Config.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 29 Authenticator */
10 
11 /* The functions in this file handle authentication.
12  * They DO NOT perform access control or auditing.
13  * See acl.c for access control and client_side.c for auditing */
14 
15 #include "squid.h"
16 #include "auth/basic/Config.h"
17 #include "auth/basic/Scheme.h"
18 #include "auth/basic/User.h"
19 #include "auth/basic/UserRequest.h"
20 #include "auth/CredentialsCache.h"
21 #include "auth/Gadgets.h"
22 #include "auth/State.h"
23 #include "cache_cf.h"
24 #include "charset.h"
25 #include "helper.h"
26 #include "HttpHeaderTools.h"
27 #include "HttpReply.h"
28 #include "mgr/Registration.h"
29 #include "rfc1738.h"
30 #include "SquidTime.h"
31 #include "Store.h"
32 #include "util.h"
33 #include "uudecode.h"
34 #include "wordlist.h"
35 
36 /* Basic Scheme */
38 
39 helper *basicauthenticators = NULL;
40 
41 static int authbasic_initialised = 0;
42 
43 /*
44  *
45  * Public Functions
46  *
47  */
48 
49 /* internal functions */
50 
51 bool
52 Auth::Basic::Config::active() const
53 {
54  return authbasic_initialised == 1;
55 }
56 
57 bool
58 Auth::Basic::Config::configured() const
59 {
60  if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0) && !realm.isEmpty()) {
61  debugs(29, 9, HERE << "returning configured");
62  return true;
63  }
64 
65  debugs(29, 9, HERE << "returning unconfigured");
66  return false;
67 }
68 
69 const char *
71 {
72  return Auth::Basic::Scheme::GetInstance()->type();
73 }
74 
75 void
76 Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer, HttpReply *rep, Http::HdrType hdrType, HttpRequest *)
77 {
78  if (authenticateProgram) {
79  debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\"'");
80  httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\"", SQUIDSBUFPRINT(realm));
81  }
82 }
83 
84 void
85 Auth::Basic::Config::rotateHelpers()
86 {
87  /* schedule closure of existing helpers */
88  if (basicauthenticators) {
89  helperShutdown(basicauthenticators);
90  }
91 
92  /* NP: dynamic helper restart will ensure they start up again as needed. */
93 }
94 
96 void
97 Auth::Basic::Config::done()
98 {
100 
101  authbasic_initialised = 0;
102 
103  if (basicauthenticators) {
104  helperShutdown(basicauthenticators);
105  }
106 
107  delete basicauthenticators;
108  basicauthenticators = NULL;
109 
110  if (authenticateProgram)
111  wordlistDestroy(&authenticateProgram);
112 }
113 
114 bool
115 Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
116 {
117  if (!Auth::SchemeConfig::dump(entry, name, scheme))
118  return false; // not configured
119 
120  storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
121  storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
122  return true;
123 }
124 
126  credentialsTTL( 2*60*60 ),
127  casesensitive(0)
128 {
129  static const SBuf defaultRealm("Squid proxy-caching web server");
130  realm = defaultRealm;
131 }
132 
133 void
134 Auth::Basic::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
135 {
136  if (strcmp(param_str, "credentialsttl") == 0) {
137  parse_time_t(&credentialsTTL);
138  } else if (strcmp(param_str, "casesensitive") == 0) {
139  parse_onoff(&casesensitive);
140  } else
141  Auth::SchemeConfig::parse(scheme, n_configured, param_str);
142 }
143 
144 static void
146 {
147  if (basicauthenticators)
148  basicauthenticators->packStatsInto(sentry, "Basic Authenticator Statistics");
149 }
150 
151 char *
152 Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader)
153 {
154  const char *proxy_auth = httpAuthHeader;
155 
156  /* trim BASIC from string */
157  while (xisgraph(*proxy_auth))
158  ++proxy_auth;
159 
160  /* Trim leading whitespace before decoding */
161  while (xisspace(*proxy_auth))
162  ++proxy_auth;
163 
164  /* Trim trailing \n before decoding */
165  // XXX: really? is the \n actually still there? does the header parse not drop it?
166  char *eek = xstrdup(proxy_auth);
167  strtok(eek, "\n");
168  char *cleartext = uudecode(eek);
169  safe_free(eek);
170 
171  if (cleartext) {
172  /*
173  * Don't allow NL or CR in the credentials.
174  * Oezguer Kesim <oec@codeblau.de>
175  */
176  debugs(29, 9, HERE << "'" << cleartext << "'");
177 
178  if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
179  debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
180  safe_free(cleartext);
181  }
182  }
183  return cleartext;
184 }
185 
194 Auth::Basic::Config::decode(char const *proxy_auth, const char *aRequestRealm)
195 {
196  Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
197  /* decode the username */
198 
199  // retrieve the cleartext (in a dynamically allocated char*)
200  char *cleartext = decodeCleartext(proxy_auth);
201 
202  // empty header? no auth details produced...
