Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access

From: Diego Woitasen <diegows_at_xtech.com.ar>
Date: Sun, 7 Sep 2008 14:04:19 -0300

http://www.squid-cache.org/bugs/show_bug.cgi?id=2455

On Sun, Sep 07, 2008 at 09:28:30AM +0800, Adrian Chadd wrote:
> It looks fine; could you dump it into bugzilla for the time being?
> (We're working on the Squid-2 -> bzr merge stuff at the moment!)
>
>
>
> Adrian
>
> 2008/9/7 Diego Woitasen <diegows_at_xtech.com.ar>:
> > This patch applies to Squid 2.7.STABLE4.
> >
> > If a proxy_auth acl is used in {storeurl,url_rewrite}_access and the user
> > has not authenticated yet, send 407.
> >
> > regards,
> > Diego
> >
> >
> > diff --git a/src/client_side.c b/src/client_side.c
> > index 23c4274..4f75ea0 100644
> > --- a/src/client_side.c
> > +++ b/src/client_side.c
> > @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http)
> >
> > }
> >
> > -static void
> > -clientAccessCheckDone(int answer, void *data)
> > +void
> > +clientSendErrorReply(clientHttpRequest * http, int answer)
> > {
> > - clientHttpRequest *http = data;
> > err_type page_id;
> > http_status status;
> > ErrorState *err = NULL;
> > char *proxy_auth_msg = NULL;
> > +
> > + proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
> > +
> > + int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
> > +
> > + debug(33, 5) ("Access Denied: %s\n", http->uri);
> > + debug(33, 5) ("AclMatchedName = %s\n",
> > + AclMatchedName ? AclMatchedName : "<null>");
> > + debug(33, 5) ("Proxy Auth Message = %s\n",
> > + proxy_auth_msg ? proxy_auth_msg : "<null>");
> > +
> > + /*
> > + * NOTE: get page_id here, based on AclMatchedName because
> > + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
> > + * clobbered in the clientCreateStoreEntry() call
> > + * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
> > + */
> > + page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
> > + http->log_type = LOG_TCP_DENIED;
> > + http->entry = clientCreateStoreEntry(http, http->request->method,
> > + null_request_flags);
> > + if (require_auth) {
> > + if (!http->flags.accel) {
> > + /* Proxy authorisation needed */
> > + status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
> > + } else {
> > + /* WWW authorisation needed */
> > + status = HTTP_UNAUTHORIZED;
> > + }
> > + if (page_id == ERR_NONE)
> > + page_id = ERR_CACHE_ACCESS_DENIED;
> > + } else {
> > + status = HTTP_FORBIDDEN;
> > + if (page_id == ERR_NONE)
> > + page_id = ERR_ACCESS_DENIED;
> > + }
> > + err = errorCon(page_id, status, http->orig_request);
> > + if (http->conn->auth_user_request)
> > + err->auth_user_request = http->conn->auth_user_request;
> > + else if (http->request->auth_user_request)
> > + err->auth_user_request = http->request->auth_user_request;
> > + /* lock for the error state */
> > + if (err->auth_user_request)
> > + authenticateAuthUserRequestLock(err->auth_user_request);
> > + err->callback_data = NULL;
> > + errorAppendEntry(http->entry, err);
> > +
> > +}
> > +
> > +static void
> > +clientAccessCheckDone(int answer, void *data)
> > +{
> > + clientHttpRequest *http = data;
> > +
> > debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
> > RequestMethods[http->request->method].str, http->uri,
> > answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
> > AclMatchedName ? AclMatchedName : "NO ACL's");
> > - proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
> > http->acl_checklist = NULL;
> > if (answer == ACCESS_ALLOWED) {
> > safe_free(http->uri);
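Review bot: In clientSendErrorReply, `int require_auth` is now declared after the `proxy_auth_msg = ...` assignment, a mixed declaration that the old code avoided by declaring it at the top of the else block. If this tree is still built as C89, declare it with the other locals and assign it afterwards. The function is also exported without a header comment, although its choice of status and deny page depends on the global AclMatchedName still holding the result of the check that just finished. A comment such as `/* Build the 407/401/403 deny reply for a failed ACL check; reads AclMatchedName, so call it directly from the check callback */` would record that contract. clientAccessCheckDone continues past the end of this hunk.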
> > @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data)
> > http->redirect_state = REDIRECT_PENDING;
> > clientRedirectStart(http);
> > } else {
> > - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
> > - debug(33, 5) ("Access Denied: %s\n", http->uri);
> > - debug(33, 5) ("AclMatchedName = %s\n",
> > - AclMatchedName ? AclMatchedName : "<null>");
> > - debug(33, 5) ("Proxy Auth Message = %s\n",
> > - proxy_auth_msg ? proxy_auth_msg : "<null>");
> > - /*
> > - * NOTE: get page_id here, based on AclMatchedName because
> > - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
> > - * clobbered in the clientCreateStoreEntry() call
> > - * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
> > - */
> > - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
> > - http->log_type = LOG_TCP_DENIED;
> > - http->entry = clientCreateStoreEntry(http, http->request->method,
> > - null_request_flags);
> > - if (require_auth) {
> > - if (!http->flags.accel) {
> > - /* Proxy authorisation needed */
> > - status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
> > - } else {
> > - /* WWW authorisation needed */
> > - status = HTTP_UNAUTHORIZED;
> > - }
> > - if (page_id == ERR_NONE)
> > - page_id = ERR_CACHE_ACCESS_DENIED;
> > - } else {
> > - status = HTTP_FORBIDDEN;
> > - if (page_id == ERR_NONE)
> > - page_id = ERR_ACCESS_DENIED;
> > - }
> > - err = errorCon(page_id, status, http->orig_request);
> > - if (http->conn->auth_user_request)
> > - err->auth_user_request = http->conn->auth_user_request;
> > - else if (http->request->auth_user_request)
> > - err->auth_user_request = http->request->auth_user_request;
> > - /* lock for the error state */
> > - if (err->auth_user_request)
> > - authenticateAuthUserRequestLock(err->auth_user_request);
> > - err->callback_data = NULL;
> > - errorAppendEntry(http->entry, err);
> > + clientSendErrorReply(http, answer);
> > }
> > }
> >
> > @@ -517,61 +529,17 @@ static void
> > clientAccessCheckDone2(int answer, void *data)
> > {
> > clientHttpRequest *http = data;
> > - err_type page_id;
> > - http_status status;
> > - ErrorState *err = NULL;
> > - char *proxy_auth_msg = NULL;
> > +
> > debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
> > RequestMethods[http->request->method].str, http->uri,
> > answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
> > AclMatchedName ? AclMatchedName : "NO ACL's");
> > - proxy_auth_msg = authenticateAuthUserRequestMessage(http->conn->auth_user_request ? http->conn->auth_user_request : http->request->auth_user_request);
> > +
> > http->acl_checklist = NULL;
> > if (answer == ACCESS_ALLOWED) {
> > clientCheckNoCache(http);
> > } else {
> > - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName));
> > - debug(33, 5) ("Access Denied: %s\n", http->uri);
> > - debug(33, 5) ("AclMatchedName = %s\n",
> > - AclMatchedName ? AclMatchedName : "<null>");
> > - if (require_auth)
> > - debug(33, 5) ("Proxy Auth Message = %s\n",
> > - proxy_auth_msg ? proxy_auth_msg : "<null>");
> > - /*
> > - * NOTE: get page_id here, based on AclMatchedName because
> > - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
> > - * clobbered in the clientCreateStoreEntry() call
> > - * just below. Pedro Ribeiro <pribeiro_at_isel.pt>
> > - */
> > - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH);
> > - http->log_type = LOG_TCP_DENIED;
> > - http->entry = clientCreateStoreEntry(http, http->request->method,
> > - null_request_flags);
> > - if (require_auth) {
> > - if (!http->flags.accel) {
> > - /* Proxy authorisation needed */
> > - status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
> > - } else {
> > - /* WWW authorisation needed */
> > - status = HTTP_UNAUTHORIZED;
> > - }
> > - if (page_id == ERR_NONE)
> > - page_id = ERR_CACHE_ACCESS_DENIED;
> > - } else {
> > - status = HTTP_FORBIDDEN;
> > - if (page_id == ERR_NONE)
> > - page_id = ERR_ACCESS_DENIED;
> > - }
> > - err = errorCon(page_id, status, http->orig_request);
> > - if (http->conn->auth_user_request)
> > - err->auth_user_request = http->conn->auth_user_request;
> > - else if (http->request->auth_user_request)
> > - err->auth_user_request = http->request->auth_user_request;
> > - /* lock for the error state */
> > - if (err->auth_user_request)
> > - authenticateAuthUserRequestLock(err->auth_user_request);
> > - err->callback_data = NULL;
> > - errorAppendEntry(http->entry, err);
> > + clientSendErrorReply(http, answer);
> > }
> > }
> >
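Review bot: Routing clientAccessCheckDone2 through clientSendErrorReply changes its behaviour, not just its layout. The removed line here computed `require_auth` without `&& !http->request->flags.transparent`, while the shared helper includes that term. A transparent request denied by this second check with a proxy_auth ACL therefore now falls into the `HTTP_FORBIDDEN` / `ERR_ACCESS_DENIED` branch instead of getting a 407/401 challenge. That may well be the better answer for intercepted traffic, but it should be stated in the patch description and confirmed as intended rather than arrive as a side effect of the refactor.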
> > diff --git a/src/client_side_rewrite.c b/src/client_side_rewrite.c
> > index 14ad961..8238d89 100644
> > --- a/src/client_side_rewrite.c
> > +++ b/src/client_side_rewrite.c
> > @@ -45,6 +45,8 @@ clientRedirectAccessCheckDone(int answer, void *data)
> > http->acl_checklist = NULL;
> > if (answer == ACCESS_ALLOWED)
> > redirectStart(http, clientRedirectDone, http);
> > + else if (answer == ACCESS_REQ_PROXY_AUTH)
> > + clientSendErrorReply(data, answer);
> > else
> > clientRedirectDone(http, NULL);
> > }
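Review bot: The new `else if (answer == ACCESS_REQ_PROXY_AUTH)` branch can turn a rewriter-selection ACL into a hard deny. clientSendErrorReply only sends 407/401 when `!http->request->flags.transparent`, so if the check can return ACCESS_REQ_PROXY_AUTH for an intercepted request, that client now gets a 403. Before the patch the request went to `clientRedirectDone(http, NULL)`, which presumably lets it continue unrewritten. Guarding the branch, e.g. `else if (answer == ACCESS_REQ_PROXY_AUTH && !http->request->flags.transparent)`, would keep the old fall-through for intercepted traffic. The call should also pass `http` rather than the untyped `data`, matching the neighbouring calls. The same two points apply to the identical hunk in src/client_side_storeurl_rewrite.c.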
> > diff --git a/src/client_side_storeurl_rewrite.c b/src/client_side_storeurl_rewrite.c
> > index 938a254..9f08a25 100644
> > --- a/src/client_side_storeurl_rewrite.c
> > +++ b/src/client_side_storeurl_rewrite.c
> > @@ -45,6 +45,8 @@ clientStoreURLRewriteAccessCheckDone(int answer, void *data)
> > http->acl_checklist = NULL;
> > if (answer == ACCESS_ALLOWED)
> > storeurlStart(http, clientStoreURLRewriteDone, http);
> > + else if (answer == ACCESS_REQ_PROXY_AUTH)
> > + clientSendErrorReply(data, answer);
> > else
> > clientStoreURLRewriteDone(http, NULL);
> > }
> > diff --git a/src/protos.h b/src/protos.h
> > index 007498e..c992bea 100644
> > --- a/src/protos.h
> > +++ b/src/protos.h
> > @@ -1484,6 +1484,7 @@ extern aclCheck_t *clientAclChecklistCreate(const acl_access * acl, const client
> > extern void clientInterpretRequestHeaders(clientHttpRequest * http);
> > extern void clientAccessCheck2(void *data);
> > extern void clientFinishRewriteStuff(clientHttpRequest * http);
> > +extern void clientSendErrorReply(clientHttpRequest * http, int answer);
> >
> >
> > /* client_side_redirect.c */
> >
> >

-- 
-----------------------
Diego Woitasen - XTECH
www.xtech.com.ar
Received on Sun Sep 07 2008 - 17:04:32 MDT
