[thirdparty/squid.git] / src / acl / external / unix_group / check_group.cc

/*
 * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 * This is a helper for the external ACL interface for Squid Cache
 * Copyright (C) 2002 Rodrigo Albani de Campos (rodrigo@geekbunker.org)
 *
 * It reads STDIN looking for a username that matches a specified group
 * Returns `OK' if the user belongs to the group or `ERR' otherwise, as
 * described on http://devel.squid-cache.org/external_acl/config.html
 * To compile this program, use:
 *
 * gcc -o check_group check_group.c
 *
 * Author: Rodrigo Albani de Campos
 * E-Mail: rodrigo@geekbunker.org
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 * Change Log:
 * 2010-02-24 hno
 * Removed group number limitation and fixed related uninitialized
 * pointer reference (Bug #2813)
 *
 * Revision 1.7  2004/08/15 00:29:33  hno
 * helper protocol changed to URL-escaped strings in Squid-3.0
 *
 * Revision 1.6  2002/08/12 15:48:32  hno
 * imported strwordtok from Squid, added man page, some minor fixes
 *
 * Revision 1.5  2002/07/27 14:26:49  rcampos
 * allow groups to be sent on stdin
 *
 * Revision 1.4  2002/04/17 01:58:48  camposr
 * minor corrections in the getopt
 *
 * Revision 1.3  2002/04/17 01:43:17  camposr
 * ready for action
 *
 * Revision 1.2  2002/04/17 01:32:16  camposr
 * all main routines ready
 *
 * Revision 1.1  2002/04/16 05:02:32  camposr
 * Initial revision
 *
 */
#include "squid.h"
#include "helper/protocol_defines.h"
#include "rfc1738.h"
#include "util.h"

#include <cctype>
#include <cstring>
#if HAVE_GRP_H
#include <grp.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#if HAVE_PWD_H
#include <pwd.h>
#endif

/*
 * Verify if user's primary group matches groupname
 * Returns 0 if user is not on the group
 * Returns 1 otherwise
 */
static int
validate_user_pw(char *username, char *groupname)
{
    struct passwd *p;
    struct group *g;

    if ((p = getpwnam(username)) == nullptr) {
        /* Returns an error if user does not exist in the /etc/passwd */
        fprintf(stderr, "ERROR: User does not exist '%s'\n", username);
        return 0;
    } else {
        /* Verify if the this is the primary user group */
        if ((g = getgrgid(p->pw_gid)) != nullptr) {
            if ((strcmp(groupname, g->gr_name)) == 0)
                return 1;
        }
    }

    return 0;
}

static int
validate_user_gr(char *username, char *groupname)
{
    /*
     * Verify if the user belongs to groupname as listed in the
     * /etc/group file
     */
    struct group *g;

    if ((g = getgrnam(groupname)) == nullptr) {
        fprintf(stderr, "ERROR: Group does not exist '%s'\n", groupname);
        return 0;
    } else {
        while (*(g->gr_mem) != nullptr) {
            if (strcmp(*((g->gr_mem)++), username) == 0) {
                return 1;
            }
        }
    }
    return 0;
}

static void
usage(char *program)
{
    fprintf(stderr, "Usage: %s -g group1 [-g group2 ...] [-p] [-s]\n\n",
            program);
    fprintf(stderr, "-g group\n");
    fprintf(stderr,
            "			The group name or id that the user must belong in order to\n");
    fprintf(stderr,
            "			be allowed to authenticate.\n");
    fprintf(stderr,
            "-p			Verify primary user group as well\n");
    fprintf(stderr,
            "-s			Strip NT domain from usernames\n");
    fprintf(stderr,
            "-r			Strip Kerberos realm from usernames\n");
}

int
main(int argc, char *argv[])
{
    char *user, *suser, *p;
    char buf[HELPER_INPUT_BUFFER];
    char **grents = nullptr;
    int check_pw = 0, ch, ngroups = 0, i, j = 0, strip_dm = 0, strip_rm = 0;

    /* make standard output line buffered */
    setvbuf(stdout, nullptr, _IOLBF, 0);

