]>
Commit | Line | Data |
---|---|---|
94439e4e | 1 | /* |
262a0e14 | 2 | * $Id$ |
94439e4e | 3 | * |
4 | * DEBUG: section 29 NTLM Authenticator | |
6bf4f823 | 5 | * AUTHOR: Robert Collins, Henrik Nordstrom, Francesco Chemolli |
94439e4e | 6 | * |
2b6662ba | 7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ |
94439e4e | 8 | * ---------------------------------------------------------- |
9 | * | |
2b6662ba | 10 | * Squid is the result of efforts by numerous individuals from |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
94439e4e | 18 | * |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
26ac0430 | 23 | * |
94439e4e | 24 | * This program is distributed in the hope that it will be useful, |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
26ac0430 | 28 | * |
94439e4e | 29 | * You should have received a copy of the GNU General Public License |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | */ | |
34 | ||
35 | /* The functions in this file handle authentication. | |
36 | * They DO NOT perform access control or auditing. | |
37 | * See acl.c for access control and client_side.c for auditing */ | |
38 | ||
582c2af2 | 39 | #include "squid.h" |
3ad63615 | 40 | #include "auth/Gadgets.h" |
5817ee13 | 41 | #include "auth/ntlm/auth_ntlm.h" |
616cfc4c | 42 | #include "auth/ntlm/Scheme.h" |
aa110616 | 43 | #include "auth/ntlm/User.h" |
616cfc4c | 44 | #include "auth/ntlm/UserRequest.h" |
928f3421 | 45 | #include "auth/State.h" |
8822ebee | 46 | #include "mgr/Registration.h" |
e6ccf245 | 47 | #include "Store.h" |
a46d2c0e | 48 | #include "client_side.h" |
924f73bc | 49 | #include "HttpReply.h" |
a2ac85d9 | 50 | #include "HttpRequest.h" |
582c2af2 | 51 | #include "protos.h" |
d295d770 | 52 | #include "wordlist.h" |
cc192b50 | 53 | #include "SquidTime.h" |
c78aa667 | 54 | |
94439e4e | 55 | /* NTLM Scheme */ |
94439e4e | 56 | static AUTHSSTATS authenticateNTLMStats; |
94439e4e | 57 | |
928f3421 | 58 | statefulhelper *ntlmauthenticators = NULL; |
94439e4e | 59 | static int authntlm_initialised = 0; |
60 | ||
94439e4e | 61 | static hash_table *proxy_auth_cache = NULL; |
62 | ||
63 | /* | |
64 | * | |
65 | * Private Functions | |
66 | * | |
67 | */ | |
68 | ||
0bcb6908 | 69 | void |
372fccd6 | 70 | Auth::Ntlm::Config::rotateHelpers() |
0bcb6908 AJ |
71 | { |
72 | /* schedule closure of existing helpers */ | |
73 | if (ntlmauthenticators) { | |
74 | helperStatefulShutdown(ntlmauthenticators); | |
75 | } | |
76 | ||
77 | /* NP: dynamic helper restart will ensure they start up again as needed. */ | |
78 | } | |
79 | ||
5817ee13 | 80 | /* free any allocated configuration details */ |
f5691f9c | 81 | void |
372fccd6 | 82 | Auth::Ntlm::Config::done() |
94439e4e | 83 | { |
94439e4e | 84 | authntlm_initialised = 0; |
62e76326 | 85 | |
5817ee13 AJ |
86 | if (ntlmauthenticators) { |
87 | helperStatefulShutdown(ntlmauthenticators); | |
5817ee13 | 88 | } |
62e76326 | 89 | |
94439e4e | 90 | if (!shutting_down) |
62e76326 | 91 | return; |
92 | ||
48d54e4d | 93 | delete ntlmauthenticators; |
94439e4e | 94 | ntlmauthenticators = NULL; |
62e76326 | 95 | |
58ee2093 AJ |
96 | if (authenticateProgram) |
97 | wordlistDestroy(&authenticateProgram); | |
cdabe87d | 98 | |
372fccd6 | 99 | debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared."); |
94439e4e | 100 | } |
101 | ||
f5691f9c | 102 | void |
372fccd6 | 103 | Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) |
94439e4e | 104 | { |
58ee2093 | 105 | wordlist *list = authenticateProgram; |
94439e4e | 106 | storeAppendPrintf(entry, "%s %s", name, "ntlm"); |
62e76326 | 107 | |
94439e4e | 108 | while (list != NULL) { |
62e76326 | 109 | storeAppendPrintf(entry, " %s", list->key); |
110 | list = list->next; | |
94439e4e | 111 | } |
62e76326 | 112 | |
404cfda1 AJ |
113 | storeAppendPrintf(entry, "\n%s ntlm children %d startup=%d idle=%d concurrency=%d\n", |
114 | name, authenticateChildren.n_max, authenticateChildren.n_startup, authenticateChildren.n_idle, authenticateChildren.concurrency); | |
6bf4f823 | 115 | storeAppendPrintf(entry, "%s %s keep_alive %s\n", name, "ntlm", keep_alive ? "on" : "off"); |
94439e4e | 116 | |
117 | } | |
118 | ||
372fccd6 | 119 | Auth::Ntlm::Config::Config() : keep_alive(1) |
6bf4f823 | 120 | { } |
62e76326 | 121 | |
f5691f9c | 122 | void |
372fccd6 | 123 | Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str) |
f5691f9c | 124 | { |
94439e4e | 125 | if (strcasecmp(param_str, "program") == 0) { |
58ee2093 AJ |
126 | if (authenticateProgram) |
127 | wordlistDestroy(&authenticateProgram); | |
62e76326 | 128 | |
58ee2093 | 129 | parse_wordlist(&authenticateProgram); |
62e76326 | 130 | |
58ee2093 | 131 | requirePathnameExists("auth_param ntlm program", authenticateProgram->key); |
94439e4e | 132 | } else if (strcasecmp(param_str, "children") == 0) { |
48d54e4d | 133 | authenticateChildren.parseConfig(); |
6bf4f823 | 134 | } else if (strcasecmp(param_str, "keep_alive") == 0) { |
135 | parse_onoff(&keep_alive); | |
94439e4e | 136 | } else { |
372fccd6 | 137 | debugs(29, DBG_CRITICAL, "ERROR unrecognised NTLM auth scheme parameter '" << param_str << "'"); |
94439e4e | 138 | } |
139 | } | |
140 | ||
f5691f9c | 141 | const char * |
372fccd6 | 142 | Auth::Ntlm::Config::type() const |
94439e4e | 143 | { |
d6374be6 | 144 | return Auth::Ntlm::Scheme::GetInstance()->type(); |
94439e4e | 145 | } |
146 | ||
147 | /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the | |
148 | * config file */ | |
f5691f9c | 149 | void |
372fccd6 | 150 | Auth::Ntlm::Config::init(Auth::Config * scheme) |
94439e4e | 151 | { |
58ee2093 | 152 | if (authenticateProgram) { |
6bf4f823 | 153 | |
62e76326 | 154 | authntlm_initialised = 1; |
155 | ||
156 | if (ntlmauthenticators == NULL) | |
48d54e4d | 157 | ntlmauthenticators = new statefulhelper("ntlmauthenticator"); |
62e76326 | 158 | |
159 | if (!proxy_auth_cache) | |
30abd221 | 160 | proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string); |
62e76326 | 161 | |
162 | assert(proxy_auth_cache); | |
163 | ||
58ee2093 | 164 | ntlmauthenticators->cmdline = authenticateProgram; |
62e76326 | 165 | |
1af735c7 | 166 | ntlmauthenticators->childs.updateLimits(authenticateChildren); |
62e76326 | 167 | |
168 | ntlmauthenticators->ipc_type = IPC_STREAM; | |
169 | ||
62e76326 | 170 | helperStatefulOpenServers(ntlmauthenticators); |
94439e4e | 171 | } |
172 | } | |
173 | ||
62ee09ca | 174 | void |
372fccd6 | 175 | Auth::Ntlm::Config::registerWithCacheManager(void) |
62ee09ca | 176 | { |
8822ebee | 177 | Mgr::RegisterAction("ntlmauthenticator", |
d9fc6862 A |
178 | "NTLM User Authenticator Stats", |
179 | authenticateNTLMStats, 0, 1); | |
62ee09ca | 180 | } |
181 | ||
f5691f9c | 182 | bool |
372fccd6 | 183 | Auth::Ntlm::Config::active() const |
2d70df72 | 184 | { |
f5691f9c | 185 | return authntlm_initialised == 1; |
2d70df72 | 186 | } |
187 | ||
f5691f9c | 188 | bool |
372fccd6 | 189 | Auth::Ntlm::Config::configured() const |
94439e4e | 190 | { |
58ee2093 | 191 | if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) { |
372fccd6 | 192 | debugs(29, 9, HERE << "returning configured"); |
f5691f9c | 193 | return true; |
2d70df72 | 194 | } |
62e76326 | 195 | |
372fccd6 | 196 | debugs(29, 9, HERE << "returning unconfigured"); |
f5691f9c | 197 | return false; |
94439e4e | 198 | } |
199 | ||
200 | /* NTLM Scheme */ | |
94439e4e | 201 | |
f5691f9c | 202 | void |
c7baff40 | 203 | Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request) |
94439e4e | 204 | { |
58ee2093 | 205 | if (!authenticateProgram) |
6bf4f823 | 206 | return; |
62e76326 | 207 | |
63a05fa3 | 208 | /* Need keep-alive */ |
209 | if (!request->flags.proxy_keepalive && request->flags.must_keepalive) | |
26ac0430 | 210 | return; |
63a05fa3 | 211 | |
6bf4f823 | 212 | /* New request, no user details */ |
213 | if (auth_user_request == NULL) { | |
372fccd6 | 214 | debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'"); |
18ec8500 | 215 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM"); |
6bf4f823 | 216 | |
217 | if (!keep_alive) { | |
62e76326 | 218 | /* drop the connection */ |
62e76326 | 219 | request->flags.proxy_keepalive = 0; |
62e76326 | 220 | } |
6bf4f823 | 221 | } else { |
c7baff40 | 222 | Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw()); |
3a11f20d | 223 | assert(ntlm_request != NULL); |
224 | ||
d232141d | 225 | switch (ntlm_request->user()->credentials()) { |
62e76326 | 226 | |
d87154ee | 227 | case Auth::Failed: |
6bf4f823 | 228 | /* here it makes sense to drop the connection, as auth is |
229 | * tied to it, even if MAYBE the client could handle it - Kinkie */ | |
6bf4f823 | 230 | request->flags.proxy_keepalive = 0; |
231 | /* fall through */ | |
94439e4e | 232 | |
d87154ee | 233 | case Auth::Ok: |
6bf4f823 | 234 | /* Special case: authentication finished OK but disallowed by ACL. |
235 | * Need to start over to give the client another chance. | |
236 | */ | |
237 | /* fall through */ | |
62e76326 | 238 | |
d87154ee | 239 | case Auth::Unchecked: |
6bf4f823 | 240 | /* semantic change: do not drop the connection. |
241 | * 2.5 implementation used to keep it open - Kinkie */ | |
372fccd6 | 242 | debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'"); |
18ec8500 | 243 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM"); |
6bf4f823 | 244 | break; |
62e76326 | 245 | |
d87154ee | 246 | case Auth::Handshake: |
6bf4f823 | 247 | /* we're waiting for a response from the client. Pass it the blob */ |
372fccd6 | 248 | debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'"); |
18ec8500 | 249 | httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob); |
6bf4f823 | 250 | safe_free(ntlm_request->server_blob); |
251 | break; | |
62e76326 | 252 | |
6bf4f823 | 253 | default: |
372fccd6 | 254 | debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << "."); |
6bf4f823 | 255 | fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n"); |
256 | } | |
257 | } | |
258 | } | |
62e76326 | 259 | |
94439e4e | 260 | static void |
261 | authenticateNTLMStats(StoreEntry * sentry) | |
262 | { | |
9522b380 | 263 | helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics"); |
94439e4e | 264 | } |
265 | ||
94439e4e | 266 | /* |
6bf4f823 | 267 | * Decode a NTLM [Proxy-]Auth string, placing the results in the passed |
94439e4e | 268 | * Auth_user structure. |
269 | */ | |
c7baff40 | 270 | Auth::UserRequest::Pointer |
372fccd6 | 271 | Auth::Ntlm::Config::decode(char const *proxy_auth) |
94439e4e | 272 | { |
aa110616 | 273 | Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm")); |
c7baff40 | 274 | Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest(); |
f5691f9c | 275 | assert(auth_user_request->user() == NULL); |
a33a428a | 276 | |
f5691f9c | 277 | auth_user_request->user(newUser); |
616cfc4c | 278 | auth_user_request->user()->auth_type = Auth::AUTH_NTLM; |
94439e4e | 279 | |
280 | /* all we have to do is identify that it's NTLM - the helper does the rest */ | |
372fccd6 | 281 | debugs(29, 9, HERE << "decode: NTLM authentication"); |
f5691f9c | 282 | return auth_user_request; |
94439e4e | 283 | } |