mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2025-01-30 14:22:33 +08:00
Code Issues Packages Projects Releases Wiki Activity

NTLM single-sign on adjustments (VIII)

Browse Source 
Use preprocessor symbols WINBIND_NTLM_AUTH_ENABLED and WINBIND_NTLM_AUTH_FILE
for Samba's winbind daemon ntlm_auth helper code implementation and filename.

Retain preprocessor symbol USE_NTLM_SSO for NTLM single-sign-on feature
availability implementation independent.

For test harness, prefix NTLM_AUTH environment vars with CURL_

Refactor and rename configure option --with-ntlm-auth to --enable-wb-ntlm-auth[=FILE]
This commit is contained in:
Yang Tse 2011-07-31 20:44:41 +02:00
parent cc3e01cfae
commit 10a0bed485
10 changed files with 107 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
configure.ac
View File

@ -2687,34 +2687,6 @@ then
USE_MANUAL="no";
fi
dnl **********************************************************
dnl path of NTLM single-sign-on helper ntlm_auth
dnl
AC_ARG_WITH(ntlm-auth,
AC_HELP_STRING([--with-ntlm-auth=PATH],
[Where to look for ntlm_auth, path points to ntlm_auth installation (default: /usr/bin/ntlm_auth);])
AC_HELP_STRING([--without-ntlm-auth],
[disable ntlm single-sign-on by using ntlm_auth]),
ntlm_auth="$withval",
[if test "$ac_cv_native_windows" = "yes"; then ntlm_auth="no"; else ntlm_auth="/usr/bin/ntlm_auth"; fi])
AC_MSG_CHECKING([if using ntlm_auth is requested])
if test "$ntlm_auth" != "no"; then
AC_DEFINE(USE_NTLM_AUTH, 1, [Whether or not use Samba's 'winbind' daemon helper 'ntlm_auth' for NTLM single-sign-on])
AC_SUBST(USE_NTLM_AUTH, [1])
if test "$ntlm_auth" = "yes"; then
dnl --with-ntlm-auth (without path) used, use default path
ntlm_auth="/usr/bin/ntlm_auth"
fi
AC_MSG_RESULT($ntlm_auth)
else
AC_MSG_RESULT(no)
fi
AC_SUBST(ntlm_auth)
AC_DEFINE_UNQUOTED(NTLM_AUTH, "$ntlm_auth", [Samba's 'winbind' daemon helper 'ntlm_auth' which can be used for NTLM single-sign-on])
dnl *************************************************************************
dnl If the manual variable still is set, then we go with providing a built-in
dnl manual
@ -2823,6 +2795,10 @@ AC_HELP_STRING([--disable-crypto-auth],[Disable cryptographic authentication]),
AC_MSG_RESULT(yes)
)
CURL_CHECK_OPTION_WINBIND_NTLM_AUTH
CURL_CHECK_WINBIND_NTLM_AUTH
dnl ************************************************************
dnl disable TLS-SRP authentication
dnl
@ -2998,7 +2974,7 @@ if test "x$CURL_DISABLE_HTTP" != "x1"; then
if test "x$USE_SSLEAY" = "x1" -o "x$USE_WINDOWS_SSPI" = "x1" \
-o "x$GNUTLS_ENABLED" = "x1" -o "x$NSS_ENABLED" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM"
if test "x$USE_NTLM_AUTH" = "x1"; then
if test "x$WINBIND_NTLM_AUTH_ENABLED" = "x1"; then
SUPPORT_FEATURES="$SUPPORT_FEATURES NTLM_SSO"
fi
fi

6
lib/http.c
View File

@ -542,9 +542,13 @@ output_auth_headers(struct connectdata *conn,
#ifdef USE_NTLM_SSO
if(authstatus->picked == CURLAUTH_NTLM_SSO) {
auth="NTLM_SSO";
#ifdef WINBIND_NTLM_AUTH_ENABLED
result = Curl_output_ntlm_sso(conn, proxy);
if(result)
return result;
#else
return CURLE_REMOTE_ACCESS_DENIED;
#endif
}
else
#endif
@ -767,7 +771,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn,
Curl_input_ntlm(conn, (bool)(httpcode == 407), start);
if(CURLNTLM_BAD != ntlm) {
data->state.authproblem = FALSE;
#ifdef USE_NTLM_SSO
#ifdef WINBIND_NTLM_AUTH_ENABLED
if(authp->picked == CURLAUTH_NTLM_SSO) {
*availp &= ~CURLAUTH_NTLM;
authp->avail &= ~CURLAUTH_NTLM;

