[thirdparty/cups.git] / cups / auth.c

/*
 * "$Id: auth.c 5961 2006-09-16 19:08:36Z mike $"
 *
 *   Authentication functions for the Common UNIX Printing System (CUPS).
 *
 *   Copyright 1997-2006 by Easy Software Products.
 *
 *   These coded instructions, statements, and computer programs are the
 *   property of Easy Software Products and are protected by Federal
 *   copyright law.  Distribution and use rights are outlined in the file
 *   "LICENSE.txt" which should have been included with this file.  If this
 *   file is missing or damaged please contact Easy Software Products
 *   at:
 *
 *       Attn: CUPS Licensing Information
 *       Easy Software Products
 *       44141 Airport View Drive, Suite 204
 *       Hollywood, Maryland 20636 USA
 *
 *       Voice: (301) 373-9600
 *       EMail: cups-info@cups.org
 *         WWW: http://www.cups.org
 *
 *   This file is subject to the Apple OS-Developed Software exception.
 *
 * Contents:
 *
 *   cupsDoAuthentication() - Authenticate a request.
 *   cups_local_auth()      - Get the local authorization certificate if
 *                            available/applicable...
 */

/*
 * Include necessary headers...
 */

#include "globals.h"
#include "debug.h"
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#if defined(WIN32) || defined(__EMX__)
#  include <io.h>
#else
#  include <unistd.h>
#endif /* WIN32 || __EMX__ */


/*
 * Local functions...
 */

static int	cups_local_auth(http_t *http);


/*
 * 'cupsDoAuthentication()' - Authenticate a request.
 *
 * This function should be called in response to a HTTP_UNAUTHORIZED
 * status, prior to resubmitting your request.
 *
 * @since CUPS 1.1.20@
 */

int					/* O - 0 on success, -1 on error */
cupsDoAuthentication(http_t     *http,	/* I - HTTP connection to server */
                     const char *method,/* I - Request method (GET, POST, PUT) */
		     const char *resource)
					/* I - Resource path */
{
  const char	*password;		/* Password string */
  char		prompt[1024],		/* Prompt for user */
		realm[HTTP_MAX_VALUE],	/* realm="xyz" string */
		nonce[HTTP_MAX_VALUE],	/* nonce="xyz" string */
		encode[512];		/* Encoded username:password */


  DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")\n",
                http, method, resource));
  DEBUG_printf(("cupsDoAuthentication: digest_tries=%d, userpass=\"%s\"\n",
                http->digest_tries, http->userpass));
  DEBUG_printf(("cupsDoAuthentication: WWW-Authenticate=\"%s\"\n",
                httpGetField(http, HTTP_FIELD_WWW_AUTHENTICATE)));

 /*
  * Clear the current authentication string...
  */

  http->authstring[0] = '\0';

 /*
  * See if we can do local authentication...
  */

  if (http->digest_tries < 3 && !cups_local_auth(http))
  {
    DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));

    if (http->status == HTTP_UNAUTHORIZED)
      http->digest_tries ++;

    return (0);
  }

 /*
  * Nope, see if we should retry the current username:password...
  */

  if (http->digest_tries > 1 || !http->userpass[0])
  {
   /*
    * Nope - get a new password from the user...
    */

    snprintf(prompt, sizeof(prompt), _("Password for %s on %s? "), cupsUser(),
             http->hostname[0] == '/' ? "localhost" : http->hostname);

    http->digest_tries  = strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE],
                                      "Digest", 5) != 0;
    http->userpass[0]   = '\0';

    if ((password = cupsGetPassword(prompt)) == NULL)
      return (-1);

    if (!password[0])
      return (-1);

    snprintf(http->userpass, sizeof(http->userpass), "%s:%s", cupsUser(),
             password);
  }
  else if (http->status == HTTP_UNAUTHORIZED)
    http->digest_tries ++;

 /*
  * Got a password; encode it for the server...
  */

  if (strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6))
  {
   /*
    * Basic authentication...
    */

    httpEncode64_2(encode, sizeof(encode), http->userpass,
                   strlen(http->userpass));
    snprintf(http->authstring, sizeof(http->authstring), "Basic %s", encode);
  }
  else
  {
   /*
    * Digest authentication...
    */

    httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm);
    httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce);

    httpMD5(cupsUser(), realm, strchr(http->userpass, ':') + 1, encode);
    httpMD5Final(nonce, method, resource, encode);
    snprintf(http->authstring, sizeof(http->authstring),
	     "Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", "
	     "uri=\"%s\", response=\"%s\"", cupsUser(), realm, nonce,
	     resource, encode);
  }

  DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));

  return (0);
}


/*
 * 'cups_local_auth()' - Get the local authorization certificate if
 *                       available/applicable...
 */

static int				/* O - 0 if available, -1 if not */
cups_local_auth(http_t *http)		/* I - HTTP connection to server */
{
#if defined(WIN32) || defined(__EMX__)
 /*
  * Currently WIN32 and OS-2 do not support the CUPS server...
  */

  return (-1);
#else
  int		pid;			/* Current process ID */
  FILE		*fp;			/* Certificate file */
  char		filename[1024],		/* Certificate filename */
		certificate[33];	/* Certificate string */
  _cups_globals_t *cg = _cupsGlobals();	/* Global data */


  DEBUG_printf(("cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"\n",
                http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname));

 /*
  * See if we are accessing localhost...
  */

  if (!httpAddrLocalhost(http->hostaddr) &&
      strcasecmp(http->hostname, "localhost") != 0)
  {
    DEBUG_puts("cups_local_auth: Not a local connection!");
    return (-1);
  }

 /*
  * Try opening a certificate file for this PID.  If that fails,
  * try the root certificate...
  */

  pid = getpid();
  snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid);
  if ((fp = fopen(filename, "r")) == NULL && pid > 0)
  {
    DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
                  filename, strerror(errno)));

    snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir);
    fp = fopen(filename, "r");
  }

  if (fp == NULL)
  {
    DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
                  filename, strerror(errno)));
    return (-1);
  }

 /*
  * Read the certificate from the file...
  */

  fgets(certificate, sizeof(certificate), fp);
  fclose(fp);

 /*
  * Set the authorization string and return...
  */

  snprintf(http->authstring, sizeof(http->authstring), "Local %s", certificate);

  DEBUG_printf(("cups_local_auth: Returning authstring = \"%s\"\n",
                http->authstring));

