]>
Commit | Line | Data |
---|---|---|
bbc27441 AJ |
1 | /* |
2 | * Copyright (C) 1996-2014 The Squid Software Foundation and contributors | |
3 | * | |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
f7f3304a | 9 | #include "squid.h" |
d4806c91 | 10 | #include "AccessLogEntry.h" |
928f3421 | 11 | #include "auth/negotiate/auth_negotiate.h" |
616cfc4c | 12 | #include "auth/negotiate/UserRequest.h" |
aa110616 | 13 | #include "auth/State.h" |
928f3421 | 14 | #include "auth/User.h" |
582c2af2 | 15 | #include "client_side.h" |
86c63190 | 16 | #include "format/Format.h" |
582c2af2 | 17 | #include "globals.h" |
928f3421 | 18 | #include "helper.h" |
a5bac1d2 | 19 | #include "HttpHeaderTools.h" |
928f3421 AJ |
20 | #include "HttpReply.h" |
21 | #include "HttpRequest.h" | |
d4806c91 | 22 | #include "MemBuf.h" |
928f3421 AJ |
23 | #include "SquidTime.h" |
24 | ||
c7baff40 | 25 | Auth::Negotiate::UserRequest::UserRequest() |
928f3421 AJ |
26 | { |
27 | waiting=0; | |
28 | client_blob=0; | |
29 | server_blob=0; | |
30 | authserver=NULL; | |
31 | request=NULL; | |
32 | } | |
33 | ||
c7baff40 | 34 | Auth::Negotiate::UserRequest::~UserRequest() |
928f3421 | 35 | { |
8bf217bd | 36 | assert(LockCount()==0); |
928f3421 AJ |
37 | safe_free(server_blob); |
38 | safe_free(client_blob); | |
39 | ||
7afc3bf2 AJ |
40 | releaseAuthServer(); |
41 | ||
928f3421 AJ |
42 | if (request) { |
43 | HTTPMSGUNLOCK(request); | |
44 | request = NULL; | |
45 | } | |
46 | } | |
47 | ||
48 | const char * | |
c7baff40 | 49 | Auth::Negotiate::UserRequest::connLastHeader() |
928f3421 AJ |
50 | { |
51 | return NULL; | |
52 | } | |
53 | ||
54 | int | |
c7baff40 | 55 | Auth::Negotiate::UserRequest::authenticated() const |
928f3421 | 56 | { |
d87154ee | 57 | if (user() != NULL && user()->credentials() == Auth::Ok) { |
928f3421 AJ |
58 | debugs(29, 9, HERE << "user authenticated."); |
59 | return 1; | |
60 | } | |
61 | ||
62 | debugs(29, 9, HERE << "user not fully authenticated."); | |
63 | return 0; | |
64 | } | |
65 | ||
d4806c91 CT |
66 | const char * |
67 | Auth::Negotiate::UserRequest::credentialsStr() | |
68 | { | |
69 | static char buf[MAX_AUTHTOKEN_LEN]; | |
70 | if (user()->credentials() == Auth::Pending) { | |
71 | snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here? | |
72 | } else { | |
73 | snprintf(buf, sizeof(buf), "KK %s\n", client_blob); | |
74 | } | |
75 | return buf; | |
76 | } | |
77 | ||
51a3dd58 | 78 | Auth::Direction |
c7baff40 | 79 | Auth::Negotiate::UserRequest::module_direction() |
928f3421 | 80 | { |
c7baff40 | 81 | /* null auth_user is checked for by Auth::UserRequest::direction() */ |
928f3421 AJ |
82 | |
83 | if (waiting || client_blob) | |
51a3dd58 | 84 | return Auth::CRED_LOOKUP; /* need helper response to continue */ |
928f3421 | 85 | |
616cfc4c | 86 | if (user()->auth_type != Auth::AUTH_NEGOTIATE) |
51a3dd58 | 87 | return Auth::CRED_ERROR; |
928f3421 | 88 | |
d232141d | 89 | switch (user()->credentials()) { |
928f3421 | 90 | |
d87154ee | 91 | case Auth::Handshake: |
928f3421 | 92 | assert(server_blob); |
51a3dd58 | 93 | return Auth::CRED_CHALLENGE; |
928f3421 | 94 | |
d87154ee | 95 | case Auth::Ok: |
51a3dd58 | 96 | return Auth::CRED_VALID; |
928f3421 | 97 | |
d87154ee | 98 | case Auth::Failed: |
51a3dd58 | 99 | return Auth::CRED_ERROR; // XXX: really? not VALID or CHALLENGE? |
928f3421 | 100 | |
d232141d AJ |
101 | default: |
102 | debugs(29, DBG_IMPORTANT, "WARNING: Negotiate Authentication in unexpected state: " << user()->credentials()); | |
51a3dd58 | 103 | return Auth::CRED_ERROR; |
d232141d | 104 | } |
928f3421 AJ |
105 | } |
106 | ||
928f3421 | 107 | void |
30c3f584 | 108 | Auth::Negotiate::UserRequest::startHelperLookup(HttpRequest *req, AccessLogEntry::Pointer &al, AUTHCB * handler, void *data) |
928f3421 | 109 | { |
928f3421 | 110 | static char buf[MAX_AUTHTOKEN_LEN]; |
928f3421 AJ |
111 | |
112 | assert(data); | |
113 | assert(handler); | |
928f3421 | 114 | |
56a49fda | 115 | assert(user() != NULL); |
616cfc4c | 116 | assert(user()->auth_type == Auth::AUTH_NEGOTIATE); |
928f3421 | 117 | |
372fccd6 | 118 | if (static_cast<Auth::Negotiate::Config*>(Auth::Config::Find("negotiate"))->authenticateProgram == NULL) { |
928f3421 | 119 | debugs(29, DBG_CRITICAL, "ERROR: No Negotiate authentication program configured."); |
4c535e87 | 120 | handler(data); |
928f3421 AJ |
121 | return; |
122 | } | |
123 | ||
7afc3bf2 AJ |
124 | debugs(29, 8, HERE << "credentials state is '" << user()->credentials() << "'"); |
125 | ||
d4806c91 | 126 | const char *keyExtras = helperRequestKeyExtras(request, al); |
d87154ee | 127 | if (user()->credentials() == Auth::Pending) { |
d4806c91 CT |
128 | if (keyExtras) |
129 | snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras); | |
130 | else | |
131 | snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here? | |
928f3421 | 132 | } else { |
d4806c91 CT |
133 | if (keyExtras) |
134 | snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras); | |
135 | else | |
136 | snprintf(buf, sizeof(buf), "KK %s\n", client_blob); | |
928f3421 AJ |
137 | } |
138 | ||
139 | waiting = 1; | |
140 | ||
141 | safe_free(client_blob); | |
1c756645 | 142 | |
c7baff40 | 143 | helperStatefulSubmit(negotiateauthenticators, buf, Auth::Negotiate::UserRequest::HandleReply, |
1c756645 | 144 | new Auth::StateData(this, handler, data), authserver); |
928f3421 AJ |
145 | } |
146 | ||
147 | /** | |
148 | * Atomic action: properly release the Negotiate auth helpers which may have been reserved | |
149 | * for this request connections use. | |
150 | */ | |
151 | void | |
c7baff40 | 152 | Auth::Negotiate::UserRequest::releaseAuthServer() |
928f3421 AJ |
153 | { |
154 | if (authserver) { | |
155 | debugs(29, 6, HERE << "releasing Negotiate auth server '" << authserver << "'"); | |
156 | helperStatefulReleaseServer(authserver); | |
157 | authserver = NULL; | |
158 | } else | |
159 | debugs(29, 6, HERE << "No Negotiate auth server to release."); | |
160 | } | |
161 | ||
928f3421 | 162 | void |
c7baff40 | 163 | Auth::Negotiate::UserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, http_hdr_type type) |
928f3421 | 164 | { |
7afc3bf2 AJ |
165 | assert(this); |
166 | ||
167 | /* Check that we are in the client side, where we can generate | |
168 | * auth challenges */ | |
928f3421 | 169 | |
7afc3bf2 | 170 | if (conn == NULL || !cbdataReferenceValid(conn)) { |
d87154ee | 171 | user()->credentials(Auth::Failed); |
928f3421 AJ |
172 | debugs(29, DBG_IMPORTANT, "WARNING: Negotiate Authentication attempt to perform authentication without a connection!"); |
173 | return; | |
174 | } | |
175 | ||
176 | if (waiting) { | |
177 | debugs(29, DBG_IMPORTANT, "WARNING: Negotiate Authentication waiting for helper reply!"); | |
178 | return; | |
179 | } | |
180 | ||
181 | if (server_blob) { | |
182 | debugs(29, 2, HERE << "need to challenge client '" << server_blob << "'!"); | |
183 | return; | |
184 | } | |
185 | ||
186 | /* get header */ | |
56a49fda | 187 | const char *proxy_auth = aRequest->header.getStr(type); |
928f3421 AJ |
188 | |
189 | /* locate second word */ | |
56a49fda | 190 | const char *blob = proxy_auth; |
928f3421 AJ |
191 | |
192 | if (blob) { | |
193 | while (xisspace(*blob) && *blob) | |
742a021b | 194 | ++blob; |
928f3421 AJ |
195 | |
196 | while (!xisspace(*blob) && *blob) | |
742a021b | 197 | ++blob; |
928f3421 AJ |
198 | |
199 | while (xisspace(*blob) && *blob) | |
742a021b | 200 | ++blob; |
928f3421 AJ |
201 | } |
202 | ||
d232141d | 203 | switch (user()->credentials()) { |
928f3421 | 204 | |
d87154ee | 205 | case Auth::Unchecked: |
928f3421 AJ |
206 | /* we've received a negotiate request. pass to a helper */ |
207 | debugs(29, 9, HERE << "auth state negotiate none. Received blob: '" << proxy_auth << "'"); | |
d87154ee | 208 | user()->credentials(Auth::Pending); |
928f3421 AJ |
209 | safe_free(client_blob); |
210 | client_blob=xstrdup(blob); | |
cc1e110a AJ |
211 | assert(conn->getAuth() == NULL); |
212 | conn->setAuth(this, "new Negotiate handshake request"); | |
928f3421 AJ |
213 | request = aRequest; |
214 | HTTPMSGLOCK(request); | |
215 | break; | |
216 | ||
d87154ee | 217 | case Auth::Pending: |
e0236918 | 218 | debugs(29, DBG_IMPORTANT, HERE << "need to ask helper"); |
928f3421 AJ |
219 | break; |
220 | ||
d87154ee | 221 | case Auth::Handshake: |
928f3421 AJ |
222 | /* we should have received a blob from the client. Hand it off to |
223 | * some helper */ | |
224 | safe_free(client_blob); | |
225 | client_blob = xstrdup(blob); | |
226 | if (request) | |
227 | HTTPMSGUNLOCK(request); | |
228 | request = aRequest; | |
229 | HTTPMSGLOCK(request); | |
230 | break; | |
231 | ||
d87154ee | 232 | case Auth::Ok: |
c7baff40 | 233 | fatal("Auth::Negotiate::UserRequest::authenticate: unexpected auth state DONE! Report a bug to the squid developers.\n"); |
928f3421 AJ |
234 | break; |
235 | ||
d87154ee | 236 | case Auth::Failed: |
928f3421 AJ |
237 | /* we've failed somewhere in authentication */ |
238 | debugs(29, 9, HERE << "auth state negotiate failed. " << proxy_auth); | |
239 | break; | |
ec5858ff | 240 | } |
928f3421 AJ |
241 | } |
242 | ||
243 | void | |
0272dd08 | 244 | Auth::Negotiate::UserRequest::HandleReply(void *data, const HelperReply &reply) |
928f3421 | 245 | { |
1c756645 | 246 | Auth::StateData *r = static_cast<Auth::StateData *>(data); |
928f3421 | 247 | |
0272dd08 | 248 | debugs(29, 8, HERE << "helper: '" << reply.whichServer << "' sent us reply=" << reply); |
928f3421 | 249 | |
1c756645 | 250 | if (!cbdataReferenceValid(r->data)) { |
0272dd08 | 251 | debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication invalid callback data. helper '" << reply.whichServer << "'."); |
1c756645 | 252 | delete r; |
928f3421 | 253 | return; |
ec5858ff | 254 | } |
928f3421 | 255 | |
c7baff40 | 256 | Auth::UserRequest::Pointer auth_user_request = r->auth_user_request; |
928f3421 AJ |
257 | assert(auth_user_request != NULL); |
258 | ||
71e7400c AJ |
259 | // add new helper kv-pair notes to the credentials object |
260 | // so that any transaction using those credentials can access them | |
261 | auth_user_request->user()->notes.appendNewOnly(&reply.notes); | |
262 | ||
c7baff40 | 263 | Auth::Negotiate::UserRequest *lm_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw()); |
7afc3bf2 AJ |
264 | assert(lm_request != NULL); |
265 | assert(lm_request->waiting); | |
928f3421 | 266 | |
7afc3bf2 AJ |
267 | lm_request->waiting = 0; |
268 | safe_free(lm_request->client_blob); | |
928f3421 | 269 | |
56a49fda | 270 | assert(auth_user_request->user() != NULL); |
616cfc4c | 271 | assert(auth_user_request->user()->auth_type == Auth::AUTH_NEGOTIATE); |
928f3421 | 272 | |
7afc3bf2 | 273 | if (lm_request->authserver == NULL) |
0272dd08 | 274 | lm_request->authserver = reply.whichServer.get(); // XXX: no locking? |
928f3421 | 275 | else |
e166785a | 276 | assert(reply.whichServer == lm_request->authserver); |
928f3421 | 277 | |
dacb64b9 | 278 | switch (reply.result) { |
0272dd08 AJ |
279 | case HelperReply::TT: |
280 | /* we have been given a blob to send to the client */ | |
7afc3bf2 | 281 | safe_free(lm_request->server_blob); |
e857372a | 282 | lm_request->request->flags.mustKeepalive = true; |
450fe1cb | 283 | if (lm_request->request->flags.proxyKeepalive) { |
cf9f0261 CT |
284 | const char *tokenNote = reply.notes.findFirst("token"); |
285 | lm_request->server_blob = xstrdup(tokenNote); | |
d87154ee | 286 | auth_user_request->user()->credentials(Auth::Handshake); |
928f3421 | 287 | auth_user_request->denyMessage("Authentication in progress"); |
cf9f0261 | 288 | debugs(29, 4, HERE << "Need to challenge the client with a server token: '" << tokenNote << "'"); |
928f3421 | 289 | } else { |
d87154ee | 290 | auth_user_request->user()->credentials(Auth::Failed); |
d850d8ee | 291 | auth_user_request->denyMessage("Negotiate authentication requires a persistent connection"); |
928f3421 | 292 | } |
0272dd08 | 293 | break; |
928f3421 | 294 | |
dacb64b9 | 295 | case HelperReply::Okay: { |
cf9f0261 CT |
296 | const char *userNote = reply.notes.findFirst("user"); |
297 | const char *tokenNote = reply.notes.findFirst("token"); | |
7bbefa01 | 298 | if (userNote == NULL || tokenNote == NULL) { |
0272dd08 AJ |
299 | // XXX: handle a success with no username better |
300 | /* protocol error */ | |
301 | fatalf("authenticateNegotiateHandleReply: *** Unsupported helper response ***, '%s'\n", reply.other().content()); | |
302 | break; | |
f207fe64 | 303 | } |
928f3421 | 304 | |
0272dd08 | 305 | /* we're finished, release the helper */ |
cf9f0261 | 306 | auth_user_request->user()->username(userNote); |
928f3421 | 307 | auth_user_request->denyMessage("Login successful"); |
7afc3bf2 | 308 | safe_free(lm_request->server_blob); |
cf9f0261 | 309 | lm_request->server_blob = xstrdup(tokenNote); |
7afc3bf2 | 310 | lm_request->releaseAuthServer(); |
928f3421 AJ |
311 | |
312 | /* connection is authenticated */ | |
56a49fda | 313 | debugs(29, 4, HERE << "authenticated user " << auth_user_request->user()->username()); |
928f3421 AJ |
314 | /* see if this is an existing user with a different proxy_auth |
315 | * string */ | |
d4806c91 | 316 | AuthUserHashPointer *usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, auth_user_request->user()->userKey())); |
7afc3bf2 | 317 | Auth::User::Pointer local_auth_user = lm_request->user(); |
616cfc4c | 318 | while (usernamehash && (usernamehash->user()->auth_type != Auth::AUTH_NEGOTIATE || |
d4806c91 | 319 | strcmp(usernamehash->user()->userKey(), auth_user_request->user()->userKey()) != 0)) |
928f3421 AJ |
320 | usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next); |
321 | if (usernamehash) { | |
322 | /* we can't seamlessly recheck the username due to the | |
323 | * challenge-response nature of the protocol. | |
56a49fda AJ |
324 | * Just free the temporary auth_user after merging as |
325 | * much of it new state into the existing one as possible */ | |
928f3421 | 326 | usernamehash->user()->absorb(local_auth_user); |
56a49fda | 327 | /* from here on we are working with the original cached credentials. */ |
58e94342 AJ |
328 | local_auth_user = usernamehash->user(); |
329 | auth_user_request->user(local_auth_user); | |
928f3421 AJ |
330 | } else { |
331 | /* store user in hash's */ | |
332 | local_auth_user->addToNameCache(); | |
928f3421 AJ |
333 | } |
334 | /* set these to now because this is either a new login from an | |
335 | * existing user or a new user */ | |
336 | local_auth_user->expiretime = current_time.tv_sec; | |
58e94342 | 337 | auth_user_request->user()->credentials(Auth::Ok); |
7bbefa01 | 338 | debugs(29, 4, HERE << "Successfully validated user via Negotiate. Username '" << auth_user_request->user()->username() << "'"); |
0272dd08 | 339 | } |
dacb64b9 | 340 | break; |
928f3421 | 341 | |
7bbefa01 | 342 | case HelperReply::Error: { |
cf9f0261 CT |
343 | const char *messageNote = reply.notes.find("message"); |
344 | const char *tokenNote = reply.notes.findFirst("token"); | |
7bbefa01 | 345 | |
0272dd08 | 346 | /* authentication failure (wrong password, etc.) */ |
ff9a79c5 | 347 | if (messageNote != NULL) |
cf9f0261 | 348 | auth_user_request->denyMessage(messageNote); |
723fd4c1 AJ |
349 | else |
350 | auth_user_request->denyMessage("Negotiate Authentication denied with no reason given"); | |
7afc3bf2 AJ |
351 | auth_user_request->user()->credentials(Auth::Failed); |
352 | safe_free(lm_request->server_blob); | |
723fd4c1 | 353 | if (tokenNote != NULL) |
cf9f0261 | 354 | lm_request->server_blob = xstrdup(tokenNote); |
7afc3bf2 | 355 | lm_request->releaseAuthServer(); |
87a122b0 | 356 | debugs(29, 4, "Failed validating user via Negotiate. Result: " << reply); |
7bbefa01 AJ |
357 | } |
358 | break; | |
0272dd08 AJ |
359 | |
360 | case HelperReply::Unknown: | |
361 | debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication Helper '" << reply.whichServer << "' crashed!."); | |
0272dd08 AJ |
362 | /* continue to the next case */ |
363 | ||
7bbefa01 | 364 | case HelperReply::BrokenHelper: { |
928f3421 AJ |
365 | /* TODO kick off a refresh process. This can occur after a YR or after |
366 | * a KK. If after a YR release the helper and resubmit the request via | |
367 | * Authenticate Negotiate start. | |
368 | * If after a KK deny the user's request w/ 407 and mark the helper as | |
369 | * Needing YR. */ | |
cf9f0261 | 370 | const char *errNote = reply.notes.find("message"); |
7bbefa01 AJ |
371 | if (reply.result == HelperReply::Unknown) |
372 | auth_user_request->denyMessage("Internal Error"); | |
373 | else if (errNote != NULL) | |
cf9f0261 | 374 | auth_user_request->denyMessage(errNote); |
7bbefa01 AJ |
375 | else |
376 | auth_user_request->denyMessage("Negotiate Authentication failed with no reason given"); | |
d87154ee | 377 | auth_user_request->user()->credentials(Auth::Failed); |
7afc3bf2 AJ |
378 | safe_free(lm_request->server_blob); |
379 | lm_request->releaseAuthServer(); | |
87a122b0 | 380 | debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication validating user. Result: " << reply); |
7bbefa01 | 381 | } // break; |
928f3421 AJ |
382 | } |
383 | ||
b4eca36b DW |
384 | if (lm_request->request) { |
385 | HTTPMSGUNLOCK(lm_request->request); | |
386 | lm_request->request = NULL; | |
387 | } | |
4c535e87 | 388 | r->handler(r->data); |
1c756645 | 389 | delete r; |
928f3421 AJ |
390 | } |
391 | ||
7afc3bf2 | 392 | void |
c7baff40 | 393 | Auth::Negotiate::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel) |
7afc3bf2 AJ |
394 | { |
395 | http_hdr_type type; | |
396 | ||
397 | if (!server_blob) | |
398 | return; | |
399 | ||
400 | /* don't add to authentication error pages */ | |
9b769c67 AJ |
401 | if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired) |
402 | || (accel && rep->sline.status() == Http::scUnauthorized)) | |
7afc3bf2 AJ |
403 | return; |
404 | ||
405 | type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO; | |
406 | httpHeaderPutStrf(&rep->header, type, "Negotiate %s", server_blob); | |
407 | ||
408 | safe_free(server_blob); | |
409 | } |