Config.cc
Go to the documentation of this file.
1 /*
2  * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
3  *
4  * Squid software is distributed under GPLv2+ license and includes
5  * contributions from numerous individuals and organizations.
6  * Please see the COPYING and CONTRIBUTORS files for details.
7  */
8 
9 /* DEBUG: section 29 NTLM Authenticator */
10 
11 /* The functions in this file handle authentication.
12  * They DO NOT perform access control or auditing.
13  * See acl.c for access control and client_side.c for auditing */
14 
15 #include "squid.h"
16 #include "auth/Gadgets.h"
17 #include "auth/ntlm/Config.h"
18 #include "auth/ntlm/Scheme.h"
19 #include "auth/ntlm/User.h"
20 #include "auth/ntlm/UserRequest.h"
21 #include "auth/State.h"
22 #include "cache_cf.h"
23 #include "client_side.h"
24 #include "helper.h"
25 #include "http/Stream.h"
26 #include "HttpHeaderTools.h"
27 #include "HttpReply.h"
28 #include "HttpRequest.h"
29 #include "mgr/Registration.h"
30 #include "SquidTime.h"
31 #include "Store.h"
32 #include "wordlist.h"
33 
34 /* NTLM Scheme */
36 
38 static int authntlm_initialised = 0;
39 
41 
42 void
43 Auth::Ntlm::Config::rotateHelpers()
44 {
45  /* schedule closure of existing helpers */
46  if (ntlmauthenticators) {
48  }
49 
50  /* NP: dynamic helper restart will ensure they start up again as needed. */
51 }
52 
53 /* free any allocated configuration details */
54 void
55 Auth::Ntlm::Config::done()
56 {
58 
60 
61  if (ntlmauthenticators) {
63  }
64 
65  if (!shutting_down)
66  return;
67 
68  delete ntlmauthenticators;
70 
71  if (authenticateProgram)
72  wordlistDestroy(&authenticateProgram);
73 
74  debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");
75 }
76 
77 const char *
79 {
80  return Auth::Ntlm::Scheme::GetInstance()->type();
81 }
82 
83 /* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
84  * config file */
85 void
86 Auth::Ntlm::Config::init(Auth::SchemeConfig *)
87 {
88  if (authenticateProgram) {
89 
91 
92  if (ntlmauthenticators == NULL)
93  ntlmauthenticators = new statefulhelper("ntlmauthenticator");
94 
95  if (!proxy_auth_cache)
96  proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);
97 
99 
100  ntlmauthenticators->cmdline = authenticateProgram;
101 
102  ntlmauthenticators->childs.updateLimits(authenticateChildren);
103 
105 
107  }
108 }
109 
110 void
111 Auth::Ntlm::Config::registerWithCacheManager(void)
112 {
113  Mgr::RegisterAction("ntlmauthenticator",
114  "NTLM User Authenticator Stats",
115  authenticateNTLMStats, 0, 1);
116 }
117 
118 bool
119 Auth::Ntlm::Config::active() const
120 {
121  return authntlm_initialised == 1;
122 }
123 
124 bool
125 Auth::Ntlm::Config::configured() const
126 {
127  if ((authenticateProgram != NULL) && (authenticateChildren.n_max != 0)) {
128  debugs(29, 9, HERE << "returning configured");
129  return true;
130  }
131 
132  debugs(29, 9, HERE << "returning unconfigured");
133  return false;
134 }
135 
136 /* NTLM Scheme */
137 
138 void
139 Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType hdrType, HttpRequest * request)
140 {
141  if (!authenticateProgram)
142  return;
143 
144  /* Need keep-alive */
145  if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)
146  return;
147 
148  /* New request, no user details */
149  if (auth_user_request == NULL) {
150  debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
151  httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
152 
153  if (!keep_alive) {
154  /* drop the connection */
155  request->flags.proxyKeepalive = false;
156  }
157  } else {
158  Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());
159  assert(ntlm_request != NULL);
160 
161  switch (ntlm_request->user()->credentials()) {
162 
163  case Auth::Failed:
164  /* here it makes sense to drop the connection, as auth is
165  * tied to it, even if MAYBE the client could handle it - Kinkie */
166  request->flags.proxyKeepalive = false;
167  /* [[fallthrough]] */
168 
169  case Auth::Ok:
170  /* Special case: authentication finished OK but disallowed by ACL.
171  * Need to start over to give the client another chance.
172  */
173  /* [[fallthrough]] */
174 
175  case Auth::Unchecked:
176  /* semantic change: do not drop the connection.
177  * 2.5 implementation used to keep it open - Kinkie */
178  debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM'");
179  httpHeaderPutStrf(&rep->header, hdrType, "NTLM");
180  break;
181 
182  case Auth::Handshake:
183  /* we're waiting for a response from the client. Pass it the blob */
184  debugs(29, 9, HERE << "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");
185  httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);
186  safe_free(ntlm_request->server_blob);
187  break;
188 
189  default:
190  debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");
191  fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");
192  }
193  }
194 }
195 
196 static void
198 {
199  if (ntlmauthenticators)
200  ntlmauthenticators->packStatsInto(sentry, "NTLM Authenticator Statistics");
201 }
202 
203 /*
204  * Decode a NTLM [Proxy-]Auth string, placing the results in the passed
205  * Auth_user structure.
206  */
208 Auth::Ntlm::Config::decode(char const *proxy_auth, const HttpRequest *, const char *aRequestRealm)
209 {
210  Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm);
211  Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();
212  assert(auth_user_request->user() == NULL);
213 
214  auth_user_request->user(newUser);
215  auth_user_request->user()->auth_type = Auth::AUTH_NTLM;
216 
217  auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);
218 
219  /* all we have to do is identify that it's NTLM - the helper does the rest */
220  debugs(29, 9, HERE << "decode: NTLM authentication");
221  return auth_user_request;
222 }
223 
void fatal(const char *message)
Definition: fatal.cc:28
Helper::ChildConfig childs
Configuration settings for number running.
Definition: helper.h:111
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
wordlist * cmdline
Definition: helper.h:107
@ AUTH_NTLM
Definition: Type.h:20
HttpHeader header
Definition: Message.h:75
int ipc_type
Definition: helper.h:112
static int authntlm_initialised
Definition: Config.cc:38
int type
Definition: errorpage.cc:153
C * getRaw() const
Definition: RefCount.h:80
int HASHCMP(const void *, const void *)
Definition: hash.h:13
#define DBG_CRITICAL
Definition: Debug.h:40
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
#define DBG_IMPORTANT
Definition: Debug.h:41
void httpHeaderPutStrf(HttpHeader *hdr, Http::HdrType id, const char *fmt,...)
static SchemeConfig * Find(const char *proxy_auth)
Definition: SchemeConfig.cc:59
static hash_table * proxy_auth_cache
Definition: Config.cc:40
#define NULL
Definition: types.h:166
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Debug.h:123
static AUTHSSTATS authenticateNTLMStats
Definition: Config.cc:35
statefulhelper * ntlmauthenticators
Definition: Config.cc:37
std::ostream & HERE(std::ostream &s)
Definition: Debug.h:152
#define safe_free(x)
Definition: xalloc.h:73
#define assert(EX)
Definition: assert.h:19
void packStatsInto(Packable *p, const char *label=NULL) const
Dump some stats about the helper state to a Packable object.
Definition: helper.cc:677
void AUTHSSTATS(StoreEntry *)
Definition: Gadgets.h:21
SQUIDCEXTERN HASHHASH hash_string
Definition: hash.h:45
SQUIDCEXTERN hash_table * hash_create(HASHCMP *, int, HASHHASH *)
Definition: hash.cc:108
virtual void done()
int shutting_down
void RegisterAction(char const *action, char const *desc, OBJH *handler, int pw_req_flag, int atomic)
Definition: Registration.cc:16
void helperStatefulShutdown(statefulhelper *hlp)
Definition: helper.cc:777
void helperStatefulOpenServers(statefulhelper *hlp)
Definition: helper.cc:332
#define IPC_STREAM
Definition: defines.h:108
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors