PageRenderTime 45ms CodeModel.GetById 24ms RepoModel.GetById 0ms app.codeStats 1ms

/mordor/http/auth.cpp

http://github.com/mozy/mordor
C++ | 264 lines | 235 code | 14 blank | 15 comment | 71 complexity | 5f2900afa550cec90f30b9dec0fdec37 MD5 | raw file
Possible License(s): BSD-3-Clause 
    

  1. // Copyright (c) 2009 - Mozy, Inc.
    2. 

  2. 

  3. #include "auth.h"
    4. 

  4. 

  5. #include "basic.h"
    6. 

  6. #include "client.h"
    7. 

  7. #include "digest.h"
    8. 

  8. #include "mordor/socket.h"
    9. 

  9. 

  10. #ifdef WINDOWS
    11. 

  11. #include "negotiate.h"
    12. 

  12. #elif defined (OSX)
    13. 

  13. #include "mordor/util.h"
    14. 

  14. 

  15. #include <Security/SecItem.h>
    16. 

  16. #include <Security/SecKeychain.h>
    17. 

  17. #include <Security/SecKeychainItem.h>
    18. 

  18. #include <Security/SecKeychainSearch.h>
    19. 

  19. #endif
    20. 

  20. 

  21. namespace Mordor {
    22. 

  22. namespace HTTP {
    23. 

  23. 

  24. static void authorize(const ChallengeList *challenge, AuthParams &authorization,
    25. 

  25.     const URI &uri, const std::string &method, const std::string &scheme,
    26. 

  26.     const std::string &realm, const std::string &username,
    27. 

  27.     const std::string &password)
    28. 

  28. {
    29. 

  29.     if (stricmp(scheme.c_str(), "Basic") == 0) {
    30. 

  30.         BasicAuth::authorize(authorization, username, password);
    31. 

  31.     } else if (stricmp(scheme.c_str(), "Digest") == 0) {
    32. 

  32.         MORDOR_ASSERT(challenge);
    33. 

  33.         DigestAuth::authorize(
    34. 

  34.             challengeForSchemeAndRealm(*challenge, "Digest", realm),
    35. 

  35.             authorization, uri, method, username, password);
    36. 

  36.     }
    37. 

  37. }
    38. 

  38. 

  39. ClientRequest::ptr
    40. 

  40. AuthRequestBroker::request(Request &requestHeaders, bool forceNewConnection,
    41. 

  41.     boost::function<void (ClientRequest::ptr)> bodyDg)
    42. 

  42. {
    43. 

  43.     ClientRequest::ptr priorRequest;
    44. 

  44.     std::string scheme, realm, username, password;
    45. 

  45.     size_t attempts = 0, proxyAttempts = 0;
    46. 

  46. #ifdef WINDOWS
    47. 

  47.     boost::scoped_ptr<NegotiateAuth> negotiateAuth, negotiateProxyAuth;
    48. 

  48. #endif
    49. 

  49.     while (true) {
    50. 

  50. #ifdef WINDOWS
    51. 

  51.         // Reset Negotiate auth sequence if the server didn't continue the
    52. 

  52.         // handshake
    53. 

  53.         if (negotiateProxyAuth) {
    54. 

  54.             const ChallengeList &challenge =
    55. 

  55.                 priorRequest->response().response.proxyAuthenticate;
    56. 

  56.             if (!isAcceptable(challenge, scheme) ||
    57. 

  57.                 !negotiateProxyAuth->authorize(
    58. 

  58.                     challengeForSchemeAndRealm(challenge, scheme),
    59. 

  59.                     requestHeaders.request.proxyAuthorization,
    60. 

  60.                     requestHeaders.requestLine.uri))
    61. 

  61.                 negotiateProxyAuth.reset();
    62. 

  62.         }
    63. 

  63.         if (negotiateAuth) {
    64. 

  64.             const ChallengeList &challenge =
    65. 

  65.                 priorRequest->response().response.wwwAuthenticate;
    66. 

  66.             if (!isAcceptable(challenge, scheme) ||
    67. 

  67.                 !negotiateAuth->authorize(
    68. 

  68.                     challengeForSchemeAndRealm(challenge, scheme),
    69. 

