Config.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 29 Authenticator */
10 
11 /* The functions in this file handle authentication.
12  * They DO NOT perform access control or auditing.
13  * See acl.c for access control and client_side.c for auditing */
14 
15 #include "squid.h"
16 #include "auth/basic/Config.h"
17 #include "auth/basic/Scheme.h"
18 #include "auth/basic/User.h"
19 #include "auth/basic/UserRequest.h"
20 #include "auth/CredentialsCache.h"
21 #include "auth/Gadgets.h"
22 #include "auth/State.h"
23 #include "auth/toUtf.h"
24 #include "base64.h"
25 #include "cache_cf.h"
26 #include "helper.h"
27 #include "HttpHeaderTools.h"
28 #include "HttpReply.h"
29 #include "mgr/Registration.h"
30 #include "rfc1738.h"
31 #include "sbuf/SBuf.h"
32 #include "SquidTime.h"
33 #include "Store.h"
34 #include "util.h"
35 #include "wordlist.h"
36 
37 /* Basic Scheme */
39 
41 
42 static int authbasic_initialised = 0;
43 
44 /*
45  *
46  * Public Functions
47  *
48  */
49 
50 /* internal functions */
51 
52 bool
53 Auth::Basic::Config::active() const
54 {
55  return authbasic_initialised == 1;
56 }
57 
58 bool
59 Auth::Basic::Config::configured() const
60 {
61  if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0) && !realm.isEmpty()) {
62  debugs(29, 9, HERE << "returning configured");
63  return true;
64  }
65 
66  debugs(29, 9, HERE << "returning unconfigured");
67  return false;
68 }
69 
70 const char *
72 {
73  return Auth::Basic::Scheme::GetInstance()->type();
74 }
75 
76 void
77 Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer, HttpReply *rep, Http::HdrType hdrType, HttpRequest *)
78 {
79  if (authenticateProgram) {
80  if (utf8) {
81  debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\", charset=\"UTF-8\"'");
82  httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\", charset=\"UTF-8\"", SQUIDSBUFPRINT(realm));
83  } else {
84  debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\"'");
85  httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\"", SQUIDSBUFPRINT(realm));
86  }
87  }
88 }
89 
90 void
91 Auth::Basic::Config::rotateHelpers()
92 {
93  /* schedule closure of existing helpers */
94  if (basicauthenticators) {
96  }
97 
98  /* NP: dynamic helper restart will ensure they start up again as needed. */
99 }
100 
102 void
103 Auth::Basic::Config::done()
104 {
106 
108 
109  if (basicauthenticators) {
111  }
112 
113  delete basicauthenticators;
115 
116  if (authenticateProgram)
117  wordlistDestroy(&authenticateProgram);
118 }
119 
120 bool
121 Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
122 {
123  if (!Auth::SchemeConfig::dump(entry, name, scheme))
124  return false; // not configured
125 
126  storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
127  storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
128  return true;
129 }
130 
132  credentialsTTL( 2*60*60 ),
133  casesensitive(0)
134 {
135  static const SBuf defaultRealm("Squid proxy-caching web server");
136  realm = defaultRealm;
137 }
138 
139 void
140 Auth::Basic::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
141 {
142  if (strcmp(param_str, "credentialsttl") == 0) {
143  parse_time_t(&credentialsTTL);
144  } else if (strcmp(param_str, "casesensitive") == 0) {
145  parse_onoff(&casesensitive);
146  } else
147  Auth::SchemeConfig::parse(scheme, n_configured, param_str);
148 }
149 
150 static void
152 {
154  basicauthenticators->packStatsInto(sentry, "Basic Authenticator Statistics");
155 }
156 
157 char *
158 Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader, const HttpRequest *request)
159 {
160  const char *proxy_auth = httpAuthHeader;
161 
162  /* trim BASIC from string */
163  while (xisgraph(*proxy_auth))
164  ++proxy_auth;
165 
166  /* Trim leading whitespace before decoding */
167  while (xisspace(*proxy_auth))
168  ++proxy_auth;
169 
170  /* Trim trailing \n before decoding */
171  // XXX: really? is the \n actually still there? does the header parse not drop it?
