]>
Commit | Line | Data |
---|---|---|
94439e4e | 1 | /* |
262a0e14 | 2 | * $Id$ |
94439e4e | 3 | * |
4 | * DEBUG: section 29 Authenticator | |
5 | * AUTHOR: Duane Wessels | |
6 | * | |
2b6662ba | 7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ |
94439e4e | 8 | * ---------------------------------------------------------- |
9 | * | |
2b6662ba | 10 | * Squid is the result of efforts by numerous individuals from |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
94439e4e | 18 | * |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
26ac0430 | 23 | * |
94439e4e | 24 | * This program is distributed in the hope that it will be useful, |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
26ac0430 | 28 | * |
94439e4e | 29 | * You should have received a copy of the GNU General Public License |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | */ | |
34 | ||
35 | /* The functions in this file handle authentication. | |
36 | * They DO NOT perform access control or auditing. | |
37 | * See acl.c for access control and client_side.c for auditing */ | |
38 | ||
39 | ||
f7f3304a | 40 | #include "squid-old.h" |
5817ee13 | 41 | #include "auth/basic/auth_basic.h" |
616cfc4c | 42 | #include "auth/basic/Scheme.h" |
aa110616 | 43 | #include "auth/basic/User.h" |
616cfc4c | 44 | #include "auth/basic/UserRequest.h" |
3ad63615 | 45 | #include "auth/Gadgets.h" |
a623c828 | 46 | #include "auth/State.h" |
25f98340 | 47 | #include "charset.h" |
8822ebee | 48 | #include "mgr/Registration.h" |
e6ccf245 | 49 | #include "Store.h" |
924f73bc | 50 | #include "HttpReply.h" |
1fa9b1a7 | 51 | #include "rfc1738.h" |
25f98340 | 52 | #include "uudecode.h" |
d295d770 | 53 | #include "wordlist.h" |
985c86bc | 54 | #include "SquidTime.h" |
94439e4e | 55 | |
94439e4e | 56 | /* Basic Scheme */ |
94439e4e | 57 | static AUTHSSTATS authenticateBasicStats; |
94439e4e | 58 | |
fe0a0419 | 59 | helper *basicauthenticators = NULL; |
94439e4e | 60 | |
94439e4e | 61 | static int authbasic_initialised = 0; |
94439e4e | 62 | |
2d72d4fd | 63 | |
94439e4e | 64 | /* |
65 | * | |
2d72d4fd | 66 | * Public Functions |
94439e4e | 67 | * |
68 | */ | |
69 | ||
2d72d4fd | 70 | /* internal functions */ |
71 | ||
f5691f9c | 72 | bool |
372fccd6 | 73 | Auth::Basic::Config::active() const |
2d70df72 | 74 | { |
f5691f9c | 75 | return authbasic_initialised == 1; |
2d70df72 | 76 | } |
77 | ||
f5691f9c | 78 | bool |
372fccd6 | 79 | Auth::Basic::Config::configured() const |
94439e4e | 80 | { |
58ee2093 | 81 | if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0) && |
f5691f9c | 82 | (basicAuthRealm != NULL)) { |
4c73ba5f | 83 | debugs(29, 9, HERE << "returning configured"); |
f5691f9c | 84 | return true; |
2d70df72 | 85 | } |
62e76326 | 86 | |
4c73ba5f | 87 | debugs(29, 9, HERE << "returning unconfigured"); |
f5691f9c | 88 | return false; |
94439e4e | 89 | } |
90 | ||
f5691f9c | 91 | const char * |
372fccd6 | 92 | Auth::Basic::Config::type() const |
94439e4e | 93 | { |
d6374be6 | 94 | return Auth::Basic::Scheme::GetInstance()->type(); |
f5691f9c | 95 | } |
62e76326 | 96 | |
94439e4e | 97 | void |
c7baff40 | 98 | Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request) |
94439e4e | 99 | { |
58ee2093 | 100 | if (authenticateProgram) { |
18ec8500 FC |
101 | debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'Basic realm=\"" << basicAuthRealm << "\"'"); |
102 | httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"%s\"", basicAuthRealm); | |
94439e4e | 103 | } |
104 | } | |
105 | ||
0bcb6908 | 106 | void |
372fccd6 | 107 | Auth::Basic::Config::rotateHelpers() |
0bcb6908 AJ |
108 | { |
109 | /* schedule closure of existing helpers */ | |
110 | if (basicauthenticators) { | |
111 | helperShutdown(basicauthenticators); | |
