Search squid archive

Re: external_acl_type requests authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Saturday 19 January 2008 01:32:28 Amos Jeffries wrote:
> ian j hart wrote:
> > On Friday 18 January 2008 20:10:07 ian j hart wrote:
> >> On Friday 18 January 2008 00:51:40 ian j hart wrote:
> >>> The external_acl_type requests authentication since bug 1278 was fixed.
> >>>
> >>> I have something like this (cut down and edited).
> >>>
> >>> external_acl_type logger ttl=0 negative_ttl=0 children=1 %LOGIN ...
> >>>
> >>> acl password proxy_auth REQUIRED
> >>>
> >>> acl proxylist dstdomain .some.site
> >>> acl logproxy external logger 8
> >>>
> >>> http_access deny proxylist logproxy
> >>> ###deny_info ERR_ACCESS_DENIED.proxy logproxy
> >>>
> >>> http_access allow password
> >>> http_access deny all
> >>>
> >>> A hit on the proxylist causes authentication and the (bogus) error
> >>> message only appears when the user selects cancel. Not intuitive.
> >>>
> >>> The bogus error message (you must authenticate) is easily fixed up with
> >>> the deny_info line.
> >>>
> >>> Yes, I realise I could work around this with a dummy acl, but that's
> >>> just nasty. In any case I'd rather add a feature than jump thru' hoops.
> >>>
> >>> Judging by the size of the patch to implement this is should be simple
> >>> enough to fix up (famous last words).
> >>>
> >>> I had hoped I could just not set the flag, e.g.
> >>>
> >>> --- src/external_acl.c.orig     Mon Jan  1 23:32:13 2007
> >>> +++ src/external_acl.c  Thu Jan 17 21:17:31 2008
> >>> @@ -275,6 +275,8 @@
> >>>             format->type = EXT_ACL_LOGIN;
> >>>             a->require_auth = 1;
> >>>         }
> >>> +       else if (strcmp(token, "%NOAUTH") == 0)
> >>> +           format->type = EXT_ACL_LOGIN;
> >>>  #if USE_IDENT
> >>>         else if (strcmp(token, "%IDENT") == 0)
> >>>             format->type = EXT_ACL_IDENT;
> >>>
> >>> Unfortunately this breaks an assert in authenticate.c near line 648.
> >>>
> >>> At which point I need help.
> >>>
> >>> authenticateUserRequestUsername(auth_user_request_t *
> >>> auth_user_request) {
> >>>     assert(auth_user_request != NULL);
> >>>
> >>> NULL seems to be a valid return value, that's one option. Dangerous?
> >>>
> >>> Fixing the call would be another. It appears to be called from
> >>> external_acl.c makeExternalAclKey
> >>>
> >>> switch (format->type) {
> >>> case EXT_ACL_LOGIN:
> >>>     str = authenticateUserRequestUsername(request->auth_user_request);
> >>>
> >>> Check the flag and set str=NULL?
> >>>
> >>> Maybe there's a patch for this already? Or a wish list where I could
> >>> post it. Or is it near enough that someone could help me out?
> >>>
> >>> Thanks
> >>
> >> This appears to work (tested for a whole 10 mins :)
> >>
> >> --- src/external_acl.c.orig     Mon Jan  1 23:32:13 2007
> >> +++ src/external_acl.c  Fri Jan 18 19:29:15 2008
> >> @@ -275,6 +275,8 @@
> >>             format->type = EXT_ACL_LOGIN;
> >>             a->require_auth = 1;
> >>         }
> >> +       else if (strcmp(token, "%NOAUTH") == 0)
> >> +           format->type = EXT_ACL_LOGIN;
> >>  #if USE_IDENT
> >>         else if (strcmp(token, "%IDENT") == 0)
> >>             format->type = EXT_ACL_IDENT;
> >> @@ -627,7 +629,8 @@
> >>         const char *str = NULL;
> >>         switch (format->type) {
> >>         case EXT_ACL_LOGIN:
> >> -           str =
> >> authenticateUserRequestUsername(request->auth_user_request); +          
> >> if (externalAclRequiresAuth(acl_data))
> >> +                   str =
> >> authenticateUserRequestUsername(request->auth_user_request); break;
> >>  #if USE_IDENT
> >>         case EXT_ACL_IDENT:
> >
> > No, that's not it. Username passed to external program is always -.
> >
> > Back to the drawing board.
>
> I suspect the problem you are facing with that '-' is that the login
> delay occurs during processing of the EXT_ACL_LOGIN state not the %LOGIN
> parsing. So a new state EXT_ACL_NOLOGIN will be needed to skip the
> credential remote-retrieval without skipping the local credential lookup.
>
> You are testing with a non-zero auth_ttl right? (that is TTL on the
> local auth details cache).
>
> PS. could you move patches to squid-dev or bugzilla please.
>
> Thanks
> Amos

Further analysis reveals that I was completely on the wrong track.

aclIsProxyAuth switches on the acl type not the external acl format type.

This is much more difficult. I may be gone for some time :(

In any case I'll move this over to squid-dev@

Thanks to everyone who replied.

-- 
ian j hart

[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux