Config.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 29 Authenticator */
10 
11 /* The functions in this file handle authentication.
12  * They DO NOT perform access control or auditing.
13  * See acl.c for access control and client_side.c for auditing */
14 
15 #include "squid.h"
16 #include "auth/basic/Config.h"
17 #include "auth/basic/Scheme.h"
18 #include "auth/basic/User.h"
19 #include "auth/basic/UserRequest.h"
20 #include "auth/CredentialsCache.h"
21 #include "auth/Gadgets.h"
22 #include "auth/State.h"
23 #include "auth/toUtf.h"
24 #include "base64.h"
25 #include "cache_cf.h"
26 #include "helper.h"
27 #include "HttpHeaderTools.h"
28 #include "HttpReply.h"
29 #include "mgr/Registration.h"
30 #include "rfc1738.h"
31 #include "sbuf/SBuf.h"
32 #include "Store.h"
33 #include "util.h"
34 #include "wordlist.h"
35 
36 /* Basic Scheme */
38 
40 
41 static int authbasic_initialised = 0;
42 
43 /*
44  *
45  * Public Functions
46  *
47  */
48 
49 /* internal functions */
50 
51 bool
52 Auth::Basic::Config::active() const
53 {
54  return authbasic_initialised == 1;
55 }
56 
57 bool
58 Auth::Basic::Config::configured() const
59 {
60  if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0) && !realm.isEmpty()) {
61  debugs(29, 9, "returning configured");
62  return true;
63  }
64 
65  debugs(29, 9, "returning unconfigured");
66  return false;
67 }
68 
69 const char *
71 {
72  return Auth::Basic::Scheme::GetInstance()->type();
73 }
74 
75 void
76 Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer, HttpReply *rep, Http::HdrType hdrType, HttpRequest *)
77 {
78  if (authenticateProgram) {
79  if (utf8) {
80  debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\", charset=\"UTF-8\"'");
81  httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\", charset=\"UTF-8\"", SQUIDSBUFPRINT(realm));
82  } else {
83  debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\"'");
84  httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\"", SQUIDSBUFPRINT(realm));
85  }
86  }
87 }
88 
89 void
90 Auth::Basic::Config::rotateHelpers()
91 {
92  /* schedule closure of existing helpers */
93  if (basicauthenticators) {
95  }
96 
97  /* NP: dynamic helper restart will ensure they start up again as needed. */
98 }
99 
101 void
102 Auth::Basic::Config::done()
103 {
105 
107 
108  if (basicauthenticators) {
110  }
111 
112  delete basicauthenticators;
114 
115  if (authenticateProgram)
116  wordlistDestroy(&authenticateProgram);
117 }
118 
119 bool
120 Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
121 {
122  if (!Auth::SchemeConfig::dump(entry, name, scheme))
123  return false; // not configured
124 
125  storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
126  storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
127  return true;
128 }
129 
131  credentialsTTL( 2*60*60 ),
132  casesensitive(0)
133 {
134  static const SBuf defaultRealm("Squid proxy-caching web server");
135  realm = defaultRealm;
136 }
137 
138 void
139 Auth::Basic::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
140 {
141  if (strcmp(param_str, "credentialsttl") == 0) {
142  parse_time_t(&credentialsTTL);
143  } else if (strcmp(param_str, "casesensitive") == 0) {
144  parse_onoff(&casesensitive);
145  } else
146  Auth::SchemeConfig::parse(scheme, n_configured, param_str);
147 }
148 
149 static void
151 {
153  basicauthenticators->packStatsInto(sentry, "Basic Authenticator Statistics");
154 }
155 
156 char *
157 Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader, const HttpRequest *request)
158 {
159  const char *proxy_auth = httpAuthHeader;
160 
161  /* trim BASIC from string */
162  while (xisgraph(*proxy_auth))
163  ++proxy_auth;
164 
165  /* Trim leading whitespace before decoding */
166  while (xisspace(*proxy_auth))
167  ++proxy_auth;
168 
169  /* Trim trailing \n before decoding */
170  // XXX: really? is the \n actually still there? does the header parse not drop it?
