src/auth/negotiate/Config.cc

   1 /*
   2  * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /* DEBUG: section 29    Negotiate Authenticator */
  10
  11 /* The functions in this file handle authentication.
  12  * They DO NOT perform access control or auditing.
  13  * See acl.c for access control and client_side.c for auditing */
  14
  15 #include "squid.h"
  16 #include "auth/Gadgets.h"
  17 #include "auth/negotiate/Config.h"
  18 #include "auth/negotiate/Scheme.h"
  19 #include "auth/negotiate/User.h"
  20 #include "auth/negotiate/UserRequest.h"
  21 #include "auth/State.h"
  22 #include "cache_cf.h"
  23 #include "client_side.h"
  24 #include "helper.h"
  25 #include "HttpHeaderTools.h"
  26 #include "HttpReply.h"
  27 #include "HttpRequest.h"
  28 #include "mgr/Registration.h"
  29 #include "SquidTime.h"
  30 #include "Store.h"
  31 #include "wordlist.h"
  32
  33 /**
  34  \defgroup AuthNegotiateInternal Negotiate Authenticator Internals
  35  \ingroup AuthNegotiateAPI
  36  */
  37
  38 /* Negotiate Scheme */
  39 static AUTHSSTATS authenticateNegotiateStats;
  40
  41 /// \ingroup AuthNegotiateInternal
  42 statefulhelper *negotiateauthenticators = NULL;
  43
  44 /// \ingroup AuthNegotiateInternal
  45 static int authnegotiate_initialised = 0;
  46
  47 /// \ingroup AuthNegotiateInternal
  48 static hash_table *proxy_auth_cache = NULL;
  49
  50 void
  51 Auth::Negotiate::Config::rotateHelpers()
  52 {
  53     /* schedule closure of existing helpers */
  54     if (negotiateauthenticators) {
  55         helperStatefulShutdown(negotiateauthenticators);
  56     }
  57
  58     /* NP: dynamic helper restart will ensure they start up again as needed. */
  59 }
  60
  61 void
  62 Auth::Negotiate::Config::done()
  63 {
  64     Auth::Config::done();
  65
  66     authnegotiate_initialised = 0;
  67
  68     if (negotiateauthenticators) {
  69         helperStatefulShutdown(negotiateauthenticators);
  70     }
  71
  72     if (!shutting_down)
  73         return;
  74
  75     delete negotiateauthenticators;
  76     negotiateauthenticators = NULL;
  77
  78     if (authenticateProgram)
  79         wordlistDestroy(&authenticateProgram);
  80
  81     debugs(29, DBG_IMPORTANT, "Reconfigure: Negotiate authentication configuration cleared.");
  82 }
  83
  84 bool
  85 Auth::Negotiate::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const
  86 {
  87     if (!Auth::Config::dump(entry, name, scheme))
  88         return false;
  89
  90     storeAppendPrintf(entry, "%s negotiate keep_alive %s\n", name, keep_alive ? "on" : "off");
  91     return true;
  92 }
  93
  94 Auth::Negotiate::Config::Config() : keep_alive(1)
  95 { }
  96
  97 void
  98 Auth::Negotiate::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
  99 {
 100     if (strcmp(param_str, "program") == 0) {
 101         if (authenticateProgram)
 102             wordlistDestroy(&authenticateProgram);
 103
 104         parse_wordlist(&authenticateProgram);
 105
 106         requirePathnameExists("auth_param negotiate program", authenticateProgram->key);
 107     } else if (strcmp(param_str, "keep_alive") == 0) {
 108         parse_onoff(&keep_alive);
 109     } else
 110         Auth::Config::parse(scheme, n_configured, param_str);
 111 }
 112
 113 const char *
 114 Auth::Negotiate::Config::type() const
 115 {
 116     return Auth::Negotiate::Scheme::GetInstance()->type();
 117 }
 118
 119 /**
 120  * Initialize helpers and the like for this auth scheme.
 121  * Called AFTER parsing the config file
 122  */
 123 void
 124 Auth::Negotiate::Config::init(Auth::Config *)
 125 {
 126     if (authenticateProgram) {
 127
 128         authnegotiate_initialised = 1;
 129
 130         if (negotiateauthenticators == NULL)
 131             negotiateauthenticators = new statefulhelper("negotiateauthenticator");
 132
 133         if (!proxy_auth_cache)
 134             proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
 135
 136         assert(proxy_auth_cache);
 137
 138         negotiateauthenticators->cmdline = authenticateProgram;
 139
 140         negotiateauthenticators->childs.updateLimits(authenticateChildren);
 141
 142         negotiateauthenticators->ipc_type = IPC_STREAM;
 143
 144         helperStatefulOpenServers(negotiateauthenticators);
 145     }
 146 }
 147
 148 void
 149 Auth::Negotiate::Config::registerWithCacheManager(void)
 150 {
 151     Mgr::RegisterAction("negotiateauthenticator",
 152                         "Negotiate User Authenticator Stats",
 153                         authenticateNegotiateStats, 0, 1);
 154 }
 155
 156 bool
 157 Auth::Negotiate::Config::active() const
 158 {
 159     return authnegotiate_initialised == 1;
 160 }
 161
 162 bool
 163 Auth::Negotiate::Config::configured() const
 164 {
 165     if (authenticateProgram && (authenticateChildren.n_max != 0)) {
 166         debugs(29, 9, HERE << "returning configured");
 167         return true;
 168     }
 169
 170     debugs(29, 9, HERE << "returning unconfigured");
 171     return false;
 172 }
 173
 174 /* Negotiate Scheme */
 175
 176 void
 177 Auth::Negotiate::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type reqType, HttpRequest * request)
 178 {
 179     if (!authenticateProgram)
 180         return;
 181
 182     /* Need keep-alive */
 183     if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
 184         return;
 185
 186     /* New request, no user details */
 187     if (auth_user_request == NULL) {
 188         debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate'");
 189         httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
 190
 191         if (!keep_alive) {
 192             /* drop the connection */
 193             rep->header.delByName("keep-alive");
 194             request->flags.proxyKeepalive = false;
 195         }
 196     } else {
 197         Auth::Negotiate::UserRequest *negotiate_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
 198         assert(negotiate_request != NULL);
 199
 200         switch (negotiate_request->user()->credentials()) {
 201
 202         case Auth::Failed:
 203             /* here it makes sense to drop the connection, as auth is
 204              * tied to it, even if MAYBE the client could handle it - Kinkie */
 205             rep->header.delByName("keep-alive");
 206             request->flags.proxyKeepalive = false;
 207         /* fall through */
 208
 209         case Auth::Ok:
 210             /* Special case: authentication finished OK but disallowed by ACL.
 211              * Need to start over to give the client another chance.
 212              */
 213             if (negotiate_request->server_blob) {
 214                 debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
 215                 httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
 216                 safe_free(negotiate_request->server_blob);
 217             } else {
 218                 debugs(29, 9, HERE << "Connection authenticated");
 219                 httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
 220             }
 221             break;
 222
 223         case Auth::Unchecked:
 224             /* semantic change: do not drop the connection.
 225              * 2.5 implementation used to keep it open - Kinkie */
 226             debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate'");
 227             httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
 228             break;
 229
 230         case Auth::Handshake:
 231             /* we're waiting for a response from the client. Pass it the blob */
 232             debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
 233             httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
 234             safe_free(negotiate_request->server_blob);
 235             break;
 236
 237         default:
 238             debugs(29, DBG_CRITICAL, "ERROR: Negotiate auth fixHeader: state " << negotiate_request->user()->credentials() << ".");
 239             fatal("unexpected state in AuthenticateNegotiateFixErrorHeader.\n");
 240         }
 241     }
 242 }
 243
 244 static void
 245 authenticateNegotiateStats(StoreEntry * sentry)
 246 {
 247     helperStatefulStats(sentry, negotiateauthenticators, "Negotiate Authenticator Statistics");
 248 }
 249
 250 /*
 251  * Decode a Negotiate [Proxy-]Auth string, placing the results in the passed
 252  * Auth_user structure.
 253  */
 254 Auth::UserRequest::Pointer
 255 Auth::Negotiate::Config::decode(char const *proxy_auth, const char *aRequestRealm)
 256 {
 257     Auth::Negotiate::User *newUser = new Auth::Negotiate::User(Auth::Config::Find("negotiate"), aRequestRealm);
 258     Auth::UserRequest *auth_user_request = new Auth::Negotiate::UserRequest();
 259     assert(auth_user_request->user() == NULL);
 260
 261     auth_user_request->user(newUser);
 262     auth_user_request->user()->auth_type = Auth::AUTH_NEGOTIATE;
 263
 264     auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);
 265
 266     /* all we have to do is identify that it's Negotiate - the helper does the rest */
 267     debugs(29, 9, HERE << "decode Negotiate authentication");
 268     return auth_user_request;
 269 }
 270