Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access
Amos Jeffries has voted reject. Status is now: Vetoed Comment: Squid-2 patch. not for BB to handle. For details, see: http://bundlebuggy.aaronbentley.com/project/squid/request/%3C20080907005501.GB8733%40motherbox.xtech.com.ar%3E Project: Squid
Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access
http://www.squid-cache.org/bugs/show_bug.cgi?id=2455 On Sun, Sep 07, 2008 at 09:28:30AM +0800, Adrian Chadd wrote: It looks fine; could you dump it into bugzilla for the time being? (We're working on the Squid-2 - bzr merge stuff at the moment!) Adrian 2008/9/7 Diego Woitasen [EMAIL PROTECTED]: This patch apply to Squid 2.7.STABLE4. If we use a proxy_auth acl on {storeurl,url_rewrite}_access and the user isn't authenticated previously, send 407. regards, Diego diff --git a/src/client_side.c b/src/client_side.c index 23c4274..4f75ea0 100644 --- a/src/client_side.c +++ b/src/client_side.c @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http) } -static void -clientAccessCheckDone(int answer, void *data) +void +clientSendErrorReply(clientHttpRequest * http, int answer) { -clientHttpRequest *http = data; err_type page_id; http_status status; ErrorState *err = NULL; char *proxy_auth_msg = NULL; + +proxy_auth_msg = authenticateAuthUserRequestMessage(http-conn-auth_user_request ? http-conn-auth_user_request : http-request-auth_user_request); + +int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) !http-request-flags.transparent; + +debug(33, 5) (Access Denied: %s\n, http-uri); +debug(33, 5) (AclMatchedName = %s\n, + AclMatchedName ? AclMatchedName : null); +debug(33, 5) (Proxy Auth Message = %s\n, + proxy_auth_msg ? proxy_auth_msg : null); + +/* + * NOTE: get page_id here, based on AclMatchedName because + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets + * clobbered in the clientCreateStoreEntry() call + * just below. Pedro Ribeiro [EMAIL PROTECTED] + */ +page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH); +http-log_type = LOG_TCP_DENIED; +http-entry = clientCreateStoreEntry(http, http-request-method, + null_request_flags); +if (require_auth) { + if (!http-flags.accel) { + /* Proxy authorisation needed */ + status = HTTP_PROXY_AUTHENTICATION_REQUIRED; + } else { + /* WWW authorisation needed */ + status = HTTP_UNAUTHORIZED; + } + if (page_id == ERR_NONE) + page_id = ERR_CACHE_ACCESS_DENIED; +} else { + status = HTTP_FORBIDDEN; + if (page_id == ERR_NONE) + page_id = ERR_ACCESS_DENIED; +} +err = errorCon(page_id, status, http-orig_request); +if (http-conn-auth_user_request) + err-auth_user_request = http-conn-auth_user_request; +else if (http-request-auth_user_request) + err-auth_user_request = http-request-auth_user_request; +/* lock for the error state */ +if (err-auth_user_request) + authenticateAuthUserRequestLock(err-auth_user_request); +err-callback_data = NULL; +errorAppendEntry(http-entry, err); + +} + +static void +clientAccessCheckDone(int answer, void *data) +{ +clientHttpRequest *http = data; + debug(33, 2) (The request %s %s is %s, because it matched '%s'\n, RequestMethods[http-request-method].str, http-uri, answer == ACCESS_ALLOWED ? ALLOWED : DENIED, AclMatchedName ? AclMatchedName : NO ACL's); -proxy_auth_msg = authenticateAuthUserRequestMessage(http-conn-auth_user_request ? http-conn-auth_user_request : http-request-auth_user_request); http-acl_checklist = NULL; if (answer == ACCESS_ALLOWED) { safe_free(http-uri); @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data) http-redirect_state = REDIRECT_PENDING; clientRedirectStart(http); } else { - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) !http-request-flags.transparent; - debug(33, 5) (Access Denied: %s\n, http-uri); - debug(33, 5) (AclMatchedName = %s\n, - AclMatchedName ? AclMatchedName : null); - debug(33, 5) (Proxy Auth Message = %s\n, - proxy_auth_msg ? proxy_auth_msg : null); - /* -* NOTE: get page_id here, based on AclMatchedName because -* if USE_DELAY_POOLS is enabled, then AclMatchedName gets -* clobbered in the clientCreateStoreEntry() call -* just below. Pedro Ribeiro [EMAIL PROTECTED] -*/ - page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH); - http-log_type = LOG_TCP_DENIED; - http-entry = clientCreateStoreEntry(http, http-request-method, - null_request_flags); - if (require_auth) { - if (!http-flags.accel) { - /* Proxy authorisation needed */ - status =
Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access
Thanks! Don't forget to bug me if its not sorted out in the next week or so. Adrian 2008/9/8 Diego Woitasen [EMAIL PROTECTED]: http://www.squid-cache.org/bugs/show_bug.cgi?id=2455 On Sun, Sep 07, 2008 at 09:28:30AM +0800, Adrian Chadd wrote: It looks fine; could you dump it into bugzilla for the time being? (We're working on the Squid-2 - bzr merge stuff at the moment!) Adrian 2008/9/7 Diego Woitasen [EMAIL PROTECTED]: This patch apply to Squid 2.7.STABLE4. If we use a proxy_auth acl on {storeurl,url_rewrite}_access and the user isn't authenticated previously, send 407. regards, Diego diff --git a/src/client_side.c b/src/client_side.c index 23c4274..4f75ea0 100644 --- a/src/client_side.c +++ b/src/client_side.c @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http) } -static void -clientAccessCheckDone(int answer, void *data) +void +clientSendErrorReply(clientHttpRequest * http, int answer) { -clientHttpRequest *http = data; err_type page_id; http_status status; ErrorState *err = NULL; char *proxy_auth_msg = NULL; + +proxy_auth_msg = authenticateAuthUserRequestMessage(http-conn-auth_user_request ? http-conn-auth_user_request : http-request-auth_user_request); + +int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) !http-request-flags.transparent; + +debug(33, 5) (Access Denied: %s\n, http-uri); +debug(33, 5) (AclMatchedName = %s\n, + AclMatchedName ? AclMatchedName : null); +debug(33, 5) (Proxy Auth Message = %s\n, + proxy_auth_msg ? proxy_auth_msg : null); + +/* + * NOTE: get page_id here, based on AclMatchedName because + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets + * clobbered in the clientCreateStoreEntry() call + * just below. Pedro Ribeiro [EMAIL PROTECTED] + */ +page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH); +http-log_type = LOG_TCP_DENIED; +http-entry = clientCreateStoreEntry(http, http-request-method, + null_request_flags); +if (require_auth) { + if (!http-flags.accel) { + /* Proxy authorisation needed */ + status = HTTP_PROXY_AUTHENTICATION_REQUIRED; + } else { + /* WWW authorisation needed */ + status = HTTP_UNAUTHORIZED; + } + if (page_id == ERR_NONE) + page_id = ERR_CACHE_ACCESS_DENIED; +} else { + status = HTTP_FORBIDDEN; + if (page_id == ERR_NONE) + page_id = ERR_ACCESS_DENIED; +} +err = errorCon(page_id, status, http-orig_request); +if (http-conn-auth_user_request) + err-auth_user_request = http-conn-auth_user_request; +else if (http-request-auth_user_request) + err-auth_user_request = http-request-auth_user_request; +/* lock for the error state */ +if (err-auth_user_request) + authenticateAuthUserRequestLock(err-auth_user_request); +err-callback_data = NULL; +errorAppendEntry(http-entry, err); + +} + +static void +clientAccessCheckDone(int answer, void *data) +{ +clientHttpRequest *http = data; + debug(33, 2) (The request %s %s is %s, because it matched '%s'\n, RequestMethods[http-request-method].str, http-uri, answer == ACCESS_ALLOWED ? ALLOWED : DENIED, AclMatchedName ? AclMatchedName : NO ACL's); -proxy_auth_msg = authenticateAuthUserRequestMessage(http-conn-auth_user_request ? http-conn-auth_user_request : http-request-auth_user_request); http-acl_checklist = NULL; if (answer == ACCESS_ALLOWED) { safe_free(http-uri); @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data) http-redirect_state = REDIRECT_PENDING; clientRedirectStart(http); } else { - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) !http-request-flags.transparent; - debug(33, 5) (Access Denied: %s\n, http-uri); - debug(33, 5) (AclMatchedName = %s\n, - AclMatchedName ? AclMatchedName : null); - debug(33, 5) (Proxy Auth Message = %s\n, - proxy_auth_msg ? proxy_auth_msg : null); - /* -* NOTE: get page_id here, based on AclMatchedName because -* if USE_DELAY_POOLS is enabled, then AclMatchedName gets -* clobbered in the clientCreateStoreEntry() call -* just below. Pedro Ribeiro [EMAIL PROTECTED] -*/ - page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH); - http-log_type = LOG_TCP_DENIED; - http-entry = clientCreateStoreEntry(http, http-request-method, - null_request_flags); - if (require_auth) { - if
[PATCH] Send 407 on url_rewrite_access/storeurl_access
This patch apply to Squid 2.7.STABLE4. If we use a proxy_auth acl on {storeurl,url_rewrite}_access and the user isn't authenticated previously, send 407. regards, Diego diff --git a/src/client_side.c b/src/client_side.c index 23c4274..4f75ea0 100644 --- a/src/client_side.c +++ b/src/client_side.c @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http) } -static void -clientAccessCheckDone(int answer, void *data) +void +clientSendErrorReply(clientHttpRequest * http, int answer) { -clientHttpRequest *http = data; err_type page_id; http_status status; ErrorState *err = NULL; char *proxy_auth_msg = NULL; + +proxy_auth_msg = authenticateAuthUserRequestMessage(http-conn-auth_user_request ? http-conn-auth_user_request : http-request-auth_user_request); + +int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) !http-request-flags.transparent; + +debug(33, 5) (Access Denied: %s\n, http-uri); +debug(33, 5) (AclMatchedName = %s\n, + AclMatchedName ? AclMatchedName : null); +debug(33, 5) (Proxy Auth Message = %s\n, + proxy_auth_msg ? proxy_auth_msg : null); + +/* + * NOTE: get page_id here, based on AclMatchedName because + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets + * clobbered in the clientCreateStoreEntry() call + * just below. Pedro Ribeiro [EMAIL PROTECTED] + */ +page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH); +http-log_type = LOG_TCP_DENIED; +http-entry = clientCreateStoreEntry(http, http-request-method, + null_request_flags); +if (require_auth) { + if (!http-flags.accel) { + /* Proxy authorisation needed */ + status = HTTP_PROXY_AUTHENTICATION_REQUIRED; + } else { + /* WWW authorisation needed */ + status = HTTP_UNAUTHORIZED; + } + if (page_id == ERR_NONE) + page_id = ERR_CACHE_ACCESS_DENIED; +} else { + status = HTTP_FORBIDDEN; + if (page_id == ERR_NONE) + page_id = ERR_ACCESS_DENIED; +} +err = errorCon(page_id, status, http-orig_request); +if (http-conn-auth_user_request) + err-auth_user_request = http-conn-auth_user_request; +else if (http-request-auth_user_request) + err-auth_user_request = http-request-auth_user_request; +/* lock for the error state */ +if (err-auth_user_request) + authenticateAuthUserRequestLock(err-auth_user_request); +err-callback_data = NULL; +errorAppendEntry(http-entry, err); + +} + +static void +clientAccessCheckDone(int answer, void *data) +{ +clientHttpRequest *http = data; + debug(33, 2) (The request %s %s is %s, because it matched '%s'\n, RequestMethods[http-request-method].str, http-uri, answer == ACCESS_ALLOWED ? ALLOWED : DENIED, AclMatchedName ? AclMatchedName : NO ACL's); -proxy_auth_msg = authenticateAuthUserRequestMessage(http-conn-auth_user_request ? http-conn-auth_user_request : http-request-auth_user_request); http-acl_checklist = NULL; if (answer == ACCESS_ALLOWED) { safe_free(http-uri); @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data) http-redirect_state = REDIRECT_PENDING; clientRedirectStart(http); } else { - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) !http-request-flags.transparent; - debug(33, 5) (Access Denied: %s\n, http-uri); - debug(33, 5) (AclMatchedName = %s\n, - AclMatchedName ? AclMatchedName : null); - debug(33, 5) (Proxy Auth Message = %s\n, - proxy_auth_msg ? proxy_auth_msg : null); - /* -* NOTE: get page_id here, based on AclMatchedName because -* if USE_DELAY_POOLS is enabled, then AclMatchedName gets -* clobbered in the clientCreateStoreEntry() call -* just below. Pedro Ribeiro [EMAIL PROTECTED] -*/ - page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH); - http-log_type = LOG_TCP_DENIED; - http-entry = clientCreateStoreEntry(http, http-request-method, - null_request_flags); - if (require_auth) { - if (!http-flags.accel) { - /* Proxy authorisation needed */ - status = HTTP_PROXY_AUTHENTICATION_REQUIRED; - } else { - /* WWW authorisation needed */ - status = HTTP_UNAUTHORIZED; - } - if (page_id == ERR_NONE) - page_id = ERR_CACHE_ACCESS_DENIED; - } else { - status = HTTP_FORBIDDEN; - if (page_id == ERR_NONE) - page_id = ERR_ACCESS_DENIED; - } - err = errorCon(page_id, status, http-orig_request); - if (http-conn-auth_user_request) - err-auth_user_request = http-conn-auth_user_request;
Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access
