Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access

From: Adrian Chadd <adrian_at_squid-cache.org>
Date: Sun, 7 Sep 2008 09:28:30 +0800

It looks fine; could you dump it into bugzilla for the time being?
(We're working on the Squid-2 -> bzr merge stuff at the moment!)

Adrian

2008/9/7 Diego Woitasen <diegows_at_xtech.com.ar>:
> This patch applies to Squid 2.7.STABLE4.
>
> If a proxy_auth ACL is used in url_rewrite_access or storeurl_access and the
> user has not authenticated yet, send a 407 (proxy authentication required)
> instead of silently skipping the rewrite.
>
> regards,
> Diego
>
>
> diff --git a/src/client_side.c b/src/client_side.c
> index 23c4274..4f75ea0 100644
> --- a/src/client_side.c
> +++ b/src/client_side.c
> @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http)
>
> }
>
> -static void
> -clientAccessCheckDone(int answer, void *data)
> +void
> +clientSendErrorReply(clientHttpRequest * http, int answer)
> {
> - clientHttpRequest *http = data;
> err_type page_id;
> http_status status;
> ErrorState *err = NULL;
> char *proxy_auth_msg = NULL;
> +
> + proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
> +
> + int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
> +
> + debug(33, 5) ("Access Denied: %s\n", http->uri);
> + debug(33, 5) ("AclMatchedName = %s\n",
> + AclMatchedName ? AclMatchedName : "<null>");
> + debug(33, 5) ("Proxy Auth Message = %s\n",
> + proxy_auth_msg ? proxy_auth_msg : "<null>");
> +
> + /*
> + * NOTE: get page_id here, based on AclMatchedName because
> + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
> + * clobbered in the clientCreateStoreEntry() call
> + * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
> + */
> + page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
> + http->log_type = LOG_TCP_DENIED;
> + http->entry = clientCreateStoreEntry(http, http->request->method,
> + null_request_flags);
> + if (require_auth) {
> + if (!http->flags.accel) {
> + /* Proxy authorisation needed */
> + status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
> + } else {
> + /* WWW authorisation needed */
> + status = HTTP_UNAUTHORIZED;
> + }
> + if (page_id == ERR_NONE)
> + page_id = ERR_CACHE_ACCESS_DENIED;
> + } else {
> + status = HTTP_FORBIDDEN;
> + if (page_id == ERR_NONE)
> + page_id = ERR_ACCESS_DENIED;
> + }
> + err = errorCon(page_id, status, http->orig_request);
> + if (http->conn->auth_user_request)
> + err->auth_user_request = http->conn->auth_user_request;
> + else if (http->request->auth_user_request)
> + err->auth_user_request = http->request->auth_user_request;
> + /* lock for the error state */
> + if (err->auth_user_request)
> + authenticateAuthUserRequestLock(err->auth_user_request);
> + err->callback_data = NULL;
> + errorAppendEntry(http->entry, err);
> +
> +}
> +
> +static void
> +clientAccessCheckDone(int answer, void *data)
> +{
> + clientHttpRequest *http = data;
> +
> debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
> RequestMethods[http->request->method].str, http->uri,
> answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
> AclMatchedName ? AclMatchedName : "NO ACL's");
> - proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
> http->acl_checklist = NULL;
> if (answer == ACCESS_ALLOWED) {
> safe_free(http->uri);
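Review bot: clientSendErrorReply becomes an exported entry point called from two other files but carries no comment stating its contract; from the body it unconditionally creates a new store entry into `http->entry` and sets `http->log_type`, so a caller that already holds an entry would lose it. I would add above the definition: `/* Build and queue the 403/401/407 error reply for http, chosen from the ACL answer and AclMatchedName. Creates http->entry and sets log_type; callers must not already have an entry. */`. The `int require_auth = ...` line sits after the proxy_auth_msg assignment, i.e. a declaration after a statement, whereas the code it replaces had it at the top of its block; moving it up with the other declarations keeps the file C89-clean. clientAccessCheckDone's body continues past this hunk.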
> @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data)
> http->redirect_state = REDIRECT_PENDING;
> clientRedirectStart(http);
> } else {
> - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
> - debug(33, 5) ("Access Denied: %s\n", http->uri);
> - debug(33, 5) ("AclMatchedName = %s\n",
> - AclMatchedName ? AclMatchedName : "<null>");
> - debug(33, 5) ("Proxy Auth Message = %s\n",
> - proxy_auth_msg ? proxy_auth_msg : "<null>");
> - /*
> - * NOTE: get page_id here, based on AclMatchedName because
> - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
> - * clobbered in the clientCreateStoreEntry() call
> - * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
> - */
> - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
> - http->log_type = LOG_TCP_DENIED;
> - http->entry = clientCreateStoreEntry(http, http->request->method,
> - null_request_flags);
> - if (require_auth) {
> - if (!http->flags.accel) {
> - /* Proxy authorisation needed */
> - status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
> - } else {
> - /* WWW authorisation needed */
> - status = HTTP_UNAUTHORIZED;
> - }
> - if (page_id == ERR_NONE)
> - page_id = ERR_CACHE_ACCESS_DENIED;
> - } else {
> - status = HTTP_FORBIDDEN;
> - if (page_id == ERR_NONE)
> - page_id = ERR_ACCESS_DENIED;
> - }
> - err = errorCon(page_id, status, http->orig_request);
> - if (http->conn->auth_user_request)
> - err->auth_user_request = http->conn->auth_user_request;
> - else if (http->request->auth_user_request)
> - err->auth_user_request = http->request->auth_user_request;
> - /* lock for the error state */
> - if (err->auth_user_request)
> - authenticateAuthUserRequestLock(err->auth_user_request);
> - err->callback_data = NULL;
> - errorAppendEntry(http->entry, err);
> + clientSendErrorReply(http, answer);
> }
> }
>
> @@ -517,61 +529,17 @@ static void
> clientAccessCheckDone2(int answer, void *data)
> {
> clientHttpRequest *http = data;
> - err_type page_id;
> - http_status status;
> - ErrorState *err = NULL;
> - char *proxy_auth_msg = NULL;
> +
> debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
> RequestMethods[http->request->method].str, http->uri,
> answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
> AclMatchedName ? AclMatchedName : "NO ACL's");
> - proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
> +
> http->acl_checklist = NULL;
> if (answer == ACCESS_ALLOWED) {
> clientCheckNoCache(http);
> } else {
> - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName));
> - debug(33, 5) ("Access Denied: %s\n", http->uri);
> - debug(33, 5) ("AclMatchedName = %s\n",
> - AclMatchedName ? AclMatchedName : "<null>");
> - if (require_auth)
> - debug(33, 5) ("Proxy Auth Message = %s\n",
> - proxy_auth_msg ? proxy_auth_msg : "<null>");
> - /*
> - * NOTE: get page_id here, based on AclMatchedName because
> - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
> - * clobbered in the clientCreateStoreEntry() call
> - * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
> - */
> - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
> - http->log_type = LOG_TCP_DENIED;
> - http->entry = clientCreateStoreEntry(http, http->request->method,
> - null_request_flags);
> - if (require_auth) {
> - if (!http->flags.accel) {
> - /* Proxy authorisation needed */
> - status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
> - } else {
> - /* WWW authorisation needed */
> - status = HTTP_UNAUTHORIZED;
> - }
> - if (page_id == ERR_NONE)
> - page_id = ERR_CACHE_ACCESS_DENIED;
> - } else {
> - status = HTTP_FORBIDDEN;
> - if (page_id == ERR_NONE)
> - page_id = ERR_ACCESS_DENIED;
> - }
> - err = errorCon(page_id, status, http->orig_request);
> - if (http->conn->auth_user_request)
> - err->auth_user_request = http->conn->auth_user_request;
> - else if (http->request->auth_user_request)
> - err->auth_user_request = http->request->auth_user_request;
> - /* lock for the error state */
> - if (err->auth_user_request)
> - authenticateAuthUserRequestLock(err->auth_user_request);
> - err->callback_data = NULL;
> - errorAppendEntry(http->entry, err);
> + clientSendErrorReply(http, answer);
> }
> }
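Review bot: Routing clientAccessCheckDone2 through the shared helper changes its behaviour for transparent requests: the removed line computed require_auth without `!http->request->flags.transparent`, while clientSendErrorReply includes that test, so a transparently intercepted request that hits a proxy_auth ACL here now receives 403/ERR_ACCESS_DENIED instead of 407. That is arguably correct, since an intercepted client cannot answer a proxy challenge, but it is a silent change to a security-relevant reply and should either be called out in the patch description or preserved by passing the transparent decision into the helper. The removed code also printed the Proxy Auth Message only `if (require_auth)`; the helper prints it unconditionally at debug level 5, which is harmless but worth knowing when comparing logs.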
>
> diff --git a/src/client_side_rewrite.c b/src/client_side_rewrite.c
> index 14ad961..8238d89 100644
> --- a/src/client_side_rewrite.c
> +++ b/src/client_side_rewrite.c
> @@ -45,6 +45,8 @@ clientRedirectAccessCheckDone(int answer, void *data)
> http->acl_checklist = NULL;
> if (answer == ACCESS_ALLOWED)
> redirectStart(http, clientRedirectDone, http);
> + else if (answer == ACCESS_REQ_PROXY_AUTH)
> + clientSendErrorReply(data, answer);
> else
> clientRedirectDone(http, NULL);
> }
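Review bot: The new branch passes the untyped `data` to clientSendErrorReply although the cast `http` is already in scope from the line above; `clientSendErrorReply(http, answer);` lets the compiler check the argument instead of going through `void *`. Once the 407 has been queued the function returns without calling clientRedirectDone, so the request pipeline stops here; that looks intentional, but it depends on no store entry existing when url_rewrite_access is evaluated, because the helper overwrites http->entry, and I cannot confirm that from this hunk. A one-line comment such as `/* 407 reply queued; do not continue the rewrite chain */` would make the early exit explicit. A plain ACCESS_DENIED still falls through to clientRedirectDone(http, NULL) and merely skips the rewrite, matching the previous behaviour.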
> diff --git a/src/client_side_storeurl_rewrite.c b/src/client_side_storeurl_rewrite.c
> index 938a254..9f08a25 100644
> --- a/src/client_side_storeurl_rewrite.c
> +++ b/src/client_side_storeurl_rewrite.c
> @@ -45,6 +45,8 @@ clientStoreURLRewriteAccessCheckDone(int answer, void *data)
> http->acl_checklist = NULL;
> if (answer == ACCESS_ALLOWED)
> storeurlStart(http, clientStoreURLRewriteDone, http);
> + else if (answer == ACCESS_REQ_PROXY_AUTH)
> + clientSendErrorReply(data, answer);
> else
> clientStoreURLRewriteDone(http, NULL);
> }
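Review bot: As in the url_rewrite counterpart, `clientSendErrorReply(data, answer)` should use the already-cast `http` so the call is type-checked: `clientSendErrorReply(http, answer);`. The branch also ends request processing here without calling clientStoreURLRewriteDone, relying on the helper to create http->entry at this stage; if an entry could already exist when storeurl_access runs it would be overwritten, which this hunk does not let me verify. A short comment on the branch, e.g. `/* 407 reply queued; stop the storeurl chain here */`, would document the intent.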
> diff --git a/src/protos.h b/src/protos.h
> index 007498e..c992bea 100644
> --- a/src/protos.h
> +++ b/src/protos.h
> @@ -1484,6 +1484,7 @@ extern aclCheck_t *clientAclChecklistCreate(const acl_access * acl, const client
> extern void clientInterpretRequestHeaders(clientHttpRequest * http);
> extern void clientAccessCheck2(void *data);
> extern void clientFinishRewriteStuff(clientHttpRequest * http);
> +extern void clientSendErrorReply(clientHttpRequest * http, int answer);
>
>
> /* client_side_redirect.c */
>
>