[thirdparty/squid.git] / src / auth / basic / auth_basic.cc

/*
 * $Id$
 *
 * DEBUG: section 29    Authenticator
 * AUTHOR: Duane Wessels
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */

/* The functions in this file handle authentication.
 * They DO NOT perform access control or auditing.
 * See acl.c for access control and client_side.c for auditing */


#include "squid-old.h"
#include "auth/basic/auth_basic.h"
#include "auth/basic/Scheme.h"
#include "auth/basic/User.h"
#include "auth/basic/UserRequest.h"
#include "auth/Gadgets.h"
#include "auth/State.h"
#include "charset.h"
#include "mgr/Registration.h"
#include "Store.h"
#include "HttpReply.h"
#include "rfc1738.h"
#include "uudecode.h"
#include "wordlist.h"
#include "SquidTime.h"

/* Basic Scheme */
static AUTHSSTATS authenticateBasicStats;

helper *basicauthenticators = NULL;

static int authbasic_initialised = 0;


/*
 *
 * Public Functions
 *
 */

/* internal functions */

bool
Auth::Basic::Config::active() const
{
    return authbasic_initialised == 1;
}

bool
Auth::Basic::Config::configured() const
{
    if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0) &&
            (basicAuthRealm != NULL)) {
        debugs(29, 9, HERE << "returning configured");
        return true;
    }

    debugs(29, 9, HERE << "returning unconfigured");
    return false;
}

const char *
Auth::Basic::Config::type() const
{
    return Auth::Basic::Scheme::GetInstance()->type();
}

void
Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request)
{
    if (authenticateProgram) {
        debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'Basic realm=\"" << basicAuthRealm << "\"'");
        httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"%s\"", basicAuthRealm);
    }
}

void
Auth::Basic::Config::rotateHelpers()
{
    /* schedule closure of existing helpers */
    if (basicauthenticators) {
        helperShutdown(basicauthenticators);
    }

    /* NP: dynamic helper restart will ensure they start up again as needed. */
}

/** shutdown the auth helpers and free any allocated configuration details */
void
Auth::Basic::Config::done()
{
    authbasic_initialised = 0;

    if (basicauthenticators) {
        helperShutdown(basicauthenticators);
    }

    delete basicauthenticators;
    basicauthenticators = NULL;

    if (authenticateProgram)
        wordlistDestroy(&authenticateProgram);

    if (basicAuthRealm)
        safe_free(basicAuthRealm);
}

void
Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme)
{
    wordlist *list = authenticateProgram;
    storeAppendPrintf(entry, "%s %s", name, "basic");

    while (list != NULL) {
        storeAppendPrintf(entry, " %s", list->key);
        list = list->next;
    }

    storeAppendPrintf(entry, "\n");

    storeAppendPrintf(entry, "%s basic realm %s\n", name, basicAuthRealm);
    storeAppendPrintf(entry, "%s basic children %d startup=%d idle=%d concurrency=%d\n", name, authenticateChildren.n_max, authenticateChildren.n_startup, authenticateChildren.n_idle, authenticateChildren.concurrency);
    storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
    storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
}

Auth::Basic::Config::Config() :
        credentialsTTL( 2*60*60 ),
        casesensitive(0),
        utf8(0)
{
    basicAuthRealm = xstrdup("Squid proxy-caching web server");
}

Auth::Basic::Config::~Config()
{
    safe_free(basicAuthRealm);
}

void
Auth::Basic::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
{
    if (strcasecmp(param_str, "program") == 0) {
        if (authenticateProgram)
            wordlistDestroy(&authenticateProgram);

        parse_wordlist(&authenticateProgram);

        requirePathnameExists("auth_param basic program", authenticateProgram->key);
    } else if (strcasecmp(param_str, "children") == 0) {
        authenticateChildren.parseConfig();
    } else if (strcasecmp(param_str, "realm") == 0) {
        parse_eol(&basicAuthRealm);
    } else if (strcasecmp(param_str, "credentialsttl") == 0) {
        parse_time_t(&credentialsTTL);
    } else if (strcasecmp(param_str, "casesensitive") == 0) {
        parse_onoff(&casesensitive);
    } else if (strcasecmp(param_str, "utf8") == 0) {
        parse_onoff(&utf8);
    } else {
        debugs(29, DBG_CRITICAL, HERE << "unrecognised basic auth scheme parameter '" << param_str << "'");
    }
}

static void
authenticateBasicStats(StoreEntry * sentry)
{
    helperStats(sentry, basicauthenticators, "Basic Authenticator Statistics");
}

static Auth::User::Pointer
authBasicAuthUserFindUsername(const char *username)
{
    AuthUserHashPointer *usernamehash;
    debugs(29, 9, HERE << "Looking for user '" << username << "'");

    if (username && (usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, username)))) {
        while (usernamehash) {
            if ((usernamehash->user()->auth_type == Auth::AUTH_BASIC) &&
                    !strcmp(username, (char const *)usernamehash->key))
                return usernamehash->user();

            usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
        }
    }

    return NULL;
}

char *
Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader)
{
    const char *proxy_auth = httpAuthHeader;

    /* trim BASIC from string */
    while (xisgraph(*proxy_auth))
        proxy_auth++;

    /* Trim leading whitespace before decoding */
    while (xisspace(*proxy_auth))
        proxy_auth++;

    /* Trim trailing \n before decoding */
    // XXX: really? is the \n actually still there? does the header parse not drop it?
    char *eek = xstrdup(proxy_auth);
    strtok(eek, "\n");
    char *cleartext = uudecode(eek);
    safe_free(eek);

    if (cleartext) {
        /*
         * Don't allow NL or CR in the credentials.
         * Oezguer Kesim <oec@codeblau.de>
         */
        debugs(29, 9, HERE << "'" << cleartext << "'");

        if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
            debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
            safe_free(cleartext);
        }
    }
    return cleartext;
}

/**
 * Decode a Basic [Proxy-]Auth string, linking the passed
 * auth_user_request structure to any existing user structure or creating one
 * if needed. Note that just returning will be treated as
 * "cannot decode credentials". Use the message field to return a
 * descriptive message to the user.
 */
Auth::UserRequest::Pointer
Auth::Basic::Config::decode(char const *proxy_auth)
{
    Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
    /* decode the username */

    // retrieve the cleartext (in a dynamically allocated char*)
    char *cleartext = decodeCleartext(proxy_auth);

    // empty header? no auth details produced...
    if (!cleartext)
        return auth_user_request;

    Auth::User::Pointer lb;
    /* permitted because local_basic is purely local function scope. */
    Auth::Basic::User *local_basic = NULL;

    char *seperator = strchr(cleartext, ':');

    lb = local_basic = new Auth::Basic::User(this);
    if (seperator == NULL) {
        local_basic->username(cleartext);
    } else {
        /* terminate the username */
        *seperator = '\0';
        local_basic->username(cleartext);
        local_basic->passwd = xstrdup(seperator+1);
    }

    if (!casesensitive)
        Tolower((char *)local_basic->username());

    if (local_basic->passwd == NULL) {
        debugs(29, 4, HERE << "no password in proxy authorization header '" << proxy_auth << "'");
        auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
    } else {
        if (local_basic->passwd[0] == '\0') {
            debugs(29, 4, HERE << "Disallowing empty password. User is '" << local_basic->username() << "'");
            safe_free(local_basic->passwd);
            auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
        }
    }

    xfree(cleartext);

    if (!local_basic->valid()) {
        lb->auth_type = Auth::AUTH_BROKEN;
        auth_user_request->user(lb);
        return auth_user_request;
    }

    /* now lookup and see if we have a matching auth_user structure in memory. */
    Auth::User::Pointer auth_user;

    if ((auth_user = authBasicAuthUserFindUsername(lb->username())) == NULL) {
        /* the user doesn't exist in the username cache yet */
        /* save the credentials */
        debugs(29, 9, HERE << "Creating new user '" << lb->username() << "'");
        /* set the auth_user type */
        lb->auth_type = Auth::AUTH_BASIC;
        /* current time for timeouts */
        lb->expiretime = current_time.tv_sec;

        /* this basic_user struct is the 'lucky one' to get added to the username cache */
        /* the requests after this link to the basic_user */
        /* store user in hash */
        lb->addToNameCache();

        auth_user = lb;
        assert(auth_user != NULL);
    } else {
        /* replace the current cached password with the new one */
        Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw());
        assert(basic_auth);
        basic_auth->updateCached(local_basic);
        auth_user = basic_auth;
    }

    /* link the request to the in-cache user */
    auth_user_request->user(auth_user);
    return auth_user_request;
}

/** Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 * config file */
void
Auth::Basic::Config::init(Auth::Config * schemeCfg)
{
    if (authenticateProgram) {
        authbasic_initialised = 1;

        if (basicauthenticators == NULL)
            basicauthenticators = new helper("basicauthenticator");

        basicauthenticators->cmdline = authenticateProgram;

        basicauthenticators->childs.updateLimits(authenticateChildren);

        basicauthenticators->ipc_type = IPC_STREAM;

        helperOpenServers(basicauthenticators);
    }
}

void
Auth::Basic::Config::registerWithCacheManager(void)
{
    Mgr::RegisterAction("basicauthenticator",
                        "Basic User Authenticator Stats",
                        authenticateBasicStats, 0, 1);
}
Commit	Line	Data
94439e4e	1	/*
262a0e14	2	* $Id$
94439e4e	3	*
	4	* DEBUG: section 29 Authenticator
	5	* AUTHOR: Duane Wessels
	6	*
2b6662ba	7	* SQUID Web Proxy Cache http://www.squid-cache.org/
94439e4e	8	* ----------------------------------------------------------
94439e4e	9	*
2b6662ba	10	* Squid is the result of efforts by numerous individuals from
	11	* the Internet community; see the CONTRIBUTORS file for full
	12	* details. Many organizations have provided support for Squid's
	13	* development; see the SPONSORS file for full details. Squid is
	14	* Copyrighted (C) 2001 by the Regents of the University of
	15	* California; see the COPYRIGHT file for full details. Squid
	16	* incorporates software developed and/or copyrighted by other
	17	* sources; see the CREDITS file for full details.
94439e4e	18	*
	19	* This program is free software; you can redistribute it and/or modify
	20	* it under the terms of the GNU General Public License as published by
	21	* the Free Software Foundation; either version 2 of the License, or
	22	* (at your option) any later version.
26ac0430	23	*
94439e4e	24	* This program is distributed in the hope that it will be useful,
	25	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	26	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	27	* GNU General Public License for more details.
26ac0430	28	*
94439e4e	29	* You should have received a copy of the GNU General Public License
	30	* along with this program; if not, write to the Free Software
	31	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	32	*
	33	*/
	34
	35	/* The functions in this file handle authentication.
	36	* They DO NOT perform access control or auditing.
	37	* See acl.c for access control and client_side.c for auditing */
	38
	39
f7f3304a	40	#include "squid-old.h"
5817ee13	41	#include "auth/basic/auth_basic.h"
616cfc4c	42	#include "auth/basic/Scheme.h"
aa110616	43	#include "auth/basic/User.h"
616cfc4c	44	#include "auth/basic/UserRequest.h"
3ad63615	45	#include "auth/Gadgets.h"
a623c828	46	#include "auth/State.h"
25f98340	47	#include "charset.h"
8822ebee	48	#include "mgr/Registration.h"
e6ccf245	49	#include "Store.h"
924f73bc	50	#include "HttpReply.h"
1fa9b1a7	51	#include "rfc1738.h"
25f98340	52	#include "uudecode.h"
d295d770	53	#include "wordlist.h"
985c86bc	54	#include "SquidTime.h"
94439e4e	55
94439e4e	56	/* Basic Scheme */
94439e4e	57	static AUTHSSTATS authenticateBasicStats;
94439e4e	58
fe0a0419	59	helper *basicauthenticators = NULL;
94439e4e	60
94439e4e	61	static int authbasic_initialised = 0;
94439e4e	62
2d72d4fd	63
94439e4e	64	/*
94439e4e	65	*
2d72d4fd	66	* Public Functions
94439e4e	67	*
	68	*/
	69
2d72d4fd	70	/* internal functions */
2d72d4fd	71
f5691f9c	72	bool
372fccd6	73	Auth::Basic::Config::active() const
2d70df72	74	{
f5691f9c	75	return authbasic_initialised == 1;
2d70df72	76	}
2d70df72	77
f5691f9c	78	bool
372fccd6	79	Auth::Basic::Config::configured() const
94439e4e	80	{
58ee2093	81	if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0) &&
f5691f9c	82	(basicAuthRealm != NULL)) {
4c73ba5f	83	debugs(29, 9, HERE << "returning configured");
f5691f9c	84	return true;
2d70df72	85	}
62e76326	86
4c73ba5f	87	debugs(29, 9, HERE << "returning unconfigured");
f5691f9c	88	return false;
94439e4e	89	}
94439e4e	90
f5691f9c	91	const char *
372fccd6	92	Auth::Basic::Config::type() const
94439e4e	93	{
d6374be6	94	return Auth::Basic::Scheme::GetInstance()->type();
f5691f9c	95	}
62e76326	96
94439e4e	97	void
c7baff40	98	Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply rep, http_hdr_type hdrType, HttpRequest request)
94439e4e	99	{
58ee2093	100	if (authenticateProgram) {
18ec8500 FC	101	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'Basic realm=\"" << basicAuthRealm << "\"'");
18ec8500 FC	102	httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"%s\"", basicAuthRealm);
94439e4e	103	}
	104	}
	105
0bcb6908	106	void
372fccd6	107	Auth::Basic::Config::rotateHelpers()
0bcb6908 AJ	108	{
	109	/* schedule closure of existing helpers */
	110	if (basicauthenticators) {
	111	helperShutdown(basicauthenticators);
	112	}
	113
	114	/* NP: dynamic helper restart will ensure they start up again as needed. */
	115	}
	116
5817ee13	117	/** shutdown the auth helpers and free any allocated configuration details */
94439e4e	118	void
372fccd6	119	Auth::Basic::Config::done()
94439e4e	120	{
5817ee13 AJ	121	authbasic_initialised = 0;
	122
	123	if (basicauthenticators) {
	124	helperShutdown(basicauthenticators);
5817ee13 AJ	125	}
5817ee13 AJ	126
ed3ef6a8 AJ	127	delete basicauthenticators;
	128	basicauthenticators = NULL;
	129
58ee2093 AJ	130	if (authenticateProgram)
58ee2093 AJ	131	wordlistDestroy(&authenticateProgram);
62e76326	132
f5691f9c	133	if (basicAuthRealm)
f5691f9c	134	safe_free(basicAuthRealm);
94439e4e	135	}
94439e4e	136
f5691f9c	137	void
372fccd6	138	Auth::Basic::Config::dump(StoreEntry * entry, const char name, Auth::Config scheme)
94439e4e	139	{
58ee2093	140	wordlist *list = authenticateProgram;
94439e4e	141	storeAppendPrintf(entry, "%s %s", name, "basic");
62e76326	142
94439e4e	143	while (list != NULL) {
62e76326	144	storeAppendPrintf(entry, " %s", list->key);
62e76326	145	list = list->next;
94439e4e	146	}
62e76326	147
07eca7e0	148	storeAppendPrintf(entry, "\n");
07eca7e0	149
f5691f9c	150	storeAppendPrintf(entry, "%s basic realm %s\n", name, basicAuthRealm);
404cfda1	151	storeAppendPrintf(entry, "%s basic children %d startup=%d idle=%d concurrency=%d\n", name, authenticateChildren.n_max, authenticateChildren.n_startup, authenticateChildren.n_idle, authenticateChildren.concurrency);
f5691f9c	152	storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
64658378	153	storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
94439e4e	154	}
94439e4e	155
372fccd6	156	Auth::Basic::Config::Config() :
5817ee13 AJ	157	credentialsTTL( 26060 ),
	158	casesensitive(0),
	159	utf8(0)
f5691f9c	160	{
75126633	161	basicAuthRealm = xstrdup("Squid proxy-caching web server");
f5691f9c	162	}
62e76326	163
372fccd6	164	Auth::Basic::Config::~Config()
3845e4c8	165	{
acde4327	166	safe_free(basicAuthRealm);
3845e4c8	167	}
3845e4c8	168
f5691f9c	169	void
372fccd6	170	Auth::Basic::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
f5691f9c	171	{
94439e4e	172	if (strcasecmp(param_str, "program") == 0) {
58ee2093 AJ	173	if (authenticateProgram)
58ee2093 AJ	174	wordlistDestroy(&authenticateProgram);
62e76326	175
58ee2093	176	parse_wordlist(&authenticateProgram);
62e76326	177
58ee2093	178	requirePathnameExists("auth_param basic program", authenticateProgram->key);
94439e4e	179	} else if (strcasecmp(param_str, "children") == 0) {
