Revision: 14777
Author: adrian.chadd
Date: Thu Sep 2 18:24:55 2010
Log: Migrate the auth code to use IPv6 internally.
* I don't like how I've abused the hash key stuff here - just migrate all
of this
to use a radix tree (or two, like clientdb, which I rather dislike..)
* add a cachemgr function to dump the current state of auth user/ip entries
http://code.google.com/p/lusca-cache/source/detail?r=14777
Modified:
/playpen/LUSCA_HEAD_ipv6/src/acl.c
/playpen/LUSCA_HEAD_ipv6/src/auth/digest/auth_digest.c
/playpen/LUSCA_HEAD_ipv6/src/authenticate.c
/playpen/LUSCA_HEAD_ipv6/src/protos.h
/playpen/LUSCA_HEAD_ipv6/src/structs.h
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/acl.c Sun Jul 11 02:47:00 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/acl.c Thu Sep 2 18:24:55 2010
@@ -1607,12 +1607,16 @@
/* this is a match */
if (acldata->flags.strict) {
+ sqaddr_t a;
/*
* simply deny access - the user name is already associated with
* the request
*/
/* remove _this_ ip, as it is the culprit for going over the limit */
- authenticateAuthUserRequestRemoveIp(auth_user_request, src_addr);
+ sqinet_init(&a);
+ sqinet_set_v4_inaddr(&a, &src_addr);
+ authenticateAuthUserRequestRemoveIp(auth_user_request, &a);
+ sqinet_done(&a);
debug(28, 4) ("aclMatchUserMaxIP: Denying access in strict mode\n");
} else {
/*
@@ -1755,6 +1759,9 @@
{
request_t *r = checklist->request;
http_hdr_type headertype;
+ sqaddr_t a;
+ int rv;
+
if (NULL == r) {
return -1;
} else if (r->flags.accelerated) {
@@ -1769,7 +1776,11 @@
}
/* get authed here */
/* Note: this fills in checklist->auth_user_request when applicable
(auth incomplete) */
- switch
(authenticateTryToAuthenticateAndSetAuthUser(&checklist->auth_user_request,
headertype, checklist->request, checklist->conn, checklist->src_addr)) {
+ sqinet_init(&a);
+ sqinet_copy_v4_inaddr(&a, &checklist->src_addr, SQADDR_NONE);
+ rv =
authenticateTryToAuthenticateAndSetAuthUser(&checklist->auth_user_request,
headertype, checklist->request, checklist->conn, &a);
+ sqinet_done(&a);
+ switch (rv) {
case AUTH_ACL_CANNOT_AUTHENTICATE:
debug(28, 4) ("aclAuthenticated: returning 0 user authenticated but not
authorised.\n");
return 0;
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/auth/digest/auth_digest.c Sat Jan 17
12:21:38 2009
+++ /playpen/LUSCA_HEAD_ipv6/src/auth/digest/auth_digest.c Thu Sep 2
18:24:55 2010
@@ -727,16 +727,24 @@
return;
} else {
const char *useragent = httpHeaderGetStr(&request->header,
HDR_USER_AGENT);
- static struct in_addr last_broken_addr;
+ static sqaddr_t last_broken_addr;
static int seen_broken_client = 0;
+ struct in_addr lb;
if (!seen_broken_client) {
- last_broken_addr = no_addr;
+ sqinet_init(&last_broken_addr);
+ sqinet_set_family(&last_broken_addr, AF_INET);
+ sqinet_set_noaddr(&last_broken_addr);
seen_broken_client = 1;
}
- if (memcmp(&last_broken_addr, &request->client_addr,
sizeof(last_broken_addr)) != 0) {
- debug(29, 1) ("\nDigest POST bug detected from %s using '%s'. Please
upgrade browser. See Bug #630 for details.\n",
inet_ntoa(request->client_addr), useragent ? useragent : "-");
- last_broken_addr = request->client_addr;
+
+ lb = sqinet_get_v4_inaddr(&last_broken_addr,
SQADDR_ASSERT_IS_V4);
+ if (memcmp(&lb, &request->client_addr, sizeof(struct in_addr))
== 0) {
+ char cbuf[MAX_IPSTRLEN];
+ (void) sqinet_ntoa(&last_broken_addr, cbuf, MAX_IPSTRLEN,
SQADDR_NONE);
+ debug(29, 1) ("\nDigest POST bug detected from %s using '%s'. Please
upgrade browser. See Bug #630 for details.\n",
+ cbuf, useragent ? useragent : "-");
+ sqinet_set_v4_inaddr(&last_broken_addr,
&request->client_addr);
}
}
} else {
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/authenticate.c Sat Dec 27 20:27:33 2008
+++ /playpen/LUSCA_HEAD_ipv6/src/authenticate.c Thu Sep 2 18:24:55 2010
@@ -43,8 +43,8 @@
CBDATA_TYPE(auth_user_ip_t);
static void authenticateDecodeAuth(const char *proxy_auth,
auth_user_request_t * auth_user_request);
-static auth_acl_t authenticateAuthenticate(auth_user_request_t **
auth_user_request, http_hdr_type headertype, request_t * request,
ConnStateData * conn, struct in_addr src_addr);
-static void authenticateAuthUserRequestUnlinkIp(const struct in_addr
ipaddr);
+static auth_acl_t authenticateAuthenticate(auth_user_request_t **
auth_user_request, http_hdr_type headertype, request_t * request,
ConnStateData * conn, sqaddr_t *src_addr);
+static void authenticateAuthUserRequestUnlinkIp(const sqaddr_t *ip);
static MemPool * pool_mem_auth_user;
static MemPool * pool_mem_auth_user_hash;
@@ -256,7 +256,7 @@
{
/* remove the node */
dlinkDelete(&ipdata->node, &auth_user->ip_list);
- authenticateAuthUserRequestUnlinkIp(ipdata->ipaddr);
+ authenticateAuthUserRequestUnlinkIp(&ipdata->ipaddr);
cbdataFree(ipdata);
/* catch incipient underflow */
assert(auth_user->ipcount);
@@ -265,48 +265,32 @@
typedef struct {
hash_link hash; /* must be first */
- struct in_addr ipaddr;
+ sqaddr_t ipaddr;
auth_user_request_t *auth_user_request;
time_t last_seen;
} auth_user_request_ip_hash_t;
MemPool *auth_user_request_ip_pool = NULL;
hash_table *auth_user_request_ip_hash = NULL;
-
-static unsigned int
-hash_in_addr(const void *a, unsigned int size)
-{
- const struct in_addr *ipaddr = a;
- const uint32_t ip = ntohl(ipaddr->s_addr);
- return ip % size;
-}
-
-static int
-cmp_in_addr(const struct in_addr *a, const struct in_addr *b)
-{
- const uint32_t ipa = ntohl(a->s_addr);
- const uint32_t ipb = ntohl(b->s_addr);
-
- return memcmp(&ipa, &ipb, 4);
-}
static void
-authenticateAuthUserRequestUnlinkIp(const struct in_addr ipaddr)
+authenticateAuthUserRequestUnlinkIp(const sqaddr_t *ipaddr)
{
auth_user_request_ip_hash_t *hash_entry;
if (!auth_user_request_ip_hash)
return;
- hash_entry = hash_lookup(auth_user_request_ip_hash, &ipaddr);
+ hash_entry = hash_lookup(auth_user_request_ip_hash, ipaddr);
if (hash_entry) {
hash_remove_link(auth_user_request_ip_hash, &hash_entry->hash);
authenticateAuthUserRequestUnlock(hash_entry->auth_user_request);
+ sqinet_done(&hash_entry->ipaddr);
memPoolFree(auth_user_request_ip_pool, hash_entry);
}
}
static void
-authenticateAuthUserRequestLinkIp(auth_user_request_t * auth_user_request,
const struct in_addr ipaddr, request_t * request)
+authenticateAuthUserRequestLinkIp(auth_user_request_t * auth_user_request,
sqaddr_t *ipaddr, request_t * request)
{
auth_user_request_ip_hash_t *hash_entry;
@@ -317,13 +301,14 @@
return;
if (!auth_user_request_ip_hash) {
- auth_user_request_ip_hash = hash_create((HASHCMP *) cmp_in_addr, 7921,
hash_in_addr);
+ auth_user_request_ip_hash = hash_create((HASHCMP *) sqinet_host_compare,
7921, (HASHHASH *) sqinet_hash_host_key);
auth_user_request_ip_pool = memPoolCreate("auth_user_request_ip_hash_t",
sizeof(auth_user_request_ip_hash_t));
}
authenticateAuthUserRequestUnlinkIp(ipaddr);
hash_entry = memPoolAlloc(auth_user_request_ip_pool);
- hash_entry->ipaddr = ipaddr;
+ sqinet_init(&hash_entry->ipaddr);
+ sqinet_copy(&hash_entry->ipaddr, ipaddr);
hash_entry->hash.key = &hash_entry->ipaddr;
hash_entry->auth_user_request = auth_user_request;
authenticateAuthUserRequestLock(hash_entry->auth_user_request);
@@ -332,7 +317,7 @@
}
static auth_user_request_t *
-authenticateAuthUserRequestFindByIp(const struct in_addr ipaddr)
+authenticateAuthUserRequestFindByIp(const sqaddr_t *ipaddr)
{
time_t delta = Config.authenticateIpShortcircuitTTL;
auth_user_request_ip_hash_t *hash_entry;
@@ -341,7 +326,7 @@
if (!auth_user_request_ip_hash)
return NULL;
- hash_entry = hash_lookup(auth_user_request_ip_hash, &ipaddr);
+ hash_entry = hash_lookup(auth_user_request_ip_hash, ipaddr);
if (!hash_entry)
return NULL;
@@ -354,12 +339,13 @@
}
static void
-authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request,
struct in_addr ipaddr, request_t * request)
+authenticateAuthUserRequestSetIp(auth_user_request_t * auth_user_request,
sqaddr_t *ipaddr, request_t * request)
{
auth_user_ip_t *ipdata, *next;
auth_user_t *auth_user;
- char *ip1;
+ LOCAL_ARRAY(char, ipl, MAX_IPSTRLEN);
int found = 0;
+
CBDATA_INIT_TYPE(auth_user_ip_t);
if (!auth_user_request->auth_user)
return;
@@ -373,7 +359,7 @@
while ((ipdata = next) != NULL) {
next = (auth_user_ip_t *) ipdata->node.next;
/* walk the ip list */
- if (ipdata->ipaddr.s_addr == ipaddr.s_addr) {
+ if (sqinet_host_compare(ipaddr, &ipdata->ipaddr) == 0) {
/* This ip has already been seen. */
found = 1;
/* update IP ttl */
@@ -392,17 +378,17 @@
/* This ip is not in the seen list */
ipdata = cbdataAlloc(auth_user_ip_t);
ipdata->ip_expiretime = squid_curtime;
- ipdata->ipaddr = ipaddr;
+ sqinet_init(&ipdata->ipaddr);
+ sqinet_copy(&ipdata->ipaddr, ipaddr);
dlinkAddTail(ipdata, &ipdata->node, &auth_user->ip_list);
auth_user->ipcount++;
- ip1 = xstrdup(inet_ntoa(ipaddr));
- debug(29, 2) ("authenticateAuthUserRequestSetIp: user '%s' has been
seen at a new IP address (%s)\n", authenticateUserUsername(auth_user), ip1);
- safe_free(ip1);
+ (void) sqinet_ntoa(ipaddr, ipl, MAX_IPSTRLEN, SQADDR_NONE);
+ debug(29, 2) ("authenticateAuthUserRequestSetIp: user '%s' has been
seen at a new IP address (%s)\n", authenticateUserUsername(auth_user), ipl);
}
void
-authenticateAuthUserRequestRemoveIp(auth_user_request_t *
auth_user_request, struct in_addr ipaddr)
+authenticateAuthUserRequestRemoveIp(auth_user_request_t *
auth_user_request, sqaddr_t *ipaddr)
{
auth_user_ip_t *ipdata;
auth_user_t *auth_user;
@@ -412,7 +398,7 @@
ipdata = (auth_user_ip_t *) auth_user->ip_list.head;
while (ipdata) {
/* walk the ip list */
- if (ipdata->ipaddr.s_addr == ipaddr.s_addr) {
+ if (sqinet_host_compare(ipaddr, &ipdata->ipaddr) == 0) {
authenticateAuthUserRemoveIpEntry(auth_user, ipdata);
return;
}
@@ -508,7 +494,11 @@
else if (conn && conn->auth_user_request)
return conn->auth_user_request;
else {
- request->auth_user_request =
authenticateAuthUserRequestFindByIp(request->client_addr);
+ sqaddr_t a;
+ sqinet_init(&a);
+ sqinet_set_v4_inaddr(&a, &request->client_addr);
+ request->auth_user_request = authenticateAuthUserRequestFindByIp(&a);
+ sqinet_done(&a);
if (request->auth_user_request)
authenticateAuthUserRequestLock(request->auth_user_request);
return request->auth_user_request;
@@ -535,10 +525,11 @@
* the authenticateStart routine for rv==AUTH_ACL_HELPER
*/
auth_acl_t
-authenticateAuthenticate(auth_user_request_t ** auth_user_request,
http_hdr_type headertype, request_t * request, ConnStateData * conn, struct
in_addr src_addr)
+authenticateAuthenticate(auth_user_request_t ** auth_user_request,
http_hdr_type headertype, request_t * request, ConnStateData * conn,
sqaddr_t *src_addr)
{
const char *proxy_auth;
assert(headertype != 0);
+ LOCAL_ARRAY(char, cbuf, MAX_IPSTRLEN);
proxy_auth = httpHeaderGetStr(&request->header, headertype);
@@ -601,8 +592,9 @@
if (proxy_auth && !request->auth_user_request && conn &&
conn->auth_user_request) {
int id = authenticateAuthSchemeId(proxy_auth) + 1;
if (!conn->auth_user_request->auth_user ||
conn->auth_user_request->auth_user->auth_module != id) {
+ (void) sqinet_ntoa(src_addr, cbuf, MAX_IPSTRLEN, SQADDR_NONE);
debug(29, 1) ("authenticateAuthenticate: Unexpected change of
authentication scheme from '%s' to '%s' (client %s)\n",
- authscheme_list[conn->auth_user_request->auth_user->auth_module -
1].typestr, proxy_auth, inet_ntoa(src_addr));
+ authscheme_list[conn->auth_user_request->auth_user->auth_module -
1].typestr, proxy_auth, cbuf);
authenticateAuthUserRequestUnlock(conn->auth_user_request);
conn->auth_user_request = NULL;
conn->auth_type = AUTH_UNKNOWN;
@@ -703,7 +695,7 @@
}
auth_acl_t
-authenticateTryToAuthenticateAndSetAuthUser(auth_user_request_t **
auth_user_request, http_hdr_type headertype, request_t * request,
ConnStateData * conn, struct in_addr src_addr)
+authenticateTryToAuthenticateAndSetAuthUser(auth_user_request_t **
auth_user_request, http_hdr_type headertype, request_t * request,
ConnStateData * conn, sqaddr_t *src_addr)
{
/* If we have already been called, return the cached value */
auth_user_request_t *t = authTryGetUser(auth_user_request, conn,
request);
@@ -817,6 +809,27 @@
pool_mem_auth_user = memPoolCreate("auth_user_t", sizeof(auth_user_t));
pool_mem_auth_user_hash = memPoolCreate("auth_user_hash_pointer",
sizeof(auth_user_hash_pointer));
}
+
+static void
+authenticateUserNameCachePrint(StoreEntry *e)
+{
+ auth_user_hash_pointer *u;
+ auth_user_ip_t *i;
+ dlink_node *n;
+ LOCAL_ARRAY(char, ibuf, MAX_IPSTRLEN);
+ hash_first(proxy_auth_username_cache);
+ while ((u = (auth_user_hash_pointer *)
hash_next(proxy_auth_username_cache))) {
+ storeAppendPrintf(e, "(type %d) (ref %d)\n",
u->auth_user->auth_module, u->auth_user->references);
+ n = u->auth_user->ip_list.head;
+ while (n) {
+ i = n->data;
+ sqinet_ntoa(&i->ipaddr, ibuf, sizeof(ibuf), SQADDR_NONE);
+ storeAppendPrintf(e, " IP %s; expires %d\n", ibuf, (int)
i->ip_expiretime);
+ n = n->next;
+ }
+ }
+ hash_last(proxy_auth_username_cache);
+}
void
authenticateInit(authConfig * config)
@@ -831,6 +844,8 @@
}
if (!proxy_auth_username_cache)
authenticateInitUserCache();
+
+ cachemgrRegister("auth", "Authentication",
authenticateUserNameCachePrint, 0, 1);
}
void
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/protos.h Sun Jul 11 16:49:18 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/protos.h Thu Sep 2 18:24:55 2010
@@ -467,14 +467,14 @@
extern void authenticateShutdown(void);
extern void authenticateFixHeader(HttpReply *, auth_user_request_t *,
request_t *, int, int);
extern void authenticateAddTrailer(HttpReply *, auth_user_request_t *,
request_t *, int);
-extern auth_acl_t
authenticateTryToAuthenticateAndSetAuthUser(auth_user_request_t **,
http_hdr_type, request_t *, ConnStateData *, struct in_addr);
+extern auth_acl_t
authenticateTryToAuthenticateAndSetAuthUser(auth_user_request_t **,
http_hdr_type, request_t *, ConnStateData *, sqaddr_t *);
extern void authenticateAuthUserUnlock(auth_user_t * auth_user);
extern void authenticateAuthUserLock(auth_user_t * auth_user);
extern void authenticateAuthUserRequestUnlock(auth_user_request_t *);
extern void authenticateAuthUserRequestLock(auth_user_request_t *);
extern char *authenticateAuthUserRequestMessage(auth_user_request_t *);
extern int authenticateAuthUserInuse(auth_user_t * auth_user);
-extern void authenticateAuthUserRequestRemoveIp(auth_user_request_t *,
struct in_addr);
+extern void authenticateAuthUserRequestRemoveIp(auth_user_request_t *,
sqaddr_t *);
extern void authenticateAuthUserRequestClearIp(auth_user_request_t *);
extern int authenticateAuthUserRequestIPCount(auth_user_request_t *);
extern int authenticateDirection(auth_user_request_t *);
=======================================
--- /playpen/LUSCA_HEAD_ipv6/src/structs.h Tue Aug 31 18:24:09 2010
+++ /playpen/LUSCA_HEAD_ipv6/src/structs.h Thu Sep 2 18:24:55 2010
@@ -105,7 +105,7 @@
struct _auth_user_ip_t {
dlink_node node;
/* IP addr this user authenticated from */
- struct in_addr ipaddr;
+ sqaddr_t ipaddr;
time_t ip_expiretime;
};
--
You received this message because you are subscribed to the Google Groups
"lusca-commit" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/lusca-commit?hl=en.
