Config.cc
Go to the documentation of this file.
1/*
2 * Copyright (C) 1996-2022 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9/* DEBUG: section 29 Authenticator */
10
11/* The functions in this file handle authentication.
12 * They DO NOT perform access control or auditing.
13 * See acl.c for access control and client_side.c for auditing */
14
15#include "squid.h"
16#include "auth/basic/Config.h"
17#include "auth/basic/Scheme.h"
18#include "auth/basic/User.h"
21#include "auth/Gadgets.h"
22#include "auth/State.h"
23#include "auth/toUtf.h"
24#include "base64.h"
25#include "cache_cf.h"
26#include "helper.h"
27#include "HttpHeaderTools.h"
28#include "HttpReply.h"
29#include "mgr/Registration.h"
30#include "rfc1738.h"
31#include "sbuf/SBuf.h"
32#include "Store.h"
33#include "util.h"
34#include "wordlist.h"
35
36/* Basic Scheme */
38
40
41static int authbasic_initialised = 0;
42
43/*
44 *
45 * Public Functions
46 *
47 */
48
49/* internal functions */
50
51bool
52Auth::Basic::Config::active() const
53{
54 return authbasic_initialised == 1;
55}
56
57bool
58Auth::Basic::Config::configured() const
59{
60 if ((authenticateProgram != nullptr) && (authenticateChildren.n_max != 0) && !realm.isEmpty()) {
61 debugs(29, 9, "returning configured");
62 return true;
63 }
64
65 debugs(29, 9, "returning unconfigured");
66 return false;
67}
68
69const char *
71{
72 return Auth::Basic::Scheme::GetInstance()->type();
73}
74
75void
76Auth::Basic::Config::fixHeader(Auth::UserRequest::Pointer, HttpReply *rep, Http::HdrType hdrType, HttpRequest *)
77{
78 if (authenticateProgram) {
79 if (utf8) {
80 debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\", charset=\"UTF-8\"'");
81 httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\", charset=\"UTF-8\"", SQUIDSBUFPRINT(realm));
82 } else {
83 debugs(29, 9, "Sending type:" << hdrType << " header: 'Basic realm=\"" << realm << "\"'");
84 httpHeaderPutStrf(&rep->header, hdrType, "Basic realm=\"" SQUIDSBUFPH "\"", SQUIDSBUFPRINT(realm));
85 }
86 }
87}
88
89void
90Auth::Basic::Config::rotateHelpers()
91{
92 /* schedule closure of existing helpers */
95 }
96
97 /* NP: dynamic helper restart will ensure they start up again as needed. */
98}
99
101void
102Auth::Basic::Config::done()
103{
105
107
110 }
111
112 delete basicauthenticators;
113 basicauthenticators = nullptr;
114
115 if (authenticateProgram)
116 wordlistDestroy(&authenticateProgram);
117}
118
119bool
120Auth::Basic::Config::dump(StoreEntry * entry, const char *name, Auth::SchemeConfig * scheme) const
121{
122 if (!Auth::SchemeConfig::dump(entry, name, scheme))
123 return false; // not configured
124
125 storeAppendPrintf(entry, "%s basic credentialsttl %d seconds\n", name, (int) credentialsTTL);
126 storeAppendPrintf(entry, "%s basic casesensitive %s\n", name, casesensitive ? "on" : "off");
127 return true;
128}
129
131 credentialsTTL( 2*60*60 ),
132 casesensitive(0)
133{
134 static const SBuf defaultRealm("Squid proxy-caching web server");
135 realm = defaultRealm;
136}
137
138void
139Auth::Basic::Config::parse(Auth::SchemeConfig * scheme, int n_configured, char *param_str)
140{
141 if (strcmp(param_str, "credentialsttl") == 0) {
142 parse_time_t(&credentialsTTL);
143 } else if (strcmp(param_str, "casesensitive") == 0) {
144 parse_onoff(&casesensitive);
145 } else
146 Auth::SchemeConfig::parse(scheme, n_configured, param_str);
147}
148
149static void
151{
153 basicauthenticators->packStatsInto(sentry, "Basic Authenticator Statistics");
154}
155
156char *
157Auth::Basic::Config::decodeCleartext(const char *httpAuthHeader, const HttpRequest *request)
158{
159 const char *proxy_auth = httpAuthHeader;
160
161 /* trim BASIC from string */
162 while (xisgraph(*proxy_auth))
163 ++proxy_auth;
164
165 /* Trim leading whitespace before decoding */
166 while (xisspace(*proxy_auth))
167 ++proxy_auth;
168
169 /* Trim trailing \n before decoding */
170 // XXX: really? is the \n actually still there? does the header parse not drop it?
171 char *eek = xstrdup(proxy_auth);
172 strtok(eek, "\n");
173
174 const size_t srcLen = strlen(eek);
175 char *cleartext = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(srcLen)+1));
176
177 struct base64_decode_ctx ctx;
178 base64_decode_init(&ctx);
179
180 size_t dstLen = 0;
181 if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
182 cleartext[dstLen] = '\0';
183
184 if (utf8 && !isValidUtf8String(cleartext, cleartext + dstLen)) {
185 auto str = isCP1251EncodingAllowed(request) ?
186 Cp1251ToUtf8(cleartext) : Latin1ToUtf8(cleartext);
187 safe_free(cleartext);
188 cleartext = xstrdup(str.c_str());
189 }
190
191 /*
192 * Don't allow NL or CR in the credentials.
193 * Oezguer Kesim <oec@codeblau.de>
194 */
195 debugs(29, 9, "'" << cleartext << "'");
196
197 if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
198 debugs(29, DBG_IMPORTANT, "WARNING: Bad characters in authorization header '" << httpAuthHeader << "'");
199 safe_free(cleartext);
200 }
201 } else {
202 debugs(29, 2, "WARNING: Invalid Base64 character in authorization header '" << httpAuthHeader << "'");
203 safe_free(cleartext);
204 }
205
206 safe_free(eek);
207 return cleartext;
208}
209
218Auth::Basic::Config::decode(char const *proxy_auth, const HttpRequest *request, const char *aRequestRealm)
219{
220 Auth::UserRequest::Pointer auth_user_request = dynamic_cast<Auth::UserRequest*>(new Auth::Basic::UserRequest);
221 /* decode the username */
222
223 // retrieve the cleartext (in a dynamically allocated char*)
224 const auto cleartext = decodeCleartext(proxy_auth, request);
225
226 // empty header? no auth details produced...
227 if (!cleartext)
228 return auth_user_request;
229
231 /* permitted because local_basic is purely local function scope. */
232 Auth::Basic::User *local_basic = nullptr;
233
234 char *separator = strchr(cleartext, ':');
235
236 lb = local_basic = new Auth::Basic::User(this, aRequestRealm);
237
238 if (separator) {
239 /* terminate the username */
240 *separator = '\0';
241 local_basic->passwd = xstrdup(separator+1);
242 }
243
244 if (!casesensitive)
245 Tolower(cleartext);
246 local_basic->username(cleartext);
247
248 if (local_basic->passwd == nullptr) {
249 debugs(29, 4, "no password in proxy authorization header '" << proxy_auth << "'");
250 auth_user_request->setDenyMessage("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
251 } else {
252 if (local_basic->passwd[0] == '\0') {
253 debugs(29, 4, "Disallowing empty password. User is '" << local_basic->username() << "'");
254 safe_free(local_basic->passwd);
255 auth_user_request->setDenyMessage("Request denied because you provided an empty password. Users MUST have a password.");
256 }
257 }
258
259 xfree(cleartext);
260
261 if (!local_basic->valid()) {
262 lb->auth_type = Auth::AUTH_BROKEN;
263 auth_user_request->user(lb);
264 return auth_user_request;
265 }
266
267 /* now lookup and see if we have a matching auth_user structure in memory. */
268 Auth::User::Pointer auth_user;
269
270 if (!(auth_user = Auth::Basic::User::Cache()->lookup(lb->userKey()))) {
271 /* the user doesn't exist in the username cache yet */
272 /* save the credentials */
273 debugs(29, 9, "Creating new user '" << lb->username() << "'");
274 /* set the auth_user type */
275 lb->auth_type = Auth::AUTH_BASIC;
276 /* current time for timeouts */
277 lb->expiretime = current_time.tv_sec;
278
279 /* this basic_user struct is the 'lucky one' to get added to the username cache */
280 /* the requests after this link to the basic_user */
281 /* store user in hash */
282 lb->addToNameCache();
283
284 auth_user = lb;
285 assert(auth_user != nullptr);
286 } else {
287 /* replace the current cached password with the new one */
288 Auth::Basic::User *basic_auth = dynamic_cast<Auth::Basic::User *>(auth_user.getRaw());
289 assert(basic_auth);
290 basic_auth->updateCached(local_basic);
291 auth_user = basic_auth;
292 }
293
294 /* link the request to the in-cache user */
295 auth_user_request->user(auth_user);
296 return auth_user_request;
297}
298
301void
302Auth::Basic::Config::init(Auth::SchemeConfig *)
303{
304 if (authenticateProgram) {
306
307 if (basicauthenticators == nullptr)
308 basicauthenticators = new helper("basicauthenticator");
309
310 basicauthenticators->cmdline = authenticateProgram;
311
312 basicauthenticators->childs.updateLimits(authenticateChildren);
313
315
317 }
318}
319
320void
321Auth::Basic::Config::registerWithCacheManager(void)
322{
323 Mgr::RegisterAction("basicauthenticator",
324 "Basic User Authenticator Stats",
326}
327
void httpHeaderPutStrf(HttpHeader *hdr, Http::HdrType id, const char *fmt,...)
#define SQUIDSBUFPH
Definition: SBuf.h:31
#define SQUIDSBUFPRINT(s)
Definition: SBuf.h:32
class SquidConfig Config
Definition: SquidConfig.cc:12
#define assert(EX)
Definition: assert.h:19
void AUTHSSTATS(StoreEntry *)
Definition: Gadgets.h:21
static int authbasic_initialised
Definition: Config.cc:41
helper * basicauthenticators
Definition: Config.cc:39
static AUTHSSTATS authenticateBasicStats
Definition: Config.cc:37
void base64_decode_init(struct base64_decode_ctx *ctx)
Definition: base64.c:54
int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src)
Definition: base64.c:129
int base64_decode_final(struct base64_decode_ctx *ctx)
Definition: base64.c:159
#define BASE64_DECODE_LENGTH(length)
Definition: base64.h:120
void parse_time_t(time_t *var)
Definition: cache_cf.cc:2980
void parse_onoff(int *var)
Definition: cache_cf.cc:2609
virtual void done()
virtual bool dump(StoreEntry *, const char *, SchemeConfig *) const
virtual void parse(SchemeConfig *, int, char *)
Definition: SchemeConfig.cc:84
void setDenyMessage(char const *)
Definition: UserRequest.cc:114
virtual User::Pointer user()
Definition: UserRequest.h:143
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition: ChildConfig.cc:44
HttpHeader header
Definition: Message.h:74
C * getRaw() const
Definition: RefCount.h:80
Definition: SBuf.h:94
Definition: helper.h:64
void packStatsInto(Packable *p, const char *label=nullptr) const
Dump some stats about the helper state to a Packable object.
Definition: helper.cc:677
wordlist * cmdline
Definition: helper.h:107
Helper::ChildConfig childs
Configuration settings for number running.
Definition: helper.h:111
int ipc_type
Definition: helper.h:112
#define DBG_IMPORTANT
Definition: Stream.h:41
#define debugs(SECTION, LEVEL, CONTENT)
Definition: Stream.h:196
#define IPC_STREAM
Definition: defines.h:106
int type
Definition: errorpage.cc:152
void helperShutdown(helper *hlp)
Definition: helper.cc:740
void helperOpenServers(helper *hlp)
Definition: helper.cc:201
@ AUTH_BASIC
Definition: Type.h:19
@ AUTH_BROKEN
Definition: Type.h:23
void RegisterAction(char const *action, char const *desc, OBJH *handler, int pw_req_flag, int atomic)
Definition: Registration.cc:16
#define xfree
#define xstrdup
#define xmalloc
static struct node * parse(FILE *fp)
Definition: parse.c:965
void storeAppendPrintf(StoreEntry *e, const char *fmt,...)
Definition: store.cc:828
struct _request * request(char *urlin)
Definition: tcp-banger2.c:291
struct _Cache Cache
struct timeval current_time
the current UNIX time in timeval {seconds, microseconds} format
Definition: gadgets.cc:17
SBuf Cp1251ToUtf8(const char *in)
converts CP1251 to UTF-8
Definition: toUtf.cc:37
SBuf Latin1ToUtf8(const char *in)
converts ISO-LATIN-1 to UTF-8
Definition: toUtf.cc:16
bool isValidUtf8String(const char *source, const char *sourceEnd)
returns whether the given input is a valid (or empty) sequence of UTF-8 code points
Definition: toUtf.cc:172
SQUIDCEXTERN void Tolower(char *)
Definition: util.c:28
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition: wordlist.cc:16
#define safe_free(x)
Definition: xalloc.h:73
#define xisgraph(x)
Definition: xis.h:30
#define xisspace(x)
Definition: xis.h:17

 

Introduction

Documentation

Support

Miscellaneous

Web Site Translations

Mirrors