/*
 * -----------------------------------------------------------------------------
 *
 * Author: Markus Moeller (markus_moeller at compuserve.com)
 *
 * Copyright (C) 2007 Markus Moeller. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
 *
 * -----------------------------------------------------------------------------
 */

f7f3304a 25#include "squid.h"
26#include "util.h"
27
28#ifdef HAVE_LDAP
29
30#include "support.h"
31
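/*
 * Query LDAP for membership of user in the group described by gr and log
 * the outcome at INFO level: via debug() when debug_enabled is set, via
 * log() otherwise (the two messages are identical).
 *
 * margs   helper configuration, passed through to get_memberof()
 * user    user name being checked; only ever used as a "%s" argument
 * domain  the user's domain, handed to get_memberof() unchanged (may be NULL)
 * gr      group entry to test; gr->domain may be NULL and is shown as "NULL"
 *
 * Returns 1 when get_memberof() reports the user as a member, else 0.
 */
static int
query_group(struct main_args *margs, char *user, char *domain, struct gdstruct *gr)
{
    const char *gdom = gr->domain ? gr->domain : "NULL";

    debug((char *) "%s| %s: DEBUG: Found group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gdom);

    /* query ldap */
    if (get_memberof(margs, user, domain, gr->group)) {
        if (debug_enabled)
            debug((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gdom);
        else
            log((char *) "%s| %s: INFO: User %s is member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gdom);
        return 1;
    }

    if (debug_enabled)
        debug((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gdom);
    else
        log((char *) "%s| %s: INFO: User %s is not member of group@domain %s@%s\n", LogTime(), PROGRAM, user, gr->group, gdom);
    return 0;
}

/*
 * Decide whether user (in domain) is a member of one of the configured
 * groups in margs->groups.
 *
 * Check order:
 *
 * 1. Check domain against list of groups per domain
 * 1a. If domain does not exist in list try default domain
 * 1b. If default domain does not exist use default group against ldap url with user/password
 * 1c. If default group does not exist exit with error.
 * 2. Query ldap membership
 * 2a. Use GSSAPI/SASL with HTTP/fqdn@DOMAIN credentials from keytab
 * 2b. Use username/password with TLS
 *
 * margs   helper configuration holding the group@domain list
 * user    user name to check (not validated here; passed through as data,
 *         never as a format string)
 * domain  the user's domain, or NULL when none is known; the per-domain
 *         passes are skipped in that case and only default groups are tried
 *
 * Returns 1 as soon as one group confirms membership, 0 when none does.
 * Each LDAP query is logged by query_group(); non-matching entries are
 * skipped without an LDAP round-trip.
 */
int
check_memberof(struct main_args *margs, char *user, char *domain)
{
    struct gdstruct *gr;

    /* Check users domain: entries whose domain equals the user's domain */
    for (gr = margs->groups; gr && domain; gr = gr->next) {
        debug((char *) "%s| %s: DEBUG: User domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
        if (gr->domain && !strcasecmp(gr->domain, domain) && query_group(margs, user, domain, gr))
            return 1;
    }

    /* Check default domain: entries configured with an empty domain string */
    for (gr = margs->groups; gr && domain; gr = gr->next) {
        debug((char *) "%s| %s: DEBUG: Default domain loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
        if (gr->domain && *gr->domain == '\0' && query_group(margs, user, domain, gr))
            return 1;
    }

    /* Check default group with ldap url: entries without any domain.
     * This pass runs even when domain is NULL. */
    for (gr = margs->groups; gr; gr = gr->next) {
        debug((char *) "%s| %s: DEBUG: Default group loop: group@domain %s@%s\n", LogTime(), PROGRAM, gr->group, gr->domain ? gr->domain : "NULL");
        if (!gr->domain && query_group(margs, user, domain, gr))
            return 1;
    }

    return 0;
}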
138#endif