This patch applies to Squid 2.7.STABLE4.

If a proxy_auth acl is used on {storeurl,url_rewrite}_access and the user
has not previously authenticated, send 407.

regards,
        Diego


diff --git a/src/client_side.c b/src/client_side.c
index 23c4274..4f75ea0 100644
--- a/src/client_side.c
+++ b/src/client_side.c
@@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http)
 
 }
 
-static void
-clientAccessCheckDone(int answer, void *data)
+void
+clientSendErrorReply(clientHttpRequest * http, int answer)
 {
-    clientHttpRequest *http = data;
     err_type page_id;
     http_status status;
     ErrorState *err = NULL;
     char *proxy_auth_msg = NULL;
+
+    proxy_auth_msg = 
authenticateAuthUserRequestMessage(http->conn->auth_user_request ? 
http->conn->auth_user_request : http->request->auth_user_request);
+
+    int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
+
+    debug(33, 5) ("Access Denied: %s\n", http->uri);
+    debug(33, 5) ("AclMatchedName = %s\n",
+       AclMatchedName ? AclMatchedName : "<null>");
+    debug(33, 5) ("Proxy Auth Message = %s\n",
+       proxy_auth_msg ? proxy_auth_msg : "<null>");
+
+    /*
+     * NOTE: get page_id here, based on AclMatchedName because
+     * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
+     * clobbered in the clientCreateStoreEntry() call
+     * just below.  Pedro Ribeiro <[EMAIL PROTECTED]>
+     */
+    page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, answer 
!= ACCESS_REQ_PROXY_AUTH);
+    http->log_type = LOG_TCP_DENIED;
+    http->entry = clientCreateStoreEntry(http, http->request->method,
+       null_request_flags);
+    if (require_auth) {
+       if (!http->flags.accel) {
+           /* Proxy authorisation needed */
+           status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
+       } else {
+           /* WWW authorisation needed */
+           status = HTTP_UNAUTHORIZED;
+       }
+       if (page_id == ERR_NONE)
+           page_id = ERR_CACHE_ACCESS_DENIED;
+    } else {
+       status = HTTP_FORBIDDEN;
+       if (page_id == ERR_NONE)
+           page_id = ERR_ACCESS_DENIED;
+    }
+    err = errorCon(page_id, status, http->orig_request);
+    if (http->conn->auth_user_request)
+       err->auth_user_request = http->conn->auth_user_request;
+    else if (http->request->auth_user_request)
+       err->auth_user_request = http->request->auth_user_request;
+    /* lock for the error state */
+    if (err->auth_user_request)
+       authenticateAuthUserRequestLock(err->auth_user_request);
+    err->callback_data = NULL;
+    errorAppendEntry(http->entry, err);
+
+}
+
+static void
+clientAccessCheckDone(int answer, void *data)
+{
+    clientHttpRequest *http = data;
+
     debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
        RequestMethods[http->request->method].str, http->uri,
        answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
        AclMatchedName ? AclMatchedName : "NO ACL's");
-    proxy_auth_msg = 
authenticateAuthUserRequestMessage(http->conn->auth_user_request ? 
http->conn->auth_user_request : http->request->auth_user_request);
     http->acl_checklist = NULL;
     if (answer == ACCESS_ALLOWED) {
        safe_free(http->uri);
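Review bot: `int require_auth = ...` in clientSendErrorReply is a declaration placed after a statement (the `proxy_auth_msg =` assignment just above it), which is C99 but not C89; in the original code it was the first line of its block. Declare it with the other locals and assign later: `int require_auth;` next to `char *proxy_auth_msg = NULL;`, then `require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;`. Note also that the shared body keeps the `!http->request->flags.transparent` exclusion from clientAccessCheckDone, which clientAccessCheckDone2 (third hunk of this file) did not have, so a transparent request denied by the second check now gets 403 rather than 407 — likely the better behaviour, but it deserves a line in the description. The function is newly exported (protos.h) and has no header comment; add before it something like `/* Append an access-denied error to a fresh store entry for http: 407 (401 in accel mode) when answer or the matched ACL requires proxy auth and the request is not transparent, else 403. Sets http->entry and http->log_type. */`.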
@@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data)
        http->redirect_state = REDIRECT_PENDING;
        clientRedirectStart(http);
     } else {
-       int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent;
-       debug(33, 5) ("Access Denied: %s\n", http->uri);
-       debug(33, 5) ("AclMatchedName = %s\n",
-           AclMatchedName ? AclMatchedName : "<null>");
-       debug(33, 5) ("Proxy Auth Message = %s\n",
-           proxy_auth_msg ? proxy_auth_msg : "<null>");
-       /*
-        * NOTE: get page_id here, based on AclMatchedName because
-        * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
-        * clobbered in the clientCreateStoreEntry() call
-        * just below.  Pedro Ribeiro <[EMAIL PROTECTED]>
-        */
-       page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 
answer != ACCESS_REQ_PROXY_AUTH);
-       http->log_type = LOG_TCP_DENIED;
-       http->entry = clientCreateStoreEntry(http, http->request->method,
-           null_request_flags);
-       if (require_auth) {
-           if (!http->flags.accel) {
-               /* Proxy authorisation needed */
-               status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
-           } else {
-               /* WWW authorisation needed */
-               status = HTTP_UNAUTHORIZED;
-           }
-           if (page_id == ERR_NONE)
-               page_id = ERR_CACHE_ACCESS_DENIED;
-       } else {
-           status = HTTP_FORBIDDEN;
-           if (page_id == ERR_NONE)
-               page_id = ERR_ACCESS_DENIED;
-       }
-       err = errorCon(page_id, status, http->orig_request);
-       if (http->conn->auth_user_request)
-           err->auth_user_request = http->conn->auth_user_request;
-       else if (http->request->auth_user_request)
-           err->auth_user_request = http->request->auth_user_request;
-       /* lock for the error state */
-       if (err->auth_user_request)
-           authenticateAuthUserRequestLock(err->auth_user_request);
-       err->callback_data = NULL;
-       errorAppendEntry(http->entry, err);
+       clientSendErrorReply(http, answer);
     }
 }
 
@@ -517,61 +529,17 @@ static void
 clientAccessCheckDone2(int answer, void *data)
 {
     clientHttpRequest *http = data;
-    err_type page_id;
-    http_status status;
-    ErrorState *err = NULL;
-    char *proxy_auth_msg = NULL;
+
     debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n",
        RequestMethods[http->request->method].str, http->uri,
        answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED",
        AclMatchedName ? AclMatchedName : "NO ACL's");
-    proxy_auth_msg = 
authenticateAuthUserRequestMessage(http->conn->auth_user_request ? 
http->conn->auth_user_request : http->request->auth_user_request);
+
     http->acl_checklist = NULL;
     if (answer == ACCESS_ALLOWED) {
        clientCheckNoCache(http);
     } else {
-       int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || 
aclIsProxyAuth(AclMatchedName));
-       debug(33, 5) ("Access Denied: %s\n", http->uri);
-       debug(33, 5) ("AclMatchedName = %s\n",
-           AclMatchedName ? AclMatchedName : "<null>");
-       if (require_auth)
-           debug(33, 5) ("Proxy Auth Message = %s\n",
-               proxy_auth_msg ? proxy_auth_msg : "<null>");
-       /*
-        * NOTE: get page_id here, based on AclMatchedName because
-        * if USE_DELAY_POOLS is enabled, then AclMatchedName gets
-        * clobbered in the clientCreateStoreEntry() call
-        * just below.  Pedro Ribeiro <[EMAIL PROTECTED]>
-        */
-       page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 
answer != ACCESS_REQ_PROXY_AUTH);
-       http->log_type = LOG_TCP_DENIED;
-       http->entry = clientCreateStoreEntry(http, http->request->method,
-           null_request_flags);
-       if (require_auth) {
-           if (!http->flags.accel) {
-               /* Proxy authorisation needed */
-               status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
-           } else {
-               /* WWW authorisation needed */
-               status = HTTP_UNAUTHORIZED;
-           }
-           if (page_id == ERR_NONE)
-               page_id = ERR_CACHE_ACCESS_DENIED;
-       } else {
-           status = HTTP_FORBIDDEN;
-           if (page_id == ERR_NONE)
-               page_id = ERR_ACCESS_DENIED;
-       }
-       err = errorCon(page_id, status, http->orig_request);
-       if (http->conn->auth_user_request)
-           err->auth_user_request = http->conn->auth_user_request;
-       else if (http->request->auth_user_request)
-           err->auth_user_request = http->request->auth_user_request;
-       /* lock for the error state */
-       if (err->auth_user_request)
-           authenticateAuthUserRequestLock(err->auth_user_request);
-       err->callback_data = NULL;
-       errorAppendEntry(http->entry, err);
+       clientSendErrorReply(http, answer);
     }
 }
 
diff --git a/src/client_side_rewrite.c b/src/client_side_rewrite.c
index 14ad961..8238d89 100644
--- a/src/client_side_rewrite.c
+++ b/src/client_side_rewrite.c
@@ -45,6 +45,8 @@ clientRedirectAccessCheckDone(int answer, void *data)
     http->acl_checklist = NULL;
     if (answer == ACCESS_ALLOWED)
        redirectStart(http, clientRedirectDone, http);
+    else if (answer == ACCESS_REQ_PROXY_AUTH)
+       clientSendErrorReply(data, answer);
     else
        clientRedirectDone(http, NULL);
 }
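Review bot: The new branch passes `data` to clientSendErrorReply while the neighbouring lines use `http`, the same pointer already cast to clientHttpRequest *; use `clientSendErrorReply(http, answer);` here and in the matching branch of clientStoreURLRewriteAccessCheckDone (next file), where the added call is also indented one column deeper than its neighbours. After the error is queued the callback returns without calling clientRedirectDone, so the REDIRECT_PENDING state set before clientRedirectStart (second hunk of client_side.c) is presumably never advanced — confirm the error-reply path does not depend on it; the start of clientRedirectAccessCheckDone is outside the hunk. Only ACCESS_REQ_PROXY_AUTH is diverted, while a plain ACCESS_DENIED still skips the rewriter rather than refusing the request, which matches the existing meaning of this access list but is worth stating: `/* deny here means "do not rewrite", not "refuse the request"; only an auth challenge short-circuits */`.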
diff --git a/src/client_side_storeurl_rewrite.c 
b/src/client_side_storeurl_rewrite.c
index 938a254..9f08a25 100644
--- a/src/client_side_storeurl_rewrite.c
+++ b/src/client_side_storeurl_rewrite.c
@@ -45,6 +45,8 @@ clientStoreURLRewriteAccessCheckDone(int answer, void *data)
     http->acl_checklist = NULL;
     if (answer == ACCESS_ALLOWED)
        storeurlStart(http, clientStoreURLRewriteDone, http);
+    else if (answer == ACCESS_REQ_PROXY_AUTH)
+        clientSendErrorReply(data, answer);
     else
        clientStoreURLRewriteDone(http, NULL);
 }
diff --git a/src/protos.h b/src/protos.h
index 007498e..c992bea 100644
--- a/src/protos.h
+++ b/src/protos.h
@@ -1484,6 +1484,7 @@ extern aclCheck_t *clientAclChecklistCreate(const 
acl_access * acl, const client
 extern void clientInterpretRequestHeaders(clientHttpRequest * http);
 extern void clientAccessCheck2(void *data);
 extern void clientFinishRewriteStuff(clientHttpRequest * http);
+extern void clientSendErrorReply(clientHttpRequest * http, int answer);
 
 
 /* client_side_redirect.c */