  69.                     requestHeaders.request.authorization,
    70. 

  70.                     requestHeaders.requestLine.uri))
    71. 

  71.                 negotiateAuth.reset();
    72. 

  72.         }
    73. 

  73.         // Negotiate auth is a multi-request transaction; if we're in the
    74. 

  74.         // middle of one, just do the next step, and skip asking for
    75. 

  75.         // credentials again
    76. 

  76.         if (!negotiateAuth && !negotiateProxyAuth) {
    77. 

  77. #endif
    78. 

  78.             // If this is the first try, or the last one failed UNAUTHORIZED,
    79. 

  79.             // ask for credentials, and use them if we got them
    80. 

  80.             if ((!priorRequest ||
    81. 

  81.                 priorRequest->response().status.status == UNAUTHORIZED) &&
    82. 

  82.                 m_getCredentialsDg &&
    83. 

  83.                 m_getCredentialsDg(requestHeaders.requestLine.uri, priorRequest,
    84. 

  84.                 scheme, realm, username, password, attempts++)) {
    85. 

  85. #ifdef WINDOWS
    86. 

  86.                 MORDOR_ASSERT(
    87. 

  87.                     stricmp(scheme.c_str(), "Negotiate") == 0 ||
    88. 

  88.                     stricmp(scheme.c_str(), "NTLM") == 0 ||
    89. 

  89.                     stricmp(scheme.c_str(), "Digest") == 0 ||
    90. 

  90.                     stricmp(scheme.c_str(), "Basic") == 0);
    91. 

  91. #else
    92. 

  92.                     MORDOR_ASSERT(
    93. 

  93.                     stricmp(scheme.c_str(), "Digest") == 0 ||
    94. 

  94.                     stricmp(scheme.c_str(), "Basic") == 0);
    95. 

  95. #endif
    96. 

  96. #ifdef WINDOWS
    97. 

  97.                 if (scheme == "Negotiate" || scheme == "NTLM") {
    98. 

  98.                     negotiateAuth.reset(new NegotiateAuth(username, password));
    99. 

  99.                     negotiateAuth->authorize(
    100. 

  100.                         challengeForSchemeAndRealm(priorRequest->response().response.wwwAuthenticate, scheme),
    101. 

  101.                         requestHeaders.request.authorization,
    102. 

  102.                         requestHeaders.requestLine.uri);
    103. 

  103.                 } else
    104. 

  104. #endif
    105. 

  105.                 authorize(priorRequest ?
    106. 

  106.                     &priorRequest->response().response.wwwAuthenticate : NULL,
    107. 

  107.                     requestHeaders.request.authorization,
    108. 

  108.                     requestHeaders.requestLine.uri,
    109. 

  109.                     requestHeaders.requestLine.method,
    110. 

  110.                     scheme, realm, username, password);
    111. 

  111.             } else if (priorRequest &&
    112. 

  112.                 priorRequest->response().status.status == UNAUTHORIZED) {
    113. 

  113.                 // caller didn't want to retry
    114. 

  114.                 return priorRequest;
    115. 

  115.             }
    116. 

  116.             // If this is the first try, or the last one failed (for a proxy)
    117. 

  117.             // ask for credentials, and use them if we got them
    118. 

  118.             if ((!priorRequest ||
    119. 

  119.                 priorRequest->response().status.status ==
    120. 

  120.                     PROXY_AUTHENTICATION_REQUIRED) &&
    121. 

  121.                 m_getProxyCredentialsDg &&
    122. 

  122.                 m_getProxyCredentialsDg(requestHeaders.requestLine.uri,
    123. 

  123.                 priorRequest, scheme, realm, username, password, proxyAttempts++)) {
    124. 

  124. #ifdef WINDOWS
    125. 

  125.                 MORDOR_ASSERT(
    126. 

  126.                     stricmp(scheme.c_str(), "Negotiate") == 0 ||
    127. 

  127.                     stricmp(scheme.c_str(), "NTLM") == 0 ||
    128. 

  128.                     stricmp(scheme.c_str(), "Digest") == 0 ||
    129. 

  129.                     stricmp(scheme.c_str(), "Basic") == 0);
    130. 

  130. #else
    131. 

  131.                     MORDOR_ASSERT(
    132. 

  132.                     stricmp(scheme.c_str(), "Digest") == 0 ||
    133. 

  133.                     stricmp(scheme.c_str(), "Basic") == 0);
    134. 

  134. #endif
    135. 

  135. #ifdef WINDOWS
    136. 

  136.                 if (scheme == "Negotiate" || scheme == "NTLM") {
    137. 

  137.                     negotiateProxyAuth.reset(new NegotiateAuth(username, password));
    138. 

  138.                     negotiateProxyAuth->authorize(
    139. 

  139.                         challengeForSchemeAndRealm(priorRequest->response().response.proxyAuthenticate, scheme),
    140. 

  140.                         requestHeaders.request.proxyAuthorization,
    141. 

  141.                         requestHeaders.requestLine.uri);
    142. 

  142.                 } else
    143. 

  143. #endif
    144. 

  144.                 authorize(priorRequest ?
    145. 

  145.                     &priorRequest->response().response.proxyAuthenticate : NULL,
    146. 

  146.                     requestHeaders.request.proxyAuthorization,
    147. 

  147.                     requestHeaders.requestLine.uri,
    148. 

  148.                     requestHeaders.requestLine.method,
    149. 

  149.                     scheme, realm, username, password);
    150. 

  150.             } else if (priorRequest &&
    151. 

  151.                 priorRequest->response().status.status ==
    152. 

  152.                     PROXY_AUTHENTICATION_REQUIRED) {
    153. 

  153.                 // Caller didn't want to retry
    154. 

  154.                 return priorRequest;
    155. 

  155.             }
    156. 

  156. #ifdef WINDOWS
    157. 

  157.         }
    158. 

  158. #endif
    159. 

  159.         if (priorRequest) {
    160. 

  160.             priorRequest->finish();
    161. 

  161.         } else {
    162. 

  162.             // We're passed our pre-emptive authentication, regardless of what
    163. 

  163.             // actually happened
    164. 

  164.             attempts = 1;
    165. 

  165.             proxyAttempts = 1;
    166. 

  166.         }
    167. 

  167.         priorRequest = parent()->request(requestHeaders, forceNewConnection,
    168. 

  168.             bodyDg);
    169. 

  169.         const ChallengeList *challengeList = NULL;
    170. 

  170.         if (priorRequest->response().status.status == UNAUTHORIZED)
    171. 

  171.             challengeList = &priorRequest->response().response.wwwAuthenticate;
    172. 

  172.         if (priorRequest->response().status.status == PROXY_AUTHENTICATION_REQUIRED)
    173. 

  173.             challengeList = &priorRequest->response().response.proxyAuthenticate;
    174. 

  174.         if (challengeList &&
    175. 

  175.             (isAcceptable(*challengeList, "Basic") ||
    176. 

  176.             isAcceptable(*challengeList, "Digest")
    177. 

  177. #ifdef WINDOWS
    178. 

  178.             || isAcceptable(*challengeList, "Negotiate") ||
    179. 

  179.             isAcceptable(*challengeList, "NTLM")
    180. 

  180. #endif
    181. 

  181.             ))
    182. 

  182.             continue;
    183. 

  183.         return priorRequest;
    184. 

  184.     }
    185. 

  185. }
    186. 

  186. 

  187. #ifdef OSX
    188. 

  188. bool getCredentialsFromKeychain(const URI &uri, ClientRequest::ptr priorRequest,
    189. 

  189.     std::string &scheme, std::string &realm, std::string &username,
    190. 

  190.     std::string &password, size_t attempts)
    191. 

  191. {
    192. 

  192.     if (attempts != 1)
    193. 

  193.         return false;
    194. 

  194.     bool proxy =
    195. 

  195.        priorRequest->response().status.status == PROXY_AUTHENTICATION_REQUIRED;
    196. 

  196.     const ChallengeList &challengeList = proxy ?
    197. 

  197.         priorRequest->response().response.proxyAuthenticate :
    198. 

  198.         priorRequest->response().response.wwwAuthenticate;
    199. 

  199.     if (isAcceptable(challengeList, "Basic"))
    200. 

  200.         scheme = "Basic";
    201. 

  201.     else if (isAcceptable(challengeList, "Digest"))
    202. 

  202.         scheme = "Digest";
    203. 

  203.     else
    204. 

  204.         return false;
    205. 

  205. 

  206.     ScopedCFRef<CFMutableDictionaryRef> query = CFDictionaryCreateMutable(NULL, 0, NULL, NULL);
    207. 

  207.     const std::string host = uri.authority.host();
    208. 

  208.     CFDictionaryAddValue(query, kSecClass, kSecClassInternetPassword);
    209. 

  209.     ScopedCFRef<CFStringRef> server = CFStringCreateWithCStringNoCopy(NULL, host.c_str(), kCFStringEncodingUTF8, kCFAllocatorNull);
    210. 

  210.     CFDictionaryAddValue(query, kSecAttrServer, server);
    211. 

  211. 

  212. 

  213.     if (uri.authority.portDefined()) {
    214. 

  214.         int port = uri.authority.port();
    215. 

  215.         ScopedCFRef<CFNumberRef> cfPort = CFNumberCreate(NULL, kCFNumberIntType, &port);
    216. 

  216.         CFDictionaryAddValue(query, kSecAttrPort, cfPort);
    217. 

  217.     }
    218. 

  218.     CFTypeRef protocol = NULL;
    219. 

  219.     if (proxy && priorRequest->request().requestLine.method == CONNECT)
    220. 

  220.         protocol = kSecAttrProtocolHTTPSProxy;
    221. 

  221.     else if (proxy)
    222. 

  222.         protocol = kSecAttrProtocolHTTPProxy;
    223. 

  223.     else if (uri.scheme() == "https")
    224. 

  224.         protocol = kSecAttrProtocolHTTPS;
    225. 

  225.     else if (uri.scheme() == "http")
    226. 

  226.         protocol = kSecAttrProtocolHTTP;
    227. 

  227.     else
    228. 

  228.         MORDOR_NOTREACHED();
    229. 

  229.     CFDictionaryAddValue(query, kSecAttrProtocol, protocol);
    230. 

  230.     CFDictionaryAddValue(query, kSecReturnRef, kCFBooleanTrue);
    231. 

  231.     ScopedCFRef<SecKeychainItemRef> item;
    232. 

  232.     OSStatus status = SecItemCopyMatching(query, (CFTypeRef*)&item);
    233. 

  233.     if (status != errSecSuccess)
    234. 

  234.         return false;
    235. 

  235.     // SecItemCopyMatching() just returns one record by default.
    236. 

  236.     MORDOR_ASSERT(CFGetTypeID(item) == SecKeychainItemGetTypeID());
    237. 

  237.     SecKeychainAttributeInfo info;
    238. 

  238.     SecKeychainAttrType tag = kSecAccountItemAttr;
    239. 

  239.     CSSM_DB_ATTRIBUTE_FORMAT format = CSSM_DB_ATTRIBUTE_FORMAT_STRING;
    240. 

  240.     info.count = 1;
    241. 

  241.     info.tag = (UInt32 *)&tag;
    242. 

  242.     info.format = (UInt32 *)&format;
    243. 

  243. 

  244.     SecKeychainAttributeList *attrs = NULL;
    245. 

  245.     UInt32 passwordLength = 0;
    246. 

  246.     void *passwordBytes = NULL;
    247. 

  247. 

  248.     status = SecKeychainItemCopyAttributesAndData(item, &info, NULL, &attrs,
    249. 

  249.         &passwordLength, &passwordBytes);
    250. 

  250.     if (status != errSecSuccess)
    251. 

  251.         return false;
    252. 

  252.     try {
    253. 

  253.         username.assign((const char *)attrs->attr[0].data, attrs->attr[0].length);
    254. 

  254.         password.assign((const char *)passwordBytes, passwordLength);
    255. 

  255.     } catch (...) {
    256. 

  256.         SecKeychainItemFreeAttributesAndData(attrs, passwordBytes);
    257. 

  257.         throw;
    258. 

  258.     }
    259. 

  259.     SecKeychainItemFreeAttributesAndData(attrs, passwordBytes);
    260. 

  260.     return true;
    261. 

  261. }
    262. 

  262. #endif
    263. 

  263. 

  264. }}
    265. 

  265.