src/auth/basic/Config.cc

   1 /*
   2  * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /* DEBUG: section 29    Authenticator */
  10
  11 /* The functions in this file handle authentication.
  12  * They DO NOT perform access control or auditing.
  13  * See acl.c for access control and client_side.c for auditing */
  14
  15 #include "squid.h"
  16 #include "auth/basic/Config.h"
  17 #include "auth/basic/Scheme.h"
  18 #include "auth/basic/User.h"
  19 #include "auth/basic/UserRequest.h"
  20 #include "auth/CredentialsCache.h"
  21 #include "auth/Gadgets.h"
  22 #include "auth/State.h"
  23 #include "auth/toUtf.h"
  24 #include "base64.h"
  25 #include "cache_cf.h"
  26 #include "helper.h"
  27 #include "HttpHeaderTools.h"
  28 #include "HttpReply.h"
  29 #include "mgr/Registration.h"
  30 #include "rfc1738.h"
  31 #include "sbuf/SBuf.h"
  32 #include "SquidTime.h"
  33 #include "Store.h"
  34 #include "util.h"
  35 #include "wordlist.h"
  36
  37 /* Basic Scheme */
  38 static AUTHSSTATS authenticateBasicStats;
  39
  40 helper *basicauthenticators = NULL;
  41
  42 static int authbasic_initialised = 0;
  43
  44 /*
  45  *
  46  * Public Functions
  47  *
  48  */
  49
  50 /* internal functions */
  51
  52 bool
  53 Auth::Basic::Config::active() const
  54 {
  55     return authbasic_initialised == 1;
  56 }
  57
  58 bool
  59 Auth::Basic::Config::configured() const
  60 {
  61     if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0) && !realm.isEmpty()) {
  62         debugs(29, 9, HERE << "returning configured");
  63         return true;
  64     }
  65
  66     debugs(29, 9, HERE << "returning unconfigured");
  67     return false;
  68 }
  69
  70 const char *
  71 Auth::Basic::Config::type() const
  72 {
  73     return Auth::Basic::Scheme::GetInstance()->type();
  74 }
  75
  76 void
  77 Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer, HttpReply *rep, Http::HdrType hdrType, HttpRequest *)
  78 {
  79     if (authenticateProgram) {
  80         if (utf8) {
  81             debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\", charset=\"UTF-8\"'");
  82             httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\", charset=\"UTF-8\"", SQUIDSBUFPRINT(realm));
  83         } else {
  84             debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\"'");
  85             httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\"", SQUIDSBUFPRINT(realm));
  86         }
  87     }
  88 }
  89
  90 void
  91 Auth::Basic::Config::rotateHelpers()
  92 {
  93     /* schedule closure of existing helpers */
  94     if (basicauthenticators) {
  95         helperShutdown(basicauthenticators);
  96     }
  97
  98     /* NP: dynamic helper restart will ensure they start up again as needed. */
  99 }
 100
 101 /** shutdown the auth helpers and free any allocated configuration details */
 102 void
 103 Auth::Basic::Config::done()
 104 {
 105     Auth::SchemeConfig::done();
 106
 107     authbasic_initialised = 0;
 108
 109     if (basicauthenticators) {
 110         helperShutdown(basicauthenticators);
 111     }
 112
 113     delete basicauthenticators;
 114     basicauthenticators = NULL;
 115
 116     if (authenticateProgram)
 117         wordlistDestroy(&authenticateProgram);
 118 }
 119
 120 bool
 121 Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
 122 {
 123     if (!Auth::SchemeConfig::dump(entry, name, scheme))
 124         return false; // not configured
 125
 126     storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
 127     storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
 128     return true;
 129 }
 130
 131 Auth::Basic::Config::Config() :
 132     credentialsTTL( 2*60*60 ),
 133     casesensitive(0)
 134 {
 135     static const SBuf defaultRealm("Squid proxy-caching web server");
 136     realm = defaultRealm;
 137 }
 138
 139 void
 140 Auth::Basic::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
 141 {
 142     if (strcmp(param_str, "credentialsttl") == 0) {
 143         parse_time_t(&credentialsTTL);
 144     } else if (strcmp(param_str, "casesensitive") == 0) {
 145         parse_onoff(&casesensitive);
 146     } else
 147         Auth::SchemeConfig::parse(scheme, n_configured, param_str);
 148 }
 149
 150 static void
 151 authenticateBasicStats(StoreEntry * sentry)
 152 {
 153     if (basicauthenticators)
 154         basicauthenticators->packStatsInto(sentry, "Basic Authenticator Statistics");
 155 }
 156
 157 char *
 158 Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader, const HttpRequest *request)
 159 {
 160     const char *proxy_auth = httpAuthHeader;
 161
 162     /* trim BASIC from string */
 163     while (xisgraph(*proxy_auth))
 164         ++proxy_auth;
 165
 166     /* Trim leading whitespace before decoding */
 167     while (xisspace(*proxy_auth))
 168         ++proxy_auth;
 169
 170     /* Trim trailing \n before decoding */
 171     // XXX: really? is the \n actually still there? does the header parse not drop it?
