summaryrefslogtreecommitdiffstats
path: root/src/auth.h
blob: 6d8edeb93177845b2c0bfa3f7178515483142452 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
/*
    Copyright (C) 2005-2009  Michel de Boer <michel@twinklephone.com>

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
*/

/**
 * @file
 * SIP authentication
 */

#ifndef _AUTH_H
#define _AUTH_H

#include "parser/credentials.h"
#include "parser/request.h"
#include "sockets/url.h"
#include <list>

using namespace std;

/** Size of the credentials cache. */
#define AUTH_CACHE_SIZE	50

/** Credentials cache entry. */
class t_cr_cache_entry {
public:
	/**
	 * Destination for which credentials are cached.
	 * This is not used for the SIP authentication itself.
	 */
	t_url		to;
	
	/** The credentials. */
	t_credentials	credentials;
	
	/** Password. */
	string 		passwd;
	
	/** Indicates if proxy authentication was requested. */
	bool		proxy;

	/** Constructor. */
	t_cr_cache_entry(const t_url &_to, const t_credentials &_cr,
		const string &_passwd, bool _proxy);
};


/** An object of this class authorizes a request given some credentials. */
class t_auth {
private:
	/** Indicates if the current registration request is a re-REGISTER. */
	bool re_register;

	/**
	 * LRU cache credentials for a destination.
	 * The first entry in the list is the least recently used.
	 */
	list<t_cr_cache_entry>	cache;

	/**
	 * Find a cache entry that matches the realm.
	 * @param _to [in] Destination for which authentication is needed.
	 * @param realm [in] The authentication realm.
	 * @param proxy [in] Indicates if proxy authentication was requested.
	 * @return An iterator to the cached credentials if found.
	 * @return The end iterator if not found.
	 */
	list<t_cr_cache_entry>::iterator find_cache_entry(const t_url &_to, 
		const string &realm, bool proxy=false);

	/**
	 * Update cached credentials.
	 * If the cache does not contain the credentials already
	 * then it will be added to the end of the list. If the cache
	 * already contains the maximum number of entries, then the least
	 * recently used entry will be removed.
	 * If the cache already contains an entry for credentials, then
	 * this entry will be moved to the end of the list.
	 * @param to [in] Destination for which authentication is needed.
	 * @param cr [in] Credentials to update.
	 * @param passwd [in] The password to store.
	 * @param proxy Indicates if proxy authentication was requested.
	 */
	void update_cache(const t_url &to, const t_credentials &cr,
		const string &passwd, bool proxy);

	/**
	 * Check if authorization failed.
	 * Authorization failed if the challenge is for a realm for which
	 * the request already contains an authorization header and the
	 * challenge is not stale.
	 * @return true, if authorization failed.
	 * @return false, otherwise.
	 */
	bool auth_failed(t_request *r, const t_challenge &c,
		bool proxy=false) const;

	/**
	 * Remove existing credentials for this challenge from the
	 * authorization or proxy-authorization header.
	 * @param r [in] The request from which the credentials must be removed.
	 * @param c [in] The challenge for which the credentials must be removed.
	 * @param proxy [in] Indicates if proxy authentication was requested.
	 */
	void remove_credentials(t_request *r, const t_challenge &c,
		bool proxy=false) const;

public:
	/** Constructor. */
	t_auth();
	
	/**
	 * Authorize the request based on the challenge in the response
	 * @param user_config [in] The user profile.
	 * @param r [in] The request to be authorized.
	 * @param resp [in] The response containing the challenge.
	 * @return true, if authorization succeeds.
	 * @return false, if authorization fails.
	 * @post On successful authorization, the credentials has been added to
	 * the request in the proper header (Authorization or Proxy-Authorization).
	 */
	bool authorize(t_user *user_config, t_request *r, t_response *resp);
	
	/**
	 * Remove credentials for a particular realm from cache.
	 * @param realm [in] The authentication realm.
	 */
	void remove_from_cache(const string &realm);
	
	/**
	 * Set the re-REGISTER indication.
	 * @param on [in] Value to set.
	 */
	void set_re_register(bool on);
	
	/** Get the re-REGISTER indication. */
	bool get_re_register(void) const;
};

#endif