[thirdparty/cups.git] / cups / auth.c

/*
 * "$Id: auth.c 6191 2007-01-10 16:48:37Z mike $"
 *
 *   Authentication functions for the Common UNIX Printing System (CUPS).
 *
 *   Copyright 1997-2007 by Easy Software Products.
 *
 *   These coded instructions, statements, and computer programs are the
 *   property of Easy Software Products and are protected by Federal
 *   copyright law.  Distribution and use rights are outlined in the file
 *   "LICENSE.txt" which should have been included with this file.  If this
 *   file is missing or damaged please contact Easy Software Products
 *   at:
 *
 *       Attn: CUPS Licensing Information
 *       Easy Software Products
 *       44141 Airport View Drive, Suite 204
 *       Hollywood, Maryland 20636 USA
 *
 *       Voice: (301) 373-9600
 *       EMail: cups-info@cups.org
 *         WWW: http://www.cups.org
 *
 *   This file is subject to the Apple OS-Developed Software exception.
 *
 * Contents:
 *
 *   cupsDoAuthentication() - Authenticate a request.
 *   cups_local_auth()      - Get the local authorization certificate if
 *                            available/applicable...
 */

/*
 * Include necessary headers...
 */

#include "globals.h"
#include "debug.h"
#include <stdlib.h>
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#if defined(WIN32) || defined(__EMX__)
#  include <io.h>
#else
#  include <unistd.h>
#endif /* WIN32 || __EMX__ */


/*
 * Local functions...
 */

static int	cups_local_auth(http_t *http);


/*
 * 'cupsDoAuthentication()' - Authenticate a request.
 *
 * This function should be called in response to a HTTP_UNAUTHORIZED
 * status, prior to resubmitting your request.
 *
 * @since CUPS 1.1.20@
 */

int					/* O - 0 on success, -1 on error */
cupsDoAuthentication(http_t     *http,	/* I - HTTP connection to server */
                     const char *method,/* I - Request method (GET, POST, PUT) */
		     const char *resource)
					/* I - Resource path */
{
  const char	*password;		/* Password string */
  char		prompt[1024],		/* Prompt for user */
		realm[HTTP_MAX_VALUE],	/* realm="xyz" string */
		nonce[HTTP_MAX_VALUE],	/* nonce="xyz" string */
		encode[512];		/* Encoded username:password */
  _cups_globals_t *cg;			/* Global data */


  DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")\n",
                http, method, resource));
  DEBUG_printf(("cupsDoAuthentication: digest_tries=%d, userpass=\"%s\"\n",
                http->digest_tries, http->userpass));
  DEBUG_printf(("cupsDoAuthentication: WWW-Authenticate=\"%s\"\n",
                httpGetField(http, HTTP_FIELD_WWW_AUTHENTICATE)));

 /*
  * Clear the current authentication string...
  */

  http->authstring[0] = '\0';

 /*
  * See if we can do local authentication...
  */

  if (http->digest_tries < 3 && !cups_local_auth(http))
  {
    DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));

    if (http->status == HTTP_UNAUTHORIZED)
      http->digest_tries ++;

    return (0);
  }

 /*
  * Nope, see if we should retry the current username:password...
  */

  if (http->digest_tries > 1 || !http->userpass[0])
  {
   /*
    * Nope - get a new password from the user...
    */

    cg = _cupsGlobals();

    if (!cg->lang_default)
      cg->lang_default = cupsLangDefault();

    snprintf(prompt, sizeof(prompt),
             _cupsLangString(cg->lang_default, _("Password for %s on %s? ")),
	     cupsUser(),
	     http->hostname[0] == '/' ? "localhost" : http->hostname);

    http->digest_tries  = strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE],
                                      "Digest", 5) != 0;
    http->userpass[0]   = '\0';

    if ((password = cupsGetPassword(prompt)) == NULL)
      return (-1);

    if (!password[0])
      return (-1);

    snprintf(http->userpass, sizeof(http->userpass), "%s:%s", cupsUser(),
             password);
  }
  else if (http->status == HTTP_UNAUTHORIZED)
    http->digest_tries ++;

