[thirdparty/squid.git] / helpers / basic_auth / SSPI / valid.cc

/*
 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
  NT_auth -  Version 2.0

  Modified to act as a Squid authenticator module.
  Removed all Pike stuff.
  Returns OK for a successful authentication, or ERR upon error.

  Guido Serassio, Torino - Italy

  Uses code from -
    Antonino Iannella 2000
    Andrew Tridgell 1997
    Richard Sharpe 1996
    Bill Welliver 1999

 * Distributed freely under the terms of the GNU General Public License,
 * version 2. See the file COPYING for licensing details
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.

 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
*/

#include "squid.h"
#include "util.h"

/* Check if we try to compile on a Windows Platform */
#if !_SQUID_WINDOWS_
/* NON Windows Platform !!! */
#error NON WINDOWS PLATFORM
#endif

#if _SQUID_CYGWIN_
#include <wchar.h>
#endif
#include "valid.h"

char Default_NTDomain[DNLEN+1] = NTV_DEFAULT_DOMAIN;
const char * errormsg;

const char NTV_SERVER_ERROR_MSG[] = "Internal server errror";
const char NTV_GROUP_ERROR_MSG[] = "User not allowed to use this cache";
const char NTV_LOGON_ERROR_MSG[] = "No such user or wrong password";
const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/";

/* returns 1 on success, 0 on failure */
int
Valid_Group(char *UserName, char *Group)
{
    int result = FALSE;
    WCHAR wszUserName[256]; // Unicode user name
    WCHAR wszGroup[256];    // Unicode Group

    LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
    LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
    DWORD dwLevel = 0;
    DWORD dwFlags = LG_INCLUDE_INDIRECT;
    DWORD dwPrefMaxLen = -1;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    NET_API_STATUS nStatus;
    DWORD i;
    DWORD dwTotalCount = 0;

    /* Convert ANSI User Name and Group to Unicode */

    MultiByteToWideChar(CP_ACP, 0, UserName,
                        strlen(UserName) + 1, wszUserName,
                        sizeof(wszUserName) / sizeof(wszUserName[0]));
    MultiByteToWideChar(CP_ACP, 0, Group,
                        strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));

    /*
     * Call the NetUserGetLocalGroups function
     * specifying information level 0.
     *
     * The LG_INCLUDE_INDIRECT flag specifies that the
     * function should also return the names of the local
     * groups in which the user is indirectly a member.
     */
    nStatus = NetUserGetLocalGroups(NULL,
                                    wszUserName,
                                    dwLevel,
                                    dwFlags,
                                    (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
    /*
     * If the call succeeds,
     */
    if (nStatus == NERR_Success) {
        if ((pTmpBuf = pBuf) != NULL) {
            for (i = 0; i < dwEntriesRead; ++i) {
                if (pTmpBuf == NULL) {
                    result = FALSE;
                    break;
                }
                if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
                    result = TRUE;
                    break;
                }
                ++pTmpBuf;
                ++dwTotalCount;
            }
        }
    } else
        result = FALSE;
    /*
     * Free the allocated memory.
     */
    if (pBuf != NULL)
        NetApiBufferFree(pBuf);
    return result;
}

/* Valid_User return codes -
   0 - User authenticated successfully.
   1 - Server error.
   2 - Group membership error.
   3 - Logon error; Incorrect password or username given.
*/

int
Valid_User(char *UserName, char *Password, char *Group)
{
    int result = NTV_SERVER_ERROR;
    size_t i;
    char NTDomain[256];
    char *domain_qualify = NULL;
    char DomainUser[256];
    char User[256];

    errormsg = NTV_SERVER_ERROR_MSG;
    strncpy(NTDomain, UserName, sizeof(NTDomain));