    /* get user options */
    while ((ch = getopt(argc, argv, "dsrpg:")) != -1) {
        switch (ch) {
        case 'd':
            debug_enabled = 1;
            break;
        case 's':
            strip_dm = 1;
            break;
        case 'r':
            strip_rm = 1;
            break;
        case 'p':
            check_pw = 1;
            break;
        case 'g':
            grents = (char**)realloc(grents, sizeof(*grents) * (ngroups+1));
            grents[ngroups] = optarg;
            ++ngroups;
            break;
        case '?':
            if (xisprint(optopt)) {
                fprintf(stderr, "Unknown option '-%c'.\n", optopt);
            } else {
                fprintf(stderr, "Unknown option character `\\x%x'.\n", optopt);
            }
        /* [[fallthrough]] */
        default:
            usage(argv[0]);
            exit(EXIT_FAILURE);
        }
    }
    if (optind < argc) {
        fprintf(stderr, "FATAL: Unknown option '%s'\n", argv[optind]);
        usage(argv[0]);
        exit(EXIT_FAILURE);
    }
    while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) {
        j = 0;
        if ((p = strchr(buf, '\n')) == nullptr) {
            /* too large message received.. skip and deny */
            fprintf(stderr, "ERROR: %s: Too large: %s\n", argv[0], buf);
            while (fgets(buf, sizeof(buf), stdin)) {
                fprintf(stderr, "ERROR: %s: Too large..: %s\n", argv[0], buf);
                if (strchr(buf, '\n') != nullptr)
                    break;
            }
            SEND_BH(HLP_MSG("Username Input too large."));
            continue;
        }
        *p = '\0';
        if ((p = strtok(buf, " ")) == nullptr) {
            SEND_BH(HLP_MSG("No username given."));
            continue;
        } else {
            user = p;
            rfc1738_unescape(user);
            if (strip_dm) {
                suser = strchr(user, '\\');
                if (!suser) suser = strchr(user, '/');
                if (suser && suser[1]) user = suser + 1;
            }
            if (strip_rm) {
                suser = strchr(user, '@');
                if (suser) *suser = '\0';
            }
            /* check groups supplied by Squid */
            while ((p = strtok(nullptr, " ")) != nullptr) {
                rfc1738_unescape(p);
                if (check_pw == 1)
                    j += validate_user_pw(user, p);
                j += validate_user_gr(user, p);
            }
        }

        /* check groups supplied on the command line */
        for (i = 0; i < ngroups; ++i) {
            if (check_pw == 1) {
                j += validate_user_pw(user, grents[i]);
            }
            j += validate_user_gr(user, grents[i]);
        }

