src/auth/negotiate/Config.cc

   1 /*
   2  * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
   3  *
   4  * Squid software is distributed under GPLv2+ license and includes
   5  * contributions from numerous individuals and organizations.
   6  * Please see the COPYING and CONTRIBUTORS files for details.
   7  */
   8
   9 /* DEBUG: section 29    Negotiate Authenticator */
  10
  11 /* The functions in this file handle authentication.
  12  * They DO NOT perform access control or auditing.
  13  * See acl.c for access control and client_side.c for auditing */
  14
  15 #include "squid.h"
  16 #include "auth/Gadgets.h"
  17 #include "auth/negotiate/Config.h"
  18 #include "auth/negotiate/Scheme.h"
  19 #include "auth/negotiate/User.h"
  20 #include "auth/negotiate/UserRequest.h"
  21 #include "auth/State.h"
  22 #include "cache_cf.h"
  23 #include "client_side.h"
  24 #include "helper.h"
  25 #include "http/Stream.h"
  26 #include "HttpHeaderTools.h"
  27 #include "HttpReply.h"
  28 #include "HttpRequest.h"
  29 #include "mgr/Registration.h"
  30 #include "SquidTime.h"
  31 #include "Store.h"
  32 #include "wordlist.h"
  33
  34 /**
  35  \defgroup AuthNegotiateInternal Negotiate Authenticator Internals
  36  \ingroup AuthNegotiateAPI
  37  */
  38
  39 /* Negotiate Scheme */
  40 static AUTHSSTATS authenticateNegotiateStats;
  41
  42 /// \ingroup AuthNegotiateInternal
  43 statefulhelper *negotiateauthenticators = NULL;
  44
  45 /// \ingroup AuthNegotiateInternal
  46 static int authnegotiate_initialised = 0;
  47
  48 /// \ingroup AuthNegotiateInternal
  49 static hash_table *proxy_auth_cache = NULL;
  50
  51 void
  52 Auth::Negotiate::Config::rotateHelpers()
  53 {
  54     /* schedule closure of existing helpers */
  55     if (negotiateauthenticators) {
  56         helperStatefulShutdown(negotiateauthenticators);
  57     }
  58
  59     /* NP: dynamic helper restart will ensure they start up again as needed. */
  60 }
  61
  62 void
  63 Auth::Negotiate::Config::done()
  64 {
  65     Auth::Config::done();
  66
  67     authnegotiate_initialised = 0;
  68
  69     if (negotiateauthenticators) {
  70         helperStatefulShutdown(negotiateauthenticators);
  71     }
  72
  73     if (!shutting_down)
  74         return;
  75
  76     delete negotiateauthenticators;
  77     negotiateauthenticators = NULL;
  78
  79     if (authenticateProgram)
  80         wordlistDestroy(&authenticateProgram);
  81
  82     debugs(29, DBG_IMPORTANT, "Reconfigure: Negotiate authentication configuration cleared.");
  83 }
  84
  85 bool
  86 Auth::Negotiate::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const
  87 {
  88     if (!Auth::Config::dump(entry, name, scheme))
  89         return false;
  90
  91     storeAppendPrintf(entry, "%s negotiate keep_alive %s\n", name, keep_alive ? "on" : "off");
  92     return true;
  93 }
  94
  95 Auth::Negotiate::Config::Config() : keep_alive(1)
  96 { }
  97
  98 void
  99 Auth::Negotiate::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
 100 {
 101     if (strcmp(param_str, "program") == 0) {
 102         if (authenticateProgram)
 103             wordlistDestroy(&authenticateProgram);
 104
 105         parse_wordlist(&authenticateProgram);
 106
 107         requirePathnameExists("auth_param negotiate program", authenticateProgram->key);
 108     } else if (strcmp(param_str, "keep_alive") == 0) {
 109         parse_onoff(&keep_alive);
 110     } else
 111         Auth::Config::parse(scheme, n_configured, param_str);
 112 }
 113
 114 const char *
 115 Auth::Negotiate::Config::type() const
 116 {
 117     return Auth::Negotiate::Scheme::GetInstance()->type();
 118 }
 119
 120 /**
 121  * Initialize helpers and the like for this auth scheme.
 122  * Called AFTER parsing the config file
 123  */
 124 void
 125 Auth::Negotiate::Config::init(Auth::Config *)
 126 {
 127     if (authenticateProgram) {
 128
 129         authnegotiate_initialised = 1;
 130
 131         if (negotiateauthenticators == NULL)
 132             negotiateauthenticators = new statefulhelper("negotiateauthenticator");
 133
 134         if (!proxy_auth_cache)
 135             proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
 136
 137         assert(proxy_auth_cache);
 138
 139         negotiateauthenticators->cmdline = authenticateProgram;
 140
 141         negotiateauthenticators->childs.updateLimits(authenticateChildren);
 142
 143         negotiateauthenticators->ipc_type = IPC_STREAM;
 144
 145         helperStatefulOpenServers(negotiateauthenticators);
 146     }
 147 }
 148
 149 void
 150 Auth::Negotiate::Config::registerWithCacheManager(void)
 151 {
 152     Mgr::RegisterAction("negotiateauthenticator",
 153                         "Negotiate User Authenticator Stats",
 154                         authenticateNegotiateStats, 0, 1);
 155 }
 156
 157 bool
 158 Auth::Negotiate::Config::active() const
 159 {
 160     return authnegotiate_initialised == 1;
 161 }
 162
 163 bool
 164 Auth::Negotiate::Config::configured() const
 165 {
 166     if (authenticateProgram && (authenticateChildren.n_max != 0)) {
 167         debugs(29, 9, HERE << "returning configured");
 168         return true;
 169     }
 170
 171     debugs(29, 9, HERE << "returning unconfigured");
 172     return false;
 173 }
 174
 175 /* Negotiate Scheme */
 176
 177 void
 178 Auth::Negotiate::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType reqType, HttpRequest * request)
 179 {
 180     if (!authenticateProgram)
 181         return;
 182
 183     /* Need keep-alive */
 184     if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
 185         return;
 186
 187     /* New request, no user details */
 188     if (auth_user_request == NULL) {
 189         debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate'");
 190         httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
 191
 192         if (!keep_alive) {
 193             /* drop the connection */
 194             rep->header.delByName("keep-alive");
 195             request->flags.proxyKeepalive = false;
 196         }
 197     } else {
 198         Auth::Negotiate::UserRequest *negotiate_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
 199         assert(negotiate_request != NULL);
 200
 201         switch (negotiate_request->user()->credentials()) {
 202
 203         case Auth::Failed:
 204             /* here it makes sense to drop the connection, as auth is
 205              * tied to it, even if MAYBE the client could handle it - Kinkie */
 206             rep->header.delByName("keep-alive");
 207             request->flags.proxyKeepalive = false;
 208         /* fall through */
 209
 210         case Auth::Ok:
 211             /* Special case: authentication finished OK but disallowed by ACL.
 212              * Need to start over to give the client another chance.
 213              */
 214             if (negotiate_request->server_blob) {
 215                 debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
 216                 httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
 217                 safe_free(negotiate_request->server_blob);
 218             } else {
 219                 debugs(29, 9, HERE << "Connection authenticated");
 220                 httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
 221             }
 222             break;
 223
 224         case Auth::Unchecked:
 225             /* semantic change: do not drop the connection.
 226              * 2.5 implementation used to keep it open - Kinkie */
 227             debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate'");
 228             httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
 229             break;
 230
 231         case Auth::Handshake:
 232             /* we're waiting for a response from the client. Pass it the blob */
 233             debugs(29, 9, HERE << "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
 234             httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
 235             safe_free(negotiate_request->server_blob);
 236             break;
 237
 238         default:
 239             debugs(29, DBG_CRITICAL, "ERROR: Negotiate auth fixHeader: state " << negotiate_request->user()->credentials() << ".");
 240             fatal("unexpected state in AuthenticateNegotiateFixErrorHeader.\n");
 241         }
 242     }
 243 }
 244
 245 static void
 246 authenticateNegotiateStats(StoreEntry * sentry)
 247 {
 248     if (negotiateauthenticators)
 249         negotiateauthenticators->packStatsInto(sentry, "Negotiate Authenticator Statistics");
 250 }
 251
 252 /*
 253  * Decode a Negotiate [Proxy-]Auth string, placing the results in the passed
 254  * Auth_user structure.
 255  */
 256 Auth::UserRequest::Pointer
 257 Auth::Negotiate::Config::decode(char const *proxy_auth, const char *aRequestRealm)
 258 {
 259     Auth::Negotiate::User *newUser = new Auth::Negotiate::User(Auth::Config::Find("negotiate"), aRequestRealm);
 260     Auth::UserRequest *auth_user_request = new Auth::Negotiate::UserRequest();
 261     assert(auth_user_request->user() == NULL);
 262
 263     auth_user_request->user(newUser);
 264     auth_user_request->user()->auth_type = Auth::AUTH_NEGOTIATE;
 265
 266     auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);
 267
 268     /* all we have to do is identify that it's Negotiate - the helper does the rest */
 269     debugs(29, 9, HERE << "decode Negotiate authentication");
 270     return auth_user_request;
 271 }
 272