112 | } | |
113 | ||
114 | /* NP: dynamic helper restart will ensure they start up again as needed. */ | |
115 | } | |
116 | ||
5817ee13 | 117 | /** shutdown the auth helpers and free any allocated configuration details */ |
94439e4e | 118 | void |
372fccd6 | 119 | Auth::Basic::Config::done() |
94439e4e | 120 | { |
5817ee13 AJ |
121 | authbasic_initialised = 0; |
122 | ||
123 | if (basicauthenticators) { | |
124 | helperShutdown(basicauthenticators); | |
5817ee13 AJ |
125 | } |
126 | ||
ed3ef6a8 AJ |
127 | delete basicauthenticators; |
128 | basicauthenticators = NULL; | |
129 | ||
58ee2093 AJ |
130 | if (authenticateProgram) |
131 | wordlistDestroy(&authenticateProgram); | |
62e76326 | 132 | |
f5691f9c | 133 | if (basicAuthRealm) |
134 | safe_free(basicAuthRealm); | |
94439e4e | 135 | } |
136 | ||
f5691f9c | 137 | void |
372fccd6 | 138 | Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) |
94439e4e | 139 | { |
58ee2093 | 140 | wordlist *list = authenticateProgram; |
94439e4e | 141 | storeAppendPrintf(entry, "%s %s", name, "basic"); |
62e76326 | 142 | |
94439e4e | 143 | while (list != NULL) { |
62e76326 | 144 | storeAppendPrintf(entry, " %s", list->key); |
145 | list = list->next; | |
94439e4e | 146 | } |
62e76326 | 147 | |
07eca7e0 | 148 | storeAppendPrintf(entry, "\n"); |
149 | ||
f5691f9c | 150 | storeAppendPrintf(entry, "%s basic realm %s\n", name, basicAuthRealm); |
404cfda1 | 151 | storeAppendPrintf(entry, "%s basic children %d startup=%d idle=%d concurrency=%d\n", name, authenticateChildren.n_max, authenticateChildren.n_startup, authenticateChildren.n_idle, authenticateChildren.concurrency); |
f5691f9c | 152 | storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL); |
64658378 | 153 | storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off"); |
94439e4e | 154 | } |
155 | ||
372fccd6 | 156 | Auth::Basic::Config::Config() : |
5817ee13 AJ |
157 | credentialsTTL( 2*60*60 ), |
158 | casesensitive(0), | |
159 | utf8(0) | |
f5691f9c | 160 | { |
75126633 | 161 | basicAuthRealm = xstrdup("Squid proxy-caching web server"); |
f5691f9c | 162 | } |
62e76326 | 163 | |
372fccd6 | 164 | Auth::Basic::Config::~Config() |
3845e4c8 | 165 | { |
acde4327 | 166 | safe_free(basicAuthRealm); |
3845e4c8 | 167 | } |
168 | ||
f5691f9c | 169 | void |
372fccd6 | 170 | Auth::Basic::Config::parse(Auth::Config * scheme, int n_configured, char *param_str) |
f5691f9c | 171 | { |
94439e4e | 172 | if (strcasecmp(param_str, "program") == 0) { |
58ee2093 AJ |
173 | if (authenticateProgram) |
174 | wordlistDestroy(&authenticateProgram); | |
62e76326 | 175 | |
58ee2093 | 176 | parse_wordlist(&authenticateProgram); |
62e76326 | 177 | |
58ee2093 | 178 | requirePathnameExists("auth_param basic program", authenticateProgram->key); |
94439e4e | 179 | } else if (strcasecmp(param_str, "children") == 0) { |
48d54e4d | 180 | authenticateChildren.parseConfig(); |
94439e4e | 181 | } else if (strcasecmp(param_str, "realm") == 0) { |
f5691f9c | 182 | parse_eol(&basicAuthRealm); |
94439e4e | 183 | } else if (strcasecmp(param_str, "credentialsttl") == 0) { |
f5691f9c | 184 | parse_time_t(&credentialsTTL); |
64658378 | 185 | } else if (strcasecmp(param_str, "casesensitive") == 0) { |
186 | parse_onoff(&casesensitive); | |
f741d2f6 HN |
187 | } else if (strcasecmp(param_str, "utf8") == 0) { |
188 | parse_onoff(&utf8); | |
94439e4e | 189 | } else { |
4c73ba5f | 190 | debugs(29, DBG_CRITICAL, HERE << "unrecognised basic auth scheme parameter '" << param_str << "'"); |
94439e4e | 191 | } |
192 | } | |
193 | ||
194 | static void | |
195 | authenticateBasicStats(StoreEntry * sentry) | |
196 | { | |
9522b380 | 197 | helperStats(sentry, basicauthenticators, "Basic Authenticator Statistics"); |
