From 1e4b04da8d478b179643545d05edb03f72453517 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Fri, 31 Jan 2025 23:40:27 +1300
Subject: [PATCH 1/2] Add named type for Authentication TTL
---
src/auth/User.cc | 2 +-
src/auth/User.h | 11 ++++++++---
src/auth/basic/User.cc | 8 ++++----
src/auth/basic/User.h | 2 +-
src/auth/digest/User.cc | 11 +++++------
src/auth/digest/User.h | 2 +-
src/auth/forward.h | 2 ++
src/auth/negotiate/User.cc | 6 ------
src/auth/negotiate/User.h | 1 -
src/auth/ntlm/User.cc | 6 ------
src/auth/ntlm/User.h | 1 -
11 files changed, 22 insertions(+), 30 deletions(-)
diff --git a/src/auth/User.cc b/src/auth/User.cc
index ccbb6acaaeb..e6f556d4ae0 100644
--- a/src/auth/User.cc
+++ b/src/auth/User.cc
@@ -256,7 +256,7 @@ Auth::User::CredentialsCacheStats(StoreEntry *output)
Auth::Type_str[auth_user->auth_type],
CredentialState_str[auth_user->credentials()],
auth_user->ttl(),
- static_cast(auth_user->expiretime - squid_curtime + Auth::TheConfig.credentialsTtl),
+ static_cast(auth_user->expiretime - squid_curtime + Auth::TheConfig.credentialsTtl),
auth_user->username(),
SQUIDSBUFPRINT(auth_user->userKey())
);
diff --git a/src/auth/User.h b/src/auth/User.h
index 46d402770eb..74585fb1dd0 100644
--- a/src/auth/User.h
+++ b/src/auth/User.h
@@ -66,10 +66,15 @@ class User : public RefCountable
const SBuf userKey() const {return userKey_;}

/**
- * How long these credentials are still valid for.
- * Negative numbers means already expired.
+ * Credentials are not permitted to be re-used from a
+ * credentials cache unless the authentication scheme
+ * defines a way to determin a TTL with which to bound
+ * the scope of their valid re-use.
+ *
+ * \returns How long these credentials are still valid for.
+ * Negative numbers means already expired.
*/
- virtual int32_t ttl() const = 0;
+ virtual Ttl ttl() const { return -1; }

/* Manage list of IPs using this username */
void clearIp();
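Review bot: The new default body of `ttl()` makes `Auth::User` decide cache policy for every scheme that does not override it, yet the rewritten comment never says that the base implementation itself returns the "already expired" value; a reader cannot tell whether `{ return -1; }` is a deliberate never-reuse default or an unfinished stub. Add a line after the `\returns` paragraph such as `* The base implementation reports credentials as never re-usable; a scheme must override this to enable caching.` The overrides in basic/User.cc and digest/User.cc also yield negative values for a genuinely expired entry, so callers such as CredentialsCacheStats now see one value for two different causes, which is fine for the cache but worth stating in the same comment. The class body continues outside the hunk.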
diff --git a/src/auth/basic/User.cc b/src/auth/basic/User.cc
index 8b45a9b5817..cb481566d8b 100644
--- a/src/auth/basic/User.cc
+++ b/src/auth/basic/User.cc
@@ -25,14 +25,14 @@ Auth::Basic::User::~User()
safe_free(passwd);
}

-int32_t
+Auth::Ttl
Auth::Basic::User::ttl() const
{
if (credentials() != Auth::Ok && credentials() != Auth::Pending)
- return -1; // TTL is obsolete NOW.
+ return Auth::User::ttl(); // TTL is obsolete NOW.

- int32_t basic_ttl = expiretime - squid_curtime + static_cast(config)->credentialsTTL;
- int32_t global_ttl = static_cast(expiretime - squid_curtime + Auth::TheConfig.credentialsTtl);
+ const Ttl basic_ttl = expiretime - squid_curtime + static_cast(config)->credentialsTTL;
+ const auto global_ttl = static_cast(expiretime - squid_curtime + Auth::TheConfig.credentialsTtl);

return min(basic_ttl, global_ttl);
}
diff --git a/src/auth/basic/User.h b/src/auth/basic/User.h
index d2411004459..e69f02fcba9 100644
--- a/src/auth/basic/User.h
+++ b/src/auth/basic/User.h
@@ -36,9 +36,9 @@ class User : public Auth::User
/** Update the cached password for a username. */
void updateCached(User *from);

- int32_t ttl() const override;

/* Auth::User API */
+ Ttl ttl() const override;
static CbcPointer Cache();
void addToNameCache() override;
diff --git a/src/auth/digest/User.cc b/src/auth/digest/User.cc
index c12c171bd28..bdf7c5490d5 100644
--- a/src/auth/digest/User.cc
+++ b/src/auth/digest/User.cc
@@ -36,13 +36,11 @@ Auth::Digest::User::~User()
}
}

-int32_t
+Auth::Ttl
Auth::Digest::User::ttl() const
{
- int32_t global_ttl = static_cast(expiretime - squid_curtime + Auth::TheConfig.credentialsTtl);

- /* find the longest lasting nonce. */
- int32_t latest_nonce = -1;
+ Ttl latest_nonce = -1;
dlink_node *link = nonces.head;
while (link) {
digest_nonce_h *nonce = static_cast(link->data);
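Review bot: `const Ttl basic_ttl = expiretime - squid_curtime + static_cast<…>(config)->credentialsTTL;` narrows the sum into the 32-bit `Ttl` implicitly, while the `global_ttl` line directly below narrows the same kind of expression explicitly with `static_cast`; the two lines should use one form so the truncation is visible on both and `-Wconversion` stays quiet. Presumably the arithmetic is done in `time_t`, given the explicit cast on the neighbouring line, so wrapping the whole right-hand side as `const auto basic_ttl = static_cast<Ttl>(…);` would match it. The `nonce_ttl` line in the second digest/User.cc hunk has the same implicit narrowing and should get the same treatment.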
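Review bot: The line `/* find the longest lasting nonce. */` is deleted while the loop it documents stays, so the `while (link)` scan over `nonces` loses its only purpose comment; keep it directly above `Ttl latest_nonce = -1;`. Separately, `latest_nonce` is declared with the new `Ttl` alias although it holds a nonce timestamp (the next hunk subtracts it from `current_time.tv_sec` to derive `nonce_ttl`), so the alias now labels a point in time as a remaining-seconds value; declaring it with the type the loop body assigns from (that body lies outside the hunk) would read more honestly. Since `Ttl` is a plain alias for `int32_t`, the compiler will not flag such mixes, which is one more reason to keep the naming strict.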
@@ -52,9 +50,10 @@ Auth::Digest::User::ttl() const
link = link->next;
}
if (latest_nonce == -1)
- return min(-1, global_ttl);
+ return Auth::User::ttl();

- int32_t nonce_ttl = latest_nonce - current_time.tv_sec + static_cast(Auth::SchemeConfig::Find("digest"))->noncemaxduration;
+ const auto global_ttl = static_cast(expiretime - squid_curtime + Auth::TheConfig.credentialsTtl);
+ const Ttl nonce_ttl = latest_nonce - current_time.tv_sec + static_cast(Auth::SchemeConfig::Find("digest"))->noncemaxduration;

return min(nonce_ttl, global_ttl);
}
diff --git a/src/auth/digest/User.h b/src/auth/digest/User.h
index 206c2afa6f5..ab2300653e0 100644
--- a/src/auth/digest/User.h
+++ b/src/auth/digest/User.h
@@ -28,9 +28,9 @@ class User : public Auth::User
public:
User(Auth::SchemeConfig *, const char *requestRealm);
~User() override;
- int32_t ttl() const override;

/* Auth::User API */
+ Ttl ttl() const override;
static CbcPointer Cache();
void addToNameCache() override;
diff --git a/src/auth/forward.h b/src/auth/forward.h
index bc4dfc2c355..8cd055a1b6b 100644
--- a/src/auth/forward.h
+++ b/src/auth/forward.h
@@ -25,6 +25,8 @@ typedef std::vector ConfigVector;

class UserRequest;

+using Ttl = int32_t;
+
} // namespace Auth

#endif /* USE_AUTH */
diff --git a/src/auth/negotiate/User.cc b/src/auth/negotiate/User.cc
index 294569c22b6..cd06322f8ac 100644
--- a/src/auth/negotiate/User.cc
+++ b/src/auth/negotiate/User.cc
@@ -22,12 +22,6 @@ Auth::Negotiate::User::~User()
debugs(29, 5, "doing nothing to clear Negotiate scheme data for '" << this << "'");
}

-int32_t
-Auth::Negotiate::User::ttl() const
-{
- return -1; // Negotiate cannot be cached.
-}
-
CbcPointer
Auth::Negotiate::User::Cache()
{
diff --git a/src/auth/negotiate/User.h b/src/auth/negotiate/User.h
index 283e5158297..083671a7c77 100644
--- a/src/auth/negotiate/User.h
+++ b/src/auth/negotiate/User.h
@@ -29,7 +29,6 @@ class User : public Auth::User
public:
User(Auth::SchemeConfig *, const char *requestRealm);
~User() override;
- int32_t ttl() const override;

/* Auth::User API */
static CbcPointer Cache();
diff --git a/src/auth/ntlm/User.cc b/src/auth/ntlm/User.cc
index c93903983ac..44592ddb590 100644
--- a/src/auth/ntlm/User.cc
+++ b/src/auth/ntlm/User.cc
@@ -22,12 +22,6 @@ Auth::Ntlm::User::~User()
debugs(29, 5, "doing nothing to clear NTLM scheme data for '" << this << "'");
}

-int32_t
-Auth::Ntlm::User::ttl() const
-{
- return -1; // NTLM credentials cannot be cached.
-}
-
CbcPointer
Auth::Ntlm::User::Cache()
{
diff --git a/src/auth/ntlm/User.h b/src/auth/ntlm/User.h
index e0e75873995..47dd20cb392 100644
--- a/src/auth/ntlm/User.h
+++ b/src/auth/ntlm/User.h
@@ -27,7 +27,6 @@ class User : public Auth::User
public:
User(Auth::SchemeConfig *, const char *requestRealm);
~User() override;
- int32_t ttl() const override;

/* Auth::User API */
static CbcPointer Cache();
From 9d74f827965b3cf1f12586290981571262442b97 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Sat, 1 Feb 2025 10:10:38 +1300
Subject: [PATCH 2/2] Spelling fix
---
src/auth/User.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/auth/User.h b/src/auth/User.h
index 74585fb1dd0..1e6fdb3a6ff 100644
--- a/src/auth/User.h
+++ b/src/auth/User.h
@@ -68,7 +68,7 @@ class User : public RefCountable
/**
* Credentials are not permitted to be re-used from a
* credentials cache unless the authentication scheme
- * defines a way to determin a TTL with which to bound
+ * defines a way to determine a TTL with which to bound
* the scope of their valid re-use.
*
* \returns How long these credentials are still valid for.