---------------------
PatchSet 1832
Date: 2005/09/14 12:18:09
Author: serassio
Branch: nt
Tag: (none)
Log:
Updated Windos native basic authentication helper with latest changes from nt-2_5 branch.
Members:
helpers/basic_auth/win32_locallogon/Makefile.am:1.2.18.2->1.2.18.3
helpers/basic_auth/win32_locallogon/NT_auth.c:1.2.18.3->1.2.18.4
helpers/basic_auth/win32_locallogon/README.txt:1.2.18.3->1.2.18.4
helpers/basic_auth/win32_locallogon/valid.c:1.2.18.2->1.2.18.3
helpers/basic_auth/win32_locallogon/valid.h:1.2.18.3->1.2.18.4
port/win32/update.cmd:1.2.18.8->1.2.18.9
Index: squid3/helpers/basic_auth/win32_locallogon/Makefile.am
===================================================================
RCS file: /cvsroot/squid-sf//squid3/helpers/basic_auth/win32_locallogon/Attic/Makefile.am,v
retrieving revision 1.2.18.2
retrieving revision 1.2.18.3
diff -u -r1.2.18.2 -r1.2.18.3
--- squid3/helpers/basic_auth/win32_locallogon/Makefile.am 21 Aug 2005 18:41:05 -0000 1.2.18.2
+++ squid3/helpers/basic_auth/win32_locallogon/Makefile.am 14 Sep 2005 12:18:09 -0000 1.2.18.3
@@ -1,15 +1,15 @@ # # Makefile for the Squid Object Cache server # -# $Id: Makefile.am,v 1.2.18.2 2005/08/21 18:41:05 serassio Exp $ +# $Id: Makefile.am,v 1.2.18.3 2005/09/14 12:18:09 serassio Exp $ # # Uncomment and customize the following to suit your needs: # -libexec_PROGRAMS = nt_auth +libexec_PROGRAMS = win32_auth -nt_auth_SOURCES = NT_auth.c valid.c valid.h +win32_auth_SOURCES = NT_auth.c valid.c valid.h LDADD = -L$(top_builddir)/lib -lnetapi32 -ladvapi32 -lsspwin32 \ -lmiscutil $(XTRA_LIBS) Index: squid3/helpers/basic_auth/win32_locallogon/NT_auth.c =================================================================== RCS file: /cvsroot/squid-sf//squid3/helpers/basic_auth/win32_locallogon/Attic/NT_auth.c,v retrieving revision 1.2.18.3 retrieving revision 1.2.18.4 diff -u -r1.2.18.3 -r1.2.18.4 --- squid3/helpers/basic_auth/win32_locallogon/NT_auth.c 10 Apr 2004 10:12:42 -0000 1.2.18.3 +++ squid3/helpers/basic_auth/win32_locallogon/NT_auth.c 14 Sep 2005 12:18:09 -0000 1.2.18.4 @@ -1,8 +1,6 @@ /* NT_auth - Version 2.0 - Modified to act as a Squid authenticator module. - Removed all Pike stuff. Returns OK for a successful authentication, or ERR upon error. Guido Serassio, Torino - Italy @@ -41,12 +39,13 @@ char * NTDisAllowedGroup; int UseDisallowedGroup = 0; int UseAllowedGroup = 0; +int debug_enabled = 0; /* * options: - * -a can specify a Windows Local Group name allowed to authenticate. - * -d can specify a Windows Local Group name not allowed to authenticate. - * -D can specify the default Domain against to authenticate. + * -A can specify a Windows Local Group name allowed to authenticate. + * -D can specify a Windows Local Group name not allowed to authenticate. + * -O can specify the default Domain against to authenticate. */ char *my_program_name = NULL; 
@@ -54,10 +53,11 @@ usage() { fprintf(stderr, - "%s usage:\n%s [-a UserGroup] [-d UserGroup] [-D DefaultDomain] \n" - "-a can specify a Windows Local Group name allowed to authenticate\n" - "-d can specify a Windows Local Group name not allowed to authenticate\n" - "-D can specify the default Domain against to authenticate\n" + "%s usage:\n%s [-A|D UserGroup][-O DefaultDomain][-d]\n" + "-A can specify a Windows Local Group name allowed to authenticate\n" + "-D can specify a Windows Local Group name not allowed to authenticate\n" + "-O can specify the default Domain against to authenticate\n" + "-d enable debugging.\n" "-h this message\n\n", my_program_name, my_program_name); } @@ -66,20 +66,23 @@ process_options(int argc, char *argv[]) { int opt, had_error = 0; - while (-1 != (opt = getopt(argc, argv, "ha:d:D:"))) { + while (-1 != (opt = getopt(argc, argv, "dhA:D:O:"))) { switch (opt) { - case 'a': + case 'A': safe_free(NTAllowedGroup); NTAllowedGroup=xstrdup(optarg); UseAllowedGroup = 1; break; - case 'd': + case 'D': safe_free(NTDisAllowedGroup); NTDisAllowedGroup=xstrdup(optarg); UseDisallowedGroup = 1; break; - case 'D': - strcpy(Default_NTDomain, optarg); + case 'O': + strncpy(Default_NTDomain, optarg, DNLEN); + break; + case 'd': + debug_enabled = 1; break; case 'h': usage(argv[0]); @@ -115,10 +118,14 @@ my_program_name = argv[0]; process_options(argc, argv); + debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", my_program_name); + if (LoadSecurityDll(SSP_BASIC) == NULL) { fprintf(stderr, "FATAL, can't initialize SSPI, exiting.\n"); exit(1); } + debug("SSPI initialized OK\n"); + atexit(UnloadSecurityDll); /* initialize FDescs */ @@ -136,6 +143,7 @@ } if (err) { fprintf(stderr, "Oversized message\n"); + puts("ERR"); goto error; } 
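Review bot: The option letters in process_options were reassigned rather than only extended — `-D` now takes a disallowed group where it used to take the default domain — so an existing `auth_param ... -D MYDOMAIN` line is still accepted by the new `getopt(argc, argv, "dhA:D:O:")` but now sets UseDisallowedGroup and leaves Default_NTDomain untouched, with no warning; the old `-d GROUP` form likewise turns into "enable debugging" plus a stray argument. Consider rejecting or at least logging the old forms, and state the incompatibility in the usage() text and README.txt. The new `strncpy(Default_NTDomain, optarg, DNLEN);` is terminated only because the last byte of the `DNLEN+1` array is never written and is zero from static initialization, and an over-long domain is silently truncated; `snprintf(Default_NTDomain, sizeof(Default_NTDomain), "%s", optarg);` plus a length check that reports the truncation makes both explicit. process_options continues outside the hunk, so the `default`/had_error handling is not visible here.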
@@ -147,7 +155,9 @@ username[0] = '\0'; password[0] = '\0'; sscanf(wstr, "%s %s", username, password); /* Extract parameters */ - + + debug("Got %s from Squid\n", wstr); + /* Check for invalid or blank entries */ if ((username[0] == '\0') || (password[0] == '\0')) { fprintf(stderr, "Invalid Request\n"); @@ -157,11 +167,14 @@ } rfc1738_unescape(username); rfc1738_unescape(password); + + debug("Trying to validate; %s %s\n", username, password); + if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR) puts("OK"); else + printf("ERR %s\n", errormsg); error: - puts("ERR"); err = 0; fflush(stdout); } Index: squid3/helpers/basic_auth/win32_locallogon/README.txt =================================================================== RCS file: /cvsroot/squid-sf//squid3/helpers/basic_auth/win32_locallogon/Attic/README.txt,v retrieving revision 1.2.18.3 retrieving revision 1.2.18.4 diff -u -r1.2.18.3 -r1.2.18.4 --- squid3/helpers/basic_auth/win32_locallogon/README.txt 28 Feb 2004 09:01:03 -0000 1.2.18.3 +++ squid3/helpers/basic_auth/win32_locallogon/README.txt 14 Sep 2005 12:18:09 -0000 1.2.18.4 @@ -12,11 +12,12 @@ Program Syntax ============== -nt_auth [-a UserGroup] [-d UserGroup] [-D DefaultDomain] +win32_auth [-A UserGroup][-D UserGroup][-O DefaultDomain][-d] --a can specify a Windows Local Group name allowed to authenticate. --d can specify a Windows Local Group name not allowed to authenticate. --D can specify the default Domain against to authenticate. +-A can specify a Windows Local Group name allowed to authenticate. +-D can specify a Windows Local Group name not allowed to authenticate. +-O can specify the default Domain against to authenticate. +-d enable debugging. This is released under the GNU General Public License. 
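Review bot: The added `debug("Got %s from Squid\n", wstr);` writes the raw request line, which carries the user's password, to stderr whenever `-d` is given, and the next hunk's `debug("Trying to validate; %s %s\n", username, password);` logs the decoded password outright; both end up in Squid's cache.log, which is typically readable by more people than the credentials are meant for. Log the username only, e.g. `debug("Trying to validate user %s\n", username);`, and drop or mask the password in the raw-line trace. The enclosing main loop starts and ends outside this hunk.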
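Review bot: Removing `puts("ERR")` from the `error:` label changes the contract of every `goto error` site: the label now only resets `err` and flushes, so any site that jumps there without having printed its own reply leaves Squid waiting for a response line for that request. The Oversized-message site is updated in this commit, but if another `goto error` exists outside these hunks it needs the same treatment; a short comment on the label, `/* callers must already have printed OK/ERR */`, would document the new rule. The surrounding loop body starts outside the hunk.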
@@ -40,17 +41,17 @@ Type 'make', then 'make install', then 'make clean'. -On Cygwin the default is to install 'nt_auth' into /usr/local/squid/libexec, +On Cygwin the default is to install 'win32_auth' into /usr/local/squid/libexec, with other Windows environments into c:/squid/libexec. Refer to Squid documentation for the required changes to squid.conf. You will need to set the following line to enable the authenticator: -auth_param basic program /usr/local/squid/libexec/nt_auth [options] +auth_param basic program /usr/local/squid/libexec/win32_auth [options] or -auth_param basic program c:/squid/libexec/nt_auth [options] +auth_param basic program c:/squid/libexec/win32_auth [options] You will need to set the following lines to enable authentication for your access list - @@ -58,7 +59,7 @@ acl proxy_auth REQUIRED http_access allow -You will need to specify the absolute path to nt_auth in the +You will need to specify the absolute path to win32_auth in the 'auth_param basic program' directive, and check the 'auth_param basic children' and 'auth_param basic credentialsttl'. @@ -68,7 +69,7 @@ ================== The Makefile assumes that GCC is in the current PATH. -NT_auth compile ONLY on Cygwin Environment, MinGW + MSYS Environment +win32_auth compile ONLY on Cygwin Environment, MinGW + MSYS Environment or MS VC++. 
@@ -76,7 +77,7 @@ Testing ======= -I strongly urge that NT_auth is tested prior to being used in a +I strongly urge that win32_auth is tested prior to being used in a production environment. It may behave differently on different platforms. To test it, run it from the command line. Enter username and password pairs separated by a space. Press ENTER to get an OK or ERR message. Index: squid3/helpers/basic_auth/win32_locallogon/valid.c =================================================================== RCS file: /cvsroot/squid-sf//squid3/helpers/basic_auth/win32_locallogon/Attic/valid.c,v retrieving revision 1.2.18.2 retrieving revision 1.2.18.3 diff -u -r1.2.18.2 -r1.2.18.3 --- squid3/helpers/basic_auth/win32_locallogon/valid.c 3 Jan 2004 16:20:44 -0000 1.2.18.2 +++ squid3/helpers/basic_auth/win32_locallogon/valid.c 14 Sep 2005 12:18:09 -0000 1.2.18.3 @@ -34,11 +34,15 @@ #if defined(_SQUID_CYGWIN_) #include #endif -#include -#include #include "valid.h" -char Default_NTDomain[256] = NTV_DEFAULT_DOMAIN; +char Default_NTDomain[DNLEN+1] = NTV_DEFAULT_DOMAIN; +const char * errormsg; + +const char NTV_SERVER_ERROR_MSG[] = "Internal server errror"; +const char NTV_GROUP_ERROR_MSG[] = "User not allowed to use this cache"; +const char NTV_LOGON_ERROR_MSG[] = "No such user or wrong password"; +const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/"; /* returns 1 on success, 0 on failure */ int 
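Review bot: `NTV_SERVER_ERROR_MSG` in valid.c is spelled `"Internal server errror"`; this string is sent back to Squid verbatim as `ERR Internal server errror` and logged, so it should read `"Internal server error"`. Also `const char * errormsg;` starts out NULL and is only assigned inside Valid_User; defining it as `const char * errormsg = NTV_SERVER_ERROR_MSG;` (placed after the message arrays) removes the chance of passing NULL to `printf("ERR %s\n", errormsg)` from any path that reports before Valid_User has run.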
@@ -111,21 +115,28 @@ /* Valid_User return codes - 0 - User authenticated successfully. 1 - Server error. - 2 - Protocol error. + 2 - Group membership error. 3 - Logon error; Incorrect password or username given. */ int Valid_User(char *UserName, char *Password, char *Group) { - int result = NTV_LOGON_ERROR; + int result = NTV_SERVER_ERROR; + size_t i; char NTDomain[256]; char *domain_qualify; char DomainUser[256]; char User[256]; - strcpy(NTDomain, UserName); - if ((domain_qualify = strchr(NTDomain, '\\')) == NULL) { + errormsg = NTV_SERVER_ERROR_MSG; + strncpy(NTDomain, UserName, sizeof(NTDomain)); + + for (i=0; i < strlen(NTV_VALID_DOMAIN_SEPARATOR); i++) { + if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[i])) != NULL) + break; + } + if (domain_qualify == NULL) { strcpy(User, NTDomain); strcpy(NTDomain, Default_NTDomain); } else { @@ -135,6 +146,8 @@ /* Log the client on to the local computer. */ if (!SSP_LogonUser(User, Password, NTDomain)) { result = NTV_LOGON_ERROR; + errormsg = NTV_LOGON_ERROR_MSG; + debug("%s\n", errormsg); } else { result = NTV_NO_ERROR; if (strcmp(NTDomain, NTV_DEFAULT_DOMAIN) == 0) 
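Review bot: `strncpy(NTDomain, UserName, sizeof(NTDomain));` does not NUL-terminate when UserName is 256 bytes or longer, and NTDomain is an uninitialized stack array, so the following `strchr` and `strcpy(User, NTDomain)` would read past it; whether UserName can be that long depends on the caller's buffer size, which this hunk does not show. Add `NTDomain[sizeof(NTDomain) - 1] = '\0';` right after the copy, or use `snprintf(NTDomain, sizeof(NTDomain), "%s", UserName);`. The separator loop also re-evaluates `strlen(NTV_VALID_DOMAIN_SEPARATOR)` on every iteration where `sizeof(NTV_VALID_DOMAIN_SEPARATOR) - 1` is a constant. Valid_User continues past the end of the hunk.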
@@ -146,12 +159,16 @@ } if (UseAllowedGroup) { if (!Valid_Group(DomainUser, NTAllowedGroup)) { - result = NTV_LOGON_ERROR; + result = NTV_GROUP_ERROR; + errormsg = NTV_GROUP_ERROR_MSG; + debug("%s\n", errormsg); } } if (UseDisallowedGroup) { if (Valid_Group(DomainUser, NTDisAllowedGroup)) { - result = NTV_LOGON_ERROR; + result = NTV_GROUP_ERROR; + errormsg = NTV_GROUP_ERROR_MSG; + debug("%s\n", errormsg); } } } Index: squid3/helpers/basic_auth/win32_locallogon/valid.h =================================================================== RCS file: /cvsroot/squid-sf//squid3/helpers/basic_auth/win32_locallogon/Attic/valid.h,v retrieving revision 1.2.18.3 retrieving revision 1.2.18.4 diff -u -r1.2.18.3 -r1.2.18.4 --- squid3/helpers/basic_auth/win32_locallogon/valid.h 10 Apr 2004 10:12:42 -0000 1.2.18.3 +++ squid3/helpers/basic_auth/win32_locallogon/valid.h 14 Sep 2005 12:18:09 -0000 1.2.18.4 @@ -2,7 +2,6 @@ NT_auth - Version 2.0 Modified to act as a Squid authenticator module. - Removed all Pike stuff. Returns OK for a successful authentication, or ERR upon error. Guido Serassio, Torino - Italy @@ -29,7 +28,20 @@ #ifndef _VALID_H_ #define _VALID_H_ +#ifdef _SQUID_CYGWIN_ +#include +#endif +#include #include "sspwin32.h" +#undef debug + +/************* CONFIGURATION ***************/ +/* + * define this if you want debugging + */ +#ifndef DEBUG +#define DEBUG +#endif #define safe_free(x) if (x) { free(x); x = NULL; } @@ -37,7 +49,7 @@ #define NTV_NO_ERROR 0 #define NTV_SERVER_ERROR 1 -#define NTV_PROTOCOL_ERROR 2 +#define NTV_GROUP_ERROR 2 #define NTV_LOGON_ERROR 3 #ifndef LOGON32_LOGON_NETWORK 
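Review bot: The new `#ifndef DEBUG` / `#define DEBUG` / `#endif` block in valid.h makes DEBUG unconditionally defined, so the comment `define this if you want debugging` and the `#ifdef DEBUG` guards around the debug machinery further down no longer describe a real choice; either drop the forced define and let the build set DEBUG, or reword the comment to say that debugging output is always compiled in and enabled at run time by `-d` via debug_enabled. The `#undef debug` just before it also deserves a one-line comment naming whose definition it discards (presumably one pulled in by sspwin32.h), since a reader cannot tell from this header alone.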
@@ -50,7 +62,45 @@ extern char * NTDisAllowedGroup; extern int UseDisallowedGroup; extern int UseAllowedGroup; -extern char Default_NTDomain[256]; +extern int debug_enabled; +extern char Default_NTDomain[DNLEN+1]; +extern const char * errormsg; + +#include + +/* Debugging stuff */ + +#ifdef __GNUC__ /* this is really a gcc-ism */ +#ifdef DEBUG +#include +#include +static char *__foo; +#define debug(X...) if (debug_enabled) { \ + fprintf(stderr,"nt_auth[%d](%s:%d): ", getpid(), \ + ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\ + __LINE__);\ + fprintf(stderr,X); } +#else /* DEBUG */ +#define debug(X...) /* */ +#endif /* DEBUG */ +#else /* __GNUC__ */ +static void +debug(char *format,...) +{ +#ifdef DEBUG +#ifdef _SQUID_MSWIN_ + if (debug_enabled) { + va_list args; + + va_start(args,format); + fprintf(stderr, "nt_auth[%d]: ",getpid()); + vfprintf(stderr, format, args); + va_end(args); + } +#endif /* _SQUID_MSWIN_ */ +#endif /* DEBUG */ +} +#endif /* __GNUC__ */ int Valid_User(char *,char *, char *); Index: squid3/port/win32/update.cmd =================================================================== RCS file: /cvsroot/squid-sf//squid3/port/win32/Attic/update.cmd,v retrieving revision 1.2.18.8 retrieving revision 1.2.18.9 diff -u -r1.2.18.8 -r1.2.18.9 --- squid3/port/win32/update.cmd 25 Apr 2005 12:13:54 -0000 1.2.18.8 +++ squid3/port/win32/update.cmd 14 Sep 2005 12:18:47 -0000 1.2.18.9 @@ -18,7 +18,7 @@ if exist %0\..\pinger\%1\pinger.exe copy %0\..\pinger\%1\pinger.exe %2\libexec\pinger.exe copy %0\..\squidclient\%1\squidclient.exe %2\bin\squidclient.exe copy %0\..\fake_auth\%1\fake_auth.exe %2\libexec\fakeauth_auth.exe -copy %0\..\nt_auth\%1\nt_auth.exe %2\libexec\nt_auth.exe +copy %0\..\nt_auth\%1\nt_auth.exe %2\libexec\win32_auth.exe copy %0\..\ncsa_auth\%1\ncsa_auth.exe %2\libexec\ncsa_auth.exe copy %0\..\ntlm_win32_auth\%1\ntlm_win32_auth.exe %2\libexec\win32_ntlm_auth.exe copy %0\..\ldap_auth\%1\ldap_auth.exe %2\libexec\squid_ldap_auth.exe
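Review bot: The gcc-branch `debug(X...)` macro expands to a bare `if (debug_enabled) { ... }`, so `if (cond) debug(...); else ...` binds the `else` to the macro's own `if`, and the helper `static char *__foo;` uses an identifier reserved for the implementation and is a file-scope static defined in a header (one unused copy per translation unit). Wrap the expansion in `do { ... } while (0)` and make the file-name temporary a block-local with an ordinary name, as below. The non-gcc `static void debug(char *format,...)` is likewise defined in the header and silently discards its arguments unless both DEBUG and _SQUID_MSWIN_ are set, which is worth a comment. The header continues past the end of the hunk.
```c
#ifdef DEBUG
/* … unchanged: the two #include lines … */
#define debug(X...) do { if (debug_enabled) { \
    const char *fname_ = strrchr(__FILE__, '/'); \
    fprintf(stderr, "nt_auth[%d](%s:%d): ", getpid(), \
            fname_ == NULL ? __FILE__ : fname_ + 1, __LINE__); \
    fprintf(stderr, X); } } while (0)
#else /* DEBUG */
#define debug(X...) do { } while (0)
#endif /* DEBUG */
/* … unchanged: non-gcc debug() function and Valid_User prototype … */
```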