[thirdparty/squid.git] / src / acl / external / kerberos_sid_group / ext_kerberos_sid_group_acl.pl.in

#!@PERL@ -w

use strict;
use Pod::Usage;
use Getopt::Long;
use File::Basename;
use Date::Format;

=pod

=head1 NAME

 ext_kerberos_sid_group_acl - external ACL helper for Squid to verify AD Domain group membership using sid.

=head1 SYNOPSIS

 ext_kerberos_sid_group_acl [-d] [-h] -p Principal Name -D Domain Controller -b Base DN -G Group1:Group2

=head1 DESCRIPTION

B<ext_kerberos_sid_group_acl> is an installed executable script.
It uses B<ldapsearch> from Openldap to lookup the name of a AD group sid.

This helper must be used in with the negotiate_kerberos_auth helper in a
Microsft AD or Samba environement.

It reads from the standard input the domain username and a list of group sids
and tries to match the group SIDs to the AD group sids.

=head1 OPTIONS

=over 12

=item B<-d>

Write debug info to stderr.

=item B<-h>

Print the help.

=item B<-p principal name>

Principal name in squid keytab to use for ldap authentication to AD

=item B<-D domain controller>

Domain controller to contact to lookup group SID

=item B<-b base DN>

Base DN for ldap search

=item B<-G AD group name>

AD group name to be used for SID lookup. List separated by a colon (:)

=back

=head1 CONFIGURATION

  auth_param negotiate program /path/to/negotiate_wrapper_auth -d \
       --ntlm /path/to/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain example.com \
       --kerberos /path/to/negotiate_kerberos_auth -d -s GSS_C_NO_NAME -k /path/to/squid.keytab -t none
  external_acl_type sid_check %LOGIN %note{group} /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2
  acl squid_allow external sid_check
  acl allowed_group external sid_check
  http_access allow allowed_group

If the local perl interpreter is in a unusual location it may need to be added:

  external_acl_type sid_check %LOGIN %note{group} /path/to/perl /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2

=head1 AUTHOR

This program was written by Markus Moeller <markus_moeller@compuserve.com>

This manual was written by Markus Moeller <markus_moeller@compuserve.com>

=head1 COPYRIGHT

 * Copyright (C) 1996-2020 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.

 This program is put in the public domain by Markus Moeller
 <markus_moeller@compuserve.com>. It is distributed in the hope that it will
 be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

=head1 QUESTIONS

Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@lists.squid-cache.org>>

=head1 REPORTING BUGS

Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.

Report bugs or bug fixes using http://bugs.squid-cache.org/

Report serious security bugs to I<Squid Bugs <squid-bugs@lists.squid-cache.org>>

Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@lists.squid-cache.org>>

=head1 SEE ALSO

negotiate_kerberos_auth(8)

The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq

The Squid Configuration Manual http://www.squid-cache.org/Doc/config/

=cut

#
# Version history:
#   2018-06-10 Markus Moeller <markus_moeller@compuserve.com>
#               Initial release
#
# Globals
#
use vars qw/ %opt /;

my $name = basename($0);
my $principal;
my $dc;
my $basedn;
my $ccname="/tmp/squid_krb5cc";
my $groupSIDs;
my @ADgroupSIDs;
my $user;
my @groups;
my $ans;

# Disable output buffering
$|=1;

sub debug()
{
	my @lt = localtime;
	print STDERR strftime("%Y/%m/%d %H:%M:%S", @lt)." | $name: @_\n" if $opt{d};
}

sub info()
{
	my @lt = localtime;
	print STDERR strftime("%Y/%m/%d %H:%M:%S", @lt)." | $name: @_\n";
}

sub check()
{
	if ( grep( /^@_$/, @ADgroupSIDs) ) {
		&debug("DEBUG: Found @_ in AD group SID");
		return "OK";
	} else {
		&debug("DEBUG: Did not find @_ in AD group SID");
		return "ERR";
	}
}

#
# Command line options processing
#
sub init()
{
	use Getopt::Std;
	my $errmsg;
	my $opt_string = 'hdD:p:b:G:';
	getopts( "$opt_string", \%opt ) or usage();
	Pod::Usage::pod2usage(1) if $opt{h};
	Pod::Usage::pod2usage(1) if not defined $opt{D};
	Pod::Usage::pod2usage(1) if not defined $opt{b};
	Pod::Usage::pod2usage(1) if not defined $opt{p};
	Pod::Usage::pod2usage(1) if not defined $opt{G};

	$ENV{'KRB5CCNAME'} = $ccname;

	@groups = split(/:/,$opt{G});
	$errmsg=`kinit -k $opt{p} 2>&1`;
	&info("ERROR: $errmsg") if $errmsg;
	exit 99 if $errmsg;

	$errmsg="";
	foreach my $group (@groups) {
		open(LDAP, "ldapsearch -LLL -Ygssapi -H ldap://$opt{D}:389 -s sub -b \"$opt{b}\" \"(CN=$group)\" objectsid 2>&1 |");
		my $sid;
		while (<LDAP>) {
			chomp($_);
			if ( $_ =~ /^object/ && defined $sid ) {
				&info("ERROR: multiple SIDs returned for group $group");
			} elsif ( $_ =~ /^object/ ) {
				$sid=$_;
				$sid=~s/^[^\s]+\s+//;
			} else {
				$errmsg=$errmsg.";".$_;
			}
		}
		close(LDAP);
		if ( ! defined $sid ) {
			$errmsg=~s/^;//;
			&info("ERROR: $errmsg");
			&info("ERROR: no SID returned for group $group");
		} else {
			&info("INFO:ldapsearch result Group=$group, SID=$sid");
			push @ADgroupSIDs, $sid;
		}
	}
	&info("ERROR: Exit as no sid was found for any group") if ! @ADgroupSIDs;
	exit 99 if ! @ADgroupSIDs;
}

init();
&debug("INFO: Debugging mode ON.");

#
# Main loop
#
while (<STDIN>) {
        chop;
        &debug("DEBUG: Got $_ from squid");
        ($user, $groupSIDs) = split(/\s+/);
        if ( defined $user && defined $groupSIDs ) {
		&debug("DEBUG: user=$user");
		&debug("DEBUG: groups=$groupSIDs");
		# test for each group squid send in it's request
		foreach my $group (split(/,/,$groupSIDs)) {
			$ans = &check($group);
			last if $ans eq "OK";
		}
		&debug("DEBUG: Sending $ans to squid");
		print "$ans\n";
        } else {
		&debug("DEBUG: Sending ERR to squid");
		print "ERR\n";
	}
}
Commit	Line	Data
4a544c9d	1	#!@PERL@ -w
	2
	3	use strict;
	4	use Pod::Usage;
	5	use Getopt::Long;
	6	use File::Basename;
	7	use Date::Format;
	8
	9	=pod
	10
	11	=head1 NAME
	12
	13	ext_kerberos_sid_group_acl - external ACL helper for Squid to verify AD Domain group membership using sid.
	14
	15	=head1 SYNOPSIS
	16
	17	ext_kerberos_sid_group_acl [-d] [-h] -p Principal Name -D Domain Controller -b Base DN -G Group1:Group2
	18
	19	=head1 DESCRIPTION
	20
	21	B<ext_kerberos_sid_group_acl> is an installed executable script.
	22	It uses B<ldapsearch> from Openldap to lookup the name of a AD group sid.
	23
	24	This helper must be used in with the negotiate_kerberos_auth helper in a
	25	Microsft AD or Samba environement.
	26
	27	It reads from the standard input the domain username and a list of group sids
	28	and tries to match the group SIDs to the AD group sids.
	29
	30	=head1 OPTIONS
	31
	32	=over 12
	33
	34	=item B<-d>
	35
	36	Write debug info to stderr.
	37
	38	=item B<-h>
	39
	40	Print the help.
	41
	42	=item B<-p principal name>
	43
	44	Principal name in squid keytab to use for ldap authentication to AD
	45
	46	=item B<-D domain controller>
	47
	48	Domain controller to contact to lookup group SID
	49
	50	=item B<-b base DN>
	51
	52	Base DN for ldap search
	53
	54	=item B<-G AD group name>
	55
	56	AD group name to be used for SID lookup. List separated by a colon (:)
	57
	58	=back
	59
	60	=head1 CONFIGURATION
	61
	62	auth_param negotiate program /path/to/negotiate_wrapper_auth -d \
	63	--ntlm /path/to/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain example.com \
	64	--kerberos /path/to/negotiate_kerberos_auth -d -s GSS_C_NO_NAME -k /path/to/squid.keytab -t none
65	external_acl_type sid_check %LOGIN %note{group} /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2
66	acl squid_allow external sid_check
67	acl allowed_group external sid_check
68	http_access allow allowed_group
69
70	If the local perl interpreter is in a unusual location it may need to be added:
71
72	external_acl_type sid_check %LOGIN %note{group} /path/to/perl /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2
73
74	=head1 AUTHOR
75
76	This program was written by Markus Moeller <markus_moeller@compuserve.com>
77
78	This manual was written by Markus Moeller <markus_moeller@compuserve.com>
79
80	=head1 COPYRIGHT
81
77b1029d	82	* Copyright (C) 1996-2020 The Squid Software Foundation and contributors
4a544c9d	83	*
	84	* Squid software is distributed under GPLv2+ license and includes
	85	* contributions from numerous individuals and organizations.
	86	* Please see the COPYING and CONTRIBUTORS files for details.
	87
	88	This program is put in the public domain by Markus Moeller
	89	<markus_moeller@compuserve.com>. It is distributed in the hope that it will
	90	be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
	91	of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
	92
	93	=head1 QUESTIONS
	94
	95	Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@lists.squid-cache.org>>
	96
	97	=head1 REPORTING BUGS
	98
	99	Bug reports need to be made in English.
	100	See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
	101
	102	Report bugs or bug fixes using http://bugs.squid-cache.org/
	103
	104	Report serious security bugs to I<Squid Bugs <squid-bugs@lists.squid-cache.org>>
	105
	106	Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@lists.squid-cache.org>>
	107
	108	=head1 SEE ALSO
	109
	110	negotiate_kerberos_auth(8)
	111
	112	The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
	113
	114	The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
	115
	116	=cut
	117
	118	#
	119	# Version history:
	120	# 2018-06-10 Markus Moeller <markus_moeller@compuserve.com>
	121	# Initial release
	122	#
	123	# Globals
	124	#
	125	use vars qw/ %opt /;
	126
	127	my $name = basename($0);
	128	my $principal;
	129	my $dc;
	130	my $basedn;
	131	my $ccname="/tmp/squid_krb5cc";
	132	my $groupSIDs;
	133	my @ADgroupSIDs;
	134	my $user;
	135	my @groups;
	136	my $ans;
	137
	138	# Disable output buffering
	139	$\|=1;
	140
	141	sub debug()
	142	{
	143	my @lt = localtime;
	144	print STDERR strftime("%Y/%m/%d %H:%M:%S", @lt)." \| $name: @_\n" if $opt{d};
	145	}
	146
147	sub info()
148	{
149	my @lt = localtime;
150	print STDERR strftime("%Y/%m/%d %H:%M:%S", @lt)." \| $name: @_\n";
151	}
152
153	sub check()
154	{
155	if ( grep( /^@_$/, @ADgroupSIDs) ) {
156	&debug("DEBUG: Found @_ in AD group SID");
157	return "OK";
158	} else {
159	&debug("DEBUG: Did not find @_ in AD group SID");
160	return "ERR";
161	}
162	}
163
164	#
165	# Command line options processing
166	#
167	sub init()
168	{
169	use Getopt::Std;
170	my $errmsg;
171	my $opt_string = 'hdD:p:b:G:';
172	getopts( "$opt_string", \%opt ) or usage();
173	Pod::Usage::pod2usage(1) if $opt{h};
174	Pod::Usage::pod2usage(1) if not defined $opt{D};
175	Pod::Usage::pod2usage(1) if not defined $opt{b};
176	Pod::Usage::pod2usage(1) if not defined $opt{p};
177	Pod::Usage::pod2usage(1) if not defined $opt{G};
178
179	$ENV{'KRB5CCNAME'} = $ccname;
180
181	@groups = split(/:/,$opt{G});
182	$errmsg=`kinit -k $opt{p} 2>&1`;
183	&info("ERROR: $errmsg") if $errmsg;
184	exit 99 if $errmsg;
185
186	$errmsg="";
187	foreach my $group (@groups) {
188	open(LDAP, "ldapsearch -LLL -Ygssapi -H ldap://$opt{D}:389 -s sub -b \"$opt{b}\" \"(CN=$group)\" objectsid 2>&1 \|");
189	my $sid;
190	while (<LDAP>) {
191	chomp($_);
192	if ( $_ =~ /^object/ && defined $sid ) {
193	&info("ERROR: multiple SIDs returned for group $group");
194	} elsif ( $_ =~ /^object/ ) {
195	$sid=$_;
196	$sid=~s/^[^\s]+\s+//;
197	} else {
198	$errmsg=$errmsg.";".$_;
199	}
200	}
201	close(LDAP);
202	if ( ! defined $sid ) {
203	$errmsg=~s/^;//;
204	&info("ERROR: $errmsg");
205	&info("ERROR: no SID returned for group $group");
206	} else {
207	&info("INFO:ldapsearch result Group=$group, SID=$sid");
208	push @ADgroupSIDs, $sid;
209	}
210	}
211	&info("ERROR: Exit as no sid was found for any group") if ! @ADgroupSIDs;
212	exit 99 if ! @ADgroupSIDs;
213	}
214
215	init();
216	&debug("INFO: Debugging mode ON.");
217
218	#
219	# Main loop
220	#
221	while (<STDIN>) {
222	chop;
223	&debug("DEBUG: Got $_ from squid");
224	($user, $groupSIDs) = split(/\s+/);
225	if ( defined $user && defined $groupSIDs ) {
226	&debug("DEBUG: user=$user");
227	&debug("DEBUG: groups=$groupSIDs");
228	# test for each group squid send in it's request
229	foreach my $group (split(/,/,$groupSIDs)) {
230	$ans = &check($group);
231	last if $ans eq "OK";
232	}
233	&debug("DEBUG: Sending $ans to squid");
234	print "$ans\n";
235	} else {
236	&debug("DEBUG: Sending ERR to squid");
237	print "ERR\n";
238	}
239	}
240