[thirdparty/squid.git] / src / auth / negotiate / UserRequest.cc

/*
 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

#include "squid.h"
#include "AccessLogEntry.h"
#include "auth/negotiate/auth_negotiate.h"
#include "auth/negotiate/UserRequest.h"
#include "auth/State.h"
#include "auth/User.h"
#include "client_side.h"
#include "format/Format.h"
#include "globals.h"
#include "helper.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "MemBuf.h"
#include "SquidTime.h"

Auth::Negotiate::UserRequest::UserRequest()
{
    waiting=0;
    client_blob=0;
    server_blob=0;
    authserver=NULL;
    request=NULL;
}

Auth::Negotiate::UserRequest::~UserRequest()
{
    assert(LockCount()==0);
    safe_free(server_blob);
    safe_free(client_blob);

    releaseAuthServer();

    if (request) {
        HTTPMSGUNLOCK(request);
        request = NULL;
    }
}

const char *
Auth::Negotiate::UserRequest::connLastHeader()
{
    return NULL;
}

int
Auth::Negotiate::UserRequest::authenticated() const
{
    if (user() != NULL && user()->credentials() == Auth::Ok) {
        debugs(29, 9, HERE << "user authenticated.");
        return 1;
    }

    debugs(29, 9, HERE << "user not fully authenticated.");
    return 0;
}

const char *
Auth::Negotiate::UserRequest::credentialsStr()
{
    static char buf[MAX_AUTHTOKEN_LEN];
    if (user()->credentials() == Auth::Pending) {
        snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
    } else {
        snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
    }
    return buf;
}

Auth::Direction
Auth::Negotiate::UserRequest::module_direction()
{
    /* null auth_user is checked for by Auth::UserRequest::direction() */

    if (waiting || client_blob)
        return Auth::CRED_LOOKUP; /* need helper response to continue */

    if (user()->auth_type != Auth::AUTH_NEGOTIATE)
        return Auth::CRED_ERROR;

    switch (user()->credentials()) {

    case Auth::Handshake:
        assert(server_blob);
        return Auth::CRED_CHALLENGE;

    case Auth::Ok:
        return Auth::CRED_VALID;

    case Auth::Failed:
        return Auth::CRED_ERROR; // XXX: really? not VALID or CHALLENGE?

    default:
        debugs(29, DBG_IMPORTANT, "WARNING: Negotiate Authentication in unexpected state: " << user()->credentials());
        return Auth::CRED_ERROR;
    }
}

void
Auth::Negotiate::UserRequest::startHelperLookup(HttpRequest *req, AccessLogEntry::Pointer &al, AUTHCB * handler, void *data)
{
    static char buf[MAX_AUTHTOKEN_LEN];

    assert(data);
    assert(handler);

    assert(user() != NULL);
    assert(user()->auth_type == Auth::AUTH_NEGOTIATE);

    if (static_cast<Auth::Negotiate::Config*>(Auth::Config::Find("negotiate"))->authenticateProgram == NULL) {
        debugs(29, DBG_CRITICAL, "ERROR: No Negotiate authentication program configured.");
        handler(data);
        return;
    }

    debugs(29, 8, HERE << "credentials state is '" << user()->credentials() << "'");

    const char *keyExtras = helperRequestKeyExtras(request, al);
    if (user()->credentials() == Auth::Pending) {
        if (keyExtras)
            snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras);
        else
            snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
    } else {
        if (keyExtras)
            snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras);
        else
            snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
    }

    waiting = 1;

    safe_free(client_blob);

    helperStatefulSubmit(negotiateauthenticators, buf, Auth::Negotiate::UserRequest::HandleReply,
                         new Auth::StateData(this, handler, data), authserver);
}

/**
 * Atomic action: properly release the Negotiate auth helpers which may have been reserved
 * for this request connections use.
 */
void
Auth::Negotiate::UserRequest::releaseAuthServer()
{
    if (authserver) {
        debugs(29, 6, HERE << "releasing Negotiate auth server '" << authserver << "'");
        helperStatefulReleaseServer(authserver);
        authserver = NULL;
    } else
        debugs(29, 6, HERE << "No Negotiate auth server to release.");
}

void
Auth::Negotiate::UserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, http_hdr_type type)
{
    assert(this);

