/*
- * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
+ * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
#include "squid.h"
#include "AccessLogEntry.h"
-#include "auth/ntlm/auth_ntlm.h"
+#include "auth/CredentialsCache.h"
+#include "auth/ntlm/Config.h"
+#include "auth/ntlm/User.h"
#include "auth/ntlm/UserRequest.h"
#include "auth/State.h"
#include "cbdata.h"
#include "client_side.h"
+#include "fatal.h"
#include "format/Format.h"
#include "globals.h"
+#include "helper.h"
+#include "helper/Reply.h"
+#include "http/Stream.h"
#include "HttpMsg.h"
#include "HttpRequest.h"
#include "MemBuf.h"
#include "SquidTime.h"
-Auth::Ntlm::UserRequest::UserRequest()
-{
- waiting=0;
- client_blob=0;
- server_blob=0;
- authserver=NULL;
- request=NULL;
-}
+Auth::Ntlm::UserRequest::UserRequest() :
+ authserver(nullptr),
+ server_blob(nullptr),
+ client_blob(nullptr),
+ waiting(0),
+ request(nullptr)
+{}
Auth::Ntlm::UserRequest::~UserRequest()
{
Auth::Ntlm::UserRequest::credentialsStr()
{
static char buf[MAX_AUTHTOKEN_LEN];
+ int printResult;
if (user()->credentials() == Auth::Pending) {
- snprintf(buf, sizeof(buf), "YR %s\n", client_blob);
+ printResult = snprintf(buf, sizeof(buf), "YR %s\n", client_blob);
} else {
- snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
+ printResult = snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
}
+
+ // truncation is OK because we are used only for logging
+ if (printResult < 0) {
+ debugs(29, 2, "Can not build ntlm authentication credentials.");
+ buf[0] = '\0';
+ } else if (printResult >= (int)sizeof(buf))
+ debugs(29, 2, "Ntlm authentication credentials truncated.");
+
return buf;
}
}
void
-Auth::Ntlm::UserRequest::startHelperLookup(HttpRequest *req, AccessLogEntry::Pointer &al, AUTHCB * handler, void *data)
+Auth::Ntlm::UserRequest::startHelperLookup(HttpRequest *, AccessLogEntry::Pointer &al, AUTHCB * handler, void *data)
{
static char buf[MAX_AUTHTOKEN_LEN];
assert(data);
assert(handler);
- if (static_cast<Auth::Ntlm::Config*>(Auth::Config::Find("ntlm"))->authenticateProgram == NULL) {
+ if (static_cast<Auth::Ntlm::Config*>(Auth::SchemeConfig::Find("ntlm"))->authenticateProgram == NULL) {
debugs(29, DBG_CRITICAL, "ERROR: NTLM Start: no NTLM program configured.");
handler(data);
return;
debugs(29, 8, HERE << "credentials state is '" << user()->credentials() << "'");
const char *keyExtras = helperRequestKeyExtras(request, al);
+ int printResult = 0;
if (user()->credentials() == Auth::Pending) {
if (keyExtras)
- snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras);
+ printResult = snprintf(buf, sizeof(buf), "YR %s %s\n", client_blob, keyExtras);
else
- snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
+ printResult = snprintf(buf, sizeof(buf), "YR %s\n", client_blob); //CHECKME: can ever client_blob be 0 here?
} else {
if (keyExtras)
- snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras);
+ printResult = snprintf(buf, sizeof(buf), "KK %s %s\n", client_blob, keyExtras);
else
- snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
+ printResult = snprintf(buf, sizeof(buf), "KK %s\n", client_blob);
}
waiting = 1;
+ if (printResult < 0 || printResult >= (int)sizeof(buf)) {
+ if (printResult < 0)
+ debugs(29, DBG_CRITICAL, "ERROR: Can not build ntlm authentication helper request");
+ else
+ debugs(29, DBG_CRITICAL, "ERROR: Ntlm authentication helper request too big for the " << sizeof(buf) << "-byte buffer.");
+ handler(data);
+ return;
+ }
+
safe_free(client_blob);
helperStatefulSubmit(ntlmauthenticators, buf, Auth::Ntlm::UserRequest::HandleReply,
new Auth::StateData(this, handler, data), authserver);
}
void
-Auth::Ntlm::UserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, http_hdr_type type)
+Auth::Ntlm::UserRequest::authenticate(HttpRequest * aRequest, ConnStateData * conn, Http::HdrType type)
{
- assert(this);
-
/* Check that we are in the client side, where we can generate
* auth challenges */
}
void
-Auth::Ntlm::UserRequest::HandleReply(void *data, const HelperReply &reply)
+Auth::Ntlm::UserRequest::HandleReply(void *data, const Helper::Reply &reply)
{
Auth::StateData *r = static_cast<Auth::StateData *>(data);
// add new helper kv-pair notes to the credentials object
// so that any transaction using those credentials can access them
auth_user_request->user()->notes.appendNewOnly(&reply.notes);
+ // remove any private credentials detail which got added.
+ auth_user_request->user()->notes.remove("token");
Auth::Ntlm::UserRequest *lm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
assert(lm_request != NULL);
assert(reply.whichServer == lm_request->authserver);
switch (reply.result) {
- case HelperReply::TT:
+ case Helper::TT:
/* we have been given a blob to send to the client */
safe_free(lm_request->server_blob);
lm_request->request->flags.mustKeepalive = true;
}
break;
- case HelperReply::Okay: {
+ case Helper::Okay: {
/* we're finished, release the helper */
const char *userLabel = reply.notes.findFirst("user");
if (!userLabel) {
debugs(29, 4, HERE << "Successfully validated user via NTLM. Username '" << userLabel << "'");
/* connection is authenticated */
debugs(29, 4, HERE << "authenticated user " << auth_user_request->user()->username());
- /* see if this is an existing user with a different proxy_auth
- * string */
- AuthUserHashPointer *usernamehash = static_cast<AuthUserHashPointer *>(hash_lookup(proxy_auth_username_cache, auth_user_request->user()->userKey()));
- Auth::User::Pointer local_auth_user = lm_request->user();
- while (usernamehash && (usernamehash->user()->auth_type != Auth::AUTH_NTLM ||
- strcmp(usernamehash->user()->userKey(), auth_user_request->user()->userKey()) != 0))
- usernamehash = static_cast<AuthUserHashPointer *>(usernamehash->next);
- if (usernamehash) {
+ /* see if this is an existing user */
+ auto local_auth_user = lm_request->user();
+ auto cached_user = Auth::Ntlm::User::Cache()->lookup(auth_user_request->user()->userKey());
+ if (!cached_user) {
+ local_auth_user->addToNameCache();
+ } else {
/* we can't seamlessly recheck the username due to the
* challenge-response nature of the protocol.
* Just free the temporary auth_user after merging as
* much of it new state into the existing one as possible */
- usernamehash->user()->absorb(local_auth_user);
+ cached_user->absorb(local_auth_user);
/* from here on we are working with the original cached credentials. */
- local_auth_user = usernamehash->user();
+ local_auth_user = cached_user;
auth_user_request->user(local_auth_user);
- } else {
- /* store user in hash's */
- local_auth_user->addToNameCache();
}
/* set these to now because this is either a new login from an
* existing user or a new user */
}
break;
- case HelperReply::Error: {
+ case Helper::Error: {
/* authentication failure (wrong password, etc.) */
const char *errNote = reply.notes.find("message");
if (errNote != NULL)
}
break;
- case HelperReply::Unknown:
+ case Helper::Unknown:
debugs(29, DBG_IMPORTANT, "ERROR: NTLM Authentication Helper '" << reply.whichServer << "' crashed!.");
- /* continue to the next case */
+ /* continue to the next case */
- case HelperReply::BrokenHelper: {
+ case Helper::TimedOut:
+ case Helper::BrokenHelper: {
/* TODO kick off a refresh process. This can occur after a YR or after
* a KK. If after a YR release the helper and resubmit the request via
* Authenticate NTLM start.
* If after a KK deny the user's request w/ 407 and mark the helper as
* Needing YR. */
const char *errNote = reply.notes.find("message");
- if (reply.result == HelperReply::Unknown)
+ if (reply.result == Helper::Unknown)
auth_user_request->denyMessage("Internal Error");
else if (errNote != NULL)
auth_user_request->denyMessage(errNote);
r->handler(r->data);
delete r;
}
+