34
lib/http_ntlm.c
View File

@ -33,14 +33,16 @@
#define DEBUG_ME 0
#ifdef HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
#ifdef USE_NTLM_SSO
#include <unistd.h>
#include <sys/types.h>
#ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
#ifdef HAVE_SIGNAL_H
#include <signal.h>
#endif
@ -677,7 +679,7 @@ static void unicodecpy(unsigned char *dest,
}
#endif
#ifdef USE_NTLM_SSO
#ifdef WINBIND_NTLM_AUTH_ENABLED
static void sso_ntlm_close(struct connectdata *conn)
{
if(conn->ntlm_auth_hlpr_socket != CURL_SOCKET_BAD) {
@ -742,17 +744,17 @@ static CURLcode sso_ntlm_initiate(struct connectdata *conn,
username = username + (slash - domain) + 1;
}
/* When DEBUGBUILD is defined and environment variable NTLM_AUTH is set
* (in test case 2005), use a fake_ntlm to do NTLM challenge/response,
* which only accept commands and output strings pre-written/saved in
* test case 2005 */
/* For testing purposes, when DEBUGBUILD is defined and environment
variable CURL_NTLM_AUTH is set a fake_ntlm is used to perform
NTLM challenge/response which only accepts commands and output
strings pre-written in test case definitions */
#ifdef DEBUGBUILD
ntlm_auth_alloc = curl_getenv("NTLM_AUTH");
ntlm_auth_alloc = curl_getenv("CURL_NTLM_AUTH");
if(ntlm_auth_alloc)
ntlm_auth = ntlm_auth_alloc;
else
#endif
ntlm_auth = NTLM_AUTH;
ntlm_auth = WINBIND_NTLM_AUTH_FILE;
if(access(ntlm_auth, X_OK) != 0) {
error = ERRNO;
@ -940,9 +942,9 @@ CURLcode Curl_output_ntlm_sso(struct connectdata *conn,
* http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
* http://www.samba.org/samba/docs/man/manpages-3/winbindd.8.html
* http://www.samba.org/samba/docs/man/manpages-3/ntlm_auth.1.html
* The preprocessor variable 'USE_NTLM_AUTH' indicates whether
* this feature is enabled. Another one 'NTLM_AUTH' contains absolute
* path of it.
* Preprocessor symbol 'WINBIND_NTLM_AUTH_ENABLED' is defined when
* this feature is enabled and 'WINBIND_NTLM_AUTH_FILE' symbol holds
* absolute filename of ntlm_auth helper.
* If NTLM single-sign-on fails, go back to original request
* handling process.
*/
@ -996,7 +998,7 @@ CURLcode Curl_output_ntlm_sso(struct connectdata *conn,
return CURLE_OK;
}
#endif /* USE_NTLM_SSO */
#endif /* WINBIND_NTLM_AUTH_ENABLED */
/* this is for creating ntlm header output */
CURLcode Curl_output_ntlm(struct connectdata *conn,
@ -1644,7 +1646,7 @@ Curl_ntlm_cleanup(struct connectdata *conn)
ntlm_sspi_cleanup(&conn->ntlm);
ntlm_sspi_cleanup(&conn->proxyntlm);
#else
#ifdef USE_NTLM_SSO
#ifdef WINBIND_NTLM_AUTH_ENABLED
sso_ntlm_close(conn);
#endif
(void)conn;

11
lib/http_ntlm.h
View File

@ -1,5 +1,5 @@
#ifndef __HTTP_NTLM_H
#define __HTTP_NTLM_H
#ifndef HEADER_CURL_HTTP_NTLM_H
#define HEADER_CURL_HTTP_NTLM_H
/***************************************************************************
* _ _ ____ _
* Project ___| | | | _ \| |
@ -38,9 +38,9 @@ CURLntlm Curl_input_ntlm(struct connectdata *conn, bool proxy,
/* this is for creating ntlm header output */
CURLcode Curl_output_ntlm(struct connectdata *conn, bool proxy);
#ifdef USE_NTLM_SSO
#ifdef WINBIND_NTLM_AUTH_ENABLED
/* this is for creating ntlm header output by delegating challenge/response
* to a Samba's daemon helper ntlm_auth */
to Samba's winbind daemon helper ntlm_auth */
CURLcode Curl_output_ntlm_sso(struct connectdata *conn, bool proxy);
#endif
@ -152,4 +152,5 @@ void Curl_ntlm_cleanup(struct connectdata *conn);
#define NTLMFLAG_NEGOTIATE_56 (1<<31)
/* Indicates that 56-bit encryption is supported. */
#endif
#endif /* HEADER_CURL_HTTP_NTLM_H */

2
lib/setup.h
View File

@ -566,7 +566,7 @@ int netware_init(void);
#if defined(USE_SSLEAY) || defined(USE_WINDOWS_SSPI) || \
defined(USE_GNUTLS) || defined(USE_NSS)
#define USE_NTLM
#if defined(USE_NTLM_AUTH)
#if defined(WINBIND_NTLM_AUTH_ENABLED)
/* Support NTLM single-sign-on by using Samba's winbind daemon helper
'ntlm_auth' */
#define USE_NTLM_SSO

2
lib/url.c
View File

@ -3515,7 +3515,7 @@ static struct connectdata *allocate_conn(struct SessionHandle *data)
conn->ip_version = data->set.ipver;
#ifdef USE_NTLM_SSO
#ifdef WINBIND_NTLM_AUTH_ENABLED
conn->ntlm_auth_hlpr_socket = CURL_SOCKET_BAD;
conn->ntlm_auth_hlpr_pid = 0;
conn->challenge_header = NULL;

5
lib/urldata.h
View File

@ -905,9 +905,8 @@ struct connectdata {
single requests! */
struct ntlmdata proxyntlm; /* NTLM data for proxy */
#ifdef USE_NTLM_SSO
/* data used for communication with Samba's winbind daemon helper
ntlm_auth */
#ifdef WINBIND_NTLM_AUTH_ENABLED
/* used for communication with Samba's winbind daemon helper ntlm_auth */
curl_socket_t ntlm_auth_hlpr_socket;
pid_t ntlm_auth_hlpr_pid;
char* challenge_header;

64
m4/curl-confopts.m4
View File

@ -5,7 +5,7 @@
# | (__| |_| | _ <| |___
# \___|\___/|_| \_\_____|
#
# Copyright (C) 1998 - 2010, Daniel Stenberg, <daniel@haxx.se>, et al.
# Copyright (C) 1998 - 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
#
# This software is licensed as described in the file COPYING, which
# you should have received as part of this distribution. The terms
@ -21,7 +21,7 @@
#***************************************************************************
# File version for 'aclocal' use. Keep it a single number.
# serial 14
# serial 15
dnl CURL_CHECK_OPTION_THREADED_RESOLVER
dnl -------------------------------------------------
@ -496,3 +496,63 @@ AC_DEFUN([CURL_CHECK_LIB_ARES], [
fi
])
dnl CURL_CHECK_OPTION_WINBIND_NTLM_AUTH
dnl -------------------------------------------------
dnl Verify if configure has been invoked with option
dnl --enable-ntlm-auth or --disable-ntlm-auth, and
dnl set shell variable want_wb_ntlm_auth and
dnl want_wb_ntlm_auth_file as appropriate.
AC_DEFUN([CURL_CHECK_OPTION_WINBIND_NTLM_AUTH], [
AC_BEFORE([$0],[CURL_CHECK_WINBIND_NTLM_AUTH])dnl
OPT_WINBIND_NTLM_AUTH="default"
AC_ARG_ENABLE(wb-ntlm-auth,
AC_HELP_STRING([--enable-wb-ntlm-auth@<:@=FILE@:>@],[Enable winbind's ntlm_auth helper for NTLM SSO, where FILE is ntlm_auth's absolute filename (default: /usr/bin/ntlm_auth)])
AC_HELP_STRING([--disable-wb-ntlm-auth],[Disable winbind's ntlm_auth helper for NTLM SSO]),
OPT_WINBIND_NTLM_AUTH=$enableval)
want_wb_ntlm_auth_file="/usr/bin/ntlm_auth"
case "$OPT_WINBIND_NTLM_AUTH" in
no)
dnl --disable-wb-ntlm-auth option used
want_wb_ntlm_auth="no"
;;
default)
dnl configure option not specified
want_wb_ntlm_auth="yes"
;;
*)
dnl --enable-wb-ntlm-auth option used
want_wb_ntlm_auth="yes"
if test -n "$enableval" && test "$enableval" != "yes"; then
want_wb_ntlm_auth_file="$enableval"
fi
;;
esac
])
dnl CURL_CHECK_WINBIND_NTLM_AUTH
dnl -------------------------------------------------
dnl Check if winbind's ntlm_auth helper support will
dnl finally be enabled depending on configure option
dnl given and target platform.
AC_DEFUN([CURL_CHECK_WINBIND_NTLM_AUTH], [
AC_REQUIRE([CURL_CHECK_OPTION_WINBIND_NTLM_AUTH])dnl
AC_REQUIRE([CURL_CHECK_NATIVE_WINDOWS])dnl
AC_MSG_CHECKING([whether to enable winbind's ntlm_auth support for NTLM SSO])
if test "$ac_cv_native_windows" = "yes"; then
want_wb_ntlm_auth_file=""
want_wb_ntlm_auth="no"
fi
AC_MSG_RESULT([$want_wb_ntlm_auth])
if test "$want_wb_ntlm_auth" = "yes"; then
AC_DEFINE(WINBIND_NTLM_AUTH_ENABLED, 1,
[Define to enable winbind's ntlm_auth support for NTLM SSO.])
AC_DEFINE_UNQUOTED(WINBIND_NTLM_AUTH_FILE, "$want_wb_ntlm_auth_file",
[Define absolute filename for winbind's ntlm_auth helper.])
WINBIND_NTLM_AUTH_ENABLED=1
fi
])

6
tests/data/test1310
View File

@ -70,11 +70,11 @@ CURL_GETHOSTNAME=curlhost
# we try to use the LD_PRELOAD hack, if not a debug build
LD_PRELOAD=%PWD/libtest/.libs/libhostname.so
# set path to fake_auth instead of real ntlm_auth to generate NTLM type1 and type 3 messages
NTLM_AUTH=%PWD/server/fake_ntlm
CURL_NTLM_AUTH=%PWD/server/fake_ntlm
# set source directory so fake_ntlm can find the test files
NTLM_AUTH_SRCDIR=%SRCDIR
CURL_NTLM_AUTH_SRCDIR=%SRCDIR
# set the test number
NTLM_AUTH_TESTNUM=1310
CURL_NTLM_AUTH_TESTNUM=1310
</setenv>
<command>
http://%HOSTIP:%HTTPPORT/1310 -u testuser:anypasswd --ntlm-sso

8
tests/server/fake_ntlm.c
View File

@ -168,21 +168,21 @@ int main(int argc, char *argv[])
helper_user, helper_proto, helper_domain,
(use_cached_creds == TRUE) ? "yes" : "no");
env = getenv("NTLM_AUTH_TESTNUM");
env = getenv("CURL_NTLM_AUTH_TESTNUM");
if (env) {
char *endptr;
long lnum = strtol(env, &endptr, 10);
if((endptr != env + strlen(env)) || (lnum < 1L)) {
logmsg("Test number not valid in NTLM_AUTH_TESTNUM");
logmsg("Test number not valid in CURL_NTLM_AUTH_TESTNUM");
exit(1);
}
testnum = lnum;
} else {
logmsg("Test number not specified in NTLM_AUTH_TESTNUM");
logmsg("Test number not specified in CURL_NTLM_AUTH_TESTNUM");
exit(1);
}
env = getenv("NTLM_AUTH_SRCDIR");
env = getenv("CURL_NTLM_AUTH_SRCDIR");
if (env) {
path = env;
}