4 * DEBUG: section 29 Negotiate Authenticator
5 * AUTHOR: Robert Collins, Henrik Nordstrom, Francesco Chemolli
7 * SQUID Web Proxy Cache http://www.squid-cache.org/
8 * ----------------------------------------------------------
10 * Squid is the result of efforts by numerous individuals from
11 * the Internet community; see the CONTRIBUTORS file for full
12 * details. Many organizations have provided support for Squid's
13 * development; see the SPONSORS file for full details. Squid is
14 * Copyrighted (C) 2001 by the Regents of the University of
15 * California; see the COPYRIGHT file for full details. Squid
16 * incorporates software developed and/or copyrighted by other
17 * sources; see the CREDITS file for full details.
19 * This program is free software; you can redistribute it and/or modify
20 * it under the terms of the GNU General Public License as published by
21 * the Free Software Foundation; either version 2 of the License, or
22 * (at your option) any later version.
24 * This program is distributed in the hope that it will be useful,
25 * but WITHOUT ANY WARRANTY; without even the implied warranty of
26 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
27 * GNU General Public License for more details.
29 * You should have received a copy of the GNU General Public License
30 * along with this program; if not, write to the Free Software
31 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
35 /* The functions in this file handle authentication.
36 * They DO NOT perform access control or auditing.
37 * See acl.c for access control and client_side.c for auditing */
41 #include "auth/negotiate/auth_negotiate.h"
42 #include "auth/Gadgets.h"
43 #include "auth/State.h"
44 #include "mgr/Registration.h"
46 #include "client_side.h"
47 #include "HttpReply.h"
48 #include "HttpRequest.h"
49 #include "SquidTime.h"
50 #include "auth/negotiate/Scheme.h"
51 #include "auth/negotiate/UserRequest.h"
55 \defgroup AuthNegotiateInternal Negotiate Authenticator Internals
56 \ingroup AuthNegotiateAPI
59 /* Negotiate Scheme */
60 static AUTHSSTATS authenticateNegotiateStats
;
62 /// \ingroup AuthNegotiateInternal
63 statefulhelper
*negotiateauthenticators
= NULL
;
65 /// \ingroup AuthNegotiateInternal
66 static int authnegotiate_initialised
= 0;
68 /// \ingroup AuthNegotiateInternal
69 Auth::Negotiate::Config negotiateConfig
;
71 /// \ingroup AuthNegotiateInternal
72 static hash_table
*proxy_auth_cache
= NULL
;
81 Auth::Negotiate::Config::rotateHelpers()
83 /* schedule closure of existing helpers */
84 if (negotiateauthenticators
) {
85 helperStatefulShutdown(negotiateauthenticators
);
88 /* NP: dynamic helper restart will ensure they start up again as needed. */
92 Auth::Negotiate::Config::done()
94 authnegotiate_initialised
= 0;
96 if (negotiateauthenticators
) {
97 helperStatefulShutdown(negotiateauthenticators
);
103 delete negotiateauthenticators
;
104 negotiateauthenticators
= NULL
;
106 if (authenticateProgram
)
107 wordlistDestroy(&authenticateProgram
);
109 debugs(29, DBG_IMPORTANT
, "Reconfigure: Negotiate authentication configuration cleared.");
113 Auth::Negotiate::Config::dump(StoreEntry
* entry
, const char *name
, Auth::Config
* scheme
)
115 wordlist
*list
= authenticateProgram
;
116 storeAppendPrintf(entry
, "%s %s", name
, "negotiate");
118 while (list
!= NULL
) {
119 storeAppendPrintf(entry
, " %s", list
->key
);
123 storeAppendPrintf(entry
, "\n%s negotiate children %d startup=%d idle=%d concurrency=%d\n",
124 name
, authenticateChildren
.n_max
, authenticateChildren
.n_startup
, authenticateChildren
.n_idle
, authenticateChildren
.concurrency
);
125 storeAppendPrintf(entry
, "%s %s keep_alive %s\n", name
, "negotiate", keep_alive
? "on" : "off");
129 Auth::Negotiate::Config::Config() : keep_alive(1)
133 Auth::Negotiate::Config::parse(Auth::Config
* scheme
, int n_configured
, char *param_str
)
135 if (strcasecmp(param_str
, "program") == 0) {
136 if (authenticateProgram
)
137 wordlistDestroy(&authenticateProgram
);
139 parse_wordlist(&authenticateProgram
);
141 requirePathnameExists("auth_param negotiate program", authenticateProgram
->key
);
142 } else if (strcasecmp(param_str
, "children") == 0) {
143 authenticateChildren
.parseConfig();
144 } else if (strcasecmp(param_str
, "keep_alive") == 0) {
145 parse_onoff(&keep_alive
);
147 debugs(29, DBG_CRITICAL
, "ERROR: unrecognised Negotiate auth scheme parameter '" << param_str
<< "'");
152 Auth::Negotiate::Config::type() const
154 return Auth::Negotiate::Scheme::GetInstance()->type();
158 * Initialize helpers and the like for this auth scheme.
