[thirdparty/squid.git] / src / auth / ntlm / Config.cc

/*
 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 29    NTLM Authenticator */

/* The functions in this file handle authentication.
 * They DO NOT perform access control or auditing.
 * See acl.c for access control and client_side.c for auditing */

#include "squid.h"
#include "auth/Gadgets.h"
#include "auth/ntlm/Config.h"
#include "auth/ntlm/Scheme.h"
#include "auth/ntlm/User.h"
#include "auth/ntlm/UserRequest.h"
#include "auth/State.h"
#include "cache_cf.h"
#include "client_side.h"
#include "helper.h"
#include "http/Stream.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "mgr/Registration.h"
#include "SquidTime.h"
#include "Store.h"
#include "wordlist.h"

/* NTLM Scheme */
static AUTHSSTATS authenticateNTLMStats;

statefulhelper *ntlmauthenticators = NULL;
static int authntlm_initialised = 0;

static hash_table *proxy_auth_cache = NULL;

void
Auth::Ntlm::Config::rotateHelpers()
{
    /* schedule closure of existing helpers */
    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    /* NP: dynamic helper restart will ensure they start up again as needed. */
}

/* free any allocated configuration details */
void
Auth::Ntlm::Config::done()
{
    Auth::SchemeConfig::done();

    authntlm_initialised = 0;

    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    if (!shutting_down)
        return;

    delete ntlmauthenticators;
    ntlmauthenticators = NULL;

    if (authenticateProgram)
        wordlistDestroy(&authenticateProgram);

    debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
}

const char *
Auth::Ntlm::Config::type() const
{
    return Auth::Ntlm::Scheme::GetInstance()->type();
}

/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 * config file */
void
Auth::Ntlm::Config::init(Auth::SchemeConfig *)
{
    if (authenticateProgram) {

        authntlm_initialised = 1;

        if (ntlmauthenticators == NULL)
            ntlmauthenticators = new statefulhelper("ntlmauthenticator");

        if (!proxy_auth_cache)
            proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);

        assert(proxy_auth_cache);

        ntlmauthenticators->cmdline = authenticateProgram;

        ntlmauthenticators->childs.updateLimits(authenticateChildren);

        ntlmauthenticators->ipc_type = IPC_STREAM;

        helperStatefulOpenServers(ntlmauthenticators);
    }
}

void
Auth::Ntlm::Config::registerWithCacheManager(void)
{
    Mgr::RegisterAction("ntlmauthenticator",
                        "NTLM User Authenticator Stats",
                        authenticateNTLMStats, 0, 1);
}

bool
Auth::Ntlm::Config::active() const
{
    return authntlm_initialised == 1;
}

bool
Auth::Ntlm::Config::configured() const
{
    if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
        debugs(29, 9, HERE << "returning configured");
        return true;
    }

    debugs(29, 9, HERE << "returning unconfigured");
    return false;
}

/* NTLM Scheme */

void
Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType hdrType, HttpRequest * request)
{
    if (!authenticateProgram)
        return;

    /* Need keep-alive */
    if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
        return;

    /* New request, no user details */
    if (auth_user_request == NULL) {
        debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
        httpHeaderPutStrf(&rep->header, hdrType, "NTLM");

        if (!keep_alive) {
            /* drop the connection */
            request->flags.proxyKeepalive = false;
        }
    } else {
        Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
        assert(ntlm_request != NULL);

        switch (ntlm_request->user()->credentials()) {

        case Auth::Failed:
            /* here it makes sense to drop the connection, as auth is
             * tied to it, even if MAYBE the client could handle it - Kinkie */
            request->flags.proxyKeepalive = false;
        /* fall through */

        case Auth::Ok:
        /* Special case: authentication finished OK but disallowed by ACL.
         * Need to start over to give the client another chance.
         */
        /* fall through */

        case Auth::Unchecked:
            /* semantic change: do not drop the connection.
             * 2.5 implementation used to keep it open - Kinkie */
            debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
            break;

        case Auth::Handshake:
            /* we're waiting for a response from the client. Pass it the blob */
            debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
            safe_free(ntlm_request->server_blob);
            break;

        default:
            debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
            fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
        }
    }
}

static void
authenticateNTLMStats(StoreEntry * sentry)
{
    if (ntlmauthenticators)
        ntlmauthenticators->packStatsInto(sentry, "NTLM Authenticator Statistics");
}

/*
 * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
 * Auth_user structure.
 */
Auth::UserRequest::Pointer
Auth::Ntlm::Config::decode(char const *proxy_auth, const char *aRequestRealm)
{
    Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm);
    Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
    assert(auth_user_request->user() == NULL);

    auth_user_request->user(newUser);
    auth_user_request->user()->auth_type = Auth::AUTH_NTLM;

    auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);

    /* all we have to do is identify that it's NTLM - the helper does the rest */
    debugs(29, 9, HERE << "decode: NTLM authentication");
    return auth_user_request;
}
Commit	Line	Data
94439e4e	1	/*
ef57eb7b	2	* Copyright (C) 1996-2016 The Squid Software Foundation and contributors
94439e4e	3	*
bbc27441 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
94439e4e	7	*/
94439e4e	8
bbc27441 AJ	9	/* DEBUG: section 29 NTLM Authenticator */
bbc27441 AJ	10
94439e4e	11	/* The functions in this file handle authentication.
	12	* They DO NOT perform access control or auditing.
	13	* See acl.c for access control and client_side.c for auditing */
	14
582c2af2	15	#include "squid.h"
3ad63615	16	#include "auth/Gadgets.h"
12daeef6	17	#include "auth/ntlm/Config.h"
616cfc4c	18	#include "auth/ntlm/Scheme.h"
aa110616	19	#include "auth/ntlm/User.h"
616cfc4c	20	#include "auth/ntlm/UserRequest.h"
928f3421	21	#include "auth/State.h"
8a01b99e	22	#include "cache_cf.h"
a46d2c0e	23	#include "client_side.h"
24438ec5	24	#include "helper.h"
d3dddfb5	25	#include "http/Stream.h"
a5bac1d2	26	#include "HttpHeaderTools.h"
924f73bc	27	#include "HttpReply.h"
a2ac85d9	28	#include "HttpRequest.h"
602d9612	29	#include "mgr/Registration.h"
cc192b50	30	#include "SquidTime.h"
602d9612 A	31	#include "Store.h"
602d9612 A	32	#include "wordlist.h"
c78aa667	33
94439e4e	34	/* NTLM Scheme */
94439e4e	35	static AUTHSSTATS authenticateNTLMStats;
94439e4e	36
928f3421	37	statefulhelper *ntlmauthenticators = NULL;
94439e4e	38	static int authntlm_initialised = 0;
94439e4e	39
94439e4e	40	static hash_table *proxy_auth_cache = NULL;
94439e4e	41
0bcb6908	42	void
372fccd6	43	Auth::Ntlm::Config::rotateHelpers()
0bcb6908 AJ	44	{
	45	/* schedule closure of existing helpers */
	46	if (ntlmauthenticators) {
	47	helperStatefulShutdown(ntlmauthenticators);
	48	}
	49
	50	/* NP: dynamic helper restart will ensure they start up again as needed. */
	51	}
	52
5817ee13	53	/* free any allocated configuration details */
f5691f9c	54	void
372fccd6	55	Auth::Ntlm::Config::done()
94439e4e	56	{
dc79fed8	57	Auth::SchemeConfig::done();
d4806c91	58
94439e4e	59	authntlm_initialised = 0;
62e76326	60
5817ee13 AJ	61	if (ntlmauthenticators) {
5817ee13 AJ	62	helperStatefulShutdown(ntlmauthenticators);
5817ee13	63	}
62e76326	64
94439e4e	65	if (!shutting_down)
62e76326	66	return;
62e76326	67
48d54e4d	68	delete ntlmauthenticators;
94439e4e	69	ntlmauthenticators = NULL;
62e76326	70
58ee2093 AJ	71	if (authenticateProgram)
58ee2093 AJ	72	wordlistDestroy(&authenticateProgram);
cdabe87d	73
372fccd6	74	debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
94439e4e	75	}
94439e4e	76
f5691f9c	77	const char *
372fccd6	78	Auth::Ntlm::Config::type() const
94439e4e	79	{
d6374be6	80	return Auth::Ntlm::Scheme::GetInstance()->type();
94439e4e	81	}
	82
	83	/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
	84	* config file */
f5691f9c	85	void
dc79fed8	86	Auth::Ntlm::Config::init(Auth::SchemeConfig *)
94439e4e	87	{
58ee2093	88	if (authenticateProgram) {
6bf4f823	89
62e76326	90	authntlm_initialised = 1;
	91
	92	if (ntlmauthenticators == NULL)
48d54e4d	93	ntlmauthenticators = new statefulhelper("ntlmauthenticator");
62e76326	94
62e76326	95	if (!proxy_auth_cache)
30abd221	96	proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
62e76326	97
	98	assert(proxy_auth_cache);
	99
58ee2093	100	ntlmauthenticators->cmdline = authenticateProgram;
62e76326	101
1af735c7	102	ntlmauthenticators->childs.updateLimits(authenticateChildren);
62e76326	103
	104	ntlmauthenticators->ipc_type = IPC_STREAM;
	105
62e76326	106	helperStatefulOpenServers(ntlmauthenticators);
94439e4e	107	}
	108	}
	109
62ee09ca	110	void
372fccd6	111	Auth::Ntlm::Config::registerWithCacheManager(void)
62ee09ca	112	{
8822ebee	113	Mgr::RegisterAction("ntlmauthenticator",
d9fc6862 A	114	"NTLM User Authenticator Stats",
d9fc6862 A	115	authenticateNTLMStats, 0, 1);
62ee09ca	116	}
62ee09ca	117
f5691f9c	118	bool
372fccd6	119	Auth::Ntlm::Config::active() const
2d70df72	120	{
f5691f9c	121	return authntlm_initialised == 1;
2d70df72	122	}
2d70df72	123
f5691f9c	124	bool
372fccd6	125	Auth::Ntlm::Config::configured() const
94439e4e	126	{
58ee2093	127	if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
372fccd6	128	debugs(29, 9, HERE << "returning configured");
f5691f9c	129	return true;
2d70df72	130	}
62e76326	131
372fccd6	132	debugs(29, 9, HERE << "returning unconfigured");
f5691f9c	133	return false;
94439e4e	134	}
	135
	136	/* NTLM Scheme */
94439e4e	137
f5691f9c	138	void
789217a2	139	Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply rep, Http::HdrType hdrType, HttpRequest request)
94439e4e	140	{
58ee2093	141	if (!authenticateProgram)
6bf4f823	142	return;
62e76326	143
63a05fa3	144	/* Need keep-alive */
450fe1cb	145	if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
26ac0430	146	return;
63a05fa3	147
6bf4f823	148	/* New request, no user details */
6bf4f823	149	if (auth_user_request == NULL) {
372fccd6	150	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
18ec8500	151	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
6bf4f823	152
6bf4f823	153	if (!keep_alive) {
62e76326	154	/* drop the connection */
e857372a	155	request->flags.proxyKeepalive = false;
62e76326	156	}
6bf4f823	157	} else {
c7baff40	158	Auth::Ntlm::UserRequest ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest >(auth_user_request.getRaw());
3a11f20d	159	assert(ntlm_request != NULL);
3a11f20d	160
d232141d	161	switch (ntlm_request->user()->credentials()) {
62e76326	162
d87154ee	163	case Auth::Failed:
6bf4f823	164	/* here it makes sense to drop the connection, as auth is
6bf4f823	165	* tied to it, even if MAYBE the client could handle it - Kinkie */
e857372a	166	request->flags.proxyKeepalive = false;
f53969cc	167	/* fall through */
94439e4e	168
d87154ee	169	case Auth::Ok:
f53969cc SM	170	/* Special case: authentication finished OK but disallowed by ACL.
	171	* Need to start over to give the client another chance.
	172	*/
	173	/* fall through */
62e76326	174
d87154ee	175	case Auth::Unchecked:
6bf4f823	176	/* semantic change: do not drop the connection.
6bf4f823	177	* 2.5 implementation used to keep it open - Kinkie */
372fccd6	178	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
18ec8500	179	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
6bf4f823	180	break;
62e76326	181
d87154ee	182	case Auth::Handshake:
6bf4f823	183	/* we're waiting for a response from the client. Pass it the blob */
372fccd6	184	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
18ec8500	185	httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
6bf4f823	186	safe_free(ntlm_request->server_blob);
6bf4f823	187	break;
62e76326	188
6bf4f823	189	default:
372fccd6	190	debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
6bf4f823	191	fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
	192	}
	193	}
	194	}
62e76326	195
94439e4e	196	static void
	197	authenticateNTLMStats(StoreEntry * sentry)
	198	{
bf3e8d5a AJ	199	if (ntlmauthenticators)
bf3e8d5a AJ	200	ntlmauthenticators->packStatsInto(sentry, "NTLM Authenticator Statistics");
94439e4e	201	}
94439e4e	202
94439e4e	203	/*
6bf4f823	204	* Decode a NTLM [Proxy-]Auth string, placing the results in the passed
94439e4e	205	* Auth_user structure.
94439e4e	206	*/
c7baff40	207	Auth::UserRequest::Pointer
c10ebce8	208	Auth::Ntlm::Config::decode(char const proxy_auth, const char aRequestRealm)
94439e4e	209	{
dc79fed8	210	Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm);
c7baff40	211	Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
f5691f9c	212	assert(auth_user_request->user() == NULL);
a33a428a	213
f5691f9c	214	auth_user_request->user(newUser);
616cfc4c	215	auth_user_request->user()->auth_type = Auth::AUTH_NTLM;
94439e4e	216
c10ebce8 AJ	217	auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);
c10ebce8 AJ	218
94439e4e	219	/* all we have to do is identify that it's NTLM - the helper does the rest */
372fccd6	220	debugs(29, 9, HERE << "decode: NTLM authentication");
f5691f9c	221	return auth_user_request;
94439e4e	222	}
f53969cc	223