From 0a0c70cdc6ca87dff680d55d9e4d9f7be44c17ef Mon Sep 17 00:00:00 2001 From: serassio <> Date: Sun, 24 Apr 2005 20:00:43 +0000 Subject: [PATCH] Bug #1223: Make the use of the %m error page to return auth info messages This patch extends the helper protocols for Basic and Digest to provide some basic information in error responses, and makes use of the error response already included in the NTLM helper protocol, making these messages available as %m in error pages. Can be used if desired to indicate why a login failed. The exact messages returned is helper dependent. Forward port of 2.5 patch. --- helpers/basic_auth/LDAP/squid_ldap_auth.c | 4 ++-- helpers/basic_auth/NCSA/ncsa_auth.c | 4 ++-- helpers/basic_auth/YP/yp_auth.c | 4 ++-- helpers/basic_auth/getpwnam/getpwnam_auth.c | 4 ++-- src/auth/basic/auth_basic.cc | 10 +++++++--- src/auth/digest/auth_digest.cc | 14 ++++++++++---- src/auth/ntlm/auth_ntlm.cc | 16 +++++++++------- src/cf.data.pre | 12 ++++++++---- 8 files changed, 42 insertions(+), 26 deletions(-) diff --git a/helpers/basic_auth/LDAP/squid_ldap_auth.c b/helpers/basic_auth/LDAP/squid_ldap_auth.c index 9c7b307033..3573d49700 100644 --- a/helpers/basic_auth/LDAP/squid_ldap_auth.c +++ b/helpers/basic_auth/LDAP/squid_ldap_auth.c @@ -576,7 +576,7 @@ main(int argc, char **argv) rfc1738_unescape(user); rfc1738_unescape(passwd); if (!validUsername(user)) { - printf("ERR\n"); + printf("ERR No such user\n"); continue; } tryagain = (ld != NULL); @@ -590,7 +590,7 @@ main(int argc, char **argv) ld = NULL; goto recover; } - printf("ERR\n"); + printf("ERR %s\n", ldap_err2string(squid_ldap_errno(ld))); } else { printf("OK\n"); } diff --git a/helpers/basic_auth/NCSA/ncsa_auth.c b/helpers/basic_auth/NCSA/ncsa_auth.c index d07e52779a..1718057fcf 100644 --- a/helpers/basic_auth/NCSA/ncsa_auth.c +++ b/helpers/basic_auth/NCSA/ncsa_auth.c @@ -139,13 +139,13 @@ main(int argc, char **argv) rfc1738_unescape(passwd); u = (user_data *)hash_lookup(hash, user); if (u == NULL) { - printf("ERR\n"); + printf("ERR No such user\n"); } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd)) == 0) { printf("OK\n"); } else if (strcmp(u->passwd, (char *) crypt_md5(passwd, u->passwd)) == 0) { printf("OK\n"); } else { - printf("ERR\n"); + printf("ERR Wrong password\n"); } } exit(0); diff --git a/helpers/basic_auth/YP/yp_auth.c b/helpers/basic_auth/YP/yp_auth.c index 3c0fd2cc2c..06b39d167d 100644 --- a/helpers/basic_auth/YP/yp_auth.c +++ b/helpers/basic_auth/YP/yp_auth.c @@ -71,13 +71,13 @@ main(int argc, char **argv) if (!nispasswd) { /* User does not exist */ - printf("ERR\n"); + printf("ERR No such user\n"); } else if (strcmp(nispasswd, (char *) crypt(passwd, nispasswd)) == 0) { /* All ok !, thanks... */ printf("OK\n"); } else { /* Password incorrect */ - printf("ERR\n"); + printf("ERR Wrong password\n"); } } exit(0); diff --git a/helpers/basic_auth/getpwnam/getpwnam_auth.c b/helpers/basic_auth/getpwnam/getpwnam_auth.c index ebd7cc38db..72c5f7a430 100644 --- a/helpers/basic_auth/getpwnam/getpwnam_auth.c +++ b/helpers/basic_auth/getpwnam/getpwnam_auth.c @@ -70,10 +70,10 @@ main() rfc1738_unescape(passwd); pwd = getpwnam(user); if (pwd == NULL) { - printf(ERR); + printf("ERR No such user\n"); } else { if (strcmp(pwd->pw_passwd, (char *) crypt(passwd, pwd->pw_passwd))) { - printf(ERR); + printf("ERR Wrong password\n"); } else { printf(OK); } diff --git a/src/auth/basic/auth_basic.cc b/src/auth/basic/auth_basic.cc index f3f8b78bd5..dc91cd0670 100644 --- a/src/auth/basic/auth_basic.cc +++ b/src/auth/basic/auth_basic.cc @@ -1,5 +1,5 @@ /* - * $Id: auth_basic.cc,v 1.37 2005/03/19 15:41:55 serassio Exp $ + * $Id: auth_basic.cc,v 1.38 2005/04/24 14:00:51 serassio Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Duane Wessels @@ -247,7 +247,7 @@ authenticateBasicHandleReply(void *data, char *reply) if (reply) { if ((t = strchr(reply, ' '))) - *t = '\0'; + *t++ = '\0'; if (*reply == '\0') reply = NULL; @@ -259,9 +259,13 @@ authenticateBasicHandleReply(void *data, char *reply) if (reply && (strncasecmp(reply, "OK", 2) == 0)) basic_auth->flags.credentials_ok = 1; - else + else { basic_auth->flags.credentials_ok = 3; + if (t && *t) + r->auth_user_request->setDenyMessage(t); + } + basic_auth->credentials_checkedtime = squid_curtime; if (cbdataReferenceValidDone(r->data, &cbdata)) diff --git a/src/auth/digest/auth_digest.cc b/src/auth/digest/auth_digest.cc index 8e230b8253..9df9f1a70d 100644 --- a/src/auth/digest/auth_digest.cc +++ b/src/auth/digest/auth_digest.cc @@ -1,6 +1,6 @@ /* - * $Id: auth_digest.cc,v 1.42 2005/04/18 21:52:43 hno Exp $ + * $Id: auth_digest.cc,v 1.43 2005/04/24 14:00:52 serassio Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Robert Collins @@ -635,6 +635,7 @@ AuthDigestUserRequest::authenticate(HttpRequest * request, ConnStateData::Pointe if (strcasecmp(digest_request->response, Response)) { credentials(Failed); + digest_request->setDenyMessage("Incorrect password"); return; } else { const char *useragent = httpHeaderGetStr(&request->header, HDR_USER_AGENT); @@ -654,6 +655,7 @@ AuthDigestUserRequest::authenticate(HttpRequest * request, ConnStateData::Pointe } } else { credentials(Failed); + digest_request->setDenyMessage("Incorrect password"); return; } @@ -663,6 +665,7 @@ AuthDigestUserRequest::authenticate(HttpRequest * request, ConnStateData::Pointe digest_user->username()); digest_request->flags.nonce_stale = 1; credentials(Failed); + digest_request->setDenyMessage("Stale nonce"); return; } } @@ -819,7 +822,7 @@ authenticateDigestHandleReply(void *data, char *reply) if (reply) { if ((t = strchr(reply, ' '))) - *t = '\0'; + *t++ = '\0'; if (*reply == '\0' || *reply == '\n') reply = NULL; @@ -831,9 +834,12 @@ authenticateDigestHandleReply(void *data, char *reply) assert(digest_request); digest_user = dynamic_cast < digest_user_h * >(auth_user_request->user()); - if (reply && (strncasecmp(reply, "ERR", 3) == 0)) + if (reply && (strncasecmp(reply, "ERR", 3) == 0)) { digest_request->credentials(AuthDigestUserRequest::Failed); - else if (reply) { + + if (t && *t) + digest_request->setDenyMessage(t); + } else if (reply) { CvtBin(reply, digest_user->HA1); digest_user->HA1created = 1; } diff --git a/src/auth/ntlm/auth_ntlm.cc b/src/auth/ntlm/auth_ntlm.cc index fe076200f7..91d61d9c6c 100644 --- a/src/auth/ntlm/auth_ntlm.cc +++ b/src/auth/ntlm/auth_ntlm.cc @@ -1,6 +1,6 @@ /* - * $Id: auth_ntlm.cc,v 1.46 2004/12/24 01:03:39 hno Exp $ + * $Id: auth_ntlm.cc,v 1.47 2005/04/24 14:00:52 serassio Exp $ * * DEBUG: section 29 NTLM Authenticator * AUTHOR: Robert Collins @@ -419,7 +419,6 @@ authenticateNTLMHandleReply(void *data, void *lastserver, char *reply) authenticateStateData *r = static_cast(data); ntlm_helper_state_t *helperstate; stateful_helper_callback_t result = S_HELPER_UNKNOWN; - char *t = NULL; auth_user_request_t *auth_user_request; auth_user_t *auth_user; ntlm_user_t *ntlm_user; @@ -546,9 +545,10 @@ authenticateNTLMHandleReply(void *data, void *lastserver, char *reply) ntlm_request->authserver = NULL; debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply); ntlm_request->auth_state = AUTHENTICATE_STATE_FAILED; + reply += 3; - if ((t = strchr(reply, ' '))) /* strip after a space */ - *t = '\0'; + if (*reply) + auth_user_request->setDenyMessage(reply); } else if (strncasecmp(reply, "NA", 2) == 0) { /* NTLM Helper protocol violation! */ fatal("NTLM Helper returned invalid response \"NA\" - a error message MUST be attached\n"); @@ -593,13 +593,15 @@ authenticateNTLMHandleReply(void *data, void *lastserver, char *reply) /* first the standard KK stuff */ debug(29, 4) ("authenticateNTLMHandleReply: Error validating user via NTLM. Error returned '%s'\n", reply); - if ((t = strchr(reply, ' '))) /* strip after a space */ - *t = '\0'; - /* now we mark the helper for resetting. */ helperstate->starve = 1; ntlm_request->auth_state = AUTHENTICATE_STATE_FAILED; + + reply += 3; + + if (*reply) + auth_user_request->setDenyMessage(reply); } else { /* TODO: only work with auth_user here if it exists */ /* TODO: take the request state into consideration */ diff --git a/src/cf.data.pre b/src/cf.data.pre index 85b7c8b5b7..b0c05461dd 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.385 2005/03/18 17:17:51 hno Exp $ +# $Id: cf.data.pre,v 1.386 2005/04/24 14:00:45 serassio Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -1742,9 +1742,11 @@ DOC_START "program" cmdline Specify the command for the external authenticator. Such a program reads a line containing "username password" and replies - "OK" or "ERR" in an endless loop. If you use an authenticator, - make sure you have 1 acl of type proxy_auth. By default, the - basic authentication sheme is not used unless a program is specified. + "ERR" in an endless loop. "ERR" responses may optionally be followed + by a error description available as %m in the returned error page. + If you use an authenticator, make sure you have 1 acl of type proxy_auth. + By default, the basic authentication scheme is not used unless a program + is specified. If you want to use the traditional proxy authentication, jump over to the ../auth_modules/NCSA directory and @@ -1804,6 +1806,8 @@ DOC_START replies with the appropriate H(A1) value base64 encoded or ERR if the user (or his H(A1) hash) does not exists. See rfc 2616 for the definition of H(A1). + "ERR" responses may optionally be followed by a error description + available as %m in the returned error page. By default, the digest authentication is not used unless a program is specified. -- 2.47.3