]> git.ipfire.org Git - thirdparty/squid.git/blob - src/auth/ntlm/auth_ntlm.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SourceLayout: shuffle helper protocol primitives to helper/libhelper.la
[thirdparty/squid.git] / src / auth / ntlm / auth_ntlm.cc
1 /*
2 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 29 NTLM Authenticator */
10
11 /* The functions in this file handle authentication.
12 * They DO NOT perform access control or auditing.
13 * See acl.c for access control and client_side.c for auditing */
14
15 #include "squid.h"
16 #include "auth/Gadgets.h"
17 #include "auth/ntlm/auth_ntlm.h"
18 #include "auth/ntlm/Scheme.h"
19 #include "auth/ntlm/User.h"
20 #include "auth/ntlm/UserRequest.h"
21 #include "auth/State.h"
22 #include "cache_cf.h"
23 #include "client_side.h"
24 #include "helper.h"
25 #include "HttpHeaderTools.h"
26 #include "HttpReply.h"
27 #include "HttpRequest.h"
28 #include "mgr/Registration.h"
29 #include "SquidTime.h"
30 #include "Store.h"
31 #include "wordlist.h"
32
33 /* NTLM Scheme */
34 static AUTHSSTATS authenticateNTLMStats;
35
36 statefulhelper *ntlmauthenticators = NULL;
37 static int authntlm_initialised = 0;
38
39 static hash_table *proxy_auth_cache = NULL;
40
41 /*
42 *
43 * Private Functions
44 *
45 */
46
47 void
48 Auth::Ntlm::Config::rotateHelpers()
49 {
50 /* schedule closure of existing helpers */
51 if (ntlmauthenticators) {
52 helperStatefulShutdown(ntlmauthenticators);
53 }
54
55 /* NP: dynamic helper restart will ensure they start up again as needed. */
56 }
57
58 /* free any allocated configuration details */
59 void
60 Auth::Ntlm::Config::done()
61 {
62 Auth::Config::done();
63
64 authntlm_initialised = 0;
65
66 if (ntlmauthenticators) {
67 helperStatefulShutdown(ntlmauthenticators);
68 }
69
70 if (!shutting_down)
71 return;
72
73 delete ntlmauthenticators;
74 ntlmauthenticators = NULL;
75
76 if (authenticateProgram)
77 wordlistDestroy(&authenticateProgram);
78
79 debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
80 }
81
82 bool
83 Auth::Ntlm::Config::dump(StoreEntry * entry, const char *name, Auth::Config * scheme) const
84 {
85 if (!Auth::Config::dump(entry, name, scheme))
86 return false;
87
88 storeAppendPrintf(entry, "%s ntlm keep_alive %s\n", name, keep_alive ? "on" : "off");
89 return true;
90 }
91
92 Auth::Ntlm::Config::Config() : keep_alive(1)
93 { }
94
95 void
96 Auth::Ntlm::Config::parse(Auth::Config * scheme, int n_configured, char *param_str)
97 {
98 if (strcmp(param_str, "program") == 0) {
99 if (authenticateProgram)
100 wordlistDestroy(&authenticateProgram);
101
102 parse_wordlist(&authenticateProgram);
103
104 requirePathnameExists("auth_param ntlm program", authenticateProgram->key);
105 } else if (strcmp(param_str, "keep_alive") == 0) {
106 parse_onoff(&keep_alive);
107 } else
108 Auth::Config::parse(scheme, n_configured, param_str);
109 }
110
111 const char *
112 Auth::Ntlm::Config::type() const
113 {
114 return Auth::Ntlm::Scheme::GetInstance()->type();
115 }
116
117 /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
118 * config file */
119 void
120 Auth::Ntlm::Config::init(Auth::Config * scheme)
121 {
122 if (authenticateProgram) {
123
124 authntlm_initialised = 1;
125
126 if (ntlmauthenticators == NULL)
127 ntlmauthenticators = new statefulhelper("ntlmauthenticator");
128
129 if (!proxy_auth_cache)
130 proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
131
132 assert(proxy_auth_cache);
133
134 ntlmauthenticators->cmdline = authenticateProgram;
135
136 ntlmauthenticators->childs.updateLimits(authenticateChildren);
137
138 ntlmauthenticators->ipc_type = IPC_STREAM;
139
140 helperStatefulOpenServers(ntlmauthenticators);
141 }
142 }
143
144 void
145 Auth::Ntlm::Config::registerWithCacheManager(void)
146 {
147 Mgr::RegisterAction("ntlmauthenticator",
148 "NTLM User Authenticator Stats",
149 authenticateNTLMStats, 0, 1);
150 }
151
152 bool
153 Auth::Ntlm::Config::active() const
154 {
155 return authntlm_initialised == 1;
156 }
157
158 bool
159 Auth::Ntlm::Config::configured() const
160 {
161 if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
162 debugs(29, 9, HERE << "returning configured");
163 return true;
164 }
165
166 debugs(29, 9, HERE << "returning unconfigured");
167 return false;
168 }
169
170 /* NTLM Scheme */
171
172 void
173 Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, http_hdr_type hdrType, HttpRequest * request)
174 {
175 if (!authenticateProgram)
176 return;
177
178 /* Need keep-alive */
179 if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
180 return;
181
182 /* New request, no user details */
183 if (auth_user_request == NULL) {
184 debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
185 httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
186
187 if (!keep_alive) {
188 /* drop the connection */
189 request->flags.proxyKeepalive = false;
190 }
191 } else {
192 Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
193 assert(ntlm_request != NULL);
194
195 switch (ntlm_request->user()->credentials()) {
196
197 case Auth::Failed:
198 /* here it makes sense to drop the connection, as auth is
199 * tied to it, even if MAYBE the client could handle it - Kinkie */
200 request->flags.proxyKeepalive = false;
201 /* fall through */
202
203 case Auth::Ok:
204 /* Special case: authentication finished OK but disallowed by ACL.
205 * Need to start over to give the client another chance.
206 */
207 /* fall through */
208
209 case Auth::Unchecked:
210 /* semantic change: do not drop the connection.
211 * 2.5 implementation used to keep it open - Kinkie */
212 debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
213 httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
214 break;
215
216 case Auth::Handshake:
217 /* we're waiting for a response from the client. Pass it the blob */
218 debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
219 httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
220 safe_free(ntlm_request->server_blob);
221 break;
222
223 default:
224 debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
225 fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
226 }
227 }
228 }
229
230 static void
231 authenticateNTLMStats(StoreEntry * sentry)
232 {
233 helperStatefulStats(sentry, ntlmauthenticators, "NTLM Authenticator Statistics");
234 }
235
236 /*
237 * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
238 * Auth_user structure.
239 */
240 Auth::UserRequest::Pointer
241 Auth::Ntlm::Config::decode(char const *proxy_auth, const char *aRequestRealm)
242 {
243 Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm);
244 Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
245 assert(auth_user_request->user() == NULL);
246
247 auth_user_request->user(newUser);
248 auth_user_request->user()->auth_type = Auth::AUTH_NTLM;
249
250 /* all we have to do is identify that it's NTLM - the helper does the rest */
251 debugs(29, 9, HERE << "decode: NTLM authentication");
252 return auth_user_request;
253 }
Mirror of https://github.com/squid-cache/squid.git