[thirdparty/squid.git] / src / auth / ntlm / Config.cc

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 29    NTLM Authenticator */

/* The functions in this file handle authentication.
 * They DO NOT perform access control or auditing.
 * See acl.c for access control and client_side.c for auditing */

#include "squid.h"
#include "auth/Gadgets.h"
#include "auth/ntlm/Config.h"
#include "auth/ntlm/Scheme.h"
#include "auth/ntlm/User.h"
#include "auth/ntlm/UserRequest.h"
#include "auth/State.h"
#include "cache_cf.h"
#include "client_side.h"
#include "helper.h"
#include "http/Stream.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "mgr/Registration.h"
#include "Store.h"
#include "wordlist.h"

/* NTLM Scheme */
static AUTHSSTATS authenticateNTLMStats;

statefulhelper *ntlmauthenticators = nullptr;
static int authntlm_initialised = 0;

static hash_table *proxy_auth_cache = nullptr;

void
Auth::Ntlm::Config::rotateHelpers()
{
    /* schedule closure of existing helpers */
    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    /* NP: dynamic helper restart will ensure they start up again as needed. */
}

/* free any allocated configuration details */
void
Auth::Ntlm::Config::done()
{
    Auth::SchemeConfig::done();

    authntlm_initialised = 0;

    if (ntlmauthenticators) {
        helperStatefulShutdown(ntlmauthenticators);
    }

    if (!shutting_down)
        return;

    delete ntlmauthenticators;
    ntlmauthenticators = nullptr;

    if (authenticateProgram)
        wordlistDestroy(&authenticateProgram);

    debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
}

const char *
Auth::Ntlm::Config::type() const
{
    return Auth::Ntlm::Scheme::GetInstance()->type();
}

/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 * config file */
void
Auth::Ntlm::Config::init(Auth::SchemeConfig *)
{
    if (authenticateProgram) {

        authntlm_initialised = 1;

        if (ntlmauthenticators == nullptr)
            ntlmauthenticators = new statefulhelper("ntlmauthenticator");

        if (!proxy_auth_cache)
            proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);

        assert(proxy_auth_cache);

        ntlmauthenticators->cmdline = authenticateProgram;

        ntlmauthenticators->childs.updateLimits(authenticateChildren);

        ntlmauthenticators->ipc_type = IPC_STREAM;

        helperStatefulOpenServers(ntlmauthenticators);
    }
}

void
Auth::Ntlm::Config::registerWithCacheManager(void)
{
    Mgr::RegisterAction("ntlmauthenticator",
                        "NTLM User Authenticator Stats",
                        authenticateNTLMStats, 0, 1);
}

bool
Auth::Ntlm::Config::active() const
{
    return authntlm_initialised == 1;
}

bool
Auth::Ntlm::Config::configured() const
{
    if ((authenticateProgram != nullptr) && (authenticateChildren.n_max != 0)) {
        debugs(29, 9, "returning configured");
        return true;
    }

    debugs(29, 9, "returning unconfigured");
    return false;
}

/* NTLM Scheme */

void
Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType hdrType, HttpRequest * request)
{
    if (!authenticateProgram)
        return;

    /* Need keep-alive */
    if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
        return;

    /* New request, no user details */
    if (auth_user_request == nullptr) {
        debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM'");
        httpHeaderPutStrf(&rep->header, hdrType, "NTLM");

        if (!keep_alive) {
            /* drop the connection */
            request->flags.proxyKeepalive = false;
        }
    } else {
        Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
        assert(ntlm_request != nullptr);

        switch (ntlm_request->user()->credentials()) {

        case Auth::Failed:
            /* here it makes sense to drop the connection, as auth is
             * tied to it, even if MAYBE the client could handle it - Kinkie */
            request->flags.proxyKeepalive = false;
            [[fallthrough]];

        case Auth::Ok:
            /* Special case: authentication finished OK but disallowed by ACL.
             * Need to start over to give the client another chance.
             */
            [[fallthrough]];

        case Auth::Unchecked:
            /* semantic change: do not drop the connection.
             * 2.5 implementation used to keep it open - Kinkie */
            debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
            break;

        case Auth::Handshake:
            /* we're waiting for a response from the client. Pass it the blob */
            debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
            httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
            safe_free(ntlm_request->server_blob);
            break;

        default:
            debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
            fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
        }
    }
}

static void
authenticateNTLMStats(StoreEntry * sentry)
{
    if (ntlmauthenticators)
        ntlmauthenticators->packStatsInto(sentry, "NTLM Authenticator Statistics");
}

/*
 * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
 * Auth_user structure.
 */
Auth::UserRequest::Pointer
Auth::Ntlm::Config::decode(char const *proxy_auth, const HttpRequest *, const char *aRequestRealm)
{
    Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm);
    Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
    assert(auth_user_request->user() == nullptr);

    auth_user_request->user(newUser);
    auth_user_request->user()->auth_type = Auth::AUTH_NTLM;

    auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);

    /* all we have to do is identify that it's NTLM - the helper does the rest */
    debugs(29, 9, "decode: NTLM authentication");
    return auth_user_request;
}
Commit	Line	Data
	1	/*
	2	* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
	3	*
	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
	7	*/
	8
	9	/* DEBUG: section 29 NTLM Authenticator */
	10
	11	/* The functions in this file handle authentication.
	12	* They DO NOT perform access control or auditing.
	13	* See acl.c for access control and client_side.c for auditing */
	14
	15	#include "squid.h"
	16	#include "auth/Gadgets.h"
	17	#include "auth/ntlm/Config.h"
	18	#include "auth/ntlm/Scheme.h"
	19	#include "auth/ntlm/User.h"
	20	#include "auth/ntlm/UserRequest.h"
	21	#include "auth/State.h"
	22	#include "cache_cf.h"
	23	#include "client_side.h"
	24	#include "helper.h"
	25	#include "http/Stream.h"
	26	#include "HttpHeaderTools.h"
	27	#include "HttpReply.h"
	28	#include "HttpRequest.h"
	29	#include "mgr/Registration.h"
	30	#include "Store.h"
	31	#include "wordlist.h"
	32
	33	/* NTLM Scheme */
	34	static AUTHSSTATS authenticateNTLMStats;
	35
	36	statefulhelper *ntlmauthenticators = nullptr;
	37	static int authntlm_initialised = 0;
	38
	39	static hash_table *proxy_auth_cache = nullptr;
	40
	41	void
	42	Auth::Ntlm::Config::rotateHelpers()
	43	{
	44	/* schedule closure of existing helpers */
	45	if (ntlmauthenticators) {
	46	helperStatefulShutdown(ntlmauthenticators);
	47	}
	48
	49	/* NP: dynamic helper restart will ensure they start up again as needed. */
	50	}
	51
	52	/* free any allocated configuration details */
	53	void
	54	Auth::Ntlm::Config::done()
	55	{
	56	Auth::SchemeConfig::done();
	57
	58	authntlm_initialised = 0;
	59
	60	if (ntlmauthenticators) {
	61	helperStatefulShutdown(ntlmauthenticators);
	62	}
	63
	64	if (!shutting_down)
	65	return;
	66
	67	delete ntlmauthenticators;
	68	ntlmauthenticators = nullptr;
	69
	70	if (authenticateProgram)
	71	wordlistDestroy(&authenticateProgram);
	72
	73	debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
	74	}
	75
	76	const char *
	77	Auth::Ntlm::Config::type() const
	78	{
	79	return Auth::Ntlm::Scheme::GetInstance()->type();
	80	}
	81
	82	/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
	83	* config file */
	84	void
	85	Auth::Ntlm::Config::init(Auth::SchemeConfig *)
	86	{
	87	if (authenticateProgram) {
	88
	89	authntlm_initialised = 1;
	90
	91	if (ntlmauthenticators == nullptr)
	92	ntlmauthenticators = new statefulhelper("ntlmauthenticator");
	93
	94	if (!proxy_auth_cache)
	95	proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
	96
	97	assert(proxy_auth_cache);
	98
	99	ntlmauthenticators->cmdline = authenticateProgram;
	100
	101	ntlmauthenticators->childs.updateLimits(authenticateChildren);
	102
	103	ntlmauthenticators->ipc_type = IPC_STREAM;
	104
	105	helperStatefulOpenServers(ntlmauthenticators);
	106	}
	107	}
	108
	109	void
	110	Auth::Ntlm::Config::registerWithCacheManager(void)
	111	{
	112	Mgr::RegisterAction("ntlmauthenticator",
	113	"NTLM User Authenticator Stats",
	114	authenticateNTLMStats, 0, 1);
	115	}
	116
	117	bool
	118	Auth::Ntlm::Config::active() const
	119	{
	120	return authntlm_initialised == 1;
	121	}
	122
	123	bool
	124	Auth::Ntlm::Config::configured() const
	125	{
	126	if ((authenticateProgram != nullptr) && (authenticateChildren.n_max != 0)) {
	127	debugs(29, 9, "returning configured");
	128	return true;
	129	}
	130
	131	debugs(29, 9, "returning unconfigured");
	132	return false;
	133	}
	134
	135	/* NTLM Scheme */
	136
	137	void
	138	Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply rep, Http::HdrType hdrType, HttpRequest request)
	139	{
	140	if (!authenticateProgram)
	141	return;
	142
	143	/* Need keep-alive */
	144	if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
	145	return;
	146
	147	/* New request, no user details */
	148	if (auth_user_request == nullptr) {
	149	debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM'");
	150	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
	151
	152	if (!keep_alive) {
	153	/* drop the connection */
	154	request->flags.proxyKeepalive = false;
	155	}
	156	} else {
	157	Auth::Ntlm::UserRequest ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest >(auth_user_request.getRaw());
	158	assert(ntlm_request != nullptr);
	159
	160	switch (ntlm_request->user()->credentials()) {
	161
	162	case Auth::Failed:
	163	/* here it makes sense to drop the connection, as auth is
	164	* tied to it, even if MAYBE the client could handle it - Kinkie */
	165	request->flags.proxyKeepalive = false;
	166	[[fallthrough]];
	167
	168	case Auth::Ok:
	169	/* Special case: authentication finished OK but disallowed by ACL.
	170	* Need to start over to give the client another chance.
	171	*/
	172	[[fallthrough]];
	173
	174	case Auth::Unchecked:
	175	/* semantic change: do not drop the connection.
	176	* 2.5 implementation used to keep it open - Kinkie */
	177	debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM'");
	178	httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
	179	break;
	180
	181	case Auth::Handshake:
	182	/* we're waiting for a response from the client. Pass it the blob */
	183	debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
	184	httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
	185	safe_free(ntlm_request->server_blob);
	186	break;
	187
	188	default:
	189	debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
	190	fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
	191	}
	192	}
	193	}
	194
	195	static void
	196	authenticateNTLMStats(StoreEntry * sentry)
	197	{
	198	if (ntlmauthenticators)
	199	ntlmauthenticators->packStatsInto(sentry, "NTLM Authenticator Statistics");
	200	}
	201
	202	/*
	203	* Decode a NTLM [Proxy-]Auth string, placing the results in the passed
	204	* Auth_user structure.
	205	*/
	206	Auth::UserRequest::Pointer
	207	Auth::Ntlm::Config::decode(char const proxy_auth, const HttpRequest , const char *aRequestRealm)
	208	{
	209	Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm);
	210	Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
	211	assert(auth_user_request->user() == nullptr);
	212
	213	auth_user_request->user(newUser);
	214	auth_user_request->user()->auth_type = Auth::AUTH_NTLM;
	215
	216	auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);
	217
	218	/* all we have to do is identify that it's NTLM - the helper does the rest */
	219	debugs(29, 9, "decode: NTLM authentication");
	220	return auth_user_request;
	221	}
	222