[thirdparty/squid.git] / src / auth / basic / SSPI / basic_sspi_auth.cc

/*
 * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
  NT_auth -  Version 2.0

  Returns OK for a successful authentication, or ERR upon error.

  Guido Serassio, Torino - Italy

  Uses code from -
    Antonino Iannella 2000
    Andrew Tridgell 1997
    Richard Sharpe 1996
    Bill Welliver 1999

 * Distributed freely under the terms of the GNU General Public License,
 * version 2 or later. See the file COPYING for licensing details
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.

 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
*/

#include "squid.h"
#include "auth/basic/SSPI/valid.h"
#include "helper/protocol_defines.h"
#include "rfc1738.h"
#include "util.h"

#if GETOPT_H
#include <getopt.h>
#endif

/* Check if we try to compile on a Windows Platform */
#if !_SQUID_WINDOWS_
/* NON Windows Platform !!! */
#error NON WINDOWS PLATFORM
#endif

static char NTGroup[256];
char * NTAllowedGroup;
char * NTDisAllowedGroup;
int UseDisallowedGroup = 0;
int UseAllowedGroup = 0;
int debug_enabled = 0;

/*
 * options:
 * -A can specify a Windows Local Group name allowed to authenticate.
 * -D can specify a Windows Local Group name not allowed to authenticate.
 * -O can specify the default Domain against to authenticate.
 */
static void
usage(const char *name)
{
    fprintf(stderr, "Usage:\n%s [-A|D UserGroup][-O DefaultDomain][-d]\n"
            "-A can specify a Windows Local Group name allowed to authenticate\n"
            "-D can specify a Windows Local Group name not allowed to authenticate\n"
            "-O can specify the default Domain against to authenticate\n"
            "-d enable debugging.\n"
            "-h this message\n\n",
            name);
}

void
process_options(int argc, char *argv[])
{
    int opt;
    while (-1 != (opt = getopt(argc, argv, "dhA:D:O:"))) {
        switch (opt) {
        case 'A':
            safe_free(NTAllowedGroup);
            NTAllowedGroup=xstrdup(optarg);
            UseAllowedGroup = 1;
            break;
        case 'D':
            safe_free(NTDisAllowedGroup);
            NTDisAllowedGroup=xstrdup(optarg);
            UseDisallowedGroup = 1;
            break;
        case 'O':
            strncpy(Default_NTDomain, optarg, DNLEN);
            break;
        case 'd':
            debug_enabled = 1;
            break;
        case 'h':
            usage(argv[0]);
            exit(EXIT_SUCCESS);
        case '?':
            opt = optopt;
        /* fall thru to default */
        default:
            fprintf(stderr, "FATAL: Unknown option: -%c\n", opt);
            usage(argv[0]);
            exit(EXIT_FAILURE);
        }
    }
}

/* Main program for simple authentication.
   Scans and checks for Squid input, and attempts to validate the user.
*/
int
main(int argc, char **argv)
{
    char wstr[HELPER_INPUT_BUFFER];
    char username[256];
    char password[256];
    char *p;
    int err = 0;

    process_options(argc, argv);

    if (LoadSecurityDll(SSP_BASIC, NTLM_PACKAGE_NAME) == NULL) {
        fprintf(stderr, "FATAL: can't initialize SSPI, exiting.\n");
        exit(EXIT_FAILURE);
    }
    debug("SSPI initialized OK\n");

    atexit(UnloadSecurityDll);

    /* initialize FDescs */
    setbuf(stdout, NULL);
    setbuf(stderr, NULL);

    while (fgets(wstr, HELPER_INPUT_BUFFER, stdin) != NULL) {

        if (NULL == strchr(wstr, '\n')) {
            err = 1;
            continue;
        }
        if (err) {
            SEND_ERR("Oversized message");
            err = 0;
            fflush(stdout);
            continue;
        }

        if ((p = strchr(wstr, '\n')) != NULL)
            *p = '\0';      /* strip \n */
        if ((p = strchr(wstr, '\r')) != NULL)
            *p = '\0';      /* strip \r */
        /* Clear any current settings */
        username[0] = '\0';
        password[0] = '\0';
        sscanf(wstr, "%s %s", username, password);  /* Extract parameters */

        debug("Got %s from Squid\n", wstr);

        /* Check for invalid or blank entries */
        if ((username[0] == '\0') || (password[0] == '\0')) {
            SEND_ERR("Invalid Request");
            fflush(stdout);
            continue;
        }
        rfc1738_unescape(username);
        rfc1738_unescape(password);

        debug("Trying to validate; %s %s\n", username, password);

        if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR)
            SEND_OK("");
        else
            SEND_ERR(errormsg);
        err = 0;
        fflush(stdout);
    }
    return EXIT_SUCCESS;
}
Commit	Line	Data
5b95b903	1	/*
77b1029d	2	* Copyright (C) 1996-2020 The Squid Software Foundation and contributors
5b95b903 AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
6e785d85	9	/*
	10	NT_auth - Version 2.0
	11
	12	Returns OK for a successful authentication, or ERR upon error.
	13
	14	Guido Serassio, Torino - Italy
	15
	16	Uses code from -
	17	Antonino Iannella 2000
	18	Andrew Tridgell 1997
	19	Richard Sharpe 1996
	20	Bill Welliver 1999
	21
	22	* Distributed freely under the terms of the GNU General Public License,
da07f754	23	* version 2 or later. See the file COPYING for licensing details
6e785d85	24	*
	25	* This program is distributed in the hope that it will be useful,
	26	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	27	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	28	* GNU General Public License for more details.
26ac0430	29
6e785d85	30	* You should have received a copy of the GNU General Public License
	31	* along with this program; if not, write to the Free Software
	32	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	33	*/
	34
f7f3304a	35	#include "squid.h"
03901cf8	36	#include "auth/basic/SSPI/valid.h"
079b1d0f	37	#include "helper/protocol_defines.h"
1f7c83ca	38	#include "rfc1738.h"
5a48ed18 AJ	39	#include "util.h"
5a48ed18 AJ	40
5a48ed18	41	#if GETOPT_H
26ac0430	42	#include <getopt.h>
5a48ed18	43	#endif
6e785d85	44
6e785d85	45	/* Check if we try to compile on a Windows Platform */
be266cb2 AJ	46	#if !_SQUID_WINDOWS_
	47	/* NON Windows Platform !!! */
	48	#error NON WINDOWS PLATFORM
	49	#endif
6e785d85	50
6e785d85	51	static char NTGroup[256];
	52	char * NTAllowedGroup;
	53	char * NTDisAllowedGroup;
	54	int UseDisallowedGroup = 0;
	55	int UseAllowedGroup = 0;
	56	int debug_enabled = 0;
	57
	58	/*
	59	* options:
	60	* -A can specify a Windows Local Group name allowed to authenticate.
	61	* -D can specify a Windows Local Group name not allowed to authenticate.
	62	* -O can specify the default Domain against to authenticate.
	63	*/
1f7c83ca AJ	64	static void
1f7c83ca AJ	65	usage(const char *name)
6e785d85	66	{
43fed740	67	fprintf(stderr, "Usage:\n%s [-A\|D UserGroup][-O DefaultDomain][-d]\n"
26ac0430 AJ	68	"-A can specify a Windows Local Group name allowed to authenticate\n"
	69	"-D can specify a Windows Local Group name not allowed to authenticate\n"
	70	"-O can specify the default Domain against to authenticate\n"
	71	"-d enable debugging.\n"
	72	"-h this message\n\n",
1f7c83ca	73	name);
6e785d85	74	}
	75
	76	void
	77	process_options(int argc, char *argv[])
	78	{
43fed740	79	int opt;
6e785d85	80	while (-1 != (opt = getopt(argc, argv, "dhA:D:O:"))) {
26ac0430 AJ	81	switch (opt) {
	82	case 'A':
	83	safe_free(NTAllowedGroup);
	84	NTAllowedGroup=xstrdup(optarg);
	85	UseAllowedGroup = 1;
	86	break;
	87	case 'D':
	88	safe_free(NTDisAllowedGroup);
	89	NTDisAllowedGroup=xstrdup(optarg);
	90	UseDisallowedGroup = 1;
	91	break;
	92	case 'O':
	93	strncpy(Default_NTDomain, optarg, DNLEN);
	94	break;
	95	case 'd':
	96	debug_enabled = 1;
	97	break;
	98	case 'h':
	99	usage(argv[0]);
24885773	100	exit(EXIT_SUCCESS);
26ac0430 AJ	101	case '?':
26ac0430 AJ	102	opt = optopt;
f53969cc	103	/* fall thru to default */
26ac0430	104	default:
43fed740	105	fprintf(stderr, "FATAL: Unknown option: -%c\n", opt);
1f7c83ca	106	usage(argv[0]);
24885773	107	exit(EXIT_FAILURE);
26ac0430	108	}
6e785d85	109	}
6e785d85	110	}
	111
	112	/* Main program for simple authentication.
	113	Scans and checks for Squid input, and attempts to validate the user.
	114	*/
6e785d85	115	int
6e785d85	116	main(int argc, char **argv)
6e785d85	117	{
43fed740	118	char wstr[HELPER_INPUT_BUFFER];
6e785d85	119	char username[256];
	120	char password[256];
	121	char *p;
	122	int err = 0;
	123
6e785d85	124	process_options(argc, argv);
6e785d85	125
6e785d85	126	if (LoadSecurityDll(SSP_BASIC, NTLM_PACKAGE_NAME) == NULL) {
43fed740	127	fprintf(stderr, "FATAL: can't initialize SSPI, exiting.\n");
24885773	128	exit(EXIT_FAILURE);
6e785d85	129	}
	130	debug("SSPI initialized OK\n");
	131
	132	atexit(UnloadSecurityDll);
	133
26ac0430	134	/* initialize FDescs */
6e785d85	135	setbuf(stdout, NULL);
	136	setbuf(stderr, NULL);
	137
43fed740	138	while (fgets(wstr, HELPER_INPUT_BUFFER, stdin) != NULL) {
26ac0430 AJ	139
	140	if (NULL == strchr(wstr, '\n')) {
	141	err = 1;
	142	continue;
	143	}
	144	if (err) {
43fed740 AJ	145	SEND_ERR("Oversized message");
	146	err = 0;
	147	fflush(stdout);
	148	continue;
26ac0430 AJ	149	}
	150
	151	if ((p = strchr(wstr, '\n')) != NULL)
f53969cc	152	p = '\0'; / strip \n */
26ac0430	153	if ((p = strchr(wstr, '\r')) != NULL)
f53969cc	154	p = '\0'; / strip \r */
26ac0430 AJ	155	/* Clear any current settings */
	156	username[0] = '\0';
	157	password[0] = '\0';
f53969cc	158	sscanf(wstr, "%s %s", username, password); /* Extract parameters */
6e785d85	159
	160	debug("Got %s from Squid\n", wstr);
	161
26ac0430 AJ	162	/* Check for invalid or blank entries */
26ac0430 AJ	163	if ((username[0] == '\0') \|\| (password[0] == '\0')) {
43fed740	164	SEND_ERR("Invalid Request");
26ac0430 AJ	165	fflush(stdout);
	166	continue;
	167	}
	168	rfc1738_unescape(username);
	169	rfc1738_unescape(password);
6e785d85	170
	171	debug("Trying to validate; %s %s\n", username, password);
	172
26ac0430	173	if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR)
43fed740	174	SEND_OK("");
26ac0430	175	else
43fed740	176	SEND_ERR(errormsg);
26ac0430 AJ	177	err = 0;
26ac0430 AJ	178	fflush(stdout);
6e785d85	179	}
24885773	180	return EXIT_SUCCESS;
6e785d85	181	}
f53969cc	182