search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
http: fix endless loop with failed Basic auth
[siplcs.git] / src / core / sipe-http-request.c
blobd522592efb350399efd96c6c091847d81cfc2ab6
1 /**
2 * @file sipe-http-request.c
3 *
4 * pidgin-sipe
5 *
6 * Copyright (C) 2013 SIPE Project <http://sipe.sourceforge.net/>
7 *
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with this program; if not, write to the Free Software
21 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 *
23 *
24 * SIPE HTTP request layer implementation
25 *
26 * - request handling: creation, parameters, deletion, cancelling
27 * - session handling: creation, closing
28 * - client authorization handling
29 * - connection request queue handling
30 * - compile HTTP header contents and hand-off to transport layer
31 * - process HTTP response and hand-off to user callback
32 */
33
34 #ifdef HAVE_CONFIG_H
35 #include "config.h"
36 #endif
37
38 #include <string.h>
39
40 #include <glib.h>
41
42 #include "sipmsg.h"
43 #include "sip-sec.h"
44 #include "sipe-backend.h"
45 #include "sipe-core.h"
46 #include "sipe-core-private.h"
47 #include "sipe-http.h"
48
49 #define _SIPE_HTTP_PRIVATE_IF_REQUEST
50 #include "sipe-http-request.h"
51 #define _SIPE_HTTP_PRIVATE_IF_TRANSPORT
52 #include "sipe-http-transport.h"
53
54 struct sipe_http_session {
55 gchar *cookie; /* extremely simplistic cookie jar :-) */
56 };
57
58 struct sipe_http_request {
59 struct sipe_http_connection_public *connection;
60
61 struct sipe_http_session *session;
62
63 gchar *path;
64 gchar *headers;
65 gchar *body; /* NULL for GET */
66 gchar *content_type; /* NULL if body == NULL */
67 gchar *authorization;
68
69 const gchar *domain; /* not copied */
70 const gchar *user; /* not copied */
71 const gchar *password; /* not copied */
72
73 sipe_http_response_callback *cb;
74 gpointer cb_data;
75
76 guint32 flags;
77 };
78
79 #define SIPE_HTTP_REQUEST_FLAG_FIRST 0x00000001
80 #define SIPE_HTTP_REQUEST_FLAG_REDIRECT 0x00000002
81 #define SIPE_HTTP_REQUEST_FLAG_AUTHDATA 0x00000004
82 #define SIPE_HTTP_REQUEST_FLAG_HANDSHAKE 0x00000008
83
84 static void sipe_http_request_free(struct sipe_core_private *sipe_private,
85 struct sipe_http_request *req,
86 guint status)
87 {
88 if (req->cb)
89 /* Callback: aborted/failed/cancelled */
90 (*req->cb)(sipe_private,
91 status,
92 NULL,
93 NULL,
94 req->cb_data);
95 g_free(req->path);
96 g_free(req->headers);
97 g_free(req->body);
98 g_free(req->content_type);
99 g_free(req->authorization);
100 g_free(req);
101 }
102
103 static void sipe_http_request_send(struct sipe_http_connection_public *conn_public)
104 {
105 struct sipe_http_request *req = conn_public->pending_requests->data;
106 gchar *header;
107 gchar *content = NULL;
108 gchar *cookie = NULL;
109
110 if (req->body)
111 content = g_strdup_printf("Content-Length: %" G_GSIZE_FORMAT "\r\n"
112 "Content-Type: %s\r\n",
113 strlen(req->body),
114 req->content_type);
115
116 if (req->session && req->session->cookie)
117 cookie = g_strdup_printf("Cookie: %s\r\n", req->session->cookie);
118
119 header = g_strdup_printf("%s /%s HTTP/1.1\r\n"
120 "Host: %s\r\n"
121 "User-Agent: Sipe/" PACKAGE_VERSION "\r\n"
122 "%s%s%s%s",
123 content ? "POST" : "GET",
124 req->path,
125 conn_public->host,
126 conn_public->cached_authorization ? conn_public->cached_authorization :
127 req->authorization ? req->authorization : "",
128 req->headers ? req->headers : "",
129 cookie ? cookie : "",
130 content ? content : "");
131 g_free(cookie);
132 g_free(content);
133
134 /* only use authorization once */
135 g_free(req->authorization);
136 req->authorization = NULL;
137
138 sipe_http_transport_send(conn_public,
139 header,
140 req->body);
141 g_free(header);
142 }
143
144 gboolean sipe_http_request_pending(struct sipe_http_connection_public *conn_public)
145 {
146 return(conn_public->pending_requests != NULL);
147 }
148
149 void sipe_http_request_next(struct sipe_http_connection_public *conn_public)
150 {
151 sipe_http_request_send(conn_public);
152 }
153
154 static void sipe_http_request_enqueue(struct sipe_core_private *sipe_private,
155 struct sipe_http_request *req,
156 const struct sipe_http_parsed_uri *parsed_uri)
157 {
158 struct sipe_http_connection_public *conn_public;
159
160 req->path = g_strdup(parsed_uri->path);
161 req->connection = conn_public = sipe_http_transport_new(sipe_private,
162 parsed_uri->host,
163 parsed_uri->port,
164 parsed_uri->tls);
165 if (!sipe_http_request_pending(conn_public))
166 req->flags |= SIPE_HTTP_REQUEST_FLAG_FIRST;
167
168 conn_public->pending_requests = g_slist_append(conn_public->pending_requests,
169 req);
170 }
171
172 static void sipe_http_request_drop_context(struct sipe_http_connection_public *conn_public)
173 {
174 g_free(conn_public->cached_authorization);
175 conn_public->cached_authorization = NULL;
176 sip_sec_destroy_context(conn_public->context);
177 conn_public->context = NULL;
178 }
179
180 static void sipe_http_request_finalize_negotiate(struct sipe_http_request *req,
181 struct sipmsg *msg)
182 {
183 #if defined(HAVE_GSSAPI_GSSAPI_H) || defined(HAVE_SSPI)
184 /*
185 * Negotiate can send a final package in the successful response.
186 * We need to forward this to the context or otherwise it will
187 * never reach the ready state.
188 */
189 struct sipe_http_connection_public *conn_public = req->connection;
190
191 if (sip_sec_context_type(conn_public->context) == SIPE_AUTHENTICATION_TYPE_NEGOTIATE) {
192 const gchar *header = sipmsg_find_auth_header(msg, "Negotiate");
193
194 if (header) {
195 gchar **parts = g_strsplit(header, " ", 0);
196 gchar *spn = g_strdup_printf("HTTP/%s", conn_public->host);
197 gchar *token;
198
199 SIPE_DEBUG_INFO("sipe_http_request_finalize_negotiate: init context target '%s' token '%s'",
200 spn, parts[1] ? parts[1] : "<NULL>");
201
202 if (sip_sec_init_context_step(conn_public->context,
203 spn,
204 parts[1],
205 &token,
206 NULL)) {
207 g_free(token);
208 } else {
209 SIPE_DEBUG_INFO_NOFORMAT("sipe_http_request_finalize_negotiate: security context init step failed, throwing away context");
210 sipe_http_request_drop_context(conn_public);
211 }
212
213 g_free(spn);
214 g_strfreev(parts);
215 }
216 }
217 #else
218 (void) req; /* keep compiler happy */
219 (void) msg; /* keep compiler happy */
220 #endif
221 }
222
223
224 /* TRUE indicates failure */
225 static gboolean sipe_http_request_response_redirection(struct sipe_core_private *sipe_private,
226 struct sipe_http_request *req,
227 struct sipmsg *msg)
228 {
229 const gchar *location = sipmsg_find_header(msg, "Location");
230 gboolean failed = TRUE;
231
232 sipe_http_request_finalize_negotiate(req, msg);
233
234 if (location) {
235 struct sipe_http_parsed_uri *parsed_uri = sipe_http_parse_uri(location);
236
237 if (parsed_uri) {
238 /* remove request from old connection */
239 struct sipe_http_connection_public *conn_public = req->connection;
240 conn_public->pending_requests = g_slist_remove(conn_public->pending_requests,
241 req);
242
243 /* free old request data */
244 g_free(req->path);
245 req->flags &= ~( SIPE_HTTP_REQUEST_FLAG_FIRST |
246 SIPE_HTTP_REQUEST_FLAG_HANDSHAKE );
247
248 /* resubmit request on other connection */
249 sipe_http_request_enqueue(sipe_private, req, parsed_uri);
250 failed = FALSE;
251
252 sipe_http_parsed_uri_free(parsed_uri);
253 } else
254 SIPE_DEBUG_INFO("sipe_http_request_response_redirection: invalid redirection to '%s'",
255 location);
256 } else
257 SIPE_DEBUG_INFO_NOFORMAT("sipe_http_request_response_redirection: no URL found?!?");
258
259 return(failed);
260 }
261
262 /* TRUE indicates failure */
263 static gboolean sipe_http_request_response_unauthorized(struct sipe_core_private *sipe_private,
264 struct sipe_http_request *req,
265 struct sipmsg *msg)
266 {
267 struct sipe_http_connection_public *conn_public = req->connection;
268 const gchar *header = NULL;
269 guint type;
270 gboolean failed = TRUE;
271
272 /*
273 * There are some buggy HTTP servers out there that add superfluous
274 * WWW-Authenticate: headers during the authentication handshake.
275 * Look only for the header of the active security context.
276 */
277 if (conn_public->context) {
278 const gchar *name = sip_sec_context_name(conn_public->context);
279
280 header = sipmsg_find_auth_header(msg, name);
281 type = sip_sec_context_type(conn_public->context);
282
283 if (!header) {
284 SIPE_DEBUG_INFO("sipe_http_request_response_unauthorized: expected authentication scheme %s not found",
285 name);
286 return(failed);
287 }
288
289 if (conn_public->cached_authorization) {
290 /*
291 * The "Basic" scheme doesn't have any state.
292 *
293 * If we enter here then we have already tried "Basic"
294 * authentication once for this request and it was
295 * rejected by the server. As all future requests will
296 * also be rejected, we need to abort here in order to
297 * prevent an endless request/401/request/... loop.
298 */
299 SIPE_DEBUG_INFO("sipe_http_request_response_unauthorized: Basic authentication has failed for host '%s', please check user name and password!",
300 conn_public->host);
301 return(failed);
302 }
303
304 } else {
305 #if defined(HAVE_GSSAPI_GSSAPI_H) || defined(HAVE_SSPI)
306 #define DEBUG_STRING ", NTLM and Negotiate"
307 /* Use "Negotiate" unless the user requested "NTLM" */
308 if (sipe_private->authentication_type != SIPE_AUTHENTICATION_TYPE_NTLM)
309 header = sipmsg_find_auth_header(msg, "Negotiate");
310 if (header) {
311 type = SIPE_AUTHENTICATION_TYPE_NEGOTIATE;
312 } else
313 #else
314 #define DEBUG_STRING " and NTLM"
315 (void) sipe_private; /* keep compiler happy */
316 #endif
317 {
318 header = sipmsg_find_auth_header(msg, "NTLM");
319 type = SIPE_AUTHENTICATION_TYPE_NTLM;
320 }
321
322 /* only fall back to "Basic" after everything else fails */
323 if (!header) {
324 header = sipmsg_find_auth_header(msg, "Basic");
325 type = SIPE_AUTHENTICATION_TYPE_BASIC;
326 }
327 }
328
329 if (header) {
330 if (!conn_public->context) {
331 gboolean valid = req->flags & SIPE_HTTP_REQUEST_FLAG_AUTHDATA;
332 conn_public->context = sip_sec_create_context(type,
333 !valid, /* Single Sign-On flag */
334 TRUE, /* connection-based for HTTP */
335 valid ? req->domain : NULL,
336 valid ? req->user : NULL,
337 valid ? req->password : NULL);
338 }
339
340 if (conn_public->context) {
341 gchar **parts = g_strsplit(header, " ", 0);
342 gchar *spn = g_strdup_printf("HTTP/%s", conn_public->host);
343 gchar *token_out;
344 const gchar *token_in = parts[1];
345
346 SIPE_DEBUG_INFO("sipe_http_request_response_unauthorized: init context target '%s' token '%s'",
347 spn, token_in ? token_in : "<NULL>");
348
349 /*
350 * If we receive a NULL token during the handshake
351 * then the authentication scheme has failed.
352 */
353 if ((req->flags & SIPE_HTTP_REQUEST_FLAG_HANDSHAKE) &&
354 !token_in) {
355 SIPE_DEBUG_INFO_NOFORMAT("sipe_http_request_response_unauthorized: authentication failed, throwing away context");
356 sipe_http_request_drop_context(conn_public);
357
358 } else if (sip_sec_init_context_step(conn_public->context,
359 spn,
360 token_in,
361 &token_out,
362 NULL)) {
363
364 /* handshake has started */
365 req->flags |= SIPE_HTTP_REQUEST_FLAG_HANDSHAKE;
366
367 /* generate authorization header */
368 req->authorization = g_strdup_printf("Authorization: %s %s\r\n",
369 sip_sec_context_name(conn_public->context),
370 token_out ? token_out : "");
371 g_free(token_out);
372
373 /*
374 * authorization never changes for Basic
375 * authentication scheme, so we can keep it.
376 */
377 if (type == SIPE_AUTHENTICATION_TYPE_BASIC) {
378 g_free(conn_public->cached_authorization);
379 conn_public->cached_authorization = g_strdup(req->authorization);
380 }
381
382 /*
383 * Keep the request in the queue. As it is at
384 * the head it will be pulled automatically
385 * by the transport layer after returning.
