static void authenticateStateFree(authenticateStateData * r) { authenticateAuthUserRequestUnlock(r->auth_user_request); r->auth_user_request = NULL; cbdataFree(r); }
void requestDestroy(request_t * req) { assert(req); if (req->body_reader) requestAbortBody(req); if (req->auth_user_request) authenticateAuthUserRequestUnlock(req->auth_user_request); safe_free(req->canonical); safe_free(req->vary_hdr); safe_free(req->vary_headers); stringClean(&req->vary_encoding); safe_free(req->urlgroup); safe_free(req->extacl_user); safe_free(req->extacl_passwd); stringClean(&req->urlpath); httpHeaderClean(&req->header); if (req->cache_control) httpHdrCcDestroy(req->cache_control); if (req->range) httpHdrRangeDestroy(req->range); stringClean(&req->extacl_log); if (req->vary) { if (req->etags == &req->vary->etags) req->etags = NULL; storeLocateVaryDone(req->vary); req->vary = NULL; } assert(req->etags == NULL); safe_free(req->etag); if (req->pinned_connection) cbdataUnlock(req->pinned_connection); req->pinned_connection = NULL; memFree(req, MEM_REQUEST_T); }
void errorStateFree(ErrorState * err) { requestUnlink(err->request); safe_free(err->redirect_url); safe_free(err->url); safe_free(err->dnsserver_msg); safe_free(err->request_hdrs); wordlistDestroy(&err->ftp.server_msg); safe_free(err->ftp.request); safe_free(err->ftp.reply); if (err->auth_user_request) authenticateAuthUserRequestUnlock(err->auth_user_request); err->auth_user_request = NULL; cbdataFree(err); }
static void authenticateAuthUserRequestUnlinkIp(const struct in_addr ipaddr) { auth_user_request_ip_hash_t *hash_entry; if (!auth_user_request_ip_hash) return; hash_entry = hash_lookup(auth_user_request_ip_hash, &ipaddr); if (hash_entry) { hash_remove_link(auth_user_request_ip_hash, &hash_entry->hash); authenticateAuthUserRequestUnlock(hash_entry->auth_user_request); memPoolFree(auth_user_request_ip_pool, hash_entry); } }
void requestDestroy(request_t * req) { assert(req); if (req->body_connection) clientAbortBody(req); if (req->auth_user_request) authenticateAuthUserRequestUnlock(req->auth_user_request); safe_free(req->canonical); safe_free(req->vary_headers); stringClean(&req->urlpath); httpHeaderClean(&req->header); if (req->cache_control) httpHdrCcDestroy(req->cache_control); if (req->range) httpHdrRangeDestroy(req->range); memFree(req, MEM_REQUEST_T); }
/* clear any connection related authentication details */ static void authenticateNegotiateOnCloseConnection(ConnStateData * conn) { negotiate_request_t *negotiate_request; assert(conn != NULL); if (conn->auth_user_request != NULL) { assert(conn->auth_user_request->scheme_data != NULL); negotiate_request = conn->auth_user_request->scheme_data; assert(negotiate_request->conn == conn); if (negotiate_request->authserver != NULL) authenticateNegotiateReleaseServer(negotiate_request); /* unlock the connection based lock */ debug(29, 9) ("authenticateNegotiateOnCloseConnection: Unlocking auth_user from the connection.\n"); /* minor abstraction break here: FIXME */ /* Ensure that the auth user request will be getting closed */ /* IFF we start persisting the struct after the conn closes - say for logging * then this test may become invalid */ assert(conn->auth_user_request->references == 1); authenticateAuthUserRequestUnlock(conn->auth_user_request); conn->auth_user_request = NULL; } }
/* returns one of * AUTH_ACL_CHALLENGE, * AUTH_ACL_HELPER, * AUTH_ACL_CANNOT_AUTHENTICATE, * AUTH_AUTHENTICATED * * How to use: In your proxy-auth dependent acl code, use the following * construct: * int rv; * if ((rv = AuthenticateAuthenticate()) != AUTH_AUTHENTICATED) * return rv; * * when this code is reached, the request/connection is authenticated. * * if you have non-acl code, but want to force authentication, you need a * callback mechanism like the acl testing routines that will send a 40[1|7] to * the client when rv==AUTH_ACL_CHALLENGE, and will communicate with * the authenticateStart routine for rv==AUTH_ACL_HELPER */ auth_acl_t authenticateAuthenticate(auth_user_request_t ** auth_user_request, http_hdr_type headertype, request_t * request, ConnStateData * conn, struct in_addr src_addr) { const char *proxy_auth; assert(headertype != 0); proxy_auth = httpHeaderGetStr(&request->header, headertype); /* * a note on proxy_auth logix here: * proxy_auth==NULL -> unauthenticated request || already * authenticated connection so we test for an authenticated * connection when we recieve no authentication header. */ if (((proxy_auth == NULL) && (!authenticateUserAuthenticated(authTryGetUser(auth_user_request, conn, request)))) || (conn && conn->auth_type == AUTH_BROKEN)) { /* no header or authentication failed/got corrupted - restart */ if (conn) conn->auth_type = AUTH_UNKNOWN; debug(28, 4) ("authenticateAuthenticate: broken auth or no proxy_auth header. Requesting auth header.\n"); /* something wrong with the AUTH credentials. Force a new attempt */ if (conn && conn->auth_user_request) { authenticateAuthUserRequestUnlock(conn->auth_user_request); conn->auth_user_request = NULL; } if (*auth_user_request) { /* unlock the ACL lock */ authenticateAuthUserRequestUnlock(*auth_user_request); *auth_user_request = NULL; } return AUTH_ACL_CHALLENGE; } #if 0 /* * Is this an already authenticated connection with a new auth header? * No check for function required in the if: its compulsory for conn based * auth modules */ if (proxy_auth && conn && conn->auth_user_request && authenticateUserAuthenticated(conn->auth_user_request) && strcmp(proxy_auth, authscheme_list[conn->auth_user_request->auth_user->auth_module - 1].authConnLastHeader(conn->auth_user_request))) { debug(28, 2) ("authenticateAuthenticate: DUPLICATE AUTH - authentication header on already authenticated connection!. AU %p, Current user '%s' proxy_auth %s\n", conn->auth_user_request, authenticateUserRequestUsername(conn->auth_user_request), proxy_auth); /* remove this request struct - the link is already authed and it can't be to * reauth. */ /* This should _only_ ever occur on the first pass through * authenticateAuthenticate */ assert(*auth_user_request == NULL); /* unlock the conn lock on the auth_user_request */ authenticateAuthUserRequestUnlock(conn->auth_user_request); /* mark the conn as non-authed. */ conn->auth_user_request = NULL; /* Set the connection auth type */ conn->auth_type = AUTH_UNKNOWN; } #endif /* we have a proxy auth header and as far as we know this connection has * not had bungled connection oriented authentication happen on it. */ debug(28, 9) ("authenticateAuthenticate: header %s.\n", proxy_auth ? proxy_auth : NULL); if (*auth_user_request == NULL) { debug(28, 9) ("authenticateAuthenticate: This is a new checklist test on FD:%d\n", conn ? conn->fd : -1); if ((!request->auth_user_request) && (!conn || conn->auth_type == AUTH_UNKNOWN)) { /* beginning of a new request check */ debug(28, 4) ("authenticateAuthenticate: no connection authentication type\n"); if (!authenticateValidateUser(*auth_user_request = authenticateGetAuthUser(proxy_auth))) { /* the decode might have left a username for logging, or a message to * the user */ if (authenticateUserRequestUsername(*auth_user_request)) { /* lock the user for the request structure link */ authenticateAuthUserRequestLock(*auth_user_request); request->auth_user_request = *auth_user_request; } /* unlock the ACL reference granted by ...GetAuthUser. */ authenticateAuthUserRequestUnlock(*auth_user_request); *auth_user_request = NULL; return AUTH_ACL_CHALLENGE; } /* the user_request comes prelocked for the caller to GetAuthUser (us) */ } else if (request->auth_user_request) { *auth_user_request = request->auth_user_request; /* lock the user request for this ACL processing */ authenticateAuthUserRequestLock(*auth_user_request); } else { assert(conn); if (conn->auth_user_request != NULL) { *auth_user_request = conn->auth_user_request; /* lock the user request for this ACL processing */ authenticateAuthUserRequestLock(*auth_user_request); } else { /* failed connection based authentication */ debug(28, 4) ("authenticateAuthenticate: Auth user request %p conn-auth user request %p conn type %d authentication failed.\n", *auth_user_request, conn->auth_user_request, conn->auth_type); authenticateAuthUserRequestUnlock(*auth_user_request); *auth_user_request = NULL; return AUTH_ACL_CHALLENGE; } } } if (!authenticateUserAuthenticated(*auth_user_request)) { /* User not logged in. Log them in */ authenticateAuthenticateUser(*auth_user_request, request, conn, headertype); switch (authenticateDirection(*auth_user_request)) { case 1: if (!request->auth_user_request) { /* lock the user for the request structure link */ authenticateAuthUserRequestLock(*auth_user_request); request->auth_user_request = *auth_user_request; } /* fallthrough to -2 */ case -2: /* this ACL check is finished. Unlock. */ authenticateAuthUserRequestUnlock(*auth_user_request); *auth_user_request = NULL; return AUTH_ACL_CHALLENGE; case -1: /* we are partway through authentication within squid, * the *auth_user_request variables stores the auth_user_request * for the callback to here - Do not Unlock */ return AUTH_ACL_HELPER; } /* on 0 the authentication is finished - fallthrough */ /* See if user authentication failed for some reason */ if (!authenticateUserAuthenticated(*auth_user_request)) { if ((authenticateUserRequestUsername(*auth_user_request))) { if (!request->auth_user_request) { /* lock the user for the request structure link */ authenticateAuthUserRequestLock(*auth_user_request); request->auth_user_request = *auth_user_request; } } /* this ACL check is finished. Unlock. */ authenticateAuthUserRequestUnlock(*auth_user_request); *auth_user_request = NULL; return AUTH_ACL_CHALLENGE; } } /* copy username to request for logging on client-side */ /* the credentials are correct at this point */ if (!request->auth_user_request) { /* lock the user for the request structure link */ authenticateAuthUserRequestLock(*auth_user_request); request->auth_user_request = *auth_user_request; authenticateAuthUserRequestSetIp(*auth_user_request, src_addr); } /* Unlock the request - we've authenticated it */ authenticateAuthUserRequestUnlock(*auth_user_request); *auth_user_request = NULL; return AUTH_AUTHENTICATED; }