Apache SVN module and LUA authentification hook

Stefan Hauffe

Hello community,

I have an Apache 2.4 which shall deliver SVN repos by the HTTP protocol. I’m experienced with standard Basic Authentication and path-based authorization for the Subversion repo.

In my new application, the authentication will be done by a LUA script using the directive “LuaHookCheckUserID”. Generally, the LUA script works as expected (used this documentation).

Unfortunately, it seems that the authorization file (Subversion Accessfile) is not read out correctly. I see an empty repo with my (authorized) user.

From the logfile (Debug/Error) I see that LUA granted my user, but also an “Access denied” message on an SVN file path:

[lua:debug] [pid 6872:tid ] @/path/to/hook.lua(29): [client ip] Accepted user myuser
[authz_svn:info] [pid 6872:tid ] [client ip] Access granted: 'myuser' GET (null)
[authz_svn:debug] [pid 6872:tid ] subversion/mod_authz_svn/mod_authz_svn.c(450): [client ip] Path to authz file is /path/to/accessfile
[authz_svn:info] [pid 6872:tid ] [client ip] Access denied: - GET repo002:/file.txt

My simplest working LUA script goes here:

require 'apache2'

function authcheck_hook(r)
    r.user = "myuser"
    r:debug("Accepted user " .. r.user)
    return apache2.OK
end

This is the configuration for the Repo:

<Location /svn/repo002>
    DAV svn
    SVNPath "/path/to/repo002"

    AuthzSVNAccessFile "/path/to/accessfile"

    Require valid-user
    LuaHookCheckUserID "/path/to/hook.lua" authcheck_hook
</Location>

I have a basic-auth secured repo with the same accessfile nearby and it works correctly.

Question: How can I give the “authz_svn” module my username from LUA? I think this is the problem.

Thanks and Kind Regards,

Stefan Hauffe

Re: Apache SVN module and LUA authentification hook

Branko Čibej
On 05.01.2018 16:00, Stefan Hauffe wrote:

> Hello community,
>
> I have an Apache 2.4 which shall deliver SVN repos by the
> HTTP protocol. I’m experienced with standard Basic Authentication
> and path-based authorization for the Subversion repo.
>
> In my new application, the authentication will be done by a LUA script
> using the directive “LuaHookCheckUserID”. Generally, the LUA script
> works as expected (used this documentation
> <https://httpd.apache.org/docs/trunk/mod/mod_lua.html#luahookcheckuserid>).
>
> Unfortunately, it seems that the authorization file (Subversion
> Accessfile) is not read out correctly. I see an empty repo with my
> (authorized) user.
>
> From the logfile (Debug/Error) I see that LUA granted my user, but
> also an “Access denied” message on an SVN file path:
>
> [lua:debug] [pid 6872:tid ] @/path/to/hook.lua(29): [client ip]
> Accepted user myuser
> [authz_svn:info] [pid 6872:tid ] [client ip] Access granted: 'myuser'
> GET (null)
> [authz_svn:debug] [pid 6872:tid ]
> subversion/mod_authz_svn/mod_authz_svn.c(450): [client ip] Path to
> authz file is /path/to/accessfile
> [authz_svn:info] [pid 6872:tid ] [client ip] Access denied: - GET
> repo002:/file.txt
>
> My simplest working LUA script goes here:
>
> require 'apache2'
>
> function authcheck_hook(r)
>     r.user = "myuser"
>     r:debug("Accepted user " .. r.user)
>     return apache2.OK
> end

Are you really changing the username stored in the request in your
authentication script? That could certainly be the problem, AFAIK
there's no guarantee that that change gets propagated back to mod_authz_svn.

(It's also a horribly wrong approach to authentication.)

-- Brane
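
Added example (not part of either post and not Subversion project code): a Python check over the `authz_svn:info` verdict lines quoted in the thread, flagging a client that was granted access under a name and then denied as anonymous (`-`), which is the pattern in the log above. The tid and client address values and the last sample line are constructed so the sample parses and includes a plain anonymous denial for contrast.

```python
import re

# Constructed sample: the thread's log lines with placeholder tid/client values
# filled in, plus one unrelated anonymous denial from another client.
SAMPLE_LOG = """\
[lua:debug] [pid 6872:tid 1404] @/path/to/hook.lua(29): [client 192.0.2.10:51234] Accepted user myuser
[authz_svn:info] [pid 6872:tid 1404] [client 192.0.2.10:51234] Access granted: 'myuser' GET (null)
[authz_svn:debug] [pid 6872:tid 1404] subversion/mod_authz_svn/mod_authz_svn.c(450): [client 192.0.2.10:51234] Path to authz file is /path/to/accessfile
[authz_svn:info] [pid 6872:tid 1404] [client 192.0.2.10:51234] Access denied: - GET repo002:/file.txt
[authz_svn:info] [pid 6872:tid 1408] [client 192.0.2.77:40000] Access denied: - GET repo002:/file.txt
""".splitlines()

# Verdict line layout as it appears in the thread:
#   Access granted|denied: 'user' or -  METHOD  target
VERDICT = re.compile(
    r"\[authz_svn:info\].*?\[client (?P<client>[^\]]+)\] "
    r"Access (?P<verdict>granted|denied): (?P<user>'[^']*'|-) "
    r"(?P<method>\S+) (?P<target>.*)$"
)


def find_identity_drops(lines):
    """Return (client, user, method, target) for every anonymous denial that
    follows a named grant for the same client connection."""
    named = {}  # client -> last user name seen in a grant verdict
    drops = []
    for line in lines:
        m = VERDICT.search(line)
        if not m:
            continue  # lua:debug and authz_svn:debug lines carry no verdict
        client, user = m["client"], m["user"]
        if user != "-":
            if m["verdict"] == "granted":
                named[client] = user.strip("'")
        elif m["verdict"] == "denied" and client in named:
            # Same connection was authorized by name, now checked with no user.
            drops.append((client, named[client], m["method"], m["target"]))
    return drops


if __name__ == "__main__":
    for client, user, method, target in find_identity_drops(SAMPLE_LOG):
        print(f"{client}: granted as {user!r}, then denied as anonymous on {method} {target}")
```

A denial as `-` from a client with no earlier named grant is ordinary anonymous access and is not reported.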