[thirdparty/squid.git] / src / auth / ntlm / auth_ntlm.cc

/*
 * DEBUG: section 29    NTLM Authenticator
 * AUTHOR: Robert Collins, Henrik Nordstrom, Francesco Chemolli
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */

/* The functions in this file handle authentication.
 * They DO NOT perform access control or auditing.
 * See acl.c for access control and client_side.c for auditing */

#include "squid.h"
#include "auth/Gadgets.h"
#include "auth/ntlm/auth_ntlm.h"
#include "auth/ntlm/Scheme.h"
#include "auth/ntlm/User.h"
#include "auth/ntlm/UserRequest.h"
#include "auth/State.h"
#include "cache_cf.h"
#include "client_side.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "mgr/Registration.h"
#include "SquidTime.h"
#include "Store.h"
#include "wordlist.h"

/* NTLM Scheme */
static AUTHSSTATS authenticateNTLMStats;

statefulhelper *ntlmauthenticators = NULL;
static int authntlm_initialised = 0;

static hash_table *proxy_auth_cache = NULL;

/*
 *
 * Private Functions
 *
 */

void
Auth::Ntlm::Config::rotateHelpers()
{
    /* schedule closure of existing helpers */
    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    /* NP: dynamic helper restart will ensure they start up again as needed. */
}

/* free any allocated configuration details */
void
Auth::Ntlm::Config::done()
{
    Auth::Config::done();

    authntlm_initialised = 0;

    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    if (!shutting_down)
        return;

    delete ntlmauthenticators;
    ntlmauthenticators = NULL;

    if (authenticateProgram)
        wordlistDestroy(&authenticateProgram);

    debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
}

void
Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme)
{
    wordlist *list = authenticateProgram;
    storeAppendPrintf(entry, "%s %s", name, "ntlm");

    while (list != NULL) {
        storeAppendPrintf(entry, " %s", list->key);
        list = list->next;
    }

    storeAppendPrintf(entry, "\n%s %s keep_alive %s\n", name, "ntlm", keep_alive ? "on" : "off");
    Auth::Config::dump(entry, name, scheme);
}

Auth::Ntlm::Config::Config() : keep_alive(1)
{ }

void
Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
{
    if (strcmp(param_str, "program") == 0) {
        if (authenticateProgram)
            wordlistDestroy(&authenticateProgram);

        parse_wordlist(&authenticateProgram);

        requirePathnameExists("auth_param ntlm program", authenticateProgram->key);
    } else if (strcmp(param_str, "keep_alive") == 0) {
        parse_onoff(&keep_alive);
    } else
        Auth::Config::parse(scheme, n_configured, param_str);
}

const char *
Auth::Ntlm::Config::type() const
{
    return Auth::Ntlm::Scheme::GetInstance()->type();
}

/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 * config file */
void
Auth::Ntlm::Config::init(Auth::Config * scheme)
{
    if (authenticateProgram) {

        authntlm_initialised = 1;

        if (ntlmauthenticators == NULL)
            ntlmauthenticators = new statefulhelper("ntlmauthenticator");

        if (!proxy_auth_cache)
            proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);

        assert(proxy_auth_cache);

        ntlmauthenticators->cmdline = authenticateProgram;

        ntlmauthenticators->childs.updateLimits(authenticateChildren);

        ntlmauthenticators->ipc_type = IPC_STREAM;

        helperStatefulOpenServers(ntlmauthenticators);
    }
}

void
Auth::Ntlm::Config::registerWithCacheManager(void)
{
    Mgr::RegisterAction("ntlmauthenticator",
                        "NTLM User Authenticator Stats",
                        authenticateNTLMStats, 0, 1);
}

bool
Auth::Ntlm::Config::active() const
{
    return authntlm_initialised == 1;
}

bool
Auth::Ntlm::Config::configured() const
{
    if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
        debugs(29, 9, HERE << "returning configured");
        return true;
    }

    debugs(29, 9, HERE << "returning unconfigured");
    return false;
}

/* NTLM Scheme */

void
Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request)
{
    if (!authenticateProgram)
        return;

    /* Need keep-alive */
    if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
        return;

