http://www.squid-cache.org/bugs/show_bug.cgi?id=2455
On Sun, Sep 07, 2008 at 09:28:30AM +0800, Adrian Chadd wrote: > It looks fine; could you dump it into bugzilla for the time being? > (We're working on the Squid-2 -> bzr merge stuff at the moment!) > > > > Adrian > > 2008/9/7 Diego Woitasen <[EMAIL PROTECTED]>: > > This patch apply to Squid 2.7.STABLE4. > > > > If we use a proxy_auth acl on {storeurl,url_rewrite}_access and the user > > isn't authenticated previously, send 407. > > > > regards, > > Diego > > > > > > diff --git a/src/client_side.c b/src/client_side.c > > index 23c4274..4f75ea0 100644 > > --- a/src/client_side.c > > +++ b/src/client_side.c 
> > @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http) > > > > } > > > > -static void > > -clientAccessCheckDone(int answer, void *data) > > +void > > +clientSendErrorReply(clientHttpRequest * http, int answer) > > { > > - clientHttpRequest *http = data; > > err_type page_id; > > http_status status; > > ErrorState *err = NULL; > > char *proxy_auth_msg = NULL; > > + > > + proxy_auth_msg = > > authenticateAuthUserRequestMessage(http->conn->auth_user_request ? > > http->conn->auth_user_request : http->request->auth_user_request); > > + > > + int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || > > aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent; > > + > > + debug(33, 5) ("Access Denied: %s\n", http->uri); > > + debug(33, 5) ("AclMatchedName = %s\n", > > + AclMatchedName ? AclMatchedName : "<null>"); > > + debug(33, 5) ("Proxy Auth Message = %s\n", > > + proxy_auth_msg ? proxy_auth_msg : "<null>"); > > + > > + /* > > + * NOTE: get page_id here, based on AclMatchedName because > > + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets > > + * clobbered in the clientCreateStoreEntry() call > > + * just below. 
Pedro Ribeiro <[EMAIL PROTECTED]> > > + */ > > + page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, > > answer != ACCESS_REQ_PROXY_AUTH); > > + http->log_type = LOG_TCP_DENIED; > > + http->entry = clientCreateStoreEntry(http, http->request->method, > > + null_request_flags); > > + if (require_auth) { > > + if (!http->flags.accel) { > > + /* Proxy authorisation needed */ > > + status = HTTP_PROXY_AUTHENTICATION_REQUIRED; > > + } else { > > + /* WWW authorisation needed */ > > + status = HTTP_UNAUTHORIZED; > > + } > > + if (page_id == ERR_NONE) > > + page_id = ERR_CACHE_ACCESS_DENIED; > > + } else { > > + status = HTTP_FORBIDDEN; > > + if (page_id == ERR_NONE) > > + page_id = ERR_ACCESS_DENIED; > > + } > > + err = errorCon(page_id, status, http->orig_request); > > + if (http->conn->auth_user_request) > > + err->auth_user_request = http->conn->auth_user_request; > > + else if (http->request->auth_user_request) > > + err->auth_user_request = http->request->auth_user_request; > > + /* lock for the error state */ > > + if (err->auth_user_request) > > + authenticateAuthUserRequestLock(err->auth_user_request); > > + err->callback_data = NULL; > > + errorAppendEntry(http->entry, err); > > + > > +} > > + > > +static void > > +clientAccessCheckDone(int answer, void *data) > > +{ > > + clientHttpRequest *http = data; > > + > > debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n", > > RequestMethods[http->request->method].str, http->uri, > > answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED", > > AclMatchedName ? AclMatchedName : "NO ACL's"); > > - proxy_auth_msg = > > authenticateAuthUserRequestMessage(http->conn->auth_user_request ? > > http->conn->auth_user_request : http->request->auth_user_request); > > http->acl_checklist = NULL; > > if (answer == ACCESS_ALLOWED) { > > safe_free(http->uri); 
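Review bot: In the new `clientSendErrorReply`, `int require_auth = ...` is declared after the `proxy_auth_msg = ...` assignment, while the other locals are declared at the top of the block; compilers restricted to C89 reject a declaration after a statement. Declare `int require_auth;` with the other locals and assign it after the `proxy_auth_msg` line. The function is no longer `static` and depends on the global `AclMatchedName`, so it should carry a header comment such as `/* Build the denied reply (407/401 or 403) for the ACL check that just completed; call it while AclMatchedName still names the matched ACL. */`. The body of `clientAccessCheckDone` at the end of this hunk continues outside it.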
> > @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data) > > http->redirect_state = REDIRECT_PENDING; > > clientRedirectStart(http); > > } else { > > - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || > > aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent; > > - debug(33, 5) ("Access Denied: %s\n", http->uri); > > - debug(33, 5) ("AclMatchedName = %s\n", > > - AclMatchedName ? AclMatchedName : "<null>"); > > - debug(33, 5) ("Proxy Auth Message = %s\n", > > - proxy_auth_msg ? proxy_auth_msg : "<null>"); > > - /* > > - * NOTE: get page_id here, based on AclMatchedName because > > - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets > > - * clobbered in the clientCreateStoreEntry() call > > - * just below. Pedro Ribeiro <[EMAIL PROTECTED]> > > - */ > > - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, > > answer != ACCESS_REQ_PROXY_AUTH); > > - http->log_type = LOG_TCP_DENIED; > > - http->entry = clientCreateStoreEntry(http, http->request->method, > > - null_request_flags); > > - if (require_auth) { > > - if (!http->flags.accel) { > > - /* Proxy authorisation needed */ > > - status = HTTP_PROXY_AUTHENTICATION_REQUIRED; > > - } else { > > - /* WWW authorisation needed */ > > - status = HTTP_UNAUTHORIZED; > > - } > > - if (page_id == ERR_NONE) > > - page_id = ERR_CACHE_ACCESS_DENIED; > > - } else { > > - status = HTTP_FORBIDDEN; > > - if (page_id == ERR_NONE) > > - page_id = ERR_ACCESS_DENIED; > > - } > > - err = errorCon(page_id, status, http->orig_request); > > - if (http->conn->auth_user_request) > > - err->auth_user_request = http->conn->auth_user_request; > > - else if (http->request->auth_user_request) > > - err->auth_user_request = http->request->auth_user_request; > > - /* lock for the error state */ > > - if (err->auth_user_request) > > - authenticateAuthUserRequestLock(err->auth_user_request); > > - err->callback_data = NULL; > > - errorAppendEntry(http->entry, err); > > + 
clientSendErrorReply(http, answer); > > } > > } 
> > > > @@ -517,61 +529,17 @@ static void > > clientAccessCheckDone2(int answer, void *data) > > { > > clientHttpRequest *http = data; > > - err_type page_id; > > - http_status status; > > - ErrorState *err = NULL; > > - char *proxy_auth_msg = NULL; > > + > > debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n", > > RequestMethods[http->request->method].str, http->uri, > > answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED", > > AclMatchedName ? AclMatchedName : "NO ACL's"); > > - proxy_auth_msg = > > authenticateAuthUserRequestMessage(http->conn->auth_user_request ? > > http->conn->auth_user_request : http->request->auth_user_request); > > + > > http->acl_checklist = NULL; > > if (answer == ACCESS_ALLOWED) { > > clientCheckNoCache(http); > > } else { > > - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || > > aclIsProxyAuth(AclMatchedName)); > > - debug(33, 5) ("Access Denied: %s\n", http->uri); > > - debug(33, 5) ("AclMatchedName = %s\n", > > - AclMatchedName ? AclMatchedName : "<null>"); > > - if (require_auth) > > - debug(33, 5) ("Proxy Auth Message = %s\n", > > - proxy_auth_msg ? proxy_auth_msg : "<null>"); > > - /* > > - * NOTE: get page_id here, based on AclMatchedName because > > - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets > > - * clobbered in the clientCreateStoreEntry() call > > - * just below. 
Pedro Ribeiro <[EMAIL PROTECTED]> > > - */ > > - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, > > answer != ACCESS_REQ_PROXY_AUTH); > > - http->log_type = LOG_TCP_DENIED; > > - http->entry = clientCreateStoreEntry(http, http->request->method, > > - null_request_flags); > > - if (require_auth) { > > - if (!http->flags.accel) { > > - /* Proxy authorisation needed */ > > - status = HTTP_PROXY_AUTHENTICATION_REQUIRED; > > - } else { > > - /* WWW authorisation needed */ > > - status = HTTP_UNAUTHORIZED; > > - } > > - if (page_id == ERR_NONE) > > - page_id = ERR_CACHE_ACCESS_DENIED; > > - } else { > > - status = HTTP_FORBIDDEN; > > - if (page_id == ERR_NONE) > > - page_id = ERR_ACCESS_DENIED; > > - } > > - err = errorCon(page_id, status, http->orig_request); > > - if (http->conn->auth_user_request) > > - err->auth_user_request = http->conn->auth_user_request; > > - else if (http->request->auth_user_request) > > - err->auth_user_request = http->request->auth_user_request; > > - /* lock for the error state */ > > - if (err->auth_user_request) > > - authenticateAuthUserRequestLock(err->auth_user_request); > > - err->callback_data = NULL; > > - errorAppendEntry(http->entry, err); > > + clientSendErrorReply(http, answer); > > } > > } > > > > diff --git a/src/client_side_rewrite.c b/src/client_side_rewrite.c > > index 14ad961..8238d89 100644 > > --- a/src/client_side_rewrite.c > > +++ b/src/client_side_rewrite.c > > @@ -45,6 +45,8 @@ clientRedirectAccessCheckDone(int answer, void *data) > > http->acl_checklist = NULL; > > if (answer == ACCESS_ALLOWED) > > redirectStart(http, clientRedirectDone, http); > > + else if (answer == ACCESS_REQ_PROXY_AUTH) > > + clientSendErrorReply(data, answer); > > else > > clientRedirectDone(http, NULL); > > } > > diff --git a/src/client_side_storeurl_rewrite.c > > b/src/client_side_storeurl_rewrite.c > > index 938a254..9f08a25 100644 > > --- a/src/client_side_storeurl_rewrite.c > > +++ b/src/client_side_storeurl_rewrite.c 
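Review bot: `clientAccessCheckDone2` used to compute `require_auth` without the `!http->request->flags.transparent` term (see the removed line), so routing it through the shared `clientSendErrorReply` changes its answer for intercepted requests. A denial that matched a proxy_auth ACL now gets 403 where it previously got a 407/401 challenge. The commit description mentions only the rewrite access lists, so this looks unintended or at least undocumented. If the change is wanted, state it in the description and at the call, e.g. `/* clientSendErrorReply() never challenges intercepted requests */`; otherwise the helper needs a way for this caller to keep its old condition.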
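Review bot: The new `else if (answer == ACCESS_REQ_PROXY_AUTH)` branch in `clientRedirectAccessCheckDone` turns a rewriter-selection ACL into a hard denial for intercepted requests. `clientSendErrorReply` clears `require_auth` when `http->request->flags.transparent` is set and replies 403, whereas before this change those requests continued through `clientRedirectDone(http, NULL)`. If only the 407 challenge is intended, guard the branch with `else if (answer == ACCESS_REQ_PROXY_AUTH && !http->request->flags.transparent)`. The call should also pass `http` rather than the untyped `data` so the argument is checked against the prototype: `clientSendErrorReply(http, answer);`. Both points apply equally to `clientStoreURLRewriteAccessCheckDone` in the next file; both functions start outside their hunks.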
> > @@ -45,6 +45,8 @@ clientStoreURLRewriteAccessCheckDone(int answer, void > > *data) > > http->acl_checklist = NULL; > > if (answer == ACCESS_ALLOWED) > > storeurlStart(http, clientStoreURLRewriteDone, http); > > + else if (answer == ACCESS_REQ_PROXY_AUTH) > > + clientSendErrorReply(data, answer); > > else > > clientStoreURLRewriteDone(http, NULL); > > } > > diff --git a/src/protos.h b/src/protos.h > > index 007498e..c992bea 100644 > > --- a/src/protos.h > > +++ b/src/protos.h > > @@ -1484,6 +1484,7 @@ extern aclCheck_t *clientAclChecklistCreate(const > > acl_access * acl, const client > > extern void clientInterpretRequestHeaders(clientHttpRequest * http); > > extern void clientAccessCheck2(void *data); > > extern void clientFinishRewriteStuff(clientHttpRequest * http); > > +extern void clientSendErrorReply(clientHttpRequest * http, int answer); > > > > > > /* client_side_redirect.c */ > > > > -- ----------------------- Diego Woitasen - XTECH www.xtech.com.ar