Uploaded image for project: 'Subversion'
  1. Subversion
  2. SVN-4726

mod_authz_svn fails to authorize a valid authenticated user (which is done via mod_lua)

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.9.7, 1.10.0-alpha3
    • Fix Version/s: None
    • Component/s: mod_authz_svn
    • Environment:

      Description

      Hi folks,

      this is the bug report discussed already on the user list threads here:

      https://svn.haxx.se/users/archive-2018-01/0096.shtml

      and on the dev list here:

      https://svn.haxx.se/dev/archive-2018-01/0070.shtml

      In short this is the recipe:

      If you use a lua module to authenticate you're users done via:

      https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookcheckuserid

      like this:

      1. Use the repo from the already existent test suite and configure a location like that:
        <Location /svn-test-work/repositories>
         DAV svn
         SVNParentPath
         "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories"
         LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
         AuthzSVNAccessFile
         "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz"
         Require valid-user
         SVNAdvertiseV2Protocol on
         SVNCacheRevProps off
         </Location>
        
      1. The authz file just contains:
        [/]
         * = rw
        
      1. The auth.lua hook authcheck_hook does read like that:
        function authcheck_hook(r)
        
        – fake the user
         r.user = 'foo'
         r:debug('user foo: OK')
         return apache2.OK
         end
         

      mod_authz_svn fails to authorize the users which should have access to the repository.

      There are 2 main reasons imho:

      1. mod_authz_svn does expect an AuthType to be set which is not needed when doing authentication via mod_lua - so this assumption should be removed from the code - see notes below if it is a good idea to check that at all. But even if AuthType is set it will fail on the next assumption.
      2. It does expect an Authorization header to guess if the user wants to authenticate to let the request continue on the request stack to actually reach the configured lua handler which does set the user to the request - but this is imho also wrong. This assumption does only hold to basic authentication - which is not done here. Arbitrary authentication may be implemented in the lua hook - so mod_authz_svn should not make any assumptions about that header existence either.

      AuthType seems to be used to determine if auth is configured at all - seems to be not the correct check in any usecase.

      Also have a look at:

      httpd archive link

      where i asked on the httpd list how this check if auth is configured at all could be done - there are ways but like Eric Covener said there:

      It does seem like a risky  idea to do it for anything but problem
      determination, though.
      

      So the code should not rely on that check at all it seems.

      Something off-topic maybe:

      Using the same lua handler to authenticate other locations - e.g. to show a directory index or some static html files served by httpd does work - so i would expect that mod_authz_svn should work too here.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              tkrah Torsten Krah
            • Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: