--------------------- PatchSet 850 Date: 2000/11/17 12:14:33 Author: rbcollins Branch: auth_rewrite Tag: (none) Log: new (thought out!) interface to authenticate. Members: src/acl.c:1.1.1.3.12.26->1.1.1.3.12.26.2.1 src/authenticate.c:1.1.1.3.12.17->1.1.1.3.12.17.2.1 src/protos.h:1.1.1.3.12.17->1.1.1.3.12.17.2.1 src/structs.h:1.1.1.3.4.1.2.26->1.1.1.3.4.1.2.26.2.1 Index: squid/src/acl.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/acl.c,v retrieving revision 1.1.1.3.12.26 retrieving revision 1.1.1.3.12.26.2.1 diff -u -r1.1.1.3.12.26 -r1.1.1.3.12.26.2.1 --- squid/src/acl.c 12 Nov 2000 21:22:21 -0000 1.1.1.3.12.26 +++ squid/src/acl.c 17 Nov 2000 12:14:33 -0000 1.1.1.3.12.26.2.1 @@ -1,6 +1,6 @@ /* - * $Id: acl.c,v 1.1.1.3.12.26 2000/11/12 21:22:21 rbcollins Exp $ + * $Id: acl.c,v 1.1.1.3.12.26.2.1 2000/11/17 12:14:33 rbcollins Exp $ * * DEBUG: section 28 Access Control * AUTHOR: Duane Wessels @@ -1157,15 +1157,20 @@ * -3 : get something from an external stateful authenticator; #endif */ - +#if 0 static int aclMatchProxyAuth(void *data, const char *proxy_auth, acl_proxy_auth_user * auth_user, aclCheck_t * checklist, squid_acl acltype) +#endif +static int +aclMatchProxyAuth(void *data, http_hdr_type headertype, + acl_proxy_auth_user * auth_user, aclCheck_t * checklist, squid_acl acltype) { /* checklist is used to register user name when identified, nothing else */ /* login bug is used as working space for DecodeProxyAuth?!? * LOCAL_ARRAY(char, login_buf, USER_IDENT_SZ); */ + const char * proxy_auth; #if 0 LOCAL_ARRAY(char, ntlmhash, NTLM_CHALLENGE_SZ * 2); acl_proxy_auth_hash_pointer *usernamehash, *proxy_auth_hash = NULL; @@ -1196,6 +1201,8 @@ * username */ + assert(headertype != 0); + proxy_auth = httpHeaderGetStr(&checklist->request->header, headertype); if (checklist->conn == NULL) { debug(28, 1) 
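Review bot: `proxy_auth = httpHeaderGetStr(&checklist->request->header, headertype);` in the 1201 hunk can return NULL when the request carries no header of that type, and nothing in the hunk rejects that before the value flows on to the `debug(28,6) ... %s` and `authenticateGetAuthUser(proxy_auth)` calls in the following hunk. The old signature received an already-looked-up `header`, so the presence check in the caller, which this commit wraps in `#if 0` in aclMatchAcl, no longer runs on the way here. Following the return contract the caller's switch documents (-2 = credentials invalid or missing), `if (proxy_auth == NULL) return -2;` directly after the lookup restores that check, assuming no guard exists in the unchanged lines between the two hunks. aclMatchProxyAuth's body continues past the end of this hunk.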
@@ -1230,9 +1237,9 @@ } /* we have a proxy auth header and as far as we know this connection has * not had bungled NTLM authentication happen on it. */ - debug(28,6) ("aclMatchProxyAuth: auth state none with header %s.\n", - proxy_auth); + debug(28,6) ("aclMatchProxyAuth: header %s.\n", proxy_auth); if (auth_user == NULL) { + debug(28,5) ("aclMatchProxyAuth: This is a new request on FD:%d\n", checklist->conn->fd); if (checklist->conn->auth_type==AUTH_UNKNOWN) { /* beginning of a new request check */ if (!authenticateValidateUser(auth_user=authenticateGetAuthUser(proxy_auth))) { @@ -1255,15 +1262,18 @@ /* Clear the reference in the checklist */ checklist->auth_user = NULL; +#if 0 if (!auth_user->proxy_auth) /* the last [proxy]auth header was used up */ auth_user->proxy_auth=xstrdup(proxy_auth); +#endif if (!authenticateUserAuthenticated(auth_user)){ /* User not logged in. Log them in */ /* if they have not got an IP already give them one */ if (!auth_user->ipaddr.s_addr) auth_user->ipaddr = checklist->src_addr; - auth_user=authenticateAuthenticateUser(auth_user); + auth_user=authenticateAuthenticateUser(auth_user, checklist->request, headertype); + assert(auth_user != NULL); if (auth_user->flags.credentials_ok==0) { if (auth_user->auth_type==AUTH_NTLM) { /* save the auth_user data for the next call */ @@ -1868,6 +1878,7 @@ const char *header; const char *browser; int k; + http_hdr_type headertype; if (!ae) return 0; debug(28, 3) ("aclMatchAcl: checking '%s'\n", ae->cfgline); @@ -2016,6 +2027,7 @@ if (NULL == r) { return -1; } else if (!r->flags.accelerated) { +#if 0 /* Proxy authorization on proxy requests */ header = httpHeaderGetStr(&checklist->request->header, 
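Review bot: `debug(28,6) ("aclMatchProxyAuth: header %s.\n", proxy_auth);` in the 1237 hunk writes the complete authorization header value to cache.log; for the Basic scheme that is only a base64 encoding of the cleartext password, so running section 28 at level 6 records every user's credentials in the log file. The same exposure appears in authenticate.c, in the new `debug(29,6)` of authenticateAuthenticateUser (813 hunk) and the `debug(29,3)` lines of authenticateNTLMAuthenticateUser (637 hunk) that now print `proxy_auth`. Logging which header was seen instead of its value keeps the diagnostic without the secret, e.g. `debug(28,6) ("aclMatchProxyAuth: %s header present.\n", headertype == HDR_PROXY_AUTHORIZATION ? "proxy" : "www");`. In the 1262 hunk, `assert(auth_user != NULL);` after `authenticateAuthenticateUser` turns any NULL result into a process abort on a client-triggered path; if that function can report failure by returning NULL, a `return -2;` is the safer reaction. aclMatchProxyAuth's body starts and ends outside these hunks.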
@@ -2034,21 +2046,40 @@ ae->name); return -1; #endif } +#endif + /* Proxy authorization on proxy requests */ + headertype = HDR_PROXY_AUTHORIZATION; + } else if (r->flags.internal) { + /* WWW authorization on accelerated internal requests */ + headertype = HDR_AUTHORIZATION; + } else { +#if AUTH_ON_ACCELERATION + /* WWW authorization on accelerated requests */ + headertype = HDR_AUTHORIZATION; +#else + debug(28, 1) ("aclMatchAcl: proxy_auth %s not applicable on accelera +ted requests.\n", + ae->name); return -1; +#endif + } /* * Register that we used the proxy authentication header so that * it is not forwarded to the next proxy */ r->flags.used_proxy_auth = 1; /* Check the password */ - switch (aclMatchProxyAuth(ae->data, header, + switch (aclMatchProxyAuth(ae->data, headertype, checklist->auth_user, checklist, ae->type)) { case 0: + debug(28, 5) ("aclMatchAcl: returning 0 user authenticated but not authorised.\n"); /* Authenticated but not Authorised for this ACL */ return 0; case 1: + debug(28, 5) ("aclMatchAcl: returning 1 user authenticated and authorised.\n"); /* Authenticated and Authorised for this ACL */ return 1; case -2: + debug(28, 5) ("aclMatchAcl: returning 0 sending authentication challenge.\n"); /* Authentication credentials invalid or missing. */ /* Or partway through NTLM handshake. A proxy_Authenticate header * gets sent to the client. */ @@ -2060,6 +2091,7 @@ */ return 0; case -1: + debug(28, 5) ("aclMatchAcl: returning 0 sending credentials to helper.\n"); /* * we need to validate the password */ Index: squid/src/authenticate.c =================================================================== RCS file: /cvsroot/squid-sf//squid/src/authenticate.c,v retrieving revision 1.1.1.3.12.17 retrieving revision 1.1.1.3.12.17.2.1 diff -u -r1.1.1.3.12.17 -r1.1.1.3.12.17.2.1 --- squid/src/authenticate.c 12 Nov 2000 21:22:21 -0000 1.1.1.3.12.17 +++ squid/src/authenticate.c 17 Nov 2000 12:14:33 -0000 1.1.1.3.12.17.2.1 
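Review bot: The `debug(28, 1)` under `#else` in the 2046 hunk is split across two diff lines, `...not applicable on accelera` and `+ted requests.\n",`, which as committed text would be an unterminated string literal followed by an undeclared identifier; if this is a mail-wrapping artefact it is harmless, but the `AUTH_ON_ACCELERATION`-undefined branch should be compiled once to confirm, since a default build is the one that takes it. Separately, `r->flags.used_proxy_auth = 1;` is now reached for the `HDR_AUTHORIZATION` cases (internal requests, and accelerated ones when AUTH_ON_ACCELERATION is set) while the comment above it still refers only to the proxy authentication header; either the comment should name both headers or the assignment should be confined to the proxy case, `if (headertype == HDR_PROXY_AUTHORIZATION) r->flags.used_proxy_auth = 1;`, depending on what the forwarding code does with the flag. aclMatchAcl begins and ends outside this hunk.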
@@ -1,6 +1,6 @@ /* - * $Id: authenticate.c,v 1.1.1.3.12.17 2000/11/12 21:22:21 rbcollins Exp $ + * $Id: authenticate.c,v 1.1.1.3.12.17.2.1 2000/11/17 12:14:33 rbcollins Exp $ * * DEBUG: section 29 Authenticator * AUTHOR: Duane Wessels @@ -68,14 +68,14 @@ static void authenticateBasicStart(acl_proxy_auth_user *, RH *, void *); static HLPCB authenticateBasicHandleReply; static void -authenticateDecodeBasicAuth(acl_proxy_auth_user *auth_user); +authenticateDecodeBasicAuth(acl_proxy_auth_user *auth_user, const char * proxy_auth); static helper *basicauthenticators = NULL; /* NTLM Scheme */ static void authenticateNTLMStart(acl_proxy_auth_user *, RH * handler, void *); static HLPSCB authenticateNTLMHandleReply; static void -authenticateDecodeNTLMAuth(acl_proxy_auth_user *auth_user); +authenticateDecodeNTLMAuth(acl_proxy_auth_user *auth_user, const char * proxy_auth); static statefulhelper *ntlmauthenticators = NULL; @@ -100,8 +100,9 @@ if (Config.Program.authenticate != NULL) { proxy_auth += 6; auth_user->auth_type = AUTH_BASIC; - auth_user->proxy_auth = xstrdup(proxy_auth); - authenticateDecodeBasicAuth(auth_user); +// auth_user->proxy_auth = xstrdup(proxy_auth); +// authenticateDecodeBasicAuth(auth_user); + authenticateDecodeBasicAuth(auth_user, proxy_auth); } else auth_user->auth_type = AUTH_UNKNOWN; } else @@ -109,8 +110,9 @@ if (Config.Program.ntlmauthenticate != NULL) { proxy_auth += 5; auth_user->auth_type = AUTH_NTLM; - auth_user->proxy_auth = xstrdup(proxy_auth); - authenticateDecodeNTLMAuth(auth_user); +// auth_user->proxy_auth = xstrdup(proxy_auth); +// authenticateDecodeNTLMAuth(auth_user); + authenticateDecodeNTLMAuth(auth_user, proxy_auth); } else auth_user->auth_type = AUTH_UNKNOWN; } else 
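Review bot: The 101 and 111 hunks keep the superseded statements as `// auth_user->proxy_auth = xstrdup(proxy_auth);` and `// authenticateDecodeBasicAuth(auth_user);` line comments, while the same commit uses `#if 0` for the identical purpose in acl.c and the surrounding code uses `/* */` only; `//` is not valid C89 and reads as a third disabling style in one patch. Because the `proxy_auth` field is removed from the struct in this patchset, these lines can never be re-enabled and should be deleted outright. The same applies to the `//` blocks in the 227 and 637 hunks of authenticate.c and the 108 hunk of structs.h, where the rationale `Removed the above - it was too restricting.` belongs in the commit log rather than as a comment left inside the struct. authenticateGetAuthUser's body is outside these hunks.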
@@ -175,10 +177,9 @@ */ static void -authenticateDecodeBasicAuth(acl_proxy_auth_user *auth_user) { +authenticateDecodeBasicAuth(acl_proxy_auth_user *auth_user, const char * proxy_auth) { char *sent_auth; char *cleartext; - char *proxy_auth=auth_user->proxy_auth; assert(auth_user->auth_type == AUTH_BASIC); /* Trim leading whitespace before decoding */ @@ -226,8 +227,8 @@ auth_user->auth_data.basic_auth.passwd = xstrndup(cleartext, USER_IDENT_SZ); } /* we are finished with the proxy_auth */ - xfree(auth_user->proxy_auth); - auth_user->proxy_auth = NULL; +// xfree(auth_user->proxy_auth); +// auth_user->proxy_auth = NULL; return; } @@ -413,10 +414,10 @@ default: fatal("Invalid authenticate state for NTLMStart"); } -#if 0 - while (!xisspace(*sent_string)) /*trim NTLM/BASIC/whatever */ + + while (!xisspace(*sent_string)) /*trim NTLM */ sent_string++; -#endif + while (xisspace(*sent_string)) /*trim leading spaces */ sent_string++; debug(29, 5) ("authenticateNTLMStart: state '%d'\n", auth_user->auth_data.ntlm_auth.auth_state); @@ -486,7 +487,7 @@ */ void -authenticateDecodeNTLMAuth(acl_proxy_auth_user *auth_user) { +authenticateDecodeNTLMAuth(acl_proxy_auth_user *auth_user, const char * proxy_auth) { assert(auth_user->auth_type == AUTH_NTLM); /* all we have to do is identify that it's NTLM - the helper does the rest */ debug(29, 6) ("authenticateDecodeNTLMAuth: NTLM authentication\n"); @@ -510,7 +511,7 @@ break; case AUTH_BASIC: debug(28, 4) - ("aclLookupProxyAuthStart: going to ask authenticator on %s\n", + ("AuthenticateStart: going to ask authenticator on %s\n", auth_user->auth_data.basic_auth.username); /* we must still check this user's password */ authenticateBasicStart(auth_user, handler, data); 
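Review bot: `while (!xisspace(*sent_string)) sent_string++;` in the 414 hunk, newly enabled by dropping the `#if 0`, has no terminator check: a value that contains no whitespace (a bare `NTLM` token, or the token with the blob glued on) never satisfies `xisspace`, and since NUL is not a space the loop walks past the end of the copy the switch above selected into whatever memory follows. That string originates in the client's authorization header, so the loop should be `while (*sent_string && !xisspace(*sent_string)) sent_string++;` and reaching the end without a space should be treated as a malformed header instead of sending an empty string to the helper. The following `while (xisspace(*sent_string))` loop is already safe for the same reason that makes the first one unsafe. authenticateNTLMStart begins and ends outside this hunk.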
@@ -588,7 +589,7 @@ -1 = not enough information to log them in. call AuthenticateStart */ static acl_proxy_auth_user * -authenticateBasicAuthenticateUser(acl_proxy_auth_user *data) { +authenticateBasicAuthenticateUser(acl_proxy_auth_user *data, const char * proxy_auth) { acl_proxy_auth_hash_pointer *usernamehash, *proxy_auth_hash=NULL; acl_proxy_auth_user *auth_user=data; /* if the password is not ok, do an identity */ @@ -596,7 +597,7 @@ return auth_user; /* password was checked and did match */ - debug(29, 4) ("aclMatchProxyAuth: user '%s' validated OK\n", + debug(29, 4) ("authenticateBasicAuthenticateuser: user '%s' validated OK\n", auth_user->auth_data.basic_auth.username); /* see if this is an existing user with a different proxy_auth string */ if ((usernamehash = hash_lookup(proxy_auth_username_cache, @@ -610,7 +611,7 @@ * add another link from the new proxy_auth to the * auth_user structure and update the information */ assert(proxy_auth_hash == NULL); - authenticateProxyAuthCacheAddLink(auth_user->proxy_auth, usernamehash->auth_user); + authenticateProxyAuthCacheAddLink(proxy_auth, usernamehash->auth_user); /* maybe the p/w changed. update in the old structure */ xfree(usernamehash->auth_user->auth_data.basic_auth.passwd); usernamehash->auth_user->auth_data.basic_auth.passwd = @@ -626,7 +627,7 @@ } else { /* store user in hash's */ authenticateUserNameCacheAdd(auth_user); - authenticateProxyAuthCacheAddLink(auth_user->proxy_auth, auth_user); + authenticateProxyAuthCacheAddLink(proxy_auth, auth_user); } /* auth_user is now linked, we reset these values * after external auth occurs anyway */ 
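Review bot: `authenticateProxyAuthCacheAddLink(proxy_auth, usernamehash->auth_user);` in the 611 hunk (and again in the 627 hunk) now passes a pointer that `authenticateAuthenticateUser` obtained from `httpHeaderGetStr`, i.e. storage owned by the request, where the old code passed the xstrdup'd copy held in `auth_user->proxy_auth`. If the cache link stores the key pointer rather than duplicating it, the entry dangles as soon as the request is freed and a later lookup on `proxy_auth_cache` reads freed memory; `authenticateProxyAuthCacheAddLink` is not in the patch, so please confirm it copies the key. The key also changed shape: `authenticateGetAuthUser` advanced `proxy_auth += 6` before the old copy was taken, while the value used here is the full header value including its scheme prefix, so the lookup side must use the same form or every request will miss the cache and re-run the helper. authenticateBasicAuthenticateUser's body is cut at both ends of these hunks.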
@@ -636,44 +637,46 @@ } static acl_proxy_auth_user * -authenticateNTLMAuthenticateUser(acl_proxy_auth_user *data) { +authenticateNTLMAuthenticateUser(void *data, const char * proxy_auth) { acl_proxy_auth_user *auth_user=data; acl_proxy_auth_hash_pointer *usernamehash, *proxy_auth_hash=NULL; LOCAL_ARRAY(char, ntlmhash, NTLM_CHALLENGE_SZ * 2); - char * proxy_auth=auth_user->proxy_auth; +// char * proxy_auth=auth_user->proxy_auth; assert(auth_user->auth_type==AUTH_NTLM); switch (auth_user->auth_data.ntlm_auth.auth_state) { case AUTHENTICATE_STATE_NONE: /* we've recieved a negotiate request. pass to a helper */ - debug(29, 3) ("aclMatchProxyAuth: auth state ntlm none. %s\n", - auth_user->proxy_auth); + debug(29, 3) ("authenticateNTLMAuthenticateUser: auth state ntlm none. %s\n", + proxy_auth); auth_user->auth_data.ntlm_auth.auth_state = AUTHENTICATE_STATE_NEGOTIATE; - auth_user->auth_data.ntlm_auth.ntlmnegotiate = auth_user->proxy_auth; - /* use it up. */ - auth_user->proxy_auth=NULL; -#if 0 +// auth_user->auth_data.ntlm_auth.ntlmnegotiate = auth_user->proxy_auth; +// /* use it up. */ +// auth_user->proxy_auth=NULL; + auth_user->auth_data.ntlm_auth.ntlmnegotiate=xstrndup(proxy_auth, NTLM_CHALLENGE_SZ+5); -#endif + return auth_user; break; case AUTHENTICATE_STATE_NEGOTIATE: auth_user->auth_data.ntlm_auth.auth_state = AUTHENTICATE_STATE_CHALLENGE; - xfree(auth_user->proxy_auth); - auth_user->proxy_auth=NULL; +// xfree(auth_user->proxy_auth); +// auth_user->proxy_auth=NULL; return auth_user; break; case AUTHENTICATE_STATE_CHALLENGE: /* we should have recieved a NTLM challenge. pass it to the same * helper process */ - debug(29,3) ("aclMatchProxyAuth: auth state challenge with header %s.\n", auth_user->proxy_auth); + debug(29,3) ("authenticateNTLMAuthenticateUser: auth state challenge with header %s.\n", proxy_auth); /* do a cache lookup here. If it matches it's a successful ntlm * challenge - release the helper and use the existing auth_user * details. 
*/ if (strncmp("NTLM ", proxy_auth, 5) == 0) { +#if 0 proxy_auth += 5; +#endif auth_user->auth_data.ntlm_auth.ntlmauthenticate = xstrdup(proxy_auth); - xfree(auth_user->proxy_auth); - auth_user->proxy_auth = NULL; +// xfree(auth_user->proxy_auth); +// auth_user->proxy_auth = NULL; } else { fatal("Incorrect scheme in auth header\n"); /* TODO: more fault tolerance.. reset the auth scheme here */ @@ -687,14 +690,14 @@ assert(proxy_auth_cache!=NULL); proxy_auth_hash = hash_lookup(proxy_auth_cache, ntlmhash); if (!proxy_auth_hash) { /* not in the hash table */ - debug(29,3)("aclMatchProxyAuth: proxy-auth cache miss.\n"); + debug(29,3)("authenticateNTLMAuthenticateUser: proxy-auth cache miss.\n"); auth_user->auth_data.ntlm_auth.auth_state = AUTHENTICATE_STATE_RESPONSE; #if 0 xstrndup(proxy_auth, NTLM_CHALLENGE_SZ+5); #endif /* verify with the ntlm helper */ } else { - debug(29,3)("aclMatchProxyAuth: ntlm proxy-auth cache hit\n"); + debug(29,3)("authenticateNTLMAuthenticateUser: ntlm proxy-auth cache hit\n"); /* throw away the temporary entry */ authenticateNTLMReleasehelper(auth_user); authenticateAuthUserUnlock(auth_user); 
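Review bot: `authenticateNTLMAuthenticateUser(void *data, const char * proxy_auth)` in the 637 hunk weakens the first parameter from `acl_proxy_auth_user *` to `void *` while its sibling `authenticateBasicAuthenticateUser` keeps the typed pointer in the same commit; the implicit conversion in `acl_proxy_auth_user *auth_user=data;` discards the compiler's check that callers pass the right object, and nothing in the hunk needs a generic pointer. The signature should read `authenticateNTLMAuthenticateUser(acl_proxy_auth_user *data, const char * proxy_auth)`. In the `AUTHENTICATE_STATE_CHALLENGE` arm, `strncmp("NTLM ", proxy_auth, 5)` is now reached with a value that comes straight from `httpHeaderGetStr` and may be NULL when the client omits the header on the follow-up request, so a `proxy_auth == NULL` guard before the switch is needed to avoid the NULL dereference. The function continues beyond the end of the hunk.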
@@ -810,16 +813,19 @@ * -1: part way through authentication: call AuthenticateStart */ acl_proxy_auth_user * -authenticateAuthenticateUser(acl_proxy_auth_user *auth_user) { +authenticateAuthenticateUser(acl_proxy_auth_user *auth_user, request_t *request, http_hdr_type type) { + const char * proxy_auth; assert(auth_user !=NULL); + proxy_auth = httpHeaderGetStr(&request->header, type); + debug(29,6) ("authenticateAuthenticateUser: authentication header type %d, value '%s'\n.", type,proxy_auth); /* switch used so we get warn-on-compile if new AUTH type added but not * handled */ switch (auth_user->auth_type){ case AUTH_BASIC: - return authenticateBasicAuthenticateUser(auth_user); + return authenticateBasicAuthenticateUser(auth_user, proxy_auth); break; case AUTH_NTLM: - return authenticateNTLMAuthenticateUser(auth_user); + return authenticateNTLMAuthenticateUser(auth_user, proxy_auth); break; case AUTH_UNKNOWN: case AUTH_BROKEN: @@ -1063,7 +1069,9 @@ case AUTH_BROKEN: case AUTH_UNKNOWN: } - if (u->proxy_auth) xfree(u->proxy_auth); +#if 0 + if (u->proxy_auth) xfree(u->proxy_auth); +#endif memFree(u, MEM_ACL_PROXY_AUTH_USER); } Index: squid/src/protos.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/protos.h,v retrieving revision 1.1.1.3.12.17 retrieving revision 1.1.1.3.12.17.2.1 diff -u -r1.1.1.3.12.17 -r1.1.1.3.12.17.2.1 --- squid/src/protos.h 16 Nov 2000 11:47:00 -0000 1.1.1.3.12.17 +++ squid/src/protos.h 17 Nov 2000 12:14:33 -0000 1.1.1.3.12.17.2.1 @@ -1,6 +1,6 @@ /* - * $Id: protos.h,v 1.1.1.3.12.17 2000/11/16 11:47:00 rbcollins Exp $ + * $Id: protos.h,v 1.1.1.3.12.17.2.1 2000/11/17 12:14:33 rbcollins Exp $ * * * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ 
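Review bot: `debug(29,6) ("authenticateAuthenticateUser: authentication header type %d, value '%s'\n.", type,proxy_auth);` in the 813 hunk passes `proxy_auth` to `%s` immediately after `httpHeaderGetStr` without checking for NULL, so a request lacking the header produces undefined behaviour in the log call (a crash on libcs that do not print `(null)`), and the format string ends in `\n.` which leaves a stray period at the start of the next log line. Rewriting it as `debug(29,6) ("authenticateAuthenticateUser: header type %d %s.\n", type, proxy_auth ? "present" : "absent");` removes both problems and also stops the raw credential value from being written to cache.log. The two `authenticate*AuthenticateUser` callees then receive a possibly-NULL `proxy_auth`, so a decision on what this function returns for a missing header should be made here rather than in each scheme. authenticateAuthenticateUser's switch continues past the end of the hunk.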
@@ -713,7 +713,7 @@ extern void authenticateShutdown(void); extern void authenticateFixErrorHeader(HttpReply * rep, ErrorState * err); extern acl_proxy_auth_user *authenticateGetAuthUser(const char *proxy_auth); -extern acl_proxy_auth_user *authenticateAuthenticateUser(acl_proxy_auth_user *auth_user); +extern acl_proxy_auth_user *authenticateAuthenticateUser(acl_proxy_auth_user *auth_user, request_t * request, http_hdr_type type); extern void authenticateAuthUserUnlock(acl_proxy_auth_user *auth_user); extern void authenticateAuthUserLock(acl_proxy_auth_user *auth_user); extern int authenticateAuthUserInuse(acl_proxy_auth_user *auth_user); Index: squid/src/structs.h =================================================================== RCS file: /cvsroot/squid-sf//squid/src/structs.h,v retrieving revision 1.1.1.3.4.1.2.26 retrieving revision 1.1.1.3.4.1.2.26.2.1 diff -u -r1.1.1.3.4.1.2.26 -r1.1.1.3.4.1.2.26.2.1 --- squid/src/structs.h 16 Nov 2000 11:47:00 -0000 1.1.1.3.4.1.2.26 +++ squid/src/structs.h 17 Nov 2000 12:14:33 -0000 1.1.1.3.4.1.2.26.2.1 @@ -1,6 +1,6 @@ /* - * $Id: structs.h,v 1.1.1.3.4.1.2.26 2000/11/16 11:47:00 rbcollins Exp $ + * $Id: structs.h,v 1.1.1.3.4.1.2.26.2.1 2000/11/17 12:14:33 rbcollins Exp $ * * * SQUID Internet Object Cache http://squid.nlanr.net/Squid/ @@ -108,8 +108,9 @@ /* we may have many proxy-authenticate strings that decode to the same user*/ dlink_list proxy_auth_list; dlink_list proxy_match_cache; - /* the [proxy_]auth header used when creating this user */ - char * proxy_auth; +// /* the [proxy_]auth header used when creating this user */ +// char * proxy_auth; +// Removed the above - it was too restricting. struct { unsigned int credentials_ok:2; /*0=unchecked,1=ok,2=failed*/ } flags;