 172     char *eek = xstrdup(proxy_auth);
 173     strtok(eek, "\n");
 174
 175     const size_t srcLen = strlen(eek);
 176     char *cleartext = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1));
 177
 178     struct base64_decode_ctx ctx;
 179     base64_decode_init(&ctx);
 180
 181     size_t dstLen = 0;
 182     if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
 183         cleartext[dstLen] = '\0';
 184
 185         if (utf8 && !isValidUtf8String(cleartext, cleartext + dstLen)) {
 186             auto str = isCP1251EncodingAllowed(request) ?
 187                        Cp1251ToUtf8(cleartext) : Latin1ToUtf8(cleartext);
 188             safe_free(cleartext);
 189             cleartext = xstrdup(str.c_str());
 190         }
 191
 192         /*
 193          * Don't allow NL or CR in the credentials.
 194          * Oezguer Kesim <oec@codeblau.de>
 195          */
 196         debugs(29, 9, HERE << "'" << cleartext << "'");
 197
 198         if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
 199             debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
 200             safe_free(cleartext);
 201         }
 202     } else {
 203         debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'");
 204         safe_free(cleartext);
 205     }
 206
 207     safe_free(eek);
 208     return cleartext;
 209 }
 210
 211 /**
 212  * Decode a Basic [Proxy-]Auth string, linking the passed
 213  * auth_user_request structure to any existing user structure or creating one
 214  * if needed. Note that just returning will be treated as
 215  * "cannot decode credentials". Use the message field to return a
 216  * descriptive message to the user.
 217  */
 218 Auth::UserRequest::Pointer
 219 Auth::Basic::Config::decode(char const *proxy_auth, const HttpRequest *request, const char *aRequestRealm)
 220 {
 221     Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
 222     /* decode the username */
 223
 224     // retrieve the cleartext (in a dynamically allocated char*)
 225     const auto cleartext = decodeCleartext(proxy_auth, request);
 226
 227     // empty header? no auth details produced...
 228     if (!cleartext)
 229         return auth_user_request;
 230
 231     Auth::User::Pointer lb;
 232     /* permitted because local_basic is purely local function scope. */
 233     Auth::Basic::User *local_basic = NULL;
 234
 235     char *separator = strchr(cleartext, ':');
 236
 237     lb = local_basic = new Auth::Basic::User(this, aRequestRealm);
 238
 239     if (separator) {
 240         /* terminate the username */
 241         *separator = '\0';
 242         local_basic->passwd = xstrdup(separator+1);
 243     }
 244
 245     if (!casesensitive)
 246         Tolower(cleartext);
 247     local_basic->username(cleartext);
 248
 249     if (local_basic->passwd == NULL) {
 250         debugs(29, 4, HERE << "no password in proxy authorization header '" << proxy_auth << "'");
 251         auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
 252     } else {
 253         if (local_basic->passwd[0] == '\0') {
 254             debugs(29, 4, HERE << "Disallowing empty password. User is '" << local_basic->username() << "'");
 255             safe_free(local_basic->passwd);
 256             auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
 257         }
 258     }
 259
 260     xfree(cleartext);
 261
 262     if (!local_basic->valid()) {
 263         lb->auth_type = Auth::AUTH_BROKEN;
 264         auth_user_request->user(lb);
 265         return auth_user_request;
 266     }
 267
 268     /* now lookup and see if we have a matching auth_user structure in memory. */
 269     Auth::User::Pointer auth_user;
 270
 271     if (!(auth_user = Auth::Basic::User::Cache()->lookup(lb->userKey()))) {
 272         /* the user doesn't exist in the username cache yet */
 273         /* save the credentials */
 274         debugs(29, 9, HERE << "Creating new user '" << lb->username() << "'");
 275         /* set the auth_user type */
 276         lb->auth_type = Auth::AUTH_BASIC;
 277         /* current time for timeouts */
 278         lb->expiretime = current_time.tv_sec;
 279
 280         /* this basic_user struct is the 'lucky one' to get added to the username cache */
 281         /* the requests after this link to the basic_user */
 282         /* store user in hash */
 283         lb->addToNameCache();
 284
 285         auth_user = lb;
 286         assert(auth_user != NULL);
 287     } else {
 288         /* replace the current cached password with the new one */
 289         Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw());
 290         assert(basic_auth);
 291         basic_auth->updateCached(local_basic);
 292         auth_user = basic_auth;
 293     }
 294
 295     /* link the request to the in-cache user */
 296     auth_user_request->user(auth_user);
 297     return auth_user_request;
 298 }
 299
 300 /** Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 301  * config file */
 302 void
 303 Auth::Basic::Config::init(Auth::SchemeConfig *)
 304 {
 305     if (authenticateProgram) {
 306         authbasic_initialised = 1;
 307
 308         if (basicauthenticators == NULL)
 309             basicauthenticators = new helper("basicauthenticator");
 310
 311         basicauthenticators->cmdline = authenticateProgram;
 312
 313         basicauthenticators->childs.updateLimits(authenticateChildren);
 314
 315         basicauthenticators->ipc_type = IPC_STREAM;
 316
 317         helperOpenServers(basicauthenticators);
 318     }
 319 }
 320
 321 void
 322 Auth::Basic::Config::registerWithCacheManager(void)
 323 {
 324     Mgr::RegisterAction("basicauthenticator",
 325                         "Basic User Authenticator Stats",
 326                         authenticateBasicStats, 0, 1);
 327 }
 328