Re: [squid-users] external_acl_type requests authentication from ian j hart on 2008-01-19 (squid-users)

From: ian j hart <ianjhart@dont-contact.us>
Date: Sat, 19 Jan 2008 14:59:37 +0000

On Saturday 19 January 2008 01:32:28 Amos Jeffries wrote:
> ian j hart wrote:
> > On Friday 18 January 2008 20:10:07 ian j hart wrote:
> >> On Friday 18 January 2008 00:51:40 ian j hart wrote:
> >>> The external_acl_type requests authentication since bug 1278 was fixed.
> >>>
> >>> I have something like this (cut down and edited).
> >>>
> >>> external_acl_type logger ttl=0 negative_ttl=0 children=1 %LOGIN ...
> >>>
> >>> acl password proxy_auth REQUIRED
> >>>
> >>> acl proxylist dstdomain .some.site
> >>> acl logproxy external logger 8
> >>>
> >>> http_access deny proxylist logproxy
> >>> ###deny_info ERR_ACCESS_DENIED.proxy logproxy
> >>>
> >>> http_access allow password
> >>> http_access deny all
> >>>
> >>> A hit on the proxylist causes authentication and the (bogus) error
> >>> message only appears when the user selects cancel. Not intuitive.
> >>>
> >>> The bogus error message (you must authenticate) is easily fixed up with
> >>> the deny_info line.
> >>>
> >>> Yes, I realise I could work around this with a dummy acl, but that's
> >>> just nasty. In any case I'd rather add a feature than jump thru' hoops.
> >>>
> >>> Judging by the size of the patch to implement this is should be simple
> >>> enough to fix up (famous last words).
> >>>
> >>> I had hoped I could just not set the flag, e.g.
> >>>
> >>> --- src/external_acl.c.orig Mon Jan 1 23:32:13 2007
> >>> +++ src/external_acl.c Thu Jan 17 21:17:31 2008
> >>> @@ -275,6 +275,8 @@
> >>> format->type = EXT_ACL_LOGIN;
> >>> a->require_auth = 1;
> >>> }
> >>> + else if (strcmp(token, "%NOAUTH") == 0)
> >>> + format->type = EXT_ACL_LOGIN;
> >>> #if USE_IDENT
> >>> else if (strcmp(token, "%IDENT") == 0)
> >>> format->type = EXT_ACL_IDENT;
> >>>
> >>> Unfortunately this breaks an assert in authenticate.c near line 648.
> >>>
> >>> At which point I need help.
> >>>
> >>> authenticateUserRequestUsername(auth_user_request_t *
> >>> auth_user_request) {
> >>> assert(auth_user_request != NULL);
> >>>
> >>> NULL seems to be a valid return value, that's one option. Dangerous?
> >>>
> >>> Fixing the call would be another. It appears to be called from
> >>> external_acl.c makeExternalAclKey
> >>>
> >>> switch (format->type) {
> >>> case EXT_ACL_LOGIN:
> >>> str = authenticateUserRequestUsername(request->auth_user_request);
> >>>
> >>> Check the flag and set str=NULL?
> >>>
> >>> Maybe there's a patch for this already? Or a wish list where I could
> >>> post it. Or is it near enough that someone could help me out?
> >>>
> >>> Thanks
> >>
> >> This appears to work (tested for a whole 10 mins :)
> >>
> >> --- src/external_acl.c.orig Mon Jan 1 23:32:13 2007
> >> +++ src/external_acl.c Fri Jan 18 19:29:15 2008
> >> @@ -275,6 +275,8 @@
> >> format->type = EXT_ACL_LOGIN;
> >> a->require_auth = 1;
> >> }
> >> + else if (strcmp(token, "%NOAUTH") == 0)
> >> + format->type = EXT_ACL_LOGIN;
> >> #if USE_IDENT
> >> else if (strcmp(token, "%IDENT") == 0)
> >> format->type = EXT_ACL_IDENT;
> >> @@ -627,7 +629,8 @@
> >> const char *str = NULL;
> >> switch (format->type) {
> >> case EXT_ACL_LOGIN:
> >> - str =
> >> authenticateUserRequestUsername(request->auth_user_request); +
> >> if (externalAclRequiresAuth(acl_data))
> >> + str =
> >> authenticateUserRequestUsername(request->auth_user_request); break;
> >> #if USE_IDENT
> >> case EXT_ACL_IDENT:
> >
> > No, that's not it. Username passed to external program is always -.
> >
> > Back to the drawing board.
>
> I suspect the problem you are facing with that '-' is that the login
> delay occurs during processing of the EXT_ACL_LOGIN state not the %LOGIN
> parsing. So a new state EXT_ACL_NOLOGIN will be needed to skip the
> credential remote-retrieval without skipping the local credential lookup.
>

Yes, I was trying to avoid that (much more code). I've disabled the code in
aclIsProxyAuth and moved on to another task. I'll come back to this later.

> You are testing with a non-zero auth_ttl right? (that is TTL on the
> local auth details cache).

Yes, default 2 hours.

>
> PS. could you move patches to squid-dev or bugzilla please.

Okay, will do.

As I've stated previously I don't qualify to join that list. Given the time
zone difference I was trying to avoid the additional grief of having each
email moderated first.

Anyway, thanks for your reply.

>
> Thanks
> Amos

-- 
ian j hart

Received on Sat Jan 19 2008 - 08:00:03 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:05 MST