    for (i=0; i < strlen(NTV_VALID_DOMAIN_SEPARATOR); ++i) {
        if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[i])) != NULL)
            break;
    }
    if (domain_qualify == NULL) {
        strcpy(User, NTDomain);
        strcpy(NTDomain, Default_NTDomain);
    } else {
        strcpy(User, domain_qualify + 1);
        domain_qualify[0] = '\0';
    }
    /* Log the client on to the local computer. */
    if (!SSP_LogonUser(User, Password, NTDomain)) {
        result = NTV_LOGON_ERROR;
        errormsg = NTV_LOGON_ERROR_MSG;
        debug("%s\n", errormsg);
    } else {
        result = NTV_NO_ERROR;
        if (strcmp(NTDomain, NTV_DEFAULT_DOMAIN) == 0)
            strcpy(DomainUser, User);
        else {
            strcpy(DomainUser, NTDomain);
            strcat(DomainUser, "\\");
            strcat(DomainUser, User);
        }
        if (UseAllowedGroup) {
            if (!Valid_Group(DomainUser, NTAllowedGroup)) {
                result = NTV_GROUP_ERROR;
                errormsg = NTV_GROUP_ERROR_MSG;
                debug("%s\n", errormsg);
            }
        }
        if (UseDisallowedGroup) {
            if (Valid_Group(DomainUser, NTDisAllowedGroup)) {
                result = NTV_GROUP_ERROR;
                errormsg = NTV_GROUP_ERROR_MSG;
                debug("%s\n", errormsg);
            }
        }
    }
    return result;
}
Commit	Line	Data
5b95b903 AJ	1	/*
	2	* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
6e785d85	9	/*
	10	NT_auth - Version 2.0
	11
	12	Modified to act as a Squid authenticator module.
	13	Removed all Pike stuff.
	14	Returns OK for a successful authentication, or ERR upon error.
	15
	16	Guido Serassio, Torino - Italy
	17
	18	Uses code from -
	19	Antonino Iannella 2000
	20	Andrew Tridgell 1997
	21	Richard Sharpe 1996
	22	Bill Welliver 1999
	23
	24	* Distributed freely under the terms of the GNU General Public License,
	25	* version 2. See the file COPYING for licensing details
	26	*
	27	* This program is distributed in the hope that it will be useful,
	28	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	29	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	30	* GNU General Public License for more details.
26ac0430	31
6e785d85	32	* You should have received a copy of the GNU General Public License
	33	* along with this program; if not, write to the Free Software
	34	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	35	*/
	36
f7f3304a	37	#include "squid.h"
6e785d85	38	#include "util.h"
	39
	40	/* Check if we try to compile on a Windows Platform */
be266cb2 AJ	41	#if !_SQUID_WINDOWS_
	42	/* NON Windows Platform !!! */
	43	#error NON WINDOWS PLATFORM
	44	#endif
6e785d85	45
be266cb2	46	#if _SQUID_CYGWIN_
6e785d85	47	#include <wchar.h>
	48	#endif
	49	#include "valid.h"
	50
	51	char Default_NTDomain[DNLEN+1] = NTV_DEFAULT_DOMAIN;
	52	const char * errormsg;
	53
	54	const char NTV_SERVER_ERROR_MSG[] = "Internal server errror";
	55	const char NTV_GROUP_ERROR_MSG[] = "User not allowed to use this cache";
	56	const char NTV_LOGON_ERROR_MSG[] = "No such user or wrong password";
	57	const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/";
	58
	59	/* returns 1 on success, 0 on failure */
	60	int
	61	Valid_Group(char UserName, char Group)
	62	{
	63	int result = FALSE;
f53969cc SM	64	WCHAR wszUserName[256]; // Unicode user name
f53969cc SM	65	WCHAR wszGroup[256]; // Unicode Group
6e785d85	66
	67	LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
	68	LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
	69	DWORD dwLevel = 0;
	70	DWORD dwFlags = LG_INCLUDE_INDIRECT;
