src/auth/basic/SSPI/basic_sspi_auth.cc

   1 /*
   2  * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /*
  10   NT_auth -  Version 2.0
  11
  12   Returns OK for a successful authentication, or ERR upon error.
  13
  14   Guido Serassio, Torino - Italy
  15
  16   Uses code from -
  17     Antonino Iannella 2000
  18     Andrew Tridgell 1997
  19     Richard Sharpe 1996
  20     Bill Welliver 1999
  21
  22  * Distributed freely under the terms of the GNU General Public License,
  23  * version 2 or later. See the file COPYING for licensing details
  24  *
  25  * This program is distributed in the hope that it will be useful,
  26  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  27  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  28  * GNU General Public License for more details.
  29
  30  * You should have received a copy of the GNU General Public License
  31  * along with this program; if not, write to the Free Software
  32  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  33 */
  34
  35 #include "squid.h"
  36 #include "auth/basic/SSPI/valid.h"
  37 #include "helper/protocol_defines.h"
  38 #include "rfc1738.h"
  39 #include "util.h"
  40
  41 #if GETOPT_H
  42 #include <getopt.h>
  43 #endif
  44
  45 /* Check if we try to compile on a Windows Platform */
  46 #if !_SQUID_WINDOWS_
  47 /* NON Windows Platform !!! */
  48 #error NON WINDOWS PLATFORM
  49 #endif
  50
  51 static char NTGroup[256];
  52 char * NTAllowedGroup;
  53 char * NTDisAllowedGroup;
  54 int UseDisallowedGroup = 0;
  55 int UseAllowedGroup = 0;
  56 int debug_enabled = 0;
  57
  58 /*
  59  * options:
  60  * -A can specify a Windows Local Group name allowed to authenticate.
  61  * -D can specify a Windows Local Group name not allowed to authenticate.
  62  * -O can specify the default Domain against to authenticate.
  63  */
  64 static void
  65 usage(const char *name)
  66 {
  67     fprintf(stderr, "Usage:\n%s [-A|D UserGroup][-O DefaultDomain][-d]\n"
  68             "-A can specify a Windows Local Group name allowed to authenticate\n"
  69             "-D can specify a Windows Local Group name not allowed to authenticate\n"
  70             "-O can specify the default Domain against to authenticate\n"
  71             "-d enable debugging.\n"
  72             "-h this message\n\n",
  73             name);
  74 }
  75
  76 void
  77 process_options(int argc, char *argv[])
  78 {
  79     int opt;
  80     while (-1 != (opt = getopt(argc, argv, "dhA:D:O:"))) {
  81         switch (opt) {
  82         case 'A':
  83             safe_free(NTAllowedGroup);
  84             NTAllowedGroup=xstrdup(optarg);
  85             UseAllowedGroup = 1;
  86             break;
  87         case 'D':
  88             safe_free(NTDisAllowedGroup);
  89             NTDisAllowedGroup=xstrdup(optarg);
  90             UseDisallowedGroup = 1;
  91             break;
  92         case 'O':
  93             strncpy(Default_NTDomain, optarg, DNLEN);
  94             break;
  95         case 'd':
  96             debug_enabled = 1;
  97             break;
  98         case 'h':
  99             usage(argv[0]);
 100             exit(EXIT_SUCCESS);
 101         case '?':
 102             opt = optopt;
 103             [[fallthrough]];
 104         default:
 105             fprintf(stderr, "FATAL: Unknown option: -%c\n", opt);
 106             usage(argv[0]);
 107             exit(EXIT_FAILURE);
 108         }
 109     }
 110 }
 111
 112 /* Main program for simple authentication.
 113    Scans and checks for Squid input, and attempts to validate the user.
 114 */
 115 int
 116 main(int argc, char **argv)
 117 {
 118     char wstr[HELPER_INPUT_BUFFER];
 119     char username[256];
 120     char password[256];
 121     char *p;
 122     int err = 0;
 123
 124     process_options(argc, argv);
 125
 126     if (LoadSecurityDll(SSP_BASIC, NTLM_PACKAGE_NAME) == NULL) {
 127         fprintf(stderr, "FATAL: can't initialize SSPI, exiting.\n");
 128         exit(EXIT_FAILURE);
 129     }
 130     debug("SSPI initialized OK\n");
 131
 132     atexit(UnloadSecurityDll);
 133
 134     /* initialize FDescs */
 135     setbuf(stdout, NULL);
 136     setbuf(stderr, NULL);
 137
 138     while (fgets(wstr, HELPER_INPUT_BUFFER, stdin) != NULL) {
 139
 140         if (NULL == strchr(wstr, '\n')) {
 141             err = 1;
 142             continue;
 143         }
 144         if (err) {
 145             SEND_ERR("Oversized message");
 146             err = 0;
 147             fflush(stdout);
 148             continue;
 149         }
 150
 151         if ((p = strchr(wstr, '\n')) != NULL)
 152             *p = '\0';      /* strip \n */
 153         if ((p = strchr(wstr, '\r')) != NULL)
 154             *p = '\0';      /* strip \r */
 155         /* Clear any current settings */
 156         username[0] = '\0';
 157         password[0] = '\0';
 158         sscanf(wstr, "%s %s", username, password);  /* Extract parameters */
 159
 160         debug("Got %s from Squid\n", wstr);
 161
 162         /* Check for invalid or blank entries */
 163         if ((username[0] == '\0') || (password[0] == '\0')) {
 164             SEND_ERR("Invalid Request");
 165             fflush(stdout);
 166             continue;
 167         }
 168         rfc1738_unescape(username);
 169         rfc1738_unescape(password);
 170
 171         debug("Trying to validate; %s %s\n", username, password);
 172
 173         if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR)
 174             SEND_OK("");
 175         else
 176             SEND_ERR(errormsg);
 177         err = 0;
 178         fflush(stdout);
 179     }
 180     return EXIT_SUCCESS;
 181 }
 182