2 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
9 /* DEBUG: section 29 NTLM Authenticator */
11 /* The functions in this file handle authentication.
12 * They DO NOT perform access control or auditing.
13 * See acl.c for access control and client_side.c for auditing */
16 #include "auth/Gadgets.h"
17 #include "auth/ntlm/auth_ntlm.h"
18 #include "auth/ntlm/Scheme.h"
19 #include "auth/ntlm/User.h"
20 #include "auth/ntlm/UserRequest.h"
21 #include "auth/State.h"
23 #include "client_side.h"
25 #include "HttpHeaderTools.h"
26 #include "HttpReply.h"
27 #include "HttpRequest.h"
28 #include "mgr/Registration.h"
29 #include "SquidTime.h"
34 static AUTHSSTATS authenticateNTLMStats
;
36 statefulhelper
*ntlmauthenticators
= NULL
;
37 static int authntlm_initialised
= 0;
39 static hash_table
*proxy_auth_cache
= NULL
;
48 Auth::Ntlm::Config::rotateHelpers()
50 /* schedule closure of existing helpers */
51 if (ntlmauthenticators
) {
52 helperStatefulShutdown(ntlmauthenticators
);
55 /* NP: dynamic helper restart will ensure they start up again as needed. */
58 /* free any allocated configuration details */
60 Auth::Ntlm::Config::done()
64 authntlm_initialised
= 0;
66 if (ntlmauthenticators
) {
67 helperStatefulShutdown(ntlmauthenticators
);
73 delete ntlmauthenticators
;
74 ntlmauthenticators
= NULL
;
76 if (authenticateProgram
)
77 wordlistDestroy(&authenticateProgram
);
79 debugs(29, DBG_IMPORTANT
, "Reconfigure: NTLM authentication configuration cleared.");
83 Auth::Ntlm::Config::dump(StoreEntry
* entry
, const char *name
, Auth::Config
* scheme
) const
85 if (!Auth::Config::dump(entry
, name
, scheme
))
88 storeAppendPrintf(entry
, "%s ntlm keep_alive %s\n", name
, keep_alive
? "on" : "off");
92 Auth::Ntlm::Config::Config() : keep_alive(1)
96 Auth::Ntlm::Config::parse(Auth::Config
* scheme
, int n_configured
, char *param_str
)
98 if (strcmp(param_str
, "program") == 0) {
99 if (authenticateProgram
)
100 wordlistDestroy(&authenticateProgram
);
102 parse_wordlist(&authenticateProgram
);
104 requirePathnameExists("auth_param ntlm program", authenticateProgram
->key
);
105 } else if (strcmp(param_str
, "keep_alive") == 0) {
106 parse_onoff(&keep_alive
);
108 Auth::Config::parse(scheme
, n_configured
, param_str
);
112 Auth::Ntlm::Config::type() const
114 return Auth::Ntlm::Scheme::GetInstance()->type();
117 /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
120 Auth::Ntlm::Config::init(Auth::Config
* scheme
)
122 if (authenticateProgram
) {
124 authntlm_initialised
= 1;
126 if (ntlmauthenticators
== NULL
)
127 ntlmauthenticators
= new statefulhelper("ntlmauthenticator");
129 if (!proxy_auth_cache
)
130 proxy_auth_cache
= hash_create((HASHCMP
*) strcmp
, 7921, hash_string
);
132 assert(proxy_auth_cache
);
134 ntlmauthenticators
->cmdline
= authenticateProgram
;
136 ntlmauthenticators
->childs
.updateLimits(authenticateChildren
);
138 ntlmauthenticators
->ipc_type
= IPC_STREAM
;
140 helperStatefulOpenServers(ntlmauthenticators
);
145 Auth::Ntlm::Config::registerWithCacheManager(void)
147 Mgr::RegisterAction("ntlmauthenticator",
148 "NTLM User Authenticator Stats",
149 authenticateNTLMStats
, 0, 1);
153 Auth::Ntlm::Config::active() const
155 return authntlm_initialised
== 1;
159 Auth::Ntlm::Config::configured() const
161 if ((authenticateProgram
!= NULL
) && (authenticateChildren
.n_max
!= 0)) {
162 debugs(29, 9, HERE
<< "returning configured");
166 debugs(29, 9, HERE
<< "returning unconfigured");
173 Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request
, HttpReply
*rep
, http_hdr_type hdrType
, HttpRequest
* request
)
175 if (!authenticateProgram
)
178 /* Need keep-alive */
179 if (!request
->flags
.proxyKeepalive
&& request
->flags
.mustKeepalive
)
182 /* New request, no user details */
183 if (auth_user_request
== NULL
) {
184 debugs(29, 9, HERE
<< "Sending type:" << hdrType
<< " header: 'NTLM'");
185 httpHeaderPutStrf(&rep
->header
, hdrType
, "NTLM");
188 /* drop the connection */
189 request
->flags
.proxyKeepalive
= false;
192 Auth::Ntlm::UserRequest
*ntlm_request
= dynamic_cast<Auth::Ntlm::UserRequest
*>(auth_user_request
.getRaw());
193 assert(ntlm_request
!= NULL
);
195 switch (ntlm_request
->user()->credentials()) {
198 /* here it makes sense to drop the connection, as auth is
199 * tied to it, even if MAYBE the client could handle it - Kinkie */
200 request
->flags
.proxyKeepalive
= false;
204 /* Special case: authentication finished OK but disallowed by ACL.
205 * Need to start over to give the client another chance.
209 case Auth::Unchecked
:
210 /* semantic change: do not drop the connection.
211 * 2.5 implementation used to keep it open - Kinkie */
212 debugs(29, 9, HERE
<< "Sending type:" << hdrType
<< " header: 'NTLM'");
213 httpHeaderPutStrf(&rep
->header
, hdrType
, "NTLM");
216 case Auth::Handshake
:
217 /* we're waiting for a response from the client. Pass it the blob */
218 debugs(29, 9, HERE
<< "Sending type:" << hdrType
<< " header: 'NTLM " << ntlm_request
->server_blob
<< "'");
219 httpHeaderPutStrf(&rep
->header
, hdrType
, "NTLM %s", ntlm_request
->server_blob
);
220 safe_free(ntlm_request
->server_blob
);
224 debugs(29, DBG_CRITICAL
, "NTLM Auth fixHeader: state " << ntlm_request
->user()->credentials() << ".");
225 fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
231 authenticateNTLMStats(StoreEntry
* sentry
)
233 helperStatefulStats(sentry
, ntlmauthenticators
, "NTLM Authenticator Statistics");
237 * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
238 * Auth_user structure.
240 Auth::UserRequest::Pointer
241 Auth::Ntlm::Config::decode(char const *proxy_auth
, const char *aRequestRealm
)
243 Auth::Ntlm::User
*newUser
= new Auth::Ntlm::User(Auth::Config::Find("ntlm"), aRequestRealm
);
244 Auth::UserRequest::Pointer auth_user_request
= new Auth::Ntlm::UserRequest();
245 assert(auth_user_request
->user() == NULL
);
247 auth_user_request
->user(newUser
);
248 auth_user_request
->user()->auth_type
= Auth::AUTH_NTLM
;
250 /* all we have to do is identify that it's NTLM - the helper does the rest */
251 debugs(29, 9, HERE
<< "decode: NTLM authentication");
252 return auth_user_request
;