Re: [squid-users] external_acl_type requests authentication

From: ian j hart <ianjhart@dont-contact.us>
Date: Fri, 18 Jan 2008 21:20:28 +0000

On Friday 18 January 2008 20:10:07 ian j hart wrote:
> On Friday 18 January 2008 00:51:40 ian j hart wrote:
> > The external_acl_type requests authentication since bug 1278 was fixed.
> >
> > I have something like this (cut down and edited).
> >
> > external_acl_type logger ttl=0 negative_ttl=0 children=1 %LOGIN ...
> >
> > acl password proxy_auth REQUIRED
> >
> > acl proxylist dstdomain .some.site
> > acl logproxy external logger 8
> >
> > http_access deny proxylist logproxy
> > ###deny_info ERR_ACCESS_DENIED.proxy logproxy
> >
> > http_access allow password
> > http_access deny all
> >
> > A hit on the proxylist causes authentication and the (bogus) error
> > message only appears when the user selects cancel. Not intuitive.
> >
> > The bogus error message (you must authenticate) is easily fixed up with
> > the deny_info line.
> >
> > Yes, I realise I could work around this with a dummy acl, but that's just
> > nasty. In any case I'd rather add a feature than jump thru' hoops.
> >
> > Judging by the size of the patch to implement this is should be simple
> > enough to fix up (famous last words).
> >
> > I had hoped I could just not set the flag, e.g.
> >
> > --- src/external_acl.c.orig Mon Jan 1 23:32:13 2007
> > +++ src/external_acl.c Thu Jan 17 21:17:31 2008
> > @@ -275,6 +275,8 @@
> > format->type = EXT_ACL_LOGIN;
> > a->require_auth = 1;
> > }
> > + else if (strcmp(token, "%NOAUTH") == 0)
> > + format->type = EXT_ACL_LOGIN;
> > #if USE_IDENT
> > else if (strcmp(token, "%IDENT") == 0)
> > format->type = EXT_ACL_IDENT;
> >
> > Unfortunately this breaks an assert in authenticate.c near line 648.
> >
> > At which point I need help.
> >
> > authenticateUserRequestUsername(auth_user_request_t * auth_user_request)
> > {
> > assert(auth_user_request != NULL);
> >
> > NULL seems to be a valid return value, that's one option. Dangerous?
> >
> > Fixing the call would be another. It appears to be called from
> > external_acl.c makeExternalAclKey
> >
> > switch (format->type) {
> > case EXT_ACL_LOGIN:
> > str = authenticateUserRequestUsername(request->auth_user_request);
> >
> > Check the flag and set str=NULL?
> >
> > Maybe there's a patch for this already? Or a wish list where I could post
> > it. Or is it near enough that someone could help me out?
> >
> > Thanks
>
> This appears to work (tested for a whole 10 mins :)
>
> --- src/external_acl.c.orig Mon Jan 1 23:32:13 2007
> +++ src/external_acl.c Fri Jan 18 19:29:15 2008
> @@ -275,6 +275,8 @@
> format->type = EXT_ACL_LOGIN;
> a->require_auth = 1;
> }
> + else if (strcmp(token, "%NOAUTH") == 0)
> + format->type = EXT_ACL_LOGIN;
> #if USE_IDENT
> else if (strcmp(token, "%IDENT") == 0)
> format->type = EXT_ACL_IDENT;
> @@ -627,7 +629,8 @@
> const char *str = NULL;
> switch (format->type) {
> case EXT_ACL_LOGIN:
> - str =
> authenticateUserRequestUsername(request->auth_user_request); + if
> (externalAclRequiresAuth(acl_data))
> + str =
> authenticateUserRequestUsername(request->auth_user_request); break;
> #if USE_IDENT
> case EXT_ACL_IDENT:

No, that's not it. Username passed to external program is always -.

Back to the drawing board.

-- 
ian j hart
Received on Fri Jan 18 2008 - 14:20:41 MST

This archive was generated by hypermail pre-2.1.9 : Fri Feb 01 2008 - 12:00:05 MST