if ((authenticateUserRequestUsername(*auth_user_request))) {
if (!request->auth_user_request) {
/* lock the user for the request structure link */
authenticateAuthUserRequestLock(*auth_user_request);
request->auth_user_request = *auth_user_request;
}
}
/* this ACL check is finished. Unlock. */
authenticateAuthUserRequestUnlock(*auth_user_request);
*auth_user_request = NULL;
return AUTH_ACL_CHALLENGE;
}
}
/* copy username to request for logging on client-side */
/* the credentials are correct at this point */
if (!request->auth_user_request) {
/* lock the user for the request structure link */
authenticateAuthUserRequestLock(*auth_user_request);
request->auth_user_request = *auth_user_request;
authenticateAuthUserRequestSetIp(*auth_user_request, src_addr);
}
/* Unlock the request - we've authenticated it */
authenticateAuthUserRequestUnlock(*auth_user_request);
*auth_user_request = NULL;
return AUTH_AUTHENTICATED;
}