171  char *eek = xstrdup(proxy_auth);
172  strtok(eek, "\n");
173 
174  const size_t srcLen = strlen(eek);
175  char *cleartext = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1));
176 
177  struct base64_decode_ctx ctx;
178  base64_decode_init(&ctx);
179 
180  size_t dstLen = 0;
181  if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
182  cleartext[dstLen] = '\0';
183 
184  if (utf8 && !isValidUtf8String(cleartext, cleartext + dstLen)) {
185  auto str = isCP1251EncodingAllowed(request) ?
186  Cp1251ToUtf8(cleartext) : Latin1ToUtf8(cleartext);
187  safe_free(cleartext);
188  cleartext = xstrdup(str.c_str());
189  }
190 
191  /*
192  * Don't allow NL or CR in the credentials.
193  * Oezguer Kesim <oec@codeblau.de>
194  */
195  debugs(29, 9, "'" << cleartext << "'");
196 
197  if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
198  debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
199  safe_free(cleartext);
200  }
201  } else {
202  debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'");
203  safe_free(cleartext);
204  }
205 
206  safe_free(eek);
207  return cleartext;
208 }
209 
218 Auth::Basic::Config::decode(char const *proxy_auth, const HttpRequest *request, const char *aRequestRealm)
219 {
220  Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
221  /* decode the username */
222 
223  // retrieve the cleartext (in a dynamically allocated char*)
224  const auto cleartext = decodeCleartext(proxy_auth, request);
225 
226  // empty header? no auth details produced...
227  if (!cleartext)
228  return auth_user_request;
229 
231  /* permitted because local_basic is purely local function scope. */
232  Auth::Basic::User *local_basic = NULL;
233 
234  char *separator = strchr(cleartext, ':');
235 
236  lb = local_basic = new Auth::Basic::User(this, aRequestRealm);
237 
238  if (separator) {
239  /* terminate the username */
240  *separator = '\0';
241  local_basic->passwd = xstrdup(separator+1);
242  }
243 
244  if (!casesensitive)
245  Tolower(cleartext);
246  local_basic->username(cleartext);
247 
248  if (local_basic->passwd == NULL) {
249  debugs(29, 4, "no password in proxy authorization header '" << proxy_auth << "'");
250  auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
251  } else {
252  if (local_basic->passwd[0] == '\0') {
253  debugs(29, 4, "Disallowing empty password. User is '" << local_basic->username() << "'");
254  safe_free(local_basic->passwd);
255  auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
256  }
257  }
258 
259  xfree(cleartext);
260 
261  if (!local_basic->valid()) {
262  lb->auth_type = Auth::AUTH_BROKEN;
263  auth_user_request->user(lb);
264  return auth_user_request;
265  }
266 
267  /* now lookup and see if we have a matching auth_user structure in memory. */
268  Auth::User::Pointer auth_user;
269 
270  if (!(auth_user = Auth::Basic::User::Cache()->lookup(lb->userKey()))) {
271  /* the user doesn't exist in the username cache yet */
272  /* save the credentials */
273  debugs(29, 9, "Creating new user '" << lb->username() << "'");
274  /* set the auth_user type */
275  lb->auth_type = Auth::AUTH_BASIC;
276  /* current time for timeouts */
277  lb->expiretime = current_time.tv_sec;
278 
279  /* this basic_user struct is the 'lucky one' to get added to the username cache */
280  /* the requests after this link to the basic_user */
281  /* store user in hash */
282  lb->addToNameCache();
283 
284  auth_user = lb;
285  assert(auth_user != NULL);
286  } else {
287  /* replace the current cached password with the new one */
288  Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw());
289  assert(basic_auth);
290  basic_auth->updateCached(local_basic);
291  auth_user = basic_auth;
292  }
293 
294  /* link the request to the in-cache user */
295  auth_user_request->user(auth_user);
296  return auth_user_request;
297 }
298 
301 void
302 Auth::Basic::Config::init(Auth::SchemeConfig *)
303 {
304  if (authenticateProgram) {
306 
307  if (basicauthenticators == NULL)
308  basicauthenticators = new helper("basicauthenticator");
309 
310  basicauthenticators->cmdline = authenticateProgram;
311 
312  basicauthenticators->childs.updateLimits(authenticateChildren);
313 
315 
317  }
318 }
319 
320 void
321 Auth::Basic::Config::registerWithCacheManager(void)
322 {
323  Mgr::RegisterAction("basicauthenticator",
324  "Basic User Authenticator Stats",
325  authenticateBasicStats, 0, 1);
326 }
327 
helper * basicauthenticators
Definition: Config.cc:39
void helperOpenServers(helper *hlp)
Definition: helper.cc:201
Helper::ChildConfig childs
Configuration settings for number running.
Definition: helper.h:111
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
wordlist * cmdline
Definition: helper.h:107
#define xmalloc
HttpHeader header
Definition: Message.h:75
void base64_decode_init(struct base64_decode_ctx *ctx)
Definition: base64.c:54
void storeAppendPrintf(StoreEntry *e, const char *fmt,...)
Definition: store.cc:830
int ipc_type
Definition: helper.h:112
Definition: SBuf.h:94
#define xstrdup
int type
Definition: errorpage.cc:152
C * getRaw() const
Definition: RefCount.h:80
static struct node * parse(FILE *fp)
Definition: parse.c:965
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
SQUIDCEXTERN void Tolower(char *)
Definition: util.c:28
void setDenyMessage(char const *)
Definition: UserRequest.cc:114
virtual User::Pointer user()
Definition: UserRequest.h:143
void httpHeaderPutStrf(HttpHeader *hdr, Http::HdrType id, const char *fmt,...)
virtual void parse(SchemeConfig *, int, char *)
Definition: SchemeConfig.cc:84
SBuf Latin1ToUtf8(const char *in)
converts ISO-LATIN-1 to UTF-8
Definition: toUtf.cc:16
int base64_decode_final(struct base64_decode_ctx *ctx)
Definition: base64.c:159
struct timeval current_time
the current UNIX time in timeval {seconds, microseconds} format
Definition: gadgets.cc:17
void parse_time_t(time_t *var)
Definition: cache_cf.cc:2987
#define NULL
Definition: types.h:166
#define SQUIDSBUFPRINT(s)
Definition: SBuf.h:32
static int authbasic_initialised
Definition: Config.cc:41
Definition: helper.h:64
struct _Cache Cache
#define xisgraph(x)
Definition: xis.h:30
#define safe_free(x)
Definition: xalloc.h:73
#define assert(EX)
Definition: assert.h:19
int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src)
Definition: base64.c:129
void helperShutdown(helper *hlp)
Definition: helper.cc:740
static AUTHSSTATS authenticateBasicStats
Definition: Config.cc:37
void packStatsInto(Packable *p, const char *label=NULL) const
Dump some stats about the helper state to a Packable object.
Definition: helper.cc:677
bool isValidUtf8String(const char *source, const char *sourceEnd)
returns whether the given input is a valid (or empty) sequence of UTF-8 code points
Definition: toUtf.cc:172
#define xfree
void AUTHSSTATS(StoreEntry *)
Definition: Gadgets.h:21
@ AUTH_BASIC
Definition: Type.h:19
#define DBG_IMPORTANT
Definition: Stream.h:41
void parse_onoff(int *var)
Definition: cache_cf.cc:2616
virtual void done()
virtual bool dump(StoreEntry *, const char *, SchemeConfig *) const
@ AUTH_BROKEN
Definition: Type.h:23
#define xisspace(x)
Definition: xis.h:17
void RegisterAction(char const *action, char const *desc, OBJH *handler, int pw_req_flag, int atomic)
Definition: Registration.cc:16
#define IPC_STREAM
Definition: defines.h:108
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:196
SBuf Cp1251ToUtf8(const char *in)
converts CP1251 to UTF-8
Definition: toUtf.cc:37
#define SQUIDSBUFPH
Definition: SBuf.h:31
#define BASE64_DECODE_LENGTH(length)
Definition: base64.h:120
class SquidConfig Config
Definition: SquidConfig.cc:12

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors