/*
- * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
#include "squid.h"
#include "AccessLogEntry.h"
+#include "auth/CredentialsCache.h"
#include "auth/negotiate/Config.h"
+#include "auth/negotiate/User.h"
#include "auth/negotiate/UserRequest.h"
#include "auth/State.h"
#include "auth/User.h"
#include "client_side.h"
+#include "fatal.h"
#include "format/Format.h"
#include "globals.h"
#include "helper.h"
#include "helper/Reply.h"
+#include "http/Stream.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "MemBuf.h"
#include "SquidTime.h"
-Auth::Negotiate::UserRequest::UserRequest()
-{
- waiting=0;
- client_blob=0;
- server_blob=0;
- authserver=NULL;
- request=NULL;
-}
+Auth::Negotiate::UserRequest::UserRequest() :
+ server_blob(nullptr),
+ client_blob(nullptr),
+ waiting(0),
+ request(nullptr)
+{}
Auth::Negotiate::UserRequest::~UserRequest()
{
Auth::Negotiate::UserRequest::credentialsStr()
{
static char buf[MAX_AUTHTOKEN_LEN];
+ int printResult = 0;
if (user()->credentials() == Auth::Pending) {
- snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
+ printResult = snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
} else {
- snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
+ printResult = snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
}
+
+ // truncation is OK because we are used only for logging
+ if (printResult < 0) {
+ debugs(29, 2, "Can not build negotiate authentication credentials.");
+ buf[0] = '\0';
+ } else if (printResult >= (int)sizeof(buf))
+ debugs(29, 2, "Negotiate authentication credentials truncated.");
+
return buf;
}
}
void
-Auth::Negotiate::UserRequest::startHelperLookup(HttpRequest *req, AccessLogEntry::Pointer &al, AUTHCB * handler, void *data)
+Auth::Negotiate::UserRequest::startHelperLookup(HttpRequest *, AccessLogEntry::Pointer &al, AUTHCB * handler, void *data)
{
static char buf[MAX_AUTHTOKEN_LEN];
assert(user() != NULL);
assert(user()->auth_type == Auth::AUTH_NEGOTIATE);
- if (static_cast<Auth::Negotiate::Config*>(Auth::Config::Find("negotiate"))->authenticateProgram == NULL) {
+ if (static_cast<Auth::Negotiate::Config*>(Auth::SchemeConfig::Find("negotiate"))->authenticateProgram == NULL) {
debugs(29, DBG_CRITICAL, "ERROR: No Negotiate authentication program configured.");
handler(data);
return;
debugs(29, 8, HERE << "credentials state is '" << user()->credentials() << "'");
const char *keyExtras = helperRequestKeyExtras(request, al);
+ int printResult = 0;
if (user()->credentials() == Auth::Pending) {
if (keyExtras)
- snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras);
+ printResult = snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras);
else
- snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
+ printResult = snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
} else {
if (keyExtras)
- snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras);
+ printResult = snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras);
else
- snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
+ printResult = snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
+ }
+
+ if (printResult < 0 || printResult >= (int)sizeof(buf)) {
+ if (printResult < 0)
+ debugs(29, DBG_CRITICAL, "ERROR: Can not build negotiate authentication helper request");
+ else
+ debugs(29, DBG_CRITICAL, "ERROR: Negotiate authentication helper request too big for the " << sizeof(buf) << "-byte buffer");
+ handler(data);
+ return;
}
waiting = 1;
safe_free(client_blob);
helperStatefulSubmit(negotiateauthenticators, buf, Auth::Negotiate::UserRequest::HandleReply,
- new Auth::StateData(this, handler, data), authserver);
+ new Auth::StateData(this, handler, data), reservationId);
}
/**
void
Auth::Negotiate::UserRequest::releaseAuthServer()
{
- if (authserver) {
- debugs(29, 6, HERE << "releasing Negotiate auth server '" << authserver << "'");
- helperStatefulReleaseServer(authserver);
- authserver = NULL;
+ if (reservationId) {
+ debugs(29, 6, reservationId);
+ negotiateauthenticators->cancelReservation(reservationId);
+ reservationId.clear();
} else
debugs(29, 6, HERE << "No Negotiate auth server to release.");
}
void
-Auth::Negotiate::UserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, http_hdr_type type)
+Auth::Negotiate::UserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, Http::HdrType type)
{
- assert(this);
-
/* Check that we are in the client side, where we can generate
* auth challenges */
{
Auth::StateData *r = static_cast<Auth::StateData *>(data);
- debugs(29, 8, HERE << "helper: '" << reply.whichServer << "' sent us reply=" << reply);
+ debugs(29, 8, reply.reservationId << " got reply=" << reply);
if (!cbdataReferenceValid(r->data)) {
- debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication invalid callback data. helper '" << reply.whichServer << "'.");
+ debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication invalid callback data (" << reply.reservationId << ")");
delete r;
return;
}
// add new helper kv-pair notes to the credentials object
// so that any transaction using those credentials can access them
- auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+ static const NotePairs::Names appendables = { SBuf("group"), SBuf("tag") };
+ auth_user_request->user()->notes.replaceOrAddOrAppend(&reply.notes, appendables);
+ // remove any private credentials detail which got added.
+ auth_user_request->user()->notes.remove("token");
Auth::Negotiate::UserRequest *lm_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
assert(lm_request != NULL);
assert(auth_user_request->user() != NULL);
assert(auth_user_request->user()->auth_type == Auth::AUTH_NEGOTIATE);
- if (lm_request->authserver == NULL)
- lm_request->authserver = reply.whichServer.get(); // XXX: no locking?
+ if (!lm_request->reservationId)
+ lm_request->reservationId = reply.reservationId;
else
- assert(reply.whichServer == lm_request->authserver);
+ assert(reply.reservationId == lm_request->reservationId);
switch (reply.result) {
case Helper::TT:
const char *tokenNote = reply.notes.findFirst("token");
lm_request->server_blob = xstrdup(tokenNote);
auth_user_request->user()->credentials(Auth::Handshake);
- auth_user_request->denyMessage("Authentication in progress");
+ auth_user_request->setDenyMessage("Authentication in progress");
debugs(29, 4, HERE << "Need to challenge the client with a server token: '" << tokenNote << "'");
} else {
auth_user_request->user()->credentials(Auth::Failed);
- auth_user_request->denyMessage("Negotiate authentication requires a persistent connection");
+ auth_user_request->setDenyMessage("Negotiate authentication requires a persistent connection");
}
break;
/* we're finished, release the helper */
auth_user_request->user()->username(userNote);
- auth_user_request->denyMessage("Login successful");
+ auth_user_request->setDenyMessage("Login successful");
safe_free(lm_request->server_blob);
lm_request->server_blob = xstrdup(tokenNote);
lm_request->releaseAuthServer();
/* connection is authenticated */
debugs(29, 4, HERE << "authenticated user " << auth_user_request->user()->username());
- /* see if this is an existing user with a different proxy_auth
- * string */
- AuthUserHashPointer *usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, auth_user_request->user()->userKey()));
- Auth::User::Pointer local_auth_user = lm_request->user();
- while (usernamehash && (usernamehash->user()->auth_type != Auth::AUTH_NEGOTIATE ||
- strcmp(usernamehash->user()->userKey(), auth_user_request->user()->userKey()) != 0))
- usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
- if (usernamehash) {
+ auto local_auth_user = lm_request->user();
+ auto cached_user = Auth::Negotiate::User::Cache()->lookup(auth_user_request->user()->userKey());
+ if (!cached_user) {
+ local_auth_user->addToNameCache();
+ } else {
/* we can't seamlessly recheck the username due to the
* challenge-response nature of the protocol.
* Just free the temporary auth_user after merging as
* much of it new state into the existing one as possible */
- usernamehash->user()->absorb(local_auth_user);
+ cached_user->absorb(local_auth_user);
/* from here on we are working with the original cached credentials. */
- local_auth_user = usernamehash->user();
+ local_auth_user = cached_user;
auth_user_request->user(local_auth_user);
- } else {
- /* store user in hash's */
- local_auth_user->addToNameCache();
}
/* set these to now because this is either a new login from an
* existing user or a new user */
}
break;
- case Helper::Error: {
- const char *messageNote = reply.notes.find("message");
- const char *tokenNote = reply.notes.findFirst("token");
-
+ case Helper::Error:
/* authentication failure (wrong password, etc.) */
- if (messageNote != NULL)
- auth_user_request->denyMessage(messageNote);
- else
- auth_user_request->denyMessage("Negotiate Authentication denied with no reason given");
+ auth_user_request->denyMessageFromHelper("Negotiate", reply);
auth_user_request->user()->credentials(Auth::Failed);
safe_free(lm_request->server_blob);
- if (tokenNote != NULL)
+ if (const char *tokenNote = reply.notes.findFirst("token"))
lm_request->server_blob = xstrdup(tokenNote);
lm_request->releaseAuthServer();
debugs(29, 4, "Failed validating user via Negotiate. Result: " << reply);
- }
- break;
+ break;
case Helper::Unknown:
- debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication Helper '" << reply.whichServer << "' crashed!.");
- /* continue to the next case */
+ debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication Helper crashed (" << reply.reservationId << ")");
+ /* continue to the next case */
- case Helper::BrokenHelper: {
+ case Helper::TimedOut:
+ case Helper::BrokenHelper:
/* TODO kick off a refresh process. This can occur after a YR or after
* a KK. If after a YR release the helper and resubmit the request via
* Authenticate Negotiate start.
* If after a KK deny the user's request w/ 407 and mark the helper as
* Needing YR. */
- const char *errNote = reply.notes.find("message");
if (reply.result == Helper::Unknown)
- auth_user_request->denyMessage("Internal Error");
- else if (errNote != NULL)
- auth_user_request->denyMessage(errNote);
+ auth_user_request->setDenyMessage("Internal Error");
else
- auth_user_request->denyMessage("Negotiate Authentication failed with no reason given");
+ auth_user_request->denyMessageFromHelper("Negotiate", reply);
auth_user_request->user()->credentials(Auth::Failed);
safe_free(lm_request->server_blob);
lm_request->releaseAuthServer();
debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication validating user. Result: " << reply);
- } // break;
+ break;
}
if (lm_request->request) {
delete r;
}
-void
-Auth::Negotiate::UserRequest::addAuthenticationInfoHeader(HttpReply * rep, int accel)
-{
- http_hdr_type type;
-
- if (!server_blob)
- return;
-
- /* don't add to authentication error pages */
- if ((!accel && rep->sline.status() == Http::scProxyAuthenticationRequired)
- || (accel && rep->sline.status() == Http::scUnauthorized))
- return;
-
- type = accel ? HDR_AUTHENTICATION_INFO : HDR_PROXY_AUTHENTICATION_INFO;
- httpHeaderPutStrf(&rep->header, type, "Negotiate %s", server_blob);
-
- safe_free(server_blob);
-}
projects / thirdparty / squid.git / blobdiff