ext_ad_group_acl.cc

Go to the documentation of this file.

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
 
/*
 * ext_ad_group_acl: lookup group membership in a Windows
 * Active Directory domain
 *
 * (C)2008-2009 Guido Serassio - Acme Consulting S.r.l.
 *
 * Authors:
 *  Guido Serassio <guido.serassio@acmeconsulting.it>
 *  Acme Consulting S.r.l., Italy <http://www.acmeconsulting.it>
 *
 * With contributions from others mentioned in the change history section
 * below.
 *
 * Based on mswin_check_lm_group by Guido Serassio.
 *
 * Dependencies: Windows 2000 SP4 and later.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 * History:
 *
 * Version 2.1
 * 20-09-2009 Guido Serassio
 *              Added explicit Global Catalog query
 *
 * Version 2.0
 * 20-07-2009 Guido Serassio
 *              Global groups support rewritten, now is based on ADSI.
 *              New Features:
 *              - support for Domain Local, Domain Global ad Universal
 *                groups
 *              - full group nesting support
 * Version 1.0
 * 02-05-2008 Guido Serassio
 *              First release, based on mswin_check_lm_group.
 *
 * This is a helper for the external ACL interface for Squid Cache
 *
 * It reads from the standard input the domain username and a list of
 * groups and tries to match it against the groups membership of the
 * specified username.
 *
 * Returns `OK' if the user belongs to a group or `ERR' otherwise, as
 * described on http://devel.squid-cache.org/external_acl/config.html
 *
 */
 
#include "squid.h"
#include "helper/protocol_defines.h"
#include "include/util.h"
#include "rfc1738.h"
 
#if _SQUID_CYGWIN_
#include <cwchar>
int _wcsicmp(const wchar_t *, const wchar_t *);
#endif
 
#undef assert
#include <cassert>
#include <cctype>
#include <cstring>
 
#if HAVE_GETOPT_H
#include <getopt.h>
#endif
#if HAVE_OBJBASE_H
#include <objbase.h>
#endif
#if HAVE_INITGUID_H
#include <initguid.h>
#endif
#if HAVE_ADSIID_H
#include <adsiid.h>
#endif
#if HAVE_IADS_H
#include <iads.h>
#endif
#if HAVE_ADSHLP_H
#include <adshlp.h>
#endif
#if HAVE_ADSERR_H
#include <adserr.h>
#endif
#if HAVE_LM_H
#include <lm.h>
#endif
#if HAVE_DSROLE_H
#include <dsrole.h>
#endif
#if HAVE_SDDL_H
#include <sddl.h>
#endif
 
enum ADSI_PATH {
    LDAP_MODE,
    GC_MODE
} ADSI_Path;
 
int use_global = 0;
char *program_name;
pid_t mypid;
char *machinedomain;
int use_case_insensitive_compare = 0;
char *DefaultDomain = nullptr;
const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/";
int numberofgroups = 0;
int WIN32_COM_initialized = 0;
char *WIN32_ErrorMessage = nullptr;
wchar_t **User_Groups;
int User_Groups_Count = 0;
 
static wchar_t *My_NameTranslate(wchar_t *, int, int);
static char *Get_WIN32_ErrorMessage(HRESULT);
 
static void
CloseCOM(void)
{
    if (WIN32_COM_initialized == 1)
        CoUninitialize();
}
 
static HRESULT
GetLPBYTEtoOctetString(VARIANT * pVar, LPBYTE * ppByte)
{
    HRESULT hr = E_FAIL;
    void HUGEP *pArray;
    long lLBound, lUBound, cElements;
 
    if ((!pVar) || (!ppByte))
        return E_INVALIDARG;
    if ((pVar->vt) != (VT_UI1 | VT_ARRAY))
        return E_INVALIDARG;
 
    hr = SafeArrayGetLBound(V_ARRAY(pVar), 1, &lLBound);
    hr = SafeArrayGetUBound(V_ARRAY(pVar), 1, &lUBound);
 
    cElements = lUBound - lLBound + 1;
    hr = SafeArrayAccessData(V_ARRAY(pVar), &pArray);
    if (SUCCEEDED(hr)) {
        LPBYTE pTemp = (LPBYTE) pArray;
        *ppByte = (LPBYTE) CoTaskMemAlloc(cElements);
        if (*ppByte)
            memcpy(*ppByte, pTemp, cElements);
        else
            hr = E_OUTOFMEMORY;
    }
    SafeArrayUnaccessData(V_ARRAY(pVar));
 
    return hr;
}
 
static wchar_t *
Get_primaryGroup(IADs * pUser)
{
    HRESULT hr;
    VARIANT var;
    unsigned User_primaryGroupID;
    char tmpSID[SECURITY_MAX_SID_SIZE * 2];
    wchar_t *wc = nullptr, *result = nullptr;
    int wcsize;
 