    /* Check that we are in the client side, where we can generate
     * auth challenges */

    if (conn == NULL || !cbdataReferenceValid(conn)) {
        user()->credentials(Auth::Failed);
        debugs(29, DBG_IMPORTANT, "WARNING: Negotiate Authentication attempt to perform authentication without a connection!");
        return;
    }

    if (waiting) {
        debugs(29, DBG_IMPORTANT, "WARNING: Negotiate Authentication waiting for helper reply!");
        return;
    }

    if (server_blob) {
        debugs(29, 2, HERE << "need to challenge client '" << server_blob << "'!");
        return;
    }

    /* get header */
    const char *proxy_auth = aRequest->header.getStr(type);

    /* locate second word */
    const char *blob = proxy_auth;

    if (blob) {
        while (xisspace(*blob) && *blob)
            ++blob;

        while (!xisspace(*blob) && *blob)
            ++blob;

        while (xisspace(*blob) && *blob)
            ++blob;
    }

    switch (user()->credentials()) {

    case Auth::Unchecked:
        /* we've received a negotiate request. pass to a helper */
        debugs(29, 9, HERE << "auth state negotiate none. Received blob: '" << proxy_auth << "'");
        user()->credentials(Auth::Pending);
        safe_free(client_blob);
        client_blob=xstrdup(blob);
        assert(conn->getAuth() == NULL);
        conn->setAuth(this, "new Negotiate handshake request");
        request = aRequest;
        HTTPMSGLOCK(request);
        break;

    case Auth::Pending:
        debugs(29, DBG_IMPORTANT, HERE << "need to ask helper");
        break;

    case Auth::Handshake:
        /* we should have received a blob from the client. Hand it off to
         * some helper */
        safe_free(client_blob);
        client_blob = xstrdup(blob);
        if (request)
            HTTPMSGUNLOCK(request);
        request = aRequest;
        HTTPMSGLOCK(request);
        break;

    case Auth::Ok:
        fatal("Auth::Negotiate::UserRequest::authenticate: unexpected auth state DONE! Report a bug to the squid developers.\n");
        break;

    case Auth::Failed:
        /* we've failed somewhere in authentication */
        debugs(29, 9, HERE << "auth state negotiate failed. " << proxy_auth);
        break;
    }
}

void
Auth::Negotiate::UserRequest::HandleReply(void *data, const HelperReply &reply)
{
    Auth::StateData *r = static_cast<Auth::StateData *>(data);

    debugs(29, 8, HERE << "helper: '" << reply.whichServer << "' sent us reply=" << reply);

    if (!cbdataReferenceValid(r->data)) {
        debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication invalid callback data. helper '" << reply.whichServer << "'.");
        delete r;
        return;
    }

    Auth::UserRequest::Pointer auth_user_request = r->auth_user_request;
    assert(auth_user_request != NULL);

    // add new helper kv-pair notes to the credentials object
    // so that any transaction using those credentials can access them
    auth_user_request->user()->notes.appendNewOnly(&reply.notes);

    Auth::Negotiate::UserRequest *lm_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
    assert(lm_request != NULL);
    assert(lm_request->waiting);

    lm_request->waiting = 0;
    safe_free(lm_request->client_blob);

    assert(auth_user_request->user() != NULL);
    assert(auth_user_request->user()->auth_type == Auth::AUTH_NEGOTIATE);

    if (lm_request->authserver == NULL)
        lm_request->authserver = reply.whichServer.get(); // XXX: no locking?
    else
        assert(reply.whichServer == lm_request->authserver);

    switch (reply.result) {
    case HelperReply::TT:
        /* we have been given a blob to send to the client */
        safe_free(lm_request->server_blob);
        lm_request->request->flags.mustKeepalive = true;
        if (lm_request->request->flags.proxyKeepalive) {
            const char *tokenNote = reply.notes.findFirst("token");
            lm_request->server_blob = xstrdup(tokenNote);
            auth_user_request->user()->credentials(Auth::Handshake);
            auth_user_request->denyMessage("Authentication in progress");
            debugs(29, 4, HERE << "Need to challenge the client with a server token: '" << tokenNote << "'");
        } else {
            auth_user_request->user()->credentials(Auth::Failed);
            auth_user_request->denyMessage("Negotiate authentication requires a persistent connection");
        }
        break;

    case HelperReply::Okay: {
        const char *userNote = reply.notes.findFirst("user");
        const char *tokenNote = reply.notes.findFirst("token");
        if (userNote == NULL || tokenNote == NULL) {
            // XXX: handle a success with no username better
            /* protocol error */
            fatalf("authenticateNegotiateHandleReply: *** Unsupported helper response ***, '%s'\n", reply.other().content());
            break;
        }

        /* we're finished, release the helper */
        auth_user_request->user()->username(userNote);
        auth_user_request->denyMessage("Login successful");
        safe_free(lm_request->server_blob);
        lm_request->server_blob = xstrdup(tokenNote);
        lm_request->releaseAuthServer();

        /* connection is authenticated */
        debugs(29, 4, HERE << "authenticated user " << auth_user_request->user()->username());
        /* see if this is an existing user with a different proxy_auth
         * string */
        AuthUserHashPointer *usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, auth_user_request->user()->userKey()));
        Auth::User::Pointer local_auth_user = lm_request->user();
        while (usernamehash && (usernamehash->user()->auth_type != Auth::AUTH_NEGOTIATE ||
                                strcmp(usernamehash->user()->userKey(), auth_user_request->user()->userKey()) != 0))
            usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
        if (usernamehash) {
            /* we can't seamlessly recheck the username due to the
             * challenge-response nature of the protocol.
             * Just free the temporary auth_user after merging as
             * much of it new state into the existing one as possible */
            usernamehash->user()->absorb(local_auth_user);
            /* from here on we are working with the original cached credentials. */
            local_auth_user = usernamehash->user();
            auth_user_request->user(local_auth_user);
        } else {
            /* store user in hash's */
            local_auth_user->addToNameCache();
        }
        /* set these to now because this is either a new login from an
         * existing user or a new user */
        local_auth_user->expiretime = current_time.tv_sec;
        auth_user_request->user()->credentials(Auth::Ok);
        debugs(29, 4, HERE << "Successfully validated user via Negotiate. Username '" << auth_user_request->user()->username() << "'");
    }
    break;

    case HelperReply::Error: {
        const char *messageNote = reply.notes.find("message");
        const char *tokenNote = reply.notes.findFirst("token");

        /* authentication failure (wrong password, etc.) */
        if (messageNote != NULL)
            auth_user_request->denyMessage(messageNote);
        else
            auth_user_request->denyMessage("Negotiate Authentication denied with no reason given");
        auth_user_request->user()->credentials(Auth::Failed);
        safe_free(lm_request->server_blob);
        if (tokenNote != NULL)
            lm_request->server_blob = xstrdup(tokenNote);
        lm_request->releaseAuthServer();
        debugs(29, 4, "Failed validating user via Negotiate. Result: " << reply);
    }
    break;

    case HelperReply::Unknown:
        debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication Helper '" << reply.whichServer << "' crashed!.");
        /* continue to the next case */

    case HelperReply::BrokenHelper: {
        /* TODO kick off a refresh process. This can occur after a YR or after
         * a KK. If after a YR release the helper and resubmit the request via
         * Authenticate Negotiate start.
         * If after a KK deny the user's request w/ 407 and mark the helper as
         * Needing YR. */
        const char *errNote = reply.notes.find("message");
        if (reply.result == HelperReply::Unknown)
            auth_user_request->denyMessage("Internal Error");
        else if (errNote != NULL)
            auth_user_request->denyMessage(errNote);
        else
            auth_user_request->denyMessage("Negotiate Authentication failed with no reason given");
        auth_user_request->user()->credentials(Auth::Failed);
        safe_free(lm_request->server_blob);
        lm_request->releaseAuthServer();
        debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication validating user. Result: " << reply);
    } // break;
    }

    if (lm_request->request) {
        HTTPMSGUNLOCK(lm_request->request);
        lm_request->request = NULL;
    }
    r->handler(r->data);
    delete r;
}

void
Auth::Negotiate::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
{
    http_hdr_type type;

    if (!server_blob)
        return;

    /* don't add to authentication error pages */
    if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
            || (accel && rep->sline.status() == Http::scUnauthorized))
        return;

    type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
    httpHeaderPutStrf(&rep->header, type, "Negotiate %s", server_blob);

    safe_free(server_blob);
}
Commit	Line	Data
bbc27441 AJ	1	/*
	2	* Copyright (C) 1996-2014 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
f7f3304a	9	#include "squid.h"
d4806c91	10	#include "AccessLogEntry.h"
928f3421	11	#include "auth/negotiate/auth_negotiate.h"
616cfc4c	12	#include "auth/negotiate/UserRequest.h"
aa110616	13	#include "auth/State.h"
928f3421	14	#include "auth/User.h"
582c2af2	15	#include "client_side.h"
86c63190	16	#include "format/Format.h"
582c2af2	17	#include "globals.h"
928f3421	18	#include "helper.h"
a5bac1d2	19	#include "HttpHeaderTools.h"
928f3421 AJ	20	#include "HttpReply.h"
928f3421 AJ	21	#include "HttpRequest.h"
d4806c91	22	#include "MemBuf.h"
928f3421 AJ	23	#include "SquidTime.h"
928f3421 AJ	24
c7baff40	25	Auth::Negotiate::UserRequest::UserRequest()
928f3421 AJ	26	{
	27	waiting=0;
	28	client_blob=0;
	29	server_blob=0;
	30	authserver=NULL;
	31	request=NULL;
	32	}
	33
c7baff40	34	Auth::Negotiate::UserRequest::~UserRequest()
928f3421	35	{
8bf217bd	36	assert(LockCount()==0);
928f3421 AJ	37	safe_free(server_blob);
	38	safe_free(client_blob);
	39
7afc3bf2 AJ	40	releaseAuthServer();
7afc3bf2 AJ	41
928f3421 AJ	42	if (request) {
	43	HTTPMSGUNLOCK(request);
	44	request = NULL;
	45	}
	46	}
	47
	48	const char *
c7baff40	49	Auth::Negotiate::UserRequest::connLastHeader()
928f3421 AJ	50	{
	51	return NULL;
	52	}
	53
	54	int
c7baff40	55	Auth::Negotiate::UserRequest::authenticated() const
928f3421	56	{
d87154ee	57	if (user() != NULL && user()->credentials() == Auth::Ok) {
928f3421 AJ	58	debugs(29, 9, HERE << "user authenticated.");
	59	return 1;
	60	}
	61
	62	debugs(29, 9, HERE << "user not fully authenticated.");
	63	return 0;
	64	}
	65
d4806c91 CT	66	const char *
	67	Auth::Negotiate::UserRequest::credentialsStr()
	68	{
	69	static char buf[MAX_AUTHTOKEN_LEN];
	70	if (user()->credentials() == Auth::Pending) {
	71	snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
	72	} else {
	73	snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
	74	}
	75	return buf;
	76	}
	77
51a3dd58	78	Auth::Direction
c7baff40	79	Auth::Negotiate::UserRequest::module_direction()
928f3421	80	{
c7baff40	81	/* null auth_user is checked for by Auth::UserRequest::direction() */
928f3421 AJ	82
928f3421 AJ	83	if (waiting \|\| client_blob)
51a3dd58	84	return Auth::CRED_LOOKUP; /* need helper response to continue */
928f3421	85
616cfc4c	86	if (user()->auth_type != Auth::AUTH_NEGOTIATE)
51a3dd58	87	return Auth::CRED_ERROR;
928f3421	88
d232141d	89	switch (user()->credentials()) {
928f3421	90
d87154ee	91	case Auth::Handshake:
928f3421	92	assert(server_blob);
51a3dd58	93	return Auth::CRED_CHALLENGE;
928f3421	94
d87154ee	95	case Auth::Ok:
51a3dd58	96	return Auth::CRED_VALID;
928f3421	97
d87154ee	98	case Auth::Failed:
51a3dd58	99	return Auth::CRED_ERROR; // XXX: really? not VALID or CHALLENGE?
928f3421	100
d232141d AJ	101	default:
d232141d AJ	102	debugs(29, DBG_IMPORTANT, "WARNING: Negotiate Authentication in unexpected state: " << user()->credentials());