    /* New request, no user details */
    if (auth_user_request == NULL) {
        debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
        httpHeaderPutStrf(&rep->header, hdrType, "NTLM");

        if (!keep_alive) {
            /* drop the connection */
            request->flags.proxyKeepalive = false;
        }
    } else {
        Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
        assert(ntlm_request != NULL);

        switch (ntlm_request->user()->credentials()) {

        case Auth::Failed:
            /* here it makes sense to drop the connection, as auth is
             * tied to it, even if MAYBE the client could handle it - Kinkie */
            request->flags.proxyKeepalive = false;
            /* fall through */

        case Auth::Ok:
            /* Special case: authentication finished OK but disallowed by ACL.
             * Need to start over to give the client another chance.
             */
            /* fall through */

        case Auth::Unchecked:
            /* semantic change: do not drop the connection.
             * 2.5 implementation used to keep it open - Kinkie */
            debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
            break;

        case Auth::Handshake:
            /* we're waiting for a response from the client. Pass it the blob */
            debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
            safe_free(ntlm_request->server_blob);
            break;

        default:
            debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
            fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
        }
    }
}

static void
authenticateNTLMStats(StoreEntry * sentry)
{
    helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics");
}

/*
 * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
 * Auth_user structure.
 */
Auth::UserRequest::Pointer
Auth::Ntlm::Config::decode(char const *proxy_auth, const char *aRequestRealm)
{
    Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm);
    Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
    assert(auth_user_request->user() == NULL);

    auth_user_request->user(newUser);
    auth_user_request->user()->auth_type = Auth::AUTH_NTLM;

    /* all we have to do is identify that it's NTLM - the helper does the rest */
    debugs(29, 9, HERE << "decode: NTLM authentication");
    return auth_user_request;
}
Commit	Line	Data
94439e4e	1	/*
94439e4e	2	* DEBUG: section 29 NTLM Authenticator
6bf4f823	3	* AUTHOR: Robert Collins, Henrik Nordstrom, Francesco Chemolli
94439e4e	4	*
2b6662ba	5	* SQUID Web Proxy Cache http://www.squid-cache.org/
94439e4e	6	* ----------------------------------------------------------
94439e4e	7	*
2b6662ba	8	* Squid is the result of efforts by numerous individuals from
	9	* the Internet community; see the CONTRIBUTORS file for full
	10	* details. Many organizations have provided support for Squid's
	11	* development; see the SPONSORS file for full details. Squid is
	12	* Copyrighted (C) 2001 by the Regents of the University of
	13	* California; see the COPYRIGHT file for full details. Squid
	14	* incorporates software developed and/or copyrighted by other
	15	* sources; see the CREDITS file for full details.
94439e4e	16	*
	17	* This program is free software; you can redistribute it and/or modify
	18	* it under the terms of the GNU General Public License as published by
	19	* the Free Software Foundation; either version 2 of the License, or
	20	* (at your option) any later version.
26ac0430	21	*
94439e4e	22	* This program is distributed in the hope that it will be useful,
	23	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	24	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	25	* GNU General Public License for more details.
26ac0430	26	*
94439e4e	27	* You should have received a copy of the GNU General Public License
	28	* along with this program; if not, write to the Free Software
	29	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	30	*
	31	*/
	32
	33	/* The functions in this file handle authentication.
	34	* They DO NOT perform access control or auditing.
	35	* See acl.c for access control and client_side.c for auditing */
	36
582c2af2	37	#include "squid.h"
3ad63615	38	#include "auth/Gadgets.h"
5817ee13	39	#include "auth/ntlm/auth_ntlm.h"
616cfc4c	40	#include "auth/ntlm/Scheme.h"
aa110616	41	#include "auth/ntlm/User.h"
616cfc4c	42	#include "auth/ntlm/UserRequest.h"
928f3421	43	#include "auth/State.h"
8a01b99e	44	#include "cache_cf.h"
a46d2c0e	45	#include "client_side.h"
a5bac1d2	46	#include "HttpHeaderTools.h"
924f73bc	47	#include "HttpReply.h"
a2ac85d9	48	#include "HttpRequest.h"
602d9612	49	#include "mgr/Registration.h"
cc192b50	50	#include "SquidTime.h"
602d9612 A	51	#include "Store.h"
602d9612 A	52	#include "wordlist.h"
c78aa667	53
94439e4e	54	/* NTLM Scheme */
94439e4e	55	static AUTHSSTATS authenticateNTLMStats;
94439e4e	56
928f3421	57	statefulhelper *ntlmauthenticators = NULL;
94439e4e	58	static int authntlm_initialised = 0;
94439e4e	59
94439e4e	60	static hash_table *proxy_auth_cache = NULL;
	61
	62	/*
	63	*
	64	* Private Functions
	65	*
	66	*/
	67
0bcb6908	68	void
372fccd6	69	Auth::Ntlm::Config::rotateHelpers()
0bcb6908 AJ	70	{
	71	/* schedule closure of existing helpers */
	72	if (ntlmauthenticators) {
	73	helperStatefulShutdown(ntlmauthenticators);
	74	}
	75
	76	/* NP: dynamic helper restart will ensure they start up again as needed. */
	77	}
	78
5817ee13	79	/* free any allocated configuration details */
f5691f9c	80	void
372fccd6	81	Auth::Ntlm::Config::done()
94439e4e	82	{
d4806c91 CT	83	Auth::Config::done();
d4806c91 CT	84
94439e4e	85	authntlm_initialised = 0;
62e76326	86
5817ee13 AJ	87	if (ntlmauthenticators) {
5817ee13 AJ	88	helperStatefulShutdown(ntlmauthenticators);
5817ee13	89	}
62e76326	90
94439e4e	91	if (!shutting_down)
62e76326	92	return;
62e76326	93
48d54e4d	94	delete ntlmauthenticators;
94439e4e	95	ntlmauthenticators = NULL;
62e76326	96
58ee2093 AJ	97	if (authenticateProgram)
58ee2093 AJ	98	wordlistDestroy(&authenticateProgram);
cdabe87d	99
372fccd6	100	debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
94439e4e	101	}
94439e4e	102
f5691f9c	103	void
372fccd6	104	Auth::Ntlm::Config::dump(StoreEntry * entry, const char name, Auth::Config scheme)
94439e4e	105	{
58ee2093	106	wordlist *list = authenticateProgram;
94439e4e	107	storeAppendPrintf(entry, "%s %s", name, "ntlm");
62e76326	108
94439e4e	109	while (list != NULL) {
62e76326	110	storeAppendPrintf(entry, " %s", list->key);
62e76326	111	list = list->next;
94439e4e	112	}
62e76326	113
0309fc40	114	storeAppendPrintf(entry, "\n%s %s keep_alive %s\n", name, "ntlm", keep_alive ? "on" : "off");
d4806c91	115	Auth::Config::dump(entry, name, scheme);
94439e4e	116	}
94439e4e	117
372fccd6	118	Auth::Ntlm::Config::Config() : keep_alive(1)
6bf4f823	119	{ }
62e76326	120
f5691f9c	121	void
372fccd6	122	Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
f5691f9c	123	{
a37d6070	124	if (strcmp(param_str, "program") == 0) {
58ee2093 AJ	125	if (authenticateProgram)
58ee2093 AJ	126	wordlistDestroy(&authenticateProgram);
62e76326	127
58ee2093	128	parse_wordlist(&authenticateProgram);
62e76326	129
58ee2093	130	requirePathnameExists("auth_param ntlm program", authenticateProgram->key);
a37d6070	131	} else if (strcmp(param_str, "keep_alive") == 0) {
6bf4f823	132	parse_onoff(&keep_alive);
d4806c91 CT	133	} else
d4806c91 CT	134	Auth::Config::parse(scheme, n_configured, param_str);
94439e4e	135	}
94439e4e	136
f5691f9c	137	const char *
372fccd6	138	Auth::Ntlm::Config::type() const
94439e4e	139	{
d6374be6	140	return Auth::Ntlm::Scheme::GetInstance()->type();
94439e4e	141	}
	142
	143	/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
	144	* config file */
f5691f9c	145	void
372fccd6	146	Auth::Ntlm::Config::init(Auth::Config * scheme)
94439e4e	147	{
58ee2093	148	if (authenticateProgram) {
6bf4f823	149
62e76326	150	authntlm_initialised = 1;
	151
	152	if (ntlmauthenticators == NULL)
48d54e4d	153	ntlmauthenticators = new statefulhelper("ntlmauthenticator");
62e76326	154
62e76326	155	if (!proxy_auth_cache)
30abd221	156	proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
62e76326	157
	158	assert(proxy_auth_cache);
	159
58ee2093	160	ntlmauthenticators->cmdline = authenticateProgram;
62e76326	161
1af735c7	162	ntlmauthenticators->childs.updateLimits(authenticateChildren);
62e76326	163
	164	ntlmauthenticators->ipc_type = IPC_STREAM;
	165
62e76326	166	helperStatefulOpenServers(ntlmauthenticators);
94439e4e	167	}
	168	}
	169
62ee09ca	170	void
372fccd6	171	Auth::Ntlm::Config::registerWithCacheManager(void)
62ee09ca	172	{
8822ebee	173	Mgr::RegisterAction("ntlmauthenticator",
d9fc6862 A	174	"NTLM User Authenticator Stats",
d9fc6862 A	175	authenticateNTLMStats, 0, 1);
62ee09ca	176	}
62ee09ca	177
f5691f9c	178	bool
372fccd6	179	Auth::Ntlm::Config::active() const
2d70df72	180	{
f5691f9c	181	return authntlm_initialised == 1;
2d70df72	182	}
2d70df72	183
f5691f9c	184	bool
372fccd6	185	Auth::Ntlm::Config::configured() const
94439e4e	186	{
58ee2093	187	if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
372fccd6	188	debugs(29, 9, HERE << "returning configured");
f5691f9c	189	return true;
2d70df72	190	}
62e76326	191
372fccd6	192	debugs(29, 9, HERE << "returning unconfigured");
f5691f9c	193	return false;
94439e4e	194	}
	195
	196	/* NTLM Scheme */
94439e4e	197
f5691f9c	198	void
c7baff40	199	Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply rep, http_hdr_type hdrType, HttpRequest request)
94439e4e	200	{
58ee2093	201	if (!authenticateProgram)
6bf4f823	202	return;
62e76326	203
63a05fa3	204	/* Need keep-alive */
450fe1cb	205	if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
26ac0430	206	return;
63a05fa3	207
6bf4f823	208	/* New request, no user details */
6bf4f823	209	if (auth_user_request == NULL) {
372fccd6	210	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
18ec8500	211	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
6bf4f823	212
6bf4f823	213	if (!keep_alive) {
62e76326	214	/* drop the connection */
e857372a	215	request->flags.proxyKeepalive = false;
62e76326	216	}
6bf4f823	217	} else {
c7baff40	218	Auth::Ntlm::UserRequest ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest >(auth_user_request.getRaw());
3a11f20d	219	assert(ntlm_request != NULL);
3a11f20d	220
d232141d	221	switch (ntlm_request->user()->credentials()) {
62e76326	222
d87154ee	223	case Auth::Failed:
6bf4f823	224	/* here it makes sense to drop the connection, as auth is
6bf4f823	225	* tied to it, even if MAYBE the client could handle it - Kinkie */
e857372a	226	request->flags.proxyKeepalive = false;
6bf4f823	227	/* fall through */
94439e4e	228
d87154ee	229	case Auth::Ok:
6bf4f823	230	/* Special case: authentication finished OK but disallowed by ACL.
	231	* Need to start over to give the client another chance.
	232	*/
	233	/* fall through */
62e76326	234
d87154ee	235	case Auth::Unchecked:
6bf4f823	236	/* semantic change: do not drop the connection.
6bf4f823	237	* 2.5 implementation used to keep it open - Kinkie */
372fccd6	238	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
18ec8500	239	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
6bf4f823	240	break;
62e76326	241
d87154ee	242	case Auth::Handshake:
6bf4f823	243	/* we're waiting for a response from the client. Pass it the blob */
372fccd6	244	debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
18ec8500	245	httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
6bf4f823	246	safe_free(ntlm_request->server_blob);
6bf4f823	247	break;
62e76326	248
6bf4f823	249	default:
372fccd6	250	debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
6bf4f823	251	fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
	252	}
	253	}
	254	}
62e76326	255
94439e4e	256	static void
	257	authenticateNTLMStats(StoreEntry * sentry)
	258	{
9522b380	259	helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics");
94439e4e	260	}
94439e4e	261
94439e4e	262	/*
6bf4f823	263	* Decode a NTLM [Proxy-]Auth string, placing the results in the passed
94439e4e	264	* Auth_user structure.
94439e4e	265	*/
c7baff40	266	Auth::UserRequest::Pointer
d4806c91	267	Auth::Ntlm::Config::decode(char const proxy_auth, const char aRequestRealm)
94439e4e	268	{
d4806c91	269	Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm);
c7baff40	270	Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
f5691f9c	271	assert(auth_user_request->user() == NULL);
a33a428a	272
f5691f9c	273	auth_user_request->user(newUser);
616cfc4c	274	auth_user_request->user()->auth_type = Auth::AUTH_NTLM;
94439e4e	275
94439e4e	276	/* all we have to do is identify that it's NTLM - the helper does the rest */
372fccd6	277	debugs(29, 9, HERE << "decode: NTLM authentication");
f5691f9c	278	return auth_user_request;
94439e4e	279	}