    VariantInit(&var);
 
    /* Get the primaryGroupID property */
    static const auto primaryGroupIdStr = SysAllocString(L"primaryGroupID");
    hr = pUser->Get(primaryGroupIdStr, &var);
    if (SUCCEEDED(hr)) {
        User_primaryGroupID = var.uintVal;
    } else {
        debug("Get_primaryGroup: cannot get primaryGroupID, ERROR: %s\n", Get_WIN32_ErrorMessage(hr));
        VariantClear(&var);
        return result;
    }
    VariantClear(&var);
 
    /*Get the objectSid property */
    static const auto objectSidStr = SysAllocString(L"objectSid");
    hr = pUser->Get(objectSidStr, &var);
    if (SUCCEEDED(hr)) {
        PSID pObjectSID;
        LPBYTE pByte = nullptr;
        char *szSID = nullptr;
        hr = GetLPBYTEtoOctetString(&var, &pByte);
 
        pObjectSID = (PSID) pByte;
 
        /* Convert SID to string. */
        ConvertSidToStringSid(pObjectSID, &szSID);
        CoTaskMemFree(pByte);
 
        *(strrchr(szSID, '-') + 1) = '\0';
        snprintf(tmpSID, sizeof(tmpSID)-1, "%s%u", szSID, User_primaryGroupID);
 
        wcsize = MultiByteToWideChar(CP_ACP, 0, tmpSID, -1, wc, 0);
        wc = (wchar_t *) xmalloc(wcsize * sizeof(wchar_t));
        MultiByteToWideChar(CP_ACP, 0, tmpSID, -1, wc, wcsize);
        LocalFree(szSID);
 
        result = My_NameTranslate(wc, ADS_NAME_TYPE_SID_OR_SID_HISTORY_NAME, ADS_NAME_TYPE_1779);
        safe_free(wc);
 
        if (!result)
            debug("Get_primaryGroup: cannot get DN for %s.\n", tmpSID);
        else
            debug("Get_primaryGroup: Primary group DN: %S.\n", result);
    } else {
        debug("Get_primaryGroup: cannot get objectSid, ERROR: %s\n", Get_WIN32_ErrorMessage(hr));
    }
    VariantClear(&var);
    return result;
}
 
static char *
Get_WIN32_ErrorMessage(HRESULT hr)
{
    FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM |
                  FORMAT_MESSAGE_IGNORE_INSERTS,
                  nullptr,
                  hr,
                  MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                  (LPTSTR) & WIN32_ErrorMessage,
                  0,
                  nullptr);
    return WIN32_ErrorMessage;
}
 
static wchar_t *
My_NameTranslate(wchar_t * name, int in_format, int out_format)
{
    IADsNameTranslate *pNto;
    HRESULT hr;
    wchar_t *wc;
 
    if (WIN32_COM_initialized == 0) {
        hr = CoInitialize(nullptr);
        if (FAILED(hr)) {
            debug("My_NameTranslate: cannot initialize COM interface, ERROR: %s\n", Get_WIN32_ErrorMessage(hr));
            /* This is a fatal error */
            exit(EXIT_FAILURE);
        }
        WIN32_COM_initialized = 1;
    }
    hr = CoCreateInstance(CLSID_NameTranslate,
                          nullptr,
                          CLSCTX_INPROC_SERVER,
                          IID_IADsNameTranslate,
                          (void **) &pNto);
    if (FAILED(hr)) {
        debug("My_NameTranslate: cannot create COM instance, ERROR: %s\n", Get_WIN32_ErrorMessage(hr));
        /* This is a fatal error */
        exit(EXIT_FAILURE);
    }
    static const auto emptyStr = SysAllocString(L"");
    hr = pNto->Init(ADS_NAME_INITTYPE_GC, emptyStr);
    if (FAILED(hr)) {
        debug("My_NameTranslate: cannot initialise NameTranslate API, ERROR: %s\n", Get_WIN32_ErrorMessage(hr));
        pNto->Release();
        /* This is a fatal error */
        exit(EXIT_FAILURE);
    }
    hr = pNto->Set(in_format, name);
    if (FAILED(hr)) {
        debug("My_NameTranslate: cannot set translate of %S, ERROR: %s\n", name, Get_WIN32_ErrorMessage(hr));
        pNto->Release();
        return nullptr;
    }
    BSTR bstr;
    hr = pNto->Get(out_format, &bstr);
    if (FAILED(hr)) {
        debug("My_NameTranslate: cannot get translate of %S, ERROR: %s\n", name, Get_WIN32_ErrorMessage(hr));
        pNto->Release();
        return nullptr;
    }
    debug("My_NameTranslate: %S translated to %S\n", name, bstr);
 
    wc = (wchar_t *) xmalloc((wcslen(bstr) + 1) * sizeof(wchar_t));
    wcscpy(wc, bstr);
    SysFreeString(bstr);
    pNto->Release();
    return wc;
}
 
static wchar_t *
GetLDAPPath(wchar_t * Base_DN, int query_mode)
{
    wchar_t *wc;
 
    wc = (wchar_t *) xmalloc((wcslen(Base_DN) + 8) * sizeof(wchar_t));
 
    if (query_mode == LDAP_MODE)
        wcscpy(wc, L"LDAP://");
    else
        wcscpy(wc, L"GC://");
    wcscat(wc, Base_DN);
 
    return wc;
}
 
static char *
GetDomainName(void)
{
    static char *DomainName = nullptr;
    PDSROLE_PRIMARY_DOMAIN_INFO_BASIC pDSRoleInfo = nullptr;
    DWORD netret;
 
    if ((netret = DsRoleGetPrimaryDomainInformation(nullptr, DsRolePrimaryDomainInfoBasic, (PBYTE *) & pDSRoleInfo)) == ERROR_SUCCESS) {
        /*
         * Check the machine role.
         */
 
        if ((pDSRoleInfo->MachineRole == DsRole_RoleMemberWorkstation) ||
                (pDSRoleInfo->MachineRole == DsRole_RoleMemberServer) ||
                (pDSRoleInfo->MachineRole == DsRole_RoleBackupDomainController) ||
                (pDSRoleInfo->MachineRole == DsRole_RolePrimaryDomainController)) {
 
            size_t len = wcslen(pDSRoleInfo->DomainNameFlat);
 
            /* allocate buffer for str + null termination */
            safe_free(DomainName);
            DomainName = (char *) xmalloc(len + 1);
 
            /* copy unicode buffer */
            WideCharToMultiByte(CP_ACP, 0, pDSRoleInfo->DomainNameFlat, -1, DomainName, len, nullptr, nullptr);
 
            /* add null termination */
            DomainName[len] = '\0';
 
            /*
             * Member of a domain. Display it in debug mode.
             */
            debug("Member of Domain %s\n", DomainName);
            debug("Into forest %S\n", pDSRoleInfo->DomainForestName);
 
        } else {
            debug("Not a Domain member\n");
        }
    } else {
        debug("GetDomainName: ERROR DsRoleGetPrimaryDomainInformation returned: %s\n", Get_WIN32_ErrorMessage(netret));
    }
 
    /*
     * Free the allocated memory.
     */
    if (pDSRoleInfo)
        DsRoleFreeMemory(pDSRoleInfo);
 
    return DomainName;
}
 
static int
add_User_Group(wchar_t * Group)
{
    wchar_t **array;
 
    if (User_Groups_Count == 0) {
        User_Groups = (wchar_t **) xmalloc(sizeof(wchar_t *));
        *User_Groups = nullptr;
        ++User_Groups_Count;
    }
    array = User_Groups;
    while (*array) {
        if (wcscmp(Group, *array) == 0)
            return 0;
        ++array;
    }
    User_Groups = (wchar_t **) xrealloc(User_Groups, sizeof(wchar_t *) * (User_Groups_Count + 1));
    User_Groups[User_Groups_Count] = nullptr;
    User_Groups[User_Groups_Count - 1] = (wchar_t *) xmalloc((wcslen(Group) + 1) * sizeof(wchar_t));
    wcscpy(User_Groups[User_Groups_Count - 1], Group);
    ++User_Groups_Count;
 
    return 1;
}
 
/* returns true on match, false if no match */
/* TODO: convert to std::containers */
static bool
wStrIsInArray(const wchar_t * str, wchar_t ** array)
{
    if (!array)
        return false;
    while (*array) {
        debug("Windows group: %S, Squid group: %S\n", str, *array);
        if (wcscmp(str, *array) == 0)
            return true;
        ++array;
    }
    return false;
}
 
/* returns 0 on match, -1 if no match */
static int
wcstrcmparray(const wchar_t * str, const char **array)
{
    WCHAR wszGroup[GNLEN + 1];  // Unicode Group
 
    while (*array) {
        MultiByteToWideChar(CP_ACP, 0, *array,
                            strlen(*array) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));
        debug("Windows group: %S, Squid group: %S\n", str, wszGroup);
        if ((use_case_insensitive_compare ? _wcsicmp(str, wszGroup) : wcscmp(str, wszGroup)) == 0)
            return 0;
        ++array;
    }
    return -1;
}
 
static HRESULT
Recursive_Memberof(IADs * pObj)
{
    VARIANT var;
    long lBound, uBound;
    HRESULT hr;
 
    VariantInit(&var);
    static const auto memberOfStr = SysAllocString(L"memberOf");
    hr = pObj->Get(memberOfStr, &var);
    if (SUCCEEDED(hr)) {
        if (VT_BSTR == var.vt) {
            if (add_User_Group(var.bstrVal)) {
                wchar_t *Group_Path;
                IADs *pGrp;
 
                Group_Path = GetLDAPPath(var.bstrVal, GC_MODE);
                hr = ADsGetObject(Group_Path, IID_IADs, (void **) &pGrp);
                if (SUCCEEDED(hr)) {
                    hr = Recursive_Memberof(pGrp);
                    pGrp->Release();
                    safe_free(Group_Path);
                    Group_Path = GetLDAPPath(var.bstrVal, LDAP_MODE);
                    hr = ADsGetObject(Group_Path, IID_IADs, (void **) &pGrp);
                    if (SUCCEEDED(hr)) {
                        hr = Recursive_Memberof(pGrp);
                        pGrp->Release();
                    } else {
                        debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
                    }
                } else {
                    debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
                }
                safe_free(Group_Path);
            }
        } else {
            if (SUCCEEDED(SafeArrayGetLBound(V_ARRAY(&var), 1, &lBound)) &&
                    SUCCEEDED(SafeArrayGetUBound(V_ARRAY(&var), 1, &uBound))) {
                VARIANT elem;
                while (lBound <= uBound) {
                    hr = SafeArrayGetElement(V_ARRAY(&var), &lBound, &elem);
                    if (SUCCEEDED(hr)) {
                        if (add_User_Group(elem.bstrVal)) {
                            wchar_t *Group_Path;
                            IADs *pGrp;
 
                            Group_Path = GetLDAPPath(elem.bstrVal, GC_MODE);
                            hr = ADsGetObject(Group_Path, IID_IADs, (void **) &pGrp);
                            if (SUCCEEDED(hr)) {
                                hr = Recursive_Memberof(pGrp);
                                pGrp->Release();
                                safe_free(Group_Path);
                                Group_Path = GetLDAPPath(elem.bstrVal, LDAP_MODE);
                                hr = ADsGetObject(Group_Path, IID_IADs, (void **) &pGrp);
                                if (SUCCEEDED(hr)) {
                                    hr = Recursive_Memberof(pGrp);
                                    pGrp->Release();
                                    safe_free(Group_Path);
                                } else {
                                    debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
                                }
                            } else {
                                debug("Recursive_Memberof: ERROR ADsGetObject for %S failed: %s\n", Group_Path, Get_WIN32_ErrorMessage(hr));
                            }
                            safe_free(Group_Path);
                        }
                        VariantClear(&elem);
                    } else {
                        debug("Recursive_Memberof: ERROR SafeArrayGetElement failed: %s\n", Get_WIN32_ErrorMessage(hr));
                        VariantClear(&elem);
                    }
                    ++lBound;
                }
            } else {
                debug("Recursive_Memberof: ERROR SafeArrayGetxBound failed: %s\n", Get_WIN32_ErrorMessage(hr));
            }
        }
        VariantClear(&var);
    } else {
        if (hr != E_ADS_PROPERTY_NOT_FOUND)
            debug("Recursive_Memberof: ERROR getting memberof attribute: %s\n", Get_WIN32_ErrorMessage(hr));
    }
    return hr;
}
 
