]> git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/ntlm/UserRequest.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Cleanup: sync NTLM and Negotiate UserRequest code
[thirdparty/squid.git] / src / auth / ntlm / UserRequest.cc
1 #include "config.h"
2 #include "auth/ntlm/auth_ntlm.h"
3 #include "auth/ntlm/UserRequest.h"
4 #include "auth/State.h"
5 #include "cbdata.h"
6 #include "HttpRequest.h"
7 #include "SquidTime.h"
8
9 AuthNTLMUserRequest::AuthNTLMUserRequest()
10 {
11 waiting=0;
12 client_blob=0;
13 server_blob=0;
14 authserver=NULL;
15 request=NULL;
16 }
17
18 AuthNTLMUserRequest::~AuthNTLMUserRequest()
19 {
20 assert(RefCountCount()==0);
21 safe_free(server_blob);
22 safe_free(client_blob);
23
24 releaseAuthServer();
25
26 if (request) {
27 HTTPMSGUNLOCK(request);
28 request = NULL;
29 }
30 }
31
32 const char *
33 AuthNTLMUserRequest::connLastHeader()
34 {
35 return NULL;
36 }
37
38 int
39 AuthNTLMUserRequest::authenticated() const
40 {
41 if (user() != NULL && user()->credentials() == Auth::Ok) {
42 debugs(29, 9, HERE << "user authenticated.");
43 return 1;
44 }
45
46 debugs(29, 9, HERE << "user not fully authenticated.");
47 return 0;
48 }
49
50 Auth::Direction
51 AuthNTLMUserRequest::module_direction()
52 {
53 /* null auth_user is checked for by AuthUserRequest::direction() */
54
55 if (waiting || client_blob)
56 return Auth::CRED_LOOKUP; /* need helper response to continue */
57
58 if (user()->auth_type != Auth::AUTH_NTLM)
59 return Auth::CRED_ERROR;
60
61 switch (user()->credentials()) {
62
63 case Auth::Handshake:
64 assert(server_blob);
65 return Auth::CRED_CHALLENGE;
66
67 case Auth::Ok:
68 return Auth::CRED_VALID;
69
70 case Auth::Failed:
71 return Auth::CRED_ERROR; // XXX: really? not VALID or CHALLENGE?
72
73 default:
74 debugs(29, DBG_IMPORTANT, "WARNING: NTLM Authentication in unexpected state: " << user()->credentials());
75 return Auth::CRED_ERROR;
76 }
77 }
78
79 void
80 AuthNTLMUserRequest::module_start(RH * handler, void *data)
81 {
82 static char buf[MAX_AUTHTOKEN_LEN];
83
84 assert(data);
85 assert(handler);
86
87 if (static_cast<Auth::Ntlm::Config*>(Auth::Config::Find("ntlm"))->authenticateProgram == NULL) {
88 debugs(29, DBG_CRITICAL, "ERROR: NTLM Start: no NTLM program configured.");
89 handler(data, NULL);
90 return;
91 }
92
93 debugs(29, 8, HERE << "credentials state is '" << user()->credentials() << "'");
94
95 authenticateStateData *r = cbdataAlloc(authenticateStateData);
96 r->handler = handler;
97 r->data = cbdataReference(data);
98 r->auth_user_request = this;
99
100 if (user()->credentials() == Auth::Pending) {
101 snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
102 } else {
103 snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
104 }
105
106 waiting = 1;
107
108 safe_free(client_blob);
109 helperStatefulSubmit(ntlmauthenticators, buf, AuthNTLMUserRequest::HandleReply, r, authserver);
110 }
111
112 /**
113 * Atomic action: properly release the NTLM auth helpers which may have been reserved
114 * for this request connections use.
115 */
116 void
117 AuthNTLMUserRequest::releaseAuthServer()
118 {
119 if (authserver) {
120 debugs(29, 6, HERE << "releasing NTLM auth server '" << authserver << "'");
121 helperStatefulReleaseServer(authserver);
122 authserver = NULL;
123 } else
124 debugs(29, 6, HERE << "No NTLM auth server to release.");
125 }
126
127 void
128 AuthNTLMUserRequest::onConnectionClose(ConnStateData *conn)
129 {
130 assert(conn != NULL);
131
132 debugs(29, 8, "AuthNTLMUserRequest::onConnectionClose: closing connection '" << conn << "' (this is '" << this << "')");
133
134 if (conn->auth_user_request == NULL) {
135 debugs(29, 8, "AuthNTLMUserRequest::onConnectionClose: no auth_user_request");
136 return;
137 }
138
139 releaseAuthServer();
140
141 /* unlock the connection based lock */
142 debugs(29, 9, HERE << "Unlocking auth_user from the connection '" << conn << "'.");
143
144 conn->auth_user_request = NULL;
145 }
146
147 void
148 AuthNTLMUserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, http_hdr_type type)
149 {
150 assert(this);
151
152 /* Check that we are in the client side, where we can generate
153 * auth challenges */
154
155 if (conn == NULL || !cbdataReferenceValid(conn)) {
156 user()->credentials(Auth::Failed);
157 debugs(29, DBG_IMPORTANT, "WARNING: NTLM Authentication attempt to perform authentication without a connection!");
158 return;
159 }
160
161 if (waiting) {
162 debugs(29, DBG_IMPORTANT, "WARNING: NTLM Authentication waiting for helper reply!");
163 return;
164 }
165
166 if (server_blob) {
167 debugs(29, 2, HERE << "need to challenge client '" << server_blob << "'!");
168 return;
169 }
170
171 /* get header */
172 const char *proxy_auth = aRequest->header.getStr(type);
173
174 /* locate second word */
175 const char *blob = proxy_auth;
176
177 /* if proxy_auth is actually NULL, we'd better not manipulate it. */
178 if (blob) {
179 while (xisspace(*blob) && *blob)
180 blob++;
181
182 while (!xisspace(*blob) && *blob)
183 blob++;
184
185 while (xisspace(*blob) && *blob)
186 blob++;
187 }
188
189 switch (user()->credentials()) {
190
191 case Auth::Unchecked:
192 /* we've received a ntlm request. pass to a helper */
193 debugs(29, 9, HERE << "auth state ntlm none. Received blob: '" << proxy_auth << "'");
194 user()->credentials(Auth::Pending);
195 safe_free(client_blob);
196 client_blob=xstrdup(blob);
197 assert(conn->auth_user_request == NULL);
198 conn->auth_user_request = this;
199 request = aRequest;
200 HTTPMSGLOCK(request);
201 break;
202
203 case Auth::Pending:
204 debugs(29, 1, HERE << "need to ask helper");
205 break;
206
207 case Auth::Handshake:
208 /* we should have received a blob from the client. Hand it off to
209 * some helper */
210 safe_free(client_blob);
211 client_blob = xstrdup(blob);
212 if (request)
213 HTTPMSGUNLOCK(request);
214 request = aRequest;
215 HTTPMSGLOCK(request);
216 break;
217
218 case Auth::Ok:
219 fatal("AuthNTLMUserRequest::authenticate: unexpect auth state DONE! Report a bug to the squid developers.\n");
220 break;
221
222 case Auth::Failed:
223 /* we've failed somewhere in authentication */
224 debugs(29, 9, HERE << "auth state ntlm failed. " << proxy_auth);
225 break;
226 }
227 }
228
229 void
230 AuthNTLMUserRequest::HandleReply(void *data, void *lastserver, char *reply)
231 {
232 authenticateStateData *r = static_cast<authenticateStateData *>(data);
233
234 int valid;
235 char *blob;
236
237 debugs(29, 8, HERE << "helper: '" << lastserver << "' sent us '" << (reply ? reply : "<NULL>") << "'");
238 valid = cbdataReferenceValid(r->data);
239
240 if (!valid) {
241 debugs(29, DBG_IMPORTANT, "ERROR: NTLM Authentication invalid callback data. helper '" << lastserver << "'.");
242 cbdataReferenceDone(r->data);
243 authenticateStateFree(r);
244 return;
245 }
246
247 if (!reply) {
248 debugs(29, DBG_IMPORTANT, "ERROR: NTLM Authentication Helper '" << lastserver << "' crashed!.");
249 reply = (char *)"BH Internal error";
250 }
251
252 AuthUserRequest::Pointer auth_user_request = r->auth_user_request;
253 assert(auth_user_request != NULL);
254
255 AuthNTLMUserRequest *lm_request = dynamic_cast<AuthNTLMUserRequest *>(auth_user_request.getRaw());
256 assert(lm_request != NULL);
257 assert(lm_request->waiting);
258
259 lm_request->waiting = 0;
260 safe_free(lm_request->client_blob);
261
262 assert(auth_user_request->user() != NULL);
263 assert(auth_user_request->user()->auth_type == Auth::AUTH_NTLM);
264
265 if (lm_request->authserver == NULL)
266 lm_request->authserver = static_cast<helper_stateful_server*>(lastserver);
267 else
268 assert(lm_request->authserver == lastserver);
269
270 /* seperate out the useful data */
271 blob = strchr(reply, ' ');
272 if (blob)
273 blob++;
274
275 if (strncasecmp(reply, "TT ", 3) == 0) {
276 /* we have been given a blob to send to the client */
277 safe_free(lm_request->server_blob);
278 lm_request->request->flags.must_keepalive = 1;
279 if (lm_request->request->flags.proxy_keepalive) {
280 lm_request->server_blob = xstrdup(blob);
281 auth_user_request->user()->credentials(Auth::Handshake);
282 auth_user_request->denyMessage("Authentication in progress");
283 debugs(29, 4, HERE << "Need to challenge the client with a server blob '" << blob << "'");
284 } else {
285 auth_user_request->user()->credentials(Auth::Failed);
286 auth_user_request->denyMessage("NTLM authentication requires a persistent connection");
287 }
288 } else if (strncasecmp(reply, "AF ", 3) == 0) {
289 /* we're finished, release the helper */
290 auth_user_request->user()->username(blob);
291 auth_user_request->denyMessage("Login successful");
292 safe_free(lm_request->server_blob);
293 lm_request->releaseAuthServer();
294
295 debugs(29, 4, HERE << "Successfully validated user via NTLM. Username '" << blob << "'");
296 /* connection is authenticated */
297 debugs(29, 4, HERE << "authenticated user " << auth_user_request->user()->username());
298 /* see if this is an existing user with a different proxy_auth
299 * string */
300 AuthUserHashPointer *usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, auth_user_request->user()->username()));
301 Auth::User::Pointer local_auth_user = lm_request->user();
302 while (usernamehash && (usernamehash->user()->auth_type != Auth::AUTH_NTLM ||
303 strcmp(usernamehash->user()->username(), auth_user_request->user()->username()) != 0))
304 usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
305 if (usernamehash) {
306 /* we can't seamlessly recheck the username due to the
307 * challenge-response nature of the protocol.
308 * Just free the temporary auth_user after merging as
309 * much of it new state into the existing one as possible */
310 usernamehash->user()->absorb(local_auth_user);
311 /* from here on we are working with the original cached credentials. */
312 local_auth_user = usernamehash->user();
313 auth_user_request->user(local_auth_user);
314 } else {
315 /* store user in hash's */
316 local_auth_user->addToNameCache();
317 }
318 /* set these to now because this is either a new login from an
319 * existing user or a new user */
320 local_auth_user->expiretime = current_time.tv_sec;
321 auth_user_request->user()->credentials(Auth::Ok);
322 debugs(29, 4, HERE << "Successfully validated user via NTLM. Username '" << blob << "'");
323
324 } else if (strncasecmp(reply, "NA ", 3) == 0) {
325 /* authentication failure (wrong password, etc.) */
326 auth_user_request->denyMessage(blob);
327 auth_user_request->user()->credentials(Auth::Failed);
328 safe_free(lm_request->server_blob);
329 lm_request->releaseAuthServer();
330 debugs(29, 4, HERE << "Failed validating user via NTLM. Error returned '" << blob << "'");
331 } else if (strncasecmp(reply, "BH ", 3) == 0) {
332 /* TODO kick off a refresh process. This can occur after a YR or after
333 * a KK. If after a YR release the helper and resubmit the request via
334 * Authenticate NTLM start.
335 * If after a KK deny the user's request w/ 407 and mark the helper as
336 * Needing YR. */
337 auth_user_request->denyMessage(blob);
338 auth_user_request->user()->credentials(Auth::Failed);
339 safe_free(lm_request->server_blob);
340 lm_request->releaseAuthServer();
341 debugs(29, DBG_IMPORTANT, "ERROR: NTLM Authentication validating user. Error returned '" << reply << "'");
342 } else {
343 /* protocol error */
344 fatalf("authenticateNTLMHandleReply: *** Unsupported helper response ***, '%s'\n", reply);
345 }
346
347 if (lm_request->request) {
348 HTTPMSGUNLOCK(lm_request->request);
349 lm_request->request = NULL;
350 }
351 r->handler(r->data, NULL);
352 cbdataReferenceDone(r->data);
353 authenticateStateFree(r);
354 }
Mirror of https://github.com/squid-cache/squid.git