auth_2ntlm_2Config_8cc_source.html

/*

 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors

 *

 * Squid software is distributed under GPLv2+ license and includes

 * contributions from numerous individuals and organizations.

 * Please see the COPYING and CONTRIBUTORS files for details.

 */


/* DEBUG: section 29    NTLM Authenticator */


/* The functions in this file handle authentication.

 * They DO NOT perform access control or auditing.

 * See acl.c for access control and client_side.c for auditing */


#include "squid.h"

#include "auth/Gadgets.h"

#include "auth/ntlm/Config.h"

#include "auth/ntlm/Scheme.h"

#include "auth/ntlm/User.h"

#include "auth/ntlm/UserRequest.h"

#include "auth/State.h"

#include "cache_cf.h"

#include "client_side.h"

#include "helper.h"

#include "http/Stream.h"

#include "HttpHeaderTools.h"

#include "HttpReply.h"

#include "HttpRequest.h"

#include "mgr/Registration.h"

#include "Store.h"

#include "wordlist.h"


/* NTLM Scheme */

static AUTHSSTATS authenticateNTLMStats;


Helper::StatefulClientPointer ntlmauthenticators;

static int authntlm_initialised = 0;


static hash_table *proxy_auth_cache = nullptr;


void

Auth::Ntlm::Config::rotateHelpers()

{

    /* schedule closure of existing helpers */

    if (ntlmauthenticators) {

        helperStatefulShutdown(ntlmauthenticators);

    }


    /* NP: dynamic helper restart will ensure they start up again as needed. */

}


/* free any allocated configuration details */

void

Auth::Ntlm::Config::done()

{

    Auth::SchemeConfig::done();


    authntlm_initialised = 0;


    if (ntlmauthenticators) {

        helperStatefulShutdown(ntlmauthenticators);

    }


    if (!shutting_down)

        return;


    ntlmauthenticators = nullptr;


    if (authenticateProgram)

        wordlistDestroy(&authenticateProgram);


    debugs(29, DBG_IMPORTANT, "Reconfigure: NTLM authentication configuration cleared.");

}


const char *

Auth::Ntlm::Config::type() const

{

    return Auth::Ntlm::Scheme::GetInstance()->type();

}


/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the

 * config file */

void

Auth::Ntlm::Config::init(Auth::SchemeConfig *)

{

    if (authenticateProgram) {


        authntlm_initialised = 1;


        if (ntlmauthenticators == nullptr)

            ntlmauthenticators = statefulhelper::Make("ntlmauthenticator");


        if (!proxy_auth_cache)

            proxy_auth_cache = hash_create((HASHCMP *) strcmp, 7921, hash_string);


        assert(proxy_auth_cache);


        ntlmauthenticators->cmdline = authenticateProgram;


        ntlmauthenticators->childs.updateLimits(authenticateChildren);


        ntlmauthenticators->ipc_type = IPC_STREAM;


        ntlmauthenticators->openSessions();

    }

}


void

Auth::Ntlm::Config::registerWithCacheManager(void)

{

    Mgr::RegisterAction("ntlmauthenticator",

                        "NTLM User Authenticator Stats",

                        authenticateNTLMStats, 0, 1);

}


bool

Auth::Ntlm::Config::active() const

{

    return authntlm_initialised == 1;

}


/* NTLM Scheme */


void

Auth::Ntlm::Config::fixHeader(Auth::UserRequest::Pointer auth_user_request, HttpReply *rep, Http::HdrType hdrType, HttpRequest * request)

{

    if (!authenticateProgram)

        return;


    /* Need keep-alive */

    if (!request->flags.proxyKeepalive && request->flags.mustKeepalive)

        return;


    /* New request, no user details */

    if (auth_user_request == nullptr) {

        debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM'");

        httpHeaderPutStrf(&rep->header, hdrType, "NTLM");


        if (!keep_alive) {

            /* drop the connection */

            request->flags.proxyKeepalive = false;

        }

    } else {

        Auth::Ntlm::UserRequest *ntlm_request = dynamic_cast<Auth::Ntlm::UserRequest *>(auth_user_request.getRaw());

        assert(ntlm_request != nullptr);


        switch (ntlm_request->user()->credentials()) {


        case Auth::Failed:

            /* here it makes sense to drop the connection, as auth is

             * tied to it, even if MAYBE the client could handle it - Kinkie */

            request->flags.proxyKeepalive = false;

            [[fallthrough]];


        case Auth::Ok:

            /* Special case: authentication finished OK but disallowed by ACL.

             * Need to start over to give the client another chance.

             */

            [[fallthrough]];


        case Auth::Unchecked:

            /* semantic change: do not drop the connection.

             * 2.5 implementation used to keep it open - Kinkie */

            debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM'");

            httpHeaderPutStrf(&rep->header, hdrType, "NTLM");

            break;


        case Auth::Handshake:

            /* we're waiting for a response from the client. Pass it the blob */

            debugs(29, 9, "Sending type:" << hdrType << " header: 'NTLM " << ntlm_request->server_blob << "'");

            httpHeaderPutStrf(&rep->header, hdrType, "NTLM %s", ntlm_request->server_blob);

            safe_free(ntlm_request->server_blob);

            break;


        default:

            debugs(29, DBG_CRITICAL, "NTLM Auth fixHeader: state " << ntlm_request->user()->credentials() << ".");

            fatal("unexpected state in AuthenticateNTLMFixErrorHeader.\n");

        }

    }

}


static void


authenticateNTLMStats(StoreEntry * sentry)

{

    if (ntlmauthenticators)

        ntlmauthenticators->packStatsInto(sentry, "NTLM Authenticator Statistics");

}


/*

 * Decode a NTLM [Proxy-]Auth string, placing the results in the passed

 * Auth_user structure.

