]>
Commit | Line | Data |
---|---|---|
94439e4e | 1 | /* |
bde978a6 | 2 | * Copyright (C) 1996-2015 The Squid Software Foundation and contributors |
94439e4e | 3 | * |
bbc27441 AJ |
4 | * Squid software is distributed under GPLv2+ license and includes |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
94439e4e | 7 | */ |
8 | ||
bbc27441 AJ |
9 | /* DEBUG: section 29 NTLM Authenticator */ |
10 | ||
94439e4e | 11 | /* The functions in this file handle authentication. |
12 | * They DO NOT perform access control or auditing. | |
13 | * See acl.c for access control and client_side.c for auditing */ | |
14 | ||
582c2af2 | 15 | #include "squid.h" |
3ad63615 | 16 | #include "auth/Gadgets.h" |
12daeef6 | 17 | #include "auth/ntlm/Config.h" |
616cfc4c | 18 | #include "auth/ntlm/Scheme.h" |
aa110616 | 19 | #include "auth/ntlm/User.h" |
616cfc4c | 20 | #include "auth/ntlm/UserRequest.h" |
928f3421 | 21 | #include "auth/State.h" |
8a01b99e | 22 | #include "cache_cf.h" |
a46d2c0e | 23 | #include "client_side.h" |
24438ec5 | 24 | #include "helper.h" |
a5bac1d2 | 25 | #include "HttpHeaderTools.h" |
924f73bc | 26 | #include "HttpReply.h" |
a2ac85d9 | 27 | #include "HttpRequest.h" |
602d9612 | 28 | #include "mgr/Registration.h" |
cc192b50 | 29 | #include "SquidTime.h" |
602d9612 A |
30 | #include "Store.h" |
31 | #include "wordlist.h" | |
c78aa667 | 32 | |
94439e4e | 33 | /* NTLM Scheme */ |
94439e4e | 34 | static AUTHSSTATS authenticateNTLMStats; |
94439e4e | 35 | |
928f3421 | 36 | statefulhelper *ntlmauthenticators = NULL; |
94439e4e | 37 | static int authntlm_initialised = 0; |
38 | ||
94439e4e | 39 | static hash_table *proxy_auth_cache = NULL; |
40 | ||
0bcb6908 | 41 | void |
372fccd6 | 42 | Auth::Ntlm::Config::rotateHelpers() |
0bcb6908 AJ |
43 | { |
44 | /* schedule closure of existing helpers */ | |
45 | if (ntlmauthenticators) { | |
46 | helperStatefulShutdown(ntlmauthenticators); | |
47 | } | |
48 | ||
49 | /* NP: dynamic helper restart will ensure they start up again as needed. */ | |
50 | } | |
51 | ||
5817ee13 | 52 | /* free any allocated configuration details */ |
f5691f9c | 53 | void |
372fccd6 | 54 | Auth::Ntlm::Config::done() |
94439e4e | 55 | { |
d4806c91 CT |
56 | Auth::Config::done(); |
57 | ||
94439e4e | 58 | authntlm_initialised = 0; |
62e76326 | 59 | |
5817ee13 AJ |
60 | if (ntlmauthenticators) { |
61 | helperStatefulShutdown(ntlmauthenticators); | |
5817ee13 | 62 | } |
62e76326 | 63 | |
94439e4e | 64 | if (!shutting_down) |
62e76326 | 65 | return; |
66 | ||
48d54e4d | 67 | delete ntlmauthenticators; |
94439e4e | 68 | ntlmauthenticators = NULL; |
62e76326 | 69 | |
58ee2093 AJ |
70 | if (authenticateProgram) |
71 | wordlistDestroy(&authenticateProgram); | |
cdabe87d | 72 | |
372fccd6 | 73 | debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared."); |
94439e4e | 74 | } |
75 | ||
3616c90c AJ |
76 | bool |
77 | Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const | |
94439e4e | 78 | { |
3616c90c AJ |
79 | if (!Auth::Config::dump(entry, name, scheme)) |
80 | return false; | |
62e76326 | 81 | |
3616c90c AJ |
82 | storeAppendPrintf(entry, "%s ntlm keep_alive %s\n", name, keep_alive ? "on" : "off"); |
83 | return true; | |
94439e4e | 84 | } |
85 | ||
372fccd6 | 86 | Auth::Ntlm::Config::Config() : keep_alive(1) |
6bf4f823 | 87 | { } |
62e76326 | 88 | |