94439e4e | 198 | } |
199 | ||
d87154ee | 200 | static Auth::User::Pointer |
94439e4e | 201 | authBasicAuthUserFindUsername(const char *username) |
202 | { | |
e6ccf245 | 203 | AuthUserHashPointer *usernamehash; |
e1f7507e | 204 | debugs(29, 9, HERE << "Looking for user '" << username << "'"); |
62e76326 | 205 | |
e6ccf245 | 206 | if (username && (usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, username)))) { |
62e76326 | 207 | while (usernamehash) { |
616cfc4c | 208 | if ((usernamehash->user()->auth_type == Auth::AUTH_BASIC) && |
62e76326 | 209 | !strcmp(username, (char const *)usernamehash->key)) |
f5691f9c | 210 | return usernamehash->user(); |
62e76326 | 211 | |
212 | usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next); | |
213 | } | |
94439e4e | 214 | } |
62e76326 | 215 | |
94439e4e | 216 | return NULL; |
217 | } | |
218 | ||
431aae42 | 219 | char * |
372fccd6 | 220 | Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader) |
f5691f9c | 221 | { |
431aae42 | 222 | const char *proxy_auth = httpAuthHeader; |
acde4327 | 223 | |
431aae42 AJ |
224 | /* trim BASIC from string */ |
225 | while (xisgraph(*proxy_auth)) | |
742a021b | 226 | ++proxy_auth; |
62e76326 | 227 | |
431aae42 AJ |
228 | /* Trim leading whitespace before decoding */ |
229 | while (xisspace(*proxy_auth)) | |
742a021b | 230 | ++proxy_auth; |
94439e4e | 231 | |
431aae42 AJ |
232 | /* Trim trailing \n before decoding */ |
233 | // XXX: really? is the \n actually still there? does the header parse not drop it? | |
234 | char *eek = xstrdup(proxy_auth); | |
235 | strtok(eek, "\n"); | |
236 | char *cleartext = uudecode(eek); | |
237 | safe_free(eek); | |
238 | ||
239 | if (cleartext) { | |
240 | /* | |
241 | * Don't allow NL or CR in the credentials. | |
242 | * Oezguer Kesim <oec@codeblau.de> | |
243 | */ | |
244 | debugs(29, 9, HERE << "'" << cleartext << "'"); | |
245 | ||
246 | if (strcspn(cleartext, "\r\n") != strlen(cleartext)) { | |
247 | debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'"); | |
248 | safe_free(cleartext); | |
666f0b34 | 249 | } |
35b3bc89 | 250 | } |
431aae42 | 251 | return cleartext; |
f5691f9c | 252 | } |
253 | ||
4c73ba5f | 254 | /** |
f5691f9c | 255 | * Decode a Basic [Proxy-]Auth string, linking the passed |
256 | * auth_user_request structure to any existing user structure or creating one | |
26ac0430 AJ |
257 | * if needed. Note that just returning will be treated as |
258 | * "cannot decode credentials". Use the message field to return a | |
f5691f9c | 259 | * descriptive message to the user. |
260 | */ | |
c7baff40 | 261 | Auth::UserRequest::Pointer |
372fccd6 | 262 | Auth::Basic::Config::decode(char const *proxy_auth) |
f5691f9c | 263 | { |
c7baff40 | 264 | Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest); |
f5691f9c | 265 | /* decode the username */ |
f5691f9c | 266 | |
431aae42 AJ |
267 | // retrieve the cleartext (in a dynamically allocated char*) |
268 | char *cleartext = decodeCleartext(proxy_auth); | |
f5691f9c | 269 | |
431aae42 AJ |
270 | // empty header? no auth details produced... |
271 | if (!cleartext) | |
272 | return auth_user_request; | |
f5691f9c | 273 | |
d87154ee | 274 | Auth::User::Pointer lb; |
431aae42 | 275 | /* permitted because local_basic is purely local function scope. */ |
aa110616 | 276 | Auth::Basic::User *local_basic = NULL; |
431aae42 AJ |
277 | |
278 | char *seperator = strchr(cleartext, ':'); | |
279 | ||
aa110616 | 280 | lb = local_basic = new Auth::Basic::User(this); |
431aae42 AJ |
281 | if (seperator == NULL) { |
282 | local_basic->username(cleartext); | |
283 | } else { | |
284 | /* terminate the username */ | |
285 | *seperator = '\0'; | |
286 | local_basic->username(cleartext); | |
287 | local_basic->passwd = xstrdup(seperator+1); | |
288 | } | |
289 | ||
290 | if (!casesensitive) | |
291 | Tolower((char *)local_basic->username()); | |
292 | ||
293 | if (local_basic->passwd == NULL) { | |
294 | debugs(29, 4, HERE << "no password in proxy authorization header '" << proxy_auth << "'"); | |
295 | auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug"); | |
296 | } else { | |
297 | if (local_basic->passwd[0] == '\0') { | |
298 | debugs(29, 4, HERE << "Disallowing empty password. User is '" << local_basic->username() << "'"); | |
299 | safe_free(local_basic->passwd); | |
300 | auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password."); | |
301 | } | |
302 | } | |
f5691f9c | 303 | |
431aae42 | 304 | xfree(cleartext); |
f5691f9c | 305 | |
56a49fda | 306 | if (!local_basic->valid()) { |
616cfc4c | 307 | lb->auth_type = Auth::AUTH_BROKEN; |
431aae42 | 308 | auth_user_request->user(lb); |
f5691f9c | 309 | return auth_user_request; |
94439e4e | 310 | } |
62e76326 | 311 | |
3265364b | 312 | /* now lookup and see if we have a matching auth_user structure in memory. */ |
d87154ee | 313 | Auth::User::Pointer auth_user; |
56a49fda | 314 | |
431aae42 | 315 | if ((auth_user = authBasicAuthUserFindUsername(lb->username())) == NULL) { |
56a49fda AJ |
316 | /* the user doesn't exist in the username cache yet */ |
317 | /* save the credentials */ | |
431aae42 | 318 | debugs(29, 9, HERE << "Creating new user '" << lb->username() << "'"); |
56a49fda | 319 | /* set the auth_user type */ |
616cfc4c | 320 | lb->auth_type = Auth::AUTH_BASIC; |
56a49fda | 321 | /* current time for timeouts */ |
431aae42 | 322 | lb->expiretime = current_time.tv_sec; |
56a49fda AJ |
323 | |
324 | /* this basic_user struct is the 'lucky one' to get added to the username cache */ | |
325 | /* the requests after this link to the basic_user */ | |
326 | /* store user in hash */ | |
431aae42 | 327 | lb->addToNameCache(); |
62e76326 | 328 | |
431aae42 | 329 | auth_user = lb; |
56a49fda | 330 | assert(auth_user != NULL); |
f5691f9c | 331 | } else { |
56a49fda | 332 | /* replace the current cached password with the new one */ |
aa110616 | 333 | Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw()); |
3265364b | 334 | assert(basic_auth); |
56a49fda AJ |
335 | basic_auth->updateCached(local_basic); |
336 | auth_user = basic_auth; | |
f5691f9c | 337 | } |
62e76326 | 338 | |
f5691f9c | 339 | /* link the request to the in-cache user */ |
56a49fda | 340 | auth_user_request->user(auth_user); |
f5691f9c | 341 | return auth_user_request; |
94439e4e | 342 | } |
343 | ||
4c73ba5f | 344 | /** Initialize helpers and the like for this auth scheme. Called AFTER parsing the |
94439e4e | 345 | * config file */ |
f5691f9c | 346 | void |
372fccd6 | 347 | Auth::Basic::Config::init(Auth::Config * schemeCfg) |
94439e4e | 348 | { |
58ee2093 | 349 | if (authenticateProgram) { |
62e76326 | 350 | authbasic_initialised = 1; |
351 | ||
352 | if (basicauthenticators == NULL) | |
48d54e4d | 353 | basicauthenticators = new helper("basicauthenticator"); |
62e76326 | 354 | |
58ee2093 | 355 | basicauthenticators->cmdline = authenticateProgram; |
62e76326 | 356 | |
1af735c7 | 357 | basicauthenticators->childs.updateLimits(authenticateChildren); |
07eca7e0 | 358 | |
62e76326 | 359 | basicauthenticators->ipc_type = IPC_STREAM; |
360 | ||
361 | helperOpenServers(basicauthenticators); | |
94439e4e | 362 | } |
363 | } | |
364 | ||
62ee09ca | 365 | void |
372fccd6 | 366 | Auth::Basic::Config::registerWithCacheManager(void) |
62ee09ca | 367 | { |
8822ebee | 368 | Mgr::RegisterAction("basicauthenticator", |
d9fc6862 A |
369 | "Basic User Authenticator Stats", |
370 | authenticateBasicStats, 0, 1); | |
62ee09ca | 371 | } |