172  char *eek = xstrdup(proxy_auth);
173  strtok(eek, "\n");
174 
175  const size_t srcLen = strlen(eek);
176  char *cleartext = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1));
177 
178  struct base64_decode_ctx ctx;
179  base64_decode_init(&ctx);
180 
181  size_t dstLen = 0;
182  if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
183  cleartext[dstLen] = '\0';
184 
185  if (utf8 && !isValidUtf8String(cleartext, cleartext + dstLen)) {
186  auto str = isCP1251EncodingAllowed(request) ?
187  Cp1251ToUtf8(cleartext) : Latin1ToUtf8(cleartext);
188  safe_free(cleartext);
189  cleartext = xstrdup(str.c_str());
190  }
191 
192  /*
193  * Don't allow NL or CR in the credentials.
194  * Oezguer Kesim <oec@codeblau.de>
195  */
196  debugs(29, 9, HERE << "'" << cleartext << "'");
197 
198  if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
199  debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
200  safe_free(cleartext);
201  }
202  } else {
203  debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'");
204  safe_free(cleartext);
205  }
206 
207  safe_free(eek);
208  return cleartext;
209 }
210 
219 Auth::Basic::Config::decode(char const *proxy_auth, const HttpRequest *request, const char *aRequestRealm)
220 {
221  Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
222  /* decode the username */
223 
224  // retrieve the cleartext (in a dynamically allocated char*)
225  const auto cleartext = decodeCleartext(proxy_auth, request);
226 
227  // empty header? no auth details produced...
228  if (!cleartext)
229  return auth_user_request;
230 
232  /* permitted because local_basic is purely local function scope. */
233  Auth::Basic::User *local_basic = NULL;
234 
235  char *separator = strchr(cleartext, ':');
236 
237  lb = local_basic = new Auth::Basic::User(this, aRequestRealm);
238 
239  if (separator) {
240  /* terminate the username */
241  *separator = '\0';
242  local_basic->passwd = xstrdup(separator+1);
243  }
244 
245  if (!casesensitive)
246  Tolower(cleartext);
247  local_basic->username(cleartext);
248 
249  if (local_basic->passwd == NULL) {
250  debugs(29, 4, HERE << "no password in proxy authorization header '" << proxy_auth << "'");
251  auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
252  } else {
253  if (local_basic->passwd[0] == '\0') {
254  debugs(29, 4, HERE << "Disallowing empty password. User is '" << local_basic->username() << "'");
255  safe_free(local_basic->passwd);
256  auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
257  }
258  }
259 
260  xfree(cleartext);
261 
262  if (!local_basic->valid()) {
263  lb->auth_type = Auth::AUTH_BROKEN;
264  auth_user_request->user(lb);
265  return auth_user_request;
266  }
267 
268  /* now lookup and see if we have a matching auth_user structure in memory. */
269  Auth::User::Pointer auth_user;
270 
271  if (!(auth_user = Auth::Basic::User::Cache()->lookup(lb->userKey()))) {
272  /* the user doesn't exist in the username cache yet */
273  /* save the credentials */
274  debugs(29, 9, HERE << "Creating new user '" << lb->username() << "'");
275  /* set the auth_user type */
276  lb->auth_type = Auth::AUTH_BASIC;
277  /* current time for timeouts */
278  lb->expiretime = current_time.tv_sec;
279 
280  /* this basic_user struct is the 'lucky one' to get added to the username cache */
281  /* the requests after this link to the basic_user */
282  /* store user in hash */
283  lb->addToNameCache();
284 
285  auth_user = lb;
286  assert(auth_user != NULL);
287  } else {
288  /* replace the current cached password with the new one */
289  Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw());
290  assert(basic_auth);
291  basic_auth->updateCached(local_basic);
292  auth_user = basic_auth;
293  }
294 
295  /* link the request to the in-cache user */
296  auth_user_request->user(auth_user);
297  return auth_user_request;
298 }
299 
302 void
303 Auth::Basic::Config::init(Auth::SchemeConfig *)
304 {
305  if (authenticateProgram) {
307 
308  if (basicauthenticators == NULL)
309  basicauthenticators = new helper("basicauthenticator");
310 
311  basicauthenticators->cmdline = authenticateProgram;
312 
313  basicauthenticators->childs.updateLimits(authenticateChildren);
314 
316 
318  }
319 }
320 
321 void
322 Auth::Basic::Config::registerWithCacheManager(void)
323 {
324  Mgr::RegisterAction("basicauthenticator",
325  "Basic User Authenticator Stats",
326  authenticateBasicStats, 0, 1);
327 }
328 
helper * basicauthenticators
Definition: Config.cc:40
void helperOpenServers(helper *hlp)
Definition: helper.cc:196
Helper::ChildConfig childs
Configuration settings for number running.