  return (0);
#endif /* WIN32 || __EMX__ */
}


/*
 * End of "$Id: auth.c 5961 2006-09-16 19:08:36Z mike $".
 */
Commit	Line	Data
ef416fc2	1	/*
07725fee	2	* "$Id: auth.c 5961 2006-09-16 19:08:36Z mike $"
ef416fc2	3	*
	4	* Authentication functions for the Common UNIX Printing System (CUPS).
	5	*
	6	* Copyright 1997-2006 by Easy Software Products.
	7	*
	8	* These coded instructions, statements, and computer programs are the
	9	* property of Easy Software Products and are protected by Federal
	10	* copyright law. Distribution and use rights are outlined in the file
	11	* "LICENSE.txt" which should have been included with this file. If this
	12	* file is missing or damaged please contact Easy Software Products
	13	* at:
	14	*
	15	* Attn: CUPS Licensing Information
	16	* Easy Software Products
	17	* 44141 Airport View Drive, Suite 204
	18	* Hollywood, Maryland 20636 USA
	19	*
	20	* Voice: (301) 373-9600
	21	* EMail: cups-info@cups.org
	22	* WWW: http://www.cups.org
	23	*
	24	* This file is subject to the Apple OS-Developed Software exception.
	25	*
	26	* Contents:
	27	*
	28	* cupsDoAuthentication() - Authenticate a request.
	29	* cups_local_auth() - Get the local authorization certificate if
	30	* available/applicable...
	31	*/
	32
	33	/*
	34	* Include necessary headers...
	35	*/
	36
	37	#include "globals.h"
	38	#include "debug.h"
	39	#include <stdlib.h>
	40	#include <ctype.h>
	41	#include <errno.h>
	42	#include <fcntl.h>
	43	#include <sys/stat.h>
	44	#if defined(WIN32) \|\| defined(__EMX__)
	45	# include <io.h>
	46	#else
	47	# include <unistd.h>
	48	#endif /* WIN32 \|\| __EMX__ */
	49
	50
	51	/*
	52	* Local functions...
	53	*/
	54
	55	static int cups_local_auth(http_t *http);
	56
	57
	58	/*
	59	* 'cupsDoAuthentication()' - Authenticate a request.
	60	*
	61	* This function should be called in response to a HTTP_UNAUTHORIZED
	62	* status, prior to resubmitting your request.
	63	*
	64	* @since CUPS 1.1.20@
	65	*/
	66
67	int /* O - 0 on success, -1 on error */
68	cupsDoAuthentication(http_t http, / I - HTTP connection to server */
69	const char method,/ I - Request method (GET, POST, PUT) */
70	const char *resource)
71	/* I - Resource path */
72	{
73	const char password; / Password string */
74	char prompt[1024], /* Prompt for user */
75	realm[HTTP_MAX_VALUE], /* realm="xyz" string */
76	nonce[HTTP_MAX_VALUE], /* nonce="xyz" string */
77	encode[512]; /* Encoded username:password */
78
79
80	DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")\n",
81	http, method, resource));
82	DEBUG_printf(("cupsDoAuthentication: digest_tries=%d, userpass=\"%s\"\n",
83	http->digest_tries, http->userpass));
07725fee	84	DEBUG_printf(("cupsDoAuthentication: WWW-Authenticate=\"%s\"\n",
07725fee	85	httpGetField(http, HTTP_FIELD_WWW_AUTHENTICATE)));
ef416fc2	86
	87	/*
	88	* Clear the current authentication string...
	89	*/
	90
	91	http->authstring[0] = '\0';
	92
	93	/*
	94	* See if we can do local authentication...
	95	*/
	96
d6ae789d	97	if (http->digest_tries < 3 && !cups_local_auth(http))
ef416fc2	98	{
ef416fc2	99	DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));
d6ae789d	100
	101	if (http->status == HTTP_UNAUTHORIZED)
	102	http->digest_tries ++;
	103
ef416fc2	104	return (0);
	105	}
	106
	107	/*
	108	* Nope, see if we should retry the current username:password...
	109	*/
	110
	111	if (http->digest_tries > 1 \|\| !http->userpass[0])
	112	{
	113	/*
	114	* Nope - get a new password from the user...
	115	*/
	116
f301802f	117	snprintf(prompt, sizeof(prompt), _("Password for %s on %s? "), cupsUser(),
f301802f	118	http->hostname[0] == '/' ? "localhost" : http->hostname);
ef416fc2	119
	120	http->digest_tries = strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE],
	121	"Digest", 5) != 0;
	122	http->userpass[0] = '\0';
	123
	124	if ((password = cupsGetPassword(prompt)) == NULL)
	125	return (-1);
	126
	127	if (!password[0])
	128	return (-1);
	129
	130	snprintf(http->userpass, sizeof(http->userpass), "%s:%s", cupsUser(),
	131	password);
	132	}
	133	else if (http->status == HTTP_UNAUTHORIZED)
	134	http->digest_tries ++;
	135
	136	/*
	137	* Got a password; encode it for the server...
	138	*/
	139
	140	if (strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6))
	141	{
	142	/*
	143	* Basic authentication...
	144	*/
	145
	146	httpEncode64_2(encode, sizeof(encode), http->userpass,
	147	strlen(http->userpass));
	148	snprintf(http->authstring, sizeof(http->authstring), "Basic %s", encode);
	149	}
	150	else
	151	{
	152	/*
	153	* Digest authentication...
	154	*/
	155
	156	httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm);
	157	httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce);
	158
	159	httpMD5(cupsUser(), realm, strchr(http->userpass, ':') + 1, encode);
	160	httpMD5Final(nonce, method, resource, encode);
	161	snprintf(http->authstring, sizeof(http->authstring),
	162	"Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", "
	163	"uri=\"%s\", response=\"%s\"", cupsUser(), realm, nonce,
	164	resource, encode);
	165	}
	166
	167	DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));
	168
	169	return (0);
	170	}
	171
	172
	173	/*
	174	* 'cups_local_auth()' - Get the local authorization certificate if
	175	* available/applicable...
	176	*/
	177
	178	static int /* O - 0 if available, -1 if not */
	179	cups_local_auth(http_t http) / I - HTTP connection to server */
	180	{
	181	#if defined(WIN32) \|\| defined(__EMX__)
	182	/*
183	* Currently WIN32 and OS-2 do not support the CUPS server...
184	*/
185
186	return (-1);
187	#else
188	int pid; /* Current process ID */
189	FILE fp; / Certificate file */
190	char filename[1024], /* Certificate filename */
191	certificate[33]; /* Certificate string */
192	_cups_globals_t cg = _cupsGlobals(); / Global data */
193
194
195	DEBUG_printf(("cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"\n",
196	http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname));
197
198	/*
199	* See if we are accessing localhost...
200	*/
201
202	if (!httpAddrLocalhost(http->hostaddr) &&
203	strcasecmp(http->hostname, "localhost") != 0)
204	{
205	DEBUG_puts("cups_local_auth: Not a local connection!");
206	return (-1);
207	}
208
209	/*
210	* Try opening a certificate file for this PID. If that fails,
211	* try the root certificate...
212	*/
213
214	pid = getpid();
215	snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid);
216	if ((fp = fopen(filename, "r")) == NULL && pid > 0)
217	{
218	DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
219	filename, strerror(errno)));
220
221	snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir);
222	fp = fopen(filename, "r");
223	}
224
225	if (fp == NULL)
226	{
227	DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
228	filename, strerror(errno)));
229	return (-1);
230	}
231
232	/*
233	* Read the certificate from the file...
234	*/
235
236	fgets(certificate, sizeof(certificate), fp);
237	fclose(fp);
238
239	/*
240	* Set the authorization string and return...
241	*/
242
243	snprintf(http->authstring, sizeof(http->authstring), "Local %s", certificate);
244
245	DEBUG_printf(("cups_local_auth: Returning authstring = \"%s\"\n",
246	http->authstring));
247
248	return (0);
249	#endif /* WIN32 \|\| __EMX__ */
250	}
251
252
253	/*
07725fee	254	* End of "$Id: auth.c 5961 2006-09-16 19:08:36Z mike $".
ef416fc2	255	*/