f5691f9c | 89 | void |
372fccd6 | 90 | Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str) |
f5691f9c | 91 | { |
a37d6070 | 92 | if (strcmp(param_str, "program") == 0) { |
58ee2093 AJ |
93 | if (authenticateProgram) |
94 | wordlistDestroy(&authenticateProgram); | |
62e76326 | 95 | |
58ee2093 | 96 | parse_wordlist(&authenticateProgram); |
62e76326 | 97 | |
58ee2093 | 98 | requirePathnameExists("auth_param ntlm program", authenticateProgram->key); |
a37d6070 | 99 | } else if (strcmp(param_str, "keep_alive") == 0) { |
6bf4f823 | 100 | parse_onoff(&keep_alive); |
d4806c91 CT |
101 | } else |
102 | Auth::Config::parse(scheme, n_configured, param_str); | |
94439e4e | 103 | } |
104 | ||
f5691f9c | 105 | const char * |
372fccd6 | 106 | Auth::Ntlm::Config::type() const |
94439e4e | 107 | { |
d6374be6 | 108 | return Auth::Ntlm::Scheme::GetInstance()->type(); |
94439e4e | 109 | } |
110 | ||
111 | /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the | |
112 | * config file */ | |
f5691f9c | 113 | void |
ced8def3 | 114 | Auth::Ntlm::Config::init(Auth::Config *) |
94439e4e | 115 | { |
58ee2093 | 116 | if (authenticateProgram) { |
6bf4f823 | 117 | |
62e76326 | 118 | authntlm_initialised = 1; |
119 | ||
120 | if (ntlmauthenticators == NULL) | |
48d54e4d | 121 | ntlmauthenticators = new statefulhelper("ntlmauthenticator"); |
62e76326 | 122 | |
123 | if (!proxy_auth_cache) | |
30abd221 | 124 | proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); |
62e76326 | 125 | |
126 | assert(proxy_auth_cache); | |
127 | ||
58ee2093 | 128 | ntlmauthenticators->cmdline = authenticateProgram; |
62e76326 | 129 | |
1af735c7 | 130 | ntlmauthenticators->childs.updateLimits(authenticateChildren); |
62e76326 | 131 | |
132 | ntlmauthenticators->ipc_type = IPC_STREAM; | |
133 | ||
62e76326 | 134 | helperStatefulOpenServers(ntlmauthenticators); |
94439e4e | 135 | } |
136 | } | |
137 | ||
62ee09ca | 138 | void |
372fccd6 | 139 | Auth::Ntlm::Config::registerWithCacheManager(void) |
62ee09ca | 140 | { |
8822ebee | 141 | Mgr::RegisterAction("ntlmauthenticator", |
d9fc6862 A |
142 | "NTLM User Authenticator Stats", |
143 | authenticateNTLMStats, 0, 1); | |
62ee09ca | 144 | } |
145 | ||
f5691f9c | 146 | bool |
372fccd6 | 147 | Auth::Ntlm::Config::active() const |
2d70df72 | 148 | { |
f5691f9c | 149 | return authntlm_initialised == 1; |
2d70df72 | 150 | } |
151 | ||
f5691f9c | 152 | bool |
372fccd6 | 153 | Auth::Ntlm::Config::configured() const |
94439e4e | 154 | { |
58ee2093 | 155 | if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) { |
372fccd6 | 156 | debugs(29, 9, HERE << "returning configured"); |
f5691f9c | 157 | return true; |
2d70df72 | 158 | } |
62e76326 | 159 | |
372fccd6 | 160 | debugs(29, 9, HERE << "returning unconfigured"); |
f5691f9c | 161 | return false; |
94439e4e | 162 | } |
163 | ||
164 | /* NTLM Scheme */ | |
94439e4e | 165 | |
f5691f9c | 166 | void |
c7baff40 | 167 | Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request) |
94439e4e | 168 | { |
58ee2093 | 169 | if (!authenticateProgram) |
6bf4f823 | 170 | return; |
62e76326 | 171 | |
63a05fa3 | 172 | /* Need keep-alive */ |
450fe1cb | 173 | if (!request->flags.proxyKeepalive && request->flags.mustKeepalive) |
26ac0430 | 174 | return; |
63a05fa3 | 175 | |
6bf4f823 | 176 | /* New request, no user details */ |
177 | if (auth_user_request == NULL) { | |
372fccd6 | 178 | debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'"); |
18ec8500 | 179 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM"); |
6bf4f823 | 180 | |
181 | if (!keep_alive) { | |
62e76326 | 182 | /* drop the connection */ |
e857372a | 183 | request->flags.proxyKeepalive = false; |
62e76326 | 184 | } |
6bf4f823 | 185 | } else { |
c7baff40 | 186 | Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw()); |
3a11f20d | 187 | assert(ntlm_request != NULL); |
188 | ||
d232141d | 189 | switch (ntlm_request->user()->credentials()) { |
62e76326 | 190 | |
d87154ee | 191 | case Auth::Failed: |
6bf4f823 | 192 | /* here it makes sense to drop the connection, as auth is |
193 | * tied to it, even if MAYBE the client could handle it - Kinkie */ | |
e857372a | 194 | request->flags.proxyKeepalive = false; |
f53969cc | 195 | /* fall through */ |
94439e4e | 196 | |
d87154ee | 197 | case Auth::Ok: |
f53969cc SM |
198 | /* Special case: authentication finished OK but disallowed by ACL. |
199 | * Need to start over to give the client another chance. | |
200 | */ | |
201 | /* fall through */ | |
62e76326 | 202 | |
d87154ee | 203 | case Auth::Unchecked: |
6bf4f823 | 204 | /* semantic change: do not drop the connection. |
205 | * 2.5 implementation used to keep it open - Kinkie */ | |
372fccd6 | 206 | debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'"); |
18ec8500 | 207 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM"); |
6bf4f823 | 208 | break; |
62e76326 | 209 | |
d87154ee | 210 | case Auth::Handshake: |
6bf4f823 | 211 | /* we're waiting for a response from the client. Pass it the blob */ |
372fccd6 | 212 | debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'"); |
18ec8500 | 213 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob); |
6bf4f823 | 214 | safe_free(ntlm_request->server_blob); |
215 | break; | |
62e76326 | 216 | |
6bf4f823 | 217 | default: |
372fccd6 | 218 | debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << "."); |
6bf4f823 | 219 | fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n"); |
220 | } | |
221 | } | |
222 | } | |
62e76326 | 223 | |
94439e4e | 224 | static void |
225 | authenticateNTLMStats(StoreEntry * sentry) | |
226 | { | |
9522b380 | 227 | helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics"); |
94439e4e | 228 | } |
229 | ||
94439e4e | 230 | /* |
6bf4f823 | 231 | * Decode a NTLM [Proxy-]Auth string, placing the results in the passed |
94439e4e | 232 | * Auth_user structure. |
233 | */ | |
c7baff40 | 234 | Auth::UserRequest::Pointer |
ced8def3 | 235 | Auth::Ntlm::Config::decode(char const *, const char *aRequestRealm) |
94439e4e | 236 | { |
d4806c91 | 237 | Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm); |
c7baff40 | 238 | Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest(); |
f5691f9c | 239 | assert(auth_user_request->user() == NULL); |
a33a428a | 240 | |
f5691f9c | 241 | auth_user_request->user(newUser); |
616cfc4c | 242 | auth_user_request->user()->auth_type = Auth::AUTH_NTLM; |
94439e4e | 243 | |
244 | /* all we have to do is identify that it's NTLM - the helper does the rest */ | |
372fccd6 | 245 | debugs(29, 9, HERE << "decode: NTLM authentication"); |
f5691f9c | 246 | return auth_user_request; |
94439e4e | 247 | } |
f53969cc | 248 |