Config.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2019 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 29 Authenticator */
10 
11 /* The functions in this file handle authentication.
12  * They DO NOT perform access control or auditing.
13  * See acl.c for access control and client_side.c for auditing */
14 
15 #include "squid.h"
16 #include "auth/basic/Config.h"
17 #include "auth/basic/Scheme.h"
18 #include "auth/basic/User.h"
19 #include "auth/basic/UserRequest.h"
20 #include "auth/CredentialsCache.h"
21 #include "auth/Gadgets.h"
22 #include "auth/State.h"
23 #include "base64.h"
24 #include "cache_cf.h"
25 #include "charset.h"
26 #include "helper.h"
27 #include "HttpHeaderTools.h"
28 #include "HttpReply.h"
29 #include "mgr/Registration.h"
30 #include "rfc1738.h"
31 #include "SquidTime.h"
32 #include "Store.h"
33 #include "util.h"
34 #include "wordlist.h"
35 
36 /* Basic Scheme */
38 
39 helper *basicauthenticators = NULL;
40 
41 static int authbasic_initialised = 0;
42 
43 /*
44  *
45  * Public Functions
46  *
47  */
48 
49 /* internal functions */
50 
51 bool
52 Auth::Basic::Config::active() const
53 {
54  return authbasic_initialised == 1;
55 }
56 
57 bool
58 Auth::Basic::Config::configured() const
59 {
60  if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0) && !realm.isEmpty()) {
61  debugs(29, 9, HERE << "returning configured");
62  return true;
63  }
64 
65  debugs(29, 9, HERE << "returning unconfigured");
66  return false;
67 }
68 
69 const char *
71 {
72  return Auth::Basic::Scheme::GetInstance()->type();
73 }
74 
75 void
76 Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer, HttpReply *rep, Http::HdrType hdrType, HttpRequest *)
77 {
78  if (authenticateProgram) {
79  debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\"'");
80  httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\"", SQUIDSBUFPRINT(realm));
81  }
82 }
83 
84 void
85 Auth::Basic::Config::rotateHelpers()
86 {
87  /* schedule closure of existing helpers */
88  if (basicauthenticators) {
89  helperShutdown(basicauthenticators);
90  }
91 
92  /* NP: dynamic helper restart will ensure they start up again as needed. */
93 }
94 
96 void
97 Auth::Basic::Config::done()
98 {
100 
102 
103  if (basicauthenticators) {
104  helperShutdown(basicauthenticators);
105  }
106 
107  delete basicauthenticators;
108  basicauthenticators = NULL;
109 
110  if (authenticateProgram)
111  wordlistDestroy(&authenticateProgram);
112 }
113 
114 bool
115 Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
116 {
117  if (!Auth::SchemeConfig::dump(entry, name, scheme))
118  return false; // not configured
119 
120  storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
121  storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
122  return true;
123 }
124 
126  credentialsTTL( 2*60*60 ),
127  casesensitive(0)
128 {
129  static const SBuf defaultRealm("Squid proxy-caching web server");
130  realm = defaultRealm;
131 }
132 
133 void
134 Auth::Basic::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
135 {
136  if (strcmp(param_str, "credentialsttl") == 0) {
137  parse_time_t(&credentialsTTL);
138  } else if (strcmp(param_str, "casesensitive") == 0) {
139  parse_onoff(&casesensitive);
140  } else
141  Auth::SchemeConfig::parse(scheme, n_configured, param_str);
142 }
143 
144 static void
146 {
147  if (basicauthenticators)
148  basicauthenticators->packStatsInto(sentry, "Basic Authenticator Statistics");
149 }
150 
151 char *
152 Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader)
153 {
154  const char *proxy_auth = httpAuthHeader;
155 
156  /* trim BASIC from string */
157  while (xisgraph(*proxy_auth))
158  ++proxy_auth;
159 
160  /* Trim leading whitespace before decoding */
161  while (xisspace(*proxy_auth))
162  ++proxy_auth;
163 
164  /* Trim trailing \n before decoding */
165  // XXX: really? is the \n actually still there? does the header parse not drop it?
166  char *eek = xstrdup(proxy_auth);
167  strtok(eek, "\n");
168 
169  const size_t srcLen = strlen(eek);
170  char *cleartext = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1));
171 
172  struct base64_decode_ctx ctx;
173  base64_decode_init(&ctx);
174 
175  size_t dstLen = 0;
176  if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
177  cleartext[dstLen] = '\0';
178 
179  /*
180  * Don't allow NL or CR in the credentials.
181  * Oezguer Kesim <oec@codeblau.de>
182  */
183  debugs(29, 9, HERE << "'" << cleartext << "'");
184 
185  if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
186  debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
187  safe_free(cleartext);
188  }
189  } else {
190  debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'");
191  safe_free(cleartext);
192  }
193 
194  safe_free(eek);
195  return cleartext;
196 }
197 
206 Auth::Basic::Config::decode(char const *proxy_auth, const char *aRequestRealm)
207 {
208  Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
209  /* decode the username */
210 
211  // retrieve the cleartext (in a dynamically allocated char*)
212  char *cleartext = decodeCleartext(proxy_auth);
213 
214  // empty header? no auth details produced...
215  if (!cleartext)
216  return auth_user_request;
217 
219  /* permitted because local_basic is purely local function scope. */
220  Auth::Basic::User *local_basic = NULL;
221 
222  char *separator = strchr(cleartext, ':');
223 
224  lb = local_basic = new Auth::Basic::User(this, aRequestRealm);
225 
226  if (separator) {
227  /* terminate the username */
228  *separator = '\0';
229  local_basic->passwd = xstrdup(separator+1);
230  }
231 
232  if (!casesensitive)
233  Tolower(cleartext);
234  local_basic->username(cleartext);
235 
236  if (local_basic->passwd == NULL) {
237  debugs(29, 4, HERE << "no password in proxy authorization header '" << proxy_auth << "'");
238  auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
239  } else {
240  if (local_basic->passwd[0] == '\0') {
241  debugs(29, 4, HERE << "Disallowing empty password. User is '" << local_basic->username() << "'");
242  safe_free(local_basic->passwd);
243  auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
244  }
245  }
246 
247  xfree(cleartext);
248 
249  if (!local_basic->valid()) {
250  lb->auth_type = Auth::AUTH_BROKEN;
251  auth_user_request->user(lb);
252  return auth_user_request;
253  }
254 
255  /* now lookup and see if we have a matching auth_user structure in memory. */
256  Auth::User::Pointer auth_user;
257 
258  if (!(auth_user = Auth::Basic::User::Cache()->lookup(lb->userKey()))) {
259  /* the user doesn't exist in the username cache yet */
260  /* save the credentials */
261  debugs(29, 9, HERE << "Creating new user '" << lb->username() << "'");
262  /* set the auth_user type */
263  lb->auth_type = Auth::AUTH_BASIC;
264  /* current time for timeouts */
265  lb->expiretime = current_time.tv_sec;
266 
267  /* this basic_user struct is the 'lucky one' to get added to the username cache */
268  /* the requests after this link to the basic_user */
269  /* store user in hash */
270  lb->addToNameCache();
271 
272  auth_user = lb;
273  assert(auth_user != NULL);
274  } else {
275  /* replace the current cached password with the new one */
276  Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw());
277  assert(basic_auth);
278  basic_auth->updateCached(local_basic);
279  auth_user = basic_auth;
280  }
281 
282  /* link the request to the in-cache user */
283  auth_user_request->user(auth_user);
284  return auth_user_request;
285 }
286 
289 void
290 Auth::Basic::Config::init(Auth::SchemeConfig *)
291 {
292  if (authenticateProgram) {
294 
295  if (basicauthenticators == NULL)
296  basicauthenticators = new helper("basicauthenticator");
297 
298  basicauthenticators->cmdline = authenticateProgram;
299 
300  basicauthenticators->childs.updateLimits(authenticateChildren);
301 
302  basicauthenticators->ipc_type = IPC_STREAM;
303 
304  helperOpenServers(basicauthenticators);
305  }
306 }
307 
308 void
309 Auth::Basic::Config::registerWithCacheManager(void)
310 {
311  Mgr::RegisterAction("basicauthenticator",
312  "Basic User Authenticator Stats",
313  authenticateBasicStats, 0, 1);
314 }
315 
#define assert(EX)
Definition: assert.h:17
void parse_time_t(time_t *var)
Definition: cache_cf.cc:2980
void AUTHSSTATS(StoreEntry *)
Definition: Gadgets.h:21
virtual void done()
int type
Definition: errorpage.cc:152
Definition: SBuf.h:86
helper * basicauthenticators
Definition: Config.cc:39
#define xstrdup
Definition: helper.h:63
Helper::ChildConfig childs
Configuration settings for number running.
Definition: helper.h:110
static struct node * parse(FILE *fp)
Definition: parse.c:995
#define safe_free(x)
Definition: xalloc.h:73
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
wordlist * cmdline
Definition: helper.h:106
void helperShutdown(helper *hlp)
Definition: helper.cc:735
void base64_decode_init(struct base64_decode_ctx *ctx)
Definition: base64.c:54
int ipc_type
Definition: helper.h:111
void parse_onoff(int *var)
Definition: cache_cf.cc:2571
#define xisspace(x)
Definition: xis.h:17
struct _Cache Cache
SQUIDCEXTERN void Tolower(char *)
Definition: util.c:28
struct timeval current_time
Definition: stub_time.cc:15
#define BASE64_DECODE_LENGTH(length)
Definition: base64.h:120
void httpHeaderPutStrf(HttpHeader *hdr, Http::HdrType id, const char *fmt,...)
void packStatsInto(Packable *p, const char *label=NULL) const
Dump some stats about the helper state to a Packable object.
Definition: helper.cc:672
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:124
#define DBG_IMPORTANT
Definition: Debug.h:46
void RegisterAction(char const *action, char const *desc, OBJH *handler, int pw_req_flag, int atomic)
Definition: Registration.cc:16
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
void setDenyMessage(char const *)
Definition: UserRequest.cc:114
#define IPC_STREAM
Definition: defines.h:161
virtual void parse(SchemeConfig *, int, char *)
Definition: SchemeConfig.cc:83
#define xisgraph(x)
Definition: xis.h:30
void helperOpenServers(helper *hlp)
Definition: helper.cc:196
std::ostream & HERE(std::ostream &s)
Definition: Debug.h:153
HttpHeader header
Definition: Message.h:75
#define xmalloc
virtual User::Pointer user()
Definition: UserRequest.h:143
C * getRaw() const
Definition: RefCount.h:74
int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src)
Definition: base64.c:129
#define SQUIDSBUFPH
Definition: SBuf.h:31
static int authbasic_initialised
Definition: Config.cc:41
#define xfree
static AUTHSSTATS authenticateBasicStats
Definition: Config.cc:37
int base64_decode_final(struct base64_decode_ctx *ctx)
Definition: base64.c:159
#define SQUIDSBUFPRINT(s)
Definition: SBuf.h:32
void storeAppendPrintf(StoreEntry *e, const char *fmt,...)
Definition: store.cc:881
class SquidConfig Config
Definition: SquidConfig.cc:12
#define NULL
Definition: types.h:166
virtual bool dump(StoreEntry *, const char *, SchemeConfig *) const

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors