Torsten Krah created SVN-4726:
---------------------------------

             Summary: mod_authz_svn fails to authorize a valid authenticated user (which is done via mod_lua)
                 Key: SVN-4726
                 URL: https://issues.apache.org/jira/browse/SVN-4726
             Project: Subversion
          Issue Type: Bug
          Components: mod_authz_svn
    Affects Versions: 1.10.0-alpha3, 1.9.7
         Environment: {quote} # {code}Linux thorstenknbl1 4.9.78-040978-generic #201801231931 SMP Tue Jan 23 19:32:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux{code}
 # {code}httpd 2.4.29{code}
 # {code}[14:15:05][tkrah@thorstenknbl1:~/Development/src/subversion]  $ svn info{code}
{code}
Path: .
Working Copy Root Path: /home/tkrah/Development/src/subversion
URL: https://svn.apache.org/repos/asf/subversion/trunk
Relative URL: ^/subversion/trunk
Repository Root: https://svn.apache.org/repos/asf
Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
Revision: 1821650
Node Kind: directory
Schedule: normal
Last Changed Author: julianfoad
Last Changed Rev: 1821621
Last Changed Date: 2018-01-19 12:29:49 +0100 (Fri, 19 Jan 2018)
{code}
{quote}
            Reporter: Torsten Krah


Hi folks,

this is the bug report discussed already on the user list threads here:

[https://svn.haxx.se/users/archive-2018-01/0096.shtml]

and on the dev list here:

[https://svn.haxx.se/dev/archive-2018-01/0070.shtml]

In short this is the recipe:

If you use a lua module to authenticate your users, done via:

[https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookcheckuserid]

like this:

# Use the repo from the already existent test suite and configure a location like that:
{code:java}
<Location /svn-test-work/repositories>
  DAV svn
  SVNParentPath "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories"
  LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
  AuthzSVNAccessFile "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz"
  Require valid-user
  SVNAdvertiseV2Protocol on
  SVNCacheRevProps off
</Location>
{code}
# The authz file just contains:
{code:java}
[/]
* = rw
{code}
# The auth.lua hook *authcheck_hook* reads like this:
{code:java}
function authcheck_hook(r)
  -- fake the user: accept every request as user 'foo'
  r.user = 'foo'
  r:debug('user foo: OK')
  return apache2.OK
end
{code}

mod_authz_svn fails to authorize the users which should have access to the 
repository.

There are 2 main reasons imho:

# {{mod_authz_svn}} expects an *AuthType* to be set, which is not needed when doing authentication via mod_lua - so this assumption should be removed from the code.
 # It expects an *Authorization* header to guess whether the user wants to authenticate, to let the request continue on the request stack to actually reach the configured lua handler which sets the user on the request - but this is imho also wrong. This assumption only holds for *basic authentication* - which is not done here. Arbitrary authentication may be implemented in the lua hook - so {{mod_authz_svn}} should not make any assumptions about the existence of that header either.

*AuthType* seems to be used to determine whether auth is configured at all - which seems not to be the correct check in any use case.

Also have a look at:

http://mail-archives.apache.org/mod_mbox/httpd-users/201801.mbox/browser

where I asked on the httpd list how this *check* whether auth is configured at all could be done - there are ways, but as Eric Covener said there:

{code}
It does seem like a risky  idea to do it for anything but problem
determination, though.
{code}

So the code should not rely on that check at all it seems.

Something off-topic maybe:

Using the same lua handler to authenticate other locations - e.g. to show a directory index or some static html files served by httpd - does work, so I would expect that mod_authz_svn should work too here.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
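To make the second point concrete (a mod_lua hook may authenticate without any Authorization header and without an AuthType), here is an added example of a LuaHookCheckUserID hook that authenticates from a custom token header. It is not code from the bug report, from Subversion, or from httpd; the header name X-Svn-Token, the in-file token table, the realm string and the hook name are assumptions made for this illustration. Only mod_lua request API that is documented for httpd 2.4 is used (r.headers_in, r.err_headers_out, r.user, r.uri, r:debug, the apache2 status constants).

```lua
-- Added example, not the bug report's auth.lua and not part of Subversion or httpd.
-- Registered with:
--   LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
--
-- Authentication is done from an assumed custom header (X-Svn-Token), so a
-- request that succeeds here carries no Authorization header and no AuthType
-- is configured in the <Location>: exactly the situation described above.

-- Constructed credential store: token -> username. The values are made up for
-- this example; a real deployment would look tokens up in a store of its own.
local tokens = {
    ["d2e1f0c5b4a39887766554433221100f"] = "alice",
    ["0f1e2d3c4b5a69788796a5b4c3d2e1f0"] = "bob",
}

-- Map a presented token to a username, or nil when it is missing or unknown.
-- The token is used as a table key, so an unknown token never partially matches.
local function user_for_token(token)
    if token == nil or token == "" then
        return nil
    end
    return tokens[token]
end

function authcheck_hook(r)
    -- X-Svn-Token is an assumed header name, not an Apache or Subversion convention.
    local token = r.headers_in["X-Svn-Token"]
    local user = user_for_token(token)

    if user == nil then
        r:debug("no valid X-Svn-Token on request for " .. r.uri)
        -- Tell the client how to authenticate and stop the request here.
        -- err_headers_out is used so the header survives the error response.
        r.err_headers_out["WWW-Authenticate"] = 'Token realm="svn"'
        return apache2.HTTP_UNAUTHORIZED
    end

    -- Authentication succeeded: set the user for the later phases
    -- (Require valid-user, mod_authz_svn). Nothing here sets AuthType, and the
    -- request never had an Authorization header.
    r.user = user
    r:debug("authenticated " .. user .. " via X-Svn-Token")
    return apache2.OK
end
```

With this hook in place of the fake one above, a plain `GET` of a directory index under a non-DAV location authenticates as expected, while the same request against the DAV svn location is the case the report is about: the user is set by mod_lua, but mod_authz_svn never sees an AuthType or an Authorization header.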
