[thirdparty/squid.git] / helpers / basic_auth / SSPI / valid.cc

/*
  NT_auth -  Version 2.0

  Modified to act as a Squid authenticator module.
  Removed all Pike stuff.
  Returns OK for a successful authentication, or ERR upon error.

  Guido Serassio, Torino - Italy

  Uses code from -
    Antonino Iannella 2000
    Andrew Tridgell 1997
    Richard Sharpe 1996
    Bill Welliver 1999

 * Distributed freely under the terms of the GNU General Public License,
 * version 2. See the file COPYING for licensing details
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.

 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
*/

#include "squid.h"
#include "util.h"

/* Check if we try to compile on a Windows Platform */
#if !_SQUID_WINDOWS_
/* NON Windows Platform !!! */
#error NON WINDOWS PLATFORM
#endif

#if _SQUID_CYGWIN_
#include <wchar.h>
#endif
#include "valid.h"

char Default_NTDomain[DNLEN+1] = NTV_DEFAULT_DOMAIN;
const char * errormsg;

const char NTV_SERVER_ERROR_MSG[] = "Internal server errror";
const char NTV_GROUP_ERROR_MSG[] = "User not allowed to use this cache";
const char NTV_LOGON_ERROR_MSG[] = "No such user or wrong password";
const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/";

/* returns 1 on success, 0 on failure */
int
Valid_Group(char *UserName, char *Group)
{
    int result = FALSE;
    WCHAR wszUserName[256];	// Unicode user name
    WCHAR wszGroup[256];	// Unicode Group

    LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
    LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
    DWORD dwLevel = 0;
    DWORD dwFlags = LG_INCLUDE_INDIRECT;
    DWORD dwPrefMaxLen = -1;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    NET_API_STATUS nStatus;
    DWORD i;
    DWORD dwTotalCount = 0;

    /* Convert ANSI User Name and Group to Unicode */

    MultiByteToWideChar(CP_ACP, 0, UserName,
                        strlen(UserName) + 1, wszUserName,
                        sizeof(wszUserName) / sizeof(wszUserName[0]));
    MultiByteToWideChar(CP_ACP, 0, Group,
                        strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));

    /*
     * Call the NetUserGetLocalGroups function
     * specifying information level 0.
     *
     * The LG_INCLUDE_INDIRECT flag specifies that the
     * function should also return the names of the local
     * groups in which the user is indirectly a member.
     */
    nStatus = NetUserGetLocalGroups(NULL,
                                    wszUserName,
                                    dwLevel,
                                    dwFlags,
                                    (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
    /*
     * If the call succeeds,
     */
    if (nStatus == NERR_Success) {
        if ((pTmpBuf = pBuf) != NULL) {
            for (i = 0; i < dwEntriesRead; i++) {
                if (pTmpBuf == NULL) {
                    result = FALSE;
                    break;
                }
                if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
                    result = TRUE;
                    break;
                }
                pTmpBuf++;
                dwTotalCount++;
            }
        }
    } else
        result = FALSE;
    /*
     * Free the allocated memory.
     */
    if (pBuf != NULL)
        NetApiBufferFree(pBuf);
    return result;
}

/* Valid_User return codes -
   0 - User authenticated successfully.
   1 - Server error.
   2 - Group membership error.
   3 - Logon error; Incorrect password or username given.
*/

int
Valid_User(char *UserName, char *Password, char *Group)
{
    int result = NTV_SERVER_ERROR;
    size_t i;
    char NTDomain[256];
    char *domain_qualify = NULL;
    char DomainUser[256];
    char User[256];

    errormsg = NTV_SERVER_ERROR_MSG;
    strncpy(NTDomain, UserName, sizeof(NTDomain));

