I am using an arbitrary authentication with mod_lua which works so far. Authentication is done via mod_lua: https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookcheckuserid Authorization is done via mod_authz_svn. I did that and set r.user = 'foo' to the request - just always the same for this example, which is neither None, Form, Basic, or Digest AuthType. If a later authz_module in the stack, e.g. mod_authz_svn denies, based on authorization rules in the authz access file, that request to the user foo, you get the correct result (Forbidden): [Wed Jan 24 10:46:27.544461 2018] [authz_svn:debug] [pid 7979:tid 140737136023296] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19868] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz [Wed Jan 24 10:46:34.792089 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of Require valid-user : denied (no authenticated user yet) [Wed Jan 24 10:46:34.792152 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) [Wed Jan 24 10:46:34.792167 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of Require valid-user : denied (no authenticated user yet) [Wed Jan 24 10:46:34.792176 2018] [authz_core:debug] [pid 7979:tid 140737136023296] mod_authz_core.c(809): [client 127.0.0.1:19868] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet) [Wed Jan 24 10:46:34.792570 2018] [lua:debug] [pid 7979:tid 140737136023296] lua_request.c(1848): [client 127.0.0.1:19868] AH01487: request_rec->dispatching debug -> lua_CFunction [Wed Jan 24 10:46:34.792586 2018] [lua:debug] [pid 7979:tid 140737136023296] @/etc/apache2/auth.lua(13): [client 127.0.0.1:19868] user foo: OK [Wed Jan 24 10:46:34.792611 2018] [authz_svn:debug] [pid 7979:tid 140737136023296] subversion/mod_authz_svn/mod_authz_svn.c(448): [client 127.0.0.1:19868] Path to authz file is /home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz [Wed Jan 24 10:46:34.792664 2018] [authz_svn:error] [pid 7979:tid 140737136023296] [client 127.0.0.1:19868] Access denied: 'foo' GET basic_tests-10:/iota The problem in terms of log output is the next line in the log: [Wed Jan 24 10:46:34.792675 2018] [core:error] [pid 7979:tid 140737136023296] [client 127.0.0.1:19868] AH00571: need AuthType to note auth failure: /svn-test-work/repositories/basic_tests-10/iota For every denied request i get that - but AuthType is from here: https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authtype I've implemented neither None, Basic, Digest or Form - so i did not set that on purpose, i just used the LuaHookCheckUserID directive to implement my arbitrary authentication hook - so its more something like AuthType == CUSTOM. 62 <Location /svn-test-work/repositories> 63 DAV svn 64 SVNParentPath "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories" 65 LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early 66 AuthzSVNAccessFile "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz" 67 Require valid-user 68 SVNAdvertiseV2Protocol on 69 SVNCacheRevProps off 70 </Location> Can this check: https://marc.info/?l=apache-httpd-dev&m=100690636419555&w=1 take into account that auth is configured via the mod_lua hooks and that AuthType is not set, authentication was done but it was denied to the user on purpose - this should not log a core:error in that case, opinions? kind regards Torsten
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
|