 /*
  * Got a password; encode it for the server...
  */

  if (strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6))
  {
   /*
    * Basic authentication...
    */

    httpEncode64_2(encode, sizeof(encode), http->userpass,
                   (int)strlen(http->userpass));
    snprintf(http->authstring, sizeof(http->authstring), "Basic %s", encode);
  }
  else
  {
   /*
    * Digest authentication...
    */

    httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm);
    httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce);

    httpMD5(cupsUser(), realm, strchr(http->userpass, ':') + 1, encode);
    httpMD5Final(nonce, method, resource, encode);
    snprintf(http->authstring, sizeof(http->authstring),
	     "Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", "
	     "uri=\"%s\", response=\"%s\"", cupsUser(), realm, nonce,
	     resource, encode);
  }

  DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));

  return (0);
}


/*
 * 'cups_local_auth()' - Get the local authorization certificate if
 *                       available/applicable...
 */

static int				/* O - 0 if available, -1 if not */
cups_local_auth(http_t *http)		/* I - HTTP connection to server */
{
#if defined(WIN32) || defined(__EMX__)
 /*
  * Currently WIN32 and OS-2 do not support the CUPS server...
  */

  return (-1);
#else
  int		pid;			/* Current process ID */
  FILE		*fp;			/* Certificate file */
  char		filename[1024],		/* Certificate filename */
		certificate[33];	/* Certificate string */
  _cups_globals_t *cg = _cupsGlobals();	/* Global data */


  DEBUG_printf(("cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"\n",
                http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname));

 /*
  * See if we are accessing localhost...
  */

  if (!httpAddrLocalhost(http->hostaddr) &&
      strcasecmp(http->hostname, "localhost") != 0)
  {
    DEBUG_puts("cups_local_auth: Not a local connection!");
    return (-1);
  }

 /*
  * Try opening a certificate file for this PID.  If that fails,
  * try the root certificate...
  */

  pid = getpid();
  snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid);
  if ((fp = fopen(filename, "r")) == NULL && pid > 0)
  {
    DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
                  filename, strerror(errno)));

    snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir);
    fp = fopen(filename, "r");
  }

  if (fp == NULL)
  {
    DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
                  filename, strerror(errno)));
    return (-1);
  }

 /*
  * Read the certificate from the file...
  */

  fgets(certificate, sizeof(certificate), fp);
  fclose(fp);

 /*
  * Set the authorization string and return...
  */

  snprintf(http->authstring, sizeof(http->authstring), "Local %s", certificate);

  DEBUG_printf(("cups_local_auth: Returning authstring = \"%s\"\n",
                http->authstring));

  return (0);
#endif /* WIN32 || __EMX__ */
}


/*
 * End of "$Id: auth.c 6191 2007-01-10 16:48:37Z mike $".
 */
Commit	Line	Data
ef416fc2	1	/*
b86bc4cf	2	* "$Id: auth.c 6191 2007-01-10 16:48:37Z mike $"
ef416fc2	3	*
	4	* Authentication functions for the Common UNIX Printing System (CUPS).
	5	*
b86bc4cf	6	* Copyright 1997-2007 by Easy Software Products.
ef416fc2	7	*
	8	* These coded instructions, statements, and computer programs are the
	9	* property of Easy Software Products and are protected by Federal
	10	* copyright law. Distribution and use rights are outlined in the file
	11	* "LICENSE.txt" which should have been included with this file. If this
	12	* file is missing or damaged please contact Easy Software Products
	13	* at:
	14	*
	15	* Attn: CUPS Licensing Information
	16	* Easy Software Products
	17	* 44141 Airport View Drive, Suite 204
	18	* Hollywood, Maryland 20636 USA
	19	*
	20	* Voice: (301) 373-9600
	21	* EMail: cups-info@cups.org
	22	* WWW: http://www.cups.org
	23	*
	24	* This file is subject to the Apple OS-Developed Software exception.
	25	*
	26	* Contents:
	27	*
	28	* cupsDoAuthentication() - Authenticate a request.
	29	* cups_local_auth() - Get the local authorization certificate if
	30	* available/applicable...
	31	*/
	32
	33	/*
	34	* Include necessary headers...
	35	*/
	36
	37	#include "globals.h"
	38	#include "debug.h"
	39	#include <stdlib.h>
	40	#include <ctype.h>
	41	#include <errno.h>
	42	#include <fcntl.h>
	43	#include <sys/stat.h>
	44	#if defined(WIN32) \|\| defined(__EMX__)
	45	# include <io.h>
	46	#else
	47	# include <unistd.h>
	48	#endif /* WIN32 \|\| __EMX__ */
	49
	50
	51	/*
	52	* Local functions...
	53	*/
	54
	55	static int cups_local_auth(http_t *http);
	56
	57
	58	/*
	59	* 'cupsDoAuthentication()' - Authenticate a request.
	60	*
	61	* This function should be called in response to a HTTP_UNAUTHORIZED
	62	* status, prior to resubmitting your request.
	63	*
	64	* @since CUPS 1.1.20@
	65	*/
	66
	67	int /* O - 0 on success, -1 on error */
	68	cupsDoAuthentication(http_t http, / I - HTTP connection to server */
	69	const char method,/ I - Request method (GET, POST, PUT) */
	70	const char *resource)
71	/* I - Resource path */
72	{
73	const char password; / Password string */
74	char prompt[1024], /* Prompt for user */
75	realm[HTTP_MAX_VALUE], /* realm="xyz" string */
76	nonce[HTTP_MAX_VALUE], /* nonce="xyz" string */
77	encode[512]; /* Encoded username:password */
b86bc4cf	78	_cups_globals_t cg; / Global data */
ef416fc2	79
	80
	81	DEBUG_printf(("cupsDoAuthentication(http=%p, method=\"%s\", resource=\"%s\")\n",
	82	http, method, resource));
	83	DEBUG_printf(("cupsDoAuthentication: digest_tries=%d, userpass=\"%s\"\n",
	84	http->digest_tries, http->userpass));
07725fee	85	DEBUG_printf(("cupsDoAuthentication: WWW-Authenticate=\"%s\"\n",
07725fee	86	httpGetField(http, HTTP_FIELD_WWW_AUTHENTICATE)));
ef416fc2	87
	88	/*
	89	* Clear the current authentication string...
	90	*/
	91
	92	http->authstring[0] = '\0';
	93
	94	/*
	95	* See if we can do local authentication...
	96	*/
	97
d6ae789d	98	if (http->digest_tries < 3 && !cups_local_auth(http))
ef416fc2	99	{
ef416fc2	100	DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));
d6ae789d	101
	102	if (http->status == HTTP_UNAUTHORIZED)
	103	http->digest_tries ++;
	104
ef416fc2	105	return (0);
	106	}
	107
	108	/*
	109	* Nope, see if we should retry the current username:password...
	110	*/
	111
	112	if (http->digest_tries > 1 \|\| !http->userpass[0])
	113	{
	114	/*
	115	* Nope - get a new password from the user...
	116	*/
	117
b86bc4cf	118	cg = _cupsGlobals();
	119
	120	if (!cg->lang_default)
	121	cg->lang_default = cupsLangDefault();
	122
	123	snprintf(prompt, sizeof(prompt),
	124	_cupsLangString(cg->lang_default, _("Password for %s on %s? ")),
	125	cupsUser(),
	126	http->hostname[0] == '/' ? "localhost" : http->hostname);
ef416fc2	127
	128	http->digest_tries = strncasecmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE],
	129	"Digest", 5) != 0;
	130	http->userpass[0] = '\0';
	131
	132	if ((password = cupsGetPassword(prompt)) == NULL)
	133	return (-1);
	134
	135	if (!password[0])
	136	return (-1);
	137
	138	snprintf(http->userpass, sizeof(http->userpass), "%s:%s", cupsUser(),
	139	password);
	140	}
	141	else if (http->status == HTTP_UNAUTHORIZED)
	142	http->digest_tries ++;
	143
	144	/*
	145	* Got a password; encode it for the server...
	146	*/
	147
	148	if (strncmp(http->fields[HTTP_FIELD_WWW_AUTHENTICATE], "Digest", 6))
	149	{
	150	/*
	151	* Basic authentication...
	152	*/
	153
	154	httpEncode64_2(encode, sizeof(encode), http->userpass,
b86bc4cf	155	(int)strlen(http->userpass));
ef416fc2	156	snprintf(http->authstring, sizeof(http->authstring), "Basic %s", encode);
	157	}
	158	else
	159	{
	160	/*
	161	* Digest authentication...
	162	*/
	163
	164	httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "realm", realm);
	165	httpGetSubField(http, HTTP_FIELD_WWW_AUTHENTICATE, "nonce", nonce);
	166
	167	httpMD5(cupsUser(), realm, strchr(http->userpass, ':') + 1, encode);
	168	httpMD5Final(nonce, method, resource, encode);
	169	snprintf(http->authstring, sizeof(http->authstring),
	170	"Digest username=\"%s\", realm=\"%s\", nonce=\"%s\", "
	171	"uri=\"%s\", response=\"%s\"", cupsUser(), realm, nonce,
	172	resource, encode);
	173	}
	174
	175	DEBUG_printf(("cupsDoAuthentication: authstring=\"%s\"\n", http->authstring));
	176
	177	return (0);
	178	}
	179
	180
	181	/*
	182	* 'cups_local_auth()' - Get the local authorization certificate if
	183	* available/applicable...
	184	*/
	185
	186	static int /* O - 0 if available, -1 if not */
	187	cups_local_auth(http_t http) / I - HTTP connection to server */
	188	{
	189	#if defined(WIN32) \|\| defined(__EMX__)
	190	/*
	191	* Currently WIN32 and OS-2 do not support the CUPS server...
	192	*/
	193
	194	return (-1);
	195	#else
	196	int pid; /* Current process ID */
	197	FILE fp; / Certificate file */
	198	char filename[1024], /* Certificate filename */
	199	certificate[33]; /* Certificate string */
	200	_cups_globals_t cg = _cupsGlobals(); / Global data */
	201
	202
	203	DEBUG_printf(("cups_local_auth(http=%p) hostaddr=%s, hostname=\"%s\"\n",
	204	http, httpAddrString(http->hostaddr, filename, sizeof(filename)), http->hostname));
	205
	206	/*
	207	* See if we are accessing localhost...
	208	*/
	209
	210	if (!httpAddrLocalhost(http->hostaddr) &&
	211	strcasecmp(http->hostname, "localhost") != 0)
	212	{
	213	DEBUG_puts("cups_local_auth: Not a local connection!");
	214	return (-1);
	215	}
	216
	217	/*
	218	* Try opening a certificate file for this PID. If that fails,
	219	* try the root certificate...
220	*/
221
222	pid = getpid();
223	snprintf(filename, sizeof(filename), "%s/certs/%d", cg->cups_statedir, pid);
224	if ((fp = fopen(filename, "r")) == NULL && pid > 0)
225	{
226	DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
227	filename, strerror(errno)));
228
229	snprintf(filename, sizeof(filename), "%s/certs/0", cg->cups_statedir);
230	fp = fopen(filename, "r");
231	}
232
233	if (fp == NULL)
234	{
235	DEBUG_printf(("cups_local_auth: Unable to open file %s: %s\n",
236	filename, strerror(errno)));
237	return (-1);
238	}
239
240	/*
241	* Read the certificate from the file...
242	*/
243
244	fgets(certificate, sizeof(certificate), fp);
245	fclose(fp);
246
247	/*
248	* Set the authorization string and return...
249	*/
250
251	snprintf(http->authstring, sizeof(http->authstring), "Local %s", certificate);
252
253	DEBUG_printf(("cups_local_auth: Returning authstring = \"%s\"\n",
254	http->authstring));
255
256	return (0);
257	#endif /* WIN32 \|\| __EMX__ */
258	}
259
260
261	/*
b86bc4cf	262	* End of "$Id: auth.c 6191 2007-01-10 16:48:37Z mike $".
ef416fc2	263	*/