        if (j > 0) {
            SEND_OK("");
        } else {
            SEND_ERR("");
        }
    }
    return EXIT_SUCCESS;
}
Commit	Line	Data
ca02e0ec	1	/*
bf95c10a	2	* Copyright (C) 1996-2022 The Squid Software Foundation and contributors
ca02e0ec AJ	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
6328cedc	9	/*
6328cedc	10	* This is a helper for the external ACL interface for Squid Cache
6328cedc	11	* Copyright (C) 2002 Rodrigo Albani de Campos (rodrigo@geekbunker.org)
26ac0430	12	*
6328cedc	13	* It reads STDIN looking for a username that matches a specified group
26ac0430	14	* Returns `OK' if the user belongs to the group or `ERR' otherwise, as
6328cedc	15	* described on http://devel.squid-cache.org/external_acl/config.html
	16	* To compile this program, use:
	17	*
	18	* gcc -o check_group check_group.c
	19	*
	20	* Author: Rodrigo Albani de Campos
	21	* E-Mail: rodrigo@geekbunker.org
	22	*
	23	* This program is free software; you can redistribute it and/or modify
	24	* it under the terms of the GNU General Public License as published by
	25	* the Free Software Foundation; either version 2 of the License, or
	26	* (at your option) any later version.
	27	*
	28	* This program is distributed in the hope that it will be useful,
	29	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	30	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	31	* GNU General Public License for more details.
	32	*
	33	* You should have received a copy of the GNU General Public License
	34	* along with this program; if not, write to the Free Software
	35	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	36	*
	37	* Change Log:
056823c5 HN	38	* 2010-02-24 hno
	39	* Removed group number limitation and fixed related uninitialized
	40	* pointer reference (Bug #2813)
	41	*
1958420a	42	* Revision 1.7 2004/08/15 00:29:33 hno
	43	* helper protocol changed to URL-escaped strings in Squid-3.0
	44	*
6328cedc	45	* Revision 1.6 2002/08/12 15:48:32 hno
	46	* imported strwordtok from Squid, added man page, some minor fixes
	47	*
	48	* Revision 1.5 2002/07/27 14:26:49 rcampos
	49	* allow groups to be sent on stdin
	50	*
	51	* Revision 1.4 2002/04/17 01:58:48 camposr
	52	* minor corrections in the getopt
	53	*
	54	* Revision 1.3 2002/04/17 01:43:17 camposr
	55	* ready for action
	56	*
	57	* Revision 1.2 2002/04/17 01:32:16 camposr
	58	* all main routines ready
	59	*
	60	* Revision 1.1 2002/04/16 05:02:32 camposr
	61	* Initial revision
	62	*
	63	*/
f7f3304a	64	#include "squid.h"
079b1d0f	65	#include "helper/protocol_defines.h"
1fa9b1a7	66	#include "rfc1738.h"
7483aded	67	#include "util.h"
7483aded	68
074d6a40 AJ	69	#include <cctype>
074d6a40 AJ	70	#include <cstring>
c152a447	71	#if HAVE_GRP_H
6328cedc	72	#include <grp.h>
c152a447 AJ	73	#endif
c152a447 AJ	74	#if HAVE_UNISTD_H
6328cedc	75	#include <unistd.h>
c152a447 AJ	76	#endif
c152a447 AJ	77	#if HAVE_PWD_H
6328cedc	78	#include <pwd.h>
c152a447	79	#endif
6328cedc	80
26ac0430	81	/*
9cee498b	82	* Verify if user's primary group matches groupname
6328cedc	83	* Returns 0 if user is not on the group
	84	* Returns 1 otherwise
	85	*/
	86	static int
	87	validate_user_pw(char username, char groupname)
	88	{
	89	struct passwd *p;
	90	struct group *g;
	91
aee3523a	92	if ((p = getpwnam(username)) == nullptr) {
26ac0430	93	/* Returns an error if user does not exist in the /etc/passwd */
c152a447	94	fprintf(stderr, "ERROR: User does not exist '%s'\n", username);
26ac0430	95	return 0;
6328cedc	96	} else {
26ac0430	97	/* Verify if the this is the primary user group */
aee3523a	98	if ((g = getgrgid(p->pw_gid)) != nullptr) {
26ac0430 AJ	99	if ((strcmp(groupname, g->gr_name)) == 0)
	100	return 1;
	101	}
6328cedc	102	}
	103
	104	return 0;
	105	}
	106
	107	static int
	108	validate_user_gr(char username, char groupname)
	109	{
26ac0430	110	/*
6328cedc	111	* Verify if the user belongs to groupname as listed in the
	112	* /etc/group file
	113	*/
	114	struct group *g;
	115
aee3523a	116	if ((g = getgrnam(groupname)) == nullptr) {
c152a447	117	fprintf(stderr, "ERROR: Group does not exist '%s'\n", groupname);
26ac0430	118	return 0;
6328cedc	119	} else {
aee3523a	120	while (*(g->gr_mem) != nullptr) {
26ac0430 AJ	121	if (strcmp(*((g->gr_mem)++), username) == 0) {
	122	return 1;
	123	}
	124	}
6328cedc	125	}
	126	return 0;
	127	}
	128
	129	static void
	130	usage(char *program)
	131	{
42aa79b5	132	fprintf(stderr, "Usage: %s -g group1 [-g group2 ...] [-p] [-s]\n\n",
26ac0430	133	program);
6328cedc	134	fprintf(stderr, "-g group\n");
6328cedc	135	fprintf(stderr,
26ac0430	136	" The group name or id that the user must belong in order to\n");
6328cedc	137	fprintf(stderr,
26ac0430	138	" be allowed to authenticate.\n");
6328cedc	139	fprintf(stderr,
26ac0430	140	"-p Verify primary user group as well\n");
42aa79b5	141	fprintf(stderr,
26ac0430	142	"-s Strip NT domain from usernames\n");
94c86ca4 CA	143	fprintf(stderr,
94c86ca4 CA	144	"-r Strip Kerberos realm from usernames\n");
6328cedc	145	}
6328cedc	146
6328cedc	147	int
	148	main(int argc, char *argv[])
	149	{
42aa79b5	150	char user, suser, *p;
c152a447	151	char buf[HELPER_INPUT_BUFFER];
aee3523a	152	char **grents = nullptr;
94c86ca4	153	int check_pw = 0, ch, ngroups = 0, i, j = 0, strip_dm = 0, strip_rm = 0;
6328cedc	154
6328cedc	155	/* make standard output line buffered */
aee3523a	156	setvbuf(stdout, nullptr, _IOLBF, 0);
6328cedc	157
6328cedc	158	/* get user options */
94c86ca4	159	while ((ch = getopt(argc, argv, "dsrpg:")) != -1) {
26ac0430	160	switch (ch) {
c152a447 AJ	161	case 'd':
	162	debug_enabled = 1;
	163	break;
26ac0430 AJ	164	case 's':
	165	strip_dm = 1;
	166	break;
94c86ca4 CA	167	case 'r':
	168	strip_rm = 1;
	169	break;
26ac0430 AJ	170	case 'p':
	171	check_pw = 1;
	172	break;
	173	case 'g':
c152a447	174	grents = (char*)realloc(grents, sizeof(grents) * (ngroups+1));
f207fe64 FC	175	grents[ngroups] = optarg;
f207fe64 FC	176	++ngroups;
26ac0430 AJ	177	break;
	178	case '?':
	179	if (xisprint(optopt)) {
26ac0430 AJ	180	fprintf(stderr, "Unknown option '-%c'.\n", optopt);
	181	} else {
	182	fprintf(stderr, "Unknown option character `\\x%x'.\n", optopt);
	183	}
8b082ed9	184	/* [[fallthrough]] */
26ac0430 AJ	185	default:
26ac0430 AJ	186	usage(argv[0]);
24885773	187	exit(EXIT_FAILURE);
26ac0430	188	}
6328cedc	189	}
6328cedc	190	if (optind < argc) {
c152a447	191	fprintf(stderr, "FATAL: Unknown option '%s'\n", argv[optind]);
26ac0430	192	usage(argv[0]);
24885773	193	exit(EXIT_FAILURE);
6328cedc	194	}
c152a447	195	while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) {
26ac0430	196	j = 0;
aee3523a	197	if ((p = strchr(buf, '\n')) == nullptr) {
26ac0430	198	/* too large message received.. skip and deny */
c152a447	199	fprintf(stderr, "ERROR: %s: Too large: %s\n", argv[0], buf);
26ac0430	200	while (fgets(buf, sizeof(buf), stdin)) {
c152a447	201	fprintf(stderr, "ERROR: %s: Too large..: %s\n", argv[0], buf);
aee3523a	202	if (strchr(buf, '\n') != nullptr)
26ac0430 AJ	203	break;
26ac0430 AJ	204	}
194ccc9c	205	SEND_BH(HLP_MSG("Username Input too large."));
c152a447	206	continue;
26ac0430 AJ	207	}
26ac0430 AJ	208	*p = '\0';
aee3523a	209	if ((p = strtok(buf, " ")) == nullptr) {
194ccc9c	210	SEND_BH(HLP_MSG("No username given."));
c152a447	211	continue;
26ac0430 AJ	212	} else {
	213	user = p;
	214	rfc1738_unescape(user);
1fd5d1af	215	if (strip_dm) {
26ac0430 AJ	216	suser = strchr(user, '\\');
	217	if (!suser) suser = strchr(user, '/');
	218	if (suser && suser[1]) user = suser + 1;
	219	}
94c86ca4 CA	220	if (strip_rm) {
	221	suser = strchr(user, '@');
	222	if (suser) *suser = '\0';
	223	}
26ac0430	224	/* check groups supplied by Squid */
aee3523a	225	while ((p = strtok(nullptr, " ")) != nullptr) {
26ac0430 AJ	226	rfc1738_unescape(p);
	227	if (check_pw == 1)
	228	j += validate_user_pw(user, p);
26ac0430 AJ	229	j += validate_user_gr(user, p);
	230	}
	231	}
	232
	233	/* check groups supplied on the command line */
a2f5277a	234	for (i = 0; i < ngroups; ++i) {
26ac0430 AJ	235	if (check_pw == 1) {
	236	j += validate_user_pw(user, grents[i]);
	237	}
	238	j += validate_user_gr(user, grents[i]);
	239	}
	240
	241	if (j > 0) {
c152a447	242	SEND_OK("");
26ac0430	243	} else {
c152a447	244	SEND_ERR("");
26ac0430	245	}
6328cedc	246	}
24885773	247	return EXIT_SUCCESS;
6328cedc	248	}
f53969cc	249