6e785d85 | 1 | /* |
2 | NT_auth - Version 2.0 | |
3 | ||
4 | Modified to act as a Squid authenticator module. | |
5 | Removed all Pike stuff. | |
6 | Returns OK for a successful authentication, or ERR upon error. | |
7 | ||
8 | Guido Serassio, Torino - Italy | |
9 | ||
10 | Uses code from - | |
11 | Antonino Iannella 2000 | |
12 | Andrew Tridgell 1997 | |
13 | Richard Sharpe 1996 | |
14 | Bill Welliver 1999 | |
15 | ||
16 | * Distributed freely under the terms of the GNU General Public License, | |
17 | * version 2. See the file COPYING for licensing details | |
18 | * | |
19 | * This program is distributed in the hope that it will be useful, | |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
22 | * GNU General Public License for more details. | |
26ac0430 | 23 | |
6e785d85 | 24 | * You should have received a copy of the GNU General Public License |
25 | * along with this program; if not, write to the Free Software | |
26 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
27 | */ | |
28 | ||
f7f3304a | 29 | #include "squid.h" |
6e785d85 | 30 | #include "util.h" |
31 | ||
32 | /* Check if we try to compile on a Windows Platform */ | |
33 | #if !_SQUID_WINDOWS_ |
34 | /* NON Windows Platform !!! */ | |
35 | #error NON WINDOWS PLATFORM | |
36 | #endif | |
6e785d85 | 37 | |
be266cb2 | 38 | #if _SQUID_CYGWIN_ |
6e785d85 | 39 | #include <wchar.h> |
40 | #endif | |
41 | #include "valid.h" | |
42 | ||
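/* Domain used when the client's user name carries no "DOMAIN\" or "DOMAIN/"
 * prefix (see NTV_VALID_DOMAIN_SEPARATOR and Valid_User()).  Sized for a
 * NetBIOS domain name (DNLEN) plus terminator and deliberately writable, so
 * the compiled-in default can presumably be overridden at startup elsewhere
 * (not visible in this file). */
char Default_NTDomain[DNLEN+1] = NTV_DEFAULT_DOMAIN;

/* Reason for the most recent Valid_User() failure.  Always points at one of
 * the constant messages below, never at heap or stack memory. */
const char * errormsg;

/* User-visible failure texts.  The server-error text was misspelled
 * ("errror"); fixed to "error". */
const char NTV_SERVER_ERROR_MSG[] = "Internal server error";
const char NTV_GROUP_ERROR_MSG[] = "User not allowed to use this cache";
const char NTV_LOGON_ERROR_MSG[] = "No such user or wrong password";

/* Characters accepted between the domain and the user name.  Valid_User()
 * tries them in this order: a backslash wins over a forward slash. */
const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/";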
50 | ||
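/* Returns 1 (TRUE) when UserName is a direct or indirect member of the local
 * group named Group, 0 (FALSE) otherwise.
 *
 * UserName is either a plain name or the "DOMAIN\user" form that Valid_User()
 * builds.  Membership is resolved with NetUserGetLocalGroups() against the
 * local computer (NULL server name) at information level 0, with
 * LG_INCLUDE_INDIRECT so that groups the user belongs to through other
 * groups count as well.
 *
 * Caveat for callers: 0 also covers every failure path (name conversion
 * failed, NetAPI call failed, empty result), so "not a member" and "could not
 * look it up" are indistinguishable here.  A caller that uses this function
 * as a deny-list test therefore fails open when the lookup itself fails.
 */
int
Valid_Group(char *UserName, char *Group)
{
    int result = FALSE;
    WCHAR wszUserName[256];     // Unicode user name
    WCHAR wszGroup[256];        // Unicode group name
    LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
    DWORD dwLevel = 0;
    DWORD dwFlags = LG_INCLUDE_INDIRECT;
    DWORD dwPrefMaxLen = (DWORD) -1;    // MAX_PREFERRED_LENGTH: let NetAPI size the buffer
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    NET_API_STATUS nStatus;
    DWORD i;

    /*
     * Convert the ANSI names (terminator included) to Unicode.  The user name
     * ultimately comes from the client, so it may not fit the fixed buffer:
     * MultiByteToWideChar() then returns 0 and the destination is not
     * reliably NUL-terminated.  Bail out rather than hand an unterminated
     * buffer to NetAPI.
     */
    if (MultiByteToWideChar(CP_ACP, 0, UserName, strlen(UserName) + 1,
                            wszUserName,
                            sizeof(wszUserName) / sizeof(wszUserName[0])) == 0)
        return FALSE;
    if (MultiByteToWideChar(CP_ACP, 0, Group, strlen(Group) + 1,
                            wszGroup,
                            sizeof(wszGroup) / sizeof(wszGroup[0])) == 0)
        return FALSE;

    /*
     * Fetch the local groups the user is a (direct or indirect) member of.
     * NetAPI allocates pBuf; it is released with NetApiBufferFree() below.
     */
    nStatus = NetUserGetLocalGroups(NULL,
                                    wszUserName,
                                    dwLevel,
                                    dwFlags,
                                    (LPBYTE *) &pBuf,
                                    dwPrefMaxLen,
                                    &dwEntriesRead,
                                    &dwTotalEntries);

    if (nStatus == NERR_Success && pBuf != NULL) {
        /* Linear scan over the returned entries; exact (case-sensitive)
         * wide-string comparison, as before. */
        for (i = 0; i < dwEntriesRead; i++) {
            if (wcscmp(pBuf[i].lgrui0_name, wszGroup) == 0) {
                result = TRUE;
                break;
            }
        }
    }

    if (pBuf != NULL)
        NetApiBufferFree(pBuf);

    return result;
}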
118 | ||
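/* Valid_User return codes -
   0 - User authenticated successfully.
   1 - Server error.
   2 - Group membership error.
   3 - Logon error; Incorrect password or username given.
   The NTV_NO_ERROR / NTV_SERVER_ERROR / NTV_GROUP_ERROR / NTV_LOGON_ERROR
   symbols used below come from valid.h.
*/

/*
 * Authenticate UserName/Password against Windows and apply the configured
 * group policy.
 *
 * UserName is "user", "DOMAIN\user" or "DOMAIN/user" (see
 * NTV_VALID_DOMAIN_SEPARATOR); without a domain part Default_NTDomain is
 * used.  Password is handed to SSP_LogonUser() untouched.  Group is accepted
 * for interface compatibility but is not used: the policy comes from the
 * UseAllowedGroup/NTAllowedGroup and UseDisallowedGroup/NTDisAllowedGroup
 * globals, evaluated in that order (a disallowed-group hit overrides an
 * allowed-group pass).
 *
 * On any non-zero return errormsg points at the matching NTV_*_ERROR_MSG.
 *
 * Buffer discipline: UserName comes straight from the client and every local
 * buffer here is fixed-size, so lengths are checked up front and the request
 * is refused when it does not fit.  Truncating with strncpy() would leave
 * NTDomain unterminated and the strcpy()/strcat() calls below would then run
 * past User and DomainUser.
 */
int
Valid_User(char *UserName, char *Password, char *Group)
{
    int result = NTV_SERVER_ERROR;
    size_t i;
    char NTDomain[256];
    char *domain_qualify = NULL;
    char DomainUser[256];
    char User[256];

    errormsg = NTV_SERVER_ERROR_MSG;

    /* A name that does not fit cannot match any account: report it as a
     * logon failure rather than copying a truncated, unterminated string. */
    if (strlen(UserName) >= sizeof(NTDomain)) {
        result = NTV_LOGON_ERROR;
        errormsg = NTV_LOGON_ERROR_MSG;
        debug("%s\n", errormsg);
        return result;
    }
    strcpy(NTDomain, UserName);

    /* Split at the first separator found, trying '\\' before '/'. */
    for (i = 0; i < strlen(NTV_VALID_DOMAIN_SEPARATOR); i++) {
        domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[i]);
        if (domain_qualify != NULL)
            break;
    }
    if (domain_qualify == NULL) {
        /* No domain given: User is the whole name (shorter than sizeof(User)
         * by the check above) and the domain is the configured default,
         * which is DNLEN+1 bytes and so always fits NTDomain. */
        strcpy(User, NTDomain);
        strcpy(NTDomain, Default_NTDomain);
    } else {
        /* Both pieces are substrings of the already-bounded NTDomain. */
        strcpy(User, domain_qualify + 1);
        domain_qualify[0] = '\0';
    }

    /* Log the client on to the local computer. */
    if (!SSP_LogonUser(User, Password, NTDomain)) {
        result = NTV_LOGON_ERROR;
        errormsg = NTV_LOGON_ERROR_MSG;
        debug("%s\n", errormsg);
        return result;
    }
    result = NTV_NO_ERROR;

    /* Build the name handed to Valid_Group(): bare for the default domain,
     * "DOMAIN\user" otherwise. */
    if (strcmp(NTDomain, NTV_DEFAULT_DOMAIN) == 0) {
        strcpy(DomainUser, User);
    } else {
        /* When the domain came from the client the two pieces are UserName
         * minus its separator and fit.  When it is a non-default
         * Default_NTDomain the sum can exceed DomainUser (up to DNLEN + 1 +
         * 255 bytes), so it has to be checked before concatenating. */
        if (strlen(NTDomain) + 1 + strlen(User) >= sizeof(DomainUser)) {
            result = NTV_SERVER_ERROR;
            errormsg = NTV_SERVER_ERROR_MSG;
            debug("%s\n", errormsg);
            return result;
        }
        strcpy(DomainUser, NTDomain);
        strcat(DomainUser, "\\");
        strcat(DomainUser, User);
    }

    /* NOTE(review): Valid_Group() returns 0 for "not a member" and for a
     * failed lookup alike, so a lookup failure fails closed for the allowed
     * group but fails open for the disallowed group. */
    if (UseAllowedGroup) {
        if (!Valid_Group(DomainUser, NTAllowedGroup)) {
            result = NTV_GROUP_ERROR;
            errormsg = NTV_GROUP_ERROR_MSG;
            debug("%s\n", errormsg);
        }
    }
    if (UseDisallowedGroup) {
        if (Valid_Group(DomainUser, NTDisAllowedGroup)) {
            result = NTV_GROUP_ERROR;
            errormsg = NTV_GROUP_ERROR_MSG;
            debug("%s\n", errormsg);
        }
    }
    return result;
}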