static wchar_t **
build_groups_DN_array(const char **array, char *userdomain)
{
    wchar_t *wc = nullptr;
    int wcsize;
    int source_group_format;
    char Group[GNLEN + 1];
 
    wchar_t **wc_array, **entry;
 
    entry = wc_array = (wchar_t **) xmalloc((numberofgroups + 1) * sizeof(wchar_t *));
 
    while (*array) {
        if (strchr(*array, '/')) {
            xstrncpy(Group, *array, GNLEN);
            source_group_format = ADS_NAME_TYPE_CANONICAL;
        } else {
            source_group_format = ADS_NAME_TYPE_NT4;
            if (!strchr(*array, '\\')) {
                strcpy(Group, userdomain);
                strcat(Group, "\\");
                strncat(Group, *array, GNLEN - sizeof(userdomain) - 1);
            } else
                xstrncpy(Group, *array, GNLEN);
        }
 
        wcsize = MultiByteToWideChar(CP_ACP, 0, Group, -1, wc, 0);
        wc = (wchar_t *) xmalloc(wcsize * sizeof(wchar_t));
        MultiByteToWideChar(CP_ACP, 0, Group, -1, wc, wcsize);
        *entry = My_NameTranslate(wc, source_group_format, ADS_NAME_TYPE_1779);
        safe_free(wc);
        ++array;
        if (!*entry) {
            debug("build_groups_DN_array: cannot get DN for '%s'.\n", Group);
            continue;
        }
        ++entry;
    }
    *entry = nullptr;
    return wc_array;
}
 
/* returns 1 on success, 0 on failure */
static int
Valid_Local_Groups(char *UserName, const char **Groups)
{
    int result = 0;
    char *Domain_Separator;
    WCHAR wszUserName[UNLEN + 1];   /* Unicode user name */
 
    LPLOCALGROUP_USERS_INFO_0 pBuf;
    LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
    DWORD dwLevel = 0;
    DWORD dwFlags = LG_INCLUDE_INDIRECT;
    DWORD dwPrefMaxLen = -1;
    DWORD dwEntriesRead = 0;
    DWORD dwTotalEntries = 0;
    NET_API_STATUS nStatus;
    DWORD i;
    DWORD dwTotalCount = 0;
    LPBYTE pBufTmp = nullptr;
 
    if ((Domain_Separator = strchr(UserName, '/')))
        *Domain_Separator = '\\';
 
    debug("Valid_Local_Groups: checking group membership of '%s'.\n", UserName);
 
    /* Convert ANSI User Name and Group to Unicode */
 
    MultiByteToWideChar(CP_ACP, 0, UserName,
                        strlen(UserName) + 1, wszUserName, sizeof(wszUserName) / sizeof(wszUserName[0]));
 
    /*
     * Call the NetUserGetLocalGroups function
     * specifying information level 0.
     *
     * The LG_INCLUDE_INDIRECT flag specifies that the
     * function should also return the names of the local
     * groups in which the user is indirectly a member.
     */
    nStatus = NetUserGetLocalGroups(nullptr,
                                    wszUserName,
                                    dwLevel,
                                    dwFlags,
                                    &pBufTmp,
                                    dwPrefMaxLen,
                                    &dwEntriesRead,
                                    &dwTotalEntries);
    pBuf = (LPLOCALGROUP_USERS_INFO_0) pBufTmp;
    /*
     * If the call succeeds,
     */
    if (nStatus == NERR_Success) {
        if ((pTmpBuf = pBuf)) {
            for (i = 0; i < dwEntriesRead; ++i) {
                if (!pTmpBuf) {
                    result = 0;
                    break;
                }
                if (wcstrcmparray(pTmpBuf->lgrui0_name, Groups) == 0) {
                    result = 1;
                    break;
                }
                ++pTmpBuf;
                ++dwTotalCount;
            }
        }
    } else {
        debug("Valid_Local_Groups: ERROR NetUserGetLocalGroups returned: %s\n", Get_WIN32_ErrorMessage(nStatus));
        result = 0;
    }
    /*
     * Free the allocated memory.
     */
    if (pBuf)
        NetApiBufferFree(pBuf);
    return result;
}
 
/* returns 1 on success, 0 on failure */
static int
Valid_Global_Groups(char *UserName, const char **Groups)
{
    int result = 0;
    WCHAR wszUser[DNLEN + UNLEN + 2];   /* Unicode user name */
    char NTDomain[DNLEN + UNLEN + 2];
 
    char *domain_qualify = nullptr;
    char User[DNLEN + UNLEN + 2];
    size_t j;
 
    wchar_t *User_DN = nullptr, *User_LDAP_path = nullptr;
    wchar_t *User_PrimaryGroup = nullptr;
    IADs *pUser;
    HRESULT hr;
 
    xstrncpy(NTDomain, UserName, sizeof(NTDomain));
 
    for (j = 0; j < strlen(NTV_VALID_DOMAIN_SEPARATOR); ++j) {
        if ((domain_qualify = strchr(NTDomain, NTV_VALID_DOMAIN_SEPARATOR[j])))
            break;
    }
    if (!domain_qualify) {
        xstrncpy(User, DefaultDomain, DNLEN);
        strcat(User, "\\");
        strncat(User, UserName, UNLEN);
        xstrncpy(NTDomain, DefaultDomain, DNLEN);
    } else {
        domain_qualify[0] = '\\';
        xstrncpy(User, NTDomain, DNLEN + UNLEN + 2);
        domain_qualify[0] = '\0';
    }
 
    debug("Valid_Global_Groups: checking group membership of '%s'.\n", User);
 
    /* Convert ANSI User Name to Unicode */
 
    MultiByteToWideChar(CP_ACP, 0, User,
                        strlen(User) + 1, wszUser,
                        sizeof(wszUser) / sizeof(wszUser[0]));
 
    /* Get CN of User */
    if (!(User_DN = My_NameTranslate(wszUser, ADS_NAME_TYPE_NT4, ADS_NAME_TYPE_1779))) {
        debug("Valid_Global_Groups: cannot get DN for '%s'.\n", User);
        return result;
    }
    auto wszGroups = build_groups_DN_array(Groups, NTDomain);
 
    User_LDAP_path = GetLDAPPath(User_DN, GC_MODE);
 
    hr = ADsGetObject(User_LDAP_path, IID_IADs, (void **) &pUser);
    if (SUCCEEDED(hr)) {
        wchar_t *User_PrimaryGroup_Path;
        IADs *pGrp;
 
        User_PrimaryGroup = Get_primaryGroup(pUser);
        if (!User_PrimaryGroup) {
            debug("Valid_Global_Groups: cannot get Primary Group for '%s'.\n", User);
        } else {
            add_User_Group(User_PrimaryGroup);
            User_PrimaryGroup_Path = GetLDAPPath(User_PrimaryGroup, GC_MODE);
            hr = ADsGetObject(User_PrimaryGroup_Path, IID_IADs, (void **) &pGrp);
            if (SUCCEEDED(hr)) {
                hr = Recursive_Memberof(pGrp);
                pGrp->Release();
                safe_free(User_PrimaryGroup_Path);
                User_PrimaryGroup_Path = GetLDAPPath(User_PrimaryGroup, LDAP_MODE);
                hr = ADsGetObject(User_PrimaryGroup_Path, IID_IADs, (void **) &pGrp);
                if (SUCCEEDED(hr)) {
                    hr = Recursive_Memberof(pGrp);
                    pGrp->Release();
                } else {
                    debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_PrimaryGroup_Path, Get_WIN32_ErrorMessage(hr));
                }
            } else {
                debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_PrimaryGroup_Path, Get_WIN32_ErrorMessage(hr));
            }
            safe_free(User_PrimaryGroup_Path);
        }
        hr = Recursive_Memberof(pUser);
        pUser->Release();
        safe_free(User_LDAP_path);
        User_LDAP_path = GetLDAPPath(User_DN, LDAP_MODE);
        hr = ADsGetObject(User_LDAP_path, IID_IADs, (void **) &pUser);
        if (SUCCEEDED(hr)) {
            hr = Recursive_Memberof(pUser);
            pUser->Release();
        } else {
            debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_LDAP_path, Get_WIN32_ErrorMessage(hr));
        }
 
        auto tmp = User_Groups;
        while (*tmp) {
            if (wStrIsInArray(*tmp, wszGroups)) {
                result = 1;
                break;
            }
            ++tmp;
        }
    } else {
        debug("Valid_Global_Groups: ADsGetObject for %S failed, ERROR: %s\n", User_LDAP_path, Get_WIN32_ErrorMessage(hr));
    }
 