51a3dd58	103	return Auth::CRED_ERROR;
d232141d	104	}
928f3421 AJ	105	}
928f3421 AJ	106
928f3421	107	void
30c3f584	108	Auth::Negotiate::UserRequest::startHelperLookup(HttpRequest req, AccessLogEntry::Pointer &al, AUTHCB handler, void *data)
928f3421	109	{
928f3421	110	static char buf[MAX_AUTHTOKEN_LEN];
928f3421 AJ	111
	112	assert(data);
	113	assert(handler);
928f3421	114
56a49fda	115	assert(user() != NULL);
616cfc4c	116	assert(user()->auth_type == Auth::AUTH_NEGOTIATE);
928f3421	117
372fccd6	118	if (static_cast<Auth::Negotiate::Config*>(Auth::Config::Find("negotiate"))->authenticateProgram == NULL) {
928f3421	119	debugs(29, DBG_CRITICAL, "ERROR: No Negotiate authentication program configured.");
4c535e87	120	handler(data);
928f3421 AJ	121	return;
	122	}
	123
7afc3bf2 AJ	124	debugs(29, 8, HERE << "credentials state is '" << user()->credentials() << "'");
7afc3bf2 AJ	125
d4806c91	126	const char *keyExtras = helperRequestKeyExtras(request, al);
d87154ee	127	if (user()->credentials() == Auth::Pending) {
d4806c91 CT	128	if (keyExtras)
	129	snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras);
	130	else
	131	snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
928f3421	132	} else {
d4806c91 CT	133	if (keyExtras)
	134	snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras);
	135	else
	136	snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
928f3421 AJ	137	}
	138
	139	waiting = 1;
	140
	141	safe_free(client_blob);
1c756645	142
c7baff40	143	helperStatefulSubmit(negotiateauthenticators, buf, Auth::Negotiate::UserRequest::HandleReply,
1c756645	144	new Auth::StateData(this, handler, data), authserver);
928f3421 AJ	145	}
	146
	147	/**
	148	* Atomic action: properly release the Negotiate auth helpers which may have been reserved
	149	* for this request connections use.
	150	*/
	151	void
c7baff40	152	Auth::Negotiate::UserRequest::releaseAuthServer()
928f3421 AJ	153	{
	154	if (authserver) {
	155	debugs(29, 6, HERE << "releasing Negotiate auth server '" << authserver << "'");
	156	helperStatefulReleaseServer(authserver);
	157	authserver = NULL;
	158	} else
	159	debugs(29, 6, HERE << "No Negotiate auth server to release.");
	160	}
	161
928f3421	162	void
c7baff40	163	Auth::Negotiate::UserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, http_hdr_type type)
928f3421	164	{
7afc3bf2 AJ	165	assert(this);
	166
	167	/* Check that we are in the client side, where we can generate
	168	* auth challenges */
928f3421	169
7afc3bf2	170	if (conn == NULL \|\| !cbdataReferenceValid(conn)) {
d87154ee	171	user()->credentials(Auth::Failed);
928f3421 AJ	172	debugs(29, DBG_IMPORTANT, "WARNING: Negotiate Authentication attempt to perform authentication without a connection!");
	173	return;
	174	}
	175
	176	if (waiting) {
	177	debugs(29, DBG_IMPORTANT, "WARNING: Negotiate Authentication waiting for helper reply!");
	178	return;
	179	}
	180
	181	if (server_blob) {
	182	debugs(29, 2, HERE << "need to challenge client '" << server_blob << "'!");
	183	return;
	184	}
	185
	186	/* get header */
56a49fda	187	const char *proxy_auth = aRequest->header.getStr(type);
928f3421 AJ	188
928f3421 AJ	189	/* locate second word */
56a49fda	190	const char *blob = proxy_auth;
928f3421 AJ	191
	192	if (blob) {
	193	while (xisspace(blob) && blob)
742a021b	194	++blob;
928f3421 AJ	195
928f3421 AJ	196	while (!xisspace(blob) && blob)
742a021b	197	++blob;
928f3421 AJ	198
928f3421 AJ	199	while (xisspace(blob) && blob)
742a021b	200	++blob;
928f3421 AJ	201	}
928f3421 AJ	202
d232141d	203	switch (user()->credentials()) {
928f3421	204
d87154ee	205	case Auth::Unchecked:
928f3421 AJ	206	/* we've received a negotiate request. pass to a helper */
928f3421 AJ	207	debugs(29, 9, HERE << "auth state negotiate none. Received blob: '" << proxy_auth << "'");
d87154ee	208	user()->credentials(Auth::Pending);
928f3421 AJ	209	safe_free(client_blob);
928f3421 AJ	210	client_blob=xstrdup(blob);
cc1e110a AJ	211	assert(conn->getAuth() == NULL);
cc1e110a AJ	212	conn->setAuth(this, "new Negotiate handshake request");
928f3421 AJ	213	request = aRequest;
	214	HTTPMSGLOCK(request);
	215	break;
	216
d87154ee	217	case Auth::Pending:
e0236918	218	debugs(29, DBG_IMPORTANT, HERE << "need to ask helper");
928f3421 AJ	219	break;
928f3421 AJ	220
d87154ee	221	case Auth::Handshake:
928f3421 AJ	222	/* we should have received a blob from the client. Hand it off to
	223	* some helper */
	224	safe_free(client_blob);
	225	client_blob = xstrdup(blob);
	226	if (request)
	227	HTTPMSGUNLOCK(request);
	228	request = aRequest;
	229	HTTPMSGLOCK(request);
	230	break;
	231
d87154ee	232	case Auth::Ok:
c7baff40	233	fatal("Auth::Negotiate::UserRequest::authenticate: unexpected auth state DONE! Report a bug to the squid developers.\n");
928f3421 AJ	234	break;
928f3421 AJ	235
d87154ee	236	case Auth::Failed:
928f3421 AJ	237	/* we've failed somewhere in authentication */
	238	debugs(29, 9, HERE << "auth state negotiate failed. " << proxy_auth);
	239	break;
ec5858ff	240	}
928f3421 AJ	241	}
	242
	243	void
0272dd08	244	Auth::Negotiate::UserRequest::HandleReply(void *data, const HelperReply &reply)
928f3421	245	{
1c756645	246	Auth::StateData r = static_cast<Auth::StateData >(data);
928f3421	247
0272dd08	248	debugs(29, 8, HERE << "helper: '" << reply.whichServer << "' sent us reply=" << reply);
928f3421	249
1c756645	250	if (!cbdataReferenceValid(r->data)) {
0272dd08	251	debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication invalid callback data. helper '" << reply.whichServer << "'.");
1c756645	252	delete r;
928f3421	253	return;
ec5858ff	254	}
928f3421	255
c7baff40	256	Auth::UserRequest::Pointer auth_user_request = r->auth_user_request;
928f3421 AJ	257	assert(auth_user_request != NULL);
928f3421 AJ	258
71e7400c AJ	259	// add new helper kv-pair notes to the credentials object
	260	// so that any transaction using those credentials can access them
	261	auth_user_request->user()->notes.appendNewOnly(&reply.notes);
	262
c7baff40	263	Auth::Negotiate::UserRequest lm_request = dynamic_cast<Auth::Negotiate::UserRequest >(auth_user_request.getRaw());
7afc3bf2 AJ	264	assert(lm_request != NULL);
7afc3bf2 AJ	265	assert(lm_request->waiting);
928f3421	266
7afc3bf2 AJ	267	lm_request->waiting = 0;
7afc3bf2 AJ	268	safe_free(lm_request->client_blob);
928f3421	269
56a49fda	270	assert(auth_user_request->user() != NULL);
616cfc4c	271	assert(auth_user_request->user()->auth_type == Auth::AUTH_NEGOTIATE);
928f3421	272
7afc3bf2	273	if (lm_request->authserver == NULL)
0272dd08	274	lm_request->authserver = reply.whichServer.get(); // XXX: no locking?
928f3421	275	else
e166785a	276	assert(reply.whichServer == lm_request->authserver);
