Apache SVN module and LUA authentification hook

Apache SVN module and LUA authentification hook

Stefan Hauffe

Hello community,

I have an Apache 2.4 which shall deliver SVN repos over the HTTP protocol. I’m experienced with standard Basic Authentication and path-based authorization for the Subversion repo.

In my new application, the authentication will be done by a LUA script using the directive “LuaHookCheckUserID”. Generally, the LUA script works as expected (used this documentation).

Unfortunately it seems that the authorization file (Subversion access file) is not read correctly. I see an empty repo with my (authorized) user.

From the logfile (Debug/Error) I see that LUA granted my user. But there is also an “Access denied” message on an SVN file path:

[lua:debug] [pid 6872:tid ] @/path/to/hook.lua(29): [client ip] Accepted user myuser
[authz_svn:info] [pid 6872:tid ] [client ip] Access granted: 'myuser' GET (null)
[authz_svn:debug] [pid 6872:tid ] subversion/mod_authz_svn/mod_authz_svn.c(450): [client ip] Path to authz file is /path/to/accessfile
[authz_svn:info] [pid 6872:tid ] [client ip] Access denied: - GET repo002:/file.txt

My simplest working LUA script goes here:

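require 'apache2'

-- Hook registered with LuaHookCheckUserID; r is the request record.
function authcheck_hook(r)
    -- Hard-coded user for this minimal test; no credentials are checked.
    r.user = "myuser"
    r:debug("Accepted user " .. r.user)
    return apache2.OK
end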

This is the configuration for the Repo:

<Location /svn/repo002>
    DAV svn
    SVNPath "/path/to/repo002"

    AuthzSVNAccessFile "/path/to/accessfile"

    Require valid-user
    LuaHookCheckUserID "/path/to/hook.lua" authcheck_hook
</Location>

I have a basic-auth secured repo with the same accessfile nearby and it works correctly.

Question: How can I give the “authz_svn” module my username from LUA? I think this is the problem.

Thanks and Kind Regards,

Stefan Hauffe
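
The log excerpt in the post above pairs a grant for a named user with a denial logged for `-` (no user) from the same worker. As an added example that is not part of the original post, this Python sketch correlates mod_authz_svn verdict lines per worker thread and client and reports every path that was checked anonymously after a named user had been granted. The timestamps, thread ids and the 192.0.2.x client addresses are constructed, since the post redacts them.

```python
import re

# Constructed sample in Apache 2.4 error-log layout; timestamps, tids and the
# client addresses are made up, the messages follow the post's excerpt.
SAMPLE_LOG = """\
[Fri Jan 05 15:58:01.100000 2018] [lua:debug] [pid 6872:tid 140] @/path/to/hook.lua(29): [client 192.0.2.10:50111] Accepted user myuser
[Fri Jan 05 15:58:01.100200 2018] [authz_svn:info] [pid 6872:tid 140] [client 192.0.2.10:50111] Access granted: 'myuser' GET (null)
[Fri Jan 05 15:58:01.100300 2018] [authz_svn:debug] [pid 6872:tid 140] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.0.2.10:50111] Path to authz file is /path/to/accessfile
[Fri Jan 05 15:58:01.100400 2018] [authz_svn:info] [pid 6872:tid 140] [client 192.0.2.10:50111] Access denied: - GET repo002:/file.txt
[Fri Jan 05 15:59:10.000000 2018] [authz_svn:info] [pid 6872:tid 141] [client 192.0.2.77:40000] Access denied: - GET repo002:/file.txt
"""

# mod_authz_svn logs the user in single quotes, or a bare '-' when the
# request it is checking carries no user.
VERDICT = re.compile(
    r"\[authz_svn:\w+\] \[pid (?P<pid>\d+):tid (?P<tid>\d*)\] "
    r"\[client (?P<client>[^\]]+)\] "
    r"Access (?P<verdict>granted|denied): "
    r"(?:'(?P<user>[^']*)'|-) (?P<method>\S+) (?P<target>.+)$"
)

def parse_verdicts(text):
    """Yield one dict per authz_svn verdict line; user is None for '-'."""
    for line in text.splitlines():
        m = VERDICT.search(line)
        if m:
            yield m.groupdict()

def find_identity_loss(text):
    """Return (user, target) pairs where a worker granted a named user and
    later denied the same client as anonymous."""
    last_user = {}   # (pid, tid, client) -> last named user granted
    findings = []
    for v in parse_verdicts(text):
        key = (v["pid"], v["tid"], v["client"])
        if v["verdict"] == "granted" and v["user"]:
            last_user[key] = v["user"]
        elif v["verdict"] == "denied" and v["user"] is None and key in last_user:
            findings.append((last_user[key], v["target"]))
    return findings

if __name__ == "__main__":
    for user, target in find_identity_loss(SAMPLE_LOG):
        print(f"{user} was authenticated, but {target} was checked as anonymous")
```

The last sample line, an anonymous denial from a client that never authenticated, is deliberately not reported: only a denial that follows a named grant on the same connection indicates that the user name did not reach the path check.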


Re: Apache SVN module and LUA authentification hook

Branko Čibej
On 05.01.2018 16:00, Stefan Hauffe wrote:

> Hello community,
>
> I have an Apache 2.4 which shall deliver SVN repos by the
> http-Protocol. I’m experienced with standard Basic Authentification
> and path-based authorization for the Subversion repo.
>
> In my new application, the authentication will be done by a LUA-script
> using the directive “LuaHookCheckUserID”. Generally, the LUA script
> works as expected (used this documentation
> <https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luahookcheckuserid>).
>
> Unfortunately it seems, that the authorization file (Subversion
> Accessfile) is not read out correctly. I see an empty repo with my
> (authorized) user.
>
> From the logfile (Debug/Error) I see, that LUA granted my user. But
> also a “Access denied” message on a SVN file path:
>
> [lua:debug] [pid 6872:tid ] @/path/to/hook.lua(29): [client ip]
> Accepted user myuser
>
> [authz_svn:info] [pid 6872:tid ] [client ip] Access granted: 'myuser'
> GET (null)
>
> [authz_svn:debug] [pid 6872:tid ]
> subversion/mod_authz_svn/mod_authz_svn.c(450): [client ip] Path to
> authz file is /path/to/accessfile
>
> [authz_svn:info] [pid 6872:tid ] [client ip] Access denied: - GET
> repo002:/file.txt
>
> My simplest working LUA-Scripts goes here:
>
> require 'apache2'
>
> function authcheck_hook(r)
>     r.user = "myuser"
>     r:debug("Accepted user " .. r.user)
>     return apache2.OK
> end

Are you really changing the username stored in the request in your
authentication script? That could certainly be the problem, AFAIK
there's no guarantee that that change gets propagated back to mod_authz_svn.

(It's also a horribly wrong approach to authentication.)

-- Brane


Re: Apache SVN module and LUA authentification hook

Torsten Krah-2
On Friday, 05.01.2018, at 16:29 +0100, Branko Čibej wrote:
> Are you really changing the username stored in the request in your
> authentication script? That could certainly be the problem, AFAIK
> there's no guarantee that that change gets propagated back to
> mod_authz_svn.
>
> (It's also a horribly wrong approach to authentication.)

Just curious - why should that be a problem?

It's a normal authentication hook provided via mod_lua since Apache HTTPD
2.4.

Look here [1].

Even the example in the docs sets that user in the auth phase:

...
   if auth ~= nil then
     -- fake the user
     r.user = 'foo'
   end
...

So to me this should not make a problem and other httpd 2.4 resources do
not exhibit any problem with that documented approach to authenticate
users (you could even hard code a user like in the example done here by
the OP, should work regarding to svn).

And if it is - it's a bug in mod_authz_svn imho, don't you agree?

What's so horribly wrong?
It's the auth phase module - it's what the basic_auth or any other auth
module probably does, it sets r.user - the only difference here is that
a lua script is used to be the auth handler - can you explain what's
wrong with an auth hook that sets r.user - seems legit to be done and
the docs [1] do agree here - don't you think?

thanks and kind regards

Torsten

[1]
https://httpd.apache.org/docs/2.4/mod/mod_lua.html#luahookauthchecker