48d54e4d	180	authenticateChildren.parseConfig();
94439e4e	181	} else if (strcasecmp(param_str, "realm") == 0) {
f5691f9c	182	parse_eol(&basicAuthRealm);
94439e4e	183	} else if (strcasecmp(param_str, "credentialsttl") == 0) {
f5691f9c	184	parse_time_t(&credentialsTTL);
64658378	185	} else if (strcasecmp(param_str, "casesensitive") == 0) {
64658378	186	parse_onoff(&casesensitive);
f741d2f6 HN	187	} else if (strcasecmp(param_str, "utf8") == 0) {
f741d2f6 HN	188	parse_onoff(&utf8);
94439e4e	189	} else {
4c73ba5f	190	debugs(29, DBG_CRITICAL, HERE << "unrecognised basic auth scheme parameter '" << param_str << "'");
94439e4e	191	}
	192	}
	193
	194	static void
	195	authenticateBasicStats(StoreEntry * sentry)
	196	{
9522b380	197	helperStats(sentry, basicauthenticators, "Basic Authenticator Statistics");
94439e4e	198	}
94439e4e	199
d87154ee	200	static Auth::User::Pointer
94439e4e	201	authBasicAuthUserFindUsername(const char *username)
94439e4e	202	{
e6ccf245	203	AuthUserHashPointer *usernamehash;
e1f7507e	204	debugs(29, 9, HERE << "Looking for user '" << username << "'");
62e76326	205
e6ccf245	206	if (username && (usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, username)))) {
62e76326	207	while (usernamehash) {
616cfc4c	208	if ((usernamehash->user()->auth_type == Auth::AUTH_BASIC) &&
62e76326	209	!strcmp(username, (char const *)usernamehash->key))
f5691f9c	210	return usernamehash->user();
62e76326	211
	212	usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
	213	}
94439e4e	214	}
62e76326	215
94439e4e	216	return NULL;
	217	}
	218
431aae42	219	char *
372fccd6	220	Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader)
f5691f9c	221	{
431aae42	222	const char *proxy_auth = httpAuthHeader;
acde4327	223
431aae42 AJ	224	/* trim BASIC from string */
	225	while (xisgraph(*proxy_auth))
	226	proxy_auth++;
62e76326	227
431aae42 AJ	228	/* Trim leading whitespace before decoding */
	229	while (xisspace(*proxy_auth))
	230	proxy_auth++;
94439e4e	231
431aae42 AJ	232	/* Trim trailing \n before decoding */
	233	// XXX: really? is the \n actually still there? does the header parse not drop it?
	234	char *eek = xstrdup(proxy_auth);
	235	strtok(eek, "\n");
	236	char *cleartext = uudecode(eek);
	237	safe_free(eek);
	238
	239	if (cleartext) {
	240	/*
	241	* Don't allow NL or CR in the credentials.
	242	* Oezguer Kesim <oec@codeblau.de>
	243	*/
	244	debugs(29, 9, HERE << "'" << cleartext << "'");
	245
	246	if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
	247	debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
	248	safe_free(cleartext);
666f0b34	249	}
35b3bc89	250	}
431aae42	251	return cleartext;
f5691f9c	252	}
f5691f9c	253
4c73ba5f	254	/**
f5691f9c	255	* Decode a Basic [Proxy-]Auth string, linking the passed
f5691f9c	256	* auth_user_request structure to any existing user structure or creating one
26ac0430 AJ	257	* if needed. Note that just returning will be treated as
26ac0430 AJ	258	* "cannot decode credentials". Use the message field to return a
f5691f9c	259	* descriptive message to the user.
f5691f9c	260	*/
c7baff40	261	Auth::UserRequest::Pointer
372fccd6	262	Auth::Basic::Config::decode(char const *proxy_auth)
f5691f9c	263	{
c7baff40	264	Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
f5691f9c	265	/* decode the username */
f5691f9c	266
431aae42 AJ	267	// retrieve the cleartext (in a dynamically allocated char*)
431aae42 AJ	268	char *cleartext = decodeCleartext(proxy_auth);
f5691f9c	269
431aae42 AJ	270	// empty header? no auth details produced...
	271	if (!cleartext)
	272	return auth_user_request;
f5691f9c	273
d87154ee	274	Auth::User::Pointer lb;
431aae42	275	/* permitted because local_basic is purely local function scope. */
