Details
Bug
Status: Open
Major
Resolution: Unresolved
1.9.7, 1.10.0-alpha3
None
Linux thorstenknbl1 4.9.78-040978-generic #201801231931 SMP Tue Jan 23 19:32:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
httpd 2.4.29
[14:15:05][tkrah@thorstenknbl1:~/Development/src/subversion] $ svn info
Pfad: .
Wurzelpfad der Arbeitskopie: /home/tkrah/Development/src/subversion
URL: https://svn.apache.org/repos/asf/subversion/trunk
Relative URL: ^/subversion/trunk
Basis des Projektarchivs: https://svn.apache.org/repos/asf
UUID des Projektarchivs: 13f79535-47bb-0310-9956-ffa450edef68
Revision: 1821650
Knotentyp: Verzeichnis
Plan: normal
Letzter Autor: julianfoad
Letzte geänderte Rev: 1821621
Letztes Änderungsdatum: 2018-01-19 12:29:49 +0100 (Fr, 19. Jan 2018)
Description
Hi folks,
this is the bug report discussed already on the user list threads here:
https://svn.haxx.se/users/archive-2018-01/0096.shtml
and on the dev list here:
https://svn.haxx.se/dev/archive-2018-01/0070.shtml
In short this is the recipe:
If you use a Lua module to authenticate your users, done via:
https://httpd.apache.org/docs/2.4/de/mod/mod_lua.html#luahookcheckuserid
like this:
- Use the repo from the already existent test suite and configure a location like that:
    <Location /svn-test-work/repositories>
      DAV svn
      SVNParentPath "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/repositories"
      LuaHookCheckUserID /etc/apache2/auth.lua authcheck_hook early
      AuthzSVNAccessFile "/home/tkrah/Development/src/subversion/subversion/tests/cmdline/svn-test-work/authz"
      Require valid-user
      SVNAdvertiseV2Protocol on
      SVNCacheRevProps off
    </Location>
- The authz file just contains:
    [/]
    * = rw
- The auth.lua hook authcheck_hook does read like that:
    function authcheck_hook(r)
      -- fake the user
      r.user = 'foo'
      r:debug('user foo: OK')
      return apache2.OK
    end
mod_authz_svn fails to authorize the users which should have access to the repository.
There are 2 main reasons imho:
- mod_authz_svn does expect an AuthType to be set which is not needed when doing authentication via mod_lua - so this assumption should be removed from the code - see notes below if it is a good idea to check that at all. But even if AuthType is set it will fail on the next assumption.
- It does expect an Authorization header to guess if the user wants to authenticate, to let the request continue on the request stack to actually reach the configured Lua handler which does set the user on the request - but this is imho also wrong. This assumption only holds for basic authentication - which is not done here. Arbitrary authentication may be implemented in the Lua hook - so mod_authz_svn should not make any assumptions about that header's existence either.
AuthType seems to be used to determine if auth is configured at all - this seems not to be the correct check in any use case.
Also have a look at:
where I asked on the httpd list how this check if auth is configured at all could be done - there are ways but like Eric Covener said there:
It does seem like a risky idea to do it for anything but problem determination, though.
So the code should not rely on that check at all it seems.
Something off-topic maybe:
Using the same Lua handler to authenticate other locations - e.g. to show a directory index or some static HTML files served by httpd - does work, so I would expect that mod_authz_svn should work here too.
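
The report says arbitrary authentication may be implemented in the Lua hook. As an added illustration (not the reporter's hook and not Subversion code), the following LuaHookCheckUserID hook sets r.user from a custom header, so an authenticated request carries no Authorization header and the location needs no AuthType. The header name X-Example-Token and the token table are hypothetical, and the token values are constructed.

```lua
-- Added example, not from the report: a LuaHookCheckUserID hook that
-- authenticates from a custom header instead of "Authorization".
-- Header name and token table are hypothetical; tokens are constructed.
local apache2 = apache2 or { OK = 0, DECLINED = -1 }  -- stub outside httpd

local TOKENS = {                       -- constructed sample data
  { token = "example-token-foo", user = "foo" },
  { token = "example-token-bar", user = "bar" },
}

-- Compare two strings without returning at the first differing byte.
local function same(a, b)
  if #a ~= #b then return false end
  local diff = 0
  for i = 1, #a do
    diff = diff + math.abs(a:byte(i) - b:byte(i))
  end
  return diff == 0
end

function authcheck_hook(r)
  local presented = r.headers_in['X-Example-Token']
  if presented == nil then
    r:debug('no token header: request stays unauthenticated')
    return 401
  end
  for _, entry in ipairs(TOKENS) do
    if same(presented, entry.token) then
      r.user = entry.user          -- identity that later modules should see
      r:debug('user ' .. entry.user .. ': OK')
      return apache2.OK
    end
  end
  r:debug('unknown token')
  return 401
end

-- Stand-alone check with a mock request; the `arg` table is set by the
-- command-line interpreter, so this part is skipped when httpd loads the file.
if arg then
  local function req(h) return { headers_in = h, debug = function() end } end
  local ok = req({ ['X-Example-Token'] = 'example-token-foo' })
  assert(authcheck_hook(ok) == apache2.OK and ok.user == 'foo')
  assert(authcheck_hook(req({})) == 401)
  assert(authcheck_hook(req({ ['X-Example-Token'] = 'nope' })) == 401)
  print('hook checks passed')
end
```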