    for (i=0; i < strlen(NTV_VALID_DOMAIN_SEPARATOR); i++) {
        if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[i])) != NULL)
            break;
    }
    if (domain_qualify == NULL) {
        strcpy(User, NTDomain);
        strcpy(NTDomain, Default_NTDomain);
    } else {
        strcpy(User, domain_qualify + 1);
        domain_qualify[0] = '\0';
    }
    /* Log the client on to the local computer. */
    if (!SSP_LogonUser(User, Password, NTDomain)) {
        result = NTV_LOGON_ERROR;
        errormsg = NTV_LOGON_ERROR_MSG;
        debug("%s\n", errormsg);
    } else {
        result = NTV_NO_ERROR;
        if (strcmp(NTDomain, NTV_DEFAULT_DOMAIN) == 0)
            strcpy(DomainUser, User);
        else {
            strcpy(DomainUser, NTDomain);
            strcat(DomainUser, "\\");
            strcat(DomainUser, User);
        }
        if (UseAllowedGroup) {
            if (!Valid_Group(DomainUser, NTAllowedGroup)) {
                result = NTV_GROUP_ERROR;
                errormsg = NTV_GROUP_ERROR_MSG;
                debug("%s\n", errormsg);
            }
        }
        if (UseDisallowedGroup) {
            if (Valid_Group(DomainUser, NTDisAllowedGroup)) {
                result = NTV_GROUP_ERROR;
                errormsg = NTV_GROUP_ERROR_MSG;
                debug("%s\n", errormsg);
            }
        }
    }
    return result;
}
Commit	Line	Data
6e785d85	1	/*
	2	NT_auth - Version 2.0
	3
	4	Modified to act as a Squid authenticator module.
	5	Removed all Pike stuff.
	6	Returns OK for a successful authentication, or ERR upon error.
	7
	8	Guido Serassio, Torino - Italy
	9
	10	Uses code from -
	11	Antonino Iannella 2000
	12	Andrew Tridgell 1997
	13	Richard Sharpe 1996
	14	Bill Welliver 1999
	15
	16	* Distributed freely under the terms of the GNU General Public License,
	17	* version 2. See the file COPYING for licensing details
	18	*
	19	* This program is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU General Public License for more details.
26ac0430	23
6e785d85	24	* You should have received a copy of the GNU General Public License
	25	* along with this program; if not, write to the Free Software
	26	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	27	*/
	28
f7f3304a	29	#include "squid.h"
6e785d85	30	#include "util.h"
	31
	32	/* Check if we try to compile on a Windows Platform */
be266cb2 AJ	33	#if !_SQUID_WINDOWS_
	34	/* NON Windows Platform !!! */
	35	#error NON WINDOWS PLATFORM
	36	#endif
6e785d85	37
be266cb2	38	#if _SQUID_CYGWIN_
6e785d85	39	#include <wchar.h>
	40	#endif
	41	#include "valid.h"
	42
	43	char Default_NTDomain[DNLEN+1] = NTV_DEFAULT_DOMAIN;
	44	const char * errormsg;
	45
	46	const char NTV_SERVER_ERROR_MSG[] = "Internal server errror";
	47	const char NTV_GROUP_ERROR_MSG[] = "User not allowed to use this cache";
	48	const char NTV_LOGON_ERROR_MSG[] = "No such user or wrong password";
	49	const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/";
	50
	51	/* returns 1 on success, 0 on failure */
	52	int
	53	Valid_Group(char UserName, char Group)
	54	{
	55	int result = FALSE;
	56	WCHAR wszUserName[256]; // Unicode user name
	57	WCHAR wszGroup[256]; // Unicode Group
	58
	59	LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
	60	LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
	61	DWORD dwLevel = 0;
	62	DWORD dwFlags = LG_INCLUDE_INDIRECT;
	63	DWORD dwPrefMaxLen = -1;
	64	DWORD dwEntriesRead = 0;
	65	DWORD dwTotalEntries = 0;
	66	NET_API_STATUS nStatus;
	67	DWORD i;
	68	DWORD dwTotalCount = 0;
	69
26ac0430	70	/* Convert ANSI User Name and Group to Unicode */
6e785d85	71
6e785d85	72	MultiByteToWideChar(CP_ACP, 0, UserName,
26ac0430 AJ	73	strlen(UserName) + 1, wszUserName,
26ac0430 AJ	74	sizeof(wszUserName) / sizeof(wszUserName[0]));
6e785d85	75	MultiByteToWideChar(CP_ACP, 0, Group,
26ac0430	76	strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));
6e785d85	77
6e785d85	78	/*
26ac0430 AJ	79	* Call the NetUserGetLocalGroups function
	80	* specifying information level 0.
	81	*
	82	* The LG_INCLUDE_INDIRECT flag specifies that the
	83	* function should also return the names of the local
	84	* groups in which the user is indirectly a member.
	85	*/
	86	nStatus = NetUserGetLocalGroups(NULL,
	87	wszUserName,
	88	dwLevel,
	89	dwFlags,
	90	(LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
	91	/*
	92	* If the call succeeds,
	93	*/
6e785d85	94	if (nStatus == NERR_Success) {
26ac0430 AJ	95	if ((pTmpBuf = pBuf) != NULL) {
	96	for (i = 0; i < dwEntriesRead; i++) {
	97	if (pTmpBuf == NULL) {
	98	result = FALSE;
	99	break;
	100	}
	101	if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
	102	result = TRUE;
	103	break;
	104	}
	105	pTmpBuf++;
	106	dwTotalCount++;
	107	}
	108	}
6e785d85	109	} else
26ac0430 AJ	110	result = FALSE;
	111	/*
	112	* Free the allocated memory.
	113	*/
6e785d85	114	if (pBuf != NULL)
26ac0430	115	NetApiBufferFree(pBuf);
6e785d85	116	return result;
	117	}
	118
	119	/* Valid_User return codes -
	120	0 - User authenticated successfully.
	121	1 - Server error.
	122	2 - Group membership error.
	123	3 - Logon error; Incorrect password or username given.
	124	*/
	125
	126	int
	127	Valid_User(char UserName, char Password, char *Group)
	128	{
	129	int result = NTV_SERVER_ERROR;
	130	size_t i;
	131	char NTDomain[256];
f3f3e961	132	char *domain_qualify = NULL;
6e785d85	133	char DomainUser[256];
	134	char User[256];
	135
	136	errormsg = NTV_SERVER_ERROR_MSG;
	137	strncpy(NTDomain, UserName, sizeof(NTDomain));
	138
	139	for (i=0; i < strlen(NTV_VALID_DOMAIN_SEPARATOR); i++) {
	140	if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[i])) != NULL)
	141	break;
	142	}
	143	if (domain_qualify == NULL) {
26ac0430 AJ	144	strcpy(User, NTDomain);
26ac0430 AJ	145	strcpy(NTDomain, Default_NTDomain);
6e785d85	146	} else {
26ac0430 AJ	147	strcpy(User, domain_qualify + 1);
26ac0430 AJ	148	domain_qualify[0] = '\0';
6e785d85	149	}
	150	/* Log the client on to the local computer. */
	151	if (!SSP_LogonUser(User, Password, NTDomain)) {
26ac0430	152	result = NTV_LOGON_ERROR;
6e785d85	153	errormsg = NTV_LOGON_ERROR_MSG;
	154	debug("%s\n", errormsg);
	155	} else {
26ac0430 AJ	156	result = NTV_NO_ERROR;
	157	if (strcmp(NTDomain, NTV_DEFAULT_DOMAIN) == 0)
	158	strcpy(DomainUser, User);
	159	else {
	160	strcpy(DomainUser, NTDomain);
	161	strcat(DomainUser, "\\");
	162	strcat(DomainUser, User);
	163	}
	164	if (UseAllowedGroup) {
	165	if (!Valid_Group(DomainUser, NTAllowedGroup)) {
	166	result = NTV_GROUP_ERROR;
6e785d85	167	errormsg = NTV_GROUP_ERROR_MSG;
6e785d85	168	debug("%s\n", errormsg);
26ac0430 AJ	169	}
	170	}
	171	if (UseDisallowedGroup) {
	172	if (Valid_Group(DomainUser, NTDisAllowedGroup)) {
	173	result = NTV_GROUP_ERROR;
6e785d85	174	errormsg = NTV_GROUP_ERROR_MSG;
6e785d85	175	debug("%s\n", errormsg);
26ac0430 AJ	176	}
26ac0430 AJ	177	}
6e785d85	178	}
	179	return result;
	180	}