928f3421	277
dacb64b9	278	switch (reply.result) {
0272dd08 AJ	279	case HelperReply::TT:
0272dd08 AJ	280	/* we have been given a blob to send to the client */
7afc3bf2	281	safe_free(lm_request->server_blob);
e857372a	282	lm_request->request->flags.mustKeepalive = true;
450fe1cb	283	if (lm_request->request->flags.proxyKeepalive) {
cf9f0261 CT	284	const char *tokenNote = reply.notes.findFirst("token");
cf9f0261 CT	285	lm_request->server_blob = xstrdup(tokenNote);
d87154ee	286	auth_user_request->user()->credentials(Auth::Handshake);
928f3421	287	auth_user_request->denyMessage("Authentication in progress");
cf9f0261	288	debugs(29, 4, HERE << "Need to challenge the client with a server token: '" << tokenNote << "'");
928f3421	289	} else {
d87154ee	290	auth_user_request->user()->credentials(Auth::Failed);
d850d8ee	291	auth_user_request->denyMessage("Negotiate authentication requires a persistent connection");
928f3421	292	}
0272dd08	293	break;
928f3421	294
dacb64b9	295	case HelperReply::Okay: {
cf9f0261 CT	296	const char *userNote = reply.notes.findFirst("user");
cf9f0261 CT	297	const char *tokenNote = reply.notes.findFirst("token");
7bbefa01	298	if (userNote == NULL \|\| tokenNote == NULL) {
0272dd08 AJ	299	// XXX: handle a success with no username better
	300	/* protocol error */
	301	fatalf("authenticateNegotiateHandleReply: * Unsupported helper response *, '%s'\n", reply.other().content());
	302	break;
f207fe64	303	}
928f3421	304
0272dd08	305	/* we're finished, release the helper */
cf9f0261	306	auth_user_request->user()->username(userNote);
928f3421	307	auth_user_request->denyMessage("Login successful");
7afc3bf2	308	safe_free(lm_request->server_blob);
cf9f0261	309	lm_request->server_blob = xstrdup(tokenNote);
7afc3bf2	310	lm_request->releaseAuthServer();
928f3421 AJ	311
928f3421 AJ	312	/* connection is authenticated */
56a49fda	313	debugs(29, 4, HERE << "authenticated user " << auth_user_request->user()->username());
928f3421 AJ	314	/* see if this is an existing user with a different proxy_auth
928f3421 AJ	315	* string */
d4806c91	316	AuthUserHashPointer usernamehash = static_cast<AuthUserHashPointer >(hash_lookup(proxy_auth_username_cache, auth_user_request->user()->userKey()));
7afc3bf2	317	Auth::User::Pointer local_auth_user = lm_request->user();
616cfc4c	318	while (usernamehash && (usernamehash->user()->auth_type != Auth::AUTH_NEGOTIATE \|\|
d4806c91	319	strcmp(usernamehash->user()->userKey(), auth_user_request->user()->userKey()) != 0))
928f3421 AJ	320	usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
	321	if (usernamehash) {
	322	/* we can't seamlessly recheck the username due to the
	323	* challenge-response nature of the protocol.
56a49fda AJ	324	* Just free the temporary auth_user after merging as
56a49fda AJ	325	* much of it new state into the existing one as possible */
928f3421	326	usernamehash->user()->absorb(local_auth_user);
56a49fda	327	/* from here on we are working with the original cached credentials. */
58e94342 AJ	328	local_auth_user = usernamehash->user();
58e94342 AJ	329	auth_user_request->user(local_auth_user);
928f3421 AJ	330	} else {
	331	/* store user in hash's */
	332	local_auth_user->addToNameCache();
928f3421 AJ	333	}
	334	/* set these to now because this is either a new login from an
	335	* existing user or a new user */
