Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access

2008-09-07 Thread Diego Woitasen
http://www.squid-cache.org/bugs/show_bug.cgi?id=2455

On Sun, Sep 07, 2008 at 09:28:30AM +0800, Adrian Chadd wrote:
 It looks fine; could you dump it into bugzilla for the time being?
 (We're working on the Squid-2 - bzr merge stuff at the moment!)
 
 
 
 Adrian
 
 2008/9/7 Diego Woitasen [EMAIL PROTECTED]:
  This patch applies to Squid 2.7.STABLE4.
 
  If a proxy_auth acl is used on {storeurl,url_rewrite}_access and the user
  has not already authenticated, send a 407.
 
  regards,
 Diego
 
 
  diff --git a/src/client_side.c b/src/client_side.c
  index 23c4274..4f75ea0 100644
  --- a/src/client_side.c
  +++ b/src/client_side.c
  @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http)
 
   }
 
  -static void
  -clientAccessCheckDone(int answer, void *data)
  +void
  +clientSendErrorReply(clientHttpRequest * http, int answer)
   {
  -clientHttpRequest *http = data;
  err_type page_id;
  http_status status;
  ErrorState *err = NULL;
  char *proxy_auth_msg = NULL;
  +
  +proxy_auth_msg = 
  authenticateAuthUserRequestMessage(http-conn-auth_user_request ? 
  http-conn-auth_user_request : http-request-auth_user_request);
  +
  +int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
  aclIsProxyAuth(AclMatchedName))  !http-request-flags.transparent;
  +
  +debug(33, 5) (Access Denied: %s\n, http-uri);
  +debug(33, 5) (AclMatchedName = %s\n,
  +   AclMatchedName ? AclMatchedName : null);
  +debug(33, 5) (Proxy Auth Message = %s\n,
  +   proxy_auth_msg ? proxy_auth_msg : null);
  +
  +/*
  + * NOTE: get page_id here, based on AclMatchedName because
  + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
  + * clobbered in the clientCreateStoreEntry() call
  + * just below.  Pedro Ribeiro [EMAIL PROTECTED]
  + */
  +page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, 
  answer != ACCESS_REQ_PROXY_AUTH);
  +http-log_type = LOG_TCP_DENIED;
  +http-entry = clientCreateStoreEntry(http, http-request-method,
  +   null_request_flags);
  +if (require_auth) {
  +   if (!http-flags.accel) {
  +   /* Proxy authorisation needed */
  +   status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
  +   } else {
  +   /* WWW authorisation needed */
  +   status = HTTP_UNAUTHORIZED;
  +   }
  +   if (page_id == ERR_NONE)
  +   page_id = ERR_CACHE_ACCESS_DENIED;
  +} else {
  +   status = HTTP_FORBIDDEN;
  +   if (page_id == ERR_NONE)
  +   page_id = ERR_ACCESS_DENIED;
  +}
  +err = errorCon(page_id, status, http-orig_request);
  +if (http-conn-auth_user_request)
  +   err-auth_user_request = http-conn-auth_user_request;
  +else if (http-request-auth_user_request)
  +   err-auth_user_request = http-request-auth_user_request;
  +/* lock for the error state */
  +if (err-auth_user_request)
  +   authenticateAuthUserRequestLock(err-auth_user_request);
  +err-callback_data = NULL;
  +errorAppendEntry(http-entry, err);
  +
  +}
  +
  +static void
  +clientAccessCheckDone(int answer, void *data)
  +{
  +clientHttpRequest *http = data;
  +
  debug(33, 2) (The request %s %s is %s, because it matched '%s'\n,
 RequestMethods[http-request-method].str, http-uri,
 answer == ACCESS_ALLOWED ? ALLOWED : DENIED,
 AclMatchedName ? AclMatchedName : NO ACL's);
  -proxy_auth_msg = 
  authenticateAuthUserRequestMessage(http-conn-auth_user_request ? 
  http-conn-auth_user_request : http-request-auth_user_request);
  http-acl_checklist = NULL;
  if (answer == ACCESS_ALLOWED) {
 safe_free(http-uri);
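Review bot: clientSendErrorReply() depends on the global AclMatchedName still holding the result of the access check that just failed (it is read for require_auth and again in the aclGetDenyInfoPage() call), but nothing on the new non-static helper says so. Because the status chosen here (407/401 versus 403) is an authentication decision, I would add a header comment such as `/* Build the denied/auth-required error reply; call directly from the ACL callback, before AclMatchedName can change. */` and keep the function `static` unless a caller outside client_side.c needs it (no prototype is visible in this hunk). Separately, `int require_auth = ...` is declared after the `proxy_auth_msg` assignment; declaring `int require_auth;` with the other locals and assigning it afterwards avoids a declaration after a statement, which C89 compilers reject. The callers added for url_rewrite_access/storeurl_access fall outside this hunk, so whether they pass only auth-required answers could not be checked here; the same hunk is quoted again in the reply further down the page.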
  @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data)
 http-redirect_state = REDIRECT_PENDING;
 clientRedirectStart(http);
  } else {
  -   int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
  aclIsProxyAuth(AclMatchedName))  !http-request-flags.transparent;
  -   debug(33, 5) (Access Denied: %s\n, http-uri);
  -   debug(33, 5) (AclMatchedName = %s\n,
  -   AclMatchedName ? AclMatchedName : null);
  -   debug(33, 5) (Proxy Auth Message = %s\n,
  -   proxy_auth_msg ? proxy_auth_msg : null);
  -   /*
  -* NOTE: get page_id here, based on AclMatchedName because
  -* if USE_DELAY_POOLS is enabled, then AclMatchedName gets
  -* clobbered in the clientCreateStoreEntry() call
  -* just below.  Pedro Ribeiro [EMAIL PROTECTED]
  -*/
  -   page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, 
  answer != ACCESS_REQ_PROXY_AUTH);
  -   http-log_type = LOG_TCP_DENIED;
  -   http-entry = clientCreateStoreEntry(http, http-request-method,
  -   null_request_flags);
  -   if (require_auth) {
  -   if (!http-flags.accel) {
  -   /* Proxy authorisation needed */
  -   status = 

Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access

2008-09-07 Thread Adrian Chadd
Thanks! Don't forget to bug me if it's not sorted out in the next week or so.



Adrian

2008/9/8 Diego Woitasen [EMAIL PROTECTED]:
 http://www.squid-cache.org/bugs/show_bug.cgi?id=2455

 On Sun, Sep 07, 2008 at 09:28:30AM +0800, Adrian Chadd wrote:
 It looks fine; could you dump it into bugzilla for the time being?
 (We're working on the Squid-2 - bzr merge stuff at the moment!)



 Adrian

 2008/9/7 Diego Woitasen [EMAIL PROTECTED]:
  This patch applies to Squid 2.7.STABLE4.
 
  If a proxy_auth acl is used on {storeurl,url_rewrite}_access and the user
  has not already authenticated, send a 407.
 
  regards,
 Diego
 
 
  diff --git a/src/client_side.c b/src/client_side.c
  index 23c4274..4f75ea0 100644
  --- a/src/client_side.c
  +++ b/src/client_side.c
  @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http)
 
   }
 
  -static void
  -clientAccessCheckDone(int answer, void *data)
  +void
  +clientSendErrorReply(clientHttpRequest * http, int answer)
   {
  -clientHttpRequest *http = data;
  err_type page_id;
  http_status status;
  ErrorState *err = NULL;
  char *proxy_auth_msg = NULL;
  +
  +proxy_auth_msg = 
  authenticateAuthUserRequestMessage(http-conn-auth_user_request ? 
  http-conn-auth_user_request : http-request-auth_user_request);
  +
  +int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
  aclIsProxyAuth(AclMatchedName))  !http-request-flags.transparent;
  +
  +debug(33, 5) (Access Denied: %s\n, http-uri);
  +debug(33, 5) (AclMatchedName = %s\n,
  +   AclMatchedName ? AclMatchedName : null);
  +debug(33, 5) (Proxy Auth Message = %s\n,
  +   proxy_auth_msg ? proxy_auth_msg : null);
  +
  +/*
  + * NOTE: get page_id here, based on AclMatchedName because
  + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
  + * clobbered in the clientCreateStoreEntry() call
  + * just below.  Pedro Ribeiro [EMAIL PROTECTED]
  + */
  +page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, 
  answer != ACCESS_REQ_PROXY_AUTH);
  +http-log_type = LOG_TCP_DENIED;
  +http-entry = clientCreateStoreEntry(http, http-request-method,
  +   null_request_flags);
  +if (require_auth) {
  +   if (!http-flags.accel) {
  +   /* Proxy authorisation needed */
  +   status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
  +   } else {
  +   /* WWW authorisation needed */
  +   status = HTTP_UNAUTHORIZED;
  +   }
  +   if (page_id == ERR_NONE)
  +   page_id = ERR_CACHE_ACCESS_DENIED;
  +} else {
  +   status = HTTP_FORBIDDEN;
  +   if (page_id == ERR_NONE)
  +   page_id = ERR_ACCESS_DENIED;
  +}
  +err = errorCon(page_id, status, http-orig_request);
  +if (http-conn-auth_user_request)
  +   err-auth_user_request = http-conn-auth_user_request;
  +else if (http-request-auth_user_request)
  +   err-auth_user_request = http-request-auth_user_request;
  +/* lock for the error state */
  +if (err-auth_user_request)
  +   authenticateAuthUserRequestLock(err-auth_user_request);
  +err-callback_data = NULL;
  +errorAppendEntry(http-entry, err);
  +
  +}
  +
  +static void
  +clientAccessCheckDone(int answer, void *data)
  +{
  +clientHttpRequest *http = data;
  +
  debug(33, 2) (The request %s %s is %s, because it matched '%s'\n,
 RequestMethods[http-request-method].str, http-uri,
 answer == ACCESS_ALLOWED ? ALLOWED : DENIED,
 AclMatchedName ? AclMatchedName : NO ACL's);
  -proxy_auth_msg = 
  authenticateAuthUserRequestMessage(http-conn-auth_user_request ? 
  http-conn-auth_user_request : http-request-auth_user_request);
  http-acl_checklist = NULL;
  if (answer == ACCESS_ALLOWED) {
 safe_free(http-uri);
  @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data)
 http-redirect_state = REDIRECT_PENDING;
 clientRedirectStart(http);
  } else {
  -   int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
  aclIsProxyAuth(AclMatchedName))  !http-request-flags.transparent;
  -   debug(33, 5) (Access Denied: %s\n, http-uri);
  -   debug(33, 5) (AclMatchedName = %s\n,
  -   AclMatchedName ? AclMatchedName : null);
  -   debug(33, 5) (Proxy Auth Message = %s\n,
  -   proxy_auth_msg ? proxy_auth_msg : null);
  -   /*
  -* NOTE: get page_id here, based on AclMatchedName because
  -* if USE_DELAY_POOLS is enabled, then AclMatchedName gets
  -* clobbered in the clientCreateStoreEntry() call
  -* just below.  Pedro Ribeiro [EMAIL PROTECTED]
  -*/
  -   page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, 
  answer != ACCESS_REQ_PROXY_AUTH);
  -   http-log_type = LOG_TCP_DENIED;
  -   http-entry = clientCreateStoreEntry(http, http-request-method,
  -   null_request_flags);
  -   if (require_auth) {
  -   if