[thirdparty/squid.git] / src / auth / negotiate / auth_negotiate.cc

/*
 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 29    Negotiate Authenticator */

/* The functions in this file handle authentication.
 * They DO NOT perform access control or auditing.
 * See acl.c for access control and client_side.c for auditing */

#include "squid.h"
#include "auth/Gadgets.h"
#include "auth/negotiate/auth_negotiate.h"
#include "auth/negotiate/Scheme.h"
#include "auth/negotiate/User.h"
#include "auth/negotiate/UserRequest.h"
#include "auth/State.h"
#include "cache_cf.h"
#include "client_side.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "mgr/Registration.h"
#include "SquidTime.h"
#include "Store.h"
#include "wordlist.h"

/**
 \defgroup AuthNegotiateInternal Negotiate Authenticator Internals
 \ingroup AuthNegotiateAPI
 */

/* Negotiate Scheme */
static AUTHSSTATS authenticateNegotiateStats;

/// \ingroup AuthNegotiateInternal
statefulhelper *negotiateauthenticators = NULL;

/// \ingroup AuthNegotiateInternal
static int authnegotiate_initialised = 0;

/// \ingroup AuthNegotiateInternal
static hash_table *proxy_auth_cache = NULL;

/*
 *
 * Private Functions
 *
 */

void
Auth::Negotiate::Config::rotateHelpers()
{
    /* schedule closure of existing helpers */
    if (negotiateauthenticators) {
        helperStatefulShutdown(negotiateauthenticators);
    }

    /* NP: dynamic helper restart will ensure they start up again as needed. */
}

void
Auth::Negotiate::Config::done()
{
    Auth::Config::done();

    authnegotiate_initialised = 0;

    if (negotiateauthenticators) {
        helperStatefulShutdown(negotiateauthenticators);
    }

    if (!shutting_down)
        return;

    delete negotiateauthenticators;
    negotiateauthenticators = NULL;

    if (authenticateProgram)
        wordlistDestroy(&authenticateProgram);

    debugs(29, DBG_IMPORTANT, "Reconfigure: Negotiate authentication configuration cleared.");
}

bool
Auth::Negotiate::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const
{
    if (!Auth::Config::dump(entry, name, scheme))
        return false;

    storeAppendPrintf(entry, "%s negotiate keep_alive %s\n", name, keep_alive ? "on" : "off");
    return true;
}

Auth::Negotiate::Config::Config() : keep_alive(1)
{ }

void
Auth::Negotiate::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
{
    if (strcmp(param_str, "program") == 0) {
        if (authenticateProgram)
            wordlistDestroy(&authenticateProgram);

        parse_wordlist(&authenticateProgram);

        requirePathnameExists("auth_param negotiate program", authenticateProgram->key);
    } else if (strcmp(param_str, "keep_alive") == 0) {
        parse_onoff(&keep_alive);
    } else
        Auth::Config::parse(scheme, n_configured, param_str);
}

const char *
Auth::Negotiate::Config::type() const
{
    return Auth::Negotiate::Scheme::GetInstance()->type();
}

/**
 * Initialize helpers and the like for this auth scheme.
 * Called AFTER parsing the config file
 */
void
Auth::Negotiate::Config::init(Auth::Config * scheme)
{
    if (authenticateProgram) {

        authnegotiate_initialised = 1;

        if (negotiateauthenticators == NULL)
            negotiateauthenticators = new statefulhelper("negotiateauthenticator");

        if (!proxy_auth_cache)
            proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);

        assert(proxy_auth_cache);

        negotiateauthenticators->cmdline = authenticateProgram;

        negotiateauthenticators->childs.updateLimits(authenticateChildren);

        negotiateauthenticators->ipc_type = IPC_STREAM;

        helperStatefulOpenServers(negotiateauthenticators);
    }
}

void
Auth::Negotiate::Config::registerWithCacheManager(void)
{
    Mgr::RegisterAction("negotiateauthenticator",
                        "Negotiate User Authenticator Stats",
                        authenticateNegotiateStats, 0, 1);
}

bool
Auth::Negotiate::Config::active() const
{
    return authnegotiate_initialised == 1;
}

bool
Auth::Negotiate::Config::configured() const
{
    if (authenticateProgram && (authenticateChildren.n_max != 0)) {
        debugs(29, 9, HERE << "returning configured");
        return true;
    }

    debugs(29, 9, HERE << "returning unconfigured");
    return false;
}

/* Negotiate Scheme */

void
Auth::Negotiate::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type reqType, HttpRequest * request)
{
    if (!authenticateProgram)
        return;

    /* Need keep-alive */
    if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
        return;

    /* New request, no user details */
    if (auth_user_request == NULL) {
        debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate'");
        httpHeaderPutStrf(&rep->header, reqType, "Negotiate");

        if (!keep_alive) {
            /* drop the connection */
            rep->header.delByName("keep-alive");
            request->flags.proxyKeepalive = false;
        }
    } else {
        Auth::Negotiate::UserRequest *negotiate_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
        assert(negotiate_request != NULL);

        switch (negotiate_request->user()->credentials()) {

        case Auth::Failed:
            /* here it makes sense to drop the connection, as auth is
             * tied to it, even if MAYBE the client could handle it - Kinkie */
            rep->header.delByName("keep-alive");
            request->flags.proxyKeepalive = false;
            /* fall through */

        case Auth::Ok:
            /* Special case: authentication finished OK but disallowed by ACL.
             * Need to start over to give the client another chance.
             */
            if (negotiate_request->server_blob) {
                debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
                httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
                safe_free(negotiate_request->server_blob);
            } else {
                debugs(29, 9, HERE << "Connection authenticated");
                httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
            }
            break;

        case Auth::Unchecked:
            /* semantic change: do not drop the connection.
             * 2.5 implementation used to keep it open - Kinkie */
            debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate'");
            httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
            break;

        case Auth::Handshake:
            /* we're waiting for a response from the client. Pass it the blob */
            debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
            httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
            safe_free(negotiate_request->server_blob);
            break;

        default:
            debugs(29, DBG_CRITICAL, "ERROR: Negotiate auth fixHeader: state " << negotiate_request->user()->credentials() << ".");
            fatal("unexpected state in AuthenticateNegotiateFixErrorHeader.\n");
        }
    }
}

static void
authenticateNegotiateStats(StoreEntry * sentry)
{
    helperStatefulStats(sentry, negotiateauthenticators, "Negotiate Authenticator Statistics");
}

/*
 * Decode a Negotiate [Proxy-]Auth string, placing the results in the passed
 * Auth_user structure.
 */
Auth::UserRequest::Pointer
Auth::Negotiate::Config::decode(char const *proxy_auth, const char *aRequestRealm)
{
    Auth::Negotiate::User *newUser = new Auth::Negotiate::User(Auth::Config::Find("negotiate"), aRequestRealm);
    Auth::UserRequest *auth_user_request = new Auth::Negotiate::UserRequest();
    assert(auth_user_request->user() == NULL);

    auth_user_request->user(newUser);
    auth_user_request->user()->auth_type = Auth::AUTH_NEGOTIATE;

    /* all we have to do is identify that it's Negotiate - the helper does the rest */
    debugs(29, 9, HERE << "decode Negotiate authentication");
    return auth_user_request;
}
Commit	Line	Data
6bf4f823	1	/*
bbc27441	2	* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
6bf4f823	3	*
bbc27441 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
6bf4f823	7	*/
6bf4f823	8
bbc27441 AJ	9	/* DEBUG: section 29 Negotiate Authenticator */
bbc27441 AJ	10
6bf4f823	11	/* The functions in this file handle authentication.
	12	* They DO NOT perform access control or auditing.
	13	* See acl.c for access control and client_side.c for auditing */
	14
582c2af2	15	#include "squid.h"
3ad63615	16	#include "auth/Gadgets.h"
602d9612 A	17	#include "auth/negotiate/auth_negotiate.h"
	18	#include "auth/negotiate/Scheme.h"
	19	#include "auth/negotiate/User.h"
	20	#include "auth/negotiate/UserRequest.h"
928f3421	21	#include "auth/State.h"
8a01b99e	22	#include "cache_cf.h"
6bf4f823	23	#include "client_side.h"
a5bac1d2	24	#include "HttpHeaderTools.h"
6bf4f823	25	#include "HttpReply.h"
6bf4f823	26	#include "HttpRequest.h"
602d9612	27	#include "mgr/Registration.h"
cc192b50	28	#include "SquidTime.h"
602d9612	29	#include "Store.h"
d295d770	30	#include "wordlist.h"
6bf4f823	31
63be0a78	32	/**
	33	\defgroup AuthNegotiateInternal Negotiate Authenticator Internals
	34	\ingroup AuthNegotiateAPI
	35	*/
	36
6bf4f823	37	/* Negotiate Scheme */
6bf4f823	38	static AUTHSSTATS authenticateNegotiateStats;
6bf4f823	39
63be0a78	40	/// \ingroup AuthNegotiateInternal
928f3421	41	statefulhelper *negotiateauthenticators = NULL;
6bf4f823	42
63be0a78	43	/// \ingroup AuthNegotiateInternal
6bf4f823	44	static int authnegotiate_initialised = 0;
6bf4f823	45
63be0a78	46	/// \ingroup AuthNegotiateInternal
6bf4f823	47	static hash_table *proxy_auth_cache = NULL;
	48
	49	/*
	50	*
	51	* Private Functions
	52	*
	53	*/
	54
0bcb6908	55	void
372fccd6	56	Auth::Negotiate::Config::rotateHelpers()
0bcb6908 AJ	57	{
	58	/* schedule closure of existing helpers */
	59	if (negotiateauthenticators) {
	60	helperStatefulShutdown(negotiateauthenticators);
	61	}
	62
	63	/* NP: dynamic helper restart will ensure they start up again as needed. */
	64	}
	65
6bf4f823	66	void
372fccd6	67	Auth::Negotiate::Config::done()
6bf4f823	68	{
d4806c91 CT	69	Auth::Config::done();
d4806c91 CT	70
6bf4f823	71	authnegotiate_initialised = 0;
6bf4f823	72
5817ee13 AJ	73	if (negotiateauthenticators) {
5817ee13 AJ	74	helperStatefulShutdown(negotiateauthenticators);
5817ee13	75	}
6bf4f823	76
6bf4f823	77	if (!shutting_down)
	78	return;
	79
48d54e4d	80	delete negotiateauthenticators;
6bf4f823	81	negotiateauthenticators = NULL;
6bf4f823	82
58ee2093 AJ	83	if (authenticateProgram)
58ee2093 AJ	84	wordlistDestroy(&authenticateProgram);
cdabe87d	85
372fccd6	86	debugs(29, DBG_IMPORTANT, "Reconfigure: Negotiate authentication configuration cleared.");
6bf4f823	87	}
6bf4f823	88
3616c90c AJ	89	bool
3616c90c AJ	90	Auth::Negotiate::Config::dump(StoreEntry * entry, const char name, Auth::Config scheme) const
6bf4f823	91	{
3616c90c AJ	92	if (!Auth::Config::dump(entry, name, scheme))
3616c90c AJ	93	return false;
6bf4f823	94
3616c90c AJ	95	storeAppendPrintf(entry, "%s negotiate keep_alive %s\n", name, keep_alive ? "on" : "off");
3616c90c AJ	96	return true;
6bf4f823	97	}
6bf4f823	98
372fccd6	99	Auth::Negotiate::Config::Config() : keep_alive(1)
