auth_basic.c

一个功能非常全面的代理服务器源代码程序,

    storeAppendPrintf(entry, "%s %s children %d\n", name, "basic", config->authenticateChildren);
    storeAppendPrintf(entry, "%s %s concurrency %d\n", name, "basic", config->authenticateConcurrency);
    storeAppendPrintf(entry, "%s %s credentialsttl %d seconds\n", name, "basic", (int) config->credentialsTTL);
    storeAppendPrintf(entry, "%s %s casesensitive %s\n", name, "basic", config->casesensitive ? "on" : "off");
    storeAppendPrintf(entry, "%s %s blankpassword %s\n", name, "basic", config->blankpassword ? "on" : "off");
}

static void
authBasicParse(authScheme * scheme, int n_configured, char *param_str)
{
    if (scheme->scheme_data == NULL) {
	assert(basicConfig == NULL);
	/* this is the first param to be found */
	scheme->scheme_data = xmalloc(sizeof(auth_basic_config));
	memset(scheme->scheme_data, 0, sizeof(auth_basic_config));
	basicConfig = scheme->scheme_data;
	basicConfig->basicAuthRealm = xstrdup("Squid proxy-caching web server");
	basicConfig->authenticateChildren = 5;
	basicConfig->credentialsTTL = 2 * 60 * 60;	/* two hours */
    }
    basicConfig = scheme->scheme_data;
    if (strcasecmp(param_str, "program") == 0) {
	if (basicConfig->authenticate)
	    wordlistDestroy(&basicConfig->authenticate);
	parse_wordlist(&basicConfig->authenticate);
    } else if (strcasecmp(param_str, "children") == 0) {
	parse_int(&basicConfig->authenticateChildren);
    } else if (strcasecmp(param_str, "concurrency") == 0) {
	parse_int(&basicConfig->authenticateConcurrency);
    } else if (strcasecmp(param_str, "realm") == 0) {
	parse_eol(&basicConfig->basicAuthRealm);
    } else if (strcasecmp(param_str, "credentialsttl") == 0) {
	parse_time_t(&basicConfig->credentialsTTL);
    } else if (strcasecmp(param_str, "casesensitive") == 0) {
	parse_onoff(&basicConfig->casesensitive);
    } else if (strcasecmp(param_str, "blankpassword") == 0) {
	parse_onoff(&basicConfig->blankpassword);
    } else {
	debug(29, 0) ("unrecognised basic auth scheme parameter '%s'\n", param_str);
    }
}

static void
authBasicCheckConfig(authScheme * scheme)
{
    auth_basic_config *config = scheme->scheme_data;
    requirePathnameExists("auth_param basic program", config->authenticate->key);
}

static void
authenticateBasicStats(StoreEntry * sentry)
{
    storeAppendPrintf(sentry, "Basic Authenticator Statistics:\n");
    helperStats(sentry, basicauthenticators);
}

CBDATA_TYPE(authenticateStateData);

/* authenticateBasicUsername: return a pointer to the username in the */
char *
authenticateBasicUsername(auth_user_t * auth_user)
{
    basic_data *basic_auth = auth_user->scheme_data;
    if (basic_auth)
	return basic_auth->username;
    return NULL;
}

static basic_data *
authBasicDataNew(void)
{
    basic_data *temp;
    temp = memPoolAlloc(basic_data_pool);
    assert(temp != NULL);
    temp->username = NULL;
    temp->passwd = NULL;
    temp->auth_queue = NULL;
    return temp;
}

#if UNUSED_CODE
static void
authBasicDataFree(basic_data * basic_auth)
{
}

#endif

static auth_user_t *
authBasicAuthUserFindUsername(const char *username)
{
    auth_user_hash_pointer *usernamehash;
    debug(29, 9) ("authBasicAuthUserFindUsername: Looking for user '%s'\n", username);
    if (username && (usernamehash = hash_lookup(proxy_auth_username_cache, username))) {
	while (usernamehash) {
	    if ((usernamehash->auth_user->auth_type == AUTH_BASIC) &&
		!strcmp(username, usernamehash->key))
		return usernamehash->auth_user;
	    usernamehash = usernamehash->next;
	}
    }
    return NULL;
}



