Re: [squid-users] Kerberos pac ResourceGroups parsing

2023-11-22 Thread Alex Rousskov

On 2023-11-21 23:05, Andrey K wrote:

I have posted a PR: https://github.com/squid-cache/squid/pull/1597 

This is my first contribution to open source. Could you please verify if 
everything is OK.


Thank you for posting that pull request! Let's continue this 
conversation on GitHub since squid-users mailing list is not meant for 
code reviews.


Alex.



чт, 16 нояб. 2023 г. в 17:01, Alex Rousskov:

On 2023-11-16 07:48, Andrey K wrote:

 > I have slightly patched the negotiate_kerberos_pac.cc to
 > implement ResourceGroupIds-block parsing.

Please consider posting tested changes as a GitHub Pull Request:
https://wiki.squid-cache.org/MergeProcedure#pull-request



Thank you,

Alex.


 > Maybe it will be useful for the community.
 > This patch can be included in future Squid-releases.
 >
 > Kind regards,
 >     Ankor.
 >
 > The patch for the
 > file src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc below:
 >
 > @@ -362,6 +362,123 @@
 >       return ad_groups;
 >   }
 >
 > +
 > +char *
 > +get_resource_group_domain_sid(uint32_t ResourceGroupDomainSid){
 > +
 > +    if (ResourceGroupDomainSid!= 0) {
 > +        uint8_t rev;
 > +        uint64_t idauth;
 > +        char dli[256];
 > +        char *ag;
 > +        int l;
 > +
 > +        align(4);
 > +
 > +        uint32_t nauth = get4byt();
 > +
 > +        size_t length = 1+1+6+nauth*4;
 > +
 > +            ag=(char *)xcalloc((length+1)*sizeof(char),1);
 > +            // the first byte is a length of the SID
 > +            ag[0] = (char) length;
 > +            memcpy((void *)[1],(const void*)[bpos],1);
 > +            memcpy((void *)[2],(const void*)[bpos+1],1);
 > +            ag[2] = ag[2]+1;
 > +            memcpy((void *)[3],(const
void*)[bpos+2],6+nauth*4);
 > +
 > +
 > +
 > +        /* mainly for debug only */
 > +        rev = get1byt();
 > +        bpos = bpos + 1; /*nsub*/
 > +        idauth = get6byt_be();
 > +
 > +        snprintf(dli,sizeof(dli),"S-%d-%lu",rev,(long unsigned
int)idauth);
 > +        for ( l=0; l<(int)nauth; l++ ) {
 > +            uint32_t sauth;
 > +            sauth = get4byt();
 > +            snprintf((char
 > *)[strlen(dli)],sizeof(dli)-strlen(dli),"-%u",sauth);
 > +        }
 > +        debug((char *) "%s| %s: INFO: Got ResourceGroupDomainSid
%s\n",
 > LogTime(), PROGRAM, dli);
 > +        return ag;
 > +    }
 > +
 > +    return NULL;
 > +}
 > +
 > +char *
 > +get_resource_groups(char *ad_groups, char
*resource_group_domain_sid,
 > uint32_t ResourceGroupIds, uint32_t ResourceGroupCount){
 > +    size_t group_domain_sid_len = resource_group_domain_sid[0];
 > +    char *ag;
 > +    size_t length;
 > +
 > +    resource_group_domain_sid++; //now it points to the actual data
 > +
 > +
 > +    if (ResourceGroupIds!= 0) {
 > +        uint32_t ngroup;
 > +        int l;
 > +
 > +        align(4);
 > +        ngroup = get4byt();
 > +        if ( ngroup != ResourceGroupCount) {
 > +            debug((char *) "%s| %s: ERROR: Group encoding error =>
 > ResourceGroupCount: %d Array size: %d\n",
 > +                  LogTime(), PROGRAM, ResourceGroupCount, ngroup);
 > +            return NULL;
 > +        }
 > +        debug((char *) "%s| %s: INFO: Found %d Resource Group
rids\n",
 > LogTime(), PROGRAM, ResourceGroupCount);
 > +
 > +        //make a group template which begins with the
ResourceGroupDomainID
 > +        length = group_domain_sid_len+4;  //+4 for a rid
 > +        ag=(char *)xcalloc(length*sizeof(char),1);
 > +        memcpy((void *)ag,(const void*)resource_group_domain_sid,
 > group_domain_sid_len);
 > +
 > +
 > +        for ( l=0; l<(int)ResourceGroupCount; l++) {
 > +            uint32_t sauth;
 > +            memcpy((void *)[group_domain_sid_len],(const
 > void*)[bpos],4);
 > +
 > +            if (!pstrcat(ad_groups," group=")) {
 > +                debug((char *) "%s| %s: WARN: Too many groups !
size >
 > %d : %s\n",
 > +                      LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE,
ad_groups);
 > +               xfree(ag);
 > +               return NULL;
 > +            }
 > +
 > +
 > +            struct base64_encode_ctx ctx;
 > +            base64_encode_init();
 > +            const uint32_t expectedSz =
base64_encode_len(length) +1 /*
 > terminator */;
 > +            char *b64buf = static_cast(xcalloc(expectedSz, 1));
 > +            size_t blen = base64_encode_update(, b64buf,
length,
 > reinterpret_cast(ag));
 > +            

Re: [squid-users] Kerberos pac ResourceGroups parsing

2023-11-21 Thread Andrey K
Hello, Alex,

I have posted a PR: https://github.com/squid-cache/squid/pull/1597

This is my first contribution to open source. Could you please verify if
everything is OK.

Kind regards,
Ankor.


чт, 16 нояб. 2023 г. в 17:01, Alex Rousskov <
rouss...@measurement-factory.com>:

> On 2023-11-16 07:48, Andrey K wrote:
>
> > I have slightly patched the negotiate_kerberos_pac.cc to
> > implement ResourceGroupIds-block parsing.
>
> Please consider posting tested changes as a GitHub Pull Request:
> https://wiki.squid-cache.org/MergeProcedure#pull-request
>
>
> Thank you,
>
> Alex.
>
>
> > Maybe it will be useful for the community.
> > This patch can be included in future Squid-releases.
> >
> > Kind regards,
> > Ankor.
> >
> > The patch for the
> > file src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc below:
> >
> > @@ -362,6 +362,123 @@
> >   return ad_groups;
> >   }
> >
> > +
> > +char *
> > +get_resource_group_domain_sid(uint32_t ResourceGroupDomainSid){
> > +
> > +if (ResourceGroupDomainSid!= 0) {
> > +uint8_t rev;
> > +uint64_t idauth;
> > +char dli[256];
> > +char *ag;
> > +int l;
> > +
> > +align(4);
> > +
> > +uint32_t nauth = get4byt();
> > +
> > +size_t length = 1+1+6+nauth*4;
> > +
> > +ag=(char *)xcalloc((length+1)*sizeof(char),1);
> > +// the first byte is a length of the SID
> > +ag[0] = (char) length;
> > +memcpy((void *)[1],(const void*)[bpos],1);
> > +memcpy((void *)[2],(const void*)[bpos+1],1);
> > +ag[2] = ag[2]+1;
> > +memcpy((void *)[3],(const void*)[bpos+2],6+nauth*4);
> > +
> > +
> > +
> > +/* mainly for debug only */
> > +rev = get1byt();
> > +bpos = bpos + 1; /*nsub*/
> > +idauth = get6byt_be();
> > +
> > +snprintf(dli,sizeof(dli),"S-%d-%lu",rev,(long unsigned
> int)idauth);
> > +for ( l=0; l<(int)nauth; l++ ) {
> > +uint32_t sauth;
> > +sauth = get4byt();
> > +snprintf((char
> > *)[strlen(dli)],sizeof(dli)-strlen(dli),"-%u",sauth);
> > +}
> > +debug((char *) "%s| %s: INFO: Got ResourceGroupDomainSid %s\n",
> > LogTime(), PROGRAM, dli);
> > +return ag;
> > +}
> > +
> > +return NULL;
> > +}
> > +
> > +char *
> > +get_resource_groups(char *ad_groups, char *resource_group_domain_sid,
> > uint32_t ResourceGroupIds, uint32_t ResourceGroupCount){
> > +size_t group_domain_sid_len = resource_group_domain_sid[0];
> > +char *ag;
> > +size_t length;
> > +
> > +resource_group_domain_sid++; //now it points to the actual data
> > +
> > +
> > +if (ResourceGroupIds!= 0) {
> > +uint32_t ngroup;
> > +int l;
> > +
> > +align(4);
> > +ngroup = get4byt();
> > +if ( ngroup != ResourceGroupCount) {
> > +debug((char *) "%s| %s: ERROR: Group encoding error =>
> > ResourceGroupCount: %d Array size: %d\n",
> > +  LogTime(), PROGRAM, ResourceGroupCount, ngroup);
> > +return NULL;
> > +}
> > +debug((char *) "%s| %s: INFO: Found %d Resource Group rids\n",
> > LogTime(), PROGRAM, ResourceGroupCount);
> > +
> > +//make a group template which begins with the
> ResourceGroupDomainID
> > +length = group_domain_sid_len+4;  //+4 for a rid
> > +ag=(char *)xcalloc(length*sizeof(char),1);
> > +memcpy((void *)ag,(const void*)resource_group_domain_sid,
> > group_domain_sid_len);
> > +
> > +
> > +for ( l=0; l<(int)ResourceGroupCount; l++) {
> > +uint32_t sauth;
> > +memcpy((void *)[group_domain_sid_len],(const
> > void*)[bpos],4);
> > +
> > +if (!pstrcat(ad_groups," group=")) {
> > +debug((char *) "%s| %s: WARN: Too many groups ! size >
> > %d : %s\n",
> > +  LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE,
> ad_groups);
> > +   xfree(ag);
> > +   return NULL;
> > +}
> > +
> > +
> > +struct base64_encode_ctx ctx;
> > +base64_encode_init();
> > +const uint32_t expectedSz = base64_encode_len(length) +1 /*
> > terminator */;
> > +char *b64buf = static_cast(xcalloc(expectedSz, 1));
> > +size_t blen = base64_encode_update(, b64buf, length,
> > reinterpret_cast(ag));
> > +blen += base64_encode_final(, b64buf+blen);
> > +b64buf[expectedSz-1] = '\0';
> > +if (!pstrcat(ad_groups, reinterpret_cast(b64buf))) {
> > +debug((char *) "%s| %s: WARN: Too many groups ! size >
> > %d : %s\n",
> > +  LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE,
> ad_groups);
> > +   xfree(ag);
> > +   xfree(b64buf);
> > +   return NULL;
> > +}
> > +xfree(b64buf);
> > +
> > +
> > +
> > +sauth = get4byt();
> > +debug((char *) "%s| 

Re: [squid-users] Kerberos pac ResourceGroups parsing

2023-11-16 Thread Alex Rousskov

On 2023-11-16 07:48, Andrey K wrote:

I have slightly patched the negotiate_kerberos_pac.cc to 
implement ResourceGroupIds-block parsing.


Please consider posting tested changes as a GitHub Pull Request:
https://wiki.squid-cache.org/MergeProcedure#pull-request


Thank you,

Alex.



Maybe it will be useful for the community.
This patch can be included in future Squid-releases.

Kind regards,
    Ankor.

The patch for the 
file src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc below:


@@ -362,6 +362,123 @@
      return ad_groups;
  }

+
+char *
+get_resource_group_domain_sid(uint32_t ResourceGroupDomainSid){
+
+    if (ResourceGroupDomainSid!= 0) {
+        uint8_t rev;
+        uint64_t idauth;
+        char dli[256];
+        char *ag;
+        int l;
+
+        align(4);
+
+        uint32_t nauth = get4byt();
+
+        size_t length = 1+1+6+nauth*4;
+
+            ag=(char *)xcalloc((length+1)*sizeof(char),1);
+            // the first byte is a length of the SID
+            ag[0] = (char) length;
+            memcpy((void *)[1],(const void*)[bpos],1);
+            memcpy((void *)[2],(const void*)[bpos+1],1);
+            ag[2] = ag[2]+1;
+            memcpy((void *)[3],(const void*)[bpos+2],6+nauth*4);
+
+
+
+        /* mainly for debug only */
+        rev = get1byt();
+        bpos = bpos + 1; /*nsub*/
+        idauth = get6byt_be();
+
+        snprintf(dli,sizeof(dli),"S-%d-%lu",rev,(long unsigned int)idauth);
+        for ( l=0; l<(int)nauth; l++ ) {
+            uint32_t sauth;
+            sauth = get4byt();
+            snprintf((char 
*)[strlen(dli)],sizeof(dli)-strlen(dli),"-%u",sauth);

+        }
+        debug((char *) "%s| %s: INFO: Got ResourceGroupDomainSid %s\n", 
LogTime(), PROGRAM, dli);

+        return ag;
+    }
+
+    return NULL;
+}
+
+char *
+get_resource_groups(char *ad_groups, char *resource_group_domain_sid, 
uint32_t ResourceGroupIds, uint32_t ResourceGroupCount){

+    size_t group_domain_sid_len = resource_group_domain_sid[0];
+    char *ag;
+    size_t length;
+
+    resource_group_domain_sid++; //now it points to the actual data
+
+
+    if (ResourceGroupIds!= 0) {
+        uint32_t ngroup;
+        int l;
+
+        align(4);
+        ngroup = get4byt();
+        if ( ngroup != ResourceGroupCount) {
+            debug((char *) "%s| %s: ERROR: Group encoding error => 
ResourceGroupCount: %d Array size: %d\n",

+                  LogTime(), PROGRAM, ResourceGroupCount, ngroup);
+            return NULL;
+        }
+        debug((char *) "%s| %s: INFO: Found %d Resource Group rids\n", 
LogTime(), PROGRAM, ResourceGroupCount);

+
+        //make a group template which begins with the ResourceGroupDomainID
+        length = group_domain_sid_len+4;  //+4 for a rid
+        ag=(char *)xcalloc(length*sizeof(char),1);
+        memcpy((void *)ag,(const void*)resource_group_domain_sid, 
group_domain_sid_len);

+
+
+        for ( l=0; l<(int)ResourceGroupCount; l++) {
+            uint32_t sauth;
+            memcpy((void *)[group_domain_sid_len],(const 
void*)[bpos],4);

+
+            if (!pstrcat(ad_groups," group=")) {
+                debug((char *) "%s| %s: WARN: Too many groups ! size > 
%d : %s\n",

+                      LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
+               xfree(ag);
+               return NULL;
+            }
+
+
+            struct base64_encode_ctx ctx;
+            base64_encode_init();
+            const uint32_t expectedSz = base64_encode_len(length) +1 /* 
terminator */;

+            char *b64buf = static_cast(xcalloc(expectedSz, 1));
+            size_t blen = base64_encode_update(, b64buf, length, 
reinterpret_cast(ag));

+            blen += base64_encode_final(, b64buf+blen);
+            b64buf[expectedSz-1] = '\0';
+            if (!pstrcat(ad_groups, reinterpret_cast(b64buf))) {
+                debug((char *) "%s| %s: WARN: Too many groups ! size > 
%d : %s\n",

+                      LogTime(), PROGRAM, MAX_PAC_GROUP_SIZE, ad_groups);
+               xfree(ag);
+               xfree(b64buf);
+               return NULL;
+            }
+            xfree(b64buf);
+
+
+
+            sauth = get4byt();
+            debug((char *) "%s| %s: Info: Got rid: %u\n", LogTime(), 
PROGRAM, sauth);

+            /* attribute */
+            bpos = bpos+4;
+        }
+
+        xfree(ag);
+       return ad_groups;
+    }
+
+    return NULL;
+}
+
+
  char *
  get_ad_groups(char *ad_groups, krb5_context context, krb5_pac pac)
  {
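Review bot: `nauth`, read by `get4byt()` in get_resource_group_domain_sid, is used unchecked to size the `memcpy` of `6+nauth*4` bytes starting at offset `bpos+2` and the loop of further `get4byt()` reads, so a PAC carrying a large sub-authority count walks the parser past its buffer unless `get4byt()`/`align()` themselves bound-check `bpos` (not visible in this hunk); `nauth*4` is also evaluated in 32-bit arithmetic, and the resulting `length` is narrowed into the single byte `ag[0]`. A SID carries at most 15 sub-authorities, so reject anything larger before allocating: `if (nauth > 15) { debug((char *) "%s| %s: ERROR: Bad SubAuthorityCount %u\n", LogTime(), PROGRAM, nauth); return NULL; }`. In get_resource_groups, `resource_group_domain_sid[0]` is dereferenced before anything else, yet get_resource_group_domain_sid returns NULL when `ResourceGroupDomainSid` is 0 and the call site lies in a hunk beyond the end of this page, so a guard `if (!resource_group_domain_sid) return NULL;` at the top keeps that combination from crashing. The `&` in `&ag[...]`/`&ctx` and the `static_cast`/`reinterpret_cast` template arguments appear to have been stripped by the list archive, so this review reads them as intended.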
@@ -379,14 +496,14 @@
      uint32_t LogonDomainId=0;
      uint32_t SidCount=0;
      uint32_t ExtraSids=0;
-    /*
      uint32_t ResourceGroupDomainSid=0;
      uint32_t ResourceGroupCount=0;
      uint32_t ResourceGroupIds=0;
-    */
      char **Rids=NULL;
      int l=0;

+    char * resource_group_domain_sid=NULL;
+
      if (!ad_groups) {
          debug((char *) "%s| %s: ERR: No space to store groups\n",
                LogTime(), PROGRAM);
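Review bot: The new `resource_group_domain_sid` local will hold the heap buffer `xcalloc()`'d by get_resource_group_domain_sid, and nothing in this hunk records who releases it; get_ad_groups returns early on several conditions (the `!ad_groups` check right below is one) and its body continues past this page, so every one of those exits must `xfree()` it or the buffer leaks per authentication. Document the ownership at the declaration, `char *resource_group_domain_sid = NULL; // xcalloc()'d by get_resource_group_domain_sid(); xfree() on every return`, which also brings the declarator spacing in line with the neighbouring `char **Rids=NULL;`.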
@@ -454,11 +571,11 @@
      bpos = bpos+40;
      SidCount