203  if (!cleartext)
204  return auth_user_request;
205 
207  /* permitted because local_basic is purely local function scope. */
208  Auth::Basic::User *local_basic = NULL;
209 
210  char *separator = strchr(cleartext, ':');
211 
212  lb = local_basic = new Auth::Basic::User(this, aRequestRealm);
213 
214  if (separator) {
215  /* terminate the username */
216  *separator = '\0';
217  local_basic->passwd = xstrdup(separator+1);
218  }
219 
220  if (!casesensitive)
221  Tolower(cleartext);
222  local_basic->username(cleartext);
223 
224  if (local_basic->passwd == NULL) {
225  debugs(29, 4, HERE << "no password in proxy authorization header '" << proxy_auth << "'");
226  auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
227  } else {
228  if (local_basic->passwd[0] == '\0') {
229  debugs(29, 4, HERE << "Disallowing empty password. User is '" << local_basic->username() << "'");
230  safe_free(local_basic->passwd);
231  auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
232  }
233  }
234 
235  xfree(cleartext);
236 
237  if (!local_basic->valid()) {
238  lb->auth_type = Auth::AUTH_BROKEN;
239  auth_user_request->user(lb);
240  return auth_user_request;
241  }
242 
243  /* now lookup and see if we have a matching auth_user structure in memory. */
244  Auth::User::Pointer auth_user;
245 
246  if (!(auth_user = Auth::Basic::User::Cache()->lookup(lb->userKey()))) {
247  /* the user doesn't exist in the username cache yet */
248  /* save the credentials */
249  debugs(29, 9, HERE << "Creating new user '" << lb->username() << "'");
250  /* set the auth_user type */
251  lb->auth_type = Auth::AUTH_BASIC;
252  /* current time for timeouts */
253  lb->expiretime = current_time.tv_sec;
254 
255  /* this basic_user struct is the 'lucky one' to get added to the username cache */
256  /* the requests after this link to the basic_user */
257  /* store user in hash */
258  lb->addToNameCache();
259 
260  auth_user = lb;
261  assert(auth_user != NULL);
262  } else {
263  /* replace the current cached password with the new one */
264  Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw());
265  assert(basic_auth);
266  basic_auth->updateCached(local_basic);
267  auth_user = basic_auth;
268  }
269 
270  /* link the request to the in-cache user */
271  auth_user_request->user(auth_user);
272  return auth_user_request;
273 }
274 
277 void
278 Auth::Basic::Config::init(Auth::SchemeConfig *)
279 {
280  if (authenticateProgram) {
281  authbasic_initialised = 1;
282 
283  if (basicauthenticators == NULL)
284  basicauthenticators = new helper("basicauthenticator");
285 
286  basicauthenticators->cmdline = authenticateProgram;
287 
288  basicauthenticators->childs.updateLimits(authenticateChildren);
289 
290  basicauthenticators->ipc_type = IPC_STREAM;
291 
292  helperOpenServers(basicauthenticators);
293  }
294 }
295 
296 void
297 Auth::Basic::Config::registerWithCacheManager(void)
298 {
299  Mgr::RegisterAction("basicauthenticator",
300  "Basic User Authenticator Stats",
301  authenticateBasicStats, 0, 1);
302 }
303 
#define assert(EX)
Definition: assert.h:17
void parse_time_t(time_t *var)
Definition: cache_cf.cc:2982
void AUTHSSTATS(StoreEntry *)
Definition: Gadgets.h:21
void packStatsInto(Packable *p, const char *label=NULL) const
Dump some stats about the helper state to a Packable object.
Definition: helper.cc:553
virtual void done()
int type
Definition: errorpage.cc:79
Definition: SBuf.h:87
helper * basicauthenticators
Definition: Config.cc:39
#define xstrdup
Definition: helper.h:60
Helper::ChildConfig childs
Configuration settings for number running.
Definition: helper.h:102
static struct node * parse(FILE *fp)
Definition: parse.c:995
#define safe_free(x)
Definition: xalloc.h:73
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
wordlist * cmdline
Definition: helper.h:98
void helperShutdown(helper *hlp)
Definition: helper.cc:616
int ipc_type
Definition: helper.h:103
void parse_onoff(int *var)
Definition: cache_cf.cc:2573
#define xisspace(x)
Definition: xis.h:17
struct _Cache Cache
SQUIDCEXTERN void Tolower(char *)
Definition: util.c:28
struct timeval current_time
Definition: stub_time.cc:15
void httpHeaderPutStrf(HttpHeader *hdr, Http::HdrType id, const char *fmt,...)
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:123
#define DBG_IMPORTANT
Definition: Debug.h:45
void RegisterAction(char const *action, char const *desc, OBJH *handler, int pw_req_flag, int atomic)
Definition: Registration.cc:16
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
#define IPC_STREAM
Definition: defines.h:161
virtual void parse(SchemeConfig *, int, char *)
Definition: SchemeConfig.cc:83
#define xisgraph(x)
Definition: xis.h:30
void helperOpenServers(helper *hlp)
Definition: helper.cc:125
std::ostream & HERE(std::ostream &s)
Definition: Debug.h:147
HttpHeader header
Definition: Message.h:74
#define SQUIDSBUFPH
Definition: SBuf.h:32
static int authbasic_initialised
Definition: Config.cc:41
virtual bool dump(StoreEntry *, const char *, SchemeConfig *) const
#define xfree
static AUTHSSTATS authenticateBasicStats
Definition: Config.cc:37
#define SQUIDSBUFPRINT(s)
Definition: SBuf.h:33
void storeAppendPrintf(StoreEntry *e, const char *fmt,...)
Definition: store.cc:904
char * uudecode(const char *)
Definition: uudecode.c:28
C * getRaw() const
Definition: RefCount.h:74
class SquidConfig Config
Definition: SquidConfig.cc:12
#define NULL
Definition: types.h:166

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors