[thirdparty/squid.git] / src / auth / ntlm / Config.cc

/*
 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 29    NTLM Authenticator */

/* The functions in this file handle authentication.
 * They DO NOT perform access control or auditing.
 * See acl.c for access control and client_side.c for auditing */

#include "squid.h"
#include "auth/Gadgets.h"
#include "auth/ntlm/Config.h"
#include "auth/ntlm/Scheme.h"
#include "auth/ntlm/User.h"
#include "auth/ntlm/UserRequest.h"
#include "auth/State.h"
#include "cache_cf.h"
#include "client_side.h"
#include "helper.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "mgr/Registration.h"
#include "SquidTime.h"
#include "Store.h"
#include "wordlist.h"

/* NTLM Scheme */
static AUTHSSTATS authenticateNTLMStats;

statefulhelper *ntlmauthenticators = NULL;
static int authntlm_initialised = 0;

static hash_table *proxy_auth_cache = NULL;

void
Auth::Ntlm::Config::rotateHelpers()
{
    /* schedule closure of existing helpers */
    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    /* NP: dynamic helper restart will ensure they start up again as needed. */
}

/* free any allocated configuration details */
void
Auth::Ntlm::Config::done()
{
    Auth::Config::done();

    authntlm_initialised = 0;

    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    if (!shutting_down)
        return;

    delete ntlmauthenticators;
    ntlmauthenticators = NULL;

    if (authenticateProgram)
        wordlistDestroy(&authenticateProgram);

    debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
}

bool
Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const
{
    if (!Auth::Config::dump(entry, name, scheme))
        return false;

    storeAppendPrintf(entry, "%s ntlm keep_alive %s\n", name, keep_alive ? "on" : "off");
    return true;
}

Auth::Ntlm::Config::Config() : keep_alive(1)
{ }

void
Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
{
    if (strcmp(param_str, "program") == 0) {
        if (authenticateProgram)
            wordlistDestroy(&authenticateProgram);

        parse_wordlist(&authenticateProgram);

        requirePathnameExists("auth_param ntlm program", authenticateProgram->key);
    } else if (strcmp(param_str, "keep_alive") == 0) {
        parse_onoff(&keep_alive);
    } else
        Auth::Config::parse(scheme, n_configured, param_str);
}

const char *
Auth::Ntlm::Config::type() const
{
    return Auth::Ntlm::Scheme::GetInstance()->type();
}

/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 * config file */
void
Auth::Ntlm::Config::init(Auth::Config *)
{
    if (authenticateProgram) {

        authntlm_initialised = 1;

        if (ntlmauthenticators == NULL)
            ntlmauthenticators = new statefulhelper("ntlmauthenticator");

        if (!proxy_auth_cache)
            proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);

        assert(proxy_auth_cache);

        ntlmauthenticators->cmdline = authenticateProgram;

        ntlmauthenticators->childs.updateLimits(authenticateChildren);

        ntlmauthenticators->ipc_type = IPC_STREAM;

        helperStatefulOpenServers(ntlmauthenticators);
    }
}

void
Auth::Ntlm::Config::registerWithCacheManager(void)
{
    Mgr::RegisterAction("ntlmauthenticator",
                        "NTLM User Authenticator Stats",
                        authenticateNTLMStats, 0, 1);
}

bool
Auth::Ntlm::Config::active() const
{
    return authntlm_initialised == 1;
}

bool
Auth::Ntlm::Config::configured() const
{
    if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
        debugs(29, 9, HERE << "returning configured");
        return true;
    }

    debugs(29, 9, HERE << "returning unconfigured");
    return false;
}

/* NTLM Scheme */

void
Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request)
{
    if (!authenticateProgram)
        return;

    /* Need keep-alive */
    if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
        return;

    /* New request, no user details */
    if (auth_user_request == NULL) {
        debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
        httpHeaderPutStrf(&rep->header, hdrType, "NTLM");

        if (!keep_alive) {
            /* drop the connection */
            request->flags.proxyKeepalive = false;
        }
    } else {
        Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
        assert(ntlm_request != NULL);

        switch (ntlm_request->user()->credentials()) {

        case Auth::Failed:
            /* here it makes sense to drop the connection, as auth is
             * tied to it, even if MAYBE the client could handle it - Kinkie */
            request->flags.proxyKeepalive = false;
        /* fall through */

        case Auth::Ok:
        /* Special case: authentication finished OK but disallowed by ACL.
         * Need to start over to give the client another chance.
         */
        /* fall through */

        case Auth::Unchecked:
            /* semantic change: do not drop the connection.
             * 2.5 implementation used to keep it open - Kinkie */
            debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
            break;

        case Auth::Handshake:
            /* we're waiting for a response from the client. Pass it the blob */
            debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
            safe_free(ntlm_request->server_blob);
            break;

        default:
            debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
            fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
        }
    }
}

static void
authenticateNTLMStats(StoreEntry * sentry)
{
    helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics");
}

/*
 * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
 * Auth_user structure.
 */
Auth::UserRequest::Pointer
Auth::Ntlm::Config::decode(char const *, const char *aRequestRealm)
{
    Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm);
    Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
    assert(auth_user_request->user() == NULL);

    auth_user_request->user(newUser);
    auth_user_request->user()->auth_type = Auth::AUTH_NTLM;

    /* all we have to do is identify that it's NTLM - the helper does the rest */
    debugs(29, 9, HERE << "decode: NTLM authentication");
    return auth_user_request;
}
Commit	Line	Data
94439e4e	1	/*
bde978a6	2	* Copyright (C) 1996-2015 The Squid Software Foundation and contributors
94439e4e	3	*
bbc27441 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
94439e4e	7	*/
94439e4e	8
bbc27441 AJ	9	/* DEBUG: section 29 NTLM Authenticator */
bbc27441 AJ	10
94439e4e	11	/* The functions in this file handle authentication.
	12	* They DO NOT perform access control or auditing.
	13	* See acl.c for access control and client_side.c for auditing */
	14
582c2af2	15	#include "squid.h"
3ad63615	16	#include "auth/Gadgets.h"
12daeef6	17	#include "auth/ntlm/Config.h"
616cfc4c	18	#include "auth/ntlm/Scheme.h"
aa110616	19	#include "auth/ntlm/User.h"
616cfc4c	20	#include "auth/ntlm/UserRequest.h"
928f3421	21	#include "auth/State.h"
8a01b99e	22	#include "cache_cf.h"
a46d2c0e	23	#include "client_side.h"
24438ec5	24	#include "helper.h"
a5bac1d2	25	#include "HttpHeaderTools.h"
924f73bc	26	#include "HttpReply.h"
a2ac85d9	27	#include "HttpRequest.h"
602d9612	28	#include "mgr/Registration.h"
cc192b50	29	#include "SquidTime.h"
602d9612 A	30	#include "Store.h"
602d9612 A	31	#include "wordlist.h"
c78aa667	32
94439e4e	33	/* NTLM Scheme */
94439e4e	34	static AUTHSSTATS authenticateNTLMStats;
94439e4e	35
928f3421	36	statefulhelper *ntlmauthenticators = NULL;
94439e4e	37	static int authntlm_initialised = 0;
94439e4e	38
94439e4e	39	static hash_table *proxy_auth_cache = NULL;
94439e4e	40
0bcb6908	41	void
372fccd6	42	Auth::Ntlm::Config::rotateHelpers()
0bcb6908 AJ	43	{
	44	/* schedule closure of existing helpers */
	45	if (ntlmauthenticators) {
	46	helperStatefulShutdown(ntlmauthenticators);
	47	}
	48
	49	/* NP: dynamic helper restart will ensure they start up again as needed. */
	50	}
	51
5817ee13	52	/* free any allocated configuration details */
f5691f9c	53	void
372fccd6	54	Auth::Ntlm::Config::done()
94439e4e	55	{
d4806c91 CT	56	Auth::Config::done();
d4806c91 CT	57
94439e4e	58	authntlm_initialised = 0;
62e76326	59
5817ee13 AJ	60	if (ntlmauthenticators) {
5817ee13 AJ	61	helperStatefulShutdown(ntlmauthenticators);
5817ee13	62	}
62e76326	63
94439e4e	64	if (!shutting_down)
62e76326	65	return;
62e76326	66
48d54e4d	67	delete ntlmauthenticators;
94439e4e	68	ntlmauthenticators = NULL;
62e76326	69
58ee2093 AJ	70	if (authenticateProgram)
58ee2093 AJ	71	wordlistDestroy(&authenticateProgram);
cdabe87d	72
372fccd6	73	debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
94439e4e	74	}
94439e4e	75
3616c90c AJ	76	bool
3616c90c AJ	77	Auth::Ntlm::Config::dump(StoreEntry * entry, const char name, Auth::Config scheme) const
94439e4e	78	{
3616c90c AJ	79	if (!Auth::Config::dump(entry, name, scheme))
3616c90c AJ	80	return false;
62e76326	81
3616c90c AJ	82	storeAppendPrintf(entry, "%s ntlm keep_alive %s\n", name, keep_alive ? "on" : "off");
3616c90c AJ	83	return true;
94439e4e	84	}
94439e4e	85
372fccd6	86	Auth::Ntlm::Config::Config() : keep_alive(1)
6bf4f823	87	{ }
62e76326	88
f5691f9c	89	void
372fccd6	90	Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
f5691f9c	91	{
a37d6070	92	if (strcmp(param_str, "program") == 0) {
58ee2093 AJ	93	if (authenticateProgram)
58ee2093 AJ	94	wordlistDestroy(&authenticateProgram);
62e76326	95
58ee2093	96	parse_wordlist(&authenticateProgram);
62e76326	97
58ee2093	98	requirePathnameExists("auth_param ntlm program", authenticateProgram->key);
a37d6070	99	} else if (strcmp(param_str, "keep_alive") == 0) {
6bf4f823	100	parse_onoff(&keep_alive);
d4806c91 CT	101	} else
d4806c91 CT	102	Auth::Config::parse(scheme, n_configured, param_str);
94439e4e	103	}
94439e4e	104
f5691f9c	105	const char *
372fccd6	106	Auth::Ntlm::Config::type() const
94439e4e	107	{
d6374be6	108	return Auth::Ntlm::Scheme::GetInstance()->type();
94439e4e	109	}
	110
	111	/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
	112	* config file */
f5691f9c	113	void
ced8def3	114	Auth::Ntlm::Config::init(Auth::Config *)
94439e4e	115	{
58ee2093	116	if (authenticateProgram) {
6bf4f823	117
62e76326	118	authntlm_initialised = 1;
	119
	120	if (ntlmauthenticators == NULL)
48d54e4d	121	ntlmauthenticators = new statefulhelper("ntlmauthenticator");
62e76326	122
62e76326	123	if (!proxy_auth_cache)
30abd221	124	proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
62e76326	125
	126	assert(proxy_auth_cache);
	127
58ee2093	128	ntlmauthenticators->cmdline = authenticateProgram;
62e76326	129
1af735c7	130	ntlmauthenticators->childs.updateLimits(authenticateChildren);
62e76326	131
	132	ntlmauthenticators->ipc_type = IPC_STREAM;
	133
62e76326	134	helperStatefulOpenServers(ntlmauthenticators);
94439e4e	135	}
	136	}
	137
62ee09ca	138	void
372fccd6	139	Auth::Ntlm::Config::registerWithCacheManager(void)
62ee09ca	140	{
8822ebee	141	Mgr::RegisterAction("ntlmauthenticator",
d9fc6862 A	142	"NTLM User Authenticator Stats",
d9fc6862 A	143	authenticateNTLMStats, 0, 1);
62ee09ca	144	}
62ee09ca	145
f5691f9c	146	bool
372fccd6	147	Auth::Ntlm::Config::active() const
2d70df72	148	{
f5691f9c	149	return authntlm_initialised == 1;
2d70df72	150	}
2d70df72	151
f5691f9c	152	bool
372fccd6	153	Auth::Ntlm::Config::configured() const
94439e4e	154	{
58ee2093	155	if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
372fccd6	156	debugs(29, 9, HERE << "returning configured");
f5691f9c	157	return true;
2d70df72	158	}
62e76326	159
372fccd6	160	debugs(29, 9, HERE << "returning unconfigured");
f5691f9c	161	return false;
94439e4e	162	}
	163
	164	/* NTLM Scheme */
94439e4e	165
f5691f9c	166	void
c7baff40	167	Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply rep, http_hdr_type hdrType, HttpRequest request)
94439e4e	168	{
58ee2093	169	if (!authenticateProgram)
6bf4f823	170	return;
62e76326	171
63a05fa3	172	/* Need keep-alive */
450fe1cb	173	if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
26ac0430	174	return;
63a05fa3	175
6bf4f823	176	/* New request, no user details */
6bf4f823	177	if (auth_user_request == NULL) {
372fccd6	178	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
18ec8500	179	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
6bf4f823	180
6bf4f823	181	if (!keep_alive) {
62e76326	182	/* drop the connection */
e857372a	183	request->flags.proxyKeepalive = false;
62e76326	184	}
6bf4f823	185	} else {
c7baff40	186	Auth::Ntlm::UserRequest ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest >(auth_user_request.getRaw());
3a11f20d	187	assert(ntlm_request != NULL);
3a11f20d	188
d232141d	189	switch (ntlm_request->user()->credentials()) {
62e76326	190
d87154ee	191	case Auth::Failed:
6bf4f823	192	/* here it makes sense to drop the connection, as auth is
6bf4f823	193	* tied to it, even if MAYBE the client could handle it - Kinkie */
e857372a	194	request->flags.proxyKeepalive = false;
f53969cc	195	/* fall through */
94439e4e	196
d87154ee	197	case Auth::Ok:
f53969cc SM	198	/* Special case: authentication finished OK but disallowed by ACL.
	199	* Need to start over to give the client another chance.
	200	*/
	201	/* fall through */
62e76326	202
d87154ee	203	case Auth::Unchecked:
6bf4f823	204	/* semantic change: do not drop the connection.
6bf4f823	205	* 2.5 implementation used to keep it open - Kinkie */
372fccd6	206	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
18ec8500	207	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
6bf4f823	208	break;
62e76326	209
d87154ee	210	case Auth::Handshake:
6bf4f823	211	/* we're waiting for a response from the client. Pass it the blob */
372fccd6	212	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
18ec8500	213	httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
6bf4f823	214	safe_free(ntlm_request->server_blob);
6bf4f823	215	break;
62e76326	216
6bf4f823	217	default:
372fccd6	218	debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
6bf4f823	219	fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
	220	}
	221	}
	222	}
62e76326	223
94439e4e	224	static void
	225	authenticateNTLMStats(StoreEntry * sentry)
	226	{
9522b380	227	helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics");
94439e4e	228	}
94439e4e	229
94439e4e	230	/*
6bf4f823	231	* Decode a NTLM [Proxy-]Auth string, placing the results in the passed
94439e4e	232	* Auth_user structure.
94439e4e	233	*/
c7baff40	234	Auth::UserRequest::Pointer
ced8def3	235	Auth::Ntlm::Config::decode(char const , const char aRequestRealm)
94439e4e	236	{
d4806c91	237	Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm);
c7baff40	238	Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
f5691f9c	239	assert(auth_user_request->user() == NULL);
a33a428a	240
f5691f9c	241	auth_user_request->user(newUser);
616cfc4c	242	auth_user_request->user()->auth_type = Auth::AUTH_NTLM;
94439e4e	243
94439e4e	244	/* all we have to do is identify that it's NTLM - the helper does the rest */
372fccd6	245	debugs(29, 9, HERE << "decode: NTLM authentication");
f5691f9c	246	return auth_user_request;
94439e4e	247	}
f53969cc	248