Definition: helper.h:110
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
wordlist * cmdline
Definition: helper.h:106
#define xmalloc
HttpHeader header
Definition: Message.h:75
void base64_decode_init(struct base64_decode_ctx *ctx)
Definition: base64.c:54
void storeAppendPrintf(StoreEntry *e, const char *fmt,...)
Definition: store.cc:881
int ipc_type
Definition: helper.h:111
Definition: SBuf.h:86
#define xstrdup
int type
Definition: errorpage.cc:152
C * getRaw() const
Definition: RefCount.h:80
static struct node * parse(FILE *fp)
Definition: parse.c:994
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
SQUIDCEXTERN void Tolower(char *)
Definition: util.c:28
#define DBG_IMPORTANT
Definition: Debug.h:46
void httpHeaderPutStrf(HttpHeader *hdr, Http::HdrType id, const char *fmt,...)
virtual void parse(SchemeConfig *, int, char *)
Definition: SchemeConfig.cc:84
SBuf Latin1ToUtf8(const char *in)
converts ISO-LATIN-1 to UTF-8
Definition: toUtf.cc:14
int base64_decode_final(struct base64_decode_ctx *ctx)
Definition: base64.c:159
void parse_time_t(time_t *var)
Definition: cache_cf.cc:2981
#define NULL
Definition: types.h:166
#define SQUIDSBUFPRINT(s)
Definition: SBuf.h:32
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:128
static int authbasic_initialised
Definition: Config.cc:42
Definition: helper.h:63
struct _Cache Cache
#define xisgraph(x)
Definition: xis.h:30
std::ostream & HERE(std::ostream &s)
Definition: Debug.h:157
#define safe_free(x)
Definition: xalloc.h:73
#define assert(EX)
Definition: assert.h:19
int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src)
Definition: base64.c:129
void helperShutdown(helper *hlp)
Definition: helper.cc:735
static AUTHSSTATS authenticateBasicStats
Definition: Config.cc:38
void packStatsInto(Packable *p, const char *label=NULL) const
Dump some stats about the helper state to a Packable object.
Definition: helper.cc:672
bool isValidUtf8String(const char *source, const char *sourceEnd)
returns whether the given input is a valid (or empty) sequence of UTF-8 code points
Definition: toUtf.cc:166
#define xfree
void AUTHSSTATS(StoreEntry *)
Definition: Gadgets.h:21
struct timeval current_time
Definition: stub_time.cc:15
void parse_onoff(int *var)
Definition: cache_cf.cc:2572
virtual void done()
virtual bool dump(StoreEntry *, const char *, SchemeConfig *) const
#define xisspace(x)
Definition: xis.h:17
void RegisterAction(char const *action, char const *desc, OBJH *handler, int pw_req_flag, int atomic)
Definition: Registration.cc:16
#define IPC_STREAM
Definition: defines.h:161
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291
SBuf Cp1251ToUtf8(const char *in)
converts CP1251 to UTF-8
Definition: toUtf.cc:35
#define SQUIDSBUFPH
Definition: SBuf.h:31
#define BASE64_DECODE_LENGTH(length)
Definition: base64.h:120
class SquidConfig Config
Definition: SquidConfig.cc:12

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors