4 * DEBUG: section 29 Negotiate Authenticator
5 * AUTHOR: Robert Collins, Henrik Nordstrom, Francesco Chemolli
7 * SQUID Web Proxy Cache http://www.squid-cache.org/
8 * ----------------------------------------------------------
10 * Squid is the result of efforts by numerous individuals from
11 * the Internet community; see the CONTRIBUTORS file for full
12 * details. Many organizations have provided support for Squid's
13 * development; see the SPONSORS file for full details. Squid is
14 * Copyrighted (C) 2001 by the Regents of the University of
15 * California; see the COPYRIGHT file for full details. Squid
16 * incorporates software developed and/or copyrighted by other
17 * sources; see the CREDITS file for full details.
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
35 /* The functions in this file handle authentication.
36 * They DO NOT perform access control or auditing.
37 * See acl.c for access control and client_side.c for auditing */
41 #include "auth/negotiate/auth_negotiate.h"
42 #include "auth/Gadgets.h"
43 #include "auth/State.h"
44 #include "mgr/Registration.h"
46 #include "client_side.h"
47 #include "HttpReply.h"
48 #include "HttpRequest.h"
49 #include "SquidTime.h"
50 #include "auth/negotiate/Scheme.h"
51 #include "auth/negotiate/User.h"
52 #include "auth/negotiate/UserRequest.h"
56 \defgroup AuthNegotiateInternal Negotiate Authenticator Internals
57 \ingroup AuthNegotiateAPI
60 /* Negotiate Scheme */
61 static AUTHSSTATS authenticateNegotiateStats
;
63 /// \ingroup AuthNegotiateInternal
64 statefulhelper
*negotiateauthenticators
= NULL
;
66 /// \ingroup AuthNegotiateInternal
67 static int authnegotiate_initialised
= 0;
69 /// \ingroup AuthNegotiateInternal
70 Auth::Negotiate::Config negotiateConfig
;
72 /// \ingroup AuthNegotiateInternal
73 static hash_table
*proxy_auth_cache
= NULL
;
82 Auth::Negotiate::Config::rotateHelpers()
84 /* schedule closure of existing helpers */
85 if (negotiateauthenticators
) {
86 helperStatefulShutdown(negotiateauthenticators
);
89 /* NP: dynamic helper restart will ensure they start up again as needed. */
93 Auth::Negotiate::Config::done()
95 authnegotiate_initialised
= 0;
97 if (negotiateauthenticators
) {
98 helperStatefulShutdown(negotiateauthenticators
);
104 delete negotiateauthenticators
;
105 negotiateauthenticators
= NULL
;
107 if (authenticateProgram
)
108 wordlistDestroy(&authenticateProgram
);
110 debugs(29, DBG_IMPORTANT
, "Reconfigure: Negotiate authentication configuration cleared.");
114 Auth::Negotiate::Config::dump(StoreEntry
* entry
, const char *name
, Auth::Config
* scheme
)
116 wordlist
*list
= authenticateProgram
;
117 storeAppendPrintf(entry
, "%s %s", name
, "negotiate");
119 while (list
!= NULL
) {
120 storeAppendPrintf(entry
, " %s", list
->key
);
124 storeAppendPrintf(entry
, "\n%s negotiate children %d startup=%d idle=%d concurrency=%d\n",
125 name
, authenticateChildren
.n_max
, authenticateChildren
.n_startup
, authenticateChildren
.n_idle
, authenticateChildren
.concurrency
);
126 storeAppendPrintf(entry
, "%s %s keep_alive %s\n", name
, "negotiate", keep_alive
? "on" : "off");
130 Auth::Negotiate::Config::Config() : keep_alive(1)
134 Auth::Negotiate::Config::parse(Auth::Config
* scheme
, int n_configured
, char *param_str
)
136 if (strcasecmp(param_str
, "program") == 0) {
137 if (authenticateProgram
)
138 wordlistDestroy(&authenticateProgram
);
140 parse_wordlist(&authenticateProgram
);
142 requirePathnameExists("auth_param negotiate program", authenticateProgram
->key
);
143 } else if (strcasecmp(param_str
, "children") == 0) {
144 authenticateChildren
.parseConfig();
145 } else if (strcasecmp(param_str
, "keep_alive") == 0) {
146 parse_onoff(&keep_alive
);
148 debugs(29, DBG_CRITICAL
, "ERROR: unrecognised Negotiate auth scheme parameter '" << param_str
<< "'");
153 Auth::Negotiate::Config::type() const
155 return Auth::Negotiate::Scheme::GetInstance()->type();
159 * Initialize helpers and the like for this auth scheme.
160 * Called AFTER parsing the config file
163 Auth::Negotiate::Config::init(Auth::Config
* scheme
)
165 if (authenticateProgram
) {
167 authnegotiate_initialised
= 1;
169 if (negotiateauthenticators
== NULL
)
170 negotiateauthenticators
= new statefulhelper("negotiateauthenticator");
172 if (!proxy_auth_cache
)
173 proxy_auth_cache
= hash_create((HASHCMP
*) strcmp
, 7921, hash_string
);
175 assert(proxy_auth_cache
);
177 negotiateauthenticators
->cmdline
= authenticateProgram
;
179 negotiateauthenticators
->childs
= authenticateChildren
;
181 negotiateauthenticators
->ipc_type
= IPC_STREAM
;
183 helperStatefulOpenServers(negotiateauthenticators
);
185 CBDATA_INIT_TYPE(authenticateStateData
);
190 Auth::Negotiate::Config::registerWithCacheManager(void)
192 Mgr::RegisterAction("negotiateauthenticator",
193 "Negotiate User Authenticator Stats",
194 authenticateNegotiateStats
, 0, 1);
198 Auth::Negotiate::Config::active() const
200 return authnegotiate_initialised
== 1;
204 Auth::Negotiate::Config::configured() const
206 if (authenticateProgram
&& (authenticateChildren
.n_max
!= 0)) {
207 debugs(29, 9, HERE
<< "returning configured");
211 debugs(29, 9, HERE
<< "returning unconfigured");
215 /* Negotiate Scheme */
218 Auth::Negotiate::Config::fixHeader(AuthUserRequest::Pointer auth_user_request
, HttpReply
*rep
, http_hdr_type reqType
, HttpRequest
* request
)
220 AuthNegotiateUserRequest
*negotiate_request
;
222 if (!authenticateProgram
)
225 /* Need keep-alive */
226 if (!request
->flags
.proxy_keepalive
&& request
->flags
.must_keepalive
)
229 /* New request, no user details */
230 if (auth_user_request
== NULL
) {
231 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate'");
232 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate");
235 /* drop the connection */
236 rep
->header
.delByName("keep-alive");
237 request
->flags
.proxy_keepalive
= 0;
240 negotiate_request
= dynamic_cast<AuthNegotiateUserRequest
*>(auth_user_request
.getRaw());
241 assert(negotiate_request
!= NULL
);
243 switch (negotiate_request
->user()->credentials()) {
246 /* here it makes sense to drop the connection, as auth is
247 * tied to it, even if MAYBE the client could handle it - Kinkie */
248 rep
->header
.delByName("keep-alive");
249 request
->flags
.proxy_keepalive
= 0;
253 /* Special case: authentication finished OK but disallowed by ACL.
254 * Need to start over to give the client another chance.
256 if (negotiate_request
->server_blob
) {
257 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate " << negotiate_request
->server_blob
<< "'");
258 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate %s", negotiate_request
->server_blob
);
259 safe_free(negotiate_request
->server_blob
);
261 debugs(29, 9, HERE
<< "Connection authenticated");
262 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate");
266 case Auth::Unchecked
:
267 /* semantic change: do not drop the connection.
268 * 2.5 implementation used to keep it open - Kinkie */
269 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate'");
270 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate");
273 case Auth::Handshake
:
274 /* we're waiting for a response from the client. Pass it the blob */
275 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate " << negotiate_request
->server_blob
<< "'");
276 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate %s", negotiate_request
->server_blob
);
277 safe_free(negotiate_request
->server_blob
);
281 debugs(29, DBG_CRITICAL
, "ERROR: Negotiate auth fixHeader: state " << negotiate_request
->user()->credentials() << ".");
282 fatal("unexpected state in AuthenticateNegotiateFixErrorHeader.\n");
288 authenticateNegotiateStats(StoreEntry
* sentry
)
290 helperStatefulStats(sentry
, negotiateauthenticators
, "Negotiate Authenticator Statistics");
294 * Decode a Negotiate [Proxy-]Auth string, placing the results in the passed
295 * Auth_user structure.
297 AuthUserRequest::Pointer
298 Auth::Negotiate::Config::decode(char const *proxy_auth
)
300 Auth::Negotiate::User
*newUser
= new Auth::Negotiate::User(&negotiateConfig
);
301 AuthUserRequest
*auth_user_request
= new AuthNegotiateUserRequest();
302 assert(auth_user_request
->user() == NULL
);
304 auth_user_request
->user(newUser
);
305 auth_user_request
->user()->auth_type
= Auth::AUTH_NEGOTIATE
;
307 /* all we have to do is identify that it's Negotiate - the helper does the rest */
308 debugs(29, 9, HERE
<< "decode Negotiate authentication");
309 return auth_user_request
;