src/auth/basic/auth_basic.cc

   1 /*
   2  * DEBUG: section 29    Authenticator
   3  * AUTHOR: Duane Wessels
   4  *
   5  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   6  * ----------------------------------------------------------
   7  *
   8  *  Squid is the result of efforts by numerous individuals from
   9  *  the Internet community; see the CONTRIBUTORS file for full
  10  *  details.   Many organizations have provided support for Squid's
  11  *  development; see the SPONSORS file for full details.  Squid is
  12  *  Copyrighted (C) 2001 by the Regents of the University of
  13  *  California; see the COPYRIGHT file for full details.  Squid
  14  *  incorporates software developed and/or copyrighted by other
  15  *  sources; see the CREDITS file for full details.
  16  *
  17  *  This program is free software; you can redistribute it and/or modify
  18  *  it under the terms of the GNU General Public License as published by
  19  *  the Free Software Foundation; either version 2 of the License, or
  20  *  (at your option) any later version.
  21  *
  22  *  This program is distributed in the hope that it will be useful,
  23  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  24  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  25  *  GNU General Public License for more details.
  26  *
  27  *  You should have received a copy of the GNU General Public License
  28  *  along with this program; if not, write to the Free Software
  29  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  30  *
  31  */
  32
  33 /* The functions in this file handle authentication.
  34  * They DO NOT perform access control or auditing.
  35  * See acl.c for access control and client_side.c for auditing */
  36
  37 #include "squid.h"
  38 #include "auth/basic/auth_basic.h"
  39 #include "auth/basic/Scheme.h"
  40 #include "auth/basic/User.h"
  41 #include "auth/basic/UserRequest.h"
  42 #include "auth/Gadgets.h"
  43 #include "auth/State.h"
  44 #include "cache_cf.h"
  45 #include "charset.h"
  46 #include "HttpHeaderTools.h"
  47 #include "HttpReply.h"
  48 #include "mgr/Registration.h"
  49 #include "rfc1738.h"
  50 #include "SquidTime.h"
  51 #include "Store.h"
  52 #include "uudecode.h"
  53 #include "wordlist.h"
  54
  55 /* Basic Scheme */
  56 static AUTHSSTATS authenticateBasicStats;
  57
  58 helper *basicauthenticators = NULL;
  59
  60 static int authbasic_initialised = 0;
  61
  62 /*
  63  *
  64  * Public Functions
  65  *
  66  */
  67
  68 /* internal functions */
  69
  70 bool
  71 Auth::Basic::Config::active() const
  72 {
  73     return authbasic_initialised == 1;
  74 }
  75
  76 bool
  77 Auth::Basic::Config::configured() const
  78 {
  79     if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0) &&
  80             (basicAuthRealm != NULL)) {
  81         debugs(29, 9, HERE << "returning configured");
  82         return true;
  83     }
  84
  85     debugs(29, 9, HERE << "returning unconfigured");
  86     return false;
  87 }
  88
  89 const char *
  90 Auth::Basic::Config::type() const
  91 {
  92     return Auth::Basic::Scheme::GetInstance()->type();
  93 }
  94
  95 void
  96 Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request)
  97 {
  98     if (authenticateProgram) {
  99         debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'Basic realm=\"" << basicAuthRealm << "\"'");
 100         httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"%s\"", basicAuthRealm);
 101     }
 102 }
 103
 104 void
 105 Auth::Basic::Config::rotateHelpers()
 106 {
 107     /* schedule closure of existing helpers */
 108     if (basicauthenticators) {
 109         helperShutdown(basicauthenticators);
 110     }
 111
 112     /* NP: dynamic helper restart will ensure they start up again as needed. */
 113 }
 114
 115 /** shutdown the auth helpers and free any allocated configuration details */
 116 void
 117 Auth::Basic::Config::done()
 118 {
 119     authbasic_initialised = 0;
 120
 121     if (basicauthenticators) {
 122         helperShutdown(basicauthenticators);
 123     }
 124
 125     delete basicauthenticators;
 126     basicauthenticators = NULL;
 127
 128     if (authenticateProgram)
 129         wordlistDestroy(&authenticateProgram);
 130
 131     if (basicAuthRealm)
 132         safe_free(basicAuthRealm);
 133 }
 134
 135 void
 136 Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme)
 137 {
 138     wordlist *list = authenticateProgram;
 139     storeAppendPrintf(entry, "%s %s", name, "basic");
 140
 141     while (list != NULL) {
 142         storeAppendPrintf(entry, " %s", list->key);
 143         list = list->next;
 144     }
 145
 146     storeAppendPrintf(entry, "\n");
 147
 148     storeAppendPrintf(entry, "%s basic realm %s\n", name, basicAuthRealm);
 149     storeAppendPrintf(entry, "%s basic children %d startup=%d idle=%d concurrency=%d\n", name, authenticateChildren.n_max, authenticateChildren.n_startup, authenticateChildren.n_idle, authenticateChildren.concurrency);
 150     storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
 151     storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
 152 }
 153
 154 Auth::Basic::Config::Config() :
 155         credentialsTTL( 2*60*60 ),
 156         casesensitive(0),
 157         utf8(0)
 158 {
 159     basicAuthRealm = xstrdup("Squid proxy-caching web server");
 160 }
 161
 162 Auth::Basic::Config::~Config()
 163 {
 164     safe_free(basicAuthRealm);
 165 }
 166
 167 void
 168 Auth::Basic::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
 169 {
 170     if (strcmp(param_str, "program") == 0) {
 171         if (authenticateProgram)
 172             wordlistDestroy(&authenticateProgram);
 173
 174         parse_wordlist(&authenticateProgram);
 175
 176         requirePathnameExists("auth_param basic program", authenticateProgram->key);
 177     } else if (strcmp(param_str, "children") == 0) {
 178         authenticateChildren.parseConfig();
 179     } else if (strcmp(param_str, "realm") == 0) {
 180         parse_eol(&basicAuthRealm);
 181     } else if (strcmp(param_str, "credentialsttl") == 0) {
 182         parse_time_t(&credentialsTTL);
 183     } else if (strcmp(param_str, "casesensitive") == 0) {
 184         parse_onoff(&casesensitive);
 185     } else if (strcmp(param_str, "utf8") == 0) {
 186         parse_onoff(&utf8);
 187     } else {
 188         debugs(29, DBG_CRITICAL, HERE << "unrecognised basic auth scheme parameter '" << param_str << "'");
 189     }
 190 }
 191
 192 static void
 193 authenticateBasicStats(StoreEntry * sentry)
 194 {
 195     helperStats(sentry, basicauthenticators, "Basic Authenticator Statistics");
 196 }
 197
 198 static Auth::User::Pointer
 199 authBasicAuthUserFindUsername(const char *username)
 200 {
 201     AuthUserHashPointer *usernamehash;
 202     debugs(29, 9, HERE << "Looking for user '" << username << "'");
 203
 204     if (username && (usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, username)))) {
 205         while (usernamehash) {
 206             if ((usernamehash->user()->auth_type == Auth::AUTH_BASIC) &&
 207                     !strcmp(username, (char const *)usernamehash->key))
 208                 return usernamehash->user();
 209
 210             usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
 211         }
 212     }
 213
 214     return NULL;
 215 }
 216
 217 char *
 218 Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader)
 219 {
 220     const char *proxy_auth = httpAuthHeader;
 221
 222     /* trim BASIC from string */
 223     while (xisgraph(*proxy_auth))
 224         ++proxy_auth;
 225
 226     /* Trim leading whitespace before decoding */
 227     while (xisspace(*proxy_auth))
 228         ++proxy_auth;
 229
 230     /* Trim trailing \n before decoding */
 231     // XXX: really? is the \n actually still there? does the header parse not drop it?
 232     char *eek = xstrdup(proxy_auth);
 233     strtok(eek, "\n");
 234     char *cleartext = uudecode(eek);
 235     safe_free(eek);
 236
 237     if (cleartext) {
 238         /*
 239          * Don't allow NL or CR in the credentials.
 240          * Oezguer Kesim <oec@codeblau.de>
 241          */
 242         debugs(29, 9, HERE << "'" << cleartext << "'");
 243
 244         if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
 245             debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
 246             safe_free(cleartext);
 247         }
 248     }
 249     return cleartext;
 250 }
 251
 252 /**
 253  * Decode a Basic [Proxy-]Auth string, linking the passed
 254  * auth_user_request structure to any existing user structure or creating one
 255  * if needed. Note that just returning will be treated as
 256  * "cannot decode credentials". Use the message field to return a
 257  * descriptive message to the user.
 258  */
 259 Auth::UserRequest::Pointer
 260 Auth::Basic::Config::decode(char const *proxy_auth)
 261 {
 262     Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
 263     /* decode the username */
 264
 265     // retrieve the cleartext (in a dynamically allocated char*)
 266     char *cleartext = decodeCleartext(proxy_auth);
 267
 268     // empty header? no auth details produced...
 269     if (!cleartext)
 270         return auth_user_request;
 271
 272     Auth::User::Pointer lb;
 273     /* permitted because local_basic is purely local function scope. */
 274     Auth::Basic::User *local_basic = NULL;
 275
 276     char *seperator = strchr(cleartext, ':');
 277
 278     lb = local_basic = new Auth::Basic::User(this);
 279     if (seperator == NULL) {
 280         local_basic->username(cleartext);
 281     } else {
 282         /* terminate the username */
 283         *seperator = '\0';
 284         local_basic->username(cleartext);
 285         local_basic->passwd = xstrdup(seperator+1);
 286     }
 287
 288     if (!casesensitive)
 289         Tolower((char *)local_basic->username());
 290
 291     if (local_basic->passwd == NULL) {
 292         debugs(29, 4, HERE << "no password in proxy authorization header '" << proxy_auth << "'");
 293         auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
 294     } else {
 295         if (local_basic->passwd[0] == '\0') {
 296             debugs(29, 4, HERE << "Disallowing empty password. User is '" << local_basic->username() << "'");
 297             safe_free(local_basic->passwd);
 298             auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
 299         }
 300     }
 301
 302     xfree(cleartext);
 303
 304     if (!local_basic->valid()) {
 305         lb->auth_type = Auth::AUTH_BROKEN;
 306         auth_user_request->user(lb);
 307         return auth_user_request;
 308     }
 309
 310     /* now lookup and see if we have a matching auth_user structure in memory. */
 311     Auth::User::Pointer auth_user;
 312
 313     if ((auth_user = authBasicAuthUserFindUsername(lb->username())) == NULL) {
 314         /* the user doesn't exist in the username cache yet */
 315         /* save the credentials */
 316         debugs(29, 9, HERE << "Creating new user '" << lb->username() << "'");
 317         /* set the auth_user type */
 318         lb->auth_type = Auth::AUTH_BASIC;
 319         /* current time for timeouts */
 320         lb->expiretime = current_time.tv_sec;
 321
 322         /* this basic_user struct is the 'lucky one' to get added to the username cache */
 323         /* the requests after this link to the basic_user */
 324         /* store user in hash */
 325         lb->addToNameCache();
 326
 327         auth_user = lb;
 328         assert(auth_user != NULL);
 329     } else {
 330         /* replace the current cached password with the new one */
 331         Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw());
 332         assert(basic_auth);
 333         basic_auth->updateCached(local_basic);
 334         auth_user = basic_auth;
 335     }
 336
 337     /* link the request to the in-cache user */
 338     auth_user_request->user(auth_user);
 339     return auth_user_request;
 340 }
 341
 342 /** Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 343  * config file */
 344 void
 345 Auth::Basic::Config::init(Auth::Config * schemeCfg)
 346 {
 347     if (authenticateProgram) {
 348         authbasic_initialised = 1;
 349
 350         if (basicauthenticators == NULL)
 351             basicauthenticators = new helper("basicauthenticator");
 352
 353         basicauthenticators->cmdline = authenticateProgram;
 354
 355         basicauthenticators->childs.updateLimits(authenticateChildren);
 356
 357         basicauthenticators->ipc_type = IPC_STREAM;
 358
 359         helperOpenServers(basicauthenticators);
 360     }
 361 }
 362
 363 void
 364 Auth::Basic::Config::registerWithCacheManager(void)
 365 {
 366     Mgr::RegisterAction("basicauthenticator",
 367                         "Basic User Authenticator Stats",
 368                         authenticateBasicStats, 0, 1);
 369 }