/*
- * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
#include "squid.h"
#include "AccessLogEntry.h"
+#include "auth/CredentialsCache.h"
#include "auth/negotiate/Config.h"
#include "auth/negotiate/User.h"
#include "auth/negotiate/UserRequest.h"
#include "auth/State.h"
#include "auth/User.h"
-#include "auth/UserNameCache.h"
#include "client_side.h"
#include "fatal.h"
#include "format/Format.h"
#include "globals.h"
#include "helper.h"
#include "helper/Reply.h"
+#include "http/Stream.h"
#include "HttpHeaderTools.h"
#include "HttpReply.h"
#include "HttpRequest.h"
#include "SquidTime.h"
Auth::Negotiate::UserRequest::UserRequest() :
- authserver(nullptr),
server_blob(nullptr),
client_blob(nullptr),
waiting(0),
assert(user() != NULL);
assert(user()->auth_type == Auth::AUTH_NEGOTIATE);
- if (static_cast<Auth::Negotiate::Config*>(Auth::Config::Find("negotiate"))->authenticateProgram == NULL) {
+ if (static_cast<Auth::Negotiate::Config*>(Auth::SchemeConfig::Find("negotiate"))->authenticateProgram == NULL) {
debugs(29, DBG_CRITICAL, "ERROR: No Negotiate authentication program configured.");
handler(data);
return;
safe_free(client_blob);
helperStatefulSubmit(negotiateauthenticators, buf, Auth::Negotiate::UserRequest::HandleReply,
- new Auth::StateData(this, handler, data), authserver);
+ new Auth::StateData(this, handler, data), reservationId);
}
/**
void
Auth::Negotiate::UserRequest::releaseAuthServer()
{
- if (authserver) {
- debugs(29, 6, HERE << "releasing Negotiate auth server '" << authserver << "'");
- helperStatefulReleaseServer(authserver);
- authserver = NULL;
+ if (reservationId) {
+ debugs(29, 6, reservationId);
+ negotiateauthenticators->cancelReservation(reservationId);
+ reservationId.clear();
} else
debugs(29, 6, HERE << "No Negotiate auth server to release.");
}
{
Auth::StateData *r = static_cast<Auth::StateData *>(data);
- debugs(29, 8, HERE << "helper: '" << reply.whichServer << "' sent us reply=" << reply);
+ debugs(29, 8, reply.reservationId << " got reply=" << reply);
if (!cbdataReferenceValid(r->data)) {
- debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication invalid callback data. helper '" << reply.whichServer << "'.");
+ debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication invalid callback data (" << reply.reservationId << ")");
delete r;
return;
}
// add new helper kv-pair notes to the credentials object
// so that any transaction using those credentials can access them
- auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+ static const NotePairs::Names appendables = { SBuf("group"), SBuf("tag") };
+ auth_user_request->user()->notes.replaceOrAddOrAppend(&reply.notes, appendables);
// remove any private credentials detail which got added.
auth_user_request->user()->notes.remove("token");
assert(auth_user_request->user() != NULL);
assert(auth_user_request->user()->auth_type == Auth::AUTH_NEGOTIATE);
- if (lm_request->authserver == NULL)
- lm_request->authserver = reply.whichServer.get(); // XXX: no locking?
+ if (!lm_request->reservationId)
+ lm_request->reservationId = reply.reservationId;
else
- assert(reply.whichServer == lm_request->authserver);
+ assert(reply.reservationId == lm_request->reservationId);
switch (reply.result) {
case Helper::TT:
const char *tokenNote = reply.notes.findFirst("token");
lm_request->server_blob = xstrdup(tokenNote);
auth_user_request->user()->credentials(Auth::Handshake);
- auth_user_request->denyMessage("Authentication in progress");
+ auth_user_request->setDenyMessage("Authentication in progress");
debugs(29, 4, HERE << "Need to challenge the client with a server token: '" << tokenNote << "'");
} else {
auth_user_request->user()->credentials(Auth::Failed);
- auth_user_request->denyMessage("Negotiate authentication requires a persistent connection");
+ auth_user_request->setDenyMessage("Negotiate authentication requires a persistent connection");
}
break;
/* we're finished, release the helper */
auth_user_request->user()->username(userNote);
- auth_user_request->denyMessage("Login successful");
+ auth_user_request->setDenyMessage("Login successful");
safe_free(lm_request->server_blob);
lm_request->server_blob = xstrdup(tokenNote);
lm_request->releaseAuthServer();
}
break;
- case Helper::Error: {
- const char *messageNote = reply.notes.find("message");
- const char *tokenNote = reply.notes.findFirst("token");
-
+ case Helper::Error:
/* authentication failure (wrong password, etc.) */
- if (messageNote != NULL)
- auth_user_request->denyMessage(messageNote);
- else
- auth_user_request->denyMessage("Negotiate Authentication denied with no reason given");
+ auth_user_request->denyMessageFromHelper("Negotiate", reply);
auth_user_request->user()->credentials(Auth::Failed);
safe_free(lm_request->server_blob);
- if (tokenNote != NULL)
+ if (const char *tokenNote = reply.notes.findFirst("token"))
lm_request->server_blob = xstrdup(tokenNote);
lm_request->releaseAuthServer();
debugs(29, 4, "Failed validating user via Negotiate. Result: " << reply);
- }
- break;
+ break;
case Helper::Unknown:
- debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication Helper '" << reply.whichServer << "' crashed!.");
+ debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication Helper crashed (" << reply.reservationId << ")");
/* continue to the next case */
case Helper::TimedOut:
- case Helper::BrokenHelper: {
+ case Helper::BrokenHelper:
/* TODO kick off a refresh process. This can occur after a YR or after
* a KK. If after a YR release the helper and resubmit the request via
* Authenticate Negotiate start.
* If after a KK deny the user's request w/ 407 and mark the helper as
* Needing YR. */
- const char *errNote = reply.notes.find("message");
if (reply.result == Helper::Unknown)
- auth_user_request->denyMessage("Internal Error");
- else if (errNote != NULL)
- auth_user_request->denyMessage(errNote);
+ auth_user_request->setDenyMessage("Internal Error");
else
- auth_user_request->denyMessage("Negotiate Authentication failed with no reason given");
+ auth_user_request->denyMessageFromHelper("Negotiate", reply);
auth_user_request->user()->credentials(Auth::Failed);
safe_free(lm_request->server_blob);
lm_request->releaseAuthServer();
debugs(29, DBG_IMPORTANT, "ERROR: Negotiate Authentication validating user. Result: " << reply);
- } // break;
+ break;
}
if (lm_request->request) {