	336	local_auth_user->expiretime = current_time.tv_sec;
58e94342	337	auth_user_request->user()->credentials(Auth::Ok);
7bbefa01	338	debugs(29, 4, HERE << "Successfully validated user via Negotiate. Username '" << auth_user_request->user()->username() << "'");
0272dd08	339	}
dacb64b9	340	break;
928f3421	341
7bbefa01	342	case HelperReply::Error: {
cf9f0261 CT	343	const char *messageNote = reply.notes.find("message");
cf9f0261 CT	344	const char *tokenNote = reply.notes.findFirst("token");
7bbefa01	345
0272dd08	346	/* authentication failure (wrong password, etc.) */
ff9a79c5	347	if (messageNote != NULL)
cf9f0261	348	auth_user_request->denyMessage(messageNote);
723fd4c1 AJ	349	else
723fd4c1 AJ	350	auth_user_request->denyMessage("Negotiate Authentication denied with no reason given");
7afc3bf2 AJ	351	auth_user_request->user()->credentials(Auth::Failed);
7afc3bf2 AJ	352	safe_free(lm_request->server_blob);
723fd4c1	353	if (tokenNote != NULL)
cf9f0261	354	lm_request->server_blob = xstrdup(tokenNote);
7afc3bf2	355	lm_request->releaseAuthServer();
87a122b0	356	debugs(29, 4, "Failed validating user via Negotiate. Result: " << reply);
7bbefa01 AJ	357	}
7bbefa01 AJ	358	break;
0272dd08 AJ	359
	360	case HelperReply::Unknown:
	361	debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication Helper '" << reply.whichServer << "' crashed!.");
0272dd08 AJ	362	/* continue to the next case */
0272dd08 AJ	363
7bbefa01	364	case HelperReply::BrokenHelper: {
928f3421 AJ	365	/* TODO kick off a refresh process. This can occur after a YR or after
	366	* a KK. If after a YR release the helper and resubmit the request via
	367	* Authenticate Negotiate start.
	368	* If after a KK deny the user's request w/ 407 and mark the helper as
	369	* Needing YR. */
cf9f0261	370	const char *errNote = reply.notes.find("message");
7bbefa01 AJ	371	if (reply.result == HelperReply::Unknown)
	372	auth_user_request->denyMessage("Internal Error");
	373	else if (errNote != NULL)
cf9f0261	374	auth_user_request->denyMessage(errNote);
7bbefa01 AJ	375	else
7bbefa01 AJ	376	auth_user_request->denyMessage("Negotiate Authentication failed with no reason given");
d87154ee	377	auth_user_request->user()->credentials(Auth::Failed);
7afc3bf2 AJ	378	safe_free(lm_request->server_blob);
7afc3bf2 AJ	379	lm_request->releaseAuthServer();
87a122b0	380	debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication validating user. Result: " << reply);
7bbefa01	381	} // break;
928f3421 AJ	382	}
928f3421 AJ	383
b4eca36b DW	384	if (lm_request->request) {
	385	HTTPMSGUNLOCK(lm_request->request);
	386	lm_request->request = NULL;
	387	}
4c535e87	388	r->handler(r->data);
1c756645	389	delete r;
928f3421 AJ	390	}
928f3421 AJ	391
7afc3bf2	392	void
c7baff40	393	Auth::Negotiate::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
7afc3bf2 AJ	394	{
	395	http_hdr_type type;
	396
	397	if (!server_blob)
	398	return;
	399
	400	/* don't add to authentication error pages */
9b769c67 AJ	401	if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
9b769c67 AJ	402	\|\| (accel && rep->sline.status() == Http::scUnauthorized))
7afc3bf2 AJ	403	return;
	404
	405	type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
	406	httpHeaderPutStrf(&rep->header, type, "Negotiate %s", server_blob);
	407
	408	safe_free(server_blob);
	409	}