386 */
387 failed = FALSE;
388
389 } else {
390 SIPE_DEBUG_INFO_NOFORMAT("sipe_http_request_response_unauthorized: security context init step failed, throwing away context");
391 sipe_http_request_drop_context(conn_public);
392 }
393
394 g_free(spn);
395 g_strfreev(parts);
396 } else
397 SIPE_DEBUG_INFO_NOFORMAT("sipe_http_request_response_unauthorized: security context creation failed");
398 } else
399 SIPE_DEBUG_INFO_NOFORMAT("sipe_http_request_response_unauthorized: only Basic" DEBUG_STRING " authentication schemes are supported");
400
401 return(failed);
402 }
403
404 static void sipe_http_request_response_callback(struct sipe_core_private *sipe_private,
405 struct sipe_http_request *req,
406 struct sipmsg *msg)
407 {
408 const gchar *hdr;
409
410 sipe_http_request_finalize_negotiate(req, msg);
411
412 /* Set-Cookie: RMID=732423sdfs73242; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/; domain=.example.net */
413 if (req->session &&
414 ((hdr = sipmsg_find_header(msg, "Set-Cookie")) != NULL)) {
415 gchar **parts, **current;
416 const gchar *part;
417 gchar *new = NULL;
418
419 g_free(req->session->cookie);
420 req->session->cookie = NULL;
421
422 current = parts = g_strsplit(hdr, ";", 0);
423 while ((part = *current++) != NULL) {
424 /* strip these parts from cookie */
425 if (!(strstr(part, "path=") ||
426 strstr(part, "domain=") ||
427 strstr(part, "expires=") ||
428 strstr(part, "secure"))) {
429 gchar *tmp = new;
430 new = new ?
431 g_strconcat(new, ";", part, NULL) :
432 g_strdup(part);
433 g_free(tmp);
434 }
435 }
436 g_strfreev(parts);
437
438 if (new) {
439 req->session->cookie = new;
440 SIPE_DEBUG_INFO("sipe_http_request_response_callback: cookie: %s", new);
441 }
442 }
443
444 /* Callback: success */
445 (*req->cb)(sipe_private,
446 msg->response,
447 msg->headers,
448 msg->body,
449 req->cb_data);
450
451 /* remove completed request */
452 sipe_http_request_cancel(req);
453 }
454
455 void sipe_http_request_response(struct sipe_http_connection_public *conn_public,
456 struct sipmsg *msg)
457 {
458 struct sipe_core_private *sipe_private = conn_public->sipe_private;
459 struct sipe_http_request *req = conn_public->pending_requests->data;
460 gboolean failed;
461
462 if ((req->flags & SIPE_HTTP_REQUEST_FLAG_REDIRECT) &&
463 (msg->response >= SIPE_HTTP_STATUS_REDIRECTION) &&
464 (msg->response < SIPE_HTTP_STATUS_CLIENT_ERROR)) {
465 failed = sipe_http_request_response_redirection(sipe_private,
466 req,
467 msg);
468
469 } else if (msg->response == SIPE_HTTP_STATUS_CLIENT_UNAUTHORIZED) {
470 failed = sipe_http_request_response_unauthorized(sipe_private,
471 req,
472 msg);
473
474 } else {
475 /* On some errors throw away the security context */
476 if (((msg->response == SIPE_HTTP_STATUS_CLIENT_FORBIDDEN) ||
477 (msg->response == SIPE_HTTP_STATUS_CLIENT_PROXY_AUTH) ||
478 (msg->response >= SIPE_HTTP_STATUS_SERVER_ERROR)) &&
479 conn_public->context) {
480 SIPE_DEBUG_INFO("sipe_http_request_response: response was %d, throwing away security context",
481 msg->response);
482 sipe_http_request_drop_context(conn_public);
483 }
484
485 /* All other cases are passed on to the user */
486 sipe_http_request_response_callback(sipe_private, req, msg);
487
488 /* req is no longer valid */
489 failed = FALSE;
490 }
491
492 if (failed) {
493 /* Callback: request failed */
494 (*req->cb)(sipe_private,
495 SIPE_HTTP_STATUS_FAILED,
496 NULL,
497 NULL,
498 req->cb_data);
499
500 /* remove failed request */
501 sipe_http_request_cancel(req);
502 }
503 }
504
505 void sipe_http_request_shutdown(struct sipe_http_connection_public *conn_public,
506 gboolean abort)
507 {
508 if (conn_public->pending_requests) {
509 GSList *entry = conn_public->pending_requests;
510 while (entry) {
511 sipe_http_request_free(conn_public->sipe_private,
512 entry->data,
513 abort ?
514 SIPE_HTTP_STATUS_ABORTED :
515 SIPE_HTTP_STATUS_FAILED);
516 entry = entry->next;
517 }
518 g_slist_free(conn_public->pending_requests);
519 conn_public->pending_requests = NULL;
520 }
521
522 if (conn_public->context) {
523 g_free(conn_public->cached_authorization);
524 conn_public->cached_authorization = NULL;
525 sip_sec_destroy_context(conn_public->context);
526 conn_public->context = NULL;
527 }
528 }
529
530 struct sipe_http_request *sipe_http_request_new(struct sipe_core_private *sipe_private,
531 const struct sipe_http_parsed_uri *parsed_uri,
532 const gchar *headers,
533 const gchar *body,
534 const gchar *content_type,
535 sipe_http_response_callback *callback,
536 gpointer callback_data)
537 {
538 struct sipe_http_request *req;
539 if (!parsed_uri)
540 return(NULL);
541 if (sipe_http_shutting_down(sipe_private)) {
542 SIPE_DEBUG_ERROR("sipe_http_request_new: new HTTP request during shutdown: THIS SHOULD NOT HAPPEN! Debugging information:\n"
543 "Host: %s\n"
544 "Port: %d\n"
545 "Path: %s\n"
546 "Headers: %s\n"
547 "Body: %s\n",
548 parsed_uri->host,
549 parsed_uri->port,
550 parsed_uri->path,
551 headers ? headers : "<NONE>",
552 body ? body : "<EMPTY>");
553 return(NULL);
554 }
555
556 req = g_new0(struct sipe_http_request, 1);
557 req->flags = 0;
558 req->cb = callback;
559 req->cb_data = callback_data;
560 if (headers)
561 req->headers = g_strdup(headers);
562 if (body) {
563 req->body = g_strdup(body);
564 req->content_type = g_strdup(content_type);
565 }
566
567 /* default authentication */
568 if (!SIPE_CORE_PRIVATE_FLAG_IS(SSO))
569 sipe_http_request_authentication(req,
570 sipe_private->authdomain,
571 sipe_private->authuser,
572 sipe_private->password);
573
574 sipe_http_request_enqueue(sipe_private, req, parsed_uri);
575
576 return(req);
577 }
578
579 void sipe_http_request_ready(struct sipe_http_request *request)
580 {
581 struct sipe_http_connection_public *conn_public = request->connection;
582
583 /* pass first request on already opened connection through directly */
584 if ((request->flags & SIPE_HTTP_REQUEST_FLAG_FIRST) &&
585 conn_public->connected)
586 sipe_http_request_send(conn_public);
587 }
588
589 struct sipe_http_session *sipe_http_session_start(void)
590 {
591 return(g_new0(struct sipe_http_session, 1));
592 }
593
594 void sipe_http_session_close(struct sipe_http_session *session)
595 {
596 if (session) {
597 g_free(session->cookie);
598 g_free(session);
599 }
600 }
601
602 void sipe_http_request_cancel(struct sipe_http_request *request)
603 {
604 struct sipe_http_connection_public *conn_public = request->connection;
605 conn_public->pending_requests = g_slist_remove(conn_public->pending_requests,
606 request);
607
608 /* cancelled by requester, don't use callback */
609 request->cb = NULL;
610
611 sipe_http_request_free(conn_public->sipe_private,
612 request,
613 SIPE_HTTP_STATUS_CANCELLED);
614 }
615
616 void sipe_http_request_session(struct sipe_http_request *request,
617 struct sipe_http_session *session)
618 {
619 request->session = session;
620 }
621
622 void sipe_http_request_allow_redirect(struct sipe_http_request *request)
623 {
624 request->flags |= SIPE_HTTP_REQUEST_FLAG_REDIRECT;
625 }
626
627 void sipe_http_request_authentication(struct sipe_http_request *request,
628 const gchar *domain,
629 const gchar *user,
630 const gchar *password)
631 {
632 request->flags |= SIPE_HTTP_REQUEST_FLAG_AUTHDATA;
633 request->domain = domain;
634 request->user = user;
635 request->password = password;
636 }
637
638 /*
639 Local Variables:
640 mode: c
641 c-file-style: "bsd"
642 indent-tabs-mode: t
643 tab-width: 8
644 End:
645 */
A third-party Pidgin plugin for Microsoft LCS/OCS