stub-ntlm-helper 0.0.1

data/.gitignore

@@ -0,0 +1,2 @@
+Gemfile.lock
+.*.swp

data/Gemfile

@@ -0,0 +1,3 @@
+source :rubygems
+
+gemspec

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright 2011 ThoughtWorks, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

data/README.md

@@ -0,0 +1,13 @@
+# stub-ntlm-helper
+
+## Storytime
+
+Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
+
+I feel for you.
+
+Sometimes, passwords and security and Kerberos just don't matter.
+
+## What is this?
+
+This is a stub `ntlm_helper`. It **always** authenticates.

data/Rakefile

@@ -0,0 +1,5 @@
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/bin/stub-ntlm-helper

@@ -0,0 +1,40 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+
+require 'stub-ntlm-helper'
+
+YR = /YR/
+KK = /KK ([0-9A-Za-z=+\/]+)$/
+
+$<.each do |line|
+    if line =~ YR
+      challenge = NTLM::Challenge.new
+
+      [
+        :negotiate_ntlm,
+        :negotiate_extended_security,
+
+        # I wish so much I could say :negotiate_unicode here.
+        #
+        # But, Windows uses UCS-8LE and third-party clients (curl, Firefox,
+        # etc.) use UTF-8. And there's no reliable way to determine which
+        # encoding was used. So, instead, we default to OEM, which is close
+        # enough to ASCII, which is close enough to UTF-8, and just pass
+        # through the value directly to Apache/Squid/whoever.
+        #
+        # Let them deal with codepage compatibility. They brought it on
+        # themselves.
+        :negotiate_oem,
+      ].each { |f| challenge.flags[f] = 1 }
+
+      puts "TT " + challenge.encode
+    elsif line =~ KK
+      authenticate = NTLM::Authenticate.decode $1
+      puts "AF #{authenticate.username}"
+    else
+      puts "BH #{line}"
+    end
+
+    $stdout.flush
+end

data/lib/stub-ntlm-helper.rb

@@ -0,0 +1,114 @@
+require 'base64'
+require 'bindata'
+
+# With help from:
+#
+#   ruby-ntlm: https://github.com/macks/ruby-ntlm/blob/master/lib/ntlm/message.rb
+#   davenport: http://davenport.sourceforge.net/ntlm.html
+#   squid: http://devel.squid-cache.org/ntlm/squid_helper_protocol.html
+
+module NTLM
+  SSP_SIGNATURE = 'NTLMSSP'
+
+  module Serializer
+    module ClassMethods
+      def decode b64
+        self.new.tap { |r| r.read Base64.decode64(b64) }
+      end
+    end
+
+    def self.included klass
+      klass.extend ClassMethods
+    end
+
+    def encode
+      Base64.encode64(to_binary_s).tr "\n", ""
+    end
+  end
+
+  class SecurityBuffer < BinData::Record
+    endian :little
+
+    int16 :uzunluk      # Length
+    int16 :reserved
+    int32 :siktir       # "Offset"
+
+    def value
+      parent.to_binary_s[siktir ... (siktir + uzunluk)]
+    end
+  end
+
+  class Flags < BinData::Record
+    # D
+    bit1 :negotiate_lm_key            # LAN Manager session key computation
+    bit1 :negotiate_datagram          # Connectionless authentication
+    bit1 :negotiate_seal              # Session key negotiation for message confidentiality
+    bit1 :negotiate_sign              # Session key negotiation for message signatures
+    bit1 :unused10
+    bit1 :request_target              # TargetName is supplied in challenge message
+    bit1 :negotiate_oem               # OEM character set encoding
+    bit1 :negotiate_unicode           # Unicode character set encoding
+
+    # C
+    bit1 :negotiate_always_sign
+    bit1 :unused7
+    bit1 :oem_workstation_supplied    # Workstations field is present
+    bit1 :oem_domain_supplied         # Domain field is present
+    bit1 :anonymous                   # Anonymous connection
+    bit1 :unused8
+    bit1 :negotiate_ntlm              # NTLM v1 protocol
+    bit1 :unused9
+
+    # B
+    bit1 :negotiate_target_info       # Requests TargetInfo
+    bit1 :request_non_nt_session_key  # LM session key is used
+    bit1 :unused5
+    bit1 :negotiate_identify          # Requests identify level token
+    bit1 :negotiate_extended_security # NTLM v2 session security
+    bit1 :unused6
+    bit1 :target_type_server          # TargetName is server name
+    bit1 :target_type_domain          # TargetName is domain name
+
+    # A
+    bit1 :negotiate_56                # 56bit encryption
+    bit1 :negotiate_key_exch          # Explicit key exchange
+    bit1 :negotiate_128               # 128bit encryption
+    bit1 :unused1
+    bit1 :unused2
+    bit1 :unused3
+    bit1 :negotiate_version           # Version field is present
+    bit1 :unused4
+  end
+
+  class Challenge < BinData::Record
+    include Serializer
+
+    endian :little
+
+    stringz :signature, :value => SSP_SIGNATURE, :check_value => SSP_SIGNATURE
+    int32 :message_type, :value => 2, :check_value => 2
+    security_buffer :target_name
+    flags :flags
+    string :challenge, :length => 8
+    array :data, :type => :int8, :read_until => :eof
+  end
+
+  class Authenticate < BinData::Record
+    include Serializer
+
+    endian :little
+
+    stringz :signature, :check_value => SSP_SIGNATURE
+    int32 :message_type, :check_value => 3
+    security_buffer :lm_response
+    security_buffer :ntlm_response
+    security_buffer :target_name
+    security_buffer :user_name
+    security_buffer :workstation_name
+    array :data, :type => :int8, :read_until => :eof
+
+    def username
+      "#{target_name.value}+#{user_name.value}"
+    end
+  end
+end

