[squid-users] external_acl_type requests authentication

From: ian j hart <ianjhart@dont-contact.us>
Date: Fri, 18 Jan 2008 00:51:40 +0000

The external_acl_type requests authentication since bug 1278 was fixed.

I have something like this (cut down and edited).

external_acl_type logger ttl=0 negative_ttl=0 children=1 %LOGIN ...

acl password proxy_auth REQUIRED

acl proxylist dstdomain .some.site
acl logproxy external logger 8

http_access deny proxylist logproxy
###deny_info ERR_ACCESS_DENIED.proxy logproxy

http_access allow password
http_access deny all

A hit on the proxylist causes authentication and the (bogus) error message
only appears when the user selects cancel. Not intuitive.

The bogus error message (you must authenticate) is easily fixed up with the
deny_info line.

Yes, I realise I could work around this with a dummy acl, but that's just
nasty. In any case I'd rather add a feature than jump thru' hoops.

Judging by the size of the patch to implement this, it should be simple enough
to fix up (famous last words).

I had hoped I could just not set the flag, e.g.

--- src/external_acl.c.orig Mon Jan 1 23:32:13 2007
+++ src/external_acl.c Thu Jan 17 21:17:31 2008
@@ -275,6 +275,8 @@
            format->type = EXT_ACL_LOGIN;
            a->require_auth = 1;
        }
+ else if (strcmp(token, "%NOAUTH") == 0)
+ format->type = EXT_ACL_LOGIN;
 #if USE_IDENT
        else if (strcmp(token, "%IDENT") == 0)
            format->type = EXT_ACL_IDENT;
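
Review bot: The added `%NOAUTH` branch sets `format->type = EXT_ACL_LOGIN` without `a->require_auth = 1`, so any code that handles EXT_ACL_LOGIN can now be reached for a request that carries no authenticated user, and nothing in this hunk adds handling for that case. Either give the new token its own format type, or have the EXT_ACL_LOGIN consumer check `request->auth_user_request` for NULL before looking up the username, so that the helper is passed an empty login instead of tripping an assert. The new token also needs an entry in the external_acl_type documentation stating that it passes the login only when one is already available and never triggers an authentication challenge.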

Unfortunately this breaks an assert in authenticate.c near line 648.

At which point I need help.

authenticateUserRequestUsername(auth_user_request_t * auth_user_request)
{
    assert(auth_user_request != NULL);

NULL seems to be a valid return value, that's one option. Dangerous?

Fixing the call would be another. It appears to be called from external_acl.c
makeExternalAclKey

switch (format->type) {
case EXT_ACL_LOGIN:
    str = authenticateUserRequestUsername(request->auth_user_request);

Check the flag and set str=NULL?

Maybe there's a patch for this already? Or a wish list where I could post it.
Or is it near enough that someone could help me out?

Thanks

-- 
ian j hart
Received on Thu Jan 17 2008 - 17:51:52 MST
