src/auth/ntlm/Config.cc

   1 /*
   2  * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /* DEBUG: section 29    NTLM Authenticator */
  10
  11 /* The functions in this file handle authentication.
  12  * They DO NOT perform access control or auditing.
  13  * See acl.c for access control and client_side.c for auditing */
  14
  15 #include "squid.h"
  16 #include "auth/Gadgets.h"
  17 #include "auth/ntlm/Config.h"
  18 #include "auth/ntlm/Scheme.h"
  19 #include "auth/ntlm/User.h"
  20 #include "auth/ntlm/UserRequest.h"
  21 #include "auth/State.h"
  22 #include "cache_cf.h"
  23 #include "client_side.h"
  24 #include "helper.h"
  25 #include "http/Stream.h"
  26 #include "HttpHeaderTools.h"
  27 #include "HttpReply.h"
  28 #include "HttpRequest.h"
  29 #include "mgr/Registration.h"
  30 #include "SquidTime.h"
  31 #include "Store.h"
  32 #include "wordlist.h"
  33
  34 /* NTLM Scheme */
  35 static AUTHSSTATS authenticateNTLMStats;
  36
  37 statefulhelper *ntlmauthenticators = NULL;
  38 static int authntlm_initialised = 0;
  39
  40 static hash_table *proxy_auth_cache = NULL;
  41
  42 void
  43 Auth::Ntlm::Config::rotateHelpers()
  44 {
  45     /* schedule closure of existing helpers */
  46     if (ntlmauthenticators) {
  47         helperStatefulShutdown(ntlmauthenticators);
  48     }
  49
  50     /* NP: dynamic helper restart will ensure they start up again as needed. */
  51 }
  52
  53 /* free any allocated configuration details */
  54 void
  55 Auth::Ntlm::Config::done()
  56 {
  57     Auth::SchemeConfig::done();
  58
  59     authntlm_initialised = 0;
  60
  61     if (ntlmauthenticators) {
  62         helperStatefulShutdown(ntlmauthenticators);
  63     }
  64
  65     if (!shutting_down)
  66         return;
  67
  68     delete ntlmauthenticators;
  69     ntlmauthenticators = NULL;
  70
  71     if (authenticateProgram)
  72         wordlistDestroy(&authenticateProgram);
  73
  74     debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
  75 }
  76
  77 const char *
  78 Auth::Ntlm::Config::type() const
  79 {
  80     return Auth::Ntlm::Scheme::GetInstance()->type();
  81 }
  82
  83 /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
  84  * config file */
  85 void
  86 Auth::Ntlm::Config::init(Auth::SchemeConfig *)
  87 {
  88     if (authenticateProgram) {
  89
  90         authntlm_initialised = 1;
  91
  92         if (ntlmauthenticators == NULL)
  93             ntlmauthenticators = new statefulhelper("ntlmauthenticator");
  94
  95         if (!proxy_auth_cache)
  96             proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
  97
  98         assert(proxy_auth_cache);
  99
 100         ntlmauthenticators->cmdline = authenticateProgram;
 101
 102         ntlmauthenticators->childs.updateLimits(authenticateChildren);
 103
 104         ntlmauthenticators->ipc_type = IPC_STREAM;
 105
 106         helperStatefulOpenServers(ntlmauthenticators);
 107     }
 108 }
 109
 110 void
 111 Auth::Ntlm::Config::registerWithCacheManager(void)
 112 {
 113     Mgr::RegisterAction("ntlmauthenticator",
 114                         "NTLM User Authenticator Stats",
 115                         authenticateNTLMStats, 0, 1);
 116 }
 117
 118 bool
 119 Auth::Ntlm::Config::active() const
 120 {
 121     return authntlm_initialised == 1;
 122 }
 123
 124 bool
 125 Auth::Ntlm::Config::configured() const
 126 {
 127     if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
 128         debugs(29, 9, HERE << "returning configured");
 129         return true;
 130     }
 131
 132     debugs(29, 9, HERE << "returning unconfigured");
 133     return false;
 134 }
 135
 136 /* NTLM Scheme */
 137
 138 void
 139 Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType hdrType, HttpRequest * request)
 140 {
 141     if (!authenticateProgram)
 142         return;
 143
 144     /* Need keep-alive */
 145     if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
 146         return;
 147
 148     /* New request, no user details */
 149     if (auth_user_request == NULL) {
 150         debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
 151         httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
 152
 153         if (!keep_alive) {
 154             /* drop the connection */
 155             request->flags.proxyKeepalive = false;
 156         }
 157     } else {
 158         Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
 159         assert(ntlm_request != NULL);
 160
 161         switch (ntlm_request->user()->credentials()) {
 162
 163         case Auth::Failed:
 164             /* here it makes sense to drop the connection, as auth is
 165              * tied to it, even if MAYBE the client could handle it - Kinkie */
 166             request->flags.proxyKeepalive = false;
 167         /* fall through */
 168
 169         case Auth::Ok:
 170         /* Special case: authentication finished OK but disallowed by ACL.
 171          * Need to start over to give the client another chance.
 172          */
 173         /* fall through */
 174
 175         case Auth::Unchecked:
 176             /* semantic change: do not drop the connection.
 177              * 2.5 implementation used to keep it open - Kinkie */
 178             debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
 179             httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
 180             break;
 181
 182         case Auth::Handshake:
 183             /* we're waiting for a response from the client. Pass it the blob */
 184             debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
 185             httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
 186             safe_free(ntlm_request->server_blob);
 187             break;
 188
 189         default:
 190             debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
 191             fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
 192         }
 193     }
 194 }
 195
 196 static void
 197 authenticateNTLMStats(StoreEntry * sentry)
 198 {
 199     if (ntlmauthenticators)
 200         ntlmauthenticators->packStatsInto(sentry, "NTLM Authenticator Statistics");
 201 }
 202
 203 /*
 204  * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
 205  * Auth_user structure.
 206  */
 207 Auth::UserRequest::Pointer
 208 Auth::Ntlm::Config::decode(char const *proxy_auth, const char *aRequestRealm)
 209 {
 210     Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm);
 211     Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
 212     assert(auth_user_request->user() == NULL);
 213
 214     auth_user_request->user(newUser);
 215     auth_user_request->user()->auth_type = Auth::AUTH_NTLM;
 216
 217     auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);
 218
 219     /* all we have to do is identify that it's NTLM - the helper does the rest */
 220     debugs(29, 9, HERE << "decode: NTLM authentication");
 221     return auth_user_request;
 222 }
 223