aa110616	276	Auth::Basic::User *local_basic = NULL;
431aae42 AJ	277
	278	char *seperator = strchr(cleartext, ':');
	279
aa110616	280	lb = local_basic = new Auth::Basic::User(this);
431aae42 AJ	281	if (seperator == NULL) {
	282	local_basic->username(cleartext);
	283	} else {
	284	/* terminate the username */
	285	*seperator = '\0';
	286	local_basic->username(cleartext);
	287	local_basic->passwd = xstrdup(seperator+1);
	288	}
	289
	290	if (!casesensitive)
	291	Tolower((char *)local_basic->username());
	292
	293	if (local_basic->passwd == NULL) {
	294	debugs(29, 4, HERE << "no password in proxy authorization header '" << proxy_auth << "'");
	295	auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
	296	} else {
	297	if (local_basic->passwd[0] == '\0') {
	298	debugs(29, 4, HERE << "Disallowing empty password. User is '" << local_basic->username() << "'");
	299	safe_free(local_basic->passwd);
	300	auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
	301	}
	302	}
f5691f9c	303
431aae42	304	xfree(cleartext);
f5691f9c	305
56a49fda	306	if (!local_basic->valid()) {
616cfc4c	307	lb->auth_type = Auth::AUTH_BROKEN;
431aae42	308	auth_user_request->user(lb);
f5691f9c	309	return auth_user_request;
94439e4e	310	}
62e76326	311
3265364b	312	/* now lookup and see if we have a matching auth_user structure in memory. */
d87154ee	313	Auth::User::Pointer auth_user;
56a49fda	314
431aae42	315	if ((auth_user = authBasicAuthUserFindUsername(lb->username())) == NULL) {
56a49fda AJ	316	/* the user doesn't exist in the username cache yet */
56a49fda AJ	317	/* save the credentials */
431aae42	318	debugs(29, 9, HERE << "Creating new user '" << lb->username() << "'");
56a49fda	319	/* set the auth_user type */
616cfc4c	320	lb->auth_type = Auth::AUTH_BASIC;
56a49fda	321	/* current time for timeouts */
431aae42	322	lb->expiretime = current_time.tv_sec;
56a49fda AJ	323
	324	/* this basic_user struct is the 'lucky one' to get added to the username cache */
	325	/* the requests after this link to the basic_user */
	326	/* store user in hash */
431aae42	327	lb->addToNameCache();
62e76326	328
431aae42	329	auth_user = lb;
56a49fda	330	assert(auth_user != NULL);
f5691f9c	331	} else {
56a49fda	332	/* replace the current cached password with the new one */
aa110616	333	Auth::Basic::User basic_auth = dynamic_cast<Auth::Basic::User >(auth_user.getRaw());
3265364b	334	assert(basic_auth);
56a49fda AJ	335	basic_auth->updateCached(local_basic);
56a49fda AJ	336	auth_user = basic_auth;
f5691f9c	337	}
62e76326	338
f5691f9c	339	/* link the request to the in-cache user */
56a49fda	340	auth_user_request->user(auth_user);
f5691f9c	341	return auth_user_request;
94439e4e	342	}
94439e4e	343
4c73ba5f	344	/** Initialize helpers and the like for this auth scheme. Called AFTER parsing the
94439e4e	345	* config file */
f5691f9c	346	void
372fccd6	347	Auth::Basic::Config::init(Auth::Config * schemeCfg)
94439e4e	348	{
58ee2093	349	if (authenticateProgram) {
62e76326	350	authbasic_initialised = 1;
	351
	352	if (basicauthenticators == NULL)
48d54e4d	353	basicauthenticators = new helper("basicauthenticator");
62e76326	354
58ee2093	355	basicauthenticators->cmdline = authenticateProgram;
62e76326	356
1af735c7	357	basicauthenticators->childs.updateLimits(authenticateChildren);
07eca7e0	358
62e76326	359	basicauthenticators->ipc_type = IPC_STREAM;
	360
	361	helperOpenServers(basicauthenticators);
94439e4e	362	}
	363	}
	364
62ee09ca	365	void
372fccd6	366	Auth::Basic::Config::registerWithCacheManager(void)
62ee09ca	367	{
8822ebee	368	Mgr::RegisterAction("basicauthenticator",
d9fc6862 A	369	"Basic User Authenticator Stats",
d9fc6862 A	370	authenticateBasicStats, 0, 1);
62ee09ca	371	}