It looks fine; could you dump it into bugzilla for the time being? (We're working on the Squid-2 -> bzr merge stuff at the moment!)
Adrian 2008/9/7 Diego Woitasen <[EMAIL PROTECTED]>: > This patch apply to Squid 2.7.STABLE4. > > If we use a proxy_auth acl on {storeurl,url_rewrite}_access and the user > isn't authenticated previously, send 407. > > regards, > Diego > > > diff --git a/src/client_side.c b/src/client_side.c > index 23c4274..4f75ea0 100644 > --- a/src/client_side.c > +++ b/src/client_side.c 
> @@ -448,19 +448,71 @@ clientFinishRewriteStuff(clientHttpRequest * http) > > } > > -static void > -clientAccessCheckDone(int answer, void *data) > +void > +clientSendErrorReply(clientHttpRequest * http, int answer) > { > - clientHttpRequest *http = data; > err_type page_id; > http_status status; > ErrorState *err = NULL; > char *proxy_auth_msg = NULL; > + > + proxy_auth_msg = > authenticateAuthUserRequestMessage(http->conn->auth_user_request ? > http->conn->auth_user_request : http->request->auth_user_request); > + > + int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || > aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent; > + > + debug(33, 5) ("Access Denied: %s\n", http->uri); > + debug(33, 5) ("AclMatchedName = %s\n", > + AclMatchedName ? AclMatchedName : "<null>"); > + debug(33, 5) ("Proxy Auth Message = %s\n", > + proxy_auth_msg ? proxy_auth_msg : "<null>"); > + > + /* > + * NOTE: get page_id here, based on AclMatchedName because > + * if USE_DELAY_POOLS is enabled, then AclMatchedName gets > + * clobbered in the clientCreateStoreEntry() call > + * just below. 
Pedro Ribeiro <[EMAIL PROTECTED]> > + */ > + page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, > answer != ACCESS_REQ_PROXY_AUTH); > + http->log_type = LOG_TCP_DENIED; > + http->entry = clientCreateStoreEntry(http, http->request->method, > + null_request_flags); > + if (require_auth) { > + if (!http->flags.accel) { > + /* Proxy authorisation needed */ > + status = HTTP_PROXY_AUTHENTICATION_REQUIRED; > + } else { > + /* WWW authorisation needed */ > + status = HTTP_UNAUTHORIZED; > + } > + if (page_id == ERR_NONE) > + page_id = ERR_CACHE_ACCESS_DENIED; > + } else { > + status = HTTP_FORBIDDEN; > + if (page_id == ERR_NONE) > + page_id = ERR_ACCESS_DENIED; > + } > + err = errorCon(page_id, status, http->orig_request); > + if (http->conn->auth_user_request) > + err->auth_user_request = http->conn->auth_user_request; > + else if (http->request->auth_user_request) > + err->auth_user_request = http->request->auth_user_request; > + /* lock for the error state */ > + if (err->auth_user_request) > + authenticateAuthUserRequestLock(err->auth_user_request); > + err->callback_data = NULL; > + errorAppendEntry(http->entry, err); > + > +} > + > +static void > +clientAccessCheckDone(int answer, void *data) > +{ > + clientHttpRequest *http = data; > + > debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n", > RequestMethods[http->request->method].str, http->uri, > answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED", > AclMatchedName ? AclMatchedName : "NO ACL's"); > - proxy_auth_msg = > authenticateAuthUserRequestMessage(http->conn->auth_user_request ? > http->conn->auth_user_request : http->request->auth_user_request); > http->acl_checklist = NULL; > if (answer == ACCESS_ALLOWED) { > safe_free(http->uri); 
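Review bot: `clientSendErrorReply` is made non-static here and is called from the two rewrite callbacks, but nothing above it states the contract those callers depend on. From the body, it sets `http->log_type = LOG_TCP_DENIED`, assigns a new store entry to `http->entry`, appends the error to it, and takes its own lock on `auth_user_request` for the error state. A short block comment above the definition should say this, and that a caller must treat the call as terminal and not go on to rewrite or forward the request. Separately, `int require_auth = ...` is declared after the `proxy_auth_msg = ...` statement while the other locals sit at the top of the block; declaring `int require_auth;` with them and assigning it afterwards keeps the function consistent, and keeps it building if the tree is still compiled as C89.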
> @@ -469,47 +521,7 @@ clientAccessCheckDone(int answer, void *data) > http->redirect_state = REDIRECT_PENDING; > clientRedirectStart(http); > } else { > - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || > aclIsProxyAuth(AclMatchedName)) && !http->request->flags.transparent; > - debug(33, 5) ("Access Denied: %s\n", http->uri); > - debug(33, 5) ("AclMatchedName = %s\n", > - AclMatchedName ? AclMatchedName : "<null>"); > - debug(33, 5) ("Proxy Auth Message = %s\n", > - proxy_auth_msg ? proxy_auth_msg : "<null>"); > - /* > - * NOTE: get page_id here, based on AclMatchedName because > - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets > - * clobbered in the clientCreateStoreEntry() call > - * just below. Pedro Ribeiro <[EMAIL PROTECTED]> > - */ > - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, > answer != ACCESS_REQ_PROXY_AUTH); > - http->log_type = LOG_TCP_DENIED; > - http->entry = clientCreateStoreEntry(http, http->request->method, > - null_request_flags); > - if (require_auth) { > - if (!http->flags.accel) { > - /* Proxy authorisation needed */ > - status = HTTP_PROXY_AUTHENTICATION_REQUIRED; > - } else { > - /* WWW authorisation needed */ > - status = HTTP_UNAUTHORIZED; > - } > - if (page_id == ERR_NONE) > - page_id = ERR_CACHE_ACCESS_DENIED; > - } else { > - status = HTTP_FORBIDDEN; > - if (page_id == ERR_NONE) > - page_id = ERR_ACCESS_DENIED; > - } > - err = errorCon(page_id, status, http->orig_request); > - if (http->conn->auth_user_request) > - err->auth_user_request = http->conn->auth_user_request; > - else if (http->request->auth_user_request) > - err->auth_user_request = http->request->auth_user_request; > - /* lock for the error state */ > - if (err->auth_user_request) > - authenticateAuthUserRequestLock(err->auth_user_request); > - err->callback_data = NULL; > - errorAppendEntry(http->entry, err); > + clientSendErrorReply(http, answer); > } > } 
> > @@ -517,61 +529,17 @@ static void > clientAccessCheckDone2(int answer, void *data) > { > clientHttpRequest *http = data; > - err_type page_id; > - http_status status; > - ErrorState *err = NULL; > - char *proxy_auth_msg = NULL; > + > debug(33, 2) ("The request %s %s is %s, because it matched '%s'\n", > RequestMethods[http->request->method].str, http->uri, > answer == ACCESS_ALLOWED ? "ALLOWED" : "DENIED", > AclMatchedName ? AclMatchedName : "NO ACL's"); > - proxy_auth_msg = > authenticateAuthUserRequestMessage(http->conn->auth_user_request ? > http->conn->auth_user_request : http->request->auth_user_request); > + > http->acl_checklist = NULL; > if (answer == ACCESS_ALLOWED) { > clientCheckNoCache(http); > } else { > - int require_auth = (answer == ACCESS_REQ_PROXY_AUTH || > aclIsProxyAuth(AclMatchedName)); > - debug(33, 5) ("Access Denied: %s\n", http->uri); > - debug(33, 5) ("AclMatchedName = %s\n", > - AclMatchedName ? AclMatchedName : "<null>"); > - if (require_auth) > - debug(33, 5) ("Proxy Auth Message = %s\n", > - proxy_auth_msg ? proxy_auth_msg : "<null>"); > - /* > - * NOTE: get page_id here, based on AclMatchedName because > - * if USE_DELAY_POOLS is enabled, then AclMatchedName gets > - * clobbered in the clientCreateStoreEntry() call > - * just below. 
Pedro Ribeiro <[EMAIL PROTECTED]> > - */ > - page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, > answer != ACCESS_REQ_PROXY_AUTH); > - http->log_type = LOG_TCP_DENIED; > - http->entry = clientCreateStoreEntry(http, http->request->method, > - null_request_flags); > - if (require_auth) { > - if (!http->flags.accel) { > - /* Proxy authorisation needed */ > - status = HTTP_PROXY_AUTHENTICATION_REQUIRED; > - } else { > - /* WWW authorisation needed */ > - status = HTTP_UNAUTHORIZED; > - } > - if (page_id == ERR_NONE) > - page_id = ERR_CACHE_ACCESS_DENIED; > - } else { > - status = HTTP_FORBIDDEN; > - if (page_id == ERR_NONE) > - page_id = ERR_ACCESS_DENIED; > - } > - err = errorCon(page_id, status, http->orig_request); > - if (http->conn->auth_user_request) > - err->auth_user_request = http->conn->auth_user_request; > - else if (http->request->auth_user_request) > - err->auth_user_request = http->request->auth_user_request; > - /* lock for the error state */ > - if (err->auth_user_request) > - authenticateAuthUserRequestLock(err->auth_user_request); > - err->callback_data = NULL; > - errorAppendEntry(http->entry, err); > + clientSendErrorReply(http, answer); > } > } > > diff --git a/src/client_side_rewrite.c b/src/client_side_rewrite.c > index 14ad961..8238d89 100644 > --- a/src/client_side_rewrite.c > +++ b/src/client_side_rewrite.c > @@ -45,6 +45,8 @@ clientRedirectAccessCheckDone(int answer, void *data) > http->acl_checklist = NULL; > if (answer == ACCESS_ALLOWED) > redirectStart(http, clientRedirectDone, http); > + else if (answer == ACCESS_REQ_PROXY_AUTH) > + clientSendErrorReply(data, answer); > else > clientRedirectDone(http, NULL); > } > diff --git a/src/client_side_storeurl_rewrite.c > b/src/client_side_storeurl_rewrite.c > index 938a254..9f08a25 100644 > --- a/src/client_side_storeurl_rewrite.c > +++ b/src/client_side_storeurl_rewrite.c 
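Review bot: Routing `clientAccessCheckDone2` through the shared helper changes which status it returns, and the commit message does not mention this. The code removed here computed `require_auth` as `(answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName))`, whereas `clientSendErrorReply` adds `&& !http->request->flags.transparent`, so a denial from this second check on a transparent request now yields `HTTP_FORBIDDEN` where it previously yielded 407 or 401. That may be the intended result, but it should be stated in the description and beside the call, for example `/* transparent requests get 403 here, never an auth challenge */`. The helper also emits the "Proxy Auth Message" debug line unconditionally, where this function logged it only when `require_auth` was set.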
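Review bot: The new `else if` branch in `clientRedirectAccessCheckDone` denies every `ACCESS_REQ_PROXY_AUTH` answer, including requests flagged transparent, which before this change fell through to `clientRedirectDone(http, NULL)` and carried on unrewritten. Because `clientSendErrorReply` computes `require_auth` with `!http->request->flags.transparent`, such a request would now be logged as `LOG_TCP_DENIED` and answered with `HTTP_FORBIDDEN` rather than a 407. If that is not intended, guard the branch with `else if (answer == ACCESS_REQ_PROXY_AUTH && !http->request->flags.transparent)`. The call also passes the untyped `data` although the typed local is in scope; `clientSendErrorReply(http, answer);` lets the compiler check the argument against the new prototype. Both points apply equally to the `clientStoreURLRewriteAccessCheckDone` hunk in client_side_storeurl_rewrite.c, and in both files the function begins above the hunk.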
> @@ -45,6 +45,8 @@ clientStoreURLRewriteAccessCheckDone(int answer, void *data) > http->acl_checklist = NULL; > if (answer == ACCESS_ALLOWED) > storeurlStart(http, clientStoreURLRewriteDone, http); > + else if (answer == ACCESS_REQ_PROXY_AUTH) > + clientSendErrorReply(data, answer); > else > clientStoreURLRewriteDone(http, NULL); > } > diff --git a/src/protos.h b/src/protos.h > index 007498e..c992bea 100644 > --- a/src/protos.h > +++ b/src/protos.h > @@ -1484,6 +1484,7 @@ extern aclCheck_t *clientAclChecklistCreate(const > acl_access * acl, const client > extern void clientInterpretRequestHeaders(clientHttpRequest * http); > extern void clientAccessCheck2(void *data); > extern void clientFinishRewriteStuff(clientHttpRequest * http); > +extern void clientSendErrorReply(clientHttpRequest * http, int answer); > > > /* client_side_redirect.c */ > >