    safe_free(User_DN);
    safe_free(User_LDAP_path);
    safe_free(User_PrimaryGroup);
    auto tmp = wszGroups;
    while (*tmp) {
        safe_free(*tmp);
        ++tmp;
    }
    safe_free(wszGroups);
 
    tmp = User_Groups;
    while (*tmp) {
        safe_free(*tmp);
        ++tmp;
    }
    safe_free(User_Groups);
    User_Groups_Count = 0;
 
    return result;
}
 
static void
usage(const char *program)
{
    fprintf(stderr, "Usage: %s [-D domain][-G][-c][-d][-h]\n"
            " -D    default user Domain\n"
            " -G    enable Active Directory Global group mode\n"
            " -c    use case insensitive compare (local mode only)\n"
            " -d    enable debugging\n"
            " -h    this message\n",
            program);
}
 
static void
process_options(int argc, char *argv[])
{
    int opt;
 
    opterr = 0;
    while (-1 != (opt = getopt(argc, argv, "D:Gcdh"))) {
        switch (opt) {
        case 'D':
            DefaultDomain = xstrndup(optarg, DNLEN + 1);
            strlwr(DefaultDomain);
            break;
        case 'G':
            use_global = 1;
            break;
        case 'c':
            use_case_insensitive_compare = 1;
            break;
        case 'd':
            debug_enabled = 1;
            break;
        case 'h':
            usage(argv[0]);
            exit(EXIT_SUCCESS);
        case '?':
            opt = optopt;
            [[fallthrough]];
        default:
            fprintf(stderr, "%s: FATAL: Unknown option: -%c. Exiting\n", program_name, opt);
            usage(argv[0]);
            exit(EXIT_FAILURE);
            break;      /* not reached */
        }
    }
}
 
int
main(int argc, char *argv[])
{
    char *p;
    char buf[HELPER_INPUT_BUFFER];
    char *username;
    char *group;
    const char *groups[512];
    int n;
 
    assert(argc > 0);
    program_name = strrchr(argv[0], '/');
    if (!program_name)
        program_name = argv[0];
    mypid = getpid();
 
    setbuf(stdout, nullptr);
    setbuf(stderr, nullptr);
 
    /* Check Command Line */
    process_options(argc, argv);
 
    if (use_global) {
        if (!(machinedomain = GetDomainName())) {
            fprintf(stderr, "%s: FATAL: Can't read machine domain\n", program_name);
            exit(EXIT_FAILURE);
        }
        strlwr(machinedomain);
        if (!DefaultDomain)
            DefaultDomain = xstrdup(machinedomain);
    }
    debug("%s " VERSION " " SQUID_BUILD_INFO " starting up...\n", argv[0]);
    if (use_global)
        debug("Domain Global group mode enabled using '%s' as default domain.\n", DefaultDomain);
    if (use_case_insensitive_compare)
        debug("Warning: running in case insensitive mode !!!\n");
 
    atexit(CloseCOM);
 
    /* Main Loop */
    while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) {
        if (!strchr(buf, '\n')) {
            /* too large message received.. skip and deny */
            fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], buf);
            while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) {
                fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], buf);
                if (strchr(buf, '\n'))
                    break;
            }
            SEND_BH(HLP_MSG("Invalid Request. Too Long."));
            continue;
        }
        if ((p = strchr(buf, '\n')))
            *p = '\0';      /* strip \n */
        if ((p = strchr(buf, '\r')))
            *p = '\0';      /* strip \r */
 
        debug("Got '%s' from Squid (length: %zu).\n", buf, strlen(buf));
 
        if (buf[0] == '\0') {
            SEND_BH(HLP_MSG("Invalid Request. No Input."));
            continue;
        }
        username = strtok(buf, " ");
        for (n = 0; (group = strtok(nullptr, " ")); ++n) {
            rfc1738_unescape(group);
            groups[n] = group;
        }
        groups[n] = nullptr;
        numberofgroups = n;
 
        if (!username) {
            SEND_BH(HLP_MSG("Invalid Request. No Username."));
            continue;
        }
        rfc1738_unescape(username);
 
        if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) {
            SEND_OK("");
        } else {
            SEND_ERR("");
        }
    }
    return EXIT_SUCCESS;
}