159 * Called AFTER parsing the config file
162 Auth::Negotiate::Config::init(Auth::Config
* scheme
)
164 if (authenticateProgram
) {
166 authnegotiate_initialised
= 1;
168 if (negotiateauthenticators
== NULL
)
169 negotiateauthenticators
= new statefulhelper("negotiateauthenticator");
171 if (!proxy_auth_cache
)
172 proxy_auth_cache
= hash_create((HASHCMP
*) strcmp
, 7921, hash_string
);
174 assert(proxy_auth_cache
);
176 negotiateauthenticators
->cmdline
= authenticateProgram
;
178 negotiateauthenticators
->childs
= authenticateChildren
;
180 negotiateauthenticators
->ipc_type
= IPC_STREAM
;
182 helperStatefulOpenServers(negotiateauthenticators
);
184 CBDATA_INIT_TYPE(authenticateStateData
);
189 Auth::Negotiate::Config::registerWithCacheManager(void)
191 Mgr::RegisterAction("negotiateauthenticator",
192 "Negotiate User Authenticator Stats",
193 authenticateNegotiateStats
, 0, 1);
197 Auth::Negotiate::Config::active() const
199 return authnegotiate_initialised
== 1;
203 Auth::Negotiate::Config::configured() const
205 if (authenticateProgram
&& (authenticateChildren
.n_max
!= 0)) {
206 debugs(29, 9, HERE
<< "returning configured");
210 debugs(29, 9, HERE
<< "returning unconfigured");
214 /* Negotiate Scheme */
217 Auth::Negotiate::Config::fixHeader(AuthUserRequest::Pointer auth_user_request
, HttpReply
*rep
, http_hdr_type reqType
, HttpRequest
* request
)
219 AuthNegotiateUserRequest
*negotiate_request
;
221 if (!authenticateProgram
)
224 /* Need keep-alive */
225 if (!request
->flags
.proxy_keepalive
&& request
->flags
.must_keepalive
)
228 /* New request, no user details */
229 if (auth_user_request
== NULL
) {
230 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate'");
231 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate");
234 /* drop the connection */
235 rep
->header
.delByName("keep-alive");
236 request
->flags
.proxy_keepalive
= 0;
239 negotiate_request
= dynamic_cast<AuthNegotiateUserRequest
*>(auth_user_request
.getRaw());
240 assert(negotiate_request
!= NULL
);
242 switch (negotiate_request
->user()->credentials()) {
245 /* here it makes sense to drop the connection, as auth is
246 * tied to it, even if MAYBE the client could handle it - Kinkie */
247 rep
->header
.delByName("keep-alive");
248 request
->flags
.proxy_keepalive
= 0;
252 /* Special case: authentication finished OK but disallowed by ACL.
253 * Need to start over to give the client another chance.
255 if (negotiate_request
->server_blob
) {
256 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate " << negotiate_request
->server_blob
<< "'");
257 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate %s", negotiate_request
->server_blob
);
258 safe_free(negotiate_request
->server_blob
);
260 debugs(29, 9, HERE
<< "Connection authenticated");
261 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate");
265 case Auth::Unchecked
:
266 /* semantic change: do not drop the connection.
267 * 2.5 implementation used to keep it open - Kinkie */
268 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate'");
269 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate");
272 case Auth::Handshake
:
273 /* we're waiting for a response from the client. Pass it the blob */
274 debugs(29, 9, HERE
<< "Sending type:" << reqType
<< " header: 'Negotiate " << negotiate_request
->server_blob
<< "'");
275 httpHeaderPutStrf(&rep
->header
, reqType
, "Negotiate %s", negotiate_request
->server_blob
);
276 safe_free(negotiate_request
->server_blob
);
280 debugs(29, DBG_CRITICAL
, "ERROR: Negotiate auth fixHeader: state " << negotiate_request
->user()->credentials() << ".");
281 fatal("unexpected state in AuthenticateNegotiateFixErrorHeader.\n");
286 NegotiateUser::~NegotiateUser()
288 debugs(29, 5, HERE
<< "doing nothing to clearNegotiate scheme data for '" << this << "'");
292 NegotiateUser::ttl() const
294 return -1; // Negotiate cannot be cached.
298 authenticateNegotiateStats(StoreEntry
* sentry
)
300 helperStatefulStats(sentry
, negotiateauthenticators
, "Negotiate Authenticator Statistics");
304 * Decode a Negotiate [Proxy-]Auth string, placing the results in the passed
305 * Auth_user structure.
307 AuthUserRequest::Pointer
308 Auth::Negotiate::Config::decode(char const *proxy_auth
)
310 NegotiateUser
*newUser
= new NegotiateUser(&negotiateConfig
);
311 AuthUserRequest
*auth_user_request
= new AuthNegotiateUserRequest();
312 assert(auth_user_request
->user() == NULL
);
314 auth_user_request
->user(newUser
);
315 auth_user_request
->user()->auth_type
= Auth::AUTH_NEGOTIATE
;
317 /* all we have to do is identify that it's Negotiate - the helper does the rest */
318 debugs(29, 9, HERE
<< "decode Negotiate authentication");
319 return auth_user_request
;
322 NegotiateUser::NegotiateUser(Auth::Config
*aConfig
) : Auth::User(aConfig
)
324 proxy_auth_list
.head
= proxy_auth_list
.tail
= NULL
;