6bf4f823 | 1 | /* |
262a0e14 | 2 | * $Id$ |
6bf4f823 | 3 | * |
4 | * DEBUG: section 29 Negotiate Authenticator | |
5 | * AUTHOR: Robert Collins, Henrik Nordstrom, Francesco Chemolli | |
6 | * | |
7 | * SQUID Web Proxy Cache http://www.squid-cache.org/ | |
8 | * ---------------------------------------------------------- | |
9 | * | |
10 | * Squid is the result of efforts by numerous individuals from | |
11 | * the Internet community; see the CONTRIBUTORS file for full | |
12 | * details. Many organizations have provided support for Squid's | |
13 | * development; see the SPONSORS file for full details. Squid is | |
14 | * Copyrighted (C) 2001 by the Regents of the University of | |
15 | * California; see the COPYRIGHT file for full details. Squid | |
16 | * incorporates software developed and/or copyrighted by other | |
17 | * sources; see the CREDITS file for full details. | |
18 | * | |
19 | * This program is free software; you can redistribute it and/or modify | |
20 | * it under the terms of the GNU General Public License as published by | |
21 | * the Free Software Foundation; either version 2 of the License, or | |
22 | * (at your option) any later version. | |
26ac0430 | 23 | * |
6bf4f823 | 24 | * This program is distributed in the hope that it will be useful, |
25 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
26 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
27 | * GNU General Public License for more details. | |
26ac0430 | 28 | * |
6bf4f823 | 29 | * You should have received a copy of the GNU General Public License |
30 | * along with this program; if not, write to the Free Software | |
31 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
32 | * | |
33 | */ | |
34 | ||
35 | /* The functions in this file handle authentication. | |
36 | * They DO NOT perform access control or auditing. | |
37 | * See acl.c for access control and client_side.c for auditing */ | |
38 | ||
39 | ||
40 | #include "squid.h" | |
41 | #include "auth_negotiate.h" | |
3ad63615 | 42 | #include "auth/Gadgets.h" |
62ee09ca | 43 | #include "CacheManager.h" |
6bf4f823 | 44 | #include "Store.h" |
45 | #include "client_side.h" | |
46 | #include "HttpReply.h" | |
47 | #include "HttpRequest.h" | |
cc192b50 | 48 | #include "SquidTime.h" |
63be0a78 | 49 | /** \todo remove this include */ |
6bf4f823 | 50 | #include "negotiateScheme.h" |
d295d770 | 51 | #include "wordlist.h" |
6bf4f823 | 52 | |
63be0a78 | 53 | /** |
54 | \defgroup AuthNegotiateInternal Negotiate Authenticator Internals | |
55 | \ingroup AuthNegotiateAPI | |
56 | */ | |
57 | ||
/**
 * Maximum length (buffer size) for token strings.
 *
 * This bounds the whole helper request line ("YR <token>\n" / "KK <token>\n")
 * that AuthNegotiateUserRequest::module_start() builds into a static buffer,
 * not just the bare token; a token that does not leave room for the prefix
 * and the newline cannot be sent to the helper.
 */
// AYJ: must match re-definition in helpers/negotiate_auth/squid_kerb_auth/squid_kerb_auth.c
#define MAX_AUTHTOKEN_LEN 32768
63 | ||
6bf4f823 | 64 | |
/// \ingroup AuthNegotiateInternal
/// Dispose of the per-helper-call state record: drops the lock on the
/// AuthUserRequest that module_start() took under the tag "r", then frees
/// the cbdata record itself.
static void
authenticateStateFree(authenticateStateData * r)
{
    AUTHUSERREQUESTUNLOCK(r->auth_user_request, "r");
    cbdataFree(r);
}
72 | ||
/* Negotiate Scheme */
/* helper-reply callback and cachemgr statistics page, defined below */
static HLPSCB authenticateNegotiateHandleReply;
static AUTHSSTATS authenticateNegotiateStats;

/// \ingroup AuthNegotiateInternal
/// The pool of stateful negotiate helper processes. Created and started in
/// AuthNegotiateConfig::init(), shut down (and on exit freed) in
/// negotiateScheme::done().
static statefulhelper *negotiateauthenticators = NULL;

CBDATA_TYPE(authenticateStateData);

/// \ingroup AuthNegotiateInternal
/// 1 once init() has started the helpers, 0 again after done();
/// this is what AuthNegotiateConfig::active() reports.
static int authnegotiate_initialised = 0;

/// \ingroup AuthNegotiateInternal
/// The single configuration instance returned by negotiateScheme::createConfig().
static auth_negotiate_config negotiateConfig;

/// \ingroup AuthNegotiateInternal
/// Created in init() but not otherwise used in this file (user lookups go
/// through proxy_auth_username_cache instead).
static hash_table *proxy_auth_cache = NULL;
90 | ||
91 | /* | |
92 | * | |
93 | * Private Functions | |
94 | * | |
95 | */ | |
96 | ||
/**
 \ingroup AuthNegotiateInternal
 \todo move to negotiateScheme.cc
 */
void
negotiateScheme::done()
{
    /* TODO: this should be a Config call. */
    debugs(29, 2, "negotiateScheme::done: shutting down Negotiate authentication.");

    /* stop the helper children in every case; the pool object itself is
     * only released when the whole process is going down */
    if (negotiateauthenticators != NULL)
        helperStatefulShutdown(negotiateauthenticators);

    authnegotiate_initialised = 0;

    if (shutting_down) {
        if (negotiateauthenticators != NULL)
            helperStatefulFree(negotiateauthenticators);

        negotiateauthenticators = NULL;

        debugs(29, 2, "negotiateScheme::done: Negotiate authentication Shutdown.");
    }
}
122 | ||
/* release the parsed "auth_param negotiate program" command line, if any */
void
AuthNegotiateConfig::done()
{
    if (authenticate == NULL)
        return;

    wordlistDestroy(&authenticate);
}
129 | ||
/* write this scheme's settings back out in squid.conf "auth_param" syntax */
void
AuthNegotiateConfig::dump(StoreEntry * entry, const char *name, AuthConfig * scheme)
{
    storeAppendPrintf(entry, "%s %s", name, "negotiate");

    /* the program line: helper path followed by each of its arguments */
    for (const wordlist *word = authenticate; word != NULL; word = word->next)
        storeAppendPrintf(entry, " %s", word->key);

    storeAppendPrintf(entry, "\n%s negotiate children %d\n",
                      name, authenticateChildren);
    storeAppendPrintf(entry, "%s %s keep_alive %s\n", name, "negotiate", keep_alive ? "on" : "off");
}
146 | ||
/* defaults when no auth_param line overrides them: 5 helper children, keep_alive on */
AuthNegotiateConfig::AuthNegotiateConfig() : authenticateChildren(5), keep_alive(1)
{ }
149 | ||
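/*
 * Handle one "auth_param negotiate <param> ..." configuration line.
 *   program    - helper command line (pathname followed by its arguments)
 *   children   - number of helper processes to start
 *   keep_alive - whether to keep the connection open after a bare challenge
 * Unrecognised parameters are reported and ignored.
 */
void
AuthNegotiateConfig::parse(AuthConfig * scheme, int n_configured, char *param_str)
{
    if (strcasecmp(param_str, "program") == 0) {
        if (authenticate)
            wordlistDestroy(&authenticate);

        parse_wordlist(&authenticate);

        /* "auth_param negotiate program" with nothing after it can leave the
         * list empty; report that rather than dereferencing a NULL list head. */
        if (authenticate == NULL) {
            debugs(29, 0, "AuthNegotiateConfig::parse: 'auth_param negotiate program' requires a helper pathname");
            return;
        }

        requirePathnameExists("auth_param negotiate program", authenticate->key);
    } else if (strcasecmp(param_str, "children") == 0) {
        parse_int(&authenticateChildren);
    } else if (strcasecmp(param_str, "keep_alive") == 0) {
        parse_onoff(&keep_alive);
    } else {
        debugs(29, 0, "AuthNegotiateConfig::parse: unrecognised negotiate auth scheme parameter '" << param_str << "'");
    }

    /*
     * disable client side request pipelining. There is a race with
     * Negotiate when the client sends a second request on an Negotiate
     * connection before the authenticate challenge is sent. With
     * this patch, the client may fail to authenticate, but squid's
     * state will be preserved. Caveats: this should be a post-parse
     * test, but that can wait for the modular parser to be integrated.
     */
    if (authenticate)
        Config.onoff.pipeline_prefetch = 0;
}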
179 | ||
/* the scheme name this config belongs to, as reported by the scheme singleton */
const char *
AuthNegotiateConfig::type() const
{
    return negotiateScheme::GetInstance().type();
}
185 | ||
/**
 * Initialize helpers and the like for this auth scheme.
 * Called AFTER parsing the config file
 */
void
AuthNegotiateConfig::init(AuthConfig * scheme)
{
    /* nothing to start when no helper program was configured */
    if (authenticate == NULL)
        return;

    authnegotiate_initialised = 1;

    if (negotiateauthenticators == NULL)
        negotiateauthenticators = helperStatefulCreate("negotiateauthenticator");

    if (proxy_auth_cache == NULL)
        proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);

    assert(proxy_auth_cache);

    /* (re)apply the parsed settings to the pool, then start the children */
    negotiateauthenticators->cmdline = authenticate;
    negotiateauthenticators->n_to_start = authenticateChildren;
    negotiateauthenticators->ipc_type = IPC_STREAM;
    helperStatefulOpenServers(negotiateauthenticators);

    CBDATA_INIT_TYPE(authenticateStateData);
}
216 | ||
/* expose helper statistics as the "negotiateauthenticator" cache manager page
 * (the trailing 0, 1 are registerAction()'s flag arguments; see CacheManager.h) */
void
AuthNegotiateConfig::registerWithCacheManager(void)
{
    CacheManager::GetInstance()->
    registerAction("negotiateauthenticator",
                   "Negotiate User Authenticator Stats",
                   authenticateNegotiateStats, 0, 1);
}
225 | ||
/* true between init() starting the helpers and done() stopping them */
bool
AuthNegotiateConfig::active() const
{
    const bool started = (authnegotiate_initialised == 1);
    return started;
}
231 | ||
/* a usable configuration needs both a helper program and a non-zero child count */
bool
AuthNegotiateConfig::configured() const
{
    const bool haveProgram = (authenticate != NULL);
    const bool haveChildren = (authenticateChildren != 0);

    if (haveProgram && haveChildren) {
        debugs(29, 9, "AuthNegotiateConfig::configured: returning configured");
        return true;
    }

    debugs(29, 9, "AuthNegotiateConfig::configured: returning unconfigured");
    return false;
}
243 | ||
/* Negotiate Scheme */
/* See AuthUserRequest.cc::authenticateDirection for return values */
int
AuthNegotiateUserRequest::module_direction()
{
    /* null auth_user is checked for by authenticateDirection */

    /* a helper round trip is pending, or a client token is queued for one */
    if (waiting)
        return -1;

    if (client_blob)
        return -1;

    switch (auth_state) {

    case AUTHENTICATE_STATE_IN_PROGRESS:
        /* the helper produced a token; it has to be sent to the client */
        assert(server_blob);
        return 1;

    case AUTHENTICATE_STATE_DONE:
        return 0; /* do nothing */

    case AUTHENTICATE_STATE_NONE:
        /* no progress at all. */
        debugs(29, 1, "AuthNegotiateUserRequest::direction: called before Negotiate Authenticate for request " << this << "!. Report a bug to squid-dev.");
        return -2; /* error */

    case AUTHENTICATE_STATE_INITIAL:
        debugs(29, 1, "AuthNegotiateUserRequest::direction: Unexpected AUTHENTICATE_STATE_INITIAL");
        return -2;

    case AUTHENTICATE_STATE_FAILED:
        return -2; /* error */
    }

    return -2;
}
280 | ||
/* add the [proxy]authorisation header */
/* Emits the final helper token (the one an "AF" reply carried) as a
 * [Proxy-]Authentication-Info header on a successful reply, then forgets it. */
void
AuthNegotiateUserRequest::addHeader(HttpReply * rep, int accel)
{
    if (server_blob == NULL)
        return;

    /* don't add to authentication error pages */
    if (rep->sline.status == (accel ? HTTP_UNAUTHORIZED : HTTP_PROXY_AUTHENTICATION_REQUIRED))
        return;

    const http_hdr_type type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
    httpHeaderPutStrf(&rep->header, type, "Negotiate %s", server_blob);

    safe_free(server_blob);
}
302 | ||
/*
 * Add the "[Proxy-]Authenticate: Negotiate ..." challenge to an
 * authentication-required reply.
 *
 * auth_user_request - NULL for a request that carried no credentials,
 *                     otherwise the in-flight negotiate exchange
 * rep               - the 401/407 reply being built
 * reqType           - which header to emit (proxy or origin variant)
 * request           - the client request; its keepalive flags may be cleared
 *
 * The challenge is a bare "Negotiate" for a new exchange and
 * "Negotiate <token>" when the helper produced a token to pass on; the
 * token is consumed (freed) once emitted.
 */
void
AuthNegotiateConfig::fixHeader(AuthUserRequest *auth_user_request, HttpReply *rep, http_hdr_type reqType, HttpRequest * request)
{
    AuthNegotiateUserRequest *negotiate_request;

    if (!authenticate)
        return;

    /* Need keep-alive */
    /* the exchange is bound to the connection; if the connection cannot be
     * kept alive but the exchange needs it, there is no point challenging */
    if (!request->flags.proxy_keepalive && request->flags.must_keepalive)
        return;

    /* New request, no user details */
    if (auth_user_request == NULL) {
        debugs(29, 9, "AuthNegotiateConfig::fixHeader: Sending type:" << reqType << " header: 'Negotiate'");
        httpHeaderPutStrf(&rep->header, reqType, "Negotiate");

        if (!keep_alive) {
            /* drop the connection */
            rep->header.delByName("keep-alive");
            request->flags.proxy_keepalive = 0;
        }
    } else {
        negotiate_request = dynamic_cast<AuthNegotiateUserRequest *>(auth_user_request);

        assert(negotiate_request != NULL);

        switch (negotiate_request->auth_state) {

        case AUTHENTICATE_STATE_FAILED:
            /* here it makes sense to drop the connection, as auth is
             * tied to it, even if MAYBE the client could handle it - Kinkie */
            rep->header.delByName("keep-alive");
            request->flags.proxy_keepalive = 0;
            /* fall through */

        case AUTHENTICATE_STATE_DONE:
            /* Special case: authentication finished OK but disallowed by ACL.
             * Need to start over to give the client another chance.
             */

            if (negotiate_request->server_blob) {
                debugs(29, 9, "authenticateNegotiateFixErrorHeader: Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
                httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
                safe_free(negotiate_request->server_blob);
            } else {
                debugs(29, 9, "authenticateNegotiateFixErrorHeader: Connection authenticated");
                httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
            }

            break;

        case AUTHENTICATE_STATE_NONE:
            /* semantic change: do not drop the connection.
             * 2.5 implementation used to keep it open - Kinkie */
            debugs(29, 9, "AuthNegotiateConfig::fixHeader: Sending type:" << reqType << " header: 'Negotiate'");
            httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
            break;

        case AUTHENTICATE_STATE_IN_PROGRESS:
            /* we're waiting for a response from the client. Pass it the blob */
            /* server_blob was set by the helper's "TT" reply; module_direction()
             * asserts it is present in this state */
            debugs(29, 9, "AuthNegotiateConfig::fixHeader: Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
            httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
            safe_free(negotiate_request->server_blob);
            break;


        default:
            /* auth_state is internal; any other value is a programming error */
            debugs(29, 0, "AuthNegotiateConfig::fixHeader: state " << negotiate_request->auth_state << ".");
            fatal("unexpected state in AuthenticateNegotiateFixErrorHeader.\n");
        }
    }
}
376 | ||
/* no scheme-specific data to release; the base AuthUser handles the rest */
NegotiateUser::~NegotiateUser()
{
    debugs(29, 5, "NegotiateUser::~NegotiateUser: doing nothing to clearNegotiate scheme data for '" << this << "'");
}
381 | ||
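/*
 * Callback for a reply from a stateful negotiate helper.
 *
 * Reply line formats handled here:
 *   TT <token>            - continue: challenge the client with <token>
 *   AF <token> <username> - authenticated as <username>; <token> goes to the client
 *   NA <token> <message>  - authentication failed; <message> is the deny reason
 *   BH <message>          - helper failure; the request fails
 * A NULL reply (the helper died) is treated as "BH Internal error", and an
 * unrecognised reply fails the request the same way a BH reply does.
 *
 * data       - the authenticateStateData allocated in module_start()
 * lastserver - the helper_stateful_server that produced the reply
 * reply      - the reply line (writable; it is split in place)
 */
static void
authenticateNegotiateHandleReply(void *data, void *lastserver, char *reply)
{
    authenticateStateData *r = static_cast<authenticateStateData *>(data);

    int valid;
    char *blob, *arg = NULL;

    AuthUserRequest *auth_user_request;
    AuthUser *auth_user;
    NegotiateUser *negotiate_user;
    AuthNegotiateUserRequest *negotiate_request;

    debugs(29, 8, "authenticateNegotiateHandleReply: helper: '" << lastserver << "' sent us '" << (reply ? reply : "<NULL>") << "'");
    valid = cbdataReferenceValid(r->data);

    if (!valid) {
        debugs(29, 1, "authenticateNegotiateHandleReply: invalid callback data. helper '" << lastserver << "'.");
        cbdataReferenceDone(r->data);
        authenticateStateFree(r);
        return;
    }

    if (!reply) {
        debugs(29, 1, "authenticateNegotiateHandleReply: Helper '" << lastserver << "' crashed!.");
        reply = (char *)"BH Internal error";
    }

    auth_user_request = r->auth_user_request;
    assert(auth_user_request != NULL);
    negotiate_request = dynamic_cast<AuthNegotiateUserRequest *>(auth_user_request);

    assert(negotiate_request != NULL);
    assert(negotiate_request->waiting);
    negotiate_request->waiting = 0;
    safe_free(negotiate_request->client_blob);

    auth_user = negotiate_request->user();
    assert(auth_user != NULL);
    assert(auth_user->auth_type == AUTH_NEGOTIATE);
    negotiate_user = dynamic_cast<negotiate_user_t *>(auth_user_request->user());

    assert(negotiate_user != NULL);

    /* an exchange stays pinned to the helper that answered its first leg */
    if (negotiate_request->authserver == NULL)
        negotiate_request->authserver = static_cast<helper_stateful_server*>(lastserver);
    else
        assert(negotiate_request->authserver == lastserver);

    /* separate out the useful data: blob is the second word, arg the rest */
    blob = strchr(reply, ' ');

    if (blob) {
        blob++;
        /* an empty second word ("TT ") ends right here; do not scan past its NUL */
        arg = *blob ? strchr(blob + 1, ' ') : NULL;
    } else {
        arg = NULL;
    }

    if (strncasecmp(reply, "TT ", 3) == 0) {
        /* we have been given a blob to send to the client */
        if (arg)
            *arg++ = '\0';
        safe_free(negotiate_request->server_blob);
        negotiate_request->request->flags.must_keepalive = 1;
        if (negotiate_request->request->flags.proxy_keepalive) {
            negotiate_request->server_blob = xstrdup(blob);
            negotiate_request->auth_state = AUTHENTICATE_STATE_IN_PROGRESS;
            auth_user_request->denyMessage("Authentication in progress");
            debugs(29, 4, "authenticateNegotiateHandleReply: Need to challenge the client with a server blob '" << blob << "'");
        } else {
            /* the next leg must arrive on this same connection, which will not stay open */
            negotiate_request->auth_state = AUTHENTICATE_STATE_FAILED;
            auth_user_request->denyMessage("Negotiate authentication requires a persistent connection");
        }
    } else if (strncasecmp(reply, "AF ", 3) == 0 && arg != NULL) {
        /* we're finished, release the helper */
        *arg++ = '\0';

        /* "AF <token> <username>": the username is the helper's verdict */
        negotiate_user->username(arg);

        auth_user_request->denyMessage("Login successful");

        safe_free(negotiate_request->server_blob);

        negotiate_request->server_blob = xstrdup(blob);

        negotiate_request->releaseAuthServer();

        negotiate_request->auth_state = AUTHENTICATE_STATE_DONE;

        debugs(29, 4, "authenticateNegotiateHandleReply: Successfully validated user via Negotiate. Username '" << negotiate_user->username() << "'");

        /* connection is authenticated */
        debugs(29, 4, "AuthNegotiateUserRequest::authenticate: authenticated user " << negotiate_user->username());
        /* see if this is an existing user with a different proxy_auth
         * string */
        AuthUserHashPointer *usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, negotiate_user->username()));
        AuthUser *local_auth_user = negotiate_request->user();
        while (usernamehash && (usernamehash->user()->auth_type != AUTH_NEGOTIATE || strcmp(usernamehash->user()->username(), negotiate_user->username()) != 0))
            usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
        if (usernamehash) {
            /* we can't seamlessly recheck the username due to the
             * challenge-response nature of the protocol.
             * Just free the temporary auth_user */
            usernamehash->user()->absorb(local_auth_user);
            local_auth_user = usernamehash->user();
            negotiate_request->_auth_user = local_auth_user;
        } else {
            /* store user in hash's */
            local_auth_user->addToNameCache();
        }
        /* set these to now because this is either a new login from an
         * existing user or a new user */
        local_auth_user->expiretime = current_time.tv_sec;

    } else if (strncasecmp(reply, "NA ", 3) == 0 && arg != NULL) {
        /* authentication failure (wrong password, etc.) */
        *arg++ = '\0';

        /* "NA <token> <message>": the message is shown to the client */
        auth_user_request->denyMessage(arg);

        negotiate_request->auth_state = AUTHENTICATE_STATE_FAILED;

        safe_free(negotiate_request->server_blob);

        negotiate_request->server_blob = xstrdup(blob);

        negotiate_request->releaseAuthServer();

        debugs(29, 4, "authenticateNegotiateHandleReply: Failed validating user via Negotiate. Error returned '" << blob << "'");
    } else if (strncasecmp(reply, "BH ", 3) == 0) {
        /* TODO kick off a refresh process. This can occur after a YR or after
         * a KK. If after a YR release the helper and resubmit the request via
         * Authenticate Negotiate start.
         * If after a KK deny the user's request w/ 407 and mark the helper as
         * Needing YR. */
        auth_user_request->denyMessage(blob);
        negotiate_request->auth_state = AUTHENTICATE_STATE_FAILED;
        safe_free(negotiate_request->server_blob);
        negotiate_request->releaseAuthServer();
        debugs(29, 1, "authenticateNegotiateHandleReply: Error validating user via Negotiate. Error returned '" << reply << "'");
    } else {
        /* protocol error. A malformed line is a bug in the (admin-supplied)
         * helper; fail this one request rather than terminate the whole proxy. */
        debugs(29, 0, "authenticateNegotiateHandleReply: *** Unsupported helper response ***, '" << reply << "'");
        auth_user_request->denyMessage("Internal error");
        negotiate_request->auth_state = AUTHENTICATE_STATE_FAILED;
        safe_free(negotiate_request->server_blob);
        negotiate_request->releaseAuthServer();
    }

    /* the request held for the helper round trip is no longer needed */
    if (negotiate_request->request) {
        HTTPMSGUNLOCK(negotiate_request->request);
        negotiate_request->request = NULL;
    }
    r->handler(r->data, NULL);
    cbdataReferenceDone(r->data);
    authenticateStateFree(r);
}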
544 | ||
/* cache manager page body: statistics for the negotiate helper pool */
static void
authenticateNegotiateStats(StoreEntry * sentry)
{
    helperStatefulStats(sentry, negotiateauthenticators, "Negotiate Authenticator Statistics");
}
550 | ||
551 | ||
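/** send the initial data to a stateful negotiate authenticator module */
/*
 * Builds "YR <token>\n" (first leg) or "KK <token>\n" (later legs) from the
 * client token stored by authenticate() and submits it to the helper pool;
 * authenticateNegotiateHandleReply() receives the answer. On any failure
 * to build the request the handler is invoked immediately with NULL.
 *
 * handler - completion callback invoked once the helper has answered
 * data    - cbdata-protected argument handed back to handler
 */
void
AuthNegotiateUserRequest::module_start(RH * handler, void *data)
{
    authenticateStateData *r = NULL;
    static char buf[MAX_AUTHTOKEN_LEN];
    AuthUser *auth_user = user();

    assert(data);
    assert(handler);
    assert(auth_user);
    assert(auth_user->auth_type == AUTH_NEGOTIATE);

    debugs(29, 8, "AuthNegotiateUserRequest::module_start: auth state is '" << auth_state << "'");

    if (negotiateConfig.authenticate == NULL) {
        debugs(29, 0, "AuthNegotiateUserRequest::module_start: no Negotiate program specified.");
        handler(data, NULL);
        return;
    }

    /* authenticate() queues the client's token before we get here; without
     * one there is nothing to send, and "%s" must never see a NULL pointer. */
    if (client_blob == NULL) {
        debugs(29, 1, "AuthNegotiateUserRequest::module_start: no client token to send to the helper.");
        auth_state = AUTHENTICATE_STATE_FAILED;
        handler(data, NULL);
        return;
    }

    /* Build the helper request line. snprintf() truncates silently, which
     * would drop the trailing newline and leave a line-oriented helper
     * waiting for a line that never ends; reject over-long tokens instead. */
    int len;
    if (auth_state == AUTHENTICATE_STATE_INITIAL)
        len = snprintf(buf, MAX_AUTHTOKEN_LEN, "YR %s\n", client_blob);
    else
        len = snprintf(buf, MAX_AUTHTOKEN_LEN, "KK %s\n", client_blob);

    if (len < 0 || len >= MAX_AUTHTOKEN_LEN) {
        debugs(29, 1, "AuthNegotiateUserRequest::module_start: client token does not fit the " << MAX_AUTHTOKEN_LEN << "-byte helper buffer; rejecting.");
        auth_state = AUTHENTICATE_STATE_FAILED;
        safe_free(client_blob);
        handler(data, NULL);
        return;
    }

    r = cbdataAlloc(authenticateStateData);
    r->handler = handler;
    r->data = cbdataReference(data);
    r->auth_user_request = this;
    AUTHUSERREQUESTLOCK(r->auth_user_request, "r");

    waiting = 1;

    /* the token is now in buf; it is not needed (or valid) once submitted */
    safe_free(client_blob);
    helperStatefulSubmit(negotiateauthenticators, buf, authenticateNegotiateHandleReply, r, authserver);
}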
593 | ||
/**
 * Atomic action: properly release the Negotiate auth helpers which may have been reserved
 * for this request connections use.
 */
void
AuthNegotiateUserRequest::releaseAuthServer()
{
    /* safe to call repeatedly: a second call finds nothing to release */
    if (authserver == NULL) {
        debugs(29, 6, HERE << "No Negotiate auth server to release.");
        return;
    }

    debugs(29, 6, HERE << "releasing Negotiate auth server '" << authserver << "'");
    helperStatefulReleaseServer(authserver);
    authserver = NULL;
}
608 | ||
/* clear any connection related authentication details */
/* The exchange is bound to the client connection: when it closes, give the
 * reserved helper back and drop the lock the connection held on this request. */
void
AuthNegotiateUserRequest::onConnectionClose(ConnStateData *conn)
{
    assert(conn != NULL);

    debugs(29, 8, "AuthNegotiateUserRequest::onConnectionClose: closing connection '" << conn << "' (this is '" << this << "')");

    if (conn->auth_user_request != NULL) {
        releaseAuthServer();

        /* unlock the connection based lock */
        debugs(29, 9, "AuthNegotiateUserRequest::onConnectionClose: Unlocking auth_user from the connection '" << conn << "'.");

        AUTHUSERREQUESTUNLOCK(conn->auth_user_request, "conn");
    } else {
        debugs(29, 8, "AuthNegotiateUserRequest::onConnectionClose: no auth_user_request");
    }
}
629 | ||
/*
 * Decode a Negotiate [Proxy-]Auth string, placing the results in the passed
 * Auth_user structure.
 *
 * The header value itself (proxy_auth) is not inspected here: only a fresh
 * user/request pair is created and the helper interprets the token later.
 */
AuthUserRequest *
AuthNegotiateConfig::decode(char const *proxy_auth)
{
    AuthNegotiateUserRequest *auth_user_request = new AuthNegotiateUserRequest ();
    assert(auth_user_request->user() == NULL);

    NegotiateUser *newUser = new NegotiateUser(&negotiateConfig);
    auth_user_request->user(newUser);
    newUser->auth_type = AUTH_NEGOTIATE;
    newUser->addRequest(auth_user_request);

    /* all we have to do is identify that it's Negotiate - the helper does the rest */
    debugs(29, 9, "AuthNegotiateConfig::decode: Negotiate authentication");
    return auth_user_request;
}
648 | ||
/* 1 once the helper answered "AF" (state DONE), 0 in every other state */
int
AuthNegotiateUserRequest::authenticated() const
{
    const bool done = (auth_state == AUTHENTICATE_STATE_DONE);

    if (!done) {
        debugs(29, 9, "AuthNegotiateUserRequest::authenticated: user not fully authenticated.");
        return 0;
    }

    debugs(29, 9, "AuthNegotiateUserRequest::authenticated: user authenticated.");
    return 1;
}
661 | ||
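/*
 * Consume the client's authorization header for this request and queue its
 * token for the helper, advancing auth_state:
 *   NONE        -> INITIAL     first token; binds this request to the connection
 *   IN_PROGRESS (unchanged)    next token of an ongoing exchange
 *   INITIAL / FAILED           nothing to do (helper pending / already failed)
 *   DONE                       must not happen; fatal
 * The helper itself is called later from module_start().
 *
 * aRequest - the HTTP request carrying the header
 * conn     - the client connection (required: Negotiate is connection-bound)
 * type     - which header to read the credentials from
 */
void
AuthNegotiateUserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, http_hdr_type type)
{
    const char *proxy_auth, *blob;

    /** \todo rename this!! */
    AuthUser *local_auth_user;

    local_auth_user = user();
    assert(local_auth_user);
    assert(local_auth_user->auth_type == AUTH_NEGOTIATE);
    assert (this);

    /** Check that we are in the client side, where we can generate
     * auth challenges */

    if (conn == NULL) {
        auth_state = AUTHENTICATE_STATE_FAILED;
        debugs(29, 1, "AuthNegotiateUserRequest::authenticate: attempt to perform authentication without a connection!");
        return;
    }

    if (waiting) {
        debugs(29, 1, "AuthNegotiateUserRequest::authenticate: waiting for helper reply!");
        return;
    }

    if (server_blob) {
        debugs(29, 2, "AuthNegotiateUserRequest::authenticate: need to challenge client '" << server_blob << "'!");
        return;
    }

    /* get header */
    proxy_auth = aRequest->header.getStr(type);

    /* locate second word: skip the scheme name to reach the token */
    blob = proxy_auth;

    if (blob) {
        while (xisspace(*blob) && *blob)
            blob++;

        while (!xisspace(*blob) && *blob)
            blob++;

        while (xisspace(*blob) && *blob)
            blob++;
    }

    switch (auth_state) {

    case AUTHENTICATE_STATE_NONE:
        /* we've received a negotiate request. pass to a helper */
        if (blob == NULL) {
            /* no header at all: nothing to hand to the helper, and xstrdup()
             * is not NULL-safe. Fail the request rather than abort. */
            auth_state = AUTHENTICATE_STATE_FAILED;
            debugs(29, 1, "AuthNegotiateUserRequest::authenticate: request carries no Negotiate token!");
            return;
        }
        debugs(29, 9, "AuthNegotiateUserRequest::authenticate: auth state negotiate none. Received blob: '" << proxy_auth << "'");
        auth_state = AUTHENTICATE_STATE_INITIAL;
        safe_free(client_blob);
        client_blob=xstrdup(blob);
        conn->auth_type = AUTH_NEGOTIATE;
        assert(conn->auth_user_request == NULL);
        conn->auth_user_request = this;
        AUTHUSERREQUESTLOCK(conn->auth_user_request, "conn");
        request = aRequest;
        HTTPMSGLOCK(request);
        return;

    case AUTHENTICATE_STATE_INITIAL:
        debugs(29, 1, "AuthNegotiateUserRequest::authenticate: need to ask helper");
        return;

    case AUTHENTICATE_STATE_IN_PROGRESS:
        /* we should have received a blob from the client. Hand it off to
         * some helper */
        if (blob == NULL) {
            /* the client dropped out of the exchange; see the NONE case */
            auth_state = AUTHENTICATE_STATE_FAILED;
            debugs(29, 1, "AuthNegotiateUserRequest::authenticate: request carries no Negotiate token!");
            return;
        }
        safe_free(client_blob);

        client_blob = xstrdup (blob);

        /* keep the request that the helper reply will be delivered for */
        if (request)
            HTTPMSGUNLOCK(request);
        request = aRequest;
        HTTPMSGLOCK(request);
        return;

    case AUTHENTICATE_STATE_DONE:
        fatal("AuthNegotiateUserRequest::authenticate: unexpect auth state DONE! Report a bug to the squid developers.\n");

        break;

    case AUTHENTICATE_STATE_FAILED:
        /* we've failed somewhere in authentication */
        debugs(29, 9, "AuthNegotiateUserRequest::authenticate: auth state negotiate failed. " << (proxy_auth ? proxy_auth : "<NULL>"));

        return;
    }

    return;
}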
770 | ||
/* a request starts with no tokens, no helper reserved and no HttpRequest held */
AuthNegotiateUserRequest::AuthNegotiateUserRequest() :
        /*conn(NULL),*/ auth_state(AUTHENTICATE_STATE_NONE),
        _theUser(NULL)
{
    waiting=0;
    client_blob=0;
    server_blob=0;
    authserver=NULL;
    request=NULL;
}
781 | ||
/* release everything this request owns: both tokens, a still-reserved
 * helper (same steps as releaseAuthServer()) and the held HttpRequest */
AuthNegotiateUserRequest::~AuthNegotiateUserRequest()
{
    safe_free(server_blob);
    safe_free(client_blob);

    if (authserver != NULL) {
        debugs(29, 9, "AuthNegotiateUserRequest::~AuthNegotiateUserRequest: releasing server '" << authserver << "'");
        helperStatefulReleaseServer(authserver);
        authserver = NULL;
    }
    if (request) {
        HTTPMSGUNLOCK(request);
        request = NULL;
    }
}
797 | ||
/* virtual self-destruction hook used by the AuthUser base class */
void
NegotiateUser::deleteSelf() const
{
    delete this;
}
803 | ||
/* a new user starts with an empty proxy_auth_list */
NegotiateUser::NegotiateUser (AuthConfig *aConfig) : AuthUser (aConfig)
{
    proxy_auth_list.head = proxy_auth_list.tail = NULL;
}
808 | ||
/* hand out the file-static config instance; there is only ever one */
AuthConfig *
negotiateScheme::createConfig()
{
    return &negotiateConfig;
}
814 | ||
/* this scheme keeps no copy of the last header seen on the connection */
const char *
AuthNegotiateUserRequest::connLastHeader()
{
    return NULL;
}
820 |