6bf4f823	100	{ }
	101
	102	void
372fccd6	103	Auth::Negotiate::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
6bf4f823	104	{
a37d6070	105	if (strcmp(param_str, "program") == 0) {
58ee2093 AJ	106	if (authenticateProgram)
58ee2093 AJ	107	wordlistDestroy(&authenticateProgram);
6bf4f823	108
58ee2093	109	parse_wordlist(&authenticateProgram);
6bf4f823	110
58ee2093	111	requirePathnameExists("auth_param negotiate program", authenticateProgram->key);
a37d6070	112	} else if (strcmp(param_str, "keep_alive") == 0) {
6bf4f823	113	parse_onoff(&keep_alive);
d4806c91 CT	114	} else
d4806c91 CT	115	Auth::Config::parse(scheme, n_configured, param_str);
6bf4f823	116	}
	117
	118	const char *
372fccd6	119	Auth::Negotiate::Config::type() const
6bf4f823	120	{
d6374be6	121	return Auth::Negotiate::Scheme::GetInstance()->type();
6bf4f823	122	}
6bf4f823	123
63be0a78	124	/**
	125	* Initialize helpers and the like for this auth scheme.
	126	* Called AFTER parsing the config file
	127	*/
6bf4f823	128	void
372fccd6	129	Auth::Negotiate::Config::init(Auth::Config * scheme)
6bf4f823	130	{
58ee2093	131	if (authenticateProgram) {
81425fb6	132
6bf4f823	133	authnegotiate_initialised = 1;
	134
	135	if (negotiateauthenticators == NULL)
48d54e4d	136	negotiateauthenticators = new statefulhelper("negotiateauthenticator");
6bf4f823	137
6bf4f823	138	if (!proxy_auth_cache)
30abd221	139	proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
6bf4f823	140
	141	assert(proxy_auth_cache);
	142
58ee2093	143	negotiateauthenticators->cmdline = authenticateProgram;
6bf4f823	144
1af735c7	145	negotiateauthenticators->childs.updateLimits(authenticateChildren);
6bf4f823	146
	147	negotiateauthenticators->ipc_type = IPC_STREAM;
	148
	149	helperStatefulOpenServers(negotiateauthenticators);
6bf4f823	150	}
	151	}
	152
62ee09ca	153	void
372fccd6	154	Auth::Negotiate::Config::registerWithCacheManager(void)
62ee09ca	155	{
8822ebee	156	Mgr::RegisterAction("negotiateauthenticator",
d9fc6862 A	157	"Negotiate User Authenticator Stats",
d9fc6862 A	158	authenticateNegotiateStats, 0, 1);
62ee09ca	159	}
62ee09ca	160
6bf4f823	161	bool
372fccd6	162	Auth::Negotiate::Config::active() const
6bf4f823	163	{
	164	return authnegotiate_initialised == 1;
	165	}
	166
	167	bool
372fccd6	168	Auth::Negotiate::Config::configured() const
6bf4f823	169	{
58ee2093	170	if (authenticateProgram && (authenticateChildren.n_max != 0)) {
372fccd6	171	debugs(29, 9, HERE << "returning configured");
6bf4f823	172	return true;
	173	}
	174
372fccd6	175	debugs(29, 9, HERE << "returning unconfigured");
6bf4f823	176	return false;
	177	}
	178
	179	/* Negotiate Scheme */
6bf4f823	180
6bf4f823	181	void
c7baff40	182	Auth::Negotiate::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply rep, http_hdr_type reqType, HttpRequest request)
6bf4f823	183	{
58ee2093	184	if (!authenticateProgram)
6bf4f823	185	return;
6bf4f823	186
81425fb6	187	/* Need keep-alive */
450fe1cb	188	if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
26ac0430	189	return;
81425fb6	190
6bf4f823	191	/* New request, no user details */
6bf4f823	192	if (auth_user_request == NULL) {
372fccd6	193	debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate'");
076df709	194	httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
6bf4f823	195
	196	if (!keep_alive) {
	197	/* drop the connection */
a9925b40	198	rep->header.delByName("keep-alive");
e857372a	199	request->flags.proxyKeepalive = false;
