Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access

From: Adrian Chadd <adrian_at_squid-cache.org>
Date: Mon, 8 Sep 2008 07:19:29 +0800

Thanks! Don't forget to bug me if it's not sorted out in the next week or so.

Adrian

2008/9/8 Diego Woitasen <diegows_at_xtech.com.ar>:
> http://www.squid-cache.org/bugs/show_bug.cgi?id=2455
>
> On Sun, Sep 07, 2008 at 09:28:30AM +0800, Adrian Chadd wrote:
>> It looks fine; could you dump it into bugzilla for the time being?
>> (We're working on the Squid-2 -> bzr merge stuff at the moment!)
>>
>>
>>
>> Adrian
>>
>> 2008/9/7 Diego Woitasen <diegows_at_xtech.com.ar>:
>> > This patch applies to Squid 2.7.STABLE4.
>> >
>> > If a proxy_auth ACL is used in storeurl_access or url_rewrite_access and the user
>> > has not previously authenticated, send a 407 (Proxy Authentication Required).
>> >
>> > regards,
>> > Diego
>> >
>> >
>> > diff --git a/src/client_side.c b/src/client_side.c
>> > index 23c4274..4f75ea0 100644
>> > --- a/src/client_side.c
>> > +++ b/src/client_side.c
>> > @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http)
>> >
>> > }
>> >
>> > -static void
>> > -clientAccessCheckDone(int answer, void *data)
>> > +void
>> > +clientSendErrorReply(clientHttpRequest * http, int answer)
>> > {
>> > - clientHttpRequest *http = data;
>> > err_type page_id;
>> > http_status status;
>> > ErrorState *err = NULL;
>> > char *proxy_auth_msg = NULL;
>> > +
>> > + proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
>> > +
>> > + int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
>> > +
>> > + debug(33, 5) ("Access Denied: %s\n", http->uri);
>> > + debug(33, 5) ("AclMatchedName = %s\n",
>> > + AclMatchedName ? AclMatchedName : "<null>");
>> > + debug(33, 5) ("Proxy Auth Message = %s\n",
>> > + proxy_auth_msg ? proxy_auth_msg : "<null>");
>> > +
>> > + /*
>> > + * NOTE: get page_id here, based on AclMatchedName because
>> > + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
>> > + * clobbered in the clientCreateStoreEntry() call
>> > + * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
>> > + */
>> > + page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
>> > + http->log_type = LOG_TCP_DENIED;
>> > + http->entry = clientCreateStoreEntry(http, http->request->method,
>> > + null_request_flags);
>> > + if (require_auth) {
>> > + if (!http->flags.accel) {
>> > + /* Proxy authorisation needed */
>> > + status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
>> > + } else {
>> > + /* WWW authorisation needed */
>> > + status = HTTP_UNAUTHORIZED;
>> > + }
>> > + if (page_id == ERR_NONE)
>> > + page_id = ERR_CACHE_ACCESS_DENIED;
>> > + } else {
>> > + status = HTTP_FORBIDDEN;
>> > + if (page_id == ERR_NONE)
>> > + page_id = ERR_ACCESS_DENIED;
>> > + }
>> > + err = errorCon(page_id, status, http->orig_request);
>> > + if (http->conn->auth_user_request)
>> > + err->auth_user_request = http->conn->auth_user_request;
>> > + else if (http->request->auth_user_request)
>> > + err->auth_user_request = http->request->auth_user_request;
>> > + /* lock for the error state */
>> > + if (err->auth_user_request)
>> > + authenticateAuthUserRequestLock(err->auth_user_request);
>> > + err->callback_data = NULL;
>> > + errorAppendEntry(http->entry, err);
>> > +
>> > +}
>> > +
>> > +static void
>> > +clientAccessCheckDone(int answer, void *data)
>> > +{
>> > + clientHttpRequest *http = data;
>> > +
>> > debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
>> > RequestMethods[http->request->method].str, http->uri,
>> > answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
>> > AclMatchedName ? AclMatchedName : "NO ACL's");
>> > - proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
>> > http->acl_checklist = NULL;
>> > if (answer == ACCESS_ALLOWED) {
>> > safe_free(http->uri);
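Review bot: clientSendErrorReply is now exported (non-static, declared in protos.h) but has no comment stating its contract, and its name suggests a generic error sender while the body is specifically the access-denied path: it picks 403, or 407/401 when the denying ACL requires proxy auth, creates `http->entry` and marks the transaction LOG_TCP_DENIED. Add a header comment such as `/* Queue the access-denied reply for http (403, or 407/401 when proxy auth is required). Creates http->entry and sets log_type = LOG_TCP_DENIED; the caller must stop processing the request after this. */`. The function also dereferences `http->conn` and `http->request` unconditionally — the same as the code it replaces, but it is now reachable from the rewrite callbacks, so that non-NULL requirement belongs in the comment too. Minor style: `int require_auth` is declared after a statement, whereas this file keeps declarations at the top of the block; move it up next to `page_id` and friends.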
>> > @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data)
>> > http->redirect_state = REDIRECT_PENDING;
>> > clientRedirectStart(http);
>> > } else {
>> > - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
>> > - debug(33, 5) ("Access Denied: %s\n", http->uri);
>> > - debug(33, 5) ("AclMatchedName = %s\n",
>> > - AclMatchedName ? AclMatchedName : "<null>");
>> > - debug(33, 5) ("Proxy Auth Message = %s\n",
>> > - proxy_auth_msg ? proxy_auth_msg : "<null>");
>> > - /*
>> > - * NOTE: get page_id here, based on AclMatchedName because
>> > - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
>> > - * clobbered in the clientCreateStoreEntry() call
>> > - * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
>> > - */
>> > - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
>> > - http->log_type = LOG_TCP_DENIED;
>> > - http->entry = clientCreateStoreEntry(http, http->request->method,
>> > - null_request_flags);
>> > - if (require_auth) {
>> > - if (!http->flags.accel) {
>> > - /* Proxy authorisation needed */
>> > - status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
>> > - } else {
>> > - /* WWW authorisation needed */
>> > - status = HTTP_UNAUTHORIZED;
>> > - }
>> > - if (page_id == ERR_NONE)
>> > - page_id = ERR_CACHE_ACCESS_DENIED;
>> > - } else {
>> > - status = HTTP_FORBIDDEN;
>> > - if (page_id == ERR_NONE)
>> > - page_id = ERR_ACCESS_DENIED;
>> > - }
>> > - err = errorCon(page_id, status, http->orig_request);
>> > - if (http->conn->auth_user_request)
>> > - err->auth_user_request = http->conn->auth_user_request;
>> > - else if (http->request->auth_user_request)
>> > - err->auth_user_request = http->request->auth_user_request;
>> > - /* lock for the error state */
>> > - if (err->auth_user_request)
>> > - authenticateAuthUserRequestLock(err->auth_user_request);
>> > - err->callback_data = NULL;
>> > - errorAppendEntry(http->entry, err);
>> > + clientSendErrorReply(http, answer);
>> > }
>> > }
>> >
>> > @@ -517,61 +529,17 @@ static void
>> > clientAccessCheckDone2(int answer, void *data)
>> > {
>> > clientHttpRequest *http = data;
>> > - err_type page_id;
>> > - http_status status;
>> > - ErrorState *err = NULL;
>> > - char *proxy_auth_msg = NULL;
>> > +
>> > debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
>> > RequestMethods[http->request->method].str, http->uri,
>> > answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
>> > AclMatchedName ? AclMatchedName : "NO ACL's");
>> > - proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
>> > +
>> > http->acl_checklist = NULL;
>> > if (answer == ACCESS_ALLOWED) {
>> > clientCheckNoCache(http);
>> > } else {
>> > - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName));
>> > - debug(33, 5) ("Access Denied: %s\n", http->uri);
>> > - debug(33, 5) ("AclMatchedName = %s\n",
>> > - AclMatchedName ? AclMatchedName : "<null>");
>> > - if (require_auth)
>> > - debug(33, 5) ("Proxy Auth Message = %s\n",
>> > - proxy_auth_msg ? proxy_auth_msg : "<null>");
>> > - /*
>> > - * NOTE: get page_id here, based on AclMatchedName because
>> > - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
>> > - * clobbered in the clientCreateStoreEntry() call
>> > - * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
>> > - */
>> > - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
>> > - http->log_type = LOG_TCP_DENIED;
>> > - http->entry = clientCreateStoreEntry(http, http->request->method,
>> > - null_request_flags);
>> > - if (require_auth) {
>> > - if (!http->flags.accel) {
>> > - /* Proxy authorisation needed */
>> > - status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
>> > - } else {
>> > - /* WWW authorisation needed */
>> > - status = HTTP_UNAUTHORIZED;
>> > - }
>> > - if (page_id == ERR_NONE)
>> > - page_id = ERR_CACHE_ACCESS_DENIED;
>> > - } else {
>> > - status = HTTP_FORBIDDEN;
>> > - if (page_id == ERR_NONE)
>> > - page_id = ERR_ACCESS_DENIED;
>> > - }
>> > - err = errorCon(page_id, status, http->orig_request);
>> > - if (http->conn->auth_user_request)
>> > - err->auth_user_request = http->conn->auth_user_request;
>> > - else if (http->request->auth_user_request)
>> > - err->auth_user_request = http->request->auth_user_request;
>> > - /* lock for the error state */
>> > - if (err->auth_user_request)
>> > - authenticateAuthUserRequestLock(err->auth_user_request);
>> > - err->callback_data = NULL;
>> > - errorAppendEntry(http->entry, err);
>> > + clientSendErrorReply(http, answer);
>> > }
>> > }
>> >
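Review bot: Consolidating onto clientSendErrorReply silently changes the http_access2 denial path: the removed `require_auth` here had no `!http->request->flags.transparent` term, while the shared helper includes it, so a proxy_auth denial in http_access2 on an intercepted request now yields 403 instead of 407. That is arguably correct (an intercepted client cannot answer a proxy challenge, and it matches what http_access already did), but it is a behaviour change not mentioned in the patch description; either state it there or pass the transparent handling in as a parameter so this path keeps its old semantics. The removed code also printed the "Proxy Auth Message" debug line only when `require_auth` was set; the helper prints it unconditionally, which is harmless but worth knowing when reading level-5 logs.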
>> > diff --git a/src/client_side_rewrite.c b/src/client_side_rewrite.c
>> > index 14ad961..8238d89 100644
>> > --- a/src/client_side_rewrite.c
>> > +++ b/src/client_side_rewrite.c
>> > @@ -45,6 +45,8 @@ clientRedirectAccessCheckDone(int answer, void *data)
>> > http->acl_checklist = NULL;
>> > if (answer == ACCESS_ALLOWED)
>> > redirectStart(http, clientRedirectDone, http);
>> > + else if (answer == ACCESS_REQ_PROXY_AUTH)
>> > + clientSendErrorReply(data, answer);
>> > else
>> > clientRedirectDone(http, NULL);
>> > }
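Review bot: The new branch returns right after clientSendErrorReply without calling clientRedirectDone, so whatever the normal path does in clientRedirectDone to finish the redirect stage (the REDIRECT_PENDING state is set in clientAccessCheckDone before clientRedirectStart, hunk 2) is skipped on this path; whether a later stage trips over that cannot be confirmed from this hunk, so it should be exercised with a url_rewrite_access proxy_auth rule and a client that retries with credentials on the same persistent connection. Only ACCESS_REQ_PROXY_AUTH is handled here; an ACCESS_DENIED produced by a proxy_auth-type ACL (the aclIsProxyAuth case that clientSendErrorReply treats as requiring auth) still falls into the `else` and silently skips the rewrite, so if that asymmetry with http_access is intended, say so in a comment. Minor: pass the already-converted pointer, `clientSendErrorReply(http, answer);`, as the other callers do, rather than the raw `void *data`.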
>> > diff --git a/src/client_side_storeurl_rewrite.c b/src/client_side_storeurl_rewrite.c
>> > index 938a254..9f08a25 100644
>> > --- a/src/client_side_storeurl_rewrite.c
>> > +++ b/src/client_side_storeurl_rewrite.c
>> > @@ -45,6 +45,8 @@ clientStoreURLRewriteAccessCheckDone(int answer, void *data)
>> > http->acl_checklist = NULL;
>> > if (answer == ACCESS_ALLOWED)
>> > storeurlStart(http, clientStoreURLRewriteDone, http);
>> > + else if (answer == ACCESS_REQ_PROXY_AUTH)
>> > + clientSendErrorReply(data, answer);
>> > else
>> > clientStoreURLRewriteDone(http, NULL);
>> > }
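Review bot: This turns storeurl_access from a cache-key selection decision into an authentication gate, and on an intercepting proxy the shared helper downgrades the 407 to 403 because of the `flags.transparent` test, so an existing configuration with a proxy_auth rule in storeurl_access goes from "not rewritten" to "hard denied" after this patch; that deserves a note in the storeurl_access and url_rewrite_access cf.data.pre documentation and in the release notes. As in client_side_rewrite.c, only ACCESS_REQ_PROXY_AUTH is intercepted and the callback returns without calling clientStoreURLRewriteDone, so the two rewrite callbacks should at least be kept in lockstep if either gains further handling. Minor: use `clientSendErrorReply(http, answer);` rather than passing `data`.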
>> > diff --git a/src/protos.h b/src/protos.h
>> > index 007498e..c992bea 100644
>> > --- a/src/protos.h
>> > +++ b/src/protos.h
>> > @@ -1484,6 +1484,7 @@ extern aclCheck_t *clientAclChecklistCreate(const acl_access * acl, const client
>> > extern void clientInterpretRequestHeaders(clientHttpRequest * http);
>> > extern void clientAccessCheck2(void *data);
>> > extern void clientFinishRewriteStuff(clientHttpRequest * http);
>> > +extern void clientSendErrorReply(clientHttpRequest * http, int answer);
>> >
>> >
>> > /* client_side_redirect.c */
>> >
>> >
>
> --
> -----------------------
> Diego Woitasen - XTECH
> www.xtech.com.ar
>
>