/*
 * Decode a Basic [Proxy-]Auth string, linking the passed auth_user_request structure 
 * to any existing user structure or creating one if needed. Note that just returning
 * will be treated as "cannot decode credentials". Use the message field to return a 
 * descriptive message to the user.
 */

static void
authenticateBasicDecodeAuth(auth_user_request_t * auth_user_request, const char *proxy_auth)
{
    char *sent_auth;
    char *cleartext;
    basic_data *basic_auth, local_basic;
    auth_user_t *auth_user;
    dlink_node *node;

    /* decode the username */
    /* trim BASIC from string */
    while (xisgraph(*proxy_auth))
	proxy_auth++;

    local_basic.passwd = NULL;

    /* Trim leading whitespace before decoding */
    while (xisspace(*proxy_auth))
	proxy_auth++;
    /* username and password */
    sent_auth = xstrdup(proxy_auth);
    /* Trim trailing \n before decoding */
    strtok(sent_auth, "\n");
    cleartext = uudecode(sent_auth);
    xfree(sent_auth);
    /*
     * Don't allow NL or CR in the credentials.
     * Oezguer Kesim <oec@codeblau.de>
     */
    debug(29, 9) ("authenticateBasicDecodeAuth: cleartext = '%s'\n", cleartext);
    if (strcspn(cleartext, "\r\n") != strlen(cleartext)) {
	debug(29, 1) ("authenticateBasicDecodeAuth: bad characters in authorization header '%s'\n",
	    proxy_auth);
	xfree(cleartext);
	return;
    }
    local_basic.username = cleartext;
    if ((cleartext = strchr(local_basic.username, ':')) != NULL)
	*(cleartext)++ = '\0';
    local_basic.passwd = cleartext;
    if (cleartext == NULL) {
	debug(29, 4) ("authenticateBasicDecodeAuth: no password in proxy authorization header '%s'\n",
	    proxy_auth);
	local_basic.passwd = NULL;
	auth_user_request->message = xstrdup("no password was present in the HTTP [proxy-]authorization header. This is most likely a browser bug");
    } else if (*cleartext == '\0' && !basicConfig->blankpassword) {
	debug(29, 4) ("authenticateBasicDecodeAuth: Disallowing empty password,"
	    "user is '%s'\n", local_basic.username);
	local_basic.passwd = NULL;
	auth_user_request->message = xstrdup("Request denied because you provided an empty password. Users MUST have a password.");
    }
    /* special case: we have to free the strings for user and password
     * if we are not returning a filled out structure 
     */
    if (local_basic.passwd == NULL) {
	if (local_basic.username) {
	    /* log the username */
	    debug(29, 9) ("authBasicDecodeAuth: Creating new user for logging '%s'\n", local_basic.username);
	    /* new auth_user */
	    auth_user = authenticateAuthUserNew("basic");
	    /* new scheme data */
	    basic_auth = authBasicDataNew();
	    /* save the credentials */
	    basic_auth->username = local_basic.username;
	    /* link the scheme data in */
	    auth_user->scheme_data = basic_auth;
	    /* set the auth_user type */
	    auth_user->auth_type = AUTH_BROKEN;
	    /* link the request to the user */
	    auth_user_request->auth_user = auth_user;
	    /* lock for the auth_user_request link */
	    authenticateAuthUserLock(auth_user);
	    node = dlinkNodeNew();
	    dlinkAdd(auth_user_request, node, &auth_user->requests);
	}
	return;
    } else {
	local_basic.passwd = xstrndup(cleartext, USER_IDENT_SZ);
    }

    if (!basicConfig->casesensitive)
	Tolower(local_basic.username);
    /* now lookup and see if we have a matching auth_user structure in memory. */

    if ((auth_user = authBasicAuthUserFindUsername(local_basic.username)) == NULL) {
	/* the user doesn't exist in the username cache yet */
	debug(29, 9) ("authBasicDecodeAuth: Creating new user '%s'\n", local_basic.username);
	/* new auth_user */
	auth_user = authenticateAuthUserNew("basic");
	/* new scheme data */
	basic_auth = authBasicDataNew();
	/* save the credentials */
	basic_auth->username = local_basic.username;
	basic_auth->passwd = local_basic.passwd;
	/* link the scheme data in */
	auth_user->scheme_data = basic_auth;
	/* set the auth_user type */
	auth_user->auth_type = AUTH_BASIC;
	/* current time for timeouts */
	auth_user->expiretime = current_time.tv_sec;

	/* this auth_user struct is the 'lucky one' to get added to the username cache */
	/* the requests after this link to the auth_user */
	/* store user in hash */
	authenticateUserNameCacheAdd(auth_user);
    } else {
	debug(29, 9) ("authBasicDecodeAuth: Found user '%s' in the user cache as '%p'\n", local_basic.username, auth_user);
	xfree(local_basic.username);
	basic_auth = auth_user->scheme_data;
	if (strcmp(local_basic.passwd, basic_auth->passwd)) {
	    debug(29, 4) ("authBasicDecodeAuth: new password found. Updating in user master record and resetting auth state to unchecked\n");
	    basic_auth->flags.credentials_ok = 0;
	    xfree(basic_auth->passwd);
	    basic_auth->passwd = local_basic.passwd;
	} else
	    xfree(local_basic.passwd);
	if (basic_auth->flags.credentials_ok == 3) {
	    debug(29, 4) ("authBasicDecodeAuth: last attempt to authenticate this user failed, resetting auth state to unchecked\n");
	    basic_auth->flags.credentials_ok = 0;
	}
    }
    /* link the request to the user */
    auth_user_request->auth_user = auth_user;
    /* lock for the auth_user_request link */
    authenticateAuthUserLock(auth_user);
    node = dlinkNodeNew();
    dlinkAdd(auth_user_request, node, &auth_user->requests);
    return;
}

/* Initialize helpers and the like for this auth scheme. Called AFTER parsing the
 * config file */
static void
authBasicInit(authScheme * scheme)
{
    static int init = 0;
    if (basicConfig->authenticate) {
	if (!basic_data_pool)
	    basic_data_pool = memPoolCreate("Basic Scheme User Data", sizeof(basic_data));
	authbasic_initialised = 1;
	if (basicauthenticators == NULL)
	    basicauthenticators = helperCreate("basicauthenticator");
	basicauthenticators->cmdline = basicConfig->authenticate;
	basicauthenticators->n_to_start = basicConfig->authenticateChildren;
	basicauthenticators->concurrency = basicConfig->authenticateConcurrency;
	basicauthenticators->ipc_type = IPC_STREAM;
	helperOpenServers(basicauthenticators);
	if (!init) {
	    cachemgrRegister("basicauthenticator",
		"Basic User Authenticator Stats",
		authenticateBasicStats, 0, 1);
	    init++;
	}
	CBDATA_INIT_TYPE(authenticateStateData);
    }
}

/* send the initial data to a basic authenticator module */
static void
authenticateBasicStart(auth_user_request_t * auth_user_request, RH * handler, void *data)
{
    authenticateStateData *r = NULL;
    char buf[8192];
    char user[1024], pass[1024];
    basic_data *basic_auth;
    assert(auth_user_request);
    assert(handler);
    assert(auth_user_request->auth_user->auth_type == AUTH_BASIC);
    assert(auth_user_request->auth_user->scheme_data != NULL);
    basic_auth = auth_user_request->auth_user->scheme_data;
    debug(29, 9) ("authenticateStart: '%s:%s'\n", basic_auth->username,
	basic_auth->passwd);
    if (basicConfig->authenticate == NULL) {
	handler(data, NULL);
	return;
    }
    /* check to see if the auth_user already has a request outstanding */
    if (basic_auth->flags.credentials_ok == 2) {
	/* there is a request with the same credentials already being verified */
	auth_basic_queue_node *node;
	node = xmalloc(sizeof(auth_basic_queue_node));
	assert(node);
	/* save the details */
	node->next = basic_auth->auth_queue;
	basic_auth->auth_queue = node;
	node->handler = handler;
	node->data = data;
	cbdataLock(data);
	return;
    } else {
	r = cbdataAlloc(authenticateStateData);
	r->handler = handler;
	cbdataLock(data);
	r->data = data;
	r->auth_user_request = auth_user_request;
	authenticateAuthUserRequestLock(r->auth_user_request);
	/* mark the user as haveing verification in progress */
	basic_auth->flags.credentials_ok = 2;
	xstrncpy(user, rfc1738_escape(basic_auth->username), sizeof(user));
	xstrncpy(pass, rfc1738_escape(basic_auth->passwd), sizeof(pass));
	snprintf(buf, sizeof(buf), "%s %s\n", user, pass);
	helperSubmit(basicauthenticators, buf, authenticateBasicHandleReply, r);
    }
}