Config.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 29 Negotiate Authenticator */
10
11/* The functions in this file handle authentication.
12 * They DO NOT perform access control or auditing.
13 * See acl.c for access control and client_side.c for auditing */
14
15#include "squid.h"
16#include "auth/Gadgets.h"
19#include "auth/negotiate/User.h"
21#include "auth/State.h"
22#include "cache_cf.h"
23#include "client_side.h"
24#include "helper.h"
25#include "http/Stream.h"
26#include "HttpHeaderTools.h"
27#include "HttpReply.h"
28#include "HttpRequest.h"
29#include "mgr/Registration.h"
30#include "Store.h"
31#include "wordlist.h"
32
34
36
38
39static hash_table *proxy_auth_cache = nullptr;
40
41void
42Auth::Negotiate::Config::rotateHelpers()
43{
44 /* schedule closure of existing helpers */
47 }
48
49 /* NP: dynamic helper restart will ensure they start up again as needed. */
50}
51
52void
53Auth::Negotiate::Config::done()
54{
56
58
61 }
62
63 if (!shutting_down)
64 return;
65
67
68 if (authenticateProgram)
69 wordlistDestroy(&authenticateProgram);
70
71 debugs(29, DBG_IMPORTANT, "Reconfigure: Negotiate authentication configuration cleared.");
72}
73
74const char *
75Auth::Negotiate::Config::type() const
76{
77 return Auth::Negotiate::Scheme::GetInstance()->type();
78}
79
84void
85Auth::Negotiate::Config::init(Auth::SchemeConfig *)
86{
87 if (authenticateProgram) {
88
90
91 if (negotiateauthenticators == nullptr)
92 negotiateauthenticators = statefulhelper::Make("negotiateauthenticator");
93
96
98
99 negotiateauthenticators->cmdline = authenticateProgram;
100
101 negotiateauthenticators->childs.updateLimits(authenticateChildren);
102
104
106 }
107}
108
109void
110Auth::Negotiate::Config::registerWithCacheManager(void)
111{
112 Mgr::RegisterAction("negotiateauthenticator",
113 "Negotiate User Authenticator Stats",
115}
116
117bool
118Auth::Negotiate::Config::active() const
119{
120 return authnegotiate_initialised == 1;
121}
122
123bool
124Auth::Negotiate::Config::configured() const
125{
126 if (authenticateProgram && (authenticateChildren.n_max != 0)) {
127 debugs(29, 9, "returning configured");
128 return true;
129 }
130
131 debugs(29, 9, "returning unconfigured");
132 return false;
133}
134
135void
136Auth::Negotiate::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType reqType, HttpRequest * request)
137{
138 if (!authenticateProgram)
139 return;
140
141 /* Need keep-alive */
142 if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
143 return;
144
145 /* New request, no user details */
146 if (auth_user_request == nullptr) {
147 debugs(29, 9, "Sending type:" << reqType << " header: 'Negotiate'");
148 httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
149
150 if (!keep_alive) {
151 /* drop the connection */
152 rep->header.delByName("keep-alive");
153 request->flags.proxyKeepalive = false;
154 }
155 } else {
156 Auth::Negotiate::UserRequest *negotiate_request = dynamic_cast<Auth::Negotiate::UserRequest *>(auth_user_request.getRaw());
157 assert(negotiate_request != nullptr);
158
159 switch (negotiate_request->user()->credentials()) {
160
161 case Auth::Failed:
162 /* here it makes sense to drop the connection, as auth is
163 * tied to it, even if MAYBE the client could handle it - Kinkie */
164 rep->header.delByName("keep-alive");
165 request->flags.proxyKeepalive = false;
166 [[fallthrough]];
167
168 case Auth::Ok:
169 /* Special case: authentication finished OK but disallowed by ACL.
170 * Need to start over to give the client another chance.
171 */
172 if (negotiate_request->server_blob) {
173 debugs(29, 9, "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
174 httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
175 safe_free(negotiate_request->server_blob);
176 } else {
177 debugs(29, 9, "Connection authenticated");
178 httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
179 }
180 break;
181
182 case Auth::Unchecked:
183 /* semantic change: do not drop the connection.
184 * 2.5 implementation used to keep it open - Kinkie */
185 debugs(29, 9, "Sending type:" << reqType << " header: 'Negotiate'");
186 httpHeaderPutStrf(&rep->header, reqType, "Negotiate");
187 break;
188
189 case Auth::Handshake:
190 /* we're waiting for a response from the client. Pass it the blob */
191 debugs(29, 9, "Sending type:" << reqType << " header: 'Negotiate " << negotiate_request->server_blob << "'");
192 httpHeaderPutStrf(&rep->header, reqType, "Negotiate %s", negotiate_request->server_blob);
193 safe_free(negotiate_request->server_blob);
194 break;
195
196 default:
197 debugs(29, DBG_CRITICAL, "ERROR: Negotiate auth fixHeader: state " << negotiate_request->user()->credentials() << ".");
198 fatal("unexpected state in AuthenticateNegotiateFixErrorHeader.\n");
199 }
200 }
201}
202
203static void
205{
207 negotiateauthenticators->packStatsInto(sentry, "Negotiate Authenticator Statistics");
208}
209
210/*
211 * Decode a Negotiate [Proxy-]Auth string, placing the results in the passed
212 * Auth_user structure.
213 */
215Auth::Negotiate::Config::decode(char const *proxy_auth, const HttpRequest *, const char *aRequestRealm)
216{
217 Auth::Negotiate::User *newUser = new Auth::Negotiate::User(Auth::SchemeConfig::Find("negotiate"), aRequestRealm);
218 Auth::UserRequest *auth_user_request = new Auth::Negotiate::UserRequest();
219 assert(auth_user_request->user() == nullptr);
220
221 auth_user_request->user(newUser);
222 auth_user_request->user()->auth_type = Auth::AUTH_NEGOTIATE;
223
224 auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);
225
226 /* all we have to do is identify that it's Negotiate - the helper does the rest */
227 debugs(29, 9, "decode Negotiate authentication");
228 return auth_user_request;
229}
230
void httpHeaderPutStrf(HttpHeader *hdr, Http::HdrType id, const char *fmt,...)
#define assert(EX)
Definition: assert.h:17
void AUTHSSTATS(StoreEntry *)
Definition: Gadgets.h:21
static AUTHSSTATS authenticateNegotiateStats
Definition: Config.cc:33
static int authnegotiate_initialised
Definition: Config.cc:37
static hash_table * proxy_auth_cache
Definition: Config.cc:39
Helper::StatefulClientPointer negotiateauthenticators
Definition: Config.cc:35
virtual void done()
static SchemeConfig * Find(const char *proxy_auth)
Definition: SchemeConfig.cc:59
virtual User::Pointer user()
Definition: UserRequest.h:143
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
void packStatsInto(Packable *p, const char *label=nullptr) const
Dump some stats about the helper state to a Packable object.
Definition: helper.cc:696
ChildConfig childs
Configuration settings for number running.
Definition: helper.h:118
wordlist * cmdline
Definition: helper.h:114
int ipc_type
Definition: helper.h:119
int delByName(const SBuf &name)
Definition: HttpHeader.cc:648
RequestFlags flags
Definition: HttpRequest.h:141
HttpHeader header
Definition: Message.h:74
C * getRaw() const
Definition: RefCount.h:89
bool mustKeepalive
Definition: RequestFlags.h:83
bool proxyKeepalive
Definition: RequestFlags.h:42
static Pointer Make(const char *name)
Definition: helper.cc:765
void openSessions() override
Definition: helper.cc:329
#define DBG_IMPORTANT
Definition: Stream.h:38
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:194
#define DBG_CRITICAL
Definition: Stream.h:37
#define IPC_STREAM
Definition: defines.h:106
void fatal(const char *message)
Definition: fatal.cc:28
int shutting_down
SQUIDCEXTERN hash_table * hash_create(HASHCMP *, int, HASHHASH *)
Definition: hash.cc:108
int HASHCMP(const void *, const void *)
Definition: hash.h:13
SQUIDCEXTERN HASHHASH hash_string
Definition: hash.h:45
void helperStatefulShutdown(const statefulhelper::Pointer &hlp)
Definition: helper.cc:807
@ AUTH_NEGOTIATE
Definition: Type.h:22
void RegisterAction(char const *action, char const *desc, OBJH *handler, int pw_req_flag, int atomic)
Definition: Registration.cc:16
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
#define safe_free(x)
Definition: xalloc.h:73

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors