Posted to issues@subversion.apache.org by "Torsten Krah (JIRA)" <ji...@apache.org> on 2018/03/15 14:29:00 UTC

[jira] [Updated] (SVN-4726) mod_authz_svn fails to authorize a valid authenticated user (which is done via mod_lua)

     [ https://issues.apache.org/jira/browse/SVN-4726?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Torsten Krah updated SVN-4726:
------------------------------
    Description: 
Hi folks,

this is the bug report discussed already on the user list threads here:

[https://svn.haxx.se/users/archive-2018-01/0096.shtml]

and on the dev list here:

[https://svn.haxx.se/dev/archive-2018-01/0070.shtml]

In short this is the recipe:

If you use a lua module to authenticate your users, done via:

[https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookcheckuserid]

like this:
 # Use the repo from the already existent test suite and configure a location like that:
{code}
<Location /svn-test-work/repositories>
  DAV svn
  SVNParentPath "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories"
  # mod_lua hook that sets r->user; 'early' orders it before other check_user_id handlers
  LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
  AuthzSVNAccessFile "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz"
  Require valid-user
  SVNAdvertiseV2Protocol on
  SVNCacheRevProps off
</Location>
{code}

 # The authz file just contains:
{code}
[/]
* = rw
{code}

 # The auth.lua hook *authcheck_hook* does read like that:
{code}
function authcheck_hook(r)
  -- fake the user: every request is treated as the authenticated user 'foo'
  r.user = 'foo'
  r:debug('user foo: OK')
  return apache2.OK
end
{code}
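mod_authz_svn only consults the authz file once a user name is attached to the request, which in the setup above is what the Lua hook does by setting r.user. To show what that second step decides, here is an added Python evaluator for the authz file format; it is an illustration written for this page, not code from Subversion, httpd or the reporter. It goes beyond the two-line `[/] * = rw` file above by handling nested groups, per-repository sections, `$authenticated`/`$anonymous` and an empty value that withholds both rights. The precedence rule it applies within a section (a named user beats a group, which beats `*`; among equally specific rules a right withheld by any of them is withheld) is this model's own simplification, not a statement about libsvn_repos/authz.c; the repository names `any-repo` and `projects` and the user names are constructed.

```python
# Evaluator for Subversion authz files. Constructed illustration, not code from
# Subversion or the issue reporter; the real evaluator is libsvn_repos/authz.c.
import posixpath
from typing import NamedTuple

ANONYMOUS = None  # marker for a request on which no module set r.user


class Authz(NamedTuple):
    groups: dict  # group name -> list of members (user or @group)
    rules: dict   # section ('/path' or 'repo:/path') -> [(subject, {'r','w'})]


def parse_authz(text):
    groups, rules, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            if section != "groups":
                rules.setdefault(section, [])
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed authz line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "groups":
            groups[key] = [m.strip() for m in value.split(",") if m.strip()]
        else:  # only 'r' and 'w' carry meaning; an empty value withholds both
            rules[section].append((key, {c for c in value if c in "rw"}))
    return Authz(groups, rules)


def in_group(user, group, authz, seen=frozenset()):
    """Recursive membership test; `seen` guards against group cycles."""
    if group in seen:
        return False
    for m in authz.groups.get(group, []):
        if m == user or (m.startswith("@") and in_group(user, m[1:], authz, seen | {group})):
            return True
    return False


def subject_matches(subject, user, authz):
    if subject == "*":
        return True
    if subject in ("$anonymous", "$authenticated"):
        return (user is ANONYMOUS) == (subject == "$anonymous")
    if user is ANONYMOUS:
        return False  # named subjects never match an unauthenticated request
    if subject.startswith("@"):
        return in_group(user, subject[1:], authz)
    return subject == user


def specificity(subject):
    """Model tier (an assumption of this model): wildcard 0 < group 1 < named user 2."""
    if subject == "*" or subject.startswith("$"):
        return 0
    return 1 if subject.startswith("@") else 2


def section_verdict(rules, user, authz, need):
    """True/False when some rule in the section applies to `user`, else None."""
    matched = [(specificity(s), r) for s, r in rules if subject_matches(s, user, authz)]
    if not matched:
        return None
    top = max(tier for tier, _ in matched)
    granted = {"r", "w"}
    for tier, rights in matched:
        if tier == top:  # a right withheld by any rule of the winning tier is withheld
            granted &= rights
    return need <= granted


def check_access(authz, repo, path, user, required):
    """Does `user` hold every right in `required` ('r', 'w' or 'rw') on repo:path?"""
    need = set(required)
    path = posixpath.normpath("/" + path.strip("/"))
    while True:  # walk from the requested path up to '/', repo-specific section first
        for name in (f"{repo}:{path}", path):
            if name in authz.rules:
                verdict = section_verdict(authz.rules[name], user, authz, need)
                if verdict is not None:
                    return verdict
        if path == "/":
            return False  # no applicable rule anywhere: no access
        path = posixpath.dirname(path)


# The reporter's file: '*' matches every request, anonymous ones included.
REPORTER_AUTHZ = "[/]\n* = rw\n"

# Constructed file exercising nested groups and per-repository overrides.
SAMPLE_AUTHZ = """\
[groups]
devs = alice, bob
ops = carol, @devs
[/]
* = r
[projects:/]
@devs = rw
[projects:/secret]
* =
@ops = r
carol = rw
"""
```

One thing the model makes visible about the reporter's `* = rw`: `*` matches anonymous requests as well (`check_access(parse_authz(REPORTER_AUTHZ), "any-repo", "/", ANONYMOUS, "rw")` is true), so in that configuration it is `Require valid-user`, not the authz file, that keeps unauthenticated clients out; `$authenticated = rw` expresses the same intent inside the authz file itself.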

mod_authz_svn fails to authorize the users who should have access to the repository.

There are 2 main reasons imho:
 # {{mod_authz_svn}} does expect an *AuthType* to be set, which is not needed when doing authentication via mod_lua - so this assumption should be removed from the code.
 # It does expect an *Authorization* header to guess if the user wants to authenticate, to let the request continue on the request stack to actually reach the configured lua handler which does set the user on the request - but this is imho also wrong. This assumption only holds for *basic authentication* - which is not done here. Arbitrary authentication may be implemented in the lua hook - so {{mod_authz_svn}} should not make any assumptions about that header's existence either.

*AuthType* seems to be used to determine if auth is configured at all - which does not seem to be the correct check in any use case.

Also have a look at:

[httpd archive link|http://mail-archives.apache.org/mod_mbox/httpd-users/201801.mbox/%3CCALK%3DYjO6X8nszrb6tb9b1Z6XcU7HgbWCBxfkabF2B098%3Dnnzzw%40mail.gmail.com%3E]

where I asked on the httpd list how this *check* if auth is configured at all could be done - there are ways, but like Eric Covener said there:
{quote}
It does seem like a risky idea to do it for anything but problem
determination, though.
{quote}
So the code should not rely on that check at all, it seems.

Something off-topic maybe:

Using the same lua handler to authenticate other locations - e.g. to show a directory index or some static HTML files served by httpd - does work, so I would expect that mod_authz_svn should work too here.

> mod_authz_svn fails to authorize a valid authenticated user (which is done via mod_lua)
> ---------------------------------------------------------------------------------------
>
>                 Key: SVN-4726
>                 URL: https://issues.apache.org/jira/browse/SVN-4726
>             Project: Subversion
>          Issue Type: Bug
>          Components: mod_authz_svn
>    Affects Versions: 1.9.7, 1.10.0-alpha3
>         Environment: {quote} # {code}Linux thorstenknbl1 4.9.78-040978-generic #201801231931 SMP Tue Jan 23 19:32:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux{code}
>  # {code}httpd 2.4.29{code}
>  # {code}[14:15:05][tkrah@thorstenknbl1:~/Development/src/subversion]  $ svn info{code}
> {code}
> Pfad: .
> Wurzelpfad der Arbeitskopie: /home/tkrah/Development/src/subversion
> URL: https://svn.apache.org/repos/asf/subversion/trunk
> Relative URL: ^/subversion/trunk
> Basis des Projektarchivs: https://svn.apache.org/repos/asf
> UUID des Projektarchivs: 13f79535-47bb-0310-9956-ffa450edef68
> Revision: 1821650
> Knotentyp: Verzeichnis
> Plan: normal
> Letzter Autor: julianfoad
> Letzte geänderte Rev: 1821621
> Letztes Änderungsdatum: 2018-01-19 12:29:49 +0100 (Fr, 19. Jan 2018)
> {code}
> {quote}
>            Reporter: Torsten Krah
>            Priority: Major
>              Labels: AuthFailure, Authentication, Authorization, LUA
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)