Posted to dev@subversion.apache.org by Torsten Krah <kr...@gmail.com> on 2018/01/24 14:49:36 UTC

mod_lua + mod_authz_svn: Problem with authenticating user and mod_authz_svn behaviour

Hi dev folks,

as per Stefan's request on the user list I am going to repost my request
on this list to continue here (still need to open a ticket for this).
Please bear with me if something is unclear or not in a format which is
normally expected here, first time on this list, just tell me and I'll
try to adapt asap.

Back to topic:

The original issue with some background can be found here:

https://svn.haxx.se/users/archive-2018-01/0096.shtml

In short:

I did configure a custom lua hook to negotiate the user from mod_lua and
did not configure any other auth module like basic, form or digest.
Just the Hook, the AuthzSVNAccessFile configuration and a Require
valid-user directive.

<Location /svn-test-work/repositories>
  DAV svn
  SVNParentPath "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories"
  LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
  AuthzSVNAccessFile "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz"
  Require valid-user
  SVNAdvertiseV2Protocol on
  SVNCacheRevProps off
</Location>

This does not work, although I would expect it to do so.

The problem found is that mod_authz_svn does expect an AuthType to be set
and it even looks for Basic-Authorization headers, which is a detail it
should imho not care about because Authentication can be done in
arbitrary ways, e.g. via those lua hooks and I would expect that the
authorization is still done from mod_authz_svn after r.user was set in
the configured hook - but the request gets denied even before the "Check
User ID" hook had a chance to kick in and provide that r.user to the
request.

I do not yet have an idea how to determine if auth is configured -
because for a reason unknown to me (I don't know the code well) - the
module wants to get that info and delegates that decision to the
condition:

ap_auth_type(r) != NULL

As described this is NULL, but the authentication hook from LUA is in
place so there is actually some authentication configured.
I still have a question running about that on the httpd list - what's
the best way to handle that and get that info (if we need that info at
all - I am not sure about that).

In the meantime my workaround is to set "AuthType Custom" in the httpd
configuration so that something is set to this variable and can continue
on that condition for now.
After that I applied the patch attached to remove the checks for the
Authorization header.

I recompiled the module and did run the basic_tests.py suite against
it - same results - with and without those header checks. But I am not
sure if there is even a test which checks that detail.

To me it seems ok to remove those checks because the authentication must
not rely on basic authentication only - but maybe I am wrong here and
there are some assumptions made to this authorization module which I may
break here.

TODO like written above is to omit the usage of the AuthType for this
condition:

authn_configured = ap_auth_type(r) != NULL;

but I got no idea yet what else should be used or if this condition
could be removed at all.

That's it :). Feedback welcome and appreciated.

kind regards

Torsten
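
A sketch of the setup this post describes, added here as an example; it is not Torsten's auth.lua and not code from Subversion or httpd. The file path, function name and hook phase are taken from the LuaHookCheckUserID line above; the identity source (a trusted reverse proxy on loopback that forwards the user in a hypothetical X-Authenticated-User header) is an assumption.

```lua
-- /etc/apache2/auth.lua  (added example; identity source is an assumption)
--
-- httpd directives it pairs with, including the workaround from the post:
--   LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
--   AuthType Custom      # any value, so that ap_auth_type(r) != NULL
--   Require valid-user
require 'apache2'

-- Assumption: only these peers (a local reverse proxy) may assert a user.
-- Note: if mod_remoteip is enabled, r.useragent_ip can itself be derived
-- from a header, so the proxy list must be locked down there as well.
local TRUSTED_PEERS = { ["127.0.0.1"] = true, ["::1"] = true }

-- Hypothetical header name; the proxy must strip any client-supplied copy.
local USER_HEADER = "X-Authenticated-User"

function authcheck_hook(r)
  -- Refuse the identity header unless it arrives from a trusted peer;
  -- otherwise any client could name itself.
  if not TRUSTED_PEERS[r.useragent_ip] then
    r:warn("authcheck_hook: untrusted peer " .. tostring(r.useragent_ip))
    return 403
  end

  -- Accept only names that can safely be matched against the authz file.
  local user = r.headers_in[USER_HEADER]
  if user == nil or not user:match("^[%w._%-]+$") then
    r:warn("authcheck_hook: missing or malformed " .. USER_HEADER)
    return 403
  end

  -- This is the value mod_authz_svn is expected to authorize against.
  r.user = user
  return apache2.OK
end
```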


Re: mod_lua + mod_authz_svn: Problem with authenticating user and mod_authz_svn behaviour

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Torsten Krah wrote on Wed, 24 Jan 2018 15:49 +0100:
> Hi dev folks,
> 

Welcome!

> I recompiled the module and did run the basic_tests.py suite against
> it - same results - with and without those header checks. But I am not
> sure if there is even a test which checks that detail.
> 

I've gone ahead and run the full test suite ('make davautocheck
APACHE_MPM=event').  There were two failures:

At least one test FAILED, checking /tmp/svn/tests.log
FAIL:  mod_authz_svn_tests.py 2: test mixed anonymous and authenticated access
FAIL:  mod_authz_svn_tests.py 8: test satisfy all require any config

I haven't looked into the details.

> That's it :). Feedback welcome and appreciated.

Thanks for the extensive/detailed analysis; I'm afraid I'm not an httpd
expert so I'll leave it for someone else to comment on the topic.

Cheers,

Daniel

P.S. We're also on #svn-dev on Freenode IRC, feel free to drop in.

Re: mod_lua + mod_authz_svn: Problem with authenticating user and mod_authz_svn behaviour

Posted by Torsten Krah <kr...@gmail.com>.
On Wednesday, 24.01.2018, 15:49 +0100, Torsten Krah wrote:
> I do not yet have an idea how to determine if auth is configured -
> because for a reason unknown to me (I don't know the code well) - the
> module wants to get that info and delegates that decision to the
> condition:
> 
> ap_auth_type(r) != NULL
> 
> As described this is NULL, but the authentication hook from LUA is in
> place so there is actually some authentication configured.
> I still have a question running about that on the httpd list - what's
> the best way to handle that and get that info (if we need that info at
> all - I am not sure about that).

About that open question, I received an answer on the httpd list.
Eric Covener answered that it is possible to get that info (there is
some code in mod_info.c which does get that info) but he added:


    It does seem like a risky idea to do it for anything but problem
    determination, though.


So the question remains - why must authz_svn need that info and is it
possible to remove that condition at all and just continue on the stack
to see what it returns?
Maybe the ones who added that code have some insights about that.

kind regards

Torsten