From e082eaba2cd5bd112dd848c0cb34703586681cd7 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Sat, 22 Sep 2012 23:13:29 +1200 Subject: [PATCH] Convert AF result handlers to use OK result with parameters Add the token= key for server blobs from Negotiate helpers. Update HelperReply parser to convert AF responses when received. --- src/HelperReply.cc | 21 +++++++++++++++------ src/HelperReply.h | 2 +- src/auth/negotiate/UserRequest.cc | 9 ++++----- src/auth/ntlm/UserRequest.cc | 7 +++---- 4 files changed, 23 insertions(+), 16 deletions(-) diff --git a/src/HelperReply.cc b/src/HelperReply.cc index 7d8eecdcf8..24a67646d2 100644 --- a/src/HelperReply.cc +++ b/src/HelperReply.cc @@ -35,9 +35,20 @@ HelperReply::HelperReply(const char *buf, size_t len, bool urlQuoting) : result = HelperReply::TT; p+=2; } else if (!strncmp(p,"AF ",3)) { - // NTLM OK response - result = HelperReply::AF; - p+=2; + // NTLM/Negotate OK response + result = HelperReply::OK; + p+=3; + // followed by an auth token + char *token = strwordtok(NULL, &p); + authToken.init(); + authToken.append(token, strlen(token)); + // ... and an optional username field + for(;xisspace(*p);p++); // skip whitespace + if (*p) { + user.init(); + user.append(p,strlen(p)); + p += user.size(); + } } else if (!strncmp(p,"NA ",3)) { // NTLM fail-closed ERR response result = HelperReply::NA; @@ -62,6 +73,7 @@ HelperReply::HelperReply(const char *buf, size_t len, bool urlQuoting) : found |= parseKeyValue("password=", 9, password); found |= parseKeyValue("message=", 8, message); found |= parseKeyValue("log=", 8, log); + found |= parseKeyValue("token=", 8, authToken); } while(found); if (urlQuoting) { @@ -114,9 +126,6 @@ operator <<(std::ostream &os, const HelperReply &r) case HelperReply::TT: os << "TT"; break; - case HelperReply::AF: - os << "AF"; - break; case HelperReply::NA: os << "NA"; break; diff --git a/src/HelperReply.h b/src/HelperReply.h index e0f29ee158..807ab77a91 100644 --- a/src/HelperReply.h 
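Review bot: `authToken.append(token, strlen(token))` never checks the pointer returned by `strwordtok(NULL, &p)`; if a helper replies `AF` followed only by whitespace and strwordtok reports a missing word with NULL (as strtok-style tokenizers do — I cannot see its contract from here), strlen dereferences NULL and one malformed helper line takes the whole proxy down. Guard it, `if (token) { authToken.init(); authToken.append(token, strlen(token)); }`, and let the result handlers treat an empty authToken as a broken reply. A second concern: the NTLM handler removed later in this patch took the *first* word after AF as the username (`username(blob)`), whereas this parser stores the first word in authToken and only a trailing second field in user, so an NTLM helper that still sends `AF username` would arrive with user empty and the account name in authToken — worth confirming against the helpers' actual output before relying on reply.user there. The enclosing HelperReply constructor begins and ends outside the hunk.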
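Review bot: The key length passed with `"token="` is wrong: the literal is 6 characters, not 8, so `parseKeyValue("token=", 8, authToken)` will either never match or skip the first two characters of the token value, depending on how parseKeyValue uses the length (the neighbouring calls pass the exact literal length, e.g. `"password=", 9` and `"message=", 8`). Change it to `found |= parseKeyValue("token=", 6, authToken);`. The same mismatch already exists on the untouched context line `parseKeyValue("log=", 8, log)` (a 4-character key); it is pre-existing, but fixing both together would be cheap. The enclosing constructor body continues outside the hunk.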
+++ b/src/HelperReply.h @@ -49,7 +49,6 @@ public: // some result codes for backward compatibility with NTLM/Negotiate // TODO: migrate these into variants of the above results with key-pair parameters TT, - AF, NA } result; @@ -59,6 +58,7 @@ public: MemBuf password; MemBuf message; MemBuf log; + MemBuf authToken; // TODO other (custom) key=pair values. when the callbacks actually use this object. // for now they retain their own parsing routines handling other() diff --git a/src/auth/negotiate/UserRequest.cc b/src/auth/negotiate/UserRequest.cc index bab1f280cd..24ae06081e 100644 --- a/src/auth/negotiate/UserRequest.cc +++ b/src/auth/negotiate/UserRequest.cc @@ -291,10 +291,9 @@ Auth::Negotiate::UserRequest::HandleReply(void *data, const HelperReply &reply) } break; - case HelperReply::AF: case HelperReply::Okay: { - if (arg == NULL) { + if (!reply.user.hasContent()) { // XXX: handle a success with no username better /* protocol error */ fatalf("authenticateNegotiateHandleReply: *** Unsupported helper response ***, '%s'\n", reply.other().content()); @@ -302,10 +301,10 @@ Auth::Negotiate::UserRequest::HandleReply(void *data, const HelperReply &reply) } /* we're finished, release the helper */ - auth_user_request->user()->username(arg); + auth_user_request->user()->username(reply.user.content()); auth_user_request->denyMessage("Login successful"); safe_free(lm_request->server_blob); - lm_request->server_blob = xstrdup(blob); + lm_request->server_blob = xstrdup(reply.authToken.content()); lm_request->releaseAuthServer(); /* connection is authenticated */ 
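Review bot: The new `MemBuf authToken` member carries no comment saying what it holds or when it is populated, and the parser in this patch only calls `authToken.init()` when a token is present, so readers cannot tell that it may be left untouched. Suggested line: `MemBuf authToken; ///< server-side auth token/blob: the "token=" key of an OK reply or the first word of an AF reply; left uninitialised when absent, so test hasContent() before reading it`. The class body begins and ends outside the hunk.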
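Review bot: `xstrdup(reply.authToken.content())` is called without checking that a token was actually supplied, even though the username three lines earlier is guarded with `reply.user.hasContent()`. With this patch the Okay branch also serves key-value OK replies, where `token=` is just another optional key, and AF replies whose token word was missing; for those authToken was never init()ed, and what content() returns on such a MemBuf is not visible here but is presumably NULL or empty, so xstrdup would crash or store an empty blob as the server response. Mirror the username check: `lm_request->server_blob = reply.authToken.hasContent() ? xstrdup(reply.authToken.content()) : NULL;` (server_blob was just safe_free'd, so NULL is the consistent "no blob" state), or treat the missing token as a protocol error like the missing username. HandleReply begins and ends outside the hunk.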
@@ -334,7 +333,7 @@ Auth::Negotiate::UserRequest::HandleReply(void *data, const HelperReply &reply) * existing user or a new user */ local_auth_user->expiretime = current_time.tv_sec; auth_user_request->user()->credentials(Auth::Ok); - debugs(29, 4, HERE << "Successfully validated user via Negotiate. Username '" << arg << "'"); + debugs(29, 4, HERE << "Successfully validated user via Negotiate. Username '" << reply.user << "'"); } break; diff --git a/src/auth/ntlm/UserRequest.cc b/src/auth/ntlm/UserRequest.cc index aef9f05dcc..e613207b12 100644 --- a/src/auth/ntlm/UserRequest.cc +++ b/src/auth/ntlm/UserRequest.cc @@ -275,16 +275,15 @@ Auth::Ntlm::UserRequest::HandleReply(void *data, const HelperReply &reply) } break; - case HelperReply::AF: case HelperReply::Okay: { /* we're finished, release the helper */ - auth_user_request->user()->username(blob); + auth_user_request->user()->username(reply.user.content()); auth_user_request->denyMessage("Login successful"); safe_free(lm_request->server_blob); lm_request->releaseAuthServer(); - debugs(29, 4, HERE << "Successfully validated user via NTLM. Username '" << blob << "'"); + debugs(29, 4, HERE << "Successfully validated user via NTLM. Username '" << reply.user << "'"); /* connection is authenticated */ debugs(29, 4, HERE << "authenticated user " << auth_user_request->user()->username()); /* see if this is an existing user with a different proxy_auth @@ -311,7 +310,7 @@ Auth::Ntlm::UserRequest::HandleReply(void *data, const HelperReply &reply) * existing user or a new user */ local_auth_user->expiretime = current_time.tv_sec; auth_user_request->user()->credentials(Auth::Ok); - debugs(29, 4, HERE << "Successfully validated user via NTLM. Username '" << blob << "'"); + debugs(29, 4, HERE << "Successfully validated user via NTLM. Username '" << reply.user << "'"); } break; -- 2.47.3
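Review bot: `auth_user_request->user()->username(reply.user.content())` has no check that the reply carried a username, unlike the Negotiate handler in this same patch, which tests `reply.user.hasContent()` and rejects the reply otherwise. The risk is concrete here because the removed line used the *first* word after AF as the NTLM username (`username(blob)`), while the new HelperReply parser puts the first word into authToken and only a trailing second field into user; an NTLM helper that still replies `AF username` therefore arrives with user empty and the account name in authToken, and whatever content() yields for an empty MemBuf becomes the authenticated username. Add the same guard before the assignment, `if (!reply.user.hasContent()) { /* protocol error — handle as the Negotiate handler does */ }`, and confirm which AF layout the NTLM helpers emit before relying on reply.user. HandleReply begins and ends outside the hunk.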