]> git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/ntlm/Config.cc
projects / thirdparty / squid.git / blob
? search:


1bbf49d051dd7bc43173b563c3531ee13848c83a
[thirdparty/squid.git] / src / auth / ntlm / Config.cc
1 /*
2 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 29 NTLM Authenticator */
10
11 /* The functions in this file handle authentication.
12 * They DO NOT perform access control or auditing.
13 * See acl.c for access control and client_side.c for auditing */
14
15 #include "squid.h"
16 #include "auth/Gadgets.h"
17 #include "auth/ntlm/Config.h"
18 #include "auth/ntlm/Scheme.h"
19 #include "auth/ntlm/User.h"
20 #include "auth/ntlm/UserRequest.h"
21 #include "auth/State.h"
22 #include "cache_cf.h"
23 #include "client_side.h"
24 #include "helper.h"
25 #include "http/Stream.h"
26 #include "HttpHeaderTools.h"
27 #include "HttpReply.h"
28 #include "HttpRequest.h"
29 #include "mgr/Registration.h"
30 #include "SquidTime.h"
31 #include "Store.h"
32 #include "wordlist.h"
33
34 /* NTLM Scheme */
35 static AUTHSSTATS authenticateNTLMStats;
36
37 statefulhelper *ntlmauthenticators = NULL;
38 static int authntlm_initialised = 0;
39
40 static hash_table *proxy_auth_cache = NULL;
41
42 void
43 Auth::Ntlm::Config::rotateHelpers()
44 {
45 /* schedule closure of existing helpers */
46 if (ntlmauthenticators) {
47 helperStatefulShutdown(ntlmauthenticators);
48 }
49
50 /* NP: dynamic helper restart will ensure they start up again as needed. */
51 }
52
53 /* free any allocated configuration details */
54 void
55 Auth::Ntlm::Config::done()
56 {
57 Auth::SchemeConfig::done();
58
59 authntlm_initialised = 0;
60
61 if (ntlmauthenticators) {
62 helperStatefulShutdown(ntlmauthenticators);
63 }
64
65 if (!shutting_down)
66 return;
67
68 delete ntlmauthenticators;
69 ntlmauthenticators = NULL;
70
71 if (authenticateProgram)
72 wordlistDestroy(&authenticateProgram);
73
74 debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
75 }
76
77 bool
78 Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
79 {
80 if (!Auth::SchemeConfig::dump(entry, name, scheme))
81 return false;
82
83 storeAppendPrintf(entry, "%s ntlm keep_alive %s\n", name, keep_alive ? "on" : "off");
84 return true;
85 }
86
87 Auth::Ntlm::Config::Config() : keep_alive(1)
88 { }
89
90 void
91 Auth::Ntlm::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
92 {
93 if (strcmp(param_str, "keep_alive") == 0) {
94 parse_onoff(&keep_alive);
95 } else
96 Auth::SchemeConfig::parse(scheme, n_configured, param_str);
97 }
98
99 const char *
100 Auth::Ntlm::Config::type() const
101 {
102 return Auth::Ntlm::Scheme::GetInstance()->type();
103 }
104
105 /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
106 * config file */
107 void
108 Auth::Ntlm::Config::init(Auth::SchemeConfig *)
109 {
110 if (authenticateProgram) {
111
112 authntlm_initialised = 1;
113
114 if (ntlmauthenticators == NULL)
115 ntlmauthenticators = new statefulhelper("ntlmauthenticator");
116
117 if (!proxy_auth_cache)
118 proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
119
120 assert(proxy_auth_cache);
121
122 ntlmauthenticators->cmdline = authenticateProgram;
123
124 ntlmauthenticators->childs.updateLimits(authenticateChildren);
125
126 ntlmauthenticators->ipc_type = IPC_STREAM;
127
128 helperStatefulOpenServers(ntlmauthenticators);
129 }
130 }
131
132 void
133 Auth::Ntlm::Config::registerWithCacheManager(void)
134 {
135 Mgr::RegisterAction("ntlmauthenticator",
136 "NTLM User Authenticator Stats",
137 authenticateNTLMStats, 0, 1);
138 }
139
140 bool
141 Auth::Ntlm::Config::active() const
142 {
143 return authntlm_initialised == 1;
144 }
145
146 bool
147 Auth::Ntlm::Config::configured() const
148 {
149 if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
150 debugs(29, 9, HERE << "returning configured");
151 return true;
152 }
153
154 debugs(29, 9, HERE << "returning unconfigured");
155 return false;
156 }
157
158 /* NTLM Scheme */
159
160 void
161 Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType hdrType, HttpRequest * request)
162 {
163 if (!authenticateProgram)
164 return;
165
166 /* Need keep-alive */
167 if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
168 return;
169
170 /* New request, no user details */
171 if (auth_user_request == NULL) {
172 debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
173 httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
174
175 if (!keep_alive) {
176 /* drop the connection */
177 request->flags.proxyKeepalive = false;
178 }
179 } else {
180 Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
181 assert(ntlm_request != NULL);
182
183 switch (ntlm_request->user()->credentials()) {
184
185 case Auth::Failed:
186 /* here it makes sense to drop the connection, as auth is
187 * tied to it, even if MAYBE the client could handle it - Kinkie */
188 request->flags.proxyKeepalive = false;
189 /* fall through */
190
191 case Auth::Ok:
192 /* Special case: authentication finished OK but disallowed by ACL.
193 * Need to start over to give the client another chance.
194 */
195 /* fall through */
196
197 case Auth::Unchecked:
198 /* semantic change: do not drop the connection.
199 * 2.5 implementation used to keep it open - Kinkie */
200 debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
201 httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
202 break;
203
204 case Auth::Handshake:
205 /* we're waiting for a response from the client. Pass it the blob */
206 debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
207 httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
208 safe_free(ntlm_request->server_blob);
209 break;
210
211 default:
212 debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
213 fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
214 }
215 }
216 }
217
218 static void
219 authenticateNTLMStats(StoreEntry * sentry)
220 {
221 if (ntlmauthenticators)
222 ntlmauthenticators->packStatsInto(sentry, "NTLM Authenticator Statistics");
223 }
224
225 /*
226 * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
227 * Auth_user structure.
228 */
229 Auth::UserRequest::Pointer
230 Auth::Ntlm::Config::decode(char const *proxy_auth, const char *aRequestRealm)
231 {
232 Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm);
233 Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
234 assert(auth_user_request->user() == NULL);
235
236 auth_user_request->user(newUser);
237 auth_user_request->user()->auth_type = Auth::AUTH_NTLM;
238
239 auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);
240
241 /* all we have to do is identify that it's NTLM - the helper does the rest */
242 debugs(29, 9, HERE << "decode: NTLM authentication");
243 return auth_user_request;
244 }
245
Mirror of https://github.com/squid-cache/squid.git