Bundle Buggy has detected this merge request. For details, see: http://bundlebuggy.aaronbentley.com/project/squid/request/%3C20080907005501.GB8733%40motherbox.xtech.com.ar%3E Project: Squid
Re: [PATCH] Send 407 on url_rewrite_access/storeurl_access
It looks fine; could you dump it into bugzilla for the time being? (We're working on the Squid-2 - bzr merge stuff at the moment!) Adrian 2008/9/7 Diego Woitasen [EMAIL PROTECTED]: This patch apply to Squid 2.7.STABLE4. If we use a proxy_auth acl on {storeurl,url_rewrite}_access and the user isn't authenticated previously, send 407. regards, Diego diff --git a/src/client_side.c b/src/client_side.c index 23c4274..4f75ea0 100644 --- a/src/client_side.c +++ b/src/client_side.c @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http) } -static void -clientAccessCheckDone(int answer, void *data) +void +clientSendErrorReply(clientHttpRequest * http, int answer) { -clientHttpRequest *http = data; err_type page_id; http_status status; ErrorState *err = NULL; char *proxy_auth_msg = NULL; + +proxy_auth_msg = authenticateAuthUserRequestMessage(http-conn-auth_user_request ? http-conn-auth_user_request : http-request-auth_user_request); + +int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) !http-request-flags.transparent; + +debug(33, 5) (Access Denied: %s\n, http-uri); +debug(33, 5) (AclMatchedName = %s\n, + AclMatchedName ? AclMatchedName : null); +debug(33, 5) (Proxy Auth Message = %s\n, + proxy_auth_msg ? proxy_auth_msg : null); + +/* + * NOTE: get page_id here, based on AclMatchedName because + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets + * clobbered in the clientCreateStoreEntry() call + * just below. Pedro Ribeiro [EMAIL PROTECTED] + */ +page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH); +http-log_type = LOG_TCP_DENIED; +http-entry = clientCreateStoreEntry(http, http-request-method, + null_request_flags); +if (require_auth) { + if (!http-flags.accel) { + /* Proxy authorisation needed */ + status = HTTP_PROXY_AUTHENTICATION_REQUIRED; + } else { + /* WWW authorisation needed */ + status = HTTP_UNAUTHORIZED; + } + if (page_id == ERR_NONE) + page_id = ERR_CACHE_ACCESS_DENIED; +} else { + status = HTTP_FORBIDDEN; + if (page_id == ERR_NONE) + page_id = ERR_ACCESS_DENIED; +} +err = errorCon(page_id, status, http-orig_request); +if (http-conn-auth_user_request) + err-auth_user_request = http-conn-auth_user_request; +else if (http-request-auth_user_request) + err-auth_user_request = http-request-auth_user_request; +/* lock for the error state */ +if (err-auth_user_request) + authenticateAuthUserRequestLock(err-auth_user_request); +err-callback_data = NULL; +errorAppendEntry(http-entry, err); + +} + +static void +clientAccessCheckDone(int answer, void *data) +{ +clientHttpRequest *http = data; + debug(33, 2) (The request %s %s is %s, because it matched '%s'\n, RequestMethods[http-request-method].str, http-uri, answer == ACCESS_ALLOWED ? ALLOWED : DENIED, AclMatchedName ? AclMatchedName : NO ACL's); -proxy_auth_msg = authenticateAuthUserRequestMessage(http-conn-auth_user_request ? http-conn-auth_user_request : http-request-auth_user_request); http-acl_checklist = NULL; if (answer == ACCESS_ALLOWED) { safe_free(http-uri); @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data) http-redirect_state = REDIRECT_PENDING; clientRedirectStart(http); } else { - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) !http-request-flags.transparent; - debug(33, 5) (Access Denied: %s\n, http-uri); - debug(33, 5) (AclMatchedName = %s\n, - AclMatchedName ? AclMatchedName : null); - debug(33, 5) (Proxy Auth Message = %s\n, - proxy_auth_msg ? proxy_auth_msg : null); - /* -* NOTE: get page_id here, based on AclMatchedName because -* if USE_DELAY_POOLS is enabled, then AclMatchedName gets -* clobbered in the clientCreateStoreEntry() call -* just below. Pedro Ribeiro [EMAIL PROTECTED] -*/ - page_id = aclGetDenyInfoPage(Config.denyInfoList, AclMatchedName, answer != ACCESS_REQ_PROXY_AUTH); - http-log_type = LOG_TCP_DENIED; - http-entry = clientCreateStoreEntry(http, http-request-method, - null_request_flags); - if (require_auth) { - if (!http-flags.accel) { - /* Proxy authorisation needed */ - status = HTTP_PROXY_AUTHENTICATION_REQUIRED; - } else { - /* WWW authorisation needed */ - status = HTTP_UNAUTHORIZED; - } - if (page_id == ERR_NONE) - page_id = ERR_CACHE_ACCESS_DENIED; - } else { -