6bf4f823	200	}
6bf4f823	201	} else {
c7baff40	202	Auth::Negotiate::UserRequest negotiate_request = dynamic_cast<Auth::Negotiate::UserRequest >(auth_user_request.getRaw());
27da7c21	203	assert(negotiate_request != NULL);
27da7c21	204
d232141d	205	switch (negotiate_request->user()->credentials()) {
6bf4f823	206
d87154ee	207	case Auth::Failed:
6bf4f823	208	/* here it makes sense to drop the connection, as auth is
6bf4f823	209	* tied to it, even if MAYBE the client could handle it - Kinkie */
a9925b40	210	rep->header.delByName("keep-alive");
e857372a	211	request->flags.proxyKeepalive = false;
6bf4f823	212	/* fall through */
6bf4f823	213
d87154ee	214	case Auth::Ok:
6bf4f823	215	/* Special case: authentication finished OK but disallowed by ACL.
	216	* Need to start over to give the client another chance.
	217	*/
6bf4f823	218	if (negotiate_request->server_blob) {
372fccd6	219	debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
076df709	220	httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
6bf4f823	221	safe_free(negotiate_request->server_blob);
6bf4f823	222	} else {
372fccd6	223	debugs(29, 9, HERE << "Connection authenticated");
076df709	224	httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
6bf4f823	225	}
6bf4f823	226	break;
6bf4f823	227
d87154ee	228	case Auth::Unchecked:
6bf4f823	229	/* semantic change: do not drop the connection.
6bf4f823	230	* 2.5 implementation used to keep it open - Kinkie */
372fccd6	231	debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate'");
076df709	232	httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
6bf4f823	233	break;
6bf4f823	234
d87154ee	235	case Auth::Handshake:
6bf4f823	236	/* we're waiting for a response from the client. Pass it the blob */
372fccd6	237	debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
076df709	238	httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
6bf4f823	239	safe_free(negotiate_request->server_blob);
	240	break;
	241
6bf4f823	242	default:
372fccd6	243	debugs(29, DBG_CRITICAL, "ERROR: Negotiate auth fixHeader: state " << negotiate_request->user()->credentials() << ".");
6bf4f823	244	fatal("unexpected state in AuthenticateNegotiateFixErrorHeader.\n");
	245	}
	246	}
	247	}
	248
6bf4f823	249	static void
	250	authenticateNegotiateStats(StoreEntry * sentry)
	251	{
81425fb6	252	helperStatefulStats(sentry, negotiateauthenticators, "Negotiate Authenticator Statistics");
6bf4f823	253	}
6bf4f823	254
6bf4f823	255	/*
81425fb6	256	* Decode a Negotiate [Proxy-]Auth string, placing the results in the passed
6bf4f823	257	* Auth_user structure.
6bf4f823	258	*/
c7baff40	259	Auth::UserRequest::Pointer
d4806c91	260	Auth::Negotiate::Config::decode(char const proxy_auth, const char aRequestRealm)
6bf4f823	261	{
d4806c91	262	Auth::Negotiate::User *newUser = new Auth::Negotiate::User(Auth::Config::Find("negotiate"), aRequestRealm);
c7baff40	263	Auth::UserRequest *auth_user_request = new Auth::Negotiate::UserRequest();
6bf4f823	264	assert(auth_user_request->user() == NULL);
a33a428a	265
6bf4f823	266	auth_user_request->user(newUser);
616cfc4c	267	auth_user_request->user()->auth_type = Auth::AUTH_NEGOTIATE;
6bf4f823	268
81425fb6	269	/* all we have to do is identify that it's Negotiate - the helper does the rest */
372fccd6	270	debugs(29, 9, HERE << "decode Negotiate authentication");
6bf4f823	271	return auth_user_request;
6bf4f823	272	}