Name type used for Authentication TTL #1990
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -66,10 +66,15 @@ class User : public RefCountable | |
| const SBuf userKey() const {return userKey_;} | ||
|
|
||
| /** | ||
| * Credentials are not permitted to be re-used from a | ||
|
There was a problem hiding this comment. Can we say that credentials are not permitted to be cached "unless the scheme defines..."? In other words, caching code should not cache credentials for schemes that do not override this method. That would be a stronger rule/claim than the proposed "not permitted to be re-used". |
||
| * credentials cache unless the authentication scheme | ||
| * defines a way to determine a TTL with which to bound | ||
| * the scope of their valid re-use. | ||
|
There was a problem hiding this comment. Expired credentials reuse is also not permitted, right? Please add that critical information to the method description. Without that restriction, the method API does not really work because the method caller cannot distinguish "scheme did not define ..." cases from "credentials expired" cases. |
||
| * | ||
| * \returns How long these credentials are still valid for. | ||
| * Negative numbers means already expired. | ||
| */ | ||
| virtual Ttl ttl() const { return -1; } | ||
|
|
||
| /* Manage list of IPs using this username */ | ||
| void clearIp(); | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -25,14 +25,14 @@ Auth::Basic::User::~User() | |
| safe_free(passwd); | ||
| } | ||
|
|
||
| Auth::Ttl | ||
| Auth::Basic::User::ttl() const | ||
| { | ||
| if (credentials() != Auth::Ok && credentials() != Auth::Pending) | ||
| return Auth::User::ttl(); // TTL is obsolete NOW. | ||
|
There was a problem hiding this comment. Here and and in similar contexts, please either continue to return |
||
|
|
||
| const Ttl basic_ttl = expiretime - squid_curtime + static_cast<Auth::Basic::Config*>(config)->credentialsTTL; | ||
| const auto global_ttl = static_cast<Ttl>(expiretime - squid_curtime + Auth::TheConfig.credentialsTtl); | ||
|
|
||
| return min(basic_ttl, global_ttl); | ||
| } | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -36,9 +36,9 @@ class User : public Auth::User | |
|
|
||
| /** Update the cached password for a username. */ | ||
| void updateCached(User *from); | ||
|
|
||
| /* Auth::User API */ | ||
| Ttl ttl() const override; | ||
| static CbcPointer<Auth::CredentialsCache> Cache(); | ||
| void addToNameCache() override; | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -36,13 +36,11 @@ Auth::Digest::User::~User() | |
| } | ||
| } | ||
|
|
||
| Auth::Ttl | ||
| Auth::Digest::User::ttl() const | ||
| { | ||
| /* find the longest lasting nonce. */ | ||
| Ttl latest_nonce = -1; | ||
| dlink_node *link = nonces.head; | ||
| while (link) { | ||
| digest_nonce_h *nonce = static_cast<digest_nonce_h *>(link->data); | ||
|
|
@@ -52,9 +50,10 @@ Auth::Digest::User::ttl() const | |
| link = link->next; | ||
| } | ||
| if (latest_nonce == -1) | ||
| return Auth::User::ttl(); | ||
|
|
||
| const auto global_ttl = static_cast<Ttl>(expiretime - squid_curtime + Auth::TheConfig.credentialsTtl); | ||
| const Ttl nonce_ttl = latest_nonce - current_time.tv_sec + static_cast<Config*>(Auth::SchemeConfig::Find("digest"))->noncemaxduration; | ||
|
|
||
| return min(nonce_ttl, global_ttl); | ||
| } | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -28,9 +28,9 @@ class User : public Auth::User | |
| public: | ||
| User(Auth::SchemeConfig *, const char *requestRealm); | ||
| ~User() override; | ||
|
|
||
| /* Auth::User API */ | ||
| Ttl ttl() const override; | ||
| static CbcPointer<Auth::CredentialsCache> Cache(); | ||
| void addToNameCache() override; | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -25,6 +25,8 @@ typedef std::vector<Auth::SchemeConfig *> ConfigVector; | |
|
|
||
| class UserRequest; | ||
|
|
||
| using Ttl = int32_t; | ||
|
There was a problem hiding this comment. The new name is missing a description. The description must document what time unit this integer is using (e.g., seconds or time_t unit) and that negative values reflect "expired" entries. There was a problem hiding this comment. I am worried that the suggested name -- "Auth::Ttl" -- is too general because authentication code may need several different types for TTL. For example, There was a problem hiding this comment. The underlying type -- int32_t -- is wrong on several (probably obvious?) levels. However, I assume that this PR scope is limited to naming existing int32_t uses and excludes fixing the underlying type. Thus, I am not requesting those fixes in this PR. |
||
|
|
||
| } // namespace Auth | ||
|
|
||
| #endif /* USE_AUTH */ | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -22,12 +22,6 @@ Auth::Negotiate::User::~User() | |
| debugs(29, 5, "doing nothing to clear Negotiate scheme data for '" << this << "'"); | ||
| } | ||
|
|
||
| CbcPointer<Auth::CredentialsCache> | ||
| Auth::Negotiate::User::Cache() | ||
| { | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -29,7 +29,6 @@ class User : public Auth::User | |
| public: | ||
| User(Auth::SchemeConfig *, const char *requestRealm); | ||
| ~User() override; | ||
|
|
||
| /* Auth::User API */ | ||
| static CbcPointer<Auth::CredentialsCache> Cache(); | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -22,12 +22,6 @@ Auth::Ntlm::User::~User() | |
| debugs(29, 5, "doing nothing to clear NTLM scheme data for '" << this << "'"); | ||
| } | ||
|
|
||
| CbcPointer<Auth::CredentialsCache> | ||
| Auth::Ntlm::User::Cache() | ||
| { | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -27,7 +27,6 @@ class User : public Auth::User | |
| public: | ||
| User(Auth::SchemeConfig *, const char *requestRealm); | ||
| ~User() override; | ||
|
|
||
| /* Auth::User API */ | ||
| static CbcPointer<Auth::CredentialsCache> Cache(); | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This storeAppendPrintf() function call secretly assumes that ttl() returns something that can be "printed "using
%d. I recommend refactoring CredentialsCacheStats() internals to use std::ostream instead, preferably in a separate PR. If that is not done, let's at least add an XXX: