[thirdparty/squid.git] / helpers / external_acl / wbinfo_group / ext_wbinfo_group_acl.pl.in

#!@PERL@ -w
#
## Copyright (C) 1996-2014 The Squid Software Foundation and contributors
##
## Squid software is distributed under GPLv2+ license and includes
## contributions from numerous individuals and organizations.
## Please see the COPYING and CONTRIBUTORS files for details.
##
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock 
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
#   Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
#   2010-08-27 Hank Hampel <hh@nr-city.net>
#               Add Kerberos to NTLM conversion of credentials (-K)
#
#   2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
#               Add '-d' command line debugging option
#
#   2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
#               Fix for wbinfo from Samba 3.0.21
#
#   2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
#		Helper protocol changed to URL escaped in Squid-3.0
#
#   2005-06-28 Arno Streuli <astreuli@gmail.com>
#               Add multi group check
#
#   2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
#		Initial release
=pod

=head1 NAME

ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo.

=head1 SYNOPSIS

ext_wbinfo_group_acl [-dh]

=head1 DESCRIPTION

ext_wbinfo_group_acl is an installed executable script.
It uses wbinfo from Samba to lookup group membership of logged in users.

This helper must be used in with an authentication scheme (typically
Basic or NTLM) based on Windows NT/2000 domain users.

It reads from the standard input the domain username and a list of groups
and tries to match each against the groups membership of the specified
username.

=head1 OPTIONS

	-d Write debug info to stderr.
	-h Print the help.
	-K downgrade Kerberos credentials to NTLM.

=head1 CONFIGURATION

	external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl
	acl allowed_group external wbinfo_check Group1 Group2
	http_access allow allowed_group

If the local perl interpreter is in a unusual location it may need to be added:

	external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl

=head1 AUTHOR

This program was written by Jerry Murdock <jmurdock@itraktech.com>

This manual was written by Amos Jeffries <amosjeffries@squid-cache.org>

=head1 COPYRIGHT

This program is put in the public domain by Jerry Murdock
<jmurdock@itraktech.com>. It is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

=head1 QUESTIONS

Questions on the usage of this program can be sent to the
Squid Users mailing list <squid-users@squid-cache.org>

=head1 REPORTING BUGS

Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.

Report bugs or bug fixes using http://bugs.squid-cache.org/

Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

Report ideas for new improvements to the
Squid Developers mailing list <squid-dev@squid-cache.org>

=head1 SEE ALSO

The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq

The Squid Configuration Manual http://www.squid-cache.org/Doc/config/

=cut

#
# Globals
#
use vars qw/ %opt /;

# Disable output buffering
$|=1;

sub debug {
	print STDERR "@_\n" if $opt{d};
}

#
# Check if a user belongs to a group
#
sub check {
        local($user, $group) = @_;
	if ($opt{K} && ($user =~ m/\@/)) {
		@tmpuser = split(/\@/, $user);
		$user = "$tmpuser[1]\\$tmpuser[0]";
	}
        $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
        chop  $groupSID;
        $groupGID = `wbinfo -Y "$groupSID"`;
        chop $groupGID;
        &debug( "User:  -$user-\nGroup: -$group-\nSID:   -$groupSID-\nGID:   -$groupGID-");
        return 'ERR' if($groupGID eq ""); # Verify if groupGID variable is empty.
        return 'ERR' if(`wbinfo -r \Q$user\E` eq ""); # Verify if "wbinfo -r" command returns no value.
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
}

#
# Command line options processing
#
sub init()
{
    use Getopt::Std;
    my $opt_string = 'hdK';
    getopts( "$opt_string", \%opt ) or usage();
    usage() if $opt{h};
}

#
# Message about this program and how to use it
#
sub usage()
{
	print "Usage: ext_wbinfo_group_acl -dh\n";
	print "\t-d enable debugging\n";
	print "\t-h print the help\n";
	print "\t-K downgrade Kerberos credentials to NTLM.\n";
	exit;
}

init();
print STDERR "Debugging mode ON.\n" if $opt{d};

#
# Main loop
#
while (<STDIN>) {
        chop;
	&debug("Got $_ from squid");
        ($user, @groups) = split(/\s+/);
	$user =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
 	# test for each group squid send in it's request
 	foreach $group (@groups) {
		$group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
 		$ans = &check($user, $group);
 		last if $ans eq "OK";
 	}
	&debug("Sending $ans to squid");
	print "$ans\n";
}
Commit	Line	Data
c152a447	1	#!@PERL@ -w
ee28ce13	2	#
ca02e0ec AJ	3	## Copyright (C) 1996-2014 The Squid Software Foundation and contributors
	4	##
	5	## Squid software is distributed under GPLv2+ license and includes
	6	## contributions from numerous individuals and organizations.
	7	## Please see the COPYING and CONTRIBUTORS files for details.
	8	##
	9	#
ee28ce13	10	# external_acl helper to Squid to verify NT Domain group
	11	# membership using wbinfo
	12	#
	13	# This program is put in the public domain by Jerry Murdock
	14	# <jmurdock@itraktech.com>. It is distributed in the hope that it will
	15	# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
	16	# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
	17	#
	18	# Author:
	19	# Jerry Murdock <jmurdock@itraktech.com>
	20	#
	21	# Version history:
2a4b511e AJ	22	# 2010-08-27 Hank Hampel <hh@nr-city.net>
	23	# Add Kerberos to NTLM conversion of credentials (-K)
	24	#
47ea0413	25	# 2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
	26	# Add '-d' command line debugging option
	27	#
585e63cb	28	# 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
	29	# Fix for wbinfo from Samba 3.0.21
	30	#
1958420a	31	# 2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
1958420a	32	# Helper protocol changed to URL escaped in Squid-3.0
ee28ce13	33	#
d617cf18	34	# 2005-06-28 Arno Streuli <astreuli@gmail.com>
d617cf18	35	# Add multi group check
585e63cb	36	#
	37	# 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
	38	# Initial release
c152a447	39	=pod
d617cf18	40
c152a447 AJ	41	=head1 NAME
	42
	43	ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo.
	44
	45	=head1 SYNOPSIS
	46
	47	ext_wbinfo_group_acl [-dh]
	48
	49	=head1 DESCRIPTION
	50
	51	ext_wbinfo_group_acl is an installed executable script.
	52	It uses wbinfo from Samba to lookup group membership of logged in users.
	53
	54	This helper must be used in with an authentication scheme (typically
	55	Basic or NTLM) based on Windows NT/2000 domain users.
	56
	57	It reads from the standard input the domain username and a list of groups
	58	and tries to match each against the groups membership of the specified
	59	username.
	60
	61	=head1 OPTIONS
	62
	63	-d Write debug info to stderr.
	64	-h Print the help.
2a4b511e	65	-K downgrade Kerberos credentials to NTLM.
c152a447 AJ	66
	67	=head1 CONFIGURATION
	68
	69	external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl
	70	acl allowed_group external wbinfo_check Group1 Group2
	71	http_access allow allowed_group
	72
	73	If the local perl interpreter is in a unusual location it may need to be added:
	74
	75	external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl
	76
	77	=head1 AUTHOR
	78
	79	This program was written by Jerry Murdock <jmurdock@itraktech.com>
	80
	81	This manual was written by Amos Jeffries <amosjeffries@squid-cache.org>
	82
	83	=head1 COPYRIGHT
	84
	85	This program is put in the public domain by Jerry Murdock
	86	<jmurdock@itraktech.com>. It is distributed in the hope that it will
	87	be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
	88	of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
	89
	90	=head1 QUESTIONS
	91
	92	Questions on the usage of this program can be sent to the
	93	Squid Users mailing list <squid-users@squid-cache.org>
	94
	95	=head1 REPORTING BUGS
	96
	97	Bug reports need to be made in English.
	98	See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
	99
	100	Report bugs or bug fixes using http://bugs.squid-cache.org/
	101
	102	Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>
	103
	104	Report ideas for new improvements to the
	105	Squid Developers mailing list <squid-dev@squid-cache.org>
	106
	107	=head1 SEE ALSO
	108
	109	The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
	110
	111	The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
	112
	113	=cut
ee28ce13	114
47ea0413	115	#
	116	# Globals
	117	#
	118	use vars qw/ %opt /;
	119
ee28ce13	120	# Disable output buffering
c19c2c0b	121	$\|=1;
ee28ce13	122
ee28ce13	123	sub debug {
47ea0413	124	print STDERR "@_\n" if $opt{d};
ee28ce13	125	}
	126
	127	#
	128	# Check if a user belongs to a group
	129	#
	130	sub check {
	131	local($user, $group) = @_;
2a4b511e AJ	132	if ($opt{K} && ($user =~ m/\@/)) {
	133	@tmpuser = split(/\@/, $user);
	134	$user = "$tmpuser[1]\\$tmpuser[0]";
	135	}
585e63cb	136	$groupSID = `wbinfo -n "$group" \| cut -d" " -f1`;
ee28ce13	137	chop $groupSID;
71304ae5	138	$groupGID = `wbinfo -Y "$groupSID"`;
ee28ce13	139	chop $groupGID;
ee28ce13	140	&debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
f1061a7e AJ	141	return 'ERR' if($groupGID eq ""); # Verify if groupGID variable is empty.
f1061a7e AJ	142	return 'ERR' if(`wbinfo -r \Q$user\E` eq ""); # Verify if "wbinfo -r" command returns no value.
ee28ce13	143	return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
	144	return 'ERR';
	145	}
	146
47ea0413	147	#
	148	# Command line options processing
	149	#
	150	sub init()
	151	{
	152	use Getopt::Std;
2a4b511e	153	my $opt_string = 'hdK';
47ea0413	154	getopts( "$opt_string", \%opt ) or usage();
	155	usage() if $opt{h};
	156	}
	157
	158	#
	159	# Message about this program and how to use it
	160	#
	161	sub usage()
	162	{
c152a447	163	print "Usage: ext_wbinfo_group_acl -dh\n";
47ea0413	164	print "\t-d enable debugging\n";
47ea0413	165	print "\t-h print the help\n";
2a4b511e	166	print "\t-K downgrade Kerberos credentials to NTLM.\n";
47ea0413	167	exit;
	168	}
	169
	170	init();
	171	print STDERR "Debugging mode ON.\n" if $opt{d};
	172
ee28ce13	173	#
	174	# Main loop
	175	#
	176	while (<STDIN>) {
	177	chop;
c19c2c0b	178	&debug("Got $_ from squid");
d617cf18	179	($user, @groups) = split(/\s+/);
1958420a	180	$user =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
d617cf18	181	# test for each group squid send in it's request
	182	foreach $group (@groups) {
	183	$group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
	184	$ans = &check($user, $group);
	185	last if $ans eq "OK";
	186	}
c19c2c0b	187	&debug("Sending $ans to squid");
ee28ce13	188	print "$ans\n";
ee28ce13	189	}