src/auth/basic/Config.cc

   1 /*
   2  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /* DEBUG: section 29    Authenticator */
  10
  11 /* The functions in this file handle authentication.
  12  * They DO NOT perform access control or auditing.
  13  * See acl.c for access control and client_side.c for auditing */
  14
  15 #include "squid.h"
  16 #include "auth/basic/Config.h"
  17 #include "auth/basic/Scheme.h"
  18 #include "auth/basic/User.h"
  19 #include "auth/basic/UserRequest.h"
  20 #include "auth/CredentialsCache.h"
  21 #include "auth/Gadgets.h"
  22 #include "auth/State.h"
  23 #include "auth/toUtf.h"
  24 #include "base64.h"
  25 #include "cache_cf.h"
  26 #include "helper.h"
  27 #include "HttpHeaderTools.h"
  28 #include "HttpReply.h"
  29 #include "mgr/Registration.h"
  30 #include "rfc1738.h"
  31 #include "sbuf/SBuf.h"
  32 #include "Store.h"
  33 #include "util.h"
  34 #include "wordlist.h"
  35
  36 /* Basic Scheme */
  37 static AUTHSSTATS authenticateBasicStats;
  38
  39 Helper::ClientPointer basicauthenticators;
  40
  41 static int authbasic_initialised = 0;
  42
  43 /*
  44  *
  45  * Public Functions
  46  *
  47  */
  48
  49 /* internal functions */
  50
  51 bool
  52 Auth::Basic::Config::active() const
  53 {
  54     return authbasic_initialised == 1;
  55 }
  56
  57 bool
  58 Auth::Basic::Config::configured() const
  59 {
  60     if ((authenticateProgram != nullptr) && (authenticateChildren.n_max != 0) && !realm.isEmpty()) {
  61         debugs(29, 9, "returning configured");
  62         return true;
  63     }
  64
  65     debugs(29, 9, "returning unconfigured");
  66     return false;
  67 }
  68
  69 const char *
  70 Auth::Basic::Config::type() const
  71 {
  72     return Auth::Basic::Scheme::GetInstance()->type();
  73 }
  74
  75 void
  76 Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer, HttpReply *rep, Http::HdrType hdrType, HttpRequest *)
  77 {
  78     if (authenticateProgram) {
  79         if (utf8) {
  80             debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\", charset=\"UTF-8\"'");
  81             httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\", charset=\"UTF-8\"", SQUIDSBUFPRINT(realm));
  82         } else {
  83             debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\"'");
  84             httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\"", SQUIDSBUFPRINT(realm));
  85         }
  86     }
  87 }
  88
  89 void
  90 Auth::Basic::Config::rotateHelpers()
  91 {
  92     /* schedule closure of existing helpers */
  93     if (basicauthenticators) {
  94         helperShutdown(basicauthenticators);
  95     }
  96
  97     /* NP: dynamic helper restart will ensure they start up again as needed. */
  98 }
  99
 100 /** shutdown the auth helpers and free any allocated configuration details */
 101 void
 102 Auth::Basic::Config::done()
 103 {
 104     Auth::SchemeConfig::done();
 105
 106     authbasic_initialised = 0;
 107
 108     if (basicauthenticators) {
 109         helperShutdown(basicauthenticators);
 110     }
 111
 112     basicauthenticators = nullptr;
 113
 114     if (authenticateProgram)
 115         wordlistDestroy(&authenticateProgram);
 116 }
 117
 118 bool
 119 Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
 120 {
 121     if (!Auth::SchemeConfig::dump(entry, name, scheme))
 122         return false; // not configured
 123
 124     storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
 125     storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
 126     return true;
 127 }
 128
 129 Auth::Basic::Config::Config() :
 130     credentialsTTL( 2*60*60 ),
 131     casesensitive(0)
 132 {
 133     static const SBuf defaultRealm("Squid proxy-caching web server");
 134     realm = defaultRealm;
 135 }
 136
 137 void
 138 Auth::Basic::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
 139 {
 140     if (strcmp(param_str, "credentialsttl") == 0) {
 141         parse_time_t(&credentialsTTL);
 142     } else if (strcmp(param_str, "casesensitive") == 0) {
 143         parse_onoff(&casesensitive);
 144     } else
 145         Auth::SchemeConfig::parse(scheme, n_configured, param_str);
 146 }
 147
 148 static void
 149 authenticateBasicStats(StoreEntry * sentry)
 150 {
 151     if (basicauthenticators)
 152         basicauthenticators->packStatsInto(sentry, "Basic Authenticator Statistics");
 153 }
 154
 155 char *
 156 Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader, const HttpRequest *request)
 157 {
 158     const char *proxy_auth = httpAuthHeader;
 159
 160     /* trim BASIC from string */
 161     while (xisgraph(*proxy_auth))
 162         ++proxy_auth;
 163
 164     /* Trim leading whitespace before decoding */
 165     while (xisspace(*proxy_auth))
 166         ++proxy_auth;
 167
 168     /* Trim trailing \n before decoding */
 169     // XXX: really? is the \n actually still there? does the header parse not drop it?
 170     char *eek = xstrdup(proxy_auth);
 171     strtok(eek, "\n");
 172
 173     const size_t srcLen = strlen(eek);
 174     char *cleartext = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1));
 175
 176     struct base64_decode_ctx ctx;
 177     base64_decode_init(&ctx);
 178
 179     size_t dstLen = 0;
 180     if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
 181         cleartext[dstLen] = '\0';
 182
 183         if (utf8 && !isValidUtf8String(cleartext, cleartext + dstLen)) {
 184             auto str = isCP1251EncodingAllowed(request) ?
 185                        Cp1251ToUtf8(cleartext) : Latin1ToUtf8(cleartext);
 186             safe_free(cleartext);
 187             cleartext = xstrdup(str.c_str());
 188         }
 189
 190         /*
 191          * Don't allow NL or CR in the credentials.
 192          * Oezguer Kesim <oec@codeblau.de>
 193          */
 194         debugs(29, 9, "'" << cleartext << "'");
 195
 196         if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
 197             debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
 198             safe_free(cleartext);
 199         }
 200     } else {
 201         debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'");
 202         safe_free(cleartext);
 203     }
 204
 205     safe_free(eek);
 206     return cleartext;
 207 }
 208
 209 /**
 210  * Decode a Basic [Proxy-]Auth string, linking the passed
 211  * auth_user_request structure to any existing user structure or creating one
 212  * if needed. Note that just returning will be treated as
 213  * "cannot decode credentials". Use the message field to return a
 214  * descriptive message to the user.
 215  */
 216 Auth::UserRequest::Pointer
 217 Auth::Basic::Config::decode(char const *proxy_auth, const HttpRequest *request, const char *aRequestRealm)
 218 {
 219     Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
 220     /* decode the username */
 221
 222     // retrieve the cleartext (in a dynamically allocated char*)
 223     const auto cleartext = decodeCleartext(proxy_auth, request);
 224
 225     // empty header? no auth details produced...
 226     if (!cleartext)
 227         return auth_user_request;
 228
 229     Auth::User::Pointer lb;
 230     /* permitted because local_basic is purely local function scope. */
 231     Auth::Basic::User *local_basic = nullptr;
 232
 233     char *separator = strchr(cleartext, ':');
 234
 235     lb = local_basic = new Auth::Basic::User(this, aRequestRealm);
 236
 237     if (separator) {
 238         /* terminate the username */
 239         *separator = '\0';
 240         local_basic->passwd = xstrdup(separator+1);
 241     }
 242
 243     if (!casesensitive)
 244         Tolower(cleartext);
 245     local_basic->username(cleartext);
 246
 247     if (local_basic->passwd == nullptr) {
 248         debugs(29, 4, "no password in proxy authorization header '" << proxy_auth << "'");
 249         auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
 250     } else {
 251         if (local_basic->passwd[0] == '\0') {
 252             debugs(29, 4, "Disallowing empty password. User is '" << local_basic->username() << "'");
 253             safe_free(local_basic->passwd);
 254             auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
 255         }
 256     }
 257
 258     xfree(cleartext);
 259
 260     if (!local_basic->valid()) {
 261         lb->auth_type = Auth::AUTH_BROKEN;
 262         auth_user_request->user(lb);
 263         return auth_user_request;
 264     }
 265
 266     /* now lookup and see if we have a matching auth_user structure in memory. */
 267     Auth::User::Pointer auth_user;
 268
 269     if (!(auth_user = Auth::Basic::User::Cache()->lookup(lb->userKey()))) {
 270         /* the user doesn't exist in the username cache yet */
 271         /* save the credentials */
 272         debugs(29, 9, "Creating new user '" << lb->username() << "'");
 273         /* set the auth_user type */
 274         lb->auth_type = Auth::AUTH_BASIC;
 275         /* current time for timeouts */
 276         lb->expiretime = current_time.tv_sec;
 277
 278         /* this basic_user struct is the 'lucky one' to get added to the username cache */
 279         /* the requests after this link to the basic_user */
 280         /* store user in hash */
 281         lb->addToNameCache();
 282
 283         auth_user = lb;
 284         assert(auth_user != nullptr);
 285     } else {
 286         /* replace the current cached password with the new one */
 287         Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw());
 288         assert(basic_auth);
 289         basic_auth->updateCached(local_basic);
 290         auth_user = basic_auth;
 291     }
 292
 293     /* link the request to the in-cache user */
 294     auth_user_request->user(auth_user);
 295     return auth_user_request;
 296 }
 297
 298 /** Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 299  * config file */
 300 void
 301 Auth::Basic::Config::init(Auth::SchemeConfig *)
 302 {
 303     if (authenticateProgram) {
 304         authbasic_initialised = 1;
 305
 306         if (basicauthenticators == nullptr)
 307             basicauthenticators = helper::Make("basicauthenticator");
 308
 309         basicauthenticators->cmdline = authenticateProgram;
 310
 311         basicauthenticators->childs.updateLimits(authenticateChildren);
 312
 313         basicauthenticators->ipc_type = IPC_STREAM;
 314
 315         helperOpenServers(basicauthenticators);
 316     }
 317 }
 318
 319 void
 320 Auth::Basic::Config::registerWithCacheManager(void)
 321 {
 322     Mgr::RegisterAction("basicauthenticator",
 323                         "Basic User Authenticator Stats",
 324                         authenticateBasicStats, 0, 1);
 325 }
 326