--------------------- PatchSet 4904 Date: 2002/09/08 07:34:20 Author: serassio Branch: nt-2_5 Tag: (none) Log: Added support for matching multiple groups in one ACL Members: helpers/external_acl/win32_group/readme.txt:1.1.8.3->1.1.8.4 helpers/external_acl/win32_group/win32_check_group.c:1.1.8.4->1.1.8.5 Index: squid/helpers/external_acl/win32_group/readme.txt =================================================================== RCS file: /cvsroot/squid-sf//squid/helpers/external_acl/win32_group/Attic/readme.txt,v retrieving revision 1.1.8.3 retrieving revision 1.1.8.4 diff -u -r1.1.8.3 -r1.1.8.4 --- squid/helpers/external_acl/win32_group/readme.txt 14 Jul 2002 20:27:06 -0000 1.1.8.3 +++ squid/helpers/external_acl/win32_group/readme.txt 8 Sep 2002 07:34:20 -0000 1.1.8.4 @@ -5,19 +5,19 @@ This helper must be used in with an authentication scheme, tipcally basic or NTLM based on Windows NT/2000 domain users. -It reads two new line terminated argument from the standard input -(the domain username and group) and tries to match it against -the groups membership of the specified username. +It reads from the standard input the domain username and a list of groups +and tries to match it against the groups membership of the specified username. ============== Program Syntax ============== -win32_check_group [-Gd] +win32_check_group [-Gdh] -G start helper in Global Group mode -d enable debug mode +-h this message ================ Index: squid/helpers/external_acl/win32_group/win32_check_group.c =================================================================== RCS file: /cvsroot/squid-sf//squid/helpers/external_acl/win32_group/Attic/win32_check_group.c,v retrieving revision 1.1.8.4 retrieving revision 1.1.8.5 diff -u -r1.1.8.4 -r1.1.8.5 --- squid/helpers/external_acl/win32_group/win32_check_group.c 21 Jul 2002 09:07:11 -0000 1.1.8.4 +++ squid/helpers/external_acl/win32_group/win32_check_group.c 8 Sep 2002 07:34:20 -0000 1.1.8.5 
@@ -1,13 +1,13 @@ /* - * $Id: win32_check_group.c,v 1.1.8.4 2002/07/21 09:07:11 serassio Exp $ + * $Id: win32_check_group.c,v 1.1.8.5 2002/09/08 07:34:20 serassio Exp $ * * This is a helper for the external ACL interface for Squid Cache * Copyright (C) 2002 Guido Serassio * Based on previous work of Rodrigo Albani de Campos * - * It reads STDIN looking for a username that matches a NT/2000 global - * Domain group. - * Returns `OK' if the user belongs to the group or `ERR' otherwise, as + * It reads from the standard input the domain username and a list of groups + * and tries to match it against the groups membership of the specified username. + * Returns `OK' if the user belongs to a group or `ERR' otherwise, as * described on http://devel.squid-cache.org/external_acl/config.html * To compile this program, use: * @@ -201,14 +201,28 @@ return DomainName; } +/* returns 0 on match, -1 if no match */ +static int wcstrcmparray(const wchar_t *str, const char **array) +{ + WCHAR wszGroup[256]; // Unicode Group + + while (*array) { + MultiByteToWideChar(CP_ACP, 0, *array, + strlen(*array) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); + debug("Windows group: %S, Squid group: %S\n", str, wszGroup); + if (wcscmp(str, wszGroup) == 0) + return 0; + array++; + } + return -1; +} /* returns 1 on success, 0 on failure */ int -Valid_Local_Group(char *UserName, char *Group) +Valid_Local_Groups(char *UserName, const char **Groups) { int result = 0; WCHAR wszUserName[256]; // Unicode user name - WCHAR wszGroup[256]; // Unicode Group LPLOCALGROUP_USERS_INFO_0 pBuf = NULL; LPLOCALGROUP_USERS_INFO_0 pTmpBuf; @@ -225,8 +239,6 @@ MultiByteToWideChar(CP_ACP, 0, UserName, strlen(UserName) + 1, wszUserName, sizeof(wszUserName) / sizeof(wszUserName[0])); - MultiByteToWideChar(CP_ACP, 0, Group, - strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); /* * Call the NetUserGetLocalGroups function 
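Review bot: `wcstrcmparray` ignores the return value of `MultiByteToWideChar`, so a Squid group name that does not fit in `wszGroup[256]`, or otherwise fails to convert, leaves the buffer with unspecified contents (uninitialized stack on the first iteration). `wcscmp` and the `%S` debug call then read that buffer, possibly past the end of the array. Treating a failed conversion as a non-match keeps the ACL decision fail-closed: `if (MultiByteToWideChar(CP_ACP, 0, *array, strlen(*array) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])) == 0) { array++; continue; }`. The helper also reconverts every configured group for each Windows group the caller passes in; converting the list once before the membership loop would avoid that. The body of `Valid_Local_Groups` continues past the end of this hunk.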
@@ -256,7 +268,7 @@ result = 0; break; } - if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) { + if (wcstrcmparray(pTmpBuf->lgrui0_name, Groups) == 0) { result = 1; break; } @@ -277,11 +289,10 @@ /* returns 1 on success, 0 on failure */ int -Valid_Global_Group(char *UserName, char *Group) +Valid_Global_Groups(char *UserName, const char **Groups) { int result = 0; WCHAR wszUserName[256]; // Unicode user name - WCHAR wszGroup[256]; // Unicode Group WCHAR wszLocalDomain[256]; // Unicode Local Domain WCHAR wszUserDomain[256]; // Unicode User Domain @@ -315,8 +326,6 @@ MultiByteToWideChar(CP_ACP, 0, User, strlen(User) + 1, wszUserName, sizeof(wszUserName) / sizeof(wszUserName[0])); - MultiByteToWideChar(CP_ACP, 0, Group, - strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); MultiByteToWideChar(CP_ACP, 0, machinedomain, strlen(machinedomain) + 1, wszLocalDomain, sizeof(wszLocalDomain) / sizeof(wszLocalDomain[0])); @@ -370,7 +379,7 @@ result = 0; break; } - if (wcscmp(pTmpBuf->grui0_name, wszGroup) == 0) { + if (wcstrcmparray(pTmpBuf->grui0_name, Groups) == 0) { result = 1; break; } @@ -398,7 +407,7 @@ static void usage(char *program) { - fprintf(stderr,"Usage: %s [-d] [-h]\n" + fprintf(stderr,"Usage: %s [-d][-G][-h]\n" " -d enable debugging\n" " -G enable Domain Global group mode\n" " -h this message\n", @@ -444,6 +453,8 @@ char *username; char *group; int err = 0; + const char *groups[512]; + int n; if (argc > 0) { /* should always be true */ myname=strrchr(argv[0],'/'); @@ -496,9 +507,11 @@ } username = strwordtok(buf, &t); - group = strwordtok(NULL, &t); + for (n = 0; (group = strwordtok(NULL, &t)) != NULL; n++) + groups[n] = group; + groups[n] = NULL; - if ((use_global ? Valid_Global_Group(username, group) : Valid_Local_Group(username, group))) { + if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) { printf ("OK\n"); } else { error:
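Review bot: The token loop in the `@@ -496,9 +507,11 @@` hunk stores into `groups[n]` with no upper bound, so a request line carrying more than 511 group tokens writes past the end of `groups[512]` (declared in the `@@ -444,6 +453,8 @@` hunk) on the stack. The terminating `groups[n] = NULL` can be one of those out-of-bounds stores. Whether the input buffer can hold that many tokens is not visible here, but the array size should be enforced at the loop rather than assumed from the reader. Rejecting the request is safer than silently truncating the list: `for (n = 0; (group = strwordtok(NULL, &t)) != NULL; n++) { if (n >= (int)(sizeof(groups) / sizeof(groups[0])) - 1) goto error; groups[n] = group; }`, assuming the `error:` label at the end of the hunk leads to the `ERR` reply. The enclosing function starts and ends outside the hunk.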