 */

Auth::UserRequest::Pointer

Auth::Ntlm::Config::decode(char const *proxy_auth, const HttpRequest *, const char *aRequestRealm)

{

    Auth::Ntlm::User *newUser = new Auth::Ntlm::User(Auth::SchemeConfig::Find("ntlm"), aRequestRealm);

    Auth::UserRequest::Pointer auth_user_request = new Auth::Ntlm::UserRequest();

    assert(auth_user_request->user() == nullptr);


    auth_user_request->user(newUser);

    auth_user_request->user()->auth_type = Auth::AUTH_NTLM;


    auth_user_request->user()->BuildUserKey(proxy_auth, aRequestRealm);


    /* all we have to do is identify that it's NTLM - the helper does the rest */

    debugs(29, 9, "decode: NTLM authentication");

    return auth_user_request;

}


httpHeaderPutStrf
void httpHeaderPutStrf(HttpHeader *hdr, Http::HdrType id, const char *fmt,...)
Definition HttpHeaderTools.cc:25

HttpHeaderTools.h

HttpReply.h

HttpRequest.h

Registration.h

State.h

Store.h

assert
#define assert(EX)
Definition assert.h:17

Gadgets.h

AUTHSSTATS
void AUTHSSTATS(StoreEntry *)
Definition Gadgets.h:21

proxy_auth_cache
static hash_table * proxy_auth_cache
Definition Config.cc:39

authenticateNTLMStats
static AUTHSSTATS authenticateNTLMStats
Definition Config.cc:34

ntlmauthenticators
Helper::StatefulClientPointer ntlmauthenticators
Definition Config.cc:36

authntlm_initialised
static int authntlm_initialised
Definition Config.cc:37

Config.h

cache_cf.h

Auth::SchemeConfig
Definition SchemeConfig.h:47

Auth::SchemeConfig::done
virtual void done()
Definition SchemeConfig.cc:175

Auth::SchemeConfig::Find
static SchemeConfig * Find(const char *proxy_auth)
Definition SchemeConfig.cc:59

Auth::UserRequest::user
virtual User::Pointer user()
Definition UserRequest.h:143

Helper::ChildConfig::updateLimits
ChildConfig & updateLimits(const ChildConfig &rhs)
Definition ChildConfig.cc:45

Helper::Client::packStatsInto
void packStatsInto(Packable *p, const char *label=nullptr) const
Dump some stats about the helper state to a Packable object.
Definition helper.cc:695

Helper::Client::childs
ChildConfig childs
Configuration settings for number running.
Definition helper.h:119

Helper::Client::cmdline
wordlist * cmdline
Definition helper.h:115

Helper::Client::ipc_type
int ipc_type
Definition helper.h:120

HttpReply
Definition HttpReply.h:25

HttpRequest
Definition HttpRequest.h:49

HttpRequest::flags
RequestFlags flags
Definition HttpRequest.h:141

Http::Message::header
HttpHeader header
Definition Message.h:74

RefCount< statefulhelper >

RefCount::getRaw
C * getRaw() const
Definition RefCount.h:89

RequestFlags::mustKeepalive
bool mustKeepalive
Definition RequestFlags.h:83

RequestFlags::proxyKeepalive
bool proxyKeepalive
Definition RequestFlags.h:42

StoreEntry
Definition Store.h:38

hash_table
Definition hash.h:23

statefulhelper::Make
static Pointer Make(const char *name)
Definition helper.cc:764

statefulhelper::openSessions
void openSessions() override
Definition helper.cc:328

client_side.h

DBG_IMPORTANT
#define DBG_IMPORTANT
Definition Stream.h:38

debugs
#define debugs(SECTION, LEVEL, CONTENT)
Definition Stream.h:192

DBG_CRITICAL
#define DBG_CRITICAL
Definition Stream.h:37

IPC_STREAM
#define IPC_STREAM
Definition defines.h:104

fatal
void fatal(const char *message)
Definition fatal.cc:28

shutting_down
int shutting_down
Definition testConfigParser.cc:32

hash_string
HASHHASH hash_string
Definition hash.h:45

hash_create
hash_table * hash_create(HASHCMP *, int, HASHHASH *)
Definition hash.cc:108

HASHCMP
int HASHCMP(const void *, const void *)
Definition hash.h:13

helperStatefulShutdown
void helperStatefulShutdown(const statefulhelper::Pointer &hlp)
Definition helper.cc:809

Stream.h

Auth::AUTH_NTLM
@ AUTH_NTLM
Definition Type.h:20

Auth::Failed
@ Failed
Definition CredentialState.h:20

Auth::Unchecked
@ Unchecked
Definition CredentialState.h:16

Auth::Ok
@ Ok
Definition CredentialState.h:17

Auth::Handshake
@ Handshake
Definition CredentialState.h:19

Http::HdrType
HdrType
Definition RegisteredHeaders.h:21

Mgr::RegisterAction
void RegisterAction(char const *action, char const *desc, OBJH *handler, Protected, Atomic, Format)
Definition Registration.cc:54

Scheme.h

UserRequest.h

User.h

squid.h

wordlistDestroy
void wordlistDestroy(wordlist **list)
destroy a wordlist
Definition wordlist.cc:16

wordlist.h

safe_free
#define safe_free(x)
Definition xalloc.h:73