]> git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/ntlm/UserRequest.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Renamed squid.h to squid-old.h and config.h to squid.h
[thirdparty/squid.git] / src / auth / ntlm / UserRequest.cc
1 #include "squid.h"
2 #include "auth/ntlm/auth_ntlm.h"
3 #include "auth/ntlm/UserRequest.h"
4 #include "auth/State.h"
5 #include "cbdata.h"
6 #include "HttpRequest.h"
7 #include "SquidTime.h"
8
9 Auth::Ntlm::UserRequest::UserRequest()
10 {
11 waiting=0;
12 client_blob=0;
13 server_blob=0;
14 authserver=NULL;
15 request=NULL;
16 }
17
18 Auth::Ntlm::UserRequest::~UserRequest()
19 {
20 assert(RefCountCount()==0);
21 safe_free(server_blob);
22 safe_free(client_blob);
23
24 releaseAuthServer();
25
26 if (request) {
27 HTTPMSGUNLOCK(request);
28 request = NULL;
29 }
30 }
31
32 const char *
33 Auth::Ntlm::UserRequest::connLastHeader()
34 {
35 return NULL;
36 }
37
38 int
39 Auth::Ntlm::UserRequest::authenticated() const
40 {
41 if (user() != NULL && user()->credentials() == Auth::Ok) {
42 debugs(29, 9, HERE << "user authenticated.");
43 return 1;
44 }
45
46 debugs(29, 9, HERE << "user not fully authenticated.");
47 return 0;
48 }
49
50 Auth::Direction
51 Auth::Ntlm::UserRequest::module_direction()
52 {
53 /* null auth_user is checked for by Auth::UserRequest::direction() */
54
55 if (waiting || client_blob)
56 return Auth::CRED_LOOKUP; /* need helper response to continue */
57
58 if (user()->auth_type != Auth::AUTH_NTLM)
59 return Auth::CRED_ERROR;
60
61 switch (user()->credentials()) {
62
63 case Auth::Handshake:
64 assert(server_blob);
65 return Auth::CRED_CHALLENGE;
66
67 case Auth::Ok:
68 return Auth::CRED_VALID;
69
70 case Auth::Failed:
71 return Auth::CRED_ERROR; // XXX: really? not VALID or CHALLENGE?
72
73 default:
74 debugs(29, DBG_IMPORTANT, "WARNING: NTLM Authentication in unexpected state: " << user()->credentials());
75 return Auth::CRED_ERROR;
76 }
77 }
78
79 void
80 Auth::Ntlm::UserRequest::module_start(RH * handler, void *data)
81 {
82 static char buf[MAX_AUTHTOKEN_LEN];
83
84 assert(data);
85 assert(handler);
86
87 if (static_cast<Auth::Ntlm::Config*>(Auth::Config::Find("ntlm"))->authenticateProgram == NULL) {
88 debugs(29, DBG_CRITICAL, "ERROR: NTLM Start: no NTLM program configured.");
89 handler(data, NULL);
90 return;
91 }
92
93 debugs(29, 8, HERE << "credentials state is '" << user()->credentials() << "'");
94
95 if (user()->credentials() == Auth::Pending) {
96 snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
97 } else {
98 snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
99 }
100
101 waiting = 1;
102
103 safe_free(client_blob);
104 helperStatefulSubmit(ntlmauthenticators, buf, Auth::Ntlm::UserRequest::HandleReply,
105 new Auth::StateData(this, handler, data), authserver);
106 }
107
108 /**
109 * Atomic action: properly release the NTLM auth helpers which may have been reserved
110 * for this request connections use.
111 */
112 void
113 Auth::Ntlm::UserRequest::releaseAuthServer()
114 {
115 if (authserver) {
116 debugs(29, 6, HERE << "releasing NTLM auth server '" << authserver << "'");
117 helperStatefulReleaseServer(authserver);
118 authserver = NULL;
119 } else
120 debugs(29, 6, HERE << "No NTLM auth server to release.");
121 }
122
123 void
124 Auth::Ntlm::UserRequest::onConnectionClose(ConnStateData *conn)
125 {
126 assert(conn != NULL);
127
128 debugs(29, 8, HERE << "closing connection '" << conn << "' (this is '" << this << "')");
129
130 if (conn->auth_user_request == NULL) {
131 debugs(29, 8, HERE << "no auth_user_request");
132 return;
133 }
134
135 releaseAuthServer();
136
137 /* unlock the connection based lock */
138 debugs(29, 9, HERE << "Unlocking auth_user from the connection '" << conn << "'.");
139
140 conn->auth_user_request = NULL;
141 }
142
143 void
144 Auth::Ntlm::UserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, http_hdr_type type)
145 {
146 assert(this);
147
148 /* Check that we are in the client side, where we can generate
149 * auth challenges */
150
151 if (conn == NULL || !cbdataReferenceValid(conn)) {
152 user()->credentials(Auth::Failed);
153 debugs(29, DBG_IMPORTANT, "WARNING: NTLM Authentication attempt to perform authentication without a connection!");
154 return;
155 }
156
157 if (waiting) {
158 debugs(29, DBG_IMPORTANT, "WARNING: NTLM Authentication waiting for helper reply!");
159 return;
160 }
161
162 if (server_blob) {
163 debugs(29, 2, HERE << "need to challenge client '" << server_blob << "'!");
164 return;
165 }
166
167 /* get header */
168 const char *proxy_auth = aRequest->header.getStr(type);
169
170 /* locate second word */
171 const char *blob = proxy_auth;
172
173 /* if proxy_auth is actually NULL, we'd better not manipulate it. */
174 if (blob) {
175 while (xisspace(*blob) && *blob)
176 blob++;
177
178 while (!xisspace(*blob) && *blob)
179 blob++;
180
181 while (xisspace(*blob) && *blob)
182 blob++;
183 }
184
185 switch (user()->credentials()) {
186
187 case Auth::Unchecked:
188 /* we've received a ntlm request. pass to a helper */
189 debugs(29, 9, HERE << "auth state ntlm none. Received blob: '" << proxy_auth << "'");
190 user()->credentials(Auth::Pending);
191 safe_free(client_blob);
192 client_blob=xstrdup(blob);
193 assert(conn->auth_user_request == NULL);
194 conn->auth_user_request = this;
195 request = aRequest;
196 HTTPMSGLOCK(request);
197 break;
198
199 case Auth::Pending:
200 debugs(29, 1, HERE << "need to ask helper");
201 break;
202
203 case Auth::Handshake:
204 /* we should have received a blob from the client. Hand it off to
205 * some helper */
206 safe_free(client_blob);
207 client_blob = xstrdup(blob);
208 if (request)
209 HTTPMSGUNLOCK(request);
210 request = aRequest;
211 HTTPMSGLOCK(request);
212 break;
213
214 case Auth::Ok:
215 fatal("Auth::Ntlm::UserRequest::authenticate: unexpect auth state DONE! Report a bug to the squid developers.\n");
216 break;
217
218 case Auth::Failed:
219 /* we've failed somewhere in authentication */
220 debugs(29, 9, HERE << "auth state ntlm failed. " << proxy_auth);
221 break;
222 }
223 }
224
225 void
226 Auth::Ntlm::UserRequest::HandleReply(void *data, void *lastserver, char *reply)
227 {
228 Auth::StateData *r = static_cast<Auth::StateData *>(data);
229 char *blob;
230
231 debugs(29, 8, HERE << "helper: '" << lastserver << "' sent us '" << (reply ? reply : "<NULL>") << "'");
232
233 if (!cbdataReferenceValid(r->data)) {
234 debugs(29, DBG_IMPORTANT, "ERROR: NTLM Authentication invalid callback data. helper '" << lastserver << "'.");
235 delete r;
236 return;
237 }
238
239 if (!reply) {
240 debugs(29, DBG_IMPORTANT, "ERROR: NTLM Authentication Helper '" << lastserver << "' crashed!.");
241 reply = (char *)"BH Internal error";
242 }
243
244 Auth::UserRequest::Pointer auth_user_request = r->auth_user_request;
245 assert(auth_user_request != NULL);
246
247 Auth::Ntlm::UserRequest *lm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
248 assert(lm_request != NULL);
249 assert(lm_request->waiting);
250
251 lm_request->waiting = 0;
252 safe_free(lm_request->client_blob);
253
254 assert(auth_user_request->user() != NULL);
255 assert(auth_user_request->user()->auth_type == Auth::AUTH_NTLM);
256
257 if (lm_request->authserver == NULL)
258 lm_request->authserver = static_cast<helper_stateful_server*>(lastserver);
259 else
260 assert(lm_request->authserver == lastserver);
261
262 /* seperate out the useful data */
263 blob = strchr(reply, ' ');
264 if (blob)
265 blob++;
266
267 if (strncasecmp(reply, "TT ", 3) == 0) {
268 /* we have been given a blob to send to the client */
269 safe_free(lm_request->server_blob);
270 lm_request->request->flags.must_keepalive = 1;
271 if (lm_request->request->flags.proxy_keepalive) {
272 lm_request->server_blob = xstrdup(blob);
273 auth_user_request->user()->credentials(Auth::Handshake);
274 auth_user_request->denyMessage("Authentication in progress");
275 debugs(29, 4, HERE << "Need to challenge the client with a server blob '" << blob << "'");
276 } else {
277 auth_user_request->user()->credentials(Auth::Failed);
278 auth_user_request->denyMessage("NTLM authentication requires a persistent connection");
279 }
280 } else if (strncasecmp(reply, "AF ", 3) == 0) {
281 /* we're finished, release the helper */
282 auth_user_request->user()->username(blob);
283 auth_user_request->denyMessage("Login successful");
284 safe_free(lm_request->server_blob);
285 lm_request->releaseAuthServer();
286
287 debugs(29, 4, HERE << "Successfully validated user via NTLM. Username '" << blob << "'");
288 /* connection is authenticated */
289 debugs(29, 4, HERE << "authenticated user " << auth_user_request->user()->username());
290 /* see if this is an existing user with a different proxy_auth
291 * string */
292 AuthUserHashPointer *usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, auth_user_request->user()->username()));
293 Auth::User::Pointer local_auth_user = lm_request->user();
294 while (usernamehash && (usernamehash->user()->auth_type != Auth::AUTH_NTLM ||
295 strcmp(usernamehash->user()->username(), auth_user_request->user()->username()) != 0))
296 usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
297 if (usernamehash) {
298 /* we can't seamlessly recheck the username due to the
299 * challenge-response nature of the protocol.
300 * Just free the temporary auth_user after merging as
301 * much of it new state into the existing one as possible */
302 usernamehash->user()->absorb(local_auth_user);
303 /* from here on we are working with the original cached credentials. */
304 local_auth_user = usernamehash->user();
305 auth_user_request->user(local_auth_user);
306 } else {
307 /* store user in hash's */
308 local_auth_user->addToNameCache();
309 }
310 /* set these to now because this is either a new login from an
311 * existing user or a new user */
312 local_auth_user->expiretime = current_time.tv_sec;
313 auth_user_request->user()->credentials(Auth::Ok);
314 debugs(29, 4, HERE << "Successfully validated user via NTLM. Username '" << blob << "'");
315
316 } else if (strncasecmp(reply, "NA ", 3) == 0) {
317 /* authentication failure (wrong password, etc.) */
318 auth_user_request->denyMessage(blob);
319 auth_user_request->user()->credentials(Auth::Failed);
320 safe_free(lm_request->server_blob);
321 lm_request->releaseAuthServer();
322 debugs(29, 4, HERE << "Failed validating user via NTLM. Error returned '" << blob << "'");
323 } else if (strncasecmp(reply, "BH ", 3) == 0) {
324 /* TODO kick off a refresh process. This can occur after a YR or after
325 * a KK. If after a YR release the helper and resubmit the request via
326 * Authenticate NTLM start.
327 * If after a KK deny the user's request w/ 407 and mark the helper as
328 * Needing YR. */
329 auth_user_request->denyMessage(blob);
330 auth_user_request->user()->credentials(Auth::Failed);
331 safe_free(lm_request->server_blob);
332 lm_request->releaseAuthServer();
333 debugs(29, DBG_IMPORTANT, "ERROR: NTLM Authentication validating user. Error returned '" << reply << "'");
334 } else {
335 /* protocol error */
336 fatalf("authenticateNTLMHandleReply: *** Unsupported helper response ***, '%s'\n", reply);
337 }
338
339 if (lm_request->request) {
340 HTTPMSGUNLOCK(lm_request->request);
341 lm_request->request = NULL;
342 }
343 r->handler(r->data, NULL);
344 delete r;
345 }
Mirror of https://github.com/squid-cache/squid.git