data/spec/challenge_spec.rb

@@ -0,0 +1,31 @@
+require 'stub-ntlm-helper'
+
+describe NTLM::Challenge do
+  context "a minimal type 2 message" do
+    let(:minimal_type_2_message) { 'TlRMTVNTUAACAAAAAAAAAAAAAAACAgAAASNFZ4mrze8=' }
+
+    subject { NTLM::Challenge.decode minimal_type_2_message }
+
+    [:negotiate_ntlm, :negotiate_oem].each do |f|
+      it "#{f} flag should be true" do
+        subject.flags[f].should == 1
+      end
+    end
+
+    [
+      :negotiate_lm_key, :negotiate_datagram, :negotiate_seal,
+      :negotiate_sign, :unused10, :request_target, :negotiate_unicode,
+      :negotiate_always_sign, :unused7, :oem_workstation_supplied,
+      :oem_domain_supplied, :anonymous, :unused8, :unused9,
+      :negotiate_target_info, :request_non_nt_session_key, :unused5,
+      :negotiate_identify, :negotiate_extended_security, :unused6,
+      :target_type_server, :target_type_domain, :negotiate_56,
+      :negotiate_key_exch, :negotiate_128, :unused1, :unused2, :unused3,
+      :negotiate_version, :unused4
+    ].each do |f|
+      it "#{f} flag should be false" do
+        subject.flags[f].should == 0
+      end
+    end
+  end
+end

data/stub-ntlm-helper.gemspec

@@ -0,0 +1,29 @@
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |s|
+  s.name        = 'stub-ntlm-helper'
+  s.version     = '0.0.1'
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ['Scott Robinson', 'Mustafa Sezgin']
+  s.email       = ['sr@thoughtworks.com', 'msezgin@thoughtworks.com']
+  s.summary      = 'This is a stub ntlm_helper. It always authenticates.'
+  s.description = <<-EOF
+Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
+
+I feel for you.
+
+Sometimes, passwords and security and Kerberos just don't matter.
+
+This is a stub ntlm_helper. It always authenticates.
+  EOF
+  s.homepage    = 'https://github.com/offshore-safety/stub-ntlm-helper'
+
+  s.files         = `git ls-files`.split "\n"
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split "\n"
+  s.executables   = `git ls-files -- bin/*`.split("\n").map { |f| File.basename(f) }
+  s.require_paths = ['lib']
+
+  s.add_development_dependency 'rspec'
+  s.add_development_dependency 'rake'
+
+  s.add_dependency 'bindata'
+end

metadata

@@ -0,0 +1,127 @@
+--- !ruby/object:Gem::Specification 
+name: stub-ntlm-helper
+version: !ruby/object:Gem::Version 
+  hash: 29
+  prerelease: 
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- Scott Robinson
+- Mustafa Sezgin
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-11-22 00:00:00 +11:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: rake
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: bindata
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 3
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id003
+description: |
+  Using Apache or Squid or whatever with NTLM? Ever had Active Directory arbitrarily hate winbind?
+  
+  I feel for you.
+  
+  Sometimes, passwords and security and Kerberos just don't matter.
+  
+  This is a stub ntlm_helper. It always authenticates.
+
+email: 
+- sr@thoughtworks.com
+- msezgin@thoughtworks.com
+executables: 
+- stub-ntlm-helper
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/stub-ntlm-helper
+- lib/stub-ntlm-helper.rb
+- spec/challenge_spec.rb
+- stub-ntlm-helper.gemspec
+has_rdoc: true
+homepage: https://github.com/offshore-safety/stub-ntlm-helper
+licenses: []
+
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      hash: 3
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.6.2
+signing_key: 
+specification_version: 3
+summary: This is a stub ntlm_helper. It always authenticates.
+test_files: 
+- spec/challenge_spec.rb