	71	DWORD dwPrefMaxLen = -1;
	72	DWORD dwEntriesRead = 0;
	73	DWORD dwTotalEntries = 0;
	74	NET_API_STATUS nStatus;
	75	DWORD i;
	76	DWORD dwTotalCount = 0;
	77
26ac0430	78	/* Convert ANSI User Name and Group to Unicode */
6e785d85	79
6e785d85	80	MultiByteToWideChar(CP_ACP, 0, UserName,
26ac0430 AJ	81	strlen(UserName) + 1, wszUserName,
26ac0430 AJ	82	sizeof(wszUserName) / sizeof(wszUserName[0]));
6e785d85	83	MultiByteToWideChar(CP_ACP, 0, Group,
26ac0430	84	strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));
6e785d85	85
6e785d85	86	/*
26ac0430 AJ	87	* Call the NetUserGetLocalGroups function
	88	* specifying information level 0.
	89	*
	90	* The LG_INCLUDE_INDIRECT flag specifies that the
	91	* function should also return the names of the local
	92	* groups in which the user is indirectly a member.
	93	*/
	94	nStatus = NetUserGetLocalGroups(NULL,
	95	wszUserName,
	96	dwLevel,
	97	dwFlags,
	98	(LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
	99	/*
	100	* If the call succeeds,
	101	*/
6e785d85	102	if (nStatus == NERR_Success) {
26ac0430	103	if ((pTmpBuf = pBuf) != NULL) {
755494da	104	for (i = 0; i < dwEntriesRead; ++i) {
26ac0430 AJ	105	if (pTmpBuf == NULL) {
	106	result = FALSE;
	107	break;
	108	}
	109	if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
	110	result = TRUE;
	111	break;
	112	}
755494da FC	113	++pTmpBuf;
755494da FC	114	++dwTotalCount;
26ac0430 AJ	115	}
26ac0430 AJ	116	}
6e785d85	117	} else
26ac0430 AJ	118	result = FALSE;
	119	/*
	120	* Free the allocated memory.
	121	*/
6e785d85	122	if (pBuf != NULL)
26ac0430	123	NetApiBufferFree(pBuf);
6e785d85	124	return result;
	125	}
	126
	127	/* Valid_User return codes -
	128	0 - User authenticated successfully.
	129	1 - Server error.
	130	2 - Group membership error.
	131	3 - Logon error; Incorrect password or username given.
	132	*/
	133
	134	int
	135	Valid_User(char UserName, char Password, char *Group)
	136	{
	137	int result = NTV_SERVER_ERROR;
	138	size_t i;
	139	char NTDomain[256];
f3f3e961	140	char *domain_qualify = NULL;
6e785d85	141	char DomainUser[256];
	142	char User[256];
	143
	144	errormsg = NTV_SERVER_ERROR_MSG;
	145	strncpy(NTDomain, UserName, sizeof(NTDomain));
	146
755494da	147	for (i=0; i < strlen(NTV_VALID_DOMAIN_SEPARATOR); ++i) {
6e785d85	148	if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[i])) != NULL)
	149	break;
	150	}
	151	if (domain_qualify == NULL) {
26ac0430 AJ	152	strcpy(User, NTDomain);
26ac0430 AJ	153	strcpy(NTDomain, Default_NTDomain);
6e785d85	154	} else {
26ac0430 AJ	155	strcpy(User, domain_qualify + 1);
26ac0430 AJ	156	domain_qualify[0] = '\0';
6e785d85	157	}
	158	/* Log the client on to the local computer. */
	159	if (!SSP_LogonUser(User, Password, NTDomain)) {
26ac0430	160	result = NTV_LOGON_ERROR;
6e785d85	161	errormsg = NTV_LOGON_ERROR_MSG;
	162	debug("%s\n", errormsg);
	163	} else {
26ac0430 AJ	164	result = NTV_NO_ERROR;
	165	if (strcmp(NTDomain, NTV_DEFAULT_DOMAIN) == 0)
	166	strcpy(DomainUser, User);
	167	else {
	168	strcpy(DomainUser, NTDomain);
	169	strcat(DomainUser, "\\");
	170	strcat(DomainUser, User);
	171	}
	172	if (UseAllowedGroup) {
	173	if (!Valid_Group(DomainUser, NTAllowedGroup)) {
	174	result = NTV_GROUP_ERROR;
6e785d85	175	errormsg = NTV_GROUP_ERROR_MSG;
6e785d85	176	debug("%s\n", errormsg);
26ac0430 AJ	177	}
	178	}
	179	if (UseDisallowedGroup) {
	180	if (Valid_Group(DomainUser, NTDisAllowedGroup)) {
	181	result = NTV_GROUP_ERROR;
6e785d85	182	errormsg = NTV_GROUP_ERROR_MSG;
6e785d85	183	debug("%s\n", errormsg);
26ac0430 AJ	184	}
26ac0430 AJ	185	}
6e785